Anyway, today I have several topics, in fact all the topics of the day, and I'm going to be talking first about internal hazards, then external hazards. Actually I'm going to make some definitions at the beginning and put them together, but then first internal hazards and later the externals. Just an overview, as there are many different types of hazards; there's no time at all, even for an individual hazard. We could have a whole week talking just about internal fires. And then in the afternoon I have some other presentation related to the requirements for design, and in particular these aspects of the defence in depth and design extension conditions that you will have had during the week, and some topics of interest, so the practical elimination of large releases.

So let me start by this, well, maybe to give you a background of who I am and so on. I'm currently at the agency. I work in different things, but the main field of my work is the development of safety standards or the revision of safety standards for design and safety assessment. In fact I've developed some of them, but I'm also coordinating this development or revision of all the documents that have been done at the section, at the section of safety assessment. And I was revising the requirements for design and safety assessment after the Fukushima Daiichi accident for taking into account some lessons learned from the accident. And now we are in the process of revising the subordinated safety guides to these requirements. And in particular, for instance, I'm revising the safety guide on the reactor cooling and associated systems, which encompass most of the most important mechanical systems of the plant. And also I'm in the process to revise and combine, I will tell you later, the safety guides on internal hazards.
Ok, let me start by trying to understand what this, ok, this is the outline of the presentation, what I'm planning to do in this presentation. First we talk a bit about the definition, what is and what is not an internal or external hazard. Then I will explain a bit why they are important and why we give them some special consideration. I will talk a bit about the applicable or related standards of the IAEA. Then of course, because you know we cannot talk about all the hazards here, it will be simply too much, there is no time, we are going to talk about what is the general approach for designing against internal hazards and for making a safety assessment of internal hazards. And then I pick up one example, and I pick up the pipe break and the flooding. I pick up this one because it is easy to understand and also because it shows the possibility of seeing potential secondary hazard effects that can happen, because when you break a pipe it is not only that you originate a flooding. You can also have pipe whip, water spray, impingement and a number of secondary hazards. And this pipe break is the possibility to explain the topic of secondary hazards. And then we may have some time for discussion or questions.

So let me start by saying or explaining or talking about what is an internal hazard. In the IAEA safety glossary we don't have a definition for internal or external hazard. We speak in the standards about internal or external hazard but we don't have a definition. The IAEA safety glossary is not supposed to be a dictionary and define everything, but of course it should be defining the terms that are used across the safety standards. But this one in particular is not, and also the use in the safety standards is not very clear all the time. Maybe this is the reason why it's not there. What we do have is a definition for an external event.
External events are defined as events unconnected with the operation of the facility or the conduct of the activity that could have an effect on the safety of the facility or activity. And typical examples of external events for nuclear facilities include earthquakes, tornadoes, tsunamis, aircraft crashes. This is the definition we have there. So that means something happening that is not related to the process. But if you think in this definition, you could come for instance to the conclusion that an internal fire at a nuclear power plant in some location of the plant could be considered by this definition actually as an external event. So the terminology is not clear. It is also not clear in member states. I'm used to the US terminology, and there you may see that for instance an internal flooding at the plant is considered an internal hazard, but an internal fire is not. It is considered an external event. So sometimes it's not clear. Other countries talk about area events, because they are events that happen in some area of the plant.

I don't want to try in this presentation to make a unique terminology because it is not. But I try to explain to you the concept and I try to explain to you how we use them. So in the requirements for design we speak about design against internal and external hazards. We don't say events. We say internal and external hazards. Those concepts however are not defined. So if you think about the meaning of the words, and I have been discussing with several colleagues about this and also our technical editor, in reality the hazard describes the circumstances that may lead to an event. For instance the presence of a combustible material in this room is a hazard that may lead to the fire. But the hazard is the combustible material, the possibility that there is a fire. The fire is the event. So the hazard may exist or may not. And the event may occur or may not occur. In reality in this context sometimes these topics are used interchangeably.
They are taken as synonyms. And this is even done in the IAEA safety standards and other publications. So this is what I am going to do. So no matter if we think that the hazard is the circumstances that may lead to an event. For example, the seismicity in a region may lead to a number of external events. It's not only an earthquake. It can be a tsunami. It can be a landslide. It can be other effects. We can be thinking, we have several examples. But here we will consider that when we talk about internal hazard or internal or external event it is the same. So it's at the end in reality the event that we are going to address.

So internal hazards are those, or internally... I don't want to say internal events because it creates another confusion with the initiating events. So the internal hazards originate from sources that are located inside the nuclear power plant. Both inside and outside the buildings, but inside the nuclear power plant. And the sources may or may not be part of the process. For instance, you can have an internal flooding that is the result of a pipe of a system that breaks. Or you can have a fire which is a fire on a piece of equipment of the plant. But maybe also the fire is part of a combustible material or some activity, some people are welding or something like that, and a fire starts up. So the source doesn't need to be part of the process, or may not be.

Examples of internal hazards we have here; the list is not complete, but certainly the most important is the internal fires. Then we have pipe whip, internal flooding, maybe related to turbine missiles. Of course these are related to safety too, to the equipment of the plant; it cannot be something not related to the process. The drop of heavy loads: something is being moved in the plant, some equipment, some material, and may fall on top of the equipment and equipment may fail. So then we have also on-site explosions.
When we talk about explosions at the nuclear power plants, it is normally the result of a fire or another violent phenomenon. But it's not explosions in the sense that we have explosives at the plant. In principle explosives will not be at the plant. So it can be hydrogen explosions. But actually I worked for a while in my past in a company producing explosives, and in this industry they make a difference between explosive and explosive materials. Suddenly they work in English like this. But the fact is that some substances in combination with air and some physical conditions explode or detonate. But these are not explosives. Explosives such as TNT or something like this, they really are designed to detonate. They don't need air or something like that. They are much more destructive. So in the nuclear power plant in principle there should not be any explosive. Explosions are always the result of, I don't know, hydrogen, flammable materials, arcing faults or something like this, associated to some of the phenomena.

Now I'm introducing fuel. What will be the hazard of a spent fuel? No, we are not thinking. I will come to that. I mean hazard in the sense that it can be a source of danger. But here when we talk about hazard we talk about some harsh phenomena that have the potential to affect all the equipment at the plant, and therefore originate at the end, be a challenge for safety. They have the potential to lead to the damage of the fuel and the release of some radioactive material.

