 Tako biliHere this difficult task to羅zno porjelišmlje, after a lunch, talking about safety requirements for the design. So I'll try to do my best. Maybe we ask you once in a while some questions. So be ready and just to keep you to keep you awake. So I'm going to talk about this safety requirement Before the design, this publication of the agency that is known as SSR2slash1. SSR stands for a specific safety requirement. So we are at the top of the requirement where some general requirement apply to all facilities and activities, then we have more specific requirements that apply to a specific facility, ki je to kakva z vsečna zičnja, pa nekaj želimo dobro začiniti, začiniti tudi začiniti začiniti, začiniti zičnje in površenje. Zato smo tega počanati vizivno z vsečna zičnja. To je dokument. Realne dokument, kaj je, da se tako vse neč začiniti in ki so našli, da se bo vsečnje, da je, da je, da vsečnje načiniti, da je to zelo nekaj dobar, in očičenja. Zato smo prišli počkati, da nekaj nekaj nekaj nekaj dokušal. To je najbolj. Zato je dokušal, da vse predstavili in vse dve dne, kaj je zelo počkati in meditaj, kaj je tudi prišlo. Zato je vse dokušal, da je dokušal na dve občini. Prvo, da da vse pred collected sections and rules to the designer how to design a safe nuclear power plant. But also for the reviewer, the safety assessor how to assess the safety of nuclear power plantahaha. It is clear, if I give a requirement to the design the designer as to SUPERDE związana According to this requirement and the person or the organization who is making the safety assessment da priverim, da se je vzgleda. Tudi nekaj zelo vzgleda. Tukaj to priberila v 2012. Vzgleda je zelo vzgleda v Fukushima. V Fukushima, da se vzgleda, se v March 2011. Tako, dokumen je pripravljati in je prišljeno po različenju, različen po različenju, različen po različenju. Tako, skupnje za svetljenje standa je prišljeno po različenju, kaj je prišljeno po različenju. Tako, kaj je prišljeno po različenju, različen je prišljeno po različenju, prišljeno po različenju po različenju. Pravaj, pokazno kaj je prišljeno po različenju, različeno po različenju, This was the case also of this document and now there is a version called the revision one of this document. This has been already approved by the Board of Governors. So it is a document, valid document, but it is not printed yet. It is now in the process of printing. So I think you don't find this new revision one in the site of our safety standard, Vse je to našem vse. Zato pa zelo nekaj da je tudi zelo, da je to vse prišli v reviščenju. Zelo pa bilo počkala mnogo konceptov, ki je tudi Tony različil, tudi ne bi se vse prišli, se boš odličil in so bi se vse učeli, da je tudi tudi Tony, in izdnevam, daicatedo ti nega dajimi zelo v njih a nasyači v pohledu. In način sem je več zelo, da sem biližite, da tudi našli tudi da ste kodovno posledali žemljenje. Zatikujem, da ti pomembislim četko, nisi nekaj jo vzgledaj. Zato vidiš, da si se bojte, zelo se je izložiti na glasbi, ki sem videli tukaj način, in tukaj način, da je tukaj način izgleda, tukaj način, in tukaj način izgleda po 10 način prinsipov. In tukaj način tukaj način tukaj način prinsipov in tukaj način nekaj prinsipov, pa je izgledo prinsipov vziv. Vziv je pravda tukaj način vziv, vziv, tukaj način tukaj način prinsipov, tukaj način prinsipov. To je več vsoščil kot tukaj način. ki sem skupil v tem, da sem nekaj prišel. certainly so te 3 zelo veliki, če svebe prišeli v nekaj circonstanči. Zato je sve, da imamo zelo kon coaching in reaktivitaj v normali operaciju, inکrani operacije in vzvejnje, in vzvejnje, nespečno, po raznega in vzvejnje. The is always in a way or another control the activity. We have to remove if you want to stabilize the final situation of the core. We have to remove the heat from normal operation accident conditions and severe accident. All the should be removed. If you don't remove the heat, the core continues to degenerate and release a redactivity. So that is something to be done. and also the confinement if you don't want to release anything to the environment, we have to confide, in any situation, what is different from one situation and another is the acceptance criteria can be different. In normal operation we want to release very little, in accident we can accept to release a little more, and so on. We will go back to this. So, the functions are always the same, In kratilij, ki se nešto da bo, kratilij, kratilij ki se zelo izgleda, je zelo še nekaj. Vse je to zelo vse diagnosis, da je ta šečna vsečna vsečna vsečna in se je težkaj pričetnja. Vsečna vsečna vsečna je izgleda generalne strategije in se je vsečnja vsečna vsečnja vsečnje barjevi, da se zelo vsečnja vsečnja vsečnja, ali taj je obliženje, da je vsečne vsečne. It is important because you need, if you don't have the barrier of course you lose. But what is important in the concept in the defense in depth is how we approach the situation to keep the plan in a safe conditions. So in the defense in depth we address normal operation of the plan, we try to understand what are the possible in malovali in malovali mališčičnih, kaj smo prišli, da smo malovali in malovali in malovali in malovali in malovali in malovali in malovali in malovali in malovali. If this is not possible, maybe it's not, if you have an event sequences that proceeds to a more severe situation, we also to predict what can be this situation, what kind of accident, and we have to have the capability to do deal with this accident. But always to think maybe something goes wrong. So what happens next and what do we next. So the defense in depth is a general strategy that helps us to control a failure and the consequences of failure at different stages of severity. This should be clear. And then we will see how we, I think already here on the right side, there are the