Our history of nuclear events

Our history of nuclear events EDF fleet and global experience feedback

2 | EDF fleet and global experience feedback At a time when the nuclear fleet is extending its operating life by carrying out ten-yearly inspections VD4 900, VD3 1300, preparing for VD5 900, VD4 1300 and VD3 N4, and also starting the Flamanville 3 EPR, I consider it essential to keep in mind the events that have marked the history of nuclear power worldwide and within the EDF fleet. Since the start-up of the French nuclear fleet 60 years ago, EDF Group has accumulated 2,500 years of reactor operation and several generations of nuclear professionals have already passed through its ranks. It is thus vital to capitalise on our operating experience and benefit from it to avoid repeating past mistakes. This is a recommendation from WANO and the Davis-Besse SOER and one of the features of a good Safety Culture. It is with this in mind that I have commissioned some of our senior colleagues (*) to select the most noteworthy events, illustrate the lessons learned by the DPN and set out straightforward key messages for all those contributing to the safety of our facilities. The ambition of this booklet is to contribute to passing on information between generations and to invite everyone to go further through the use of digital tools. I am convinced that knowledge of these events, which form the basis of our collective memory, will be a driver for development of the Safety Culture that will enable us to continue improving the safety of our PWR fleet. François Goulain Deputy Safety Director of the Nuclear Power Generation Division (*): Christian Borgne (former Nuclear Safety and QA Senior Advisor at Fessenheim) and Serge Blond (former Director of the Nuclear Inspectorate) with the assistance of Jean-Philippe Bainier (former Deputy Director of the DPN and former Director of Dampierre, Fessenheim and Tihange). Thanks to Laurent Panisset and Valérie Palfner who worked to bring this booklet to life and to grow under Wik’ing.

EDF fleet and global experience feedback | 3 INES scale The International Nuclear and Radiological Event Scale A “Tour de France” of NPP experience feedback Gravelines (6) Penly (2) Flamanville (2+1) Chooz (2) Cattenom (4) Fessenheim (2) Belleville (2) St Laurent (2) Chinon (4) Civaux (2) Le Blayais (4) Golfech (2) Bugey (4) Cruas (4) Tricastin (4) St Alban (2) Nogent/Seine (2) Dampierre (4) Paluel (4) 7 St-Laurent UNGG plant France - 1980 Three Mile Island USA - 1979 Vandellos Spain - 1989 Chernobyl USSR - 1986 Fukshima-Daiichi Japan - 2011 6 5 4 3 2 1 0 Major accident Serious accident Accident with wider consequences Accident with local consequences Serious accident Incident Anomaly Below scale – No Safety significance

4 | EDF fleet and global experience feedback Develop a questioning attitude, a rigorous approach and effective communication Role of managers • Criticality management • Safety Management Levers • On-site HF consultant After Chernobyl 1990s Safety culture INSAG 4, 13, 15 Reduce the risk of human error • Automation/computerisation • core cooling monitor • administrative isolation • “control by state” approach • crisis organisation • simulator training • design ergonomics • Safety Engineer After TMI 1980s Human presence but source of errors 1 2 1979 - Three Mile Island 1986 - Chernobyl Development of safety culture: 5 very distinct periods • Robust design is paramount • Quality approach • Defence in depth Before TMI Safety based on technical reliability 4 global events that have marked

EDF fleet and global experience feedback | 5 Avoid slow drift, avoid trivialisation of anomalies Reaffirm safety culture • Safety Management Guide • Human Performance project • SOH approach After Davis-Besse 2000s Low-level events Safety / competitiveness INSAG 18 Develop the ability of an organisation to anticipate disruption, to withstand it, and to return to an acceptable status • Extreme Situation Operations Team • FARN • DUS • FPCS-bis • Last-resort water supply After Fukushima Resilience 3 4 2002 - Davis-Besse 2011 - Fukushima the history of nuclear power 1979 TMI % Year 1986 Chernobyl 2011 Fukushima 2023 2002 Davis-Besse 2010s

6 | EDF fleet and global experience feedback Contents Introduction......................................................................................................................................................................................P. 2 INES scale........................................................................................................................................................................................... P. 3 4 global events that have marked the history of nuclear power.........................................P. 8 - 25 Three Mile Island (TMI)............................................................................................................................................P. 10 - 13 Chernobyl........................................................................................................................................................................P. 14 - 17 Davis-Besse....................................................................................................................................................................P. 18 - 21 Fukushima Daiichi.....................................................................................................................................................P. 22 - 25 A “Tour de France” of NPP experience feedback.............................................................................. P. 26 - 78 Thematic data sheets.....................................................................................................................................P. 28 - 55 Reactivity management........................................................................................................................................P. 30 - 31 Unintentional dilution.............................................................................................................................................P. 32 - 33 Clogging of the water intake...........................................................................................................................P. 34 - 35 Primary circuit break by opening the PZR SEBIM safety valve......................................................P. 36 - 37 SGTR “Steam Generator Tube Rupture that cannot be offset by the CVCS”....................P. 38 - 39 Major fires.....................................................................................................................................................................P. 40 - 41 Hydrogen explosion risk......................................................................................................................................P. 42 - 43 Circuit corrosion.......................................................................................................................................................P. 44 - 45 Administrative isolations......................................................................................................................................P. 46 - 47 DMP / MTI - Temporary device and Temporary modification .....................................................P. 48 - 49 FME - Loose parts.....................................................................................................................................................P. 50 - 51 Common Mode failure...........................................................................................................................................P. 52 - 53 “Fraud & Irregularity” risk - CFSI (Counterfeit, Fraudulent and Suspect Items)................P. 54 - 55

