Nuclear Safety
Nuclear Safety GIANNI PETRANGELI
Amsterdam Boston Heidelberg London New York Oxford Paris San Diego San Francisco Singapore Sydney Tokyo

Butterworth-Heinemann is an imprint of Elsevier
Linacre House, Jordan Hill, Oxford OX2 8DP
30 Corporate Drive, Suite 400, Burlington, MA 01803

First edition 2006

Copyright © 2006, Gianni Petrangeli. Published by Elsevier Butterworth-Heinemann. All rights reserved.

The right of Gianni Petrangeli to be identified as the author of this work has been asserted in accordance with the Copyright, Designs and Patents Act 1988.

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means electronic, mechanical, photocopying, recording or otherwise without the prior written permission of the publisher.

Permissions may be sought directly from Elsevier’s Science & Technology Rights Department in Oxford, UK: phone (+44) (0) 1865 843830; fax (+44) (0) 1865 853333; email: [email protected]. Alternatively you can submit your request online by visiting the Elsevier web site at http://elsevier.com/locate/permissions, and selecting Obtaining permissions to use the Elsevier material.

Notice
No responsibility is assumed by the publisher for any injury and/or damage to persons or property as a matter of products liability, negligence or otherwise, or from any use or operation of any methods, products, instructions or ideas contained in the material herein. Because of rapid advances in the medical sciences, in particular, independent verification of diagnoses and drug dosages should be made.

British Library Cataloguing in Publication Data
A catalogue record for this book is available from the British Library.

Library of Congress Cataloging-in-Publication Data
A catalog record for this book is available from the Library of Congress.

ISBN 13: 978-0-7506-6723-4
ISBN 10: 0-7506-6723-0

For information on all Butterworth-Heinemann publications visit our web site at http://books.elsevier.com

Printed and bound in the UK
Contents

Preface
Acknowledgements

Chapter 1 Introduction
  1-1 Objectives
  1-2 A short history of nuclear safety technology
    1-2-1 The early years
    1-2-2 From the late 1950s to the Three Mile Island accident
    1-2-3 From the Three Mile Island accident to the Chernobyl accident
    1-2-4 The Chernobyl accident and after
  References
  Chapter notes

Chapter 2 Inventory and localization of radioactive products in the plant
  References

Chapter 3 Safety systems and their functions
  3-1 Plant systems
  3-2 Safety systems and accidents
  3-3 Future safety systems and plant concepts
    3-3-1 General remarks
    3-3-2 Some passive safety systems for nuclear plants
    3-3-3 Inherently safe systems in the process industries
  References
  Chapter notes

Chapter 4 The classification of accidents and a discussion of some examples
  4-1 Classification
  4-2 Design basis accidents
    4-2-1 Some important data for accident analysis
    4-2-2 Example of a category 2 accident: spurious opening of a pressurizer safety valve
    4-2-3 Example of a category 3 accident: instantaneous power loss to all the primary pumps
    4-2-4 Example of a category 4 accident: main steam line break
    4-2-5 Example of a category 4 accident: sudden expulsion of a control rod from the core
    4-2-6 Example of a category 4 accident: break of the largest pipe of the primary system (large LOCA)
    4-2-7 Example of a category 4 accident: fuel handling accident
    4-2-8 Area accidents
  4-3 Beyond design basis accidents
    4-3-1 Plant originated accidents
    4-3-2 Accidents due to human voluntary actions
  4-4 External accidents of natural origin
  References
  Chapter notes

Chapter 5 Severe accidents
  5-1 Existing plants
  5-2 Future plants: extreme and practicable solutions
  5-3 Severe accident management: the present state of studies and implementations
  5-4 Data on severe accidents
  5-5 Descriptions of some typical accident sequences
    5-5-1 Loss of station electric power supply (TE = transient + loss of electrical supply)
    5-5-2 Loss of electric power with LOCA from the pump seals (SE = small LOCA + loss of electric power)
    5-5-3 Interfacing systems LOCA (V)
    5-5-4 Large LOCA with failure of the recirculation (ALFC)
    5-5-5 Small LOCA with failure of the recirculation (SLFC)
  5-6 ‘Source terms’ for severe accidents
  References

Chapter 6 The dispersion of radioactivity releases
  6-1 The most interesting releases for safety evaluations
  6-2 Dispersion of releases: phenomena
  6-3 Release dispersion: simple evaluation techniques
  6-4 Formulae and diagrams for the evaluation of atmospheric dispersion
  Reference
  Chapter notes

Chapter 7 Health consequences of releases
  7-1 The principles of health protection and safety
  7-2 Some quantities, terms and units of measure of health physics
  7-3 Types of effects of radiation doses and limits
  7-4 Evaluation of the health consequences of releases
    7-4-1 Evaluation of inhalation doses from radioactive iodine
    7-4-2 Evaluation of doses due to submersion in a radioactive cloud
    7-4-3 Evaluation of the doses of radiation from caesium-137 deposited on the ground (‘ground-shine’ dose)
    7-4-4 Evaluation of the dose due to deposition of plutonium on the ground
    7-4-5 Indicative evaluation of long distance doses for very serious accidents to nuclear reactors
    7-4-6 Direct radiation doses
  Reference
  Chapter notes

