The role of nuclear energy is to supply electric power on a stable basis to meet increasing demands, reduce carbon dioxide emissions, and maintain stable electric power costs while ensuring safety. The Fukushima accident taught us many lessons for creating safer nuclear power plants. Considering the design of systems, the areas of weakness at the Fukushima nuclear power plants can be divided into three categories: plant protection, electricity supply, and cooling of the nuclear fuel. In this paper, focusing on these three areas, the lessons learned are proposed and applied for pressurized heavy water reactors. Firstly, hard protection against external risks ensures the integrity of components and systems such that they can perform their original functions. Secondly, additional emergency power supply systems for electrical redundancy and diversity can improve the response capabilities for an accident by increasing the availability of active components. Thirdly, cooling for removing decay heat can be augmented by adopting diverse safety systems derived from other types of reactors. This study is expected to contribute to the safety enhancement of pressurized heavy water reactors by applying design changes based on the lessons learned from the Fukushima accident.

1. Introduction

Background. Although more than four years have passed since the Fukushima accident, the impacts of this accident are still immensely felt both in Japan and globally. This illustrates that the influence of a nuclear accident is greater than the estimated impact when the social effects are considered. Immediately after the Fukushima accident, several countries, including Japan, declared that they would stop operating and constructing nuclear power plants (NPPs). However, some countries, including the United States, China, and India, are still pursuing increased electricity production using nuclear energy. Additionally, Japan revised its original plan of total shutdown and reviewed the reoperation of 16 NPPs following the introduction of new regulatory requirements (as of January 1, 2014). Four NPPs (Takahama-3, 4 and Sendai-1, 2) obtained preliminary approval from the nuclear regulation authority (NRA) of Japan (as of December 18, 2014). Germany, however, declared the shutdown of all of their NPPs, and they have experienced a sharp increase in the cost of electricity. It is predicted that the global electricity demand in 2040 will be approximately 80 percent higher than that in 2012 [1]. To meet this high demand, nuclear energy is arguably a necessary energy source. However, NPPs must not be operated without considering the lessons from the Fukushima accident.

Many reports have been published by international and national organizations with various views on the accident. The Tokyo Electric Power Company (TEPCO) published investigation reports on the Fukushima accident. An interim report was published on December 26, 2011 [2], and the final report was published on July 23, 2012 [3]. These reports described the events after the occurrence of the natural disaster and analyzed the effects of the accident that were exacerbated by human errors and the complicated command structure within the electrical power company. Varieties of solutions in terms of systems and management strategies have been proposed for increasing the safety of NPPs in the reports.

The OECD/NEA (Organization for Economic Co-operation and Development/Nuclear Energy Agency) published the report “The Fukushima Daiichi Nuclear Power Plant Accident: OECD/NEA Nuclear Safety Response and Lessons Learnt” [4]. In this report, the responses and actions following the accidents were described, focusing on regulations, safety, radiological protection, and legal framework. Practical responses, including enhancements for public protection, were proposed based on insights into the entire accident.

The ASME (American Society of Mechanical Engineers) published a paper entitled “Forging a New Nuclear Safety Construct” based on the background and a new direction from the Fukushima accident [5]. This report was focused on the need of a new nuclear safety construct because the sociopolitical and economic consequences of NPP accidents were not fully addressed in the previous safety goals. The proposed “New Nuclear Safety Construct” is shown in Figure 1. In the construct, because the primary safety requirements that govern the design of a NPP are contained in the “General Design Criteria for NPPs,” the design basis must be robust for new plants as well as for existing plants. In addition to the design basis and severe accident management, “Emerging Safety Construct” such as the FLEX (diverse and flexible coping capability) built in the United States was included for enhancing nuclear safety as a post-Fukushima strategy. Finally, the safety guideline was to forge the necessary elements of a construct that addressed accidents based on an all-risk approach. Thus, a key aspect implies that the structures, systems, and components in both design basis and extended design basis are directly responsible for and capable of preventing, interdicting, and mitigating accidents in the framework of the construct [5].

The Fukushima accident was also comprehensively reviewed in terms of safety and security in the United States [6]. This review considered the lessons learned from the Fukushima accident based on plant operations, safety regulations, off-site emergency management, and nuclear safety culture. The study specifically contained comparison analyses of boiling water reactors (BWRs) in Japan and the United States. Recommendations for improving the training of human resources, strengthening capabilities for assessing risks from beyond-design basis accidents and incorporating modern risk concepts into nuclear safety regulations were also proposed.