EDF fleet and global experience feedback | 7 Selection of events to keep in mind ................................................................................................ P. 56 - 78 Belleville 1 - Undetected unavailability of FPCS tank.....................................................................................P. 58 Blayais - Partial flooding of the station due to a storm..............................................................................P. 59 Bugey 5 - Appearance of a vortex in RHRS LOR.............................................................................................P. 60 Cattenom 3 - Numerous leaking fuel assemblies.............................................................................................P.61 Chinon B0 - Freezing of DVN and DVK heaters...............................................................................................P. 62 Chooz 1 - Earthing of the live 400 kV line..........................................................................................................P. 63 Civaux 1 - Primary circuit break with the RHRS connected......................................................................P. 64 Cruas 4 - SG leak greater than 70l/h.....................................................................................................................P. 65 Dampierre 4 - Error when loading fuel in reactor vessel..........................................................................P. 66 Fessenheim 1 - Uncontrolled criticality..................................................................................................................P. 67 Flamanville 2 - Safety injection, primary in single phase............................................................................P. 68 Flamanville 3 - Non-compliance of MSSS welds..............................................................................................P. 69 Golfech 2 - Uncontrolled drainage of the MPS................................................................................................P. 70 Gravelines 2 - 21,000 ppm SIS unavailable at full power...........................................................................P. 71 Nogent 1 - Hot water seepage into SIP rooms.................................................................................................P. 72 Paluel 2 - Primary side cooling >56°C/h...............................................................................................................P. 73 Penly 2 - Damage to MCP and fire in the reactor building.......................................................................P. 74 Saint-Alban 1 - Prolonged loss of fuel building pool cooling....................................................................P. 75 Saint-Laurent A - Fuel meltdown..............................................................................................................................P. 76 Saint-Laurent B2 - Unavailability of both CCWS trains...............................................................................P. 77 Tricastin 2 - Partial lifting of 2 fuel assemblies with the Upper Internals........................................P. 78 Glossary............................................................................................................................................................................................P. 80 To go further: Wik’ing and event references............................................................................................... P. 81 - 83

4 global events that have marked the history of nuclear power

Three Mile Island (TMI) on 28 March 1979 P. 10 - 13 Davis-Besse on 6 March 2002 P. 18 - 21 Fukushima-Daiichi, units 1-2-3-4 on 11 March 2011 P. 22 - 25 Chernobyl, unit 4 on 26 April 1986 P. 14 - 17

INES 5 Unit 2, USA (Pennsylvania), 900 MW PWR on 28 March 1979 Three Mile Island (TMI)

EDF fleet and global experience feedback | 11 Main causes: The incorrect positioning of the manual isolation valves of the SG emergency feedwater system (EFWS) was the result of human error. The non-closure of the PZR discharge relief valve was of material origin and the operator was late to diagnose this anomaly. The operator shuts down the safety injection based on the PZR “high level” reading in the control room (normal level for the PZR in this situation), which accentuated the water deficit in the RCS. Procedures and training did not yet take into account the consequences of the physical phenomenon caused by this type of primary circuit break. Main consequences: The meltdown of approximately 50% of the core released total radioactivity of about 1019 Bq in the containment. Due to the widespread clad meltdown and the bursting of the pressuizer relief tank, containment was only ensured by the 3rd barrier. Radioactive releases into the environment were from the NAB, where effluent from the reactor building sumps had been transferred. They resulted in a dose uptake of 1 mSv at the station boundary throughout the release period. This accident led to final shutdown of TMI unit 2 after only 3 months of production. This was followed by a 14-year clean-up of the facility, with removal of the fuel and decontamination of the area. INES 5 With the unit in Power operation, the SGs dried out in 3 minutes due to loss of normal feedwater supply to the SGs and the closed position of the EFWS manual isolation valves. As primary side cooling was no longer assured, this resulted in expansion of the reactor coolant, an increase in RCS pressure and then the opening of the pressuriser relief valve. Non-closure of the valve caused an increase in the pressuriser level reading in the control room, and the operator performed an inadequate manual shutdown of the safety injection. The deliberate shutdown of the MCPs due to strong vibration (resulting from the presence of steam in the RCS) accelerated core dewatering after 2 hours. Restoration of cooling by the SGs did not prevent partial meltdown of the fuel. Partial core meltdown

12 | EDF fleet and global experience feedback Three Mile Island (TMI) Key lessons learned at international level The TMI accident brought to light shortcomings in the “equipment”, “organisational” and “human” fields: By design: inappropriate control room interface, non-representative indications of the phenomenon to be measured, inappropriate accident procedures for the diagnosis of certain types of accident (in particular no correlation between the pressuriser level and the saturation margin in the reactor vessel), In operation: weaknesses in operator training, shortcomings in working methods, lack of feedback and insufficient emphasis on potential human errors. The 1980s were particularly devoted to taking account of human error in operations and its mitigation by the organisation. In 1988, the IAEA report “INSAG-3” (*) laid the foundation for the fundamental safety principles relating to the design and operation of nuclear power plants worldwide (core requirements). They cover: • General safety objectives, • The concept of defence in depth (developed and extended by INSAG-10 in 1996), • The principle of operator responsibility and inspection by national safety authorities, • Quality assurance, consideration of human factors and the implementation of integrated feedback. (*) The 1988 INSAG-3 report was revised by the IAEA in 1999 in the form of “INSAG-12 - Basic Safety Principles for Nuclear Power Plants”. Reduce the risk of human error • Automation/computerisation • core cooling monitor • administrative isolation • “control by state” approach • crisis organisation • simulator training • design ergonomics • Safety Engineer After TMI 1980s Human presence but source of errors