External hazards will be those that take place not inside the plant but outside. And here there is a huge variety. This is a very short list. But I put here seismic hazard because seismic can always happen. It's a matter of what is the seismicity of the plant, of the area. We are coming to that in the presentation for external hazards. High winds, wind-induced missiles, external flooding, many kinds of severe weather conditions including tornadoes, off-site transportation. You can make a whole list.
You can put even meteorites if you want. Aircraft crash and so on. Volcanism: in principle you do not site the plant next to a volcanic area. But some countries don't have many choices. So it's something you place in Japan or maybe Indonesia, where they are planning to have a nuclear power plant. Things like this cannot be excluded so easily. And actually because some of the phenomena can be far reaching. If you think for instance about tsunami, tsunamis are originated as you know by an earthquake. A tsunami propagates very fast, and it is not like, you say, some of the hazards like winds, high winds or tornadoes, where you are thinking about the phenomena taking place near the nuclear power plant. But a tsunami can be a few thousand kilometers away from the origin and still have an impact on the plant.

Are you kidding? Thank you.

Internal flooding will be any source of flooding, a tank, a pipe, that is inside the plant site. Normally inside the building, because otherwise it will spread and go away. So it is a break of a pipe, an accidental opening of a valve or whatever that will result in a sufficient amount of water being spread in the rooms of the plant and damaging equipment that is important to safety. But the origin is inside the plant. An external flooding will be when, due to very heavy rains or whatever, all the water is going to the plant site, or the river level goes up and the plant is eventually flooded. This is an external flooding. The water is coming internal. Internal will be, as I said, internal flooding: you take for instance a pipe in the plant that breaks and gives a sufficient amount of water, that maybe is not even detected, and then the plant is flooded. Just to put an example, you have the fire protection system, which normally is a water-based system and is in many areas of the plant, and for whatever reason the piping of this system breaks or it is accidentally actuated, and then the water spreads in the plant and floods several areas.

They have the system to drain. Yes.
Well, this is correct, but then you enter in what is the reason of the draining in the plant. When you go to the plant you see those drains, and sometimes these drains, which by the way can be obstructed and dirty and not always work to the full capacity. These drains are designed for the expected sources of water in this area. So sometimes it is because people are cleaning the area with a hose, sometimes because there is a fire protection system. Or there is a sprinkler here, something like this; it is calculated for this amount of water, but it's not calculated for a break of the pipe itself. So you have to be thinking, so it always depends on what is the flow. So it's a competitive effect. You put water inside one area and the water escapes to the drains or through whatever gaps of the doors and maybe goes to somewhere else where it can also affect. So you have to be thinking. Sometimes also there is not much water that can be delivered because it is a closed circuit. You have to be thinking, at the moment where you are identifying what are the potential or the different internal or external hazards. When you come to the analysis, those aspects you need to take into account.

So obviously when you want to deal with all these phenomena here, as you can see, you need a lot of knowledge in different areas. Even if you take something like earthquakes, it is not just one specialist, because you need a specialist about all the ground motions, geotectonics and all the soil and so on. But you also need the expert in structural design. So it entails different areas of knowledge, and of course you are not going to find a person that knows about seismic hazards, aircraft crash and all the topics. So the analysis of hazards is very complicated and it's really a multidisciplinary team effort.

Now why are the internal or the external hazards important, and when are they important.
So these are important, that's what I wanted to clarify, because they have the potential to produce a disturbance in the operation of the plant. They can lead to an initiating event and they can also in addition, this is important, damage equipment, several pieces of equipment in fact, that may be needed to shut down the plant and bring the plant to a safe shutdown condition. They have this potential and this is why they are important. And if you think of something like an earthquake, it not only affects the plant itself, it affects the whole area of the plant, so it may even affect the emergency response. It may even affect the evacuation of the people if it is necessary, or the capacity or the need for bringing resources to the plant.

So one point I will repeat several times is that the internal or the external hazard, I have a pointer I think here. I don't know why I use this because I press it with the wrong button. So I thought I had a laser but it doesn't matter. I come here and I do it with my finger. That's the internal or the external hazard, event, however you want to call it. The internal hazard, because in the requirements they will say hazard. That doesn't matter. But the hazard may lead to an initiating event, and it will lead in many cases. But the hazard is not the initiating event. And you will see that the systems are designed against initiating events. The cooling systems are designed to provide cooling when something happens, when the normal cooling is lost, when there is a break and the water from the reactor is draining and you need to provide water. The emergency power is there to provide power when the normal power has been lost and there is no power from the grid. But the emergency power and the cooling system are not there to mitigate earthquakes. You cannot mitigate an earthquake. Those systems are there designed to withstand the effects of the earthquake or to withstand the effects of the flooding or whatsoever.
But the purpose or the function of the system is to mitigate the initiating events that can be caused by the external event. The external event is not an initiating event. I know there is a confusion, and in many places, including some IAEA documents, this confusion is introduced. But I want to make it clear. This is not how it is in our standards, or how we try that it is everywhere in our standards.

What we have to do is to first design the plant in a manner that the frequency of the hazard is minimized when possible. Sometimes there is not so much you can do unless you move to another place, because the earthquake is an earthquake and you cannot minimize the frequency of tornadoes. They are there. We simply have to design against them. And then what is important is, well, the frequency is there, but then the plant and the operators need to have sufficient equipment to operate the plant when the hazard occurs and be able to bring the plant to a safe shutdown state. In a durable situation: it is not only to get to a safe shutdown, but you have to be in this stable situation for a long time maybe. And so the operators, the operating crew itself, and a minimal number of equipment: it is necessary to make sure that it is not affected by the hazard. This is the whole idea.

So I'm coming a bit to the IAEA safety standards and explaining which requirement we have for the design against internal or external hazards. This is in Requirement 17. I don't know if the previous presenters this week came to this point. But this requirement says that all foreseeable internal hazards and external hazards, we have some examples here, and it includes not only the natural ones but some that are human induced, that can affect the plant safety should be identified, and the effects need to be evaluated. When I say human induced, for instance an aircraft crash is human induced, it is not something natural.
Then the aircraft crash can be simply human induced accidental, it can happen, or it can be intentional, malevolent; it can happen of course that somebody tries to hit the plant with an aircraft. That's another story, we will come to this maybe. So these hazards, we put it in red, shall be considered for the determination of the postulated initiating events. We have to think what are the hazards, what initiating events they can create, and they are not going to create an initiating event only; as we said before, they can create a load in the plant because of the physical or chemical or whatever phenomena they entail. So they generate a load, and the load potentially leads to failures. So these potential initiating events and the loads that they generate, the seismic load, the vibration, the forces, should be taken into account for the design of the items important to safety.

