Post-Fukushima work: the reactor's "hardened safety core"

After the Fukushima accident, the safety authorities imposed a number of requirements on nuclear operators:

1. The case of a single extreme external event, or of a combination of extreme external events, far more severe than originally taken into account for the design of the installations, had to be considered as possible. These extreme situations are referred to as "noyau dur" situations, in other words situations that the reactor's hardened safety core of components must be able to withstand. The "noyau dur" situations for the ILL are the following: 

  • An extreme earthquake with a recurrence interval of more than 20000 years, taking into account possible amplification due to the particular configuration of the Grenoble basin (or an even stronger earthquake)
  • Extreme flooding following the cascade failure of the 4 dams upstream on the river Drac. The risk of scouring (excavation of the earth around and under foundations which could cause the structures or buildings affected to "tip over") around the installations due to the passage of the flood wave must be taken into account.
  • A toxic cloud over the site following the earthquake and/or flooding of the Grenoble basin in the event of a dam burst, caused in particular by phosgene released by the chemical installations south of Grenoble. 

2. The creation of a small sub-assembly of "structures, systems and components" designed to resist these "noyau dur" situations and:

  • prevent a serious accident and limit its escalation
  • limit the massive release of radioactive substances
  • enable the operator to carry out its crisis management responsibilities.

This sub-assembly is known as the "hardened safety core" of the nuclear facility.

The most serious accident likely to happen at the ILL's high-flux reactor (HFR), as at any reactor, is a core meltdown (see glossary).
The HFR's hardened safety core therefore includes systems designed to prevent a meltdown in extreme "noyau dur" conditions:

1. ARS: Seismic reactor shutdown circuit (ARS - arrêt réacteur sismique): this system guarantees that the reactor will shut down even in the event of the extreme earthquake defined as one of the "noyau dur" situations and that it will do so even in the hypothetical case where there is no "weak" phase in the seconds preceding the "strong" phase of the earthquake. Basically, when an earthquake occurs, a succession of primary (compression) waves - P waves - and secondary (shear) waves - S waves - are propagated from the epicentre. The compression waves travel faster than shear waves and would therefore be the first to reach the installations. The shear waves, however, are more destructive. Like other reactors, the HFR therefore originally had an automatic shutdown mechanism that would be triggered on detection of very low-level (0.01 g) P waves. As the shutdown would occur preventively at low levels of acceleration, the system that detected and triggered the shutdown did not itself need to be designed to withstand high levels of acceleration, i.e. to be earthquake resistant.
To comply with "defence in depth" requirements (a concept implemented to compensate for potential human and technical failures and comprising several levels of protection, based on the creation of multiple barriers to prevent the release of radioactive substances into the environment), the ILL has therefore installed as part of its hardened safety core of components a new system capable of shutting down the reactor completely automatically even in the extremely hypothetical case of an earthquake that does not generate P waves that are detectable on the site before the arrival of the more destructive S waves. 
This system has been operating since 2016.

2. CRU and CEN: We have already shown (see FAQ: "Is a power supply needed …") that the reactor does not need electricity or an external cold source to cool down once it has been shut down. To cool down the core properly we only need to maintain a sufficient level of water to ensure the process of natural convection.
There are two different systems which guarantee that the water level remains above the core in the event of a breach in the reactor vessel or reactor pool caused by an earthquake of the severity defined to be withstood by the hardened safety core: 

  • The emergency core cooling (‘reflood’) system (CRU - circuit de renoyage ultime): the CRU connects the reactor vessel, which has a volume of only 12 m³, and the reactor pool (over 350 m³) and allows a passage between the two to be opened if necessary. The system was brought into manual operation in 2012. From 2018 it will be operated in automatic mode. It enables the core located inside the reactor vessel to be reflooded passively (by gravity) with water from the reactor pool. The CRU ensures that the reactor has the cooling water it needs for about one hour.
  • The groundwater supply system (CEN - circuit d'eau de nappe): The CEN is a system designed as a means of refilling the reactor pool with groundwater taken from the underground aquifers beneath the ILL site. Together with the CRU, this second safeguard system ensures that there will always be sufficient water in the reactor pool and hence in the reactor vessel. To avoid flooding the reactor after a few hours, the system also includes a number of pumps located in the reactor basement. Once there is enough water in the reactor pool, the system automatically switches from "groundwater pumping" to "run-off water recirculation" mode. The system will be brought into service early in 2018 with the reactor restart.

It should be noted that the ILL has decided on its own initiative to require these three accident prevention systems of the hardened safety core to be fully redundant. In other words, the reactor shutdown and water makeup mechanisms can each withstand at least one system failure without themselves failing to fulfil their function. 

The reactor's hardened safety core also includes systems for limiting releases into the environment, should a core meltdown nevertheless occur following an extreme external event (despite the systems in place designed to prevent such a meltdown). This is a perfect example of our application of the principle of "defence-in-depth".