EDF fleet and global experience feedback | 13 on 28 March 1979 Unit 2, USA (Pennsylvania), 900 MW PWR Main lessons learned by EDF In France, EDF organised post-TMI actions around five major themes: 1. Improving the reliability of pressuriser relief valves (SEBIM technology), 2. Introducing the “severe accident” approach (core degradation), 3. Taking into account situations where there is a combination of material and human failures, 4. Structuring feedback to strengthen its use, 5. Increasing the reliability of normal and abnormal operation. What is important for us to remember today: • The numerous equipment modifications (SEBIM, LLS, GUS, TAC, sand filters (U5 filters), H2 recombiners, safety panel), • The administrative isolation process on some equipment with no information on its position sent to the control room, • Creation of the U and H procedures and then adoption of the “control by state” approach (with installation of the KPS core cooling monitor) and full-scale simulator training, • Creation of the Independent Safety Branch (Safety and Radiation Protection Engineer then Safety Engineer at each NPP and IGSNR), • Creation of a national crisis organisation and the provision of iodine tablets to power plants and residents in the off-site emergency response area, • Increased emphasis on HF to take better account of humans and their actions and consideration of human error in nuclear safety studies. KEY MESSAGE The organisation has set up lines of defence to prevent human errors and limit their consequences.

INES 7 Unit 4, UKRAINE, graphite-moderated 1000 MW RBMK on 26 April 1986 Chernobyl

EDF fleet and global experience feedback | 15 Main causes: By design, RBMK reactors have an operating range with a positive void coefficient and the tips of the graphite control rod initially counteract the negative reactivity provided by their insertion. The building containing the reactor did not form a real “third barrier” that could withstand such an accident. The test, which other stations had refused to perform, was accepted without fully measuring the risk involved. Protection systems were disabled and computer requests for an immediate reactor shutdown were not implemented by the operators (lack of safety culture). The procedures implemented during the test had been modified without technical validation to analyse the risks. Main consequences: The two successive explosions led to destruction of the core and the reactor coolant system. The graphite fire propelled radioactivity of 107 Ci (= 37 × 1016 Bq) to an altitude of 1,500 m which was then dispersed by wind over a large part of Europe. Given the magnitude of the radioactive releases, the accident was classified at level 7 on the INES scale. A total of approximately 300,000 people were evacuated. The exclusion zone of several kilometres around the plant is still in place. INES 7 An exploratory test to check operation of the reactor on an emergency power supply required the reactor to be placed in an unauthorised operating range (50% nP, positive void coefficient). Signals requesting immediate reactor shutdown were disabled by the operators so that they could carry out the test. The operator extracted the control rods to offset the xenon production. The test to close the steam inlet valves to the turbine was started, leading to heating of the cooling water, which under the positive void effect increased the reactor power by a factor of 80 in 4 seconds. The fuel was pulverised and a steam explosion lifted the top slab of the reactor (1,000 metric tons). The graphite stack caught fire and a 2nd explosion due to the power excursion expelled the fuel to the outside. Explosion of the reactor

16 | EDF fleet and global experience feedback Chernobyl Key lessons learned at international level In 1987, the IAEA compiled its first analysis report of the Chernobyl accident, “INSAG-1”. It points to a lack of Safety Culture at all levels of the organisation. In 1989, the World Association of Nuclear Operators (WANO) was formed to prevent such an accident from happening again. It has 120 members operating 430 reactors worldwide and performs the following tasks: peer reviews every four years, targeted audits, indicators that allow operators to make comparisons with other plants and improve their performance. In 1991, the IAEA published the “INSAG-4” report which defines Safety Culture: “Safety culture is that assembly of characteristics and attitudes in organisations and individuals which establishes that, as an overriding priority, nuclear plant safety issues receive the attention warranted by their significance.” It sets out the principles of safety as the overriding priority and the pursuit of excellence by engaging stakeholders at all levels, national and local directorates, management and individuals. The three pillars it adopts are: a questioning attitude, a rigorous and cautious approach, and effective communication. Develop a questioning attitude, a rigorous approach and effective communication Role of managers • Criticality management • Safety Management Levers • On-site HF consultant After Chernobyl 1990s Safety culture INSAG 4, 13, 15

EDF fleet and global experience feedback | 17 on 26 April 1986 - Unit 4, UKRAINE, graphite-moderated 1000 MW RBMK Main lessons learned by EDF In France, EDF organised post-Chernobyl actions around 5 major themes: 1. Development of the concept of Safety Culture based on INSAG-4, 2. Study of the prompt criticality accident, 3. Setting up countermeasures to avoid unintentional dilution of the RCS (anti-dilution modification, RHRS sampling before start-up, optimisation of the procedure for balancing primary and secondary pressures when dealing with an SGTR), 4. Creation of GIE INTRA (robots) to intervene in the post-accident environment, 5. Increased public transparency (staffing of communicators centres at each station, publication of events, creation of CLIs, etc.). What is important for us to remember today: The “Safety Management Levers” Management Reference Baseline sets out the five following managerial requirements: • Work or maintenance on the industrial facility is systematically subject to a risk assessment (ADR), • A Technical Check (CT) is carried out systematically if it is defined as a countermeasure in the risk assessment or if the activity concerned is a QRA, • Human Performance levers are implemented for activities on the facility: ownership of the activity, “I declare myself ready”, adherence to procedures and use of Human Performance Tools (PFIs), • Stations implement a multi-year road map that defines the actions to be taken to develop Safety Culture at station level and in the departments. KEY MESSAGE I always adopt a questioning attitude, a rigorous and cautious approach, and I communicate transparently (INSAG-4).