Summary of Relevant Safety Assessments for the PHWR. There are 437 operable NPPs worldwide. Of these, 48 pressurized heavy water reactors (PHWRs) are in an operational state. In addition to the currently operable plants, 5 PHWRs are under construction in Argentina and India [7]. Although a PHWR has different fuel cycle characteristics and neutron economics compared with pressurized water reactors (PWRs) and BWRs, there are still commonalities that apply to all. The safety of a PHWR is equally important as that of a PWR and a BWR and has to be continuously reviewed and checked.

Closely related with this research, the safety of NPPs in European Union (EU) countries has been assessed by performing “stress tests” following the Fukushima accident. The stress test was defined as a targeted reassessment of the safety margins of NPPs in light of the events that occurred at Fukushima: extreme natural events challenging the plant safety functions and leading to a severe accident [8]. The stress tests were conducted under assumed conditions of severe natural disasters, including earthquakes and floods, loss of electrical power, loss of primary ultimate heat sink, and severe accidents leading to core damage. Member states in the EU have been implementing national action plans developed based on the results of the comprehensive assessments of the risk and safety of NPPs. The reports from the stress tests contained proposed measures for enhancing the safety of each NPP in the EU.

The hard protection described in this paper is closely connected with the evaluations of earthquakes and floods from the stress tests. The proposed design concepts for electricity and cooling are based on the stress test results concerning loss of electrical power and loss of ultimate heat sink. In the EU, there are two PHWRs, both of which are located in Romania: Cernavoda units 1 and 2, whose electrical power is 706.5 MWe each [9]. At Cernavoda, some of the post-Fukushima action plans have been implemented, and the others are still in progress [10]. Some improvement activities in Romania related to three solutions in this paper are cited and explained together in the following chapters.

CANDU (CANada Deuterium Uranium), which is a representative PHWR, was first developed by Atomic Energy of Canada Limited (AECL). The assessments for all of the current CANDUs showed that the safety was sufficiently robust; however, COG (the CANDU Owners Group Inc.) developed a whole-site PSA (Probabilistic Safety Assessment) methodology reflecting the risks derived from the Fukushima accidents [11]. Many of the post-Fukushima recommendations have been implemented for CANDU reactors. Connected with this paper, Canadian utilities have procured portable water pumps and emergency generators for preventing fuel failure. This emergency mitigating equipment (EME) includes portable AC power generators, system connections, and piping [12]. EME was installed on-site and off-site.

AFCR (Advanced Fuel CANDU Reactor) is being developed by Candu Energy Inc. as a Generation III reactor based on the CANDU 6 and EC6 (Enhanced CANDU 6) reactors [13]. This reactor uses both recycled uranium and thorium-based fuels, and it also meets the recent Canadian and international standards for a Generation III reactor based on the lessons from the Fukushima accidents. Therefore, from a safety system perspective, the criteria for the principles of separation, diversity, and high reliability are enhanced in an AFCR [14]. A larger volume of water in the calandria vault provides the second passive heat sink for the core. Moreover, the AFCR includes gravity-driven, passive water supply lines, and a pump-driven recovery circuit for containing any severe core damage within the calandria vessel [14].

In response to the lessons from the failures that occurred in the Fukushima accidents, regulatory bodies have presented recommendations for enhancing the safety of CANDU reactors. The CNSC (Canadian Nuclear Safety Commission) released “the Fukushima Task Force Recommendations,” as shown in Table 1 [15]. The action plans have been implemented in a phased approach. In Korea, 56 short- to long-term improvements were identified to secure safety in May 2011. The plans to enhance the diversity of emergency power supply systems and emergency injection systems were covered and implemented. For the four CANDU reactors in the Wolsong site, Korea, stress tests based on the EU stress test are being conducted by regulatory bodies, operating utilities, and environmental groups. These stress tests include assessments for various external risks, such as storm surges, wave setups, and tornados.

Objective and Scope. This paper is divided into two chapters according to the two main aims of this study. Each chapter consists of the three categories: plant protection, electricity supply, and cooling of the nuclear fuel. The first aim of this paper is to review the Fukushima accident in terms of macroscopic losses, particularly for units 1 through 3 of the Fukushima Daiichi nuclear power station. Several parts associated with this aim are based on the findings in the interim and final reports of TEPCO [2, 3]. The second aim is to propose design concepts for safety enhancements of a PHWR based on the described losses and the previous studies. The concrete applications described in this paper follow a companion paper written by one of the coauthors [16]. The ranges of views and contents are extended from the previous paper for application designs according to the design of a PHWR.