Now it's important to identify what are the initiating events that they can create, because as I said before we design them to mitigate initiating events. So if a hazard can create an initiating event that I have not identified, I have a problem. So the hazard is not the initiating event; the hazard may lead to an initiating event, but I have to be sure that I have considered this initiating event in my design. If the hazard could create some initiating event in addition to those that I have identified and I miss it, there we have a problem.

So to be more specific, the requirement says that the design shall take due account of internal hazards such as fire, explosion, flooding, missile generation, collapse of structures and falling objects, pipe whip, jet impact and release of fluid from failed systems, this will be an internal flooding, or from other installations on the site. It's not an exhaustive list, there are more. So appropriate features for prevention and mitigation shall be provided to ensure that safety is not compromised. This is what we have in summary in the requirements; we go now into all the details.
Associated to these requirements we have at the moment for the internal hazards two safety guides. We have divided the work into internal fires and explosions, and we have the explosions mainly there because explosions are the results of, or are combined with, fires. As I mentioned before, this explosion from explosives themselves should not happen at the plant, so very often explosions are linked with fires, and then we have the rest. So sorry, it was the other way around: this is fire and explosions and this is the rest. Well, this sounds a bit artificial. On one hand, what we're going to do now, this is part of my work, I'm starting this, having a meeting next month. We're going to combine these two guides together. It is not only combining them together. It's also because we have now new requirements for design; these were developed to provide recommendations on the previous requirements of 2001. So now the requirements or the practices in the member states for design, for instance against fires, are more strict in terms of segregation of the divisions, separation, protection of trains and so on. So we are going to revise the safety guides, combining them together, and be stronger, no matter if we combine them or not.

I need to mention that internal fires still is the most important hazard in the nuclear power plant. It deserves special attention. It has it, because we have a system for fire protection and because there is a fire protection program at nuclear power plants; also the requirements for design give special consideration to fire. I mean fire protection has not the same treatment as the fall of heavy loads or something like this from a crane. Anyway, now I try to see how I can describe them all together and see what is in common and so on. I put this in the perspective of what you have learned, that is the defense in depth, the defense in depth approach, that is not only for nuclear power plants.
It comes originally from the military and you can find application in several areas, so the defense approach is here considered as the implementation of consecutive layers of protection. I will explain also later when we talk about defense in depth: this is not just physical barriers. We need physical barriers because this is what works against radiation, but as an approach it is not necessarily barriers. So how does the defense in depth approach translate, or how can it be applied, in the context of the internal hazards.

The first thing is to prevent the internal hazard from occurring. Sometimes you cannot prevent it. You cannot prevent the earthquake. It may happen or not but you cannot prevent it. It will be there, and you also cannot say in this plant there are not going to be earthquakes. You have to postulate the earthquake. Another story is what is going to be the magnitude of the earthquake that you are going to postulate, for which you are going to design. Sometimes you can indeed say there is no hazard, because simply if you talk about the drop of loads, you go into a room and say there is no crane. I have the equipment, what is going to fall? Simply it's not. But in many cases it's a matter of what is the magnitude. So you will take measures to reduce the frequency. I will not go into this point because I'm going to explain them later. Just maybe perhaps say the points here.

The second thing will be, in the defense approach, when something happens, if I can detect it as soon as possible and take steps to stop this hazard or to control it, it is good. Then if it happens, sometimes I cannot detect it, or the detection can be there but it is not the matter of the design. The design tells me you have to design to make sure that this hazard has a limited impact. So the next topic is to limit the impact on the plant and to avoid secondary hazards, avoid that one hazard leads to another one.
Finally we have to control the hazard when we have a secondary impact, or they have taken into account we have a damage situation. Finally the last part is, now you have to be able to ensure that you can still shut down the plant after the internal hazard, with whatever loads or failures have occurred at the plant. That's the idea. And I'm going to try to explain these steps of the defense in depth approach in general for all the internal hazards. For some of them we have a meaning or strong meaning, for others we have less meaning.

Now let's go to the first step. Oh, I have some animation here, I didn't know I have animations. The first thing, I said that a few hazards can be totally eliminated. There are some of them you cannot say they are not going to take place.

Please. How early detection is being done in case of internal hazard?

It will come to that. You are going to like this. So first thing is I don't want the hazard to happen. So in some cases you can screen it; it depends on the hazard. Well, you don't have a crane, you don't lift or move equipment on top of safety important equipment. This room is dry. I'm sure water cannot go inside. Sometimes, some of the times, it's a matter of reducing the frequency. So you make sure that the combustible materials are not introduced in a very sensitive area. Dangerous activities: you don't do welding or something like this. A number of things, or you control the transient fuels etc. There can be also some design measures, for instance this circumferential, to avoid that you break a pipe and you have a break of twice the size of the section. Sometimes you apply this design criterion, leak before break. So you are allowed by some regulators to exclude this guillotine, double guillotine break. But the point is sometimes you can screen the hazard, many other times you cannot. You simply work on the frequency. You do your best to minimize the frequency of a hazard of a given magnitude to occur.
So how you do this is by design provisions like this leak before break, or by operation provisions: control of combustible materials, control of dangerous activities, control of the barriers and so on. Let me just move because, I don't know, get rid of the animation. So for instance you also can control the fire loads in an area so that they are not sufficiently big to ignite the rest. You can also do piping inspections, inspection of vessels. This also reduces the frequency, the likelihood that this pipe will break and so on. So this is about the prevention. That's the first step. So this is where you should be working. The best choice for you is to minimize the occurrence of the hazard. That's the best choice. Now sometimes you can. And this approach can be also applied to the external hazard. So I may be combining, talking also about the external hazard.