Chapter 8 The general approach to the safety of the plant-site complex
  8-1 Introduction
  8-2 The definition of the safety objectives of a plant on a site
    8-2-1 The objectives and limits of release/dose
  8-3 Some plant characteristics for the prevention and mitigation of accidents
  8-4 Radiation protection characteristics
  8-5 Site characteristics

Chapter 9 Defence in depth
  9-1 Definition, objectives, levels and barriers
  9-2 Additional considerations on the levels of Defence in Depth

Chapter 10 Quality assurance
  10-1 General remarks and requirements
  10-2 Aspects to be underlined
  Reference

Chapter 11 Safety analysis
  11-1 Introduction
  11-2 Deterministic safety analysis
  11-3 Probabilistic safety analysis
    11-3-1 Event trees
    11-3-2 Fault trees
    11-3-3 Failure rates
  References
  Chapter notes

Chapter 12 Safety analysis review
  12-1 Introduction
  12-2 The reference points
  12-3 Foreseeing possible issues for discussion
  12-4 Control is not disrespectful
  12-5 Clarification is not disrespectful
  12-6 Designer report
    12-6-1 Introduction
    12-6-2 Conclusions
    12-6-3 Hydrodynamic aspects
    12-6-4 Effective mass of oscillating system
    12-6-5 Evaluation of fluid damping
    12-6-6 Vibration analysis
  12-7 Discussion
  References
  Chapter notes

Chapter 13 Classification of plant components
  Reference

Chapter 14 Notes on some plant components
  14-1 Reactor pressure vessel
    14-1-1 Problems highlighted by operating experience
    14-1-2 Rupture probability of non-nuclear vessels
    14-1-3 Failure probability of nuclear vessels
    14-1-4 Vessel material embrittlement due to neutron irradiation
    14-1-5 Pressurized thermal shock
    14-1-6 The reactor pressure vessel of Three Mile Island 2
    14-1-7 General perspective on the effect of severe accidents on the pressure vessel
    14-1-8 Recommendations for the prevention of hypothetical accidents generated by the pressure vessel
  14-2 Piping
    14-2-1 Evolution of the regulatory positions
    14-2-2 Problems indicated by experience
    14-2-3 Leak detection in water reactors
    14-2-4 Research programmes on piping
  14-3 Valves
    14-3-1 General remarks
    14-3-2 Some data from operating experience
    14-3-3 The most commonly used types of valve
    14-3-4 Types of valve: critical areas, design and operation
    14-3-5 Valve standards
  14-4 Containment systems
  References

Chapter 15 Earthquake resistance
  15-1 General aspects, criteria and starting data
  15-2 Reference ground motion
  15-3 Structural verifications
    15-3-1 Foundation soil resistance
    15-3-2 Resistance of structures
  References

Chapter 16 Tornado resistance
  16-1 The physical phenomenon
  16-2 Scale of severity of the phenomenon
  16-3 Design input data
  Reference

Chapter 17 Resistance to external impact
  17-1 Introduction
  17-2 Aircraft crash impact
    17-2-1 Effects of an aircraft impact
    17-2-2 Overall load on a structure
    17-2-3 Vibration of structures and components
    17-2-4 Local perforation of structures
    17-2-5 The effect of a fire
    17-2-6 Temporary incapacity of the operating personnel
  17-3 Pressure wave
  17-5 Other impacts
  References

Chapter 18 Nuclear safety criteria
  18-1 General characteristics
  18-2 The US general design criteria
  18-3 IAEA criteria
  18-4 EUR criteria
  18-5 Other general criteria compilations
  References
  Chapter notes

Chapter 19 Nuclear safety research
  Reference

Chapter 20 Operating experience
  20-1 Introduction
  20-2 Principal sources
  20-3 Some significant events
    20-3-1 Mechanical events
    20-3-2 Electrical events
    20-3-3 System events
    20-3-4 Area events
    20-3-5 Reactivity accidents
    20-3-6 Possible future accidents
  20-4 The International Nuclear Event Scale
  References

Chapter 21 Underground location of nuclear power plants
  References

Chapter 22 The effects of nuclear explosions
  22-1 Introduction
  22-2 Types of nuclear bomb
  22-3 The consequences of a nuclear explosion
  22-4 Initial nuclear radiation
  22-5 Shock wave
  22-6 Initial thermal radiation
  22-7 Initial radioactive contamination (‘fallout’)
  22-8 Underground nuclear tests
    22-8-1 Historical data on nuclear weapons tests
    22-8-2 The possible effects of an underground nuclear explosion
    22-8-3 The possible radiological effects of the underground tests
  References

Chapter 23 Radioactive waste
  23-1 Types and indicative amounts of radioactive waste
  23-2 Principles
  Reference

Chapter 24 Fusion safety
  References

Chapter 25 Safety of specific plants and of other activities
  25-1 Boiling water reactors
  25-2 Pressure tube reactors
  25-3 Gas reactors
  25-4 Research reactors
  25-5 Sodium-cooled fast reactors
  25-6 Fuel plants
  25-7 Nuclear seawater desalination plants
  25-8 VVER plants
  25-9 Ship propulsion reactors
  25-10 Safe transport of radioactive substances
  25-11 Safety of radioactive sources and of radiation generating machines
  References

Chapter 26 Nuclear facilities on satellites
  26-1 Types of plant
  26-2 Possible accidents and their consequences
  Reference

Chapter 27 Erroneous beliefs about nuclear safety
  References

Chapter 28 When can we say that a particular plant is safe?