The safety systems in NPPs are designed to perform one of three fundamental safety functions: controlling reactor power, cooling the fuel, and containing radiation (regarded as the 3Cs) [12]. The recommendations in this paper concern the successful removal of decay heat for the prevention of core melt. The scope of this paper does not address the sequences covering the shutdown process of the core immediately following an accident or the release of radioactive materials after the core melt. Therefore, the first assumption is that the core is shut down. Even if the proposed systems can be used for severe accidents, the possibility of utilizing such systems during severe accidents is not discussed here.

Each category in this paper is related to the others. First, an earthquake and a tsunami were the initial events at the Fukushima site. Even with the occurrence of an earthquake and a tsunami, cooling systems should be protected from damage by hard protection for external risks. A cooling system requires coolant, a flow path, driving power, and cooling capacity. The driving power for cooling systems generally consists of either electrical power or natural phenomena. Therefore, an electrical power failure is directly associated with a loss of driving power for active safety systems. In the Fukushima accident, the loss of protection against external risks caused the loss of electrical power. Accidents that cause electrical power loss necessitate passive safety systems operated by natural phenomena such as gravity, natural circulation, or pressure differences. For cooling medium in a cooling system, cooling capacity refers to the role of a heat sink. Generally, for water-cooled reactors, water is used both as coolant and as heat sink.

This study does not include the failures of cooling spent fuel caused by the losses in the Fukushima accidents. However, some of the proposed systems could be used to cool the spent fuel bay based on the estimations of the application possibilities. The application of the spent fuel bay could be positively reviewed due to the accessibility of the location connected to the external containment. In addition, the problems and effects from human factors, coping strategies, and policies are not thoroughly discussed to avoid reiteration, although they were the main contributors to failures in the Fukushima accident. This paper only addresses systems installed on-site or off-site.

2. Losses of the Fukushima Accident

2.1. Loss of Protection against External Risks

All NPPs are always exposed to external risks. These risks include earthquakes, fires, floods, tsunamis, tornados, and terrorist attacks. The units in the Fukushima site were designed for external risks, including earthquakes and tsunamis. However, the degrees of the external risks were considerably higher than the designed values. A 9.0-magnitude earthquake occurred at the hypocenter at 14:46 on March 11, 2011. Additionally, a 6+ magnitude earthquake was observed in the Fukushima prefecture [2]. Subsequently, numerous earthquakes occurred. Following the first earthquake, the first tsunami reached the Fukushima site at 15:27, and the second tsunami, which was considerably higher than the first, reached the site at 15:35 [2]. Many subsequent tsunamis struck the site.

The earthquake was detected by the plant protection system, and the reactor was automatically scrammed. The critical damage resulting from the earthquake was failure of electrical supply from off-site power. None of the external electric transmission lines were available due to damage to the components of each line. The durability of the electric components in the switch gear yard, transformer substation, and transmission line against an earthquake was not high. Additionally, the fire protection systems and the in-plant roads at the site were severely damaged by the earthquake. The tsunami almost completely flooded the major building areas and washed away cars and tanks, and large amounts of rubble were scattered at the site. Because the elevation of the reactor and turbine building area was approximately 10 m and the height of the tsunami was between 11.5 m and 15.5 m, the inundation depth was between 1.5 m and 5.5 m [3].

There was a time gap between the first earthquake and the first tsunami. However, for some components in the plant, it was not possible to determine whether the cause of damage was the earthquake or the tsunami because there was no opportunity to survey the plants due to the aftershocks and the following tsunamis on the site. Additionally, it is known that several specific damaged locations have not yet been investigated [3].

The loss of protection against external risks has two general implications other than the direct damage caused by the earthquake and tsunami. Firstly, the loss of protection resulted in a loss of main element transfers, such as electricity and coolant. Although the earthquake and tsunami did not damage the complete structural integrity of the reactor pressure vessel and primary containment vessel, they affected the lines for supplying electricity and coolant. Secondly, the damage caused by the external risks became larger than that in the initial state. The external risks had wide and continuous effects on the site. Breaks in reactor pressure lines and damage to safety systems were not found in the initial state. Therefore, accurate analyses were not possible due to damage to several components. As the pressure in the reactor vessel increased, the conditions worsened due to the extension of broken parts. Consequently, the loss of protection should be prevented not only to ensure the integrity of a component but also to avoid the occurrence of other losses and extension of the loss.

2.2. Loss of Electricity

The loss of electricity is divided into three physical losses.

The first is the loss of off-site AC power. Seven off-site electricity supply lines were connected to the site of the Fukushima NPPs. Six lines were connected from the Shin-Fukushima transformer substation. The other line was connected from the electrical network of the Tohoku Electric Power Company. However, all the supplies from the lines were unavailable due to the earthquakes. Figure 2 illustrates the damage to electrical installations for the external supply of AC power. In units 1 and 2, the power-receiving circuits at the nuclear power stations were damaged. In units 3 and 4, the damage to supply lines at the Shin Fukushima substation caused disconnection of the AC power supply. Additionally, the cable on one supply line from the electrical network of Tohoku was damaged due to the earthquake [3].