plant states, there are the plant states that can be associated to each level of the defense in depth. Normal operation, anticipate operational occurrences, design basis accident, and design extension condition. And as at last resource, really lose control of the plant and release radiative to environment, we have to have means to protect the people with some pre-implementation of some emergency activity and relocation of people, sheltering, all these measures. So this is the flow diagram of the defense in depth. I'm sure you have seen this already, but it's important then you will understand immediately why to discuss a little bit again. Then effective implementation of defense in depth requires at all levels, one to five, conservative approach, large margins, that is conservative approach means implement enough margins, large margins, quality assurance, and safety culture. This is something general that applies to everything. So this is, I will try to give you what is the rationale behind the safety requirement, what is the origin of the safety requirement. And these are what we call the main pillars of the safety or nuclear power plant design. You see first the fundamental safety principle that is the objective, we have to achieve some telephone number. Then the three fundamental functions, that means what we have to do to achieve that objective, and then the defense in depth that says how. So objective, what to do to achieve the objective and how. The defense in depth tells us how robust the plant is, how many barriers we have, how many control systems, how many safety systems and so on. And you see with all the requirements, all the requirements we have is really an explicit demonstration of this achievement of these pillars. So all the requirements are saying how in the defense in depth we have to keep the safety function to meet the objective. So this is really the origin of all our safety requirements for the design. So these are very general concepts but we have to keep in mind. And these things are very important when you for the first time have to assess the safety of a design for which you don't have any experience, for which there are not so many rules already written. Then how do you, where do you start? You have to prove in any circumstances that you meet always the safety, the fundamental safety function and do this with high reliability, applying strong concept of the defense in depth. So why these requirements are so important? First because they define what I've discussed so far. They discuss the show and define an effective safety approach and establish the safety level. If a plant meets all these requirements, it's a safe plant. If it doesn't meet all these requirements, it's a plant less safer. It exceeds these requirements, it's even safer what is required. But this is, how can you say a plant is safe enough? When a plant is safe enough? Some people say, oh, when the core frequency damage is 10 minus 5, but it's not sufficient. That is not sufficient. A plant is safe enough if you meet all the requirements for the design. Of course, I'm talking about the document of the agency, but member states they have different sets of requirements. 99% of times they are very similar to this, maybe with some specific changes. Reflect the state of the art because these documents are revised periodically. So all what is new deriving from knowledge deriving from research programs or from experience from accident that happened are maybe with some years of delay, but they are incorporated in the standard at the agency. Reflect the views and the licensing practices of the majority of the member states and reflect a large consensus. This is a document that has been approved by all member states of the agency, has been approved by the Board of Governors of the agency, so that means there are or less everybody agreed on this. Then provide the links with the requirement for site evaluation and for operation. Because, of course, the design is affected by the site. Because the external events that are generated are possible, will be generated in a specific site, will affect the design. Because the level of earthquake that you have in one site is different from the level of earthquake you have in another site because the seismicity is not the same everywhere. So the loads induced by the vibration of the earthquakes are different from one site to another. So this, there are some requirements that link the rule of the design with the hazard evaluation derived from the site evaluation. And the same for the operation. The design should provide the possibility to write proper operating procedures and should also provide a plant that can be operated easily. Because we can design a plant that is almost impossible to operate. And it's providing for easy and safe operation over the lifetime of the plant, taking into consideration all the degradation phenomena due to aging and so on. But these are quite general concepts I think you are familiar with. But nevertheless I think it's better to have a review of this. Then is the main reference, at least one of the main references to conduct the safety review services that we have at the agency. So the agency sometimes is asked by member states to review a design, to review a safety analysis report. And the agency is providing this service but using as main reference the standard of the agency. And then provides some recommendation if there are some problem. The agency provides some recommendation on how to achieve better compliance with this document. And as I said before is the basis for a safety assessment of a nuclear power plant. Another important aspect that significantly contributes to establishing just in finish this statement and then with you contributes to establishing a common safety approach and the common terminology. So