Chapter 29 The limits of nuclear safety: the residual risk
  29-1 Risk in general
  29-2 Risk concepts and evaluations in nuclear installation safety
    29-2-1 Tolerable risk
    29-2-2 Risk-informed decisions
  29-3 Residual risk: the concept of loss-of-life expectancy
  29-4 Risk from various energy sources
  29-5 Risk to various human activities
  29-6 Are the risk analyses of nuclear power plants credible?
  29-7 Proliferation and terrorism
  References

Additional references

Appendices

Appendix 1 The Chernobyl accident
  A1-1 Introduction
  A1-2 The reactor
  A1-3 The event
  References

Appendix 2 Calculation of the accident pressure in a containment
  A2-1 Introduction
  A2-2 Initial overpressure
  A2-3 Containment pressure versus time
    A2-3-1 Introductory remarks
    A2-3-2 Calculation method
    A2-3-3 Heat exchanged with the outside through the metal container
    A2-3-4 Heat released by hot metals
    A2-3-5 Heat exchanged with cold metals
    A2-3-6 Heat exchanged with concrete layers
    A2-3-7 Decay heat
    A2-3-8 Heat removed by the spray system internal to the containment
    A2-3-9 Solar heat
    A2-3-10 Thermal balance in the interval
    A2-3-11 Considerations on the performance of the calculation and on the choice of the input data
    A2-3-12 Example calculation
  References

Appendix 3 Table of safety criteria

Appendix 4 Dose calculations
  A4-1 Introduction
  A4-2 Virtual population dose in a severe accident
    A4-2-1 The reactor and the released isotopes
    A4-2-2 Source term at three days (I, Cs, Xe)
    A4-2-3 Dose at the fence after three days of exposure
    A4-2-4 Ground shine long-term dose
  A4-3 Explorative evaluation of the radiological consequences of a mechanical impact on a surface storage facility for category 2 waste
    A4-3-1 Type of repository
    A4-3-2 Reference impact
    A4-3-3 Fragmentation and dispersion of material
    A4-3-4 Doses
    A4-3-5 Conclusions
  A4-4 Explorative evaluation of the radiological consequences of a mechanical impact on a transport/storage cask containing spent fuel
    A4-4-1 Characteristics of the cask
    A4-4-2 Reference impact
    A4-4-3 Amount of significant fission products in the internal atmosphere of the cask and external release in one day
    A4-4-4 Effective committed doses
    A4-4-5 Conclusions
  References

Appendix 5 Simplified thermal analysis of an insufficiently refrigerated core
  A5-1 Analysis of the core without refrigeration
  A5-2 Other formulae and useful data for the indicative study of the cooling of a core after an accident
  References

Appendix 6 Extracts from EUR criteria (December 2004)
  2-1-8-3 List of design basis conditions
  2-1-8 Tables
    2-1-8-1 Table 1: Radiological criteria for radioactive releases in normal operation and incident conditions
    2-1-8-2 Table 2: Frequencies and acceptance criteria for normal operation, incident and accident conditions
  2-1-B-1 Criteria for limited impact for DEC
    2-1-B1-1 Table B1: Criteria for limited impact for no emergency action beyond 800 m from the reactor
    2-1B 1-2 Table B2: Criteria for limited impact for no delayed action beyond 3 km from the reactor
    2-1B 1-3 Table B3: Criteria for limited impact for no long-term actions beyond 800 m from the reactor
    2-1B 1-4 Table B4: Criteria for limited impact for economic impact
  2-1 B2 Release targets for design basis category 3 and 4 conditions
    2-1-B-2-1 Table B5: DBA release targets for no action beyond 800 m from the reactor
    2-1-B-2-2 Table B6: DBA release targets for economic impact
  2-1-2-3 Operational staff doses during normal operation and incidents
  2-1-2-6 Probabilistic safety targets
  2-1-3-4 Single failure criterion
  2-1-4-3-2 Complex sequences that may be considered in DEC
  2-1-6-8 Classification of the safety functions and categorisation of the equipment
    2-1-6-6-3 Requirements according to level of safety functions
    2-1-6-8-4 Assignment of equipment and structures to a safety category
    2-1-6-8-5 Requirements on equipment and structures according to safety category
    2-1-6-8-6 Classification of structures and equipment according to the design and construction codes
    2-1-6-8-7 The relation of seismic categorisation to safety level of functions
  2-1-6-13 Accident management
  2-1-6-14 Radiation protection

Appendix 7 Notes on fracture mechanics
  A7-1 Introduction
  A7-2 Current practice
  References

Appendix 8 US general design criteria
  A8-1 Introduction
  A8-2 Definitions and explanations
  A8-3 Criteria
    A8-3-1 Overall requirements
    A8-3-2 Protection by Multiple Fission Product Barriers
    A8-3-3 Protection and Reactivity Control Systems
    A8-3-4 Fluid Systems
    A8-3-5 Reactor Containment
    A8-3-6 Fuel and Radioactivity Control
  Notes