Now the second will be the early detection and the suppression. I call it suppression. I don't know if this is the best word. The idea is to arrest, to stop the hazard. So sometimes it's possible to have an early suppression. For instance in the case of the fires, you install fire detectors. And as soon as a fire breaks out, you have an opportunity to detect. Of course it depends on the nature of the fire. There are even some detectors that are very sensitive. You can put some of these, I don't know what it is, I forgot the name. There are some detectors that are capturing the air from inside cabinets and make an analysis of the air there. There is a sign here that a fire may be starting. Those are too sensitive; they normally are not or cannot be used to trigger automatic fire suppression, because you will be watering the plant and have many spurious situations. But it is good for you because you have an early warning that something may be happening. You can check manually. But in other cases it can act.
So the first thing is to detect that something is happening, or to detect that the pipe is broken and a flood is taking place and so on. Because if you detect, you react. And you stop the hazard as early as you can. But this is not always possible. For example, fire detection and extinguishing, this is the most typical thing. It is also in civil or in normal constructions, even in hotels. You have your fire detection, or in houses, extinguishing. And then for flooding I will not call it extinguishing, otherwise suppression is even good, but the idea is to isolate the flood. Of course if it is talking about the drop of loads, it doesn't apply. It falls.

So now you have to be thinking, from the perspective of design and the operation, that there are different situations regarding this suppression and detection. The detection and the suppression can be automatic or manual, just to try to maybe explain. So you can have a detection that is automatic and direct. This will be if you have a fire detector, or if you have a building and there is a sump in the building. Many buildings in the basement have a sump where you collect water. And this will be dry. And then you have an alarm and then you say okay, something is going on. And this is automatic and it is direct, because automatically I associate that fire detector with a fire, or I associate this water there with the sump, with the flooding. So you have to be careful, because it depends how this is set, because maybe, well, it's not just the flooding. I can associate that, you know, simply there has been some water spill from whatever, some people cleaning or so. But it depends on the room and so on. But the thing is that with the direct detection, because you associate it with the phenomena, you can use it for isolation or for suppression.

Then we have also an indirect detection. So we don't detect directly the signs of the fire or the flooding. But we detect the causes.
So I may see alarms coming up in the control room because electrical equipment is failing, equipment is malfunctioning and so on. So you detect that something is going on there. But you don't know directly, okay, this is a fire, maybe something else. But the operator is alerted. We call this automatic because it is automatic. So this is not used for any automatic action.

And then we have manual detection. And this can happen because the fire or the flooding takes place near or in the place where somebody is working, because he may be involved in the origin. Or sometimes you have people going to do surveillance, as people are going on the plant for this or that. And you notice smell or something. So this of course is the latest thing. It doesn't help that much. The advantage is that you know it's a fire because you see that. So there's no doubt.

And then we have automatic suppression. For instance for fires, fire extinguishers of different kinds. It can be water, can be gas, can be foam, whatever thing. In case of flooding there may be, not always, but there may be some actions automatically, some action that stops some valves, stops the flooding and so on. This is always triggered by the automatic detection. The automatic actions are not triggered by any indirect detection and so on. And then you have at the end of course also the suppression manually. There's a fire, there's no automatic suppression, but you can either press a button remotely and the water starts pouring there, or go there with the hose and with extinguishers and so on. This intervention can be remote, as pressing the button, or somebody has to go there.

So this is just an idea, but it's good to mention this thing, but it is also important to say, I will be speaking about fires now in particular maybe, that the new designs of course in favor promote that you have this detection and suppression. It's good for your plant.
You don't want the fire to grow up and you don't want to lose your equipment, but the design or the justification of the safety of the design is not based on detection and suppression. This can also be not reliable. So the design is based on confinement, which is now going to be this topic. It's based on designing in a manner, you want to ask something? It's just based on a design that ensures you that the fire will not spread from a given area. But those areas sometimes are too big, sometimes are smaller; it's not always possible, but this is now the next thing.

