 So, we are going to start the afternoon with two presentations I was asked to give about the design requirements for nuclear plants of the IAEA. So, over the time I had to change a bit the focus of the presentation because I also... No, no, that's nothing. Sorry. Excuse me. Hopefully it is that one. Okay, so I changed a bit because there has been some reorganization of the draft agenda and a number of topics related to the requirements have been previously presented during the week. And then I have seen, I mean, there's going to be a bit of an overlap, but I try not to do too much of an overlap. So, the first presentation is going to be about the requirements themselves. The requirements are something that is very dry, one by one, what is the requirement. And it's not very, I would say, beneficial or nice or attractive that I just read so you can read in a document without providing further elaboration that also will take a lot of time. So, I'm going to say something about the overall perspective of the requirements. Why do we have the requirements? Why are they important? For what are the requirements and so on. And I will go into some specific topics and then some details of some of the general requirements, principal requirements and so on. And then we have requirements for every system, every system important to safety of the plant, specific requirements for every system. I will not go into those details because it will really take very long and it's not really going to have that much just requirement by requirement. So, I focus on the general picture and some of the concepts and then we are going to be elaborating more in the second presentation that is based not on the standards of the IAEA but based on some further detailed work that we have in a TECDOC that we are developing. So, I'm going to be tech talking later about these topics of design extension conditions and so on that you have heard as well and has been outputting my presentation. 
So, for the moment, I will try to give you a perspective of the document and some insights into the most important requirements. Sorry, wrong direction. This picture you have seen it. You have seen it because Marco has presented it to you. I gave him the picture but Marco Gasparini was the person who developed the requirements in SSR-2/1 and he retired in 2011 and in this regard his successor. The requirements for design were approved shortly after the Fukushima accident but we had them practically finalized. They were approved in September 2011, a couple of weeks after Marco left. So, this is his work. Requirements for design relate to the fundamental safety principles. They will have 10 principles and one safety objective. This has been explained to you and there is one, number eight, related to the prevention of accidents, and for the prevention of accidents, the requirements for design are very important. I will not do this. This is the evolution. The previous requirements were from 2010 and the new ones are 2012 and now we have been revising them after the Fukushima accident to take into account wherever necessary some lessons learned. We took some lessons learned. I think that the Japanese are those that should be taking really the lessons but to be proactive we have reinforced some things, but in fact if you compare the design of Japan with the standards of year 2000 there were some things that were not taken into account by them. So, this revision has been finalized this year. They are approved and we are in the final editorial process and there is a commitment of the IAEA to have them printed with the stamp with the date of 2015. So, hopefully we succeed. We have two months to do that. So, but we are at the end. Good. Under these requirements, as was probably explained to you, we have a collection of safety guides that we are now revising to make them consistent with the new requirements because currently they are consistent with the previous requirements. 
It's not that there's a revolution in the requirements. It's not that everything has been changed. It is more that we have reinforced the requirements and we have reorganized them and put them in a more logical manner. Now, as you probably have heard, these requirements are primarily based for light-water reactors, for water-cooled reactors. We think always light-water reactors but there are also heavy-water reactors there. Land-based water reactors. But maybe using some adjustment to other reactor types to determine what is the essence of the requirements, how they can be applied. Actually, this is a work that is being done for developing new requirements for generation four reactors, for these fast reactors, sodium fast reactors and so on. Starting from the requirements of the IAEA. Trying to see what is the rationale for those requirements and trying to elaborate requirements for generation four reactors. The new requirements may be not applicable to existing... I mean, not easy, not practical to apply to existing nuclear power plants because there are some things that are difficult to change. Sometimes you can upgrade your design but sometimes you have limitations. So if you want now to design existing nuclear power plants to be able to withstand severe accidents, you may not be able to put something like a core catcher or something like this. So it is sometimes not practical to apply in full all the new requirements. But for others, there are backfitting programs, there are refurbishing programs that can be implemented, for instance, in the context of the periodic safety review. Now, probably has been also explained, I don't know, why are the requirements for design important? The requirements for design are particularly important because they establish what is the safety level for the design of nuclear power plants. They reflect, they try to reflect the state of the art. 