The second is the loss of on-site emergency AC power. All the emergency diesel generators (EDGs) were operated as designed after the loss of off-site AC power. However, the tsunami flooded the EDGs installed on the basement floor of the turbine building. Although two EDGs on the ground floor of the common spent fuel storage building were not inundated, the tsunami submerged their metal-clad switchgear installed on the basement floor.

The third is the loss of on-site emergency DC power. The batteries of units 1, 2, and 4 were inundated due to the tsunami. The remaining batteries that survived the flooding were operated for approximately two days for detection and control of the systems at unit 3. However, because the capacity was not designed for several days, the remaining batteries eventually lost all capacity.

There was also a critical problem of an unseen loss of electrical power in the Fukushima accident. The electricity supply systems in a shutdown state are classified as off-site AC power, on-site emergency AC power, and on-site emergency DC power. Although most of the supply systems failed due to the earthquake and tsunami in the Fukushima Daiichi NPPs, they were originally designed to supply electricity for a designed time, excluding off-site AC power. The design operation time of EDGs and batteries is normally set based on the assumption that the external AC power would be restored before the depletion of EDGs and batteries. However, it took approximately 10 days to repair and reconnect the off-site AC power due to the external conditions of the site. The off-site AC power supplies were lost immediately after the earthquake, and the on-site supplies failed at 15:42 on March 11. The external AC power at units 1 and 2 was restored on March 20. The external AC power at units 3 and 4 was restored on March 22 [3]. However, the coping time for a SBO is generally 8 or 72 hours. In terms of the off-site conditions, it is necessary to change the approach for managing systems from being treated by outside systems to being mitigated by systems installed on-site. Additionally, the time to restore off-site power first has to be actually estimated for NPPs considering severe external risks. The mitigation methods in the severe accident management guideline (SAMG) have to be established based on the estimated time.

2.3. Loss of Cooling

The release of radioactive materials was caused by core melt in the Fukushima accident. Core damage could be thermally prevented by removing decay heat. To remove decay heat, a continuous coolant supply is required after a shutdown.

A BWR generates steam for electricity generation in one pressure boundary. In the Fukushima Daiichi NPPs, unit 1 was BWR-3 and units of 2 to 5 were BWR-4. In preparation for cooling the fuels in accidents, there were two isolation condensers (ICs) and a high-pressure injection system (HPCI) in BWR-3. There were a reactor core isolation cooling system (RCIC) and a HPCI in BWR-4. In an accident, steam vaporized from the core goes to ICs. An IC tank filled with normal temperature water has a heat exchanger in which steam from the core flows in tubes. Condensed water cooled in the IC tanks returns to the core by gravity. The RCIC and the HPCI are systems to supply water from the condensate storage tank or suppression chamber by turbine-driven pumps using steam from the core.

Water was filled in the reactor vessel and the suppression chamber under normal operation before the reactor shutdown caused by the earthquake. At unit 1, the IC was operated for approximately one hour after the earthquake. However, because the flooding caused the total failure of AC and DC power, the ICs and the HPCI could not be operated. The water in the vessel and chamber was maintained for only a few hours. The cladding was exposed to the steam in the core due to the lack of supplying the coolant. At unit 2, even though the total power was failed due to the flooding, the RCIC was operated for approximately three days. After the trip of the RCIC, the water level in the core dropped and the core was damaged. All the AC power sources at unit 3 were also failed due to the flooding. On the other hand, because DC batteries were installed at the higher elevation than the ground level, the RCIC and HPCI could be operated by the intact DC power. However, the coolant was not continuously supplied due to the failure of an injection mode shift from the HPCI to low-pressure coolant injection (with a diesel-driven fire pump) [18]. Finally, the reactor core at unit 3 was also damaged.

The fuel could not also be protected by the off-site coolant injection. The Sakashita dam, located approximately 9 km from the Fukushima Daiichi NPPs, was prepared to supply off-site water. However, the water could not be conveyed because the water supply system for moving water to the plants was damaged and failed, even though the water could flow by gravity from the dam [16]. Furthermore, the coolant injection from fire engines could not prevent a core melt accident because the fire trucks were connected to the injection lines after the core uncovery. Additionally, the seawater next to the plants could not be used as an ultimate heat sink due to the loss of electrical power to pump the water. This means that additional water has to be supplied from adjacent systems to minimize the failure rate on supply lines. In addition, it would be better for cooling systems to be operated by natural phenomena using the installed injection lines.