So how, when a fire or a flood or something happened, I take it in general, maybe the drop of loads is not an important case, how when something happened I can limit the impact on the whole plant. That's the next point of this so-called defence in depth approach. So the first thing is very important, I will say this many times, is the plant layout. If you want to ensure this thing, it's very important how you construct your plant, where you put your buildings and, inside the buildings, how you subdivide the buildings, how you separate the zones, by which constructed elements with resistance to the hazards, walls, doors, dampers, whatsoever that are resistant to fire, and then where I am putting my equipment. So the plant layout is the most important thing and it has to be considered from all the perspectives. It's not the same for flooding as for fires. For flooding, as you can imagine, the water goes always down, so the basement is a sensitive area, the higher parts are less sensitive. For fires, well, we also know that the smoke goes up and so on, but that's not as important as for the flooding. For aircraft crash you have to be thinking what the aircraft can hit. So there are many implications, because you have only one plant layout and this plant layout has to be good for all the hazards, internal and external. So the plant layout is the most important thing and you have to design a plant in a way that the equipment is protected.
This is one of the reasons we have, in the nuclear power plants, the equipment and everything in buildings, and it's not like a refinery where you go and you see all these distillation towers, tanks and everything and there are few buildings. So, very important: plant layout and adequate protection features for the equipment. This plant layout, let me just get rid of the animation. The first thing it's going to do is help to prevent, to the extent possible, the postulated initiating event. Now this is not always possible. Sometimes you cannot even exclude it, you are going to postulate that it happens. Sometimes it even triggers the initiating event, and now I'm thinking more about the external hazards. For instance, in many plants in Japan and other places, when you have an earthquake of a given level, the seismic instrumentation actuates the reactor scram. But in other cases it's not automatic but it may happen. Actually a very difficult thing is to justify that the plant scram is not going to happen. So if you have a fire in this room and in this room you have a lot of equipment, many cable trays, and even if these cable trays are not for safety related equipment but normal process equipment, it can be very hard to justify that you are not going to have an initiating event and the plant is not going to scram, and maybe the operator is going to do it. So you design for minimizing the initiating event, but it is not always possible to exclude it. Now the question is what initiating events you can originate. And AOOs, as I said, should be prevented; they are likely to happen. They are things that you expect to see during the life of the plant, or we think when we design that this may happen. Accidents are something very rare and we don't expect to see them. So in accordance with these criteria the design should be such that the internal or the external hazard should not lead to an accident. So sometimes this is also not possible, but it has to be a very low frequency.
And for instance a break of a primary system is an accident in itself. Actually we don't consider this an internal flooding, but you know that the LOCA, the break of a pipe of the primary system, is something of a very low frequency. So these are safety class equipment and they are designed in a manner that the break is of very low frequency. The same should happen in some other areas of the plant if something could happen and lead to an accident. So the external hazard should not lead to accidents, or very rarely. And when we talk about, for instance, seismic design, the protection of the equipment, the seismic design of the equipment should be such that an earthquake shall not lead to an accident. Now, this is the equipment just itself, but then the question is how you prevent that the equipment affects too many components or components of different divisions, and this is where the layout comes in. So you have to have separations to prevent the hazard from failing components of several divisions, and this you do either by physical separation, total segregation of one division from another, with barriers that are qualified for the hazard under consideration, or sometimes you cannot do that totally and then you have protections around some equipment or less strong provisions for protection. For instance, there are places where you cannot really implement a full separation. You cannot have electrical divisions separated in the control room because there things come together. You go near the control room, you have the cable spreading room, and also it's difficult, sometimes you get some cable from one cable room at the top, one from the bottom. There are areas where it's very difficult to implement the same level of separation, or you have the containment, and in the containment everything is the containment.
So in the containment you start thinking, well, I put some electrical penetrations of some division here, the others there, partial walls, component which is on pictures there, protected by... from missiles or pipe, barriers and so on. But it's not always possible to achieve the same level of protection. And also these kinds of protections prevent the effects from secondary hazards. I have here the case of the pipe whip, water impingement and so on. I think I have here some... let me see. I thought I had a picture here, maybe it comes later, about this... Now imagine whatever has happened in your plant, supposedly it's a good design, you have no damage to many equipment; now you have to make sure that the plant can be safely shut down. So you have now to mitigate the consequences of this AOO and additional failures. So what we want to say here is, first, you need to ensure that a sufficient amount of equipment survives the internal or the external hazard. When you have... I'm going to make a bit of a difference between the internal and the external. I know this lecture is about internals but I mention the external hazards. When you have an external hazard like an earthquake, you cannot prevent that the earthquake shakes the whole plant. The earthquake is going to shake all the units of the plant and the surroundings; the earthquake shakes everything. The fire is not going to affect the whole plant, not even of the units. So what you do with the earthquake is you design the systems against the earthquake. You establish seismic categorization, with the most important equipment in seismic category one. You make sure that the earthquake, the design basis earthquake and even something stronger, doesn't fail this equipment or this structure. So the whole system by design can remain fully functional, because you design against the earthquake so everything survives. For internal hazards, however, you cannot make this claim because, depending on where the fire is, you cannot prevent one division from failing.
I can have a fire in this room and there is no equipment important to safety; it may propagate somewhere else, can cause an initiating event and so on, and I don't fail safety equipment. That's not the most important thing. But if this room has equipment of division one, for electrical division one, and the other room there somewhere else has division two, ok, I design the walls, the closure of this room, in a manner that the fire stays here, but the failure of division one cannot be prevented because the fire is here. So the difference between internal and external hazards is that for the internal hazards the failure of a division by the fire in many cases cannot be prevented. You have to buy that you have lost one division, then you have to shut down the plant with the remaining thing, and then you have to be thinking: can something happen in the other divisions, how many divisions do I have, is the single failure criterion still in force or not, is the regulator allowing that a fire takes out the single failure criterion or not. There's a bit of controversy there. So what you have to do in any case is a safe shutdown analysis, for every fire or for every internal hazard in a given location. What you have to take into account is where the fire, or whatever hazard, can be enclosed, what is the maximum damage that is postulated, then what is not affected: can you shut down with the rest? You have to define what your safe shutdown systems are and make sure that these safe shutdown systems are not affected by the fire or the flood or whatever, or, if affected, that a sufficient number of redundancies are not affected. That's the safe shutdown analysis. This is just from, let's say, the deterministic point of view; of course you can also do this analysis taking into account probabilistic considerations. So that's the part of the four steps of this defence in depth approach. I don't know how I'm going with the time. I have until 10.30, right?