They reflect the safety measures that are being implemented in the newest generations of reactors that are being licensed. They reflect also what are the views and the practice in licensing of the member states for these reactors. And these are, as many other IAEA safety standards, documents of large consensus. It's very difficult to reach this consensus sometimes but it is a document of consensus. And this one in particular is important also because it establishes the links between the requirements for site evaluation and the requirements also for operation of the plant after it has been designed. So it takes into account the impact of the site on the design and then so the requirements for design are also there to facilitate the operation of the plant. They are also the main reference to perform design reviews, not only via IAEA but also can be the basis for the member states to develop their own regulations and their own review processes. And also the requirements contribute after all the discussions to establish a common safety approach and the terminology. Our standards are sometimes adopted by international regulations. Mostly there is not just an adoption, there is some consideration on the requirements for analysis of them and they are used to develop their own national regulations. And in fact recently for instance we have been requested to review and compare regulations in some countries for design with our standards. Okay, this you have seen, this is the structure of the requirements, how they are done, and we have a part with introduction and principles and concepts. Then we have requirements for the management system of the design. Then we have requirements applicable to all the SSCs that are important to safety, divided into sections. Those are mainly those that I'm going to explain now and then we have requirements for specific systems. 
So and there of course we have requirements for every important SSC, plant system, from the reactor core, the reactor shutdown system, the cooling system, electrical system, instrumentation, auxiliary systems and so on, all of them. So this is how we have this distributed. I think Marco has shown them to you and as I said I'm going to be concentrating on this general plant design and principal technical requirements. And requirements of the IAEA use the "shall" language and now in this new system that we have in this new generation of requirements we have reduced the number of requirement statements and we have some overarching requirements and some other requirements that elaborate on the overarching requirements. So basically here what I'm going to explain is always the overarching requirements; the details, normally I will not because it will take too much time. Only in some cases I will provide a bit of an explanation. I'm going to repeat maybe some of the concepts but this is important because in the next presentation and so on I'm going to be focusing on these topics of defence in depth and the different plant states and the design extension conditions and so on. 
And this, the subject of defence in depth, I know you heard this before in this week. It's come, of course this is a concept that is very old, as I said before, has been used in the military and in other technical areas, but in our case it's something to start developing more thoroughly about after the Chernobyl accident, and it is indicated in the fundamental safety principle number eight, which goes about the prevention of accidents, says that all practical efforts must be made to prevent and mitigate nuclear or radiation accidents, and after that it says that the primary means for preventing and mitigating the consequences of accidents is defence in depth. And defence in depth, normally people associate it with barriers, which is true, but the defence in depth as such is not just the barriers; you can have defence in depth also in other contexts without barriers. So defence in depth, the way it should be understood, is implemented through the combination of a number of consecutive independent levels of protection or layers of protection. We will see that not everything is a barrier. What happens is that at the end, to protect the people and the environment from the effects of radiation protection you need barriers, you need this, sometimes you need confinement, otherwise you just need shielding, because nothing escapes from the source, shielding is what you need, and the alternative to barriers is distance, but distance is not practical because you are not going to be kilometres away from the source and sometimes you need to be close. So at the end, if you take out the distance, you need barriers, and the barriers of course depend on the source. This can be a nice barrier for alpha particles. I hope the water is not contaminated because I am going to drink. But in reality, when we deal with the reactor core, with the fuel, we need several barriers because these barriers may be challenged. These barriers, normally what happens is that they enclose internal energy because we have a lot of heat in the 
fuel, because also we have heat and pressure in the primary system, because also we have the barriers can be challenged from outside, so we can also have an aircraft crash. So barriers also prevent the release of radioactivity because of an external agent on the installation. So we have the barriers because they are necessary and we need to protect the barriers. For protecting the barriers we need to take care of the external hazards, the aircraft crash for instance, but we also need to take care of ensuring that the barriers will not fail because of the internal energy that is inside. All of these things are very well known to you, but this is what it brings inside the defence in depth, the two things: that we need barriers and we need to protect them. And for protecting the barriers at the nuclear power plant we need to fulfil the so-called fundamental safety functions that you have had. So if you control the reactivity you are controlling the generation of energy, if you control the core, the cooling of the fuel, you are controlling the removal of energy, and then if you maintain the integrity of the barrier in the place where it is, you confine what is inside. So these are the three things and the so-called fundamental safety pillar or something like this Matthew Marco, I saw on the slide he explained it to you. So I'm going to go a bit on the requirements. Having made this comment, it will be there seeing some of the elements of defence in depth. The management of systems, we have three requirements, but I'm not going to provide any details. So the question is who has the responsibility for the management of the design. The primary responsible for safety, you always know, is the licensee, so at the end the responsibility is transferred to the licensee. So the licensee is responsible that what he submits or submits to the regulatory body has to ensure that meets all applicable requirements for safety, and for doing that it has to ensure also that all the safety requirements that were 