this is very important because we are talking, you see this morning, talking about safety system, talking about item important to safety. But I would put another big problem on the table. Defense in depth. I'm sure if I ask many of you what is your perception and what is according in your organization defense in depth you come out with different questions. That nothing is wrong because it can be different. But I think now in the nuclear community everything is interlinked and so it is much better to have a common language that everybody understand each other in the same way. So this is, I think, a very important contribution of this document. Can we try to, unless it's very important to have the question at the end because I think with this microphone going back and forward unless it's a clarification something very important in the moment so we can take this. If it's something we can delay defer to the end I think it's a little better so we can spend maybe the last 20 minutes just having a question and answer. Then this document is used as a basis for establishing the regulatory regulation in several countries. There are countries that adopted the requirement of the agency in their law. Just they made copy and paste. They put the stamp and that's it. Other countries they use this document as a main reference they wrote but they were inspired by this document. So this is another use of this document. The SSR 2 slash 1 is a revision of a formal requirement called NSR 1. Maybe also this was on the market for about 10 years was published in the year 2000. So it's quite known document and you can see the structure of this document. I go very quickly because practically the new document reflect the same structure. In the introductory part when there is explained the main safety objective and concept like defense in that this but this part does not contain requirements. Then we have some general requirements for management of safety, technical requirements, requirements for plant systems and these are like Tony mentioned this morning, is a series of statement with the shell. Each of these requirements has a shell. So this is the structure and what was changed compared to this document that was on the market for more than 10 years in the new one. What was really the need to change. And this I mentioned was done before Fukushima so it's not affected by the Fukushima accident. There was of course at least we think a general improvement of the text, some repetition were eliminated. A new style was used in the requirement. If you look at this requirement now there are some bold statement and then underneath some statements like normal character. All are requirements. There is no difference of importance. But the bold the requirement in bold character are more general and we call key requirement. So the other are really more supporting of this requirement and better articulating and explaining the requirement. But all requirements are important. All of them should be fulfilled. There was the independence was more enhanced the independence of level of the defense in depth. When you think about level of the defense in depth you have to think that in each level of defense in depth there are systems there are structures that perform what is required by that level. So when you say independence of level in reality you want that system that act in one level are independent as much as possible from system in another level. So if I have a safety system that works in design basis accident and I have another system we don't call safety system but works in severe accident this system should be independent. The problem is to which level we want to reach independence because absolute independence is not feasible because we have only one operator in the plant we have only one containment in the plant. So we cannot have one operator for normal operation one operator for BBA one operator to make you understand that is almost impossible to reach the absolute independence but when you enter in the level of system we are talking about supporting system that compress their electric power I mean to have a full independence of this that means you have to feed some components with one line electric line you have to feed a system from another independent if you have emergency power to feed some system you have to have complete independent power for another system and then all the IC should be independent and so on but what we say this is a sort of objective just to to reach as much as possible a goal to reach as much as possible to get closer as possible to this but having in mind that the full complete independence is not possible but to some extent can be done so this is and on this aspect I think we have a dedicated lecture at the end of the week so you will go into this in detail with many examples so you will see this again then we have requirements for interfaces between safety security and safeguard but at the end we design only one plan only one design so this design should meet all these requirements at the same time then requirement for auxiliary systems we added and then detailed description of conditions so we spell out the design basis in more clear terms we modified a little bit some definition we include a new definition like accident condition and design basis accident and we are always very clear explicit distinction between systems for DBA safety systems and system for design extension condition I come back to this safety feature for design extension conditions and we introduce also qualitative radiological acceptance criteria for different plant conditions this was not in the preview so some very important topics have been clarified and enriched with more information the structure of the document is the same as before we have introduction and more specific requirements coming from the