Appendix 9 IAEA criteria

Appendix 10 Primary depressurization systems
  A10-1 Initial studies
  A10-2 Depressurization systems for modern design reactors
  References

Appendix 11 Thermal-hydraulic transients of the primary system
  A11-1 General remarks
  A11-2 General program characteristics
  A11-3 Program description
    A11-3-1 Macro Stampa dati
    A11-3-2 Macro Copia_dati
    A11-3-3 Macro HF
    A11-3-4 Macro HFG
    A11-3-5 Macro VF
    A11-3-6 Macro VFG
    A11-3-7 Macro QS
    A11-3-8 Macro GU
    A11-3-9 Macro GE
    A11-3-10 Macro DT
    A11-3-11 Macro PS
  A11-4 Using the program
  A11-5 Other formulae for the expanded use of the program
    A11-5-1 ATWS
    A11-5-2 Pressure in a depressurization water discharge tank
  References

Appendix 12 The atmospheric dispersion of releases

Appendix 13 Regulatory framework and safety documents
  A13-1 Regulatory framework
  A13-2 Safety documents
    A13-2-1 The safety report
    A13-2-2 The probabilistic safety assessment
    A13-2-3 The environmental impact assessment
    A13-2-4 The external emergency plan
    A13-2-5 The operation manual, including the emergency procedures
    A13-2-6 Operation organization document
    A13-2-7 The pre-operational test programme
    A13-2-8 The technical specifications for operation
    A13-2-9 The periodic safety reviews
  References

Appendix 14 USNRC Regulatory Guides and Standard Review Plan
  A14-1 Extracts from a regulatory guide
  A14-2 List of contents and extracts from a sample chapter of the Standard Review Plan
  A14-3 Sample chapter

Appendix 15 Safety cage
  A15-1 General remarks
  A15-2 Available energy
  A15-3 Mechanical energy which can be released
  A15-4 Overall sizing of a structural cage around the pressure vessel
  A15-5 Experimental tests on steel cages for the containment of vessel explosions
  Reference

Appendix 16 Criteria for the site chart (Italy)
  A16-1 Population and land use
  A16-2 Geology, seismology and soil mechanics
  A16-3 Engineering requirements
  A16-4 Extreme events from human activities
  A16-5 Extreme natural events

Appendix 17 The Three Mile Island accident
  A17-1 Summary description of the Three Mile Island no. 2 Plant
  A17-2 The accident
  A17-3 The consequences of the accident on the outside environment
  A17-4 The actions initiated after the accident
  References

Glossary
Web sites
Index
Preface
Introduction

I have written this book because of my firm belief that it is necessary to try to gather and to preserve in written form, and from one perspective, the accumulated experience in the fields of nuclear safety and of radiation protection. This is particularly important for countries where nuclear energy exploitation has been stopped, but where it might have to be resumed in future. The main accent of this book is on Nuclear Safety.

From another point of view, many areas developed in nuclear safety studies are of interest in the safety of process plants too and, therefore, it is worthwhile writing about them.

Given this perspective, I have tried to collect the ideas, the data and the methods which, in many decades of professional work in several countries, are in my opinion the most useful for ‘integrated system’ evaluations of the plant safety. I have emphasized the complete site–plant system more than single details, so the data and the methods discussed are not those applied in the many specialized disciplines devoted to the in-depth study of safety but are those required for overall, first approximation, assessments. In my opinion, such assessments are the most useful ones for the detection of many safety-related problems in a plant and for the drafting of a complete picture of them. The more accurate and precise methods are, however, essential in the optimization phase of plant design and of its operational parameters. Specialists in reactor engineering, in thermalhydraulics, in radiation protection and in structural response issues may, therefore, be surprised to read that simple methods and shortcuts suggested here are very useful, as my experience and that of other ‘generalists’ suggests.

Additionally, this book aims to cover some general and some unusual topics, such as: the overall conditions to be complied with by a ‘safe’ plant, the trans-boundary consequences of accidents to plants or to specific activities, the consequences of terrorist acts, and so on.

On some crucial issues, the views of the world’s nuclear specialists are not the same, for example, the views in Western countries compared with those in former Soviet-bloc countries on the pre-Chernobyl approach to nuclear safety in Eastern Europe: the West considered the Soviet approach to be a relatively lenient one, while the Soviets thought that they concentrated on prevention of accidents rather than on the mitigation of them. In these cases, the text tries to be objective and to quote the ‘Eastern’ view besides the ‘Western’ one, leaving future engineers and technical developments to decide on this issue.

Except where explicitly indicated, the text refers to the pressurized water reactor. Extrapolation to other kinds of plants is, however, possible. The text complies with internationally recognized safety standards, and in particular with International Atomic Energy Agency (IAEA) requirements.

On occasions I have digressed, in notes, from the main thrust of the text. I have done this for several reasons: many notes relate facts that qualify or justify what is written in a preceding paragraph; some of them are numerical examples added for clarification; others are simple comments and personal reflections on the subject. These notes are set at the end of each chapter.