established for the design are considered and implemented through all the phases of the design and also so and so, and that if the final design meets the requirements it has to make sure that the requirements are maintained, requirements for design are maintained through all the lifetime of the plant, and for doing this the designer and then the operator need to develop a management system. We have some of these requirements that develop this in more detail, but I don't think this is what we want now, to go into the detail. I'm going to talk about its principal requirements. These are nine requirements we have now here, and the first one is about the fundamental safety functions and it says we have to fulfil them or ensure that the fundamental safety functions are fulfilled in all plant states, so they must be always fulfilled. Of course, I mean, you could say, well, if you have a reactor meltdown at some point I have failed the removing of the heat, and you are right, but even though at this moment you have failed this function and you have to make sure that you confine the radioactive material, you need in the long term to re-establish and to make sure that you are going to continue cooling the fuel and for sure make sure that the reactivity is under control, because otherwise you will not be able to confine. But without having failures we don't go into this place, to this point. These functions must be always fulfilled during normal operation, abnormal operation, accident conditions and so on. So this is why by fulfilling these functions is the way you ensure that the barriers will not fail. So what you have to do is to have identified what are the systems that you have in your design to fulfil those functions. Of course they are designed with some criteria, it comes later, and you need to have always, the operator needs to have, the design has to provide for ways to monitor that you are fulfilling this function, so you have to be able to know that you are cooling the core, that the 
reactivity in the core is controlled and the status of the containment and so on, the barriers and so on. We have requirements for radiation protection in the design because of course it's not only about accidents but also during normal operation the doses should be minimized inside the plant, also for the workers and for members of the public, so the way to do this is to establish measures already in the design. But the topic I want here maybe to emphasize to you, to talk because it is of interest, is that we have included the requirements to establish measures in the design in a manner that accidents that can lead to high radiation doses or large radiation releases are practically eliminated. So and this is of course difficult to achieve and this is the topic of the design of safety systems and these safety features for that. We are going to be discussing this point later, but it is the first place where we find something like this now in the requirements for design. In design for nuclear power plants we have requirements saying that the design of nuclear power plants will ensure that the plant and items important to safety have appropriate characteristics to ensure that safety functions can be performed with the necessary reliability and so on. And so that means this requirement is going to tell us that you cannot install any component there, so for meeting this reliability you have to be complying with a number of design codes, you have also to take care that the plant does not exit or have to take into account the capabilities of the operators and so on. This is a whole thing. Then we have a requirement for defence in depth, so now when it comes to the implementation of defence in depth, and this tells us that we have to implement several levels of defence in depth and the levels shall be independent as far as practicable. This is natural and logical because if you have several levels of defence and they are not independent then they don't contribute too much, because if you fail 
one level and fail because of something that affects the second level, so the second level may fail and so on, so there can be a cascade effect. The problem is that it is not always to make sure that those levels are independent and important limitations, so this is another topic which is explained in the next presentation. But to tell you something, for instance, just to give you an example, you have an earthquake and the earthquake affects all the levels of defence in depth, and the operator is there and is the same for when operating all the systems and so on. And if you want to go into more system design considerations, you cannot afford to have a containment for design basis accidents and another containment for severe accidents, so sometimes you are forced to share some systems. But there are other cases in which you don't need to share but some designs share because of course it's more economic, more practical and so on. But now the requirements, we say that they shall be independent as far as practical. Now the question is what does it mean, how independent is independent enough. So we have this requirement and say that relaxation shall be justified, and then of course when you have the levels of defence in depth you cannot just rely on the last one, you cannot weaken the level of defence in depth thinking, ok, I have others, because otherwise this spoils the concept of defence in depth. Now it says something also about some aspects of the defence in depth provision. It says that the designs shall provide multiple physical barriers, as we know what are the physical barriers, from the fuel, the reactor coolant and boundary, the containment and so on. It says about the quality of the equipment participating in the defence in depth measures, the high quality for preventing the failure, for preventing accidents. It says about the conservatism of the analysis and the design and the construction and so on, and then it says also about the preference in the use of measures, so if possible you should 