  • CDS: Seismic depressurisation circuit (Circuit de Dégonflage Sismique): this automatic system makes it possible to maintain the dynamic confinement of the reactor building. It involves extracting a minimal quantity of air from the reactor building, in order to keep the building at a pressure slightly below that outside the building.
    The air extracted is filtered through an iodine trap and two sets of very high-efficiency filters, before being monitored and released via a new dedicated exhaust stack located 50 metres above ground level on the reactor dome.
    The CDS provides a means of controlling the rate and quality of releases, thus avoiding uncontrolled leaks through any fissures in the containment that may be caused by a severe earthquake. This system has been operating since 2016.
  • GAS: Seismic pressurisation of the annular space (gonflage annulaire sismique): this automatic system ensures that the space between the inner and outer reactor building walls is maintained at a permanent overpressure compared to the outside. This "annular space" is filled with clean air.  It strengthens dynamic confinement considerably during transient phases when the pressure inside the reactor building could be higher than atmospheric pressure. This is because even when the interior of the reactor building is at positive pressure during these transient phases, there will still be clean outside air entering the building through any fissures in the concrete containment that may appear after a severe earthquake. This system has been operating since 2016.

As with the other accident prevention systems, these two systems designed to limit releases are fully redundant. 

The reactor's hardened safety core of components also includes a set of resources to manage a crisis triggered by an extreme external event.

1. The emergency reactor control room:
ILL has constructed a new emergency control room designed to cope with any of the extreme external events considered to be "noyau dur" situations, including a possible combination of such events.  Previously the ILL had an underground emergency control room designed to withstand a "safe-shutdown earthquake". It was also designed to withstand the flooding liable to occur on site following a rise in the level of the river Isère or the river Drac. It would not however remain operational in the event of flooding caused by the breach of one or more of the dams upstream. 
The new control room has been operational since the end of 2016 and is designed to:

  • withstand an extreme earthquake measuring 7.3 on the Richter scale
  • withstand a flood wave of 6 metres on the ILL site
  • withstand the scouring liable to result from this flood wave
  • protect the personnel who would have to manage such a crisis, even in a core meltdown situation (protection from direct radiation and radioactive releases, but also protection from toxic chemical hazards, including in particular from phosgene pollution from the chemical industries south of Grenoble). The control room is equipped with a ventilation system which maintains the crisis management quarters at a positive pressure and which ensures that all the outside air entering the building is filtered. The filter system consists of a very-high-efficiency filter, an iodine trap, and an NBC filter (nuclear, biological and chemical) to counter the phosgene risk. 
  • The 45-metre reactor exhaust stack has been modified to ensure that it poses no risk to the new control room in the event of an extreme earthquake. 

2. Hardened safety core instrumentation and control:
The new control room is equipped with all the I&C systems needed to be able to operate the hardened safety core components either automatically or, if so required by the reactor operators, in manual mode. In particular, emergency electrical power is available for all the hardened safety core components (an emergency diesel generator, plus inverter and batteries, ensures that the power supply is not interrupted during the transfer from the external mains network to the emergency supply).

3. Monitoring systems
The control room also houses all the instrumentation required to diagnose and monitor the four critical safety functions: 

  • controlling the reactivity of the fuel element: ensure that the reactor is completely shut down
  • controlling the cooling: check the water inventory and hence the proper cooling of the reactor by the CRU and CEN systems
  • controlling confinement: monitor the dynamic confinement process (CDS and GAS)
  • controlling exposure: monitor using dedicated instruments the levels of irradiation and contamination inside and outside the reactor, including the releases by the seismic depressurisation circuit. The areas inside the emergency control room are also specially monitored to ensure that the levels of radiation and radioactive or toxic contamination are acceptable for the crisis management teams. If this is not the case, there are procedures for conditioning the air and ordering the use of additional protective equipment if necessary (masks, breathing apparatus, etc.).
  • Environmental monitoring: dedicated instrumentation is in place to monitor meteorological conditions (wind speed and direction, low-level or normal concentration of releases) and provides data for assessing the exposure of the population, in addition to measuring any releases. Even during or after flooding following a dam break, the operators can use drones to take air samples and bring them back to the ILL site for analysis in a special micro-laboratory designed to withstand extreme earthquake conditions.

4. Communications
The control room has the communication equipment needed to alert the authorities in these extreme situations. In particular, ILL's access to the "Iridium" satellite communications network ensures that communication remains possible with those outside the site even if the other systems are down (landlines, GSM etc.).

Finally, the crisis management teams may need to access the reactor building during or after major flooding. This can be done via a suspended footbridge connecting the roof of the emergency control room to a new external walkway fixed to the outside of the metal reactor containment. The walkway leads to the roof of the ILL administration building (reinforced to resist earthquake and flooding) and from there to the entrance to the reactor building. 

With the exception of the building housing the emergency control room, all these systems (power supplies, air conditioning, monitoring and communication) are also fully redundant. 

The creation of these hardened safety core components, together with the reinforcement measures required to protect them from being damaged by equipment not designed to withstand an earthquake, cost some 30 million euros.  The work will be complete in time for the reactor restart in early 2018.