defense in depth this is the defense in depth according to INSAG 10 that Tony presented this morning and you see here we have the five levels and there is the objective we have to reach in each level and what are the means that are implemented into the design to reach this level and now there is there is a correspondence between level of the defense in depth and plant state so when we say level 1 people associate level 1 with normal operation level 2 is transient anticipated operational currency level 3 designed by accident but this is artificial there is no reason to do this link we can even more the level of the defense in depth but this is a practice now everybody is following this so also our requirement also in the requirement you don't find strictly this link it's not explicitly said but this is a common practice so I think I encourage you to follow now with SSR 2 slash 1 we introduce a new a new element a new category of accident that are these design extension conditions without core melt and we have to find a place in the table of the defense in depth the easiest way let's add another level of the defense just dedicated for that why we have to have 5 level we have 6 and it was a proposal of some members state they said put a new one and others said no split level 3 and because these are the design extension without core melt that's practically like very similar to design basis just one failure of a safety system more but I mean it's the same beast so put a level 3, 3a and 3b other people no no no why you have to don't touch level 3 that in my regulation is frozen I don't want to touch my regulation why don't you split level 4 and put there okay put where you like is there but important design is what you do in your plan in your design to deal with the situation this is what important it's not important if it's 3b, 4a, 4c or 7 that doesn't matter so that is something I think you should bear in mind so these are the content of the design requirement as you see the structure is very similar to the old one and practically you can go through the book we don't have to bother you now with this list coming back to the requirement to the plant equipment that Tony showed this morning I just want to add a little more things why first of all is important the distinction when we talk about plant equipment this can be structure system or components so rather than say SSC we say plant equipment but these are the same the same meaning but the first important subdivision is between items important to safety and items not important to safety what is the difference the main difference between these two if an item important to safety fails you have some radiological consequences these radiological consequences can be very small, very large it depends but you have some consequences if the item not important to safety fails you don't have radiological consequences if the kitchen of the nuclear power plant fails you don't have lunch but you don't have radiological consequences so this is not important to safety but the another important factor is that for the item important to safety you have to apply the classification so for these items you have to say how important to safety the item is so you have to rank the important to safety of course the other you don't care and then of course we have under this we have safety related systems and safety system we discuss this morning I mean all these are items important to safety but the design rules that we implement in these categories are in some cases completely different we have very strict rules Tony mentioned the single failure criteria that is a requirement for safety system is not a requirement for other safety related system so this is very legal in the licensing implication very important this subdivision but I mention one important criteria but there are many others because the classification is completely different the way you make maintenance in a safety system is completely different from the way you make in other items important to safety and so on the quality of the items the codes that are using are different and so on so there is this we keep this distinction so let's see now what are these plant states of that we have to consider for the design of the plant this is things you know very well we have operational states in accident conditions the operational states are normal operation I'm going to explain to you what normal operation is and anticipated operation occurrences these are these deviation from normal operation but you can predict you know that happens and happens quite frequently at least some happens once per year or even more it depends on experiment during the the life of the plant that you have designed basis accident that are more important accident that have serious consequences and they are asking you how many design basis accident do you think will happen in a life of power plant but I should cover the table below but anyway once, twice, ten times and the times what is your perception everybody sleeping or what no one this is something that should not happen so this morning we will say why we put so much effort in the item important to safety don't rely on the safety system because we don't want to reach that level so the design basis accident something very rare we showed that severe accident have been more frequent than large DBA we never had large break locker in a plant large pipe that broke and that never happened and we studied for years and years and even Tony developed code to start this accident and this frustration this accident never happened there is a good point it is good that it did not happen but you see we put a lot of effort in some situations that are very rare in the plant there are the most expensive system in the plant are to deal with this accident that never happened and we hope it