rely on inherent aspects of the design that, for instance, you know, the coefficients of the fuel, coefficients of the moderator. If not, you can rely on systems. The activation of safety systems should be minimized because you don't want to go into accident conditions. If you have to go into accident conditions there are requirements for automatization so that the operator doesn't need to be taking actions from the beginning and is overloaded by the situation and so on. So maybe the final one is also that the fundamental safety function, there should be several means for reaching or ensuring each of the fundamental safety functions, not just by one system. We come here into the application of the defence in depth and we describe in the requirements the five levels that probably have been explained already to you, and in some of the levels we introduce the concept of design extension conditions that we will go now to explain. But the design extension condition is something that we have introduced in the design, we have implemented some provisions in the design to deal with situations that go beyond the design basis accident, for preventing the core melt or for mitigation of core melt. So when we put there some more provisions in the design there should be some independence, and here's where you have a requirement saying that what you add should be independent from the safety provisions for design basis accident to the extent possible. As I said, you cannot put or not practical to put two containments, but in that case, for instance, the containment should be designed for design basis accident, so excuse me, for design extension conditions, for conditions involving core damage. So interface with safety and security is important but I'm not going to explain. The same with proven engineering practices, that you have to be using applicable codes and standards in the design. Safety assessment probably comes very often here in the discussion. It is important to conduct a comprehensive safety assessment 
both from the deterministic point of view and also from the probabilistic point of view to ensure that all relevant safety requirements are met by the design of the plant, and not only at the beginning but through all the stages of plant life. So these were the general requirements. Now I'm going to explain also some requirements that were principal technical requirements. These are general for the plant design as well and you go into some topics that you have seen already in the previous day. You have to define these categories of plant states and these are group, you group them by frequency and impact. Normally of course the more frequent is some condition, the smaller can be the consequences of these conditions happening. We use here the language of the IAEA. We know in different countries sometimes they have also different categories. Here we use these two groupings of operational states and accident conditions. In operational states we have normal operation, and normal operation needs to not be confused with the operation modes of the plant, so when you are refueling or cold shutdown, hot shutdown, etc., these are operation modes but still this is normal operation. Being in shutdown is not an abnormal operation. So then you have the anticipated operational occurrences, that this is something, conditions you expect to happen during the life of the plant. You design for them. And beyond that we have the accident conditions, and there we have design basis accidents and design extension conditions. This has been explained to you, but so for each of the conditions you assign some acceptance criteria regarding what can be the radiological consequences and can be also the impact on the fuel. So when you are in an accident condition here, in a DBA, you don't have the same requirements for the impact on the core than in AOO, so here it's possible, you have a large LOCA, you are required to maintain the geometry of the core and have the core coolable and so on, so you can even tolerate certain oxidation of the 
cladding and some failure of some fuel pins and so on. So there are some criteria, acceptance criteria, that of course here are more restrictive and even more of course for normal operation. So this is a categorization by frequency, this is less frequent, and then also associated, that is acceptance criteria for radiological consequence. I think also Marco provides on the table some indicative values that we are taking for the European utility requirements. This is important and I think it was explained about what is design basis, because sometimes people speak about the design basis of the plant, which is a bit confusing, like an overarching concept, but in our understanding of the requirements the design basis is for each SSC, for each component of the plant has its own design basis. So when you say for instance that a large LOCA is part of the design basis or something like this, what it really means is that the conditions generated by this large LOCA, the whole pressure on the containment, humidity and so on, whatever debris that goes into the sump, etc., have been taken into account when you establish the design basis of some equipment that has to be working during large LOCA or extending the large LOCA and so on. So when you design there, I don't know, a pump for emergency core cooling system has to take into account which conditions produces a large LOCA, which conditions produces a steam generator tube rupture and so on. The design basis is for each SSC. We explain that later with a graph, I think you have seen as well, what is the design basis and design limits. Now the postulated initiating event, we have been mentioning all the day, and it is important to mention that the design needs to apply a systematic approach to develop a comprehensive set of initiating events, so you have to make sure that this list of initiating events is, I would say, complete, I don't know if it's the adequate word. So for that there are several processes. Of course you don't start from scratch because 