INES 3 USA (Ohio), 940 MW PWR on 6 March 2002 Davis-Besse damaged area of the reactor vessel

EDF fleet and global experience feedback | 19 Main causes: No action was taken in spite of repeated warning signs (low-level events) detected over several years: observation of boron deposits on the head, accelerated fouling of the ventilation cooling coils and the filters of the reactor building PRMS channels. The main reasons for the erosion of standards and requirements were: • T he station was too focused on short-term production, • L ack of line management and presence of managers in the field, • D ealing with problems without identifying and analysing the root causes, • L ack of analysis of low-level events, • Erosion of awareness of nuclear safety reflected in a series of non-conservative decisions. The station’s process for explaining anomalies was not very open to OPEX (INPO, NRC, international). Anomalies had nevertheless been discovered previously in Beznau (Switzerland) in 1970, Turkey-Point and Salem (USA) in 1987 and Bugey (France) in 1991. Main consequences: In the event of rupture of the stainless-steel liner of the RPV closure head, the unit would have suffered a Loss of Coolant Accident – Intermediate Break (LOCA-IB), which could not have been isolated.​ Discovery of a non-through cavity in the RPV closure head INES 3 A boron leak due to a crack that had not been properly dealt with over several years gradually eroded the carbon steel of the RPV closure head around the opening for a drive rod. The volume of the cavity discovered was equivalent to a cylinder 11 cm in diameter and 11 cm high. Only the inner stainless-steel liner (thickness 6 mm) of the head, partially deformed and cracked, held the pressure of the primary fluid.

20 | EDF fleet and global experience feedback Davis-Besse Key lessons learned at international level The drift that had set in at all levels of the organisation over a number of years meant that the station went from having high standards to simply meeting minimum standards. This finding demonstrates the timeliness and relevance of the International Nuclear Safety Advisory Group (INSAG) reports produced by the IAEA, in particular: • INSAG-13 “Management of operational safety in nuclear power plants” issued in 1999. This report addresses the aspects that are important in promoting Safety Culture, along with recommendations and best practice, particularly concerning how to monitor safety performance and how to detect a drop in performance. • INSAG-15 “Key Practical Issues in Strengthening Safety Culture” issued in 2002. This report sets out the questions that can be asked as part of a self-diagnosis. It addresses how to communicate, the reporting culture, the attention that needs to be paid to near misses and possible drift (tolerated risk becomes the norm), and an organisation’s ability to question itself at all levels (the learning organisation). • INSAG-18 “Managing Change in the Nuclear Industry: The Effects on Safety” issued in 2003. This report addresses the consequences of changes in the nuclear environment on organisations and individuals (search for increased competitiveness, increased safety requirements, etc.), which can affect safety if they are not properly incorporated and managed. For its part, WANO produced SOER 2003-2 “Davis-Besse reactor vessel head” which recommends that each plant operator should: ​ • Train all managers and supervisors in this incident,​ • Self-assess the safety/production focus of its decision-makers,​ • Re-examine all anomalies of unclear origin. Avoid slow drift, avoid trivialisation of anomalies Reaffirm safety culture • Safety Management Guide • Human Performance project • SOH approach After Davis-Besse 2000s Low-level events Safety / competitiveness INSAG 18

EDF fleet and global experience feedback | 21 on 6 March 2002 USA (Ohio), 940 MW PWR Main lessons learned by EDF Over the years, the DPN has implemented various approaches and levers to develop the Safety Culture principles defined by WANO: • Drafting of the “Safety Management” Guide (2004 edition) which defined the Safety Culture requirements for each player and the specific role of management by incorporating IAEA reports INSAG-13, INSAG-15 and INSAG-18, • Improved consideration of warning signs and the search for root causes of events (see Event Analysis Guide, SOH approach, etc.), • Strengthened incorporation of international feedback What is important for us to remember today: • The objectives of managers’ presence in the field have been structured (giving meaning, sharing safety issues, understanding difficulties encountered, reiterating requirements, etc.). • Each station implements an Operational Decision Making (ODM) approach based on an organisation and a method, • The Corrective Action Programme (PAC) approach has been implemented to take account of “low-level events”. KEY MESSAGE I am never complacent about anomalies that are unexplained or have not been addressed in a long time.