I have provided a list of references at the end of each chapter; however, a complete chapter (Additional references) is almost completely devoted to a list of some ‘institutional’ references (i.e. those published by the IAEA, by the Organization for Economic Cooperation and Development (OECD) and by the United States Nuclear Regulatory Commission (USNRC) which is one of the richest sources of publications among Regulatory Bodies). These additional references are labelled with the superscript AR. Many of these references can be consulted and even downloaded from the web sites listed in the Web sites chapter (see p. 425). Calculation sheets mentioned in the text may be downloaded from the publisher’s web site (http://books.elsevier.com/companions/0750667230); the way to use them is described in the text.

Finally, I wish to underline that all my experience suggests to me, after many positive and negative lessons learned, that today’s nuclear plants can be completely safe and that significant accidents can be avoided. This is, however, only true on the condition that safety objectives are carefully pursued by the organizations involved in the plants; in this arena, as it will be shown, even organizations apparently very far from any specific plant must be, up to a certain extent, included (e.g. the bodies responsible for the general energy strategy of a country and the ‘media’).

I will be very grateful to my readers for any suggestion concerning improvements to the text and also corrections to the mistakes which are certainly present in it. I am fully aware, in particular, of the subjective nature of the choice of the material included: the subject of nuclear safety, as does that concerning the safety of process plants in general, has become, over time, a discipline composed of many specific rather autonomous subsections. It is not easy, therefore, to choose the material to be included in a general text like this one; in this, practical experience of what is necessary while doing assessment work of plants has been my guide.
Acknowledgements
I am very grateful to all the colleagues who have cooperated, deliberately or by chance, in supplying me with the material for these pages. I apologize to them if I don’t name them individually; this is not only because they are many, but because I am sure that I would inadvertently miss out some names.

Gianni Petrangeli
Chapter 1 Introduction
1-1. Objectives

The objectives of nuclear safety consist in ensuring that the siting and the plant conditions comply with adequate principles, such as, for example, the internationally accepted health, safety and radioprotection principles. In particular, the plant at the chosen site shall guarantee that the health of the population and of the workers does not suffer adverse radiation consequences more severe than the established limits and that such effects be the lowest reasonably obtainable (the ALARA – As Low As Reasonably Achievable – Principle) in all operational conditions and in case of accidents.

These objectives are frequently subdivided into a General Objective, a Radiation Protection Objective and a Technical Objective, for example in the International Atomic Energy Agency (IAEA) criteria (see www.iaea.org).

The General Nuclear Safety Objective [AR1] is to protect individuals, society and the environment from harm by establishing and maintaining effective defences against radiological hazards in nuclear installations.

The Radiation Protection Objective is to ensure that in all operational states radiation exposure within the installation or due to any planned release of radioactive material from the installation is kept below prescribed limits and as low as reasonably achievable, and to ensure mitigation of the radiological consequences of any accidents.

The Technical Safety Objective is to take all reasonably practicable measures to prevent accidents in nuclear installations and to mitigate their consequences should they occur; to ensure with a high level of confidence that, for all possible accidents taken into account in the design of the installation, including those of very low probability, any radiological consequences would be minor and below prescribed limits; and to ensure that the likelihood of accidents with serious radiological consequences is extremely low.

The target for existing power plants consistent with the Technical Safety Objective has been defined by the INSAG (International Nuclear Safety Advisory Group, advisor to the IAEA Director General) [AR185] as a likelihood of occurrence of severe core damage that is below about $10^{-4}$ events per plant operating year. Implementation of all safety principles at future plants should lead to the achievement of an improved goal of not more than about $10^{-5}$ such events per plant operating year. Severe accident management and mitigation measures should reduce the probability of large off-site releases requiring short-term off-site response by a factor of at least 10.

It has to be observed that these principles, while indicating the need for strict control of radiation sources, do not preclude the external release of limited amounts of radioactive products nor the limited exposure of people to radiation. Similarly, the objectives require that the likelihood and the severity of accidents be decreased, but they recognize that some accidents can happen. Measures have to be taken for the mitigation of their consequences. Such measures include on-site accident management systems (procedures, equipment, operators) and off-site intervention measures. The greater the potential hazard of a release, the lower must be its likelihood.

The chapters of this book, except the few of them not concerned with the safety of nuclear installations, deal with the ways for practically achieving these objectives.
1-2. A short history of nuclear safety technology
1-2-1. The early years

The first reactor, the ‘Fermi pile’ CP1 (or Chicago Pile 1, built in 1942), was provided with rudimentary safety systems in line with the sense of confidence inspired by the charismatic figure of Enrico Fermi and his opinion concerning the absence of any danger from unforeseen phenomena. The safety systems (Fig. 1-1) were:

- gravity driven fast shutdown rods (one was operated by cutting a retaining rope with an axe); and
- a secondary shutdown system made of buckets containing a cadmium sulphate solution, which is a good neutron absorber. The buckets were located at the top of the pile and could be emptied onto it should the need arise.

[Figure 1-1: drawing titled ‘THE FIRST REACTOR, December 2, 1942’. Labels in the drawing: cadmium solution, ax man, spectator, ZIP rod, 57 layers of uranium and graphite, cadmium rod, detector, recorder. People named in the drawing: Samuel Allison, Norman Hilberry, Enrico Fermi, George Weil.]