will never happen again but anyway so the plant is designed for these very rare events and the plant is designed also for some more severe situation that can be an evolution of design basis accident because the design basis accident is controlled by the safety system very well designed with the single failure criteria but you can have also a redundant system if you lose the power you lose all the systems and so that means that you can anticipate that you have to face situation that are more severe than design basis accident so you have to know what to do and this situation more severe than design basis accident we call design extension condition because there was an attempt to extend the range of situation for which we designed the plant extension condition this can be without Kormel and we can be with Kormel then I give you some example so you know exactly probably you know some of this but you don't know that are deck but you heard about this and in the table you have some indication of the frequency, the range of frequency that can help to group this event and so let's see now what happened to this from switching from moving from NSR1 to the new requirement you see in NSR1 we had normal operation anticipate operational currencies and DBA and then of course severe accident was already included because severe accident have been addressed in nuclear safety and in design of nuclear plant for long time it's not something new but before there were no in the plant specific system specific features designed only for severe accident in front of severe accident we were using the system that were already in the plant because they have already a lot of margins they can work in condition more severe as those consider in the design and so on there were measures of accident management I'm sure you are familiar but there were no features designed for the severe accident so the severe accident were not part of the design basis of the plant now we change this in SSR2 slash 1 you see now the design extension conditions are part of the accident condition that we consider for the design that means of course not all system the system that are important to deal with severe accident should be designed for severe accident what is the most important system to deal with the severe accident or the most important structure the most important component in your view think when you talk about severe accident we have imagine a molten core a molten core that can be even outside of the vessel that is the situation we have to face how you deal with this you deal with the containment but you know you understand that the containment should be designed in particular way to deal with this situation so that means the core melt situation at least some of this should be the design basis for the containment should be capable to keep a molten core to cool a molten core and to avoid that there are reactivity excursions so we have to design for this so this is a big step this of course is already implemented in the modern plant the latest plant in the market now they already have this concept maybe they don't call deck, they call somewhere else but this is already there but in old plant most of operating plants in the world this was not the case so this is a big step and it's a big step but there is also very strong important economical impact it's not something that so that is I think one of the key point that you have to bear in mind so this is I think probably one of the strongest changes now here in this slides we try to show you what are the the factors that provide input to the design basis of each set of structure of system and components the for example the design basis of the equipment sorry of the equipment for operational states is derived by the normal operation conditions that means the power the pressure of the fluids the pressure how many transient I have how many changes of power and so on and this gives the input to design correctly the system for normal operation this is only a part then of course we have also the majority of transient because we include in the operational states also the anticipated operational occurrences so these provide input in this system but they are not the only input of course this system should work in presence of loads to do internal hazards or external hazards can be an earthquake can be a flood, can be strong wind and then we have some criteria some margins that we apply only to this equipment because the margin for example just to mention in the morning again the margin that we require for this equipment is different from the margin we require of this not all equipment is designed with the same rules it depends on the function of the equipment so for the safety systems you see the main input come from the least of the accidents we have to mitigate from the earthquake either for this system and for the criteria that Tony mentioned some criteria of maximum temperature of the fuel, maximum oxidation and so on all this help to design this system provide the input to design this system and the same for the design extension condition let's focus more on those with Cormelt because for this the situation is very similar but for this condition we have really to design some feature to mitigate Cormelt and mitigating the Cormelt means to deal with the phenomenon associated with the Cormelt because if we have a Cormelt means that we have hydrogen generation because we have metal in contact with the steam so we have hydrogen generated before the Cormelt but if you have a Cormelt so you have to deal with hydrogen you have to recombine eliminate whatever you want to do so to deal with this you have to design something to deal with this situation so this is a feature or if you want to retain Tony showed this large cavity but the cavity cannot be with the plastic on the bottom should