Since Fukushima, there has been a general reassessment of the risks to nuclear facilities from high-impact low-probability events. Sealed geological repositories are effectively immune to most credible events after closure. But there would be some vulnerability during the operational phase from loss of power, flooding or loss of institutional control, especially if such events occur together.

It is worth making changes to repository designs if they add to resilience.

There is no standard definition of resilience. Its elements include anticipation, monitoring, responding and learning, applied to a whole system or programme (as it explicitly includes organisational aspects). Resilience also applies to defence against unknown events and events of low or undefined probability. It is clearly important for a repository, both during the operational phase and during planning, siting and site characterisation.

In the past, post-closure performance assessment emphasised passive safety, provided by multiple engineered and geological barriers. More recently, safety during the operational phase has received greater consideration, with more active control measures, using the common nuclear terminology of defence in depth. These focus on the expected future and allow for uncertainties in the understanding of the site and the disposal system.

After closure, emphasis is very much on assuring safety by the passive robustness of the engineered barrier system within a suitable geological setting. However, even after closure, some active control might be required such as "oversight" or "institutional control".

At a top level, therefore, resilience can include all active and passive approaches to assure safety, extended to cover rare events missed in the existing safety cases. In addition, it takes a more holistic approach, regarding the transitions from construction to operation to closure to end of formal oversight as a continuous process.

The post-closure safety case may be reviewed until the point when institutional control is given up, reflecting the increase in understanding of perturbations that could be potential threats to long-term safety.

For the geological disposal system, resilience can be regarded as a high-level component of the safety concept. At some point in the future safety will be assured by robustness. The transition from defence in depth to multi-barrier robustness is more complicated than a simple step-change on repository closure. Passive institutional control measures might contribute to safety even after all active oversight has been lost.

Better resilience could improve repository concepts. To examine this further, a concept for direct disposal concept of spent fuel was considered with regard to resilience, especially in terms of thermal impacts.

Developing a resilient repository design

We define a repository concept as a conceptual design of all surfaces and underground repository structures tailored to a given siting environment, along with a description of how the repository can be constructed, operated and sealed. This also includes an evaluation of operational and long-term safety, and an assessment of socio-economic impacts. The concept is dynamic, evolving with our programme as it moves from early generic studies through to siting and, eventually, licensing and construction and operation.

Any design exercise needs to consider the inherently contradictory requirements for a disposal facility and accept that trade-offs are required.
It is important to highlight lessons learned from design work carried out over the last four decades. Construction underground is inherently a dangerous operation: safety assessments have focused on worker safety, but accidents (especially those causing loss of life) can also dramatically reduce public confidence. Repository designs should aim to make construction as simple as possible, using access ramps rather than shafts, avoiding complex underground operations or work in very confined conditions. These issues were rarely considered in the past, when design focused almost entirely on post-closure safety.

Construction and operation are often planned to run in parallel to cut costs and help manage logistics. This is inherently less resilient than working sequentially, but might be balanced by the greater resilience of physical separation. When construction and emplacement are sequential, the implications of keeping tunnels and vaults open for many decades must be considered.

During the operational phase, a repository might be vulnerable to extreme events, though they are unlikely to result in radiological impact to the general public. The most significant events are those leading to long-term loss of services or control for an open repository, such as natural disasters or civil disruption. This is rarely considered.

In the case of spent fuel, one concern is safeguards; unauthorised access could lead to diversion of fissionable material.

Post-closure control or oversight should be considered at the design phase. This inevitably depends on assumptions about future capabilities and resources that are difficult to justify. For example, threats like climate change might have major impacts, and thus any actions that could cost-effectively increase repository resilience should be considered.

Approaches like stepwise closure or avoiding active control after closure can help improve resilience. A key risk is abandonment during a period of national, regional or global crisis, so an option for easy and rapid closure during construction should be considered.

After closure and a period of institutional control most repositories would be robust against almost any credible event. On a site-specific basis, however, this should be checked with emphasis on common-mode failures.

Although best done for a specific site, the requirements summarised above can be used to develop a resilient repository concept for spent fuel disposal.

In traditional repository concepts for spent fuel many massive packages, each containing a few tonnes of fuel, are placed in tunnels and over a large area. This option simplifies post-closure assessment by reducing the thermal transient but makes retrieval more complex. Recently, cavern disposal with more flexible staging and a smaller footprint has become more popular. Thermal loading is handled by an extended open storage period prior to closure.

