An Approach for Systematic Review of the Nuclear Facilities Protection against the Impact of Extreme Events

I. Kuzmina, A. Lyubarskiy, M. El-Shanawany

International Atomic Energy Agency

Wagramer Strasse 5, PO Box 100, 1400 Vienna, Austria


Abstract

The International Atomic Energy Agency (IAEA), through an extra-budgetary project funded by Norway aimed at building competence and capacity for nuclear safety, is also reviewing the impact of extreme events on plant response. The emphasis is currently placed on the development of a methodology for a systematic review of the protection provided at a nuclear facility against the impact of extreme events. The methodology may be utilized through the existing IAEA Design and Safety Assessment Review Services. The scope of the methodology encompasses the principles of the ‘stress test’ being performed within the European Union; it will focus on the design and safety assessment aspects of the protection against extreme events, including defence-in-depth, safety margins, robustness of the design, cliff edge effects, multiple failures, and the prolonged loss of support systems. The methodology will also focus on evaluating whether the emergency procedures, including severe accident management guidelines, provide sufficient guidance for the operator actions that need to be carried out for the extreme event damage states identified. The extra-budgetary project is also evaluating the means for disseminating and sharing information on the lessons learned among Member States. The paper highlights some preliminary outcomes of the IAEA activities and encourages further discussion and development of the assessment methodology internationally.

1. BACKGROUND

The accident that occurred in Japan at the Fukushima nuclear power plant (NPP) on 11th March 2011 highlighted the need to examine the impact of extreme events for extended design basis conditions on the level of protection provided at nuclear facilities and to identify possible vulnerabilities that the protection systems may have to extreme events. The latter include not only external events (natural and human-induced), but also internal hazards and all credible combinations, for which protection may not be explicitly envisaged in the design basis.

After the accident in Japan it became evident that further effort should be pursued worldwide to build and enhance competence and capacity for comprehensive safety assessment of NPPs, and specifically for analysing the impact of extreme events and the sufficiency of protection against them in terms of systems, structures, and components (SSCs) and emergency procedures. The extra-budgetary project funded by Norway is focused on building competence and capacity for nuclear safety and is being utilized by the IAEA to promote the development of competence and capacity to review plant protection against extreme events. A consultants’ meeting of a small group of experts was held at the end of June 2011 to identify priority areas where further work is needed and to provide suggestions for specific activities. Specifically, it was found relevant to concentrate efforts on:

1)  Enhancement of the existing IAEA’s Design and Safety Assessment Review Services to address extreme events;

2)  Development of a methodology for a systematic assessment of the protection in terms of sufficiency and adequacy of safety provisions from the defence-in-depth perspective provided in a nuclear facility against the impact of extreme events including severe accident management guidelines (SAMGs); the methodology should encompass the principles of the ‘stress test’ being performed within the EU; and

3)  Development of an approach for conducting peer reviews of plant protection on the basis of the existing IAEA safety review services and the methodology mentioned in Item (2).

For Item (2), the work has already started, and the paper provides information on the developments that have taken place.

2. OVERVIEW OF THE FRAMEWORK OF ‘STRESS TEST’

In response to the challenges posed by the Fukushima accident, the European Commission (EC) and European Nuclear Safety Regulators Group (ENSREG) in its ‘Declaration of ENSREG’ [1] announced that all 143 NPPs within the European Union (EU) will undergo a safety examination named ‘stress test’. The latter is defined in Ref. [1] as a ‘comprehensive and transparent risk assessment’ focused on ‘targeted reassessment of the safety margins of NPPs in the light of the events which occurred at Fukushima: extreme natural events challenging the plant safety functions and leading to a severe accident’. The scope and modalities of ‘stress test’ are specified in Ref. [1]. Two major analysis areas will be covered: (a) evaluation of the response of an NPP to the postulated extreme events, and (b) verification of the preventive and mitigative measures from the perspective of defence-in-depth.

The technical scope includes the consideration of external hazards with emphasis on earthquake, flooding, and combination of the two, accident sequences involving loss of power sources and ultimate heat sink, and mitigatory measures, including design provisions in terms of available equipment, emergency operating procedures (EOPs) and SAMGs.

The process of conducting EU stress tests will include the stages of self-assessment, regulatory review, and peer review. Technical reports will be produced at each stage and made available to the public. Full transparency is promoted throughout the whole process. Ultimately, the evaluation will provide indications of robustness of NPP designs being operated within the EU and highlight the measures to further enhance nuclear safety in response to extreme events.

The methodology being developed by the IAEA is intended to encompass the scope and modalities of the EU stress test specified in Ref. [1].

3. DEVELOPMENT OF A METHODOLOGY FOR THE ASSESSMENT OF PLANT PROTECTION AGAINST EXTREME EVENTS

This section summarizes preliminary outcomes of the IAEA activities on development of a methodology for the assessment of plant protection against extreme events from the defence-in-depth perspective.

3.1 Definitions

Several terms that are widely used in connection with the discussion of plant response and protection in accident conditions need to be clearly defined. In this paper, the definitions provided below are used.

Design Safety Margins

There is no single definition of the term ‘design safety margins’ (or just ‘safety margins’). A review of different IAEA Safety Standards publications [Refs. 2, 3, 4] shows that the term ‘safety margins’ is primarily used in three different meanings reflecting different aspects of NPP design safety. Accordingly, for the purpose of the paper the following definitions are applicable:

1.  Hazard/Fragility-Related Safety Margin – can be split into two parts:

1a. Design Hazard Safety Margin: the difference between the magnitude of the design basis hazard and a higher magnitude hazard that structures and components can actually withstand due to their inherent properties.

Means of assessment: load assessment, hydrological studies, structural analysis etc.

1b. Site Hazard Safety Margin: the difference between the magnitude of the hazard credible for the site and the magnitude that the plant can actually withstand.

Means of assessment: statistical analysis of event occurrence data; load assessment, hydrological studies, structural analysis etc.

2.  Plant Parameters-Related Safety Margin: the difference between the values of design parameters for operation of components in accident conditions (including the reactor core) and the limiting values of the parameters, at which components fail. These are primarily pressure and temperature parameters.

Means of assessment: thermal hydraulic, neutronic, thermal physics calculations

3.  Plant Response-Related Safety Margin: the difference (in terms of components/systems) between the configuration of components that survive the accident and the minimal configuration of components needed to cope with the accident (both by the design and design extension provisions). Required human actions are also considered. These margins are assessed sequentially: firstly, for core damage scenarios, and then for containment failure scenarios.

Means of assessment: engineering analysis (deterministic and probabilistic) of sufficiency and adequacy of the design provisions in terms of equipment/ components and procedures from the perspective of defence-in-depth.

Correlated Hazards

Correlated hazards are characterized by simultaneous occurrence of a causal combination of external and/or internal hazards that are not statistically independent. The frequency of simultaneous occurrence of correlated hazards is higher than the frequency estimated under the assumption of their full independence.

Examples of correlated hazards include:

·  Source correlated hazards: seismic hazard and tsunami;

·  Phenomenologically correlated hazards: strong winds and heavy rain;

·  Duration correlated hazards: any external hazards occurring during a prolonged period of hot summer temperatures;

·  Induced hazards: seismic hazards and seismically induced fire, etc.

Extreme Event

An extreme event is an event involving widespread damage to the systems, structures and components at a nuclear facility, caused by an external or internal hazard or correlated hazards, that is more severe than the postulated initiating events and component failures considered in the design of the plant. Such an event would provide a severe challenge to the ability of the plant to carry out the fundamental safety functions of criticality control, removal of residual heat and confinement of radioactive material. However, even for an extreme event, the plant may be capable of withstanding the damage due to the existing plant response safety margins.

Limiting Extreme Event

A limiting extreme event is an extreme event of a very low probability, for which there are no plant response safety margins to prevent core damage. For the limiting extreme events caused by external hazards, the magnitude of the hazards is of specific interest as it characterises the threshold beyond which core damage is unavoidable.

3.2 Objectives, General Framework, and Scope of the Assessment Methodology

The methodology for the assessment of plant protection against extreme events being developed by the IAEA focuses on the assessment of the plant response safety margins from the perspective of defence-in-depth in accordance with the definitions given above.

It is currently envisaged that the assessment methodology will include five stages as follows:

(1)  Examination of accident scenarios leading to core damage (CD) in the reactor

(2)  Examination of accident progression after the core is damaged and associated severe accident management programmes (SAMP)

(3)  Examination of accident scenarios involving other sources of radioactivity such as spent fuel pool (SPF), radioactive waste treatment facilities, etc. focusing on fuel damage scenarios

(4)  Examination of interactions between plant units at multi-unit sites and the accident scenarios involving simultaneous failures of containments

(5)  Integral evaluation of the results of the assessments accomplished in the previous four stages and drawing attention to potential safety improvements as appropriate.

The first two stages form the basis of the assessment methodology. The first stage will focus on prevention of severe accidents with core damage, and the second stage will deal with mitigation of the consequences of core damage and prevention of containment failure. The methodology for Stages #3 and #4 will be based on the methodologies for Stages #1 and #2 with necessary adjustments. Stage #5 will focus on holistic consideration of all the results obtained in the previous four assessment stages for all plant units located at the site.

The range of nuclear installations, for which the methodology is applicable, is currently restricted to NPPs only, although the principles and concepts can be applied to other nuclear installations as well.

3.3 General Approach

Systematic assessment of NPP response to extreme events, with a focus on the long-term development of the accident and identification of cliff edges in the provision of important support functions (AC, DC power, essential service water, etc.) and safety functions, is usually beyond the scope of the licensing basis. Plant systems – normal operation as well as safety classified – have usually been assessed only against design basis accidents. Comprehensive assessment of an overall NPP response would necessitate a large set of analyses performed for different initial conditions affected by extreme events.

Generally, the assessment approach aims to estimate the robustness of the relevant safety systems and civil structures, and the continued presence of the defence-in-depth principle, for load cases that exceed the design basis.

The overall approach is based on the IAEA Safety Standards. The assessment is focused on determining whether the SSCs that remain available in the NPP following an extreme event are sufficient to carry out the fundamental safety functions of:

·  Criticality control;

·  Residual heat removal; and

·  Confining radioactive material (focus on providing containment integrity which requires heat removal from the containment, prevention of containment overpressure, prevention of containment bypass through interfacing systems, and containment isolation).

In order to achieve the three fundamental safety functions, different safety-related aspects need to be addressed, such as provisions for redundancy, diversity, spatial separation, absence of cliff edges – that is, there is no sudden aggravation of the situation.

The first stage assessment specified above in Section 3.2 deals with the first two fundamental safety functions. Currently, the first stage assessment methodology (i.e. examination of accident scenarios leading to core damage in the reactor) is under development; details are provided further in the paper.

3.4 Overview of the Methods for the First Stage Assessment

Specific objectives

The specific objectives of the first stage assessment for NPPs are the following:

·  To identify all credible limiting extreme events and the associated accident scenarios (leading to core damage) in terms of initiating events accompanied by component failures and identify possible technical measures that could be implemented to prevent core damage.

·  To perform a bounding assessment of the frequency of limiting extreme events, for which no reasonable measures could be suggested.

·  For the extreme events of the magnitude lower than the respective limiting extreme event, to evaluate the sufficiency of the existing plant response safety margins from the perspective of defence-in-depth and to identify practical measures that could be implemented to reduce plant vulnerability, if found appropriate.

Methods

Two practical methods are proposed for the first stage assessment to address the fundamental safety functions of criticality control and residual heat removal.

1)  Fault Sequence Analysis (FSA) Method

The method uses linked event trees and fault trees developed for an NPP under consideration in the course of an internal initiating events Level-1 PSA. Specifically, the method focuses on the analysis of minimal cutsets (MCSs) generated in PSA.

A minimum prerequisite for the use of the FSA method is the availability of a Level-1 internal initiating events PSA of reasonable technical quality/level of detail. In case a more comprehensive PSA is available (e.g. internal and external hazards PSA), then a more comprehensive fault sequence analysis can be performed.
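
The sketch below is an added illustration, not part of the paper or of the IAEA methodology: it applies the paper's definitions of plant response safety margin, limiting extreme event and cliff edge to the minimal cutsets of a constructed toy plant model. The component names, capacities, cutsets, the deterministic "fails below capacity" rule and the "drop of two or more" cliff-edge criterion are all assumptions made for the example.

```python
# Constructed toy model: every name, capacity and cutset below is illustrative.
# Capacity = hazard magnitude (arbitrary units) the component can withstand.
CAPACITY = {
    "OFFSITE_POWER": 2.0,
    "DIESEL_A": 5.0,
    "DIESEL_B": 5.0,
    "SERVICE_WATER": 6.0,
    "BATTERY": 8.0,
    "TURBINE_DRIVEN_PUMP": 9.0,
}

# Minimal cutsets for the top event "core damage", in the form a Level-1 PSA yields.
MIN_CUTSETS = [
    frozenset({"OFFSITE_POWER", "DIESEL_A", "DIESEL_B", "TURBINE_DRIVEN_PUMP"}),
    frozenset({"OFFSITE_POWER", "DIESEL_A", "DIESEL_B", "BATTERY"}),
    frozenset({"SERVICE_WATER", "BATTERY", "TURBINE_DRIVEN_PUMP"}),
]

def margin(failed):
    """Fewest further failures that complete any cutset; 0 means core damage."""
    return min(len(cutset - failed) for cutset in MIN_CUTSETS)

def response_margin(magnitude):
    """Plant response margin when every component with capacity below magnitude fails."""
    return margin({n for n, cap in CAPACITY.items() if cap < magnitude})

def limiting_magnitude():
    """Threshold beyond which core damage is unavoidable: a cutset falls when its
    strongest member does, so take the minimum over cutsets of the maximum capacity."""
    return min(max(CAPACITY[n] for n in cutset) for cutset in MIN_CUTSETS)

def cliff_edges(min_drop=2):
    """Capacity levels where the margin falls by min_drop or more in a single step."""
    edges = []
    for level in sorted(set(CAPACITY.values())):
        before = margin({n for n, cap in CAPACITY.items() if cap < level})
        after = margin({n for n, cap in CAPACITY.items() if cap <= level})
        if before - after >= min_drop:
            edges.append((level, before, after))
    return edges

if __name__ == "__main__":
    for m in (1.0, 5.5, 8.5):
        print(f"magnitude {m}: margin {response_margin(m)}")
    print("limiting magnitude:", limiting_magnitude())
    print("cliff edges:", cliff_edges())
```

In this toy model the two diesels share one capacity, so the margin falls from three remaining barriers to one at a single hazard level, which is the kind of sudden aggravation the paper calls a cliff edge.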