nobody designs a nuclear power plant just for the first time, so we take into account all the initiating events that have been considered up to date, and then of course you take into account a number of things, that the logic matrix of the instrumentation and you do this FMEA and so on, try to see what happens after planning if this fails, if this fails does it produce the initiating event. So you have to be identified, but this is a whole process to identify the initiating events and then ranking them by the consequences and ranking them also taking into account their likelihood, whether this is an AOO, whether this is an accident, because this is necessary for the design. And in doing this process an important thing to remark is that you also have to take into account, I mentioned in the morning, what are the initiating events that could take place also not only because failures at the plant but also because actions of the operator, operators can also produce an initiating event, but possible failures arising from an internal and external hazard. This was the point in this morning, because if an internal hazard or external hazard produces a PIE, an initiating event for which you don't design, you have a problem. Then the ways to respond to initiating events, so preferably, as mentioned before, in the first line inherent plant characteristics, if not take the benefit of passive features, if not then the action of systems in operation, then other systems and finally the safety systems, and if this doesn't help then you have to do accident management, you have to use operation procedures. The internal and external hazard, I think this is something that we have covered this morning, but to come to the topic, you have to design for all foreseeable internal hazards and external hazards and so they should be carefully identified and the effects should be evaluated, and this internal hazard has to be taken into account for the layout of the plant. It's very important for determining the possibility 
initiating event and then for the design of the items important to safety, because this equipment has to be either protected from the hazard or has to be designed in a manner that can withstand the effects of the hazard. Now I'm going just from the red part because this is what maybe is new and I want to also be important to highlight. We have introduced in the requirements, the new one that's going to be published soon, some more restricted or some more demanding conditions for margins, so we say that items important to safety should have adequate margins to withstand hazards both internal and external, taking into account the site evaluation, of course this is for the external, site evaluation, and to avoid cliff edge effects. So now the agency language is always this adequate, sufficient, we never say 20% more, 30% more or something like this. Only quantitative values you will see in our requirements when you go to radiation protection or something like this, but in the design, ok, you may say they play with the words, but this is what we can do or we have accepted. So the way we are emphasizing is that we don't want to see what happened in Fukushima with the flooding or something like this, well, we want to have more margins, that's the lesson learned. Ok, you could say in reality in Fukushima what happens is that the input to the design was wrong, the design basis was wrong, these people didn't take into account the adequate level of tsunami, also not the earthquake, but the margins for the earthquake were sufficient to prevent important failures, but there was no margin for the tsunami, so the tsunami was underestimated as a result of their mistake with the rest of the people. Now we want to emphasize that we need to have margins, but for having margins the first thing is to establish adequately the design basis. So we are requiring adequate margins against internal and external hazards, but that's not the end of the story. We also want that for items that are ultimately necessary to prevent 
large or early releases from the plant the margins are even larger. That's what we are requesting now, because the question is what are those items that ultimately prevent the release of radioactive materials from the plant. We will come into this point later. The point here is that we are requiring margins and for some equipment large margins. Engineering rules: of course items important to safety have to be designed according to national, international codes and standards with some engineering practice. The question sometimes is which codes we are going to be used for things like that, because sometimes we may not have a code or standard for some conditions. Okay, design basis accident. We know what is design basis accident, I will maybe not go into the very many details, but the design basis are there for establishing what is the boundary conditions that the plant has to withstand, the design basis accident or what are the largest accidents that we take into account, and design basis accidents are used to define the design basis of the safety system. For design basis accident we use safety systems, so for design basis accident the plant should be controlled by safety systems and should not necessitate intervention measures by design, and the last part is that the design of safety systems shall be done in a conservative manner, that also makes a difference with the design extension conditions that come here. So now this is new or relatively new in the design, is new in our requirements. The concept of design extension condition has been introduced and this is something that is there to enhance the capability of the plant to withstand without acceptable radiological consequences some accidents that are more severe than the design basis accidents or that involve additional failures, and this design extension condition shall be used to identify what are the additional accident scenarios to be addressed in the design and to plan practicable provisions for prevention of accidents such 