be designed to contain a molten core high temperature and this very aggressive material so you have to design for this and you should know exactly what kind of accident you have in mind so you see the defined the design basis of each group of this SSC is very complicated because they are affected by many many factors and they are they are different for each of these and the approach is not the same everywhere in the world there are different approaches so it's not so simple so now I won't just go through a couple slides and try to to show what is really the main different, the main implication between the considering the DBA and the design extension conditions DBA I mean is very well known because it's a classic now all plants are designed for DBA so everybody knows that is a set of accident postulated means we assume that this accident will happen so what do we do? we design some system to deal with this so the DBA are used to define the design base of the safety system we have seen there and to bring the plan to control to control this accident this system we have said already have designed with the application of single failure criteria key parameters do not exceed the specified design limit these are always, these are limits imposed by the safety authority and during the evolution of this accident you should not exceed these limits of course you have to make all the calculation how the accident evolves and demonstrate that for example the temperature of the cladding should not exceed a specified value the enthalpy of the fuel should not exceed specified value the thickness of oxidation in the cladding should not exceed a specified value this is really important because it is important for the licensing that the safety authority will review all these results of the safety analysis and verify that the plant is really designed to meet this criteria and another important thing is that the design base is accident shall be analyzed in a conservative manner conservative manner implies that you include the large safety margins so this is the design basis but what is another important point what is the radiological impact that now in a modern plant we can accept in condition of the design basis accident the design basis accident should not have any relevant impact outside of the plant that means I try now to be a little schematic that means if the farmer is working close to the site for nuclear power plant there is a large a large break locker in the plant thousands of lights in the control room the farmer can continue to dig his field practically that is what we are at least from a technical point of view so the plant should have intrinsic capability to deal with the situation without exceeding the level of of releases or exceeding by very little the level of releases that we accept for normal operation during the life of the plant so imagine how strong this feature should be it looks very few words here but to implement these few words it is not easy because in some countries design basis accident they are evacuating for many kilometers around the plant so that is that was the old situation I forgot to tell you this is very important what I am saying now is applicable to new nuclear power plant so the nuclear power plant of the last generation of course this requirement cannot be met 100% from the majority of existing plant although some of them they had some backfitting program they have been improved but still many of them cannot meet this requirement this should be clear so then is is just a responsibility of each member state of each safety authority to decide what to do in the case of old plant so now if we are going to the design extension condition so this situation more severe more or less we already said what they are think about when we talk about design extension condition these are always in the large majority of the cases situation that occur in case of multiple failure not just one single failure because if there is one single failure the system of the plant the safety system can be because they are designed against a single failure the redundancy but if I have multiple failure if I have two trains of emergency cooling systems and both of them fail for any reason can be an external event so I lose the power in both of them if they are powered with electricity so this is a situation more severe and since the experience proved that some sequences of multiple failure have a frequency that can be higher that some single failure event think about that the large break lock you know one big pipe has a probability frequency of occurrence better to occur that is lower than to have a station blackout station blackout has been experimented in several plants these have two diesels or three diesels diesel generator they don't start or two don't start only one starts and so on so there are situation just extrapolating as I said before we had several severe accident molten core starting from TMI and then Ratcher Nobel and then Fukushima and we never had a serial DBA design basis accident so it's something that it's the reality that is teaching us that this can happen and so we have to do something so the main purpose of the design extension condition is to ensure that accident condition not considered DBA are prevented or mitigated as much as possible we use the deck this set of accident to design the feature to mitigate the deck at least in the safety requirement of the agency the systems for design extension condition are not required to apply the single failure criteria so we are more relaxed but there are already some member states that implement the single failure criteria also for the feature for for deck and design extension conditions can be analyzed with the best estimate I think during the session on safety analysis accident analysis you will be explained much