Figure 1-1. Drawing of the CP1 pile. Scram – this term means ‘fast shutdown of a reactor’: various explanations have been proposed for its origin. The most credited one assumes that it derives from the abbreviated name of the CP1 safety rod which could be actuated by an axe. In the original design sketches of the pile, the position of the operator of the axe was indicated by ‘SCRAM’, the abbreviation of ‘Safety Control Rod Ax Man’. The designated operator was the physicist Norman Hilberry, subsequently Director of the Argonne Laboratory. His colleagues used the name ‘Mister Scram’. The drawing is courtesy of Prof. Raymond Murray.

Compared with the set of safety systems subsequently considered essential, an emergency cooling system was missing as decay heat was practically absent after shut down, and there was no containment system (except for a curtain!) provided as the amount of fission products was not significant.

Other reactors were soon built, for both military and civil purposes, and since they were constructed on remote sites (e.g. Hanford, WA), they didn’t need containment systems. In the light of subsequent approaches used in reactor safety, probably, in this first period, not all the necessary precautions were taken; however, it is necessary to consider the specific time and circumstances present (a world war in progress or just finished, status of radiation protection knowledge not yet sufficiently advanced, etc.) (note 1).

In the 1980s and 1990s, a revision of the ‘simplified’ approach used for these first reactors (mainly devoted to plutonium production) was made. They were, as a consequence, either shut down or modified. In particular, the following characteristics or problems were removed or solved:

- the open cycle cooling of the reactors and non-pressure-resistant containments;
- the disposal of radioactive waste using unreliable methods, such as the location of radioactive liquids in simple underground metallic tanks which were subject to the risk of corrosion and of consequent leaks;
- the storage of spent fuel elements in leaking pools of water.
1-2-2. From the late 1950s to the Three Mile Island accident Since the early 1960s and even before, in the West, the criterion of locating power reactors in a leakproof and pressure resistant containment vessel was established and consolidated. In those cases where a significant release of radioactive products could be possible, the design pressure of the containment was
Chapter 1 Introduction
chosen on the assumption that all the primary (and part of the secondary) hot water (for a water reactor) was released from the cooling systems. Indeed, since the 1950s, the US ‘Reactor Safeguards Committee’, set up by the Atomic Energy Commission with the task of defining the guidelines for nuclear safety, had indicated that, for a noncontained reactor, an ‘exclusion distance’ (without resident population) should be provided. This distance, R, had to be equal, at least to that given by Eq. 1.1. pffiffiffiffiffiffiffi R ¼ 0:016 Pth km,
ð1:1Þ
where Pth is the thermal power of the reactor in kilowatts. For a 3000 MW reactor (the usual size today), this exclusion distance is equal to approximately 30 km, which is equal to the distance evacuated after the Chernobyl accident (Bourgeois et al., 1996). Evidently, the reference doses for the short-term evacuation were roughly the same for the two cases. An exclusion distance of this magnitude poses excessive problems to siting, even in a country endowed with abundant land such as the USA, therefore, the decision of adopting a containment is practically a compulsory one. The first reactor with leakproof and pressure resistant containment was the SR1 reactor (West Milton, NY, built in the 1950s). Built to perform tests for the development of reactors for military ship propulsion; this reactor was cooled by sodium and the containment was designed for the pressure corresponding to the combustion of the sodium escaping from a hypothetical leak in the cooling circuit. In Western countries, moreover, it was required that the whole refrigeration primary circuit should be located completely inside the containment, so that, even in the case of a complete rupture of the largest primary system pipe, all the escaped fluid would be confined in the containment envelope. The design pressure of the containment for water reactors (starting with the Shippingport, Pa, reactor, moderated and cooled by pressurized water) was derived on the basis of the assumption of the complete release of the primary water. In Eastern Europe, these criteria were applied to a lesser degree, as it was accepted that the pressure vessel alone would be located within the containment
(the rupture of large pipes was considered sufficiently unlikely to justify this assumption) and that the leakproof containment characteristic need not be very stringent. Thus, at the second Atoms for Peace conference in Geneva in 1964, the Western visitors were impressed but surprised by the model of the Novovoronezh reactor, which showed only one small containment enclosure around the reactor pressure vessel and was located in a building that from the outside resembled a big public office building. Still many years afterwards, the Russian reactors of the VVER 230 series, although provided with complete ‘Western-style’ containment, had a leakage rate from the containment of the order of 25 per cent each day (to be compared with figures of the order of 0.2 per cent each day from typical Western containments).2 Apart from differences of approach between world regions, in this period of time and in all the countries with nuclear reactors, the systems installed in the plants according to the requirements of the safety bodies and having the sole purpose of accident mitigation, were frequently the subject of heated debates; in particular, the emergency core cooling systems and the containment systems were often discussed. More precisely, the opinions on the accident assumptions evolved in the West were divided. The reference situations for the reasonably conceivable accidents were chosen by the judgement of expert committees. These situations included the worst ‘credible’ events (such as the complete severance of the largest primary pipe). 
The assumptions concerning the initiating event were accompanied by simultaneous conservative assumptions concerning malfunctions in safety systems, such as a ‘single failure’ consisting in the failure, simultaneous with the initiating event (pipe failure and so on), of one active component of one of the safety systems devoted to emergency safety functions during the accident (water injection system, reactor shutdown system and so on).3 On one side, the more cautious experts, generally members of public safety control bodies, many scholars and members of non-governmental organizations for the defence of public rights, supported the need for keeping these conservative assumptions; on the other side, more optimistic people (members of manufacturing industries and of electric utilities) maintained that the above mentioned accident
assumptions entailed a true waste of resources (those necessary to provide nuclear plants with huge containment buildings and powerful safety systems). It has to be noted that the ‘optimists’ were by no means imprudent or reckless: a sincere conviction existed in the industry that the current accident assumptions were not well founded.4 The contrast between the optimists and the pessimists was exacerbated by the foreseeable circumstance that not all of the logical consequences of the initially adopted accident assumptions were from the start clear to technical people. As an example, as far as the effectiveness of emergency core cooling systems is concerned, it was not understood from the start that Zircaloy fuel cladding (stainless steel behaves in a similar way) could react with water in an auto-catalytic way at relatively low temperatures and could release large quantities of hydrogen. Neither was it understood from the start that the same cladding could swell before rupturing and could occupy the space between fuel rods, preventing the flow of cooling water. The existence of these phenomena was demonstrated by studies and by tests performed by the Atomic Energy Commission (AEC) on the Semiscale facility at the US National Laboratory of Idaho Falls towards the end of the 1960s, when many US reactors had already been ordered and were being designed or built. Similarly, at the beginning of the 1970s, the possibility was demonstrated that the break of a pipe could damage other nearby pipes or other plant components, starting a chain of ruptures (known as the ‘pipe whip’ effect). All of these discoveries, made late in the design and procurement phases of US reactors, persuaded the control bodies to stipulate that the inherent safety systems be improved in order to take them into account. 
Other requests for improvement concerned the resistance of the plants to natural phenomena or to man-made events, in order to reach a balanced defence spectrum against all of the realistically possible accidents; in such a way the defence against new phenomena became analogous to the defence against the already considered phenomena having a comparable or lower probability. These requests for improvement (‘backfitting’) extended the construction times of the plants, together with their costs.
It can be understood that the industry, which already considered the initially adopted accident assumptions to be excessive, strongly opposed these aggravating requests. As previously said, up to the Three Mile Island (TMI) accident, not all nuclear technical experts believed in the reasonableness of the current accident assumptions and in the need to pursue them with logical rigour and, in the light of the up-to-date scientific knowledge, up to their extreme consequences.5 The increase in costs as a consequence of the continuous requests for plant improvements, was strongly in contrast with the initial industrial expectations, which were concisely summarized by the then chairman of the Atomic Energy Commission, Lewis Strauss, who famously stated that nuclear energy would become ‘too cheap to meter’. In this period, the expression ‘ratcheting’ was created to describe the action of the control bodies in the field of the improvement of the plants concurrently with the indications of the progressing studies and research. This continuous process of improvement produced, where it was performed, very safe but also very costly and rather complicated plants. Indeed, the plants were subject to a series of safety feature additions to a substantially unchanged basic design. In this period a diverse approach to plant siting developed and was consolidated in the USA and in Western Europe. In the USA, the plant siting criteria, as far as demographic aspects were concerned, were substantially decoupled from the design features of the plant. On the contrary, in Europe, criteria for the site-plant complex were adopted. The US site criteria (except for seismic problems and for other external natural or man-made events) can be summarised as follows:
• The existence of an ‘exclusion zone’ around the plant, where no dwellings or productive settlements exist, with access under the complete control of the plant management.
• The existence of a ‘low population zone’ around the plant, which could be quickly evacuated (within hours) in case of accident to the plant.
• The radioactive products release from the core to the plant containment conventionally established as a function of the plant power only: the TID release (Di Nunno et al., 1962).
• A dose limit of 250 mSv (25 rem) total body and of 3 Sv (300 rem) for the thyroid (children) within two hours after the accident at the border of the exclusion zone.6
• Dose limits equal to the preceding ones for the whole accident duration at the external border of the low population zone.
The exclusion zone was established at a radius of 800–1000 m around the plant and the low population zone at roughly 5 km from the plant (US Code of Federal Regulations, 2004a). The conventional release from the core was as follows:
• For iodine-131: 50 per cent of the core inventory, of which 50 per cent only is available in the containment for external release (deposition and plate out in the primary circuit).
• The iodine available for external release is 91 per cent elemental, 5 per cent particulate and 4 per cent organic iodide (methyl iodide).
• Noble gases are totally released to the containment.
Independent criteria were then established for the design of the plant. In this approach, the decision about the adequacy of a proposed site could be taken only on the basis of the plant power level and, possibly, on the specific characteristics of its fission product removal systems (to be evaluated and possibly validated on a case by case basis). On the other hand, in Europe, the site selection criteria usually consider the site-plant complex. Therefore, for example, if a plant with the usual safety systems could not be located on a specific site because accident doses exceeded the reference limits, it was possible to make the plant acceptable for the same site by the improvement of the systems for fuel integrity protection in case of accidents. The dose limits varied somewhat between various countries, but they were of the order of 5 mSv (500 mrem, effective dose) to the critical group of the population outside the exclusion zone for every credible accident (design basis accidents); some increase of this limit up to the level of tens of millisievert for single specific accidents could also be accepted. In order to evaluate the consequences of these accidents, then, no conventional figure for the
releases is used (such as the TID figures). On the contrary, conservative but more realistic assumptions are adopted; typically, the iodine released in the containment is assumed equal to the inventory in the fuel-clad interface, equal to one to five per cent of the total core inventory, instead of the TID 50 per cent. In Europe, the need to take account of the specific plant features for the evaluation of the acceptability of the site arises from the much higher population density in Europe in comparison with that of the USA (approximately 200 inhabitants per square kilometre and 30 per square kilometre, respectively). It is therefore much more difficult to find low population sites in Europe. The different population densities in Europe and the USA have also brought about differences in accident emergency plans: in the USA, the provision of a complete evacuation of the population within 16 km of the plant in a few hours is adopted, while in Europe the maximum comparable distance is equal to 10 km. It is indeed difficult to assure the evacuation of population centres with tens, hundreds or thousands of inhabitants. Here too, the countries’ differences in demographic conditions have to be compensated by additional plant features (generally, the use of double containment provided with intermediate filtration systems and the use of elevated stacks). The practice in the Far East (Japan, South Korea) is similar to the European one. These differences in the fundamental approach to safety among various countries have always been thought by the general public to be a weakness of the nuclear industry, thereby affecting their acceptance of nuclear energy. These differences have always been a source of confusion in the mind of the public and, therefore, they aggravate the public distrust in the safety of this energy source.
Many attempts have been made, in the international and community arenas where nuclear safety is discussed (IAEA, OECD, EU), to adopt unified criteria (see Chapter 18). The aim of agreeing common criteria has been reached only at the expense of unification at a higher logical level, therefore leaving untouched the differences previously described, for example leaving to the freedom of each country the definition of acceptable distances or doses.
In this period up to the TMI accident, three other facts influenced nuclear safety technology: defence against non-natural external events; the preparation of the Rasmussen report, WASH 1400; and the introduction of Quality Assurance (QA) in design, construction and operation of plants. The first of these, the defence against non-natural external events, would not deserve specific mention and discussion, except that its motivation has changed with time. For example, the initial official incentive for the reinforcement of plant structures and components of many reactors consisted in the defence against the accidental fall of an aircraft, while, subsequently, it was provided to defend against sabotage performed by the use of aircraft, but also by explosives of various kinds. In effect, the strengthening of structures and components was initially made in Germany as a consequence of the high number of crashes of the Lockheed Starfighter fighter plane in the 1960s. Subsequently, with the onset of terrorist activity in the 1970s, the need arose to defend nuclear plants against hypothetical external attacks conducted with the use of projectiles and of explosives. At this point, it was discovered that the German protection against the plane crash could also envelop a sufficient number of sabotage events based on the use of explosives. Therefore, as many people preferred not to mention these sabotage protections explicitly, the corresponding provisions were named in the official documents as ‘protection against plane crash’. Plant protection against the various effects of the impact by a fighter aircraft (weighing about 20 t) was adopted at least in Germany, Belgium, Switzerland and Italy, while in other countries the protection against the fall of a smaller sports aircraft was chosen, frequently only if justified by the proximity of an airport.
No country explicitly adopted the protection against the impact of a wide-bodied airliner of the Jumbo Jet type (weighing about 350 t), which would be far more onerous (possibly requiring the underground location of plants). It was calculated that the protection against the fall of a fighter aircraft included the protection against the fall of a large airliner too if the impact takes place with less damaging characteristics (lower speed of impact, shallower angle of impact, and so on) than those which would cause the worst structural consequences. (See Chapter 17 for more on aircraft impact.)
The second influence, the Rasmussen report, first published in 1975, was sponsored by the Nuclear Regulatory Commission (NRC – the successor to the Atomic Energy Commission in control of peaceful applications of nuclear energy and the regulatory body on nuclear safety matters) with the aim of outlining an overall picture of all the conceivable accidents and of their probabilities, in order to identify the risk connected to a nuclear plant. It was the first time a study that included all conceivable accidents had been made. It included less probable scenarios too, such as the catastrophic explosion of a reactor pressure vessel and an estimate of the probability of each of them. It should be understood that the probability data concerning the most unlikely phenomena are scarce or even absent given the impossibility of studying these phenomena by experimental tests and the scarcity of applicable real-life data. In some ways, quantifying these events in a report was a bold decision, but, once the objective of the study was decided upon, nobody questioned the feasibility of it. Subsequently, once the report was published, criticism ensued: some people said that it was inscrutable, others criticized the completeness of the database, and others criticized the inconsistency of the executive summary with the main report. In the second, and final, edition some evident insufficiencies were corrected, but some of the criticisms remained unresolved. Whoever it was who started a risk study of the first cars, of the first railway trains or of the first airplanes, would have met the same difficulties. However, with the passing of time, the report has remained a fundamental reference for any safety and risk evaluation. 
Nobody could support the validity of the absolute quantitative risk evaluations contained in it, but, at the same time, the validity of this study and of the similar ones which followed is universally acknowledged as far as the relative probability estimates are concerned for detection of weak points in a specific design. In substance, the