So again, maybe to recap: the internal or external hazard shall not lead to an initiating event for which the plant is not designed. This is always a very important message. The identification of the PIEs must be thorough when you design, and consider potential effects of internal and external hazards. So when you have your internal hazard analysis, when you have your plant, your layout, you have to be thinking, if something breaks out here, where it can be enclosed, what can happen. Normally you have this PIE identified, but if not you have to include it or do something. I give you an example. For instance, in the identification of PIEs, very commonly you take into account a main steam line break, but this is just one line, or, instead of a break, a spurious opening of the safety valves. In other words, you depressurize one steam generator from the secondary side. This creates a very fast cooling in the primary circuit, missing the work changes of the density, you need safety injection, sudden change, and you design your safety injection, your operation systems, for that. Now you don't postulate that this can happen at two steam generators, two steam lines, at the same time. You don't do that, and this is very unlikely, it's not going to happen at the same time. But you may think, what cannot happen like this maybe an internal hazard can do. So you have to make sure that there is not such a fire or something that provides a spurious opening in both steam generators, or an aircraft crash that can hit two steam lines at the same time, something like this. If it can, there are two options. The best one is you prevent it, so you make sure that the cables for these safety valves are not in the same place, can never be burned together. The aircraft crash cannot hit the two lines because the lines are put inside the building, or separated, and so on.
Either you eliminate the potential for this initiating event not considered, or the other option is: now I postulate in my accident analysis an accident that is caused by two broken lines, which of course has design implications, maybe it's not even possible. But the point is, it's very important that the internal or external hazard cannot produce an initiating event that you have not considered, so the initiating event identification must be very thorough and systematic. Now, in your accident analysis you model, you take into account the plant response, you use your sophisticated computer codes and analysis to demonstrate that the systems that you have designed in place are sufficient to shut down the plant and meet the acceptance criteria for the fuel, for the pressure boundary and so on, and you do this with a certain level of conservatism in the analysis of safety systems. So you have to make sure that the effects of the fire don't challenge, don't invalidate those analyses; the effects should not invalidate those analyses. Now the operational safety system secondary effects, sorry. And actually this PIE analysis, this accident, is important because it's also telling you what you need for the PIE, what systems you need to use for safe shutdown of the plant. So this PIE analysis is going to help you to define what are the safe shutdown systems, the minimal set of systems that you need to prevent from failing after the internal hazard, be it flood, be it fire, whatever. Now you do all these things; the question is if the plant is still safe enough or not. Sorry. So as I mentioned before, it's not always possible to prevent a transient, an AOO, or maybe the operator will trigger it. The hazard initiating an accident should be prevented to the extent possible by design. This is your goal; this actually should not happen, but if it happens it should be at very low frequency, with a frequency similar to those of accidents, of DBAs. So this goes in line with the, you have seen
probably in previous presentations, there are different frequencies for AOOs, accidents and so on, so the lower the frequency, you can accept more consequences, but if the frequency is relatively high then the consequences have to be low. And an important thing is that the safe shutdown of the plant has to be always possible. This is the most important thing, this is part of the design, this is what you need to ensure. You don't want the hazard to happen, you don't want the damage, but eventually the ultimate goal is the safe shutdown of the plant. That's not what you want, this is what you want: you have to demonstrate that you can safely shut down. But also, you are an owner of a nuclear power plant, you don't want to have a fire and say, well, very good, I safely shut down, but I have lost the turbine and I have lost this thing and now the plant is destroyed, I will never operate, or I will not operate in the next 4 years. You protect your property, you have all the interest, but the ultimate goal is to ensure that the plant can be safely shut down. Now let me get rid of the animation. I am recapitulating a bit. So in the consideration of the hazards, the topic of the first importance is the layout, the layout of the plant, the construction of the plant, where you put your buildings, how you divide your buildings, where you place your equipment, how you separate your equipment. This is capital, this is of the first importance. If the layout is not optimal then you have to do other things, you need all the types of protections. This is not the preferred choice, but sometimes either it is not totally possible to have a layout that prevents everything, or other times what happens is that the plants have been designed with requirements that were not so demanding in the past, where not so much attention was given, for instance, to fires or flooding, and the plants need to be refurbished. I worked in my past on these topics. After this Browns Ferry accident, if you remember, it was '75, the cable spreading room fire, with several
implications, in the US they established the so-called Appendix R regulation to the design criteria, and so they gave three choices for plants designed against earlier standards to improve the plants: either to separate divisions, to make sure the equipment of different divisions was separated 22 feet with no combustible materials in between, or separated by, the best choice of course is when you have the three-hour barrier, but this is what is not given, or there were other options like a one-hour barrier and automatic detection and suppression. So there were several options given, and so what sometimes people had to do is to identify, for instance, where there are some cable trays of one division routed through places where there was another division and so on, and the cable trays had to be protected with a coating, with some blankets or something qualified for one or three hours. They use different materials that need to be tested and so on. So in any case each hazard also has a specific protection. So sometimes things that are designed for fires are good for flooding, because of course a wall that resists the fire resists flooding, but it is not always exactly like this. Sometimes you have a sill, for instance, for water, for flooding; that step may be sufficient, depending on the amount of water that comes, and with that step it may be possible that the water, instead of going here, prefers to go somewhere else. But that step, even if it is not like this, it is like this, can prevent flooding here, but it will not prevent the propagation of fire. So you have to be thinking. Sometimes we have a seal on the wall that is a seal put for fire, for prevention of fire, smoke going through, or fire effects, and it is fine for that, but the water will go through. Actually, one of the things when you put water in a room is that the water finds all the ways to propagate, and you will be amazed how many ways there are that were sometimes not taken into account. So the total failure of a system important to
safety that is designed to accomplish one of these fundamental safety functions, control of reactivity, removal of decay heat and confinement of radioactive material, is not acceptable. So these fundamental safety functions must be always preserved, even if the system accomplishing them is not required to actuate following the hazard. Now, what I was mentioning on the layout: for the new plants the call is for a good segregation. What you want is to make sure that the fire or the internal event cannot affect several divisions; that's the preferred way. You can implement the detection and suppression, but the design is based on the confinement of the hazard to limited areas. You start to divide the plant into so-called fire areas, and then sometimes these areas are too big and you also realize that the fire cannot, maybe, if you break in one corner, affect the whole area, so sometimes the analysis considers some smaller subdivisions. What I'm putting here is an example of the containment, because it is of maybe particular importance. Containment is a place where you cannot segregate the divisions very clearly. In the buildings around the containment, where you put the safety systems, the emergency core cooling and so on, the electrical building, you can make sure that one division is in one room, the other division is in the other room, well separated and so on. Containment, and around the containment you have one emergency core cooling division here, the other one here, the other one here, so really separated by distance and barrier. When you go inside the containment, that separation cannot be fully done like this. Of course it cannot be seen here, but you make sure that if you have here division A, the electrical penetrations will be somewhere here, the mechanical penetrations somewhere there, but not one that can affect the other, and then the electrical penetrations of all the buildings or for instrumentation will be somewhere else or not. You make some separation. As you see, the separation is by distance, is not