better these terms if you are not very familiar with conservative approach and best estimate approach but it's more relaxed approach more realistic there are less prescriptive rules to be followed just you make a physical analysis of the phenomena and you design with that without including this additional margin that the authority has to do it so this is a big difference also if this is still this is what is in our requirement now but maybe if we will stay like this forever maybe it will be criticized and adjusted in the coming years but that is the situation now and what is the qualitative success criteria for the design extension condition first is that the integrity of the containment so the containment should keep should be not leak tight as in case of other accident but should keep the integrity at least the structure integrity maybe some leakages are allowed but the integrity should not collapse the containment should cope with the core melt situation we said this before and should allow to bring the plant in a controlled state regarding the radiological releases radiological releases of course we cannot guarantee this situation we can meet the success criteria that we use for the design basis accident but should be such that we don't have large contamination or heavy contamination of large land and everything should be limited in area space that be affected by the accident and time so it's not acceptable if you have a situation of core melt in a plant that you have to evacuate large, very large area for a very long number of years very high number of years this is not acceptable so the plant should be such that also the environmental the environmental damage and the impact on the population and the life should be limited in area and in time we don't specify a level of requirement the numbers but the designer can specify some design objectives for different category of accidents or you can find something in documents at the lower level at the agency at the technical document you can find some value so you have an idea what are the level of releases and levels of doses we are talking about so I think this is something very important I hope this so now here I included some example of this so you realize what is this this new term and what kind of accident in the deck without Kormel we have first line anticipated transient without a screen this has been considered for decades in the design on nuclear power plant was not called deck that is a situation we have a safety system and the safety system fails you have one of the shutdown system doesn't work fails or doesn't work correctly so you need something else to deal with this situation this different way to deal different kind of reactors different way to deal with this situation but this something due to a multiple failure that you have to consider design another very common deck that has been considered for years is the station black out you have a loss of power external power in your plant so you need to supply to supply power to your systems then you have your emergency emergency diesel for some reason this doesn't work then you have the plant isolated from outside from the power point of view and you have emergency diesel doesn't work so you have to cope with this situation and of course is a multiple failure because the diesel normally are considered a safety system so you have more than one so to have the station black out more than one failure one failure is not sufficient and then you see there are there are other there are other sequences but this is very strongly designed dependent each design will have its own list of design extension conditions and this also strongly dependent on the country each safety authority can have a different view include one more, one less so this is really you have to consider this this list is not frozen for every for every plant so is a little different than the situation that we have for design basis accident that are more or less very well recognized by everybody but this is still is still under discussion then regarding the core melt also in this case what we say we have to deal with the core completely core molten core we have to deal in the containment but we cannot deal with all possible phenomena like this very severe phenomenon like the hydrogen detonation or the direct containment heating in the in the containment large steam explosions so we have to do something to eliminate to screen out this phenomena to put in the plant some features that make this phenomena let's say between brackets impossible so and then we cannot design the containment for whatever comes to your mind because then you don't build any nuclear power plant so but we have to to select some specific situation with molten core for which the containment has to be designed so these are part of the design nuclear power plant so I hope this helped you a little bit with this design extension conditions but I can anticipate that also this will be matter of a specific presentation at the end of the week so will be very good that you go back to this concept and explain with different words and with much more detail so what happened after Fukushima what was the effect of this accident on our standard the agency the agency as I said before started general process to reconsider all the standard and we prepare we have just published recently report what is the title of the report on Fukushima Tony Tony was one of the authors this big report report on Fukushima accident yeah this is a very comprehensive report it's five big volumes plus one smaller volume general volume that I suggest you really to read because it's very very interesting it is available you can download from the site of the agency this was just presented the general conference in September at the agency so it is something very recent but very