accidents or the mitigation. So this we will explain later carefully. Here to mention that for these design extension conditions we don't apply the same design criteria as for the DBA. It is not required to fulfil the single failure criteria and design extension conditions can be analyzed using the best estimate analysis. This is a relaxation for something you put in addition. Sometimes it is necessary and it is important, for instance the best estimate analysis for severe accidents, I will explain why, but here just think that if you will put design extension conditions and you will design them with the same requirements, with the same manner as the design basis accident, the system you put there somebody could say, well, these are in fact then safety systems and this is part of the DBA, and it is possibly true. We have requirements for safety classification. Safety classification is important to attach the other requirements to the different equipment or structures in the design depending on the significance to safety, and it has an impact of course in the economy of the plant because the safety grade equipment is more expensive than normal equipment, but the idea is to provide design requirements that are commensurate with the significance for safety of the equipment. So we classify them taking into account the deterministic and probabilistic consideration, and this also takes into account how often the equipment is called to operate and what happens if the equipment fails or not and so on. So there are some criteria for the safety classification and at the IAEA we classify the equipment in several categories. We have normal equipment, these are items not important to safety, and the rest is items important to safety, and within items important to safety we have safety systems, that is very clear, with the subdivision we are not going to detail, protection and so on, and then we have what we call safety related items that are also not safety systems but are also important, so for instance the 
primary circuit cooling circuit is not a safety system, or a reactor is not a safety system, but obviously it is not important to safety and as important as a safety system. But now the point is that we have introduced the safety features for DEC, that are not safety systems, and it's also a bit different from this one. So we have introduced this as a category, but the question is what does it mean, because now we have to define what are the codes and the design rules for DEC, and they are not always clear. There are several criteria, single failure criteria, common cause failures and so on. You know them very well. I'm going to just talk about this common cause, because it says that the design of the equipment should take into account the potential for common causes, equipment important to safety, to determine how to apply some concepts. Again, common cause, and you have here diversity, redundancy, physical separation and functional independence, passive reliability. So people often relate common cause failure to diversity and say, if I want to avoid common cause failure I need to provide diversity. That's not always true. You have to find out what is the reason for the common cause failure. Sometimes you have to apply physical separation, because if you have a flooding here, it doesn't matter if this pump there is of this manufacturer and this one of the other, or this is a steam dryer, or this is... everything is going to be flooded. So maybe the physical separation is what counts. Also even the redundancy, because not everything fails at the same time. But to give you an example, yesterday I came from Vienna into aircraft, and at both sides of the aircraft the engines were the same, so I never flew in an aircraft that implements diversity. So, I mean, you have to be thinking what is what you need for reliability. So redundancy also helps, because there is not... even if there is a common cause, sometimes the common cause does not actuate at the same time, you know, the redundancy. Of course there are some
reasons that can affect both, and we have also this in the next presentation, a bit of an elaboration. We have another general requirement that I will not explain; I am just touching upon some of them. Qualification is important. We mentioned this in the context of internal hazards, that's why I bring it here, because sometimes you can protect equipment from being exposed to a hazard, but sometimes it is sufficient, or you can make it happen, or work on the environment produced by the hazard. Of course, you can maybe not be exposed to a hazard, to a component, to a fire. Well, even it can happen, because I don't think nothing happens if you put a pipe, it's exposed to some fire and so on. But sometimes it's not possible to survive in the conditions; it is possible with the adequate qualification. And it's not only for hazards, it's also for accident conditions and so on. So the equipment in the containment has to be able to withstand the conditions created by a LOCA, by higher radiation and so on. So the equipment has to be designed for all the conditions in which it has to intervene. It will come later again. This is another one that we put and changed, modified; it is about sharing systems and sharing safety equipment. For them, I mean, there was a lot of debate about what does it mean, sharing, all that thing. But one of the things that can be also concluded or taken into account from the accident in Fukushima is what happens when you have on a site several units, and what happens with equipment there. So people say it's very good if we can share the equipment, because if something fails then I can use it in the other. But the question is what does it mean, sharing. So the requirement is very clear. I don't know how people interpret them, but the question is here that we said that each unit at the plant, where there are several units, has to have its own safety systems and its own safety features for DEC. So then, of course, you can provide in the design, to enhance safety, can provide means to allow