you cannot claim that everything burns here and everything, because then in that case you affect all the divisions. So what you do here, let me take distance because otherwise I cannot maybe explain. I put this picture in vertical to show different types of protections again. So you have a missile slab here in case something happens inside the reactor or breaks. You see the steam generators are surrounded by walls, so you don't want any kind of break of a pipe to be affecting all the structures. This is also a double wall containment, by the way. But also, if you look inside the containment, it's not very visible, but you want to make sure, in other words, that some hazard happening here doesn't affect everything. If you look for instance at fire protection, the most important fire loads in the containment are on one hand the main coolant pumps. This should be maybe a main coolant pump, I'm not sure, I think so. They have a nice amount of oil, so there is a system normally for collecting the gas break, collecting the oil of the pump, to make sure that the oil does not intervene in the fire and so on. The pressurizer also has the heaters inside; the pressurizer also has heavy loads of cables around and so on. So this is for fires. And for all the flooding or pipe breaks, I will call them pipe breaks, this is where you do the most thorough analysis against all the forces that take place after the break, pipe whip and so on. We will be dealing with this later on. So there you do everything, from supports, from structures preventing pipe whip, from structures preventing the impact of one piece of equipment on another and so on. But if you want, a total physical separation is not given, because the environment is the same, so you cannot say that a fire, or the effects of the fire, the smoke is going to, or the steam is going to, of course, be everywhere. In that case the second option is qualification, so the equipment here should be qualified to withstand the effects of high
temperature, humidity and so on. So the instrumentation inside the containment, for instance, has to be designed for the conditions caused by a LOCA. Now, protection of equipment, of structures, systems and components that are important to safety: generally most of this equipment cannot be and is not designed to withstand all the causes of the external hazard, but this is too expensive. So you cannot design a plant in which everything is designed seismically or in which all the equipment is protected against everything; this is prohibitively expensive. So what you do is you protect those things that are necessary for safety, and you protect them by appropriate layout, as we mentioned, if not by distance, or by protections around some specific kinds of equipment. In the picture you saw before there are some protections against missiles, barriers and so on. And otherwise, when you cannot protect, it is what I mentioned just before: you have to qualify the equipment for the hazard environment that is produced by the hazard. So the other important point is the limitation of the effects. You have to make sure that there is no so-called domino effect. It is already enough to have one internal hazard or one external hazard; you don't want the internal or external hazard to cause something else. So this is very important; it is not always easy, but very important. So in the case of the pipe break that we will talk about, particularly the break, of course, of a high energy pipe, you have to have sufficiently well designed supporting structures, or to have some division walls and so on, to make sure that the break is not impacting another pipe and creating another break, or impacting the equipment, electrical equipment, and providing some additional failures. So there is also, if you look from the perspective of the external event, and as it has been seen from this Fukushima accident, or this Tohoku earthquake better said, because it affected several plants in Japan, you can have an earthquake
that can trigger a fire. This happens when you don't have, for instance, the adequate qualification. In many plants you have systems that are not seismically designed, so the fire water protection system, for instance, is not seismically designed in many plants. You can have an earthquake, the earthquake breaks the fire protection system, the water is released, you have a flood. So all these things should be taken into account to ensure the safe shutdown of the plant. And the main point is that the hazard or the combination of hazards should not lead to the common cause failure of all the divisions of the same system and so prevent the safe shutdown of the plant, and this is normally accomplished by physical separation. This I mentioned before, in the mitigation: the regulator sometimes allows you to credit the mitigation, for instance in fire protection, detection and suppression. Generally, however, for new plants it's good to have detection and suppression of fires, but the approach taken is the confinement principle. So in the design this is not credited; what is credited is the physical separation of the divisions, to make sure that even if everything burns in this area it's not propagated to the other redundant divisions. The hazards resulting from a PIE, the PIEs, I mean, by hazard, and the associated failures should be such that the envelope considered in the analysis of that PIE is never exceeded. And the measures... I already said before that the internal hazard cannot lead to any PIE, I don't call it PIE, call it initiating event, because it will not be postulated, cannot lead to something that is not postulated in the design. It has to be a PIE. So these are all for, let's say, the design part if you want, but at the end, after the application of all these measures for design, you need to have an analysis, a safety assessment, deterministic of course and sometimes also taking into account probabilistic considerations, to demonstrate to the
satisfaction of the regulator that all these provisions for layout, for protection of the equipment, for provision of PIEs etc. are sufficient and that the level of safety achieved by the plant for external hazards is sufficient. So you need to have an analysis of the generated PIEs and additional failures that can be caused by all these scenarios, flood scenarios, fire scenarios and so on, and you have to prove that all the consequences are kept below the limits, those that are set by the design, also for initiating events. You have to demonstrate that the operation of the reactor is possible, and by operation I mean it can be operated to bring the plant to a safe shutdown and maintain it there, and you have to demonstrate that the hazard cannot cause the failure of all the redundancies of the systems that are required for this safe shutdown. Now, sometimes to gain the knowledge of all the specific aspects for the design is very difficult, and you don't have many options when you are designing, but when you construct, or when you do have a plant, you have the option to do a plant walkdown. And this is very important because there you capture specific things that can only be observed in reality. And also, you can design a plant, but the reality can change tomorrow, because, believe it or not, small changes that can take place in a nuclear power plant, related to doors, door gaps, penetrations and so on, something like this can be important for the effects of the hazards, this change. So it is important to verify all these small constructive elements about the confinement of the hazards and so on, and also make sure that during the operation of the plant those provisions are maintained. I need to run, I have a bit used up my time. I'm going to be saying something about pipe failure and, associated to it, the flood. I took this as the example because it gives the opportunity to combine and to see several things that can happen from pipe failures. So the first
thing: pipe failure is something that in general can happen everywhere, and it's also something you can exclude, but of course you can postulate failures of pipes everywhere. But not all the pipes are going to break in the same manner, with the same frequency, with the same consequences, so you need some rules, you need some methodologies. I'm referring there, for instance, in the US, to the Branch Technical Position 3.4, which says where you postulate and when, which type of breaks and so on. Ok, so the idea is you have to take into account the possible postulated initiating events, as we said, you have to take into account the systems that are required to mitigate them, they should not be failed by the hazard, and then you should not create by the break a secondary internal hazard that will aggravate this PIE, and the main 3 safety functions have to be accomplished. So where do you postulate the breaks? If you see, for instance, this US methodology, it depends on the pipe: what is the energy of the pipe, what is the pressure inside, what is the temperature inside, what is the diameter, stress value etc. There are a number of things. So you distinguish low energy and high energy pipes. For low energy pipes you say, ok, there is going to be just a leak, because there is low energy, it's not a big break. For high energy pipes you then make a difference depending on whether there is some qualification for preclusion of the break, leak before break and so on, so as to distinguish whether there is going to be a circumferential break or not and so on. And then also the locations where you postulate the break depend on the energy and the size. I will not go into the details, but there is generally a deterministic approach that says, ok, for piping of less than this diameter, and if it is not nuclear class, it can happen in any location; if it is a pipe of quality grade, I mean a safety class pipe, I postulate that the break can happen in this place, like the connections, the weldings and so on, and otherwise here and there. So we postulate