3. Solutions from the Losses

The design of CANDU-6, which is a representative PHWR, is described as a reference reactor in this chapter [19].

3.1. Hard Protection against External Risks

In the concept of defense in depth, because the containment is the final barrier for preventing the release of radioactive materials to the containment outside, protecting the integrity of the containment is directly connected with avoiding contamination for the public and environment. Regarding the containment structure of the BWR in the Fukushima site, the primary containment vessel (PCV), which is composed of steel, consists of a flask-shaped dry well, a doughnut-shaped pressure suppression chamber (wet well), and vent pipes in Mark-I BWR. The reactor pressure vessel is located in the dry well. The wet well in the pressure suppression chamber was connected to the dry well by vent pipes, which were designed to penetrate the dry well. In the event of an ex-vessel core melt accident, failures of components in the dry well, vent pipes, suppression chamber, or reactor building could cause a large release of radioactive materials to the outside. Although the reactor building as secondary containment was composed of reinforced concrete, it could not withstand the unexpected hydrogen explosion at Fukushima. In contrast, the reactor containment in a PHWR has a solid protection boundary that consists of a foundation slab, a cylindrical wall, and a partly spherical dome. It is structurally separated from the primary system, which includes a calandria assembly and steam generators. The minimum thickness of the cylindrical wall in a PHWR is approximately 1.1 m. It is stronger than the BWR containment for external risks such as tsunamis and tornados. Additionally, the BWR containment is designed primarily for condensing steam due to the inherent character of the reactor type. Accordingly, because the containment free volume of a PHWR is considerably larger than that of a BWR, it can have a longer safety duration time to protect the integrity of the containment.

For harder protection against an earthquake, the seismic class of several specific components has to be higher. In the case of the fire protection systems in the Fukushima accident, the seismic class was classified as C. It was designed to be used for injecting alternative water and for extinguishing fires in emergency conditions. However, because the protection lines, fire plugs, and intake ports were damaged by the earthquake, the system could not be properly operated [2]. Accordingly, it caused loss of the function to inject water into the NPP as the final provision of supplying coolant. In the stress tests implemented for the two Cernavoda NPPs (CANDU 6 design) in Romania, improving the seismic robustness for the existing Classes I and II DC batteries was adopted and implemented as one of the post-Fukushima action plans [10]. Accordingly, an elevated seismic class of systems, such as the fire protection and DC power sources for PHWRs, can be considered for decreasing the risk caused by the occurrence of an earthquake.

The risk of damage by a tsunami can be decreased by a high barrier along the sea outside NPPs. Although the height of the tsunami barrier in the Fukushima accident was designed using the previously established criteria, the actual tsunami that occurred in the accident was higher than the tsunami barrier. Additional work to raise the 18 m tsunami barrier that was constructed after the Fukushima accident to 22 m is under way at the Hamaoka site in Japan. Additionally, the tsunami barrier at the Kori site in Korea was extended from 7.5 m to 10 m as a post-Fukushima action. With respect to components, waterproof shielding is needed for components that perform safety functions both inside and outside the containment. For Cernavoda NPPs, volumetric protection by replacing selected access doors with resistant doors and room penetration sealing was recommended from a “stress test” peer review [10]. It guarantees safety against tsunamis and floods by securing spatial isolation.

3.2. Electrical Redundancy and Diversity

First, the electrical power in a NPP can be enhanced by simply increasing the number of current power systems that supply electricity. The concept of redundancy can be applied in the supply systems for off-site electricity, on-site emergency AC electricity, and on-site DC electricity.

Redundant power supply systems can be modified and adopted together with the concept of diversity. Examples of diversification of power supply systems to be applied are provided in Table 2.

The diversification of systems decreases the risk of common cause failure, which is one of the dominant causes of failure in a large system. Transmission lines from substations are typically installed on the ground. A new underground transmission line can be connected using underground power transmission cables. In addition, it is necessary to diversify the locations of EDGs. General EDGs and diesel tanks, including those in the Fukushima NPPs, are installed on the ground or underground. These are designed and installed for the security of NPPs. However, from the perspective of safety in the event of a tsunami and flood, the risk to an elevated EDG would be lower than that to an underground EDG. Furthermore, the availability of EDGs can be increased by diversifying the cooling type of EDGs. The diversification of installation locations also has to be considered for DC batteries. Another option for adding diversity to supply electrical power is to make diesel generators and DC batteries portable. CNSC reviewed the usability of portable uninterruptible power supplies as the deployment of EME [12]. It will secure the make-up water capabilities with portable diesel pumps for primary heat transport system and steam generators. The Cernavoda CANDUs in Romania have already procured mobile diesel generators on-site as part of the post-Fukushima action plan [9]. They have been tested to enhance protection against SBO scenarios.