interconnections and so on. What is not allowed is that you say, I have for instance two units and only three diesel generators, and I say, OK, this is for one unit, this is for the other, and this is for both, or something like this, so reduce the number and so on. And the same with the SBO diesel: I'm going to have one SBO diesel for two units; at the end it's an SBO diesel. No, the requirement is clear. You don't share in a sense, you don't reduce. You design the units as if they will be individual from this perspective, and then, you want to enhance safety, you establish interconnections that allow you one unit to support the other to economize and have less. So this goes now into specific plant systems, and I'm skipping most of them because there is no purpose. You have been dealing with different systems, I think, in the previous lessons this week, and I am just making some emphasis on a few things. And the one is here about reactor shutdown. For the reactor shutdown you have to provide means to shut down the nuclear power plant in any condition and maintain it in shutdown in the most reactive conditions of the core. This is the only case here where the requirements, in a clear manner and without distinction, require two diverse and independent systems. Before, they tell you, you have to be looking for common cause, you have to be seeing how to prevent common cause, the concept of redundancy, diversity, physical separation is implemented and so on. They were not instructing you, do it like this. That's the only case in which the requirements say specifically the two means for shutdown have to be diverse. And then they say one of them should be capable of maintaining the reactor subcriticality at any time. This is because, as you probably know, in a BWR shutting down the reactor with the control rods does not ensure you subcriticality in all the conditions. So if you cool down the reactor, because of the coefficient of the moderator you may be increasing the reactivity, so
when you cool down, you go to shutdown conditions, you have to be borating. But the other system, the boration system, we do this diverse. I mean, one is the control rods, the other one is normally the introduction of some liquid poison. So the boration system, the emergency boration system or the boration systems, this ensures subcriticality in all conditions. Not true, I don't want to do something, anything from that. OK, here, I'm putting that one here, let's keep it, because after this lesson learned from Fukushima... Before, we just wanted to have very highly reliable systems to transfer the heat to the ultimate heat sink. By the way, for the agency the ultimate heat sink is defined as a large body of water or the atmosphere where the residual heat or the heat from the core is being transferred. Some people consider the essential service water something that is part of the sink; the sink is just the ultimate part. Now, to achieve a high level of reliability in cooling the plant, after Fukushima we are asking for two things: either to have an alternate ultimate heat sink or, if not, to have an alternative access or means of transferring the heat to the ultimate heat sink. And this function also should be fulfilled for levels of natural hazards more severe than those considered for the design, taking into account the site hazard evaluation. In other words, this heat transfer chain to the ultimate heat sink needs larger margins than those that you will take from the input from the site to the design. Containment. I don't know if I want to go into that, what is the purpose of the containment, confinement, protection and shield. I am going here because we have introduced now the capability to remove heat, ensured by, should be ensured by systems with sufficient reliability and redundancy, and the designs also include features to enable the safe use of non-permanent equipment for restoring the capability to remove heat. The loss of containment protection integrity shall be prevented in all plant states. So we
need to preserve the integrity of the containment always. And then we have introduced also now, after Fukushima, that there should be provisions to implement the use of non-permanent equipment. And this I am also going to explain in my last presentation, because this non-permanent equipment is not part of the design. What is part of the design are the provisions for connection. Sorry, example. So, for instance, you lose the cooling of the core or the cooling of the containment, and then you have some piping at the plant that, now, this pump is properly designed, you come with your fire truck or something, you connect there. You have also operational provisions, but you have the adequate fittings and so on, and now you come and say, I connect here and I cool inside the containment. So this is what they mean by design provisions. But this is, the connection is a design provision; the truck, this is not part of the design. It is possible... what do you mean, some conditions? Well, I mean, when you design these connections you have to put them in the correct place, and the same for power supply, for electricity. So this is what I mean really, is this for there, that if you need it you go and you connect. And it's not that, you know, now I have water but I don't have a hose, and where do I put it, do I connect to this pipe, and how do I do it, and I have to weld, and then which valve do I need to operate, and maybe I cannot. So now it is considered in advance in the design where you will connect. In this case it's for cooling, but when you come to power supply it will come the same. And still, connecting water cooling is easier; when you connect power supply it is more difficult, because there are also protections, electrical protections. So it's not that you just close the breaker and so on, because, you know, the loads can start, protections tripping, and simply you can... it is not that easy even to synchronize an SBO diesel to the bar. And so you cannot start the diesel and take all the loads of