comprehensive so if you are interested I think I recommend you to have a look at least of the general part because it is very very important document so after all this consideration and after all these studies we made some changes in the requirements and the work on the requirement has been completed so all the requirements for site evaluation for operation for design have been already revised and are ready for printing I don't know if someone is already printed and the revision of the safety guide is in progress now we just started so let's see what are the main areas that have been affected first let me say the changes introduced are not too many we could survive even without making these changes but this improved the clarity of the document and explained better something what the designer or the safety assessor should do regarding the defense in depth is further enhancement of the independence of level 3 and 4 that means that the systems that are dealing with design basis accident should be I say completely as independent as practicable from the system to deal with core melt situation that means independent means that the source of power of these systems should be independent we should not require the use of emergency diesel generators that normally we are in the plant for DBA to cool the core in a molten core situation we should have an independent source of power we should have independent INC we should have independent direct current battery system so you see the implication on the design implication of cost of a statement like this is very strong but on this I think everybody our member state agreed now is a law but I talk about electric power but we can stand to other aspect the external events in Fukushima the level of earthquake and the flooding that was caused by the earthquake was really much higher than was considered in the design basis of the plant what resulted for many reasons and in the report of the agency you will understand what these reasons were so we ask that the all items important to safety are designed with large margin against external events in the old requirement this was limited to the earthquake now we extended to all because I mean Fukushima the cause of the accident was not really the earthquake itself but the damage of the plant but caused by the tsunami by the flooding the plant responded quite well to the earthquake because of the big margins already used in the seismic design of the old structure and the system of the plant the design and then we introduce a new category of equipment that we call ultimately necessary so this set of equipment that you are in a very degraded situation with a molten core loss of external power big external events there is a set of equipment that you would like to survive to this first the control room because if you lose the control room there is no way you can do anything the control room the containment the ultimated sink and the way to remove the heat from the container so these are these are features that used to never lose and what we require you should not lose this feature even if the external events exceeds quite a bit how much we don't say but quite a bit what you consider in the design there will be a responsibility of each regulator each designer each member state to design how much this value can be, how this value can be determined but we will say look this is the last chance you have to limit the release so do the maximum the best you can do so this is something now is a level of the requirement the reliability of the ultimated sink this is just refinement you see regarding the station black out the plant should be equipped with a dedicated source of power for deck with core melt we say for deck in general dedicated source of power so even if you lose all the source of power on the same basic accident external power on site emergency power you should dedicate separate different system to feed the feature for severe accident but we are not happy with this and we say something can be even worse than the worst deck that you that you can think about so let's do add the plant some feature that are well say that are not very expensive is not true but some feature that can help you in the case of extreme difficult situation to supply power to some critical equipment of the plant or supply cooling to some critical critical equipment of the plant in Fukushima they were from the fire brigade from outside try to put water in the pool of the spent fuel in one plant so if the plant had one extra line to connect the line to this pool from outside this would be very easy they didn't put this in the original design because they never thought that it would end so now after these lessons they said okay even these are very remote are very hard and should never happen a plant but it's better that the plant has this capability to connect possibility of cooling and the possibility of supply power to some equipment this is not part of the design this equipment should not be necessary to deal with this situation that you consider in the design but something that you didn't think about something that can happen it can exceed your imagination so these are important points and now if you read the revision one of SSR 2 you can see this new requirement if you compare with the old one then we made some modification already mentioned to you the very slight modification accident condition because they include the deck so we had to change the definition to include also the deck but then the new definition of safety feature for design extension condition of course this definition was not there when the deck were not considered then we also included the definition of control state and safety state so these are I think concludes my presentation only few of you are sleeping so it was not so bad about 3-4% so it is physiological