The bunker concept that integrates redundancy and diversity was proposed in Europe for enhancing the ability of supplying electrical power. It was designed to be applied in the Beznau NPP [17]. Unit 1 of the Beznau NPP located in the northern part of Switzerland is the oldest operating PWR in the world, which began operation in September 1969. The original design objective of the bunker concept was to backfit the plant for continued operation [20]. There are additional safety systems for reactor shutdown, feedwater supply to the steam generators, and electricity supply from the installation of diesel generators in the bunker. The outer wall of the bunker is concrete-steel with a thickness of 1.5 m. Figure 3 shows a bunker system installed adjacent to a containment building. The original design of the bunker concept increases the availability of heat removal systems as well as that of electrical power supply systems through providing additional systems for redundancy and diversity. After the Fukushima accidents, one emergency electrical power supply system installed in a bunker has been considered as a prospective system in terms of both safety and security even though the original bunker concept includes many components for cooling, emergency power sources, and emergency control room. In addition to safety-grade EDGs, an alternative AC (AAC) power source installed inside the bunker can guarantee high reliability of operation even in extreme weather events. Because it can be installed for two PHWRs as a non-safety-grade system, the efficient utilization in the high integrity will be secured by covering an accident affected on single or multiple plants in a site.

3.3. Cooling Redundancy and Diversity

To ensure successful cooling, redundancy and diversity of the coolant source, heat sink, and connected lines have to be secured. First, the safety of cooling can be enhanced through redundancy of current safety systems. An increase in the number of safety systems decreases the probability of system failures to cope with an accident. Second, diversification of coolant sources can enhance the safety and security of cooling. In addition, the application of new coolant refilling systems can increase the coping time for an accident by an increase in the capacity of the coolant source during which decay heat can be removed. The following methods can be adopted to refill the coolant tanks:(i)provision using fire trucks and fire cisterns;(ii)coolant tanks and connections outside the containment building on-site;(iii)artificial reservoir and connections on-site;(iv)water conveying system from lakes, rivers, or dams.

Third, the diversification of final heat sinks can also enhance the cooling capacity. The ultimate heat sink for emergency cooling systems at Fukushima was seawater. For the designs of emergency cooling systems, a lake, river, dam, artificial reservoir, or atmosphere can be used as a diversified final heat sink according to the conditions of each site.

In addition, the safety of a PHWR for cooling the fuels can be enhanced in various ways by applying design concepts of safety systems proposed for other type of water-cooled reactors. Examples of safety systems for the application to a PHWR are introduced in the next subchapters under two categories: cooling by natural circulation and injection.

3.3.1. Cooling via Natural Circulation

Passive cooling systems operated by natural circulation are divided into two categories according to the primary or secondary pressure loop designed in a PHWR.

Even though the coolant is heavy water, the single-phase natural circulation can be used for removing decay heat from the core. The passive residual heat removal system (PRHR) in a PWR is a representative example. The PRHR designed for the primary side of AP1000 removes decay heat through PRHR heat exchangers, which can be operated under a pressure of 17.2 MPa [21]. The heat is directly transferred from the core to the PRHR heat exchangers. It is similar to the design of the IC in a BWR to circulate coolant in the primary loop; however, the IC is operated by the two-phase natural circulation in the primary side.

A design for the removal of decay heat using natural circulation in the secondary pressure loop is a passive auxiliary feedwater system (PAFS) developed in Korea [22]. The PAFS consists of steam and feedwater lines connected to a steam generator, heat exchanger, and condensate cooling tank. The steam from a steam generator goes to the heat exchanger in the water of the cooling tank. Steam is condensed, and the water flows to the steam generator again. This system also decreases the failure risks caused by human errors. Because four steam generators are installed in the secondary circuit in CANDU-6, this cooling concept can be used for enhancing the passive safety of a PHWR in a shutdown state. One of the merits of this system is the lack of a need for a discharging steam to the outside. The decay heat is removed by being transferred from the core to steam generator and from the steam generator to the atmosphere as the final heat sink.

The cooling tanks of these systems have to be continuously refilled because the cooling capacity is set for a designed time on-site. Refilling the coolant into the tanks installed inside the containment is difficult due to the accessibility of the containment inside as shown in the Fukushima accident. Therefore, the coolant tank for the auxiliary injection is recommended to be installed outside the containment.

This type of system for cooling via natural circulation can be applied to new plants to be constructed. However, the applicability on current operating reactors is very low due to large design modifications from the original design even though the performance is guaranteed without the use of AC power.