where the break can take place, then we postulate what can happen. So what can happen with the high energy pipe is the pipe whip, this is when the pipe breaks totally; if it doesn't break totally there is no whip, but if it does then you have to be thinking what the effects of the pipe whip are. You have to identify what could be the targets of the pipe whip, what you can break, and then you have to protect against this pipe whip. I will not stop because I will not finish the presentation. The next effect that you have to be taking into account is not only the whip: so what forces, in which direction, are going to be acting; there is going to be a jet of water projected against all the equipment, so is the equipment sensitive to these forces, what can happen and so on. So this is very important, particularly in the containment for the LOCA analysis, explicitly all these effects are taken into account. The next thing to be taken into account is the reaction forces when the break... escaping very fast from a system, so this has to be taken into account for designing the supports of the equipment, the anchoring etc. All of this needs very sophisticated mechanical and hydrodynamical modeling. The next one will be pressure wave forces and forces of the flow. This is considered in the primary system, also in the pressure vessel, in the steam generator, how this affects tubes and so on. And then another thing to consider is the build-up of pressure. If there is an area where the water or the effects of it cannot escape, put the containment, maybe of the rooms, you will build up pressure, so what is the effect? This is also useful at the end of the containment. Then you are going to produce humidity, temperature, radiation when the pipe that you break contains material that is activated or is radioactive. All these things have to be taken into account, on the environment produced, on the operator if it is not the containment, and so on. So all of these are factors. Unfortunately I don't have the
time to give some more details. The message is, it's not just the pipe break. The pipe break is something that is going to produce, it's the last one, the flooding: the water is going out and you have to see now what happens with the water. But in addition to the water, to the flooding, you have to make sure that you don't destroy more things because of all these mechanical effects, so you have to prevent these secondary hazards. So now we have the flooding. Now we break a pipe, and independently of whether any of these things happen or not, pipe whip, imagine we prevent the pipe whip, but now you have water running out. And the amount of water can be small and not sufficient to damage equipment, or it will escape here and there, then I don't care, it's not that important. But it can be massive, it can be even connected to the sea, to the river or to a pool, or simply there is a pump like the fire water protection system and it's running and it's going to give you as much water as you can, and so this has to be taken into account. So now you have to be thinking what is going to happen. This is a recap on the pipe break and things that need to be considered or not depending on the characteristics of the pipe, but now I'm going to go to the flooding. So the flooding, it can be the break I just described; it could be sometimes not a break but any unintentional opening of a valve, a spurious opening, a maintenance error where something was left open where it should not, or the operator unintentionally triggers a flooding. Then, when there is flooding somewhere, you need to identify the flood sources, you need to identify where you can wet, what you can damage. This is normally by submersion but it can be also by spray and other effects. So you need to see how much water you need to deliver in some place to damage the equipment, and then here there are competitive factors. This was the question I was asked at the beginning: you put water in some place, the water will propagate, or, I'm going to be
taking a picture. So you release water in some place, the water finds out all the places to go and it will propagate, and it will create damage where the flood is taking place but also in some other areas. So this is very important, because, I will give you some examples maybe later on if we have time, maybe at the end, not now, about some funny propagations of flooding that were not expected. So I think I'm going to move on. Detection is sometimes possible. Sometimes there are some detectors in some rooms, some indication that may lead you to understand that there is something like a flood, but it's not always possible to associate it to the break, and sometimes you may associate it but you cannot... For instance, imagine that you break a fire water protection system and you detect the flooding, but the operator may not be sure if this has been an actuation of the protection system triggered by somebody or triggered by some detector or something, so he may not be immediately stopping the fire pump, maybe thinking this is a new actuation. So detection and isolation of flooding is not so straightforward. And what is going to happen, of course: it can eventually trigger a PIE and it's going to damage equipment. This is what is relevant. And what you're going to do is you're going to go into the different areas of the plant and see what can break; you have the sources where it can be flooded, you have the equipment which is there, you see where it can go, and this gives you a scenario. So source, rate of flooding, surface area going to flood, propagation, and equipment there, and then you calculate all this for the propagation and see what can happen, and then you have to make sure you shut down the plant with this. I have a list here of floods that occurred in some nuclear power plants, just to make the point that these things happen, that it is not only... I will not go into them. That's the picture that maybe describes the analysis process, maybe
to come back on them. So first you have to get the plant information on the layout and everything, maybe sometimes a walkdown to see what is where and so on. Then you have to see where are the sources, so what things can be a source of flooding or not. There you have to take into account what is the potential. It is a balanced thing: how much water can be released, how quickly, and how much water is necessary to damage equipment. If there is something small you may say, OK, this is not a flood source, because not much water can be released, or not sufficient, or it can go into the drain. Then the frequency is another story, how frequently this can occur; I will not talk on that. And then you have the equipment. Then you see what can happen, where it can go. And then sometimes there is some screening, and you say, OK, here nothing can happen, or this can happen but a quick calculation is sufficient for me to say that can happen and I can handle this, or that can happen and with this gross analysis I'm happy, I don't need to spend more effort in the analysis, I'm sure that the contribution to risk is not important. Because all these analyses take a lot of time and resources and money and so on. Sometimes it's not like this and you need to do some more detailed analysis, with the verification by walkdown and some hydrodynamic calculations. But the best thing is that you are here, because this tells you that the plant is well designed. And eventually you can also go into risk analysis, come up with the probabilistic numbers, if you take into account the flood evaluation frequency, possibilities for isolation, and you have a PSA model to see what is the probability of safely shutting down the plant with the damage that occurs. That's the idea. I think this is just saying a bit the things that you need to know: sources, ways of mitigation, barriers that prevent the connections and so on. You have to be looking at all the penetrations. I haven't seen the standard hazards later on some picture where you see some
unexpected propagation and so on and so on. These are basically the steps, and then this leads to these things: identification of flooding sources, flooding, and so on and so on. That could be an idea, in a picture, of a scenario, a generic one, in which you have an area, three or four areas involved. Imagine your source is in this area, in this room, and you can propagate to this area, back and forth, maybe through a door gap or something, as I put a door in this area. There can be drainage that goes here to some area in the basement where there is a sump pump that takes it outside. And here this one maybe propagates with this one; here there is a drainage, something like this. So you get what are the rooms involved, what are the propagation paths. Sometimes there is a step like this and it only propagates as it goes above. You do your modeling, and at the end you can come up with a result that here I get five centimeters of water, here I get two, or here I get twenty, whatever. If I get twenty, OK, I have this equipment and that's a breaker, and if it goes here nothing happens, but if it goes here it's going to the whole bus, the bus is going to fail. But with those things you have to be very careful, because you know the flood is not always nice. It can be some b-way, it can be moisture, moisture can affect the equipment. You have to have adequate basis to support your assumptions. The best thing is when your design is such that this will not get wet; that's the best thing. But nevertheless, so this is the kind of analysis you do. And here, this is the last thing, and I have minus five minutes for questions. Thank you very much.