INES 7 Units 1-2-3-4 JAPAN, 1000 MW BWR on 11 March 2011 Fukushima Daiichi

EDF fleet and global experience feedback | 23 Main causes: The reactor platform was not protected against waves higher than 6 m despite the existing OPEX in the region. Few updates to the design of units 1 to 4 had been made since commissioning between 1971 and 1979 (no H2 recombiner in the reactor building, for example). The station and the company had made no arrangements to deal with the consequences of such a natural disaster or an accident affecting several reactors on the same site. Main consequences: Loss of reactor cooling led to fuel meltdown in reactors 1 to 3. The hydrogen release following clad meltdown caused explosions in the reactor buildings. The accident led to significant radioactive releases (in gas, particle and liquid form) and dose rates of up to 400 mSv/h at some points on the site. Units 5 and 6, built on an elevated platform, did not suffer a severe accident following the earthquake and tsunami. Following the Fukushima accident, the Japanese government had most nuclear power plants shut down. Some of them have subsequently been restarted after checks and safety upgrades. INES 7 A magnitude 9 marine earthquake caused the SCRAM of the 3 units in operation (unit 4 in was in RCD). The tsunami (15 m wave) generated by the earthquake submerged the 6 m dyke protecting the station and violently swept the platform for reactors 1 to 4. The emergency diesel generators and electrical distribution system were flooded. Electrical power to equipment was lost and the pumping station was destroyed. The loss of cooling of the 3 reactors in operation, over several hours, led to dewatering of the cores and clad and fuel meltdown. The resulting hydrogen release caused the successive explosion of reactor buildings 1, 3 and 2. Unit 4, in RCD, also suffered loss of cooling to its spent fuel pool and dewatering of the fuel assemblies. A hydrogen explosion followed by a fire then impacted this pool, located in the unit 4 reactor building. Core meltdown following an earthquake and tsunami

24 | EDF fleet and global experience feedback Fukushima-Daiichi Key lessons learned at international level The Fukushima accident highlighted the problems of large-scale external hazards that can cause common-cause failures in safeguard systems. This type of hazard had been taken into account in the design of most units, but the scale of the disaster showed that the world nuclear fleet as a whole had to re-examine the material and human resources at its disposal to cope with very large-scale events. Onagawa NPP, located approximately 50 km from Fukushima, was the nuclear power plant closest to the epicentre of the March 2011 earthquake. All three reactors successfully withstood the earthquake and the tsunami of a greater height than that at Fukushima. This demonstrates the ability of a well-designed nuclear facility to withstand even the most powerful earthquakes and tsunamis recorded in Japan. WANO issued 3 SOERs with post-Fukushima recommendations for global plant operators. SOER WANO 2013-2 “Lessons learned from the Fukushima accident” makes recommendations in the following areas: • Safety Culture and leadership, • Consideration of external hazards in facility design, • Training and skills of workers in emergencies, • Accident management (equipment, resources, etc.). 1979 TMI Develop the ability of an organisation to anticipate disruption, to withstand it, and to return to an acceptable status • Extreme Situation Operations Team • FARN • DUS • FPCS-bis • Last-resort water supply After Fukushima Resilience 2010s

EDF fleet and global experience feedback | 25 on 11 March 2011 units 1-2-3-4, JAPAN, 1000 MW BWR Main lessons learned by EDF In France, EDF has carried out Additional Safety Assessments (ECSs) to check the robustness of each station with regard to extreme hazards. They have led to post-Fukushima actions in seven areas: 1. Safety reviews include consideration of risks generated by large-scale external hazards affecting several units on the same site. 2. Creation of the Nuclear Rapid Response Taskforce (FARN) with sufficient mobile resources and teams to come to the aid of all units on a site. 3. Addition of emergency resources: construction of a DUS for each unit, an emergency heat sink using an auxiliary water source, plug and play electrical and hydraulic fittings compatible with FARN’s mobile equipment. 4. Strengthened static protection against flooding. 5. Creation of a On-site emergency control centre (CCL) at each station, which can withstand extreme hazards. 6. Strengthened Station emergency response equipment (MLC) available to emergency response teams. 7. Ability to cope with isolation of the station for 24 hours in the event of an extreme situation (Extreme Situation Operations Team). What is important for us to remember today: • Devices and systems to counter natural hazards maintained in operational condition (RASA rule), • Effectiveness of station and corporate crisis organisation, • Operability of FARN and the new equipment (DUS, EAS U, FPCS-bis, etc.). KEY MESSAGE I contribute to the effectiveness of the crisis organisation and the operability of emergency equipment.

26 | EDF fleet and global experience feedback A “Tour de France” of NPP EXPERIENCE FEEDBACK Thematic data sheets ............................................................................................... P. 28 - 55 Selection of events to keep in mind ..................................................... P. 56 - 78

EDF fleet and global experience feedback | 27 1980-1989 8 Events 1990-1999 4 Events 2000-2009 12 Events 2010-2023 23 Events 0 1 1982 1984 1987 1989 1991 1995 1996 1998 2000 2001 2003 2004 2006 2007 2009 2011 2013 2015 2017 2018 2019 2020 2021 2 3 4 5 1980 1993 1994 1998 1999 2001 2004 2005 2006 2008 2011 2012 2017 2019 2020 1980-1989 1 Event 1990-1999 5 Events 2000-2009 6 Events 2010-2023 9 Events 0 1 2 Annual breakdown of the selected events in the Thematic data sheets P. 28 - 55 Annual breakdown of the Selection of events to keep in mind P. 56 - 78 Total: 68 events Breakdown of the 68 events by period 9 18 32 9 2000 - 2009 1980 - 1989 1990 - 1999 2010 - 2023