3.3.2. Cooling via Injection of Coolant or Feedwater

In this subchapter, systems that can inject coolant or feedwater into the calandria vessel, primary heat transport system, or steam generators are introduced.

For emergency core cooling in primary heat transport system, there are two high-pressure injection tanks as a safety-grade system in CANDU-6. The accumulator is the representative system that uses the pressure difference between the primary heat transport system and the water tank connected to the compressed gas tank. As the need for passive safety systems that can be operated without AC electrical power has increased after the Fukushima accident, an application of a safety injection tank designed with the higher gas pressure is being reviewed for new advanced water-cooled reactors.

One of the effective methods for removing decay heat is to supply feedwater into a steam generator while preserving the integrity of the primary side by all means available in unprepared emergency conditions in a PHWR. After shutdown of the reactor in an accident, feedwater supply pumps powered by AC power in the secondary side inject the water into the steam generators. Steam generators are utilized to transfer heat from the primary side to the secondary side, as coolant in a primary loop can be circulated by natural convection, from a lower reactor vessel as a heat source and a higher steam generator as a heat sink.

In the case of a PWR, motor-driven auxiliary feedwater pumps (MDAFPs) and turbine-driven auxiliary feedwater pumps (TDAFPs) supply the feedwater into steam generators in accidents, excluding most cases with loss of coolant in the primary side. The MDAFP such as the feedwater supply pump in a PHWR supplies the feedwater into steam generators when AC power is available. The TDAFP can supply the feedwater into steam generators despite a total loss of AC power. The auxiliary feedwater system with the TDAFP powered by a small turbine is similar to the RCIC in a BWR. As there are four steam generators that can be used for the removal of decay heat in the CANDU-6, the applications of the design concepts such as the RCIC and TDAFP can be considered in preparation for accidents with a total loss of AC power.

Cooling water from an external water reservoir has to be pumped into steam generators when the general safety system is not operable. An on-site reservoir and fire trucks were installed on CANDU reactors at the Wolsong site in Korea. Figure 4 shows the design concept for removing decay heat in either the primary side or the secondary side. In the emergency system, an on-site emergency water supply storage pool or a fire truck serves as a water source. An emergency core cooling heat exchanger is used as a heat sink. In addition, a mobilized fire truck and emergency pumps provide active driving power to deliver coolant. There are various methods to inject or circulate coolant in this emergency cooling system. One method is to inject water from an emergency water supply storage pool to a steam generator by a mobilized fire truck situated in a place for the direct injection. When the steam generators are unavailable, the coolant can be directly injected into the core with depressurization in the primary side. The decay heat can also be removed by circulating coolant from the sump to the core through an emergency core cooling heat exchanger and a pump. This system is controlled by several valves installed in each line. The function of this system is similar to that of EME used by installing the movable power generator, portable water pumps, and connection lines on the specified location in an accident.

In contrast to the designs of other LWRs, the CANDU reactor has a dousing water tank situated at high elevation. This water tank is located on the top of the inner containment below the outer containment. The opening part of the tank is installed below the inner containment. Because the tank is filled with approximately 2100 tons of water that can be used for emergency core cooling and containment spray operation, the safety duration time dependent on the on-site water capacity can be longer than those of other types of reactors [19].

As one of the safety systems for emergency cooling, an integrated passive safety system (IPSS) was proposed for beyond design basis accidents, including a SBO and a total loss of feedwater (TLOFW), based on the design of a PWR after the Fukushima accident [23]. The IPSS consists of pipes, heat exchangers, and large water tanks at high elevation outside the containment. The design concept of the IPSS can also be applied to a PHWR. An application example of the IPSS on a PHWR is shown in Figure 5. Because a water tank is installed at high elevation, such as at the top of a service or turbine building in a PHWR, it can serve as a heat sink for forming natural circulation with steam generators, and the coolant can be injected by gravity.

The IPSS performs five functions using the water in two large tanks, named integrated passive safety tanks (IPSTs). The first function, that is, a passive decay heat removal (PDHR), can be performed by installing one of the two design options. For the first option of the PDHR, feedwater and steam are circulated through steam generators and heat exchangers designed in the IPSTs by natural circulation. The second of the PDHR is a steam generator gravity injection system (SGGI) to fill steam generator by gravity with water from the IPST. The vaporized steam from steam generators is discharged to the atmosphere outside the containment through atmospheric steam dump valves (ASDVs). The second function of the IPSS is a passive safety injection system (PSIS) to inject coolant into the core through the emergency core cooling system after the depressurization in the primary side. The other functions are passive containment cooling system (PCCS), passive in-vessel corium retention through external reactor vessel cooling (PIVR), and containment filtered venting system (CFVS) for mitigating a core melt accident. The functions of the IPSS can be selectively installed for a PHWR. The applicability of the SGGI can be relatively higher when an IPST is installed outside the containment and pipes penetrate the containment through originally designed penetration holes. Furthermore, even if a large water tank is installed only for refilling on-site water tanks, the cooling duration time could be increased before outside emergency treatment.