We need to balance competing requirements to provide resilience:

  • Ease of construction;
  • Small footprint;
  • Option for rapid sealing;
  • Simple heat management;
  • Low vulnerability to loss of services;
  • Low risk of human intrusion;
  • Post-closure spread of the instant release fraction of radionuclides.

Is it feasible to conceive of a design that meets these needs?

The Robust Disposal Module

One possible solution is based on robust disposal modules, which are compact, highly- engineered caverns. Dead-end caverns can be aligned with the hydraulic gradient to reduce the risk of preferential short-circuits along the surrounding disturbed zone. Caverns have a high-quality, thick, fibre-reinforced concrete liner for mechanical support and groundwater control.

Spent fuel is encapsulated in simple cast steel overpacks, which are placed in cased holes in a reinforced concrete monolith, immediately plugged with a steel cap. Emplacement would be remotely operated. At any time, packages can be recovered by reversing the emplacement procedure. With packages comprising 2t fuel and with a 4×125 emplacement array, this would give an inventory of 1000Mg of spent fuel per module, with a total thermal loading on emplacement of about 1MW.

The module could be kept open for an extended period to allow decay of radiogenic heat. When a decision is made to close the vault, a layer of concrete is poured over the top of the monolith and void space backfilled. The bulkhead is then sealed, a concrete plug emplaced and the access tunnel backfilled.

This design would be relatively easy to construct and operate. Remote emplacement and recovery employs equipment already used in surface storage facilities. It would also have a small footprint due to the high emplacement density. Resilience features are:

  • Heat management;
  • Option for rapid sealing;
  • Low vulnerability to extended loss of services;
  • Low risk of human intrusion;
  • Post-closure spread of radionuclides.

For such a high emplacement density, heat management is clearly an issue. This concept uses heat pipes and heat pumps. Under normal operations, the vault is actively held at or slightly below rock ambient and the heat extracted and used for power generation or local heating. The system of heat pipes make it possible to use cyclic thermal extraction, cooling the rock during winter and allowing it to warm up again during the summer.

The disposal module can be closed at any time with a massive bulkhead, designed to close without power and open only when power is available. The bulkhead default position is closed, and it is opened only for waste emplacement. It is dimensioned to resist flooding for an extended period. In response to a threat or as fail-safe in case of off-site power loss, the bulkhead closes, but heat pumps run off emergency power. In case of loss of all power, the heat pipes spread the thermal load efficiently to the bulk rock, whose thermal buffering maintains temperatures below a specified limit.

After closure, the small footprint of the disposal caverns reduces the risk of inadvertent intrusion by drilling. The engineered roof is also a barrier and could incorporate markers to further reduce the risk of intrusion.

After closure and saturation of the engineered barrier system, the huge volume of concrete ensures that degradation, with associated drop in pH, develops gradually along the direction of flow. Corrosion of steel packages occurs more rapidly at lower pH conditions, so this should effectively spread containment failures and associated releases of gap and grain boundary radionuclides. Any flow that does occur is likely to be concentrated in the crushed rock backfill. As long as overpack failure times are spread over a long period, the volume of the diffusive barrier will also spread the peak of any pulse release radionuclide like I-129.

Going further

Apart from technical concerns, it is important to demonstrate that passive safety can provide sufficient system resilience after repository closure and communicate this to a public that often prefers active to passive systems. This needs careful explanation, considering the fundamental limitation in assuring organisational stability over millennia – and the associated financial stability that is also needed.

The design illustrated here may be a useful starting point for more extensive assessment of resilient designs, but its limitations must be clearly seen. For example:

  • It has been developed specifically for spent fuel disposal and would probably not be suitable for vitrified HLW;
  • It assumes robust heat pipes are available that could be left in place and would not influence long-term performance;
  • The design of heat pumps needs to be assessed, particularly in terms of operating reliability and the costs and benefits of utilising waste heat;
  • The cost is probably less than conventional options but has yet to be calculated;
  • Performance must be assessed quantitatively for both expected post-closure evolution and credible perturbations.

The concept of resilience, which was the driver for this work, is relatively novel in this context, but in tune with international concerns. It may thus be a good topic for future international collaboration.


The concepts outlined in this paper were developed by with many colleagues at Japan Atomic Energy Agency who are thanked for their valuable input. This study forms part of a project for validating assessment methodology for geological disposal system, funded by the Ministry of Economy, Trade and Industry of Japan (METI).