Thematic data sheets

30 | EDF fleet and global experience feedback Reactivity management CRUAS 2 / 2006 - Undetected convergence and return to criticality The reactor was at 30% nP after a turbine trip. The Lead Operator performed a re-set of the opening authorisations for the condenser steam turbine bypass system (GCTc), which resulted in closure of the GCTc valves, an increase in Tmean of the RCS and the insertion of the R rod bank below its bite LTBi (RGL402AA). The Lead Operator applied the alarm sheet and initiated direct boration. The alarm cleared. Not having detected the convergence of the reactor, the team then initiated dilution and extracted the rods manually, which caused the reactor to return to criticality with a rapid power ramp-up to 7% nP. Causes: The inappropriate re-set of the GCTc was linked to an erosion of knowledge of GCTc operating modes. The undetected convergence and return to criticality were caused by insufficient communication and a lack of allocation of roles within the team. Consequences: The insertion of the rods below the bite LTBi decreased the negative reactivity margin in the event of SCRAM. The undetected return to criticality and reaching a doubling time <18 s created a risk of uncontrolled power ramp-up, as the chain reaction came close to the prompt criticality threshold. CIVAUX 1 / 2013 - Uncontrolled power ramp-up A TOS powerdown from Power operation (100% nP) to AN/GV within 2 hours was initiated. At around 1% nP, Tmean fell and risked an excursion from the P,T range. At the request of the Deputy Shift Manager, the Lead Operator extracted the rods by approximately 60 steps in 4 stages. The “Doubling time <18s” alarm appeared on four occasions without being detected by the team. The power increases very rapidly to 10% nP. The maximum gradient reached was 7.5% nP/min, above the TOS limit (5% nP/min). Causes: A lack of coordination by the Lead Operator led to the P1/P2 power imbalance and the decrease in Tmean. The Deputy Shift Manager did not fully supervise the transient. The rods were extracted without setting a permissible number of steps. Consequences: The chain reaction was very close to the prompt criticality threshold which, once crossed, would have generated an uncontrolled power excursion. The proximity to prompt criticality is measured by the doubling time, which should remain >18s. A high power gradient increases the risk of nucleate boiling in contact with the fuel rods. TRICASTIN 4 / 2017 - Exceeding 102% nP for 6 hours During a measurement on the turbine governor, pumping took place on the governing valves (SR). The turbine governor panel became inoperative and KIT alarm P >100.4% nP appeared. The shift personnel and the Safety Engineer did not identify that this alarm signalled that the TOS limit of 102% nP, which takes uncertainties into account, had been exceeded. The unit power dropped back to 100% nP almost 6 hours after repair of the fault by the I&C technicians. The anomaly was detected the next day by the safety engineers. Causes: The risk assessment did not include the risk of pumping on the governing valves. The “P >100.4% nP” alarm sheet did not mention the TOS limit of 102% nP. The participants did not understand the link between the threshold of alarm KIT005AA (P >100.4% nP), the uncertainties, and the TOS limit of 102% nP. Consequences: Exceeding the TOS limit of 102% nP compromised compliance with the initial conditions taken into account in the RDS accident studies. INES 1 INES 1 INES 1

EDF fleet and global experience feedback | 31 The manoeuvring band of the R rod bank (1.6°C) is approximately the same power as an Airbus A380! Main lessons learned As early as the 1990s, the DPN took steps to strengthen reliability in three areas (Equipment, Organisation, Skills), including: • Renovation of the NIS (upgrade from analogue to digital), • Grouping the alarms at the control desk (e.g. “Doubling time <18 s” alarm). • Development of control support software (OAP, Xenon 0d) • Going critical after comparison of the Safety Engineer/ Operations reactivity calculations and in the presence of the Safety Engineer, • The “Sensitive settings” approach (see the dedicated Special Operating Rule), • Improved ergonomics of the RGL alarm sheets in “Low flux conditions”, • Strengthening of initial training, refresher training and reflex training on the simulator, • Sharing of practices between stations coordinated at corporate level by UNIE/GECC. EDF has also drawn on WANO SOER 2007-1 “Reactivity management”, which extends reactivity management to all specialists, in particular by drafting and distributing the “Reactivity Management Guide” (GMR) since 2010. KEY MESSAGE Any deliberate variation in reactivity must be carried out in a cautious and controlled manner.

32 | EDF fleet and global experience feedback Unintentional dilution Gravelines 1 / 1984 - Dilution of the MPS by 340 ppm in API After refuelling, drainage of the reactor vessel pool was started in parallel with decontamination of the walls of the reactor building pools and the reactor vessel sluice gate using SED (demineralised) water. Instead of flowing as expected towards the internals pool, the SED water flowed towards the reactor vessel pool and caused dilution of the MPS. As the boron meter was out of service for calibration, the decrease in boron concentration was detected late when measured manually by a chemist. Causes: Lack of coordination: the scheduled unavailability of the boron meter and manual sampling line was incompatible with decontamination using SED. Consequences: Late detection of slow dilution of the MPS can lead to an uncontrolled return to criticality (Criticality Accident with the reactor vessel open). Nogent 1 / 2011 - Dilution of 14 m3 in AN/RRA Following a powerdown, the unit was in AN/RRA, MCPs in service, cooling on the SGs, and RHRS pumps out of service. For the restart, the Power Cycle work management structure requested “pre-dilution”. No one involved (Power Cycle work management structure, shift personnel) identified that the TOS required two RHRS pumps to be in service for “Any change in Cb”. At the start of dilution via the RBWMS panel, the panel was locked by the “Stop dilution RHRS connected” protection and RBWMS alarm RCV806AA “Dilution choice locked” appeared. After discussions between the Lead Operators and the Deputy Shift Manager, manual dilution was initiated by opening the valves using the TPL switch. The planned volume of 14 m3 was injected. The deviation from the TOS was detected by the Safety Engineer the next morning. Causes: Insufficient ownership of the AN/RRA TOS at the start of the shift by the Shift Manager and team, insufficient preparation by the Power Cycle work management structure (risk assessment, planning, procedure). Consequences: In AN/RRA, any dilution or boration of the RCS, with the RHRS pumps shut down, risks causing an uncontrolled variation in the primary Cb when they are returned to service. Cruas 1 / 2021 - Injection of 3 m3 of plain water into the MPS The Valves maintenance department was starting the leakage test of the “SIS test reactor building manifold” The maximum volume of 100 L of SED water set by the procedure was injected without effect on the pressurisation of the manifold. The Work Coordinator orally asked the Shift Manager for his agreement to continue injecting SED water without setting a limit. Following the pressurisation difficulties, several injections of SED water were carried out over the following days to complete the test. On reading the test report, the Work Coordinator discovered that the total volume injected was 3 m3 of SED water. He alerted the Outage work management structure, which had the SIS section drained to remove the pocket of plain water. Causes: Inappropriate operation of the boundary valves by the contractor lead worker. The job file did not include the requirement set by the “Dilution” Management Reference Baseline to carry out the test using borated water. Exceeding the 100L threshold without sufficient analysis and without updating the risk assessment and the procedure. Consequences: The injection of unborated water into the MPS can generate a pocket of plain water that can result in heterogeneous dilution when the MCPs are returned to service. INES 1 INES before INES 0

EDF fleet and global experience feedback | 33 Maximum Cb zone Minimum Cb zone (hole for the plug) Main lessons learned The “homogeneous dilution” accident was taken into account when the Fleet was first designed. Following the Chernobyl accident, additional studies were carried out to strengthen the consideration of the “heterogeneous dilution” accident (sending a pocket of plain water into the core following the restart of an MCP or an RHRS pump, causing a very significant immediate increase in reactivity which could damage the fuel). For the EDF fleet, this is reflected in particular by: • Addition of RBWMS anti-dilution protection (see RBWMS PLC and panel), • The addition of automatic make-up of the MPS using borated water via the modification “Permanent Anti-Dilution Protection” (suction on the CVCS pumps switched to PTR001BA on the PAD signal and SRC High Flux), • Increase in the required subcriticality in outage from 1,000 to 2,000 pcm (see Cb TOS), • Creation of administrative isolations to protect against dilution and incorporation of specific specifications into the TOS, • Specification that tests on primary capacity in outage should be carried out using borated water, • Washing of the walls when pools are drained using FPCS borated water instead of SED water, • The obligation to use a volume meter and set a maximum volume when using SED water in the RCA. • Enhanced monitoring of the flux and the RCS Cb during certain sensitive phases in outage. Homogeneous... slow! or Heterogeneous... rapid & sudden!!! KEY MESSAGE In AN/RRA, API and APR, I prevent any water make-up of the primary when the Cb is below the required Cb.

34 | EDF fleet and global experience feedback Clogging of the water intake Clogging with ice plugs Saint-Laurent A (gas-cooled reactor) / 1985 and 1987: Ice formation on the water intake grids upstream of the pumping station drum screens resulted in insufficient cooling of the turbo-fans and start-up of the auxiliary turbine generators. Chinon B / 1985, 1986 and 1987: The arrival of ice carried by the Loire river led to partial clogging of the water intake grids at the pumping station. The Army intervened to clear the way using explosives. Chooz B / 2009: The anti-intrusion grids on the water intake in the Meuse were partially obstructed y frazil ice (accumulation of ice crystals on the grids) which led to the rupture of a panel on the drum screen and then to clogging of the ESWS/CCWS heat exchanger. The ESWS flow rate was reduced to 60% of the nominal flow rate. Causes: Accumulation on the water intake of frazil ice or blocks of ice carried by the river. Consequences: Strong reduction in the raw water circuit flow rate. No safety consequences, as the duration of clogging was limited by operational manoeuvres and mechanical intervention. Clogging with plants or animals Blayais 0 / 2009 (INES 1): The mass ingress of plant debris caused the circulation pumps to trip on “drum screen pressure differential” followed by deterioration of the vacuum in the condensers leading to turbine trips and SCRAMs of the station’s four units. Cruas 4 / 2009 (INES 2): The clogging of the train A and B SEF grids by the mass ingress of aquatic plants, which could not be fully removed by the screen, led to the total loss of the unit 4 heat sink. The operators powered down the unit to AN/GV under RHRS connection conditions. The CCWS temperature was controlled via emergency cooling from the FPCS. Paluel 1 and 4 / 2021 (INES 0): The mass ingress of juvenile herring (5 cm) clogged the drum screens. The automatic tripping of the Unit 1 and 4 circulation pumps led to turbine trips and then SCRAMs in Units 1 and 4. Blayais 3 and 4 / 2021 (INES 0): The mass ingress of oak leaves from the previous autumn and transported by flood water led to tripping of the circulation pumps, turbine trip (loss of condenser vacuum), SCRAM and then powerdown of both units to AN/RRA due to the high temperature in the EFWS tanks. Causes: Mass ingress of plant debris at the pumping station. No flow or ineffective flow through the drum screens at “high speed”. Consequences: Total loss of the train A and B heat sink and SCRAM of one or more reactors on the same site. Note: At Fessenheim 2 in 2009, an event of this type forced the shift personnel to operate the facility on the thermosiphon to powerdown to AN/GV under RHRS connection conditions. The potential safety consequences of this type of event are loss of EAS, RHRS, FPCS and systems such as DVH, DEL, DEG, MCP, and excess let-down. INES 0 INES 1 INES 2

EDF fleet and global experience feedback | 35 Main lessons learned The DPN has progressively strengthened the robustness of heat sinks by: • Equipment modifications adapted to station vulnerabilities (reinforcement of trash rakes, modification of the protection of drum screens, etc.), • The creation in 2012 of the Hazard Guidance Document (“Monitoring”, “Vigilance”, “Alert”) and by the evolution of the site I-SEF and I-CRF incidental instructions to target the preventive work to be undertaken, • The creation of a single Special Operating Rule for all heat sink hazards, • Implementation of the Hazard Specifications Application Rule (RASA) including the heat sink hazard, • Active environmental monitoring of the development of aquatic plant habitats, and ongoing studies with R&D into the mechanism of these different types of clogging. The following recommendations of WANO SOER 2007-2 “Obstruction of the cooling water intake” have also been taken into account: • Periodic updating of the study of environmental changes, • Development of monitoring techniques and predictive methods, • Establishment of equipment reviews and performance of appropriate maintenance, • Training of operations staff and provision of appropriate procedures. KEY MESSAGE I pay attention to the operability of the equipment and instrumentation contributing to the robustness of the heat sink. Channel Flow direction 102.29 NGF 100.29 NGF 99 NGF Canal Ice formation Anti-intrusion grid 98 NGF Channel Flow direction 102.29 NGF 100.29 NGF 99 NGF Canal Ice formation Anti-intrusion grid 98 NGF

36 | EDF fleet and global experience feedback Primary circuit break by openin Saint-Laurent B2 / 2000 - unintentional opening of the PZR SEBIM valve At 100% nP, the SEBIM pressure relief valve 2RCP020VP opened and closed again unexpectedly. The PZR relief line was declared unavailable and powerdown to API was initiated. The pressure relief valve opened again and remained open, resulting in depressurisation that was halted at 136 bar by the automatic closure of isolation pressure relief valve 2RCP017VP. At the end of powerdown (RCS at 9 bar, 90°C), isolation pressure relief valve 2RCP017VP reopened (by design). The Lead Operator managed to stabilise the pressure at 6 bar by charge/discharge balancing. The unit was powered down to API – Partially vented for repair of the defective pressure relief valve. Causes: The opening of 2RCP020VP was due to loosening of the “Banjo” fitting on the head of the pressure relief valve. This loosening was attributed to the vibrations generated by opening/closing on 38 occasions during an unintentional safety injection which had occurred 6 weeks earlier. Consequences: Risk of an Intermediate break LOCA that could not be isolated if isolation pressure relief valve 2RCP017VP failed to close. Dampierre 1/2003 - Repeated opening of the PZR SEBIM valve With unit in AN/GV (28 bar, 168°C), the Shift Manager was checking the lifting of a Type C administrative isolation and noted the presence on the control desk of keys blocking safety injection through P11 and P12. He asked the Lead Operator to confirm locking of the safety injection and to remove the keys. The Lead Operator mistakenly turned the keys in the wrong direction, validating the safety injection command on the “PZR Low Pressure” signal. The team adopted the “control by state” approach to manage the safety injection. The Lead Operator confirmed the SCRAM in the DOS and then in ECP1. It was on moving to ECP2 that he re-armed the SCRAM circuit breakers instead of confirming the SCRAM, which generated a second safety injection. SEBIM pressure relief valve 1RCP020VP opened 75 times in total and the RDP membrane burst. Causes: The Lead Operator lacked concentration when executing the Shift Manager’s request, which was outside the scope of the procedure. The second safety injection resulted from a lack of vigilance linked to the repeated SCRAM confirmations (three in 20 minutes). Consequences: Spill of primary fluid in the reactor building. Risk of an Intermediate break LOCA that could not be isolated in the event of failure of the pair of PZR SEBIM valves. Paluel 1/2021 - Opening of the PZR SEBIM during maintenance In AN/RRA, during the “Reactor Building Valves” walkdown before start-up, water was found on the pilot detectors of two PZR protection valves that had been replaced during the outage. Maintenance was organised under an exceptional work system (RET) with an ice plug and a temporary modification of the General Operating Guidelines (MT-RGE). Following their procedure, the workers purged the detector-head assembly of the first relief line, which caused the protection valve to open. With the isolation pressure relief valve open, the resulting primary circuit break led to a pressure drop on the RCS from 25 bar to 7 bar. To stabilise the RCS pressure, Operations started a low head safety injection pump and then closed the isolation pressure relief valve. The primary leak lasted 7 minutes and the RDP tear membrane burst. Causes: Prior closure of the isolation pressure relief valve was not indicated in the risk assessment or in the RET worksheet. The contractor lead worker (from the Manufacturer) was aware of the risk but did not check with the Lead Operator that the isolation pressure relief valve was closed. Consequences: Spill of primary fluid in the reactor building. Risk of an Intermediate break LOCA in the event of failure of the pair of PZR SEBIM valves. INES 1 INES 1 INES 1

RkJQdWJsaXNoZXIy MTA5MjA=