4. Conclusions

Three macroscopic losses of the Fukushima accident were reviewed in terms of installed systems and components. In light of the three losses, the design concepts for enhancing the safety of PHWRs were proposed. Using the approaches based on redundancy and diversity, the accident management strategy can be strengthened for the prevention of core damage. First, the need for hard protections for a fire system and a DC power source against earthquake was proposed. In addition, a tsunami site barrier and volumetric sealing isolation are conducive to the hard protection for a PHWR. Second, the diversification of emergency electrical power supply system can enhance the usability of active safety systems in a SBO. A method is to install diverse cooling types of AAC power sources in independent locations. Movable EDGs and DC batteries can supply emergency electrical power with high reliability; the systems are recommended to be prepared at the higher elevation than the ground level. The bunker concept is an integrated concept for supplying emergency AC power besides containment, which is designed based on hard protection. Third, solutions for enhancing the function of cooling a core were proposed for a PHWR. Diverse coolant sources and heat sinks will guarantee the increase of coping time before the recovery of off-site AC power.

As proposed, the designs concepts of the existing safety systems such as PRHR, RCIC, and PAFS in other types of water-cooled reactors can be applied to a PHWR; however, it will cause many license issues because of the main modifications of a reactor design inside the containment. Also, it actually has to be designed according to the applicable standards, codes, and regulatory requirements as a system on safety-grade. For enhancing the safety with fewer design modifications, several countries, including Romania and Korea, have adopted emergency systems that can mitigate an accident by arranging movable pumps with the connection lines outside containment. The system can inject a coolant or feedwater into a calandria vessel, primary heat transport system or steam generators through nozzles, and waterway connected from the outside. The IPSS was proposed as an additional safety system installed outside containment. The subsystems in the IPSS are designed to be operated without the AC power for removing decay heat or preventing the release of radioactive materials.

There have been previous studies regarding PSA for some systems proposed in this paper. For the design of a PWR, an emergency water supply system (EWS) similar to EME reduced the SBO contribution portion to the total CDF (core damage frequency) by half [24]. In the case of the IPSS, the CDF from LOOP (loss of off-site power) and LOFW (loss of feedwater) reduced by less than half [25]. When the mass flow rate from an emergency pump was low or the preparation time for the injection was later than one hour from the SBO occurrence, the core damage could not be prevented in the case using the EME. On the other hand, the IPSS did not need the preparation time, but the analysis results were sensitive to the failure events related with depressurization systems and human errors. The results of the cost-benefit analysis were primarily dependent on the risk aversion factor, which was estimated by the public in a local, relocated, or regional group near a NPP [24, 26]. In consideration of the increased risk aversion factor after the Fukushima accidents, the application of EME or IPSS to a PHWR would provide cost-effective benefits.

This study implies that a design concept of a large water tank at high elevation, such as an IPSS, and a dousing water tank, supplied by passive methods, needs to be applied in LWRs for enhancing the safety of the emergency water supply. Considering an accident that affects an overall NPP site with a wide range of damage, such as the case of the Fukushima accident, it is possible that emergency water supplies prepared by off-site actions will be difficult to mobilize due to severe external conditions. The accident management strategy needs to be modified to use systems installed on-site.

Several systems are proposed for enhancing the safety of a PHWR in this paper, as the follow-up actions of the Fukushima accidents. It is not intended that the safety of a PHWR is low and must be enhanced more by the proposed systems without foundation. The determination for the application of a system is completely dependent on the government, regulatory bodies, operation and management companies, and public acceptance. As the further work of this paper, the study of PSA and cost-benefit analysis for the comparison of the proposed systems will show the quantitative effects from the applications.


The Fukushima accident is reviewed in terms of protection, electric power, and cooling.Setting a time for the restoration of external AC power is critical for designing safety systems.Emergency provision systems for a PHWR are proposed.The bunker concept enhances safety through electrical redundancy and diversity.The addition of an elevated external coolant tank increases the cooling duration time.

Conflict of Interests

The authors declare that there is no conflict of interests regarding the publication of this paper.


This research was supported by the KUSTAR-KAIST Institute, Korea, under the R&D program supervised by the KAIST.