the bar, because normally, for instance, the capacity of this diesel is not the same as the one of the Mercedes diesel. You have to make sure that, you know, some loads are removed from the bus bar, then that there is not something like a load sequencer or something of protection that will trip down your... so it's more complicated. Now, the point is that it is required for the new plants that, in spite of everything that you have in the design, you now have places for providing cooling and power supply. Power supply will come. And this is part of the design, the connection, but not what you will bring, because this is not part of the plant, you know. And also we don't want that the safety of the plant relies on this connection, excuse me, on this portable equipment, for which there are not requirements for quality, requirements for reliability and so on. So you cannot compare a diesel that you bring in a truck with the diesel of a nuclear power plant that has specific plant requirements. So at the moment it's simply saying that we have included now the need for having connections to provide cooling of the containment. Instrumentation. I have something here because now the one thing is, of course, the digital instrumentation, and reliability and independence of digital instrumentation. Control systems should be fully separated from protection systems. OK, now something, of course, about the control room. It comes to the same topic. The control room is one of the things that you have to make sure that it will be maintained operable, that the habitability will be preserved. So for the control room it is required that it withstands also hazards more severe than those taken into account for the site hazard evaluation. There is a requirement for a supplementary control room, fully equipped or equipped as necessary. This is something to be used if you have to abandon the control room, for whatever reason the control room availability is lost. The typical case is a fire in the control
room, so people can simply not stay there because they die, or simply because the equipment will fail, you cannot operate from there. There is now this emergency response center that we mentioned before, that there was in Fukushima. So now it's required... we have been changing the name, so I have to be very careful, but now it's called emergency response facility. Before it was technical support center; now it's called emergency response facility. In other words, this is a place at the plant where you have information, all necessary information from the plant, but not only meaning papers, instructions, technical documents also, but the information on the plant operation. You have also information from the plant parameters, not all of them maybe, for which the plant organization can support the operation of the control room. The plant is not operated from there. You don't operate the plant, but you can't, but you have the information to support the plant operation in case of, we will say, design extension conditions basically. It should not be necessary for design basis accidents; of course you can use it, but it should not be necessary. So this is one of the facilities for which also we require larger margins, because if there is such an external hazard you need to have it available. This is also the place where in Fukushima the people were then taking shielding and taking actions at the plant. Emergency power. We have introduced a number of changes, but important: of course you need to have emergency power for the case of loss of offsite power, that this is a safety system, but now we have introduced the need for an alternative power supply, and this is for DEC basically. And this is there to both things: to preserve reactor cooling and, of course, also the cooling of the spent fuel pool, and if this eventually fails and you have a severe accident, also you should need to have power supply to mitigate the consequences of a reactor core melt. And for this equipment necessary to mitigate severe
accidents, we are requiring that this should be possible to be supplied by any of the available power sources at the plant. It should be, of course, supplied by the alternative power source, because you may go there because of an SBO, but sometimes you go into a core accident not because of an SBO, so you want to have in this case the possibility of using any potential, any source available. There are other ones I don't want to describe, but I put this thing here just on the screen because we're talking about the internal hazards. You will not find here something like specific requirements for systems for flooding. We are finding things for preventing the drops of equipment and so on, but fire protection is a specific system, a specific program of the plant, is important, is reflected in the requirements. And there are several others for each type of plant, ventilation and everything else, instruments, but I don't think it's necessary to go one by one. I just want to give an overview. I don't know how late I am with the agenda. After, you maybe talk about the questions and so on. I don't know if we have a break. Then I'm going to have another presentation in which we discuss some more practical topics, because this is the requirements just as they are, but then in the other one we may be talking about what is understood by one thing or the other and so on. In fact, one of the problems that we have now is that we have introduced some of these topics in the requirements and then we realize that there is not a common understanding on what they mean, and we have difficulty to implement those concepts in the safety guides. Well, any questions now, at this moment? And sorry for the boring presentation, because I see how your eyes are like this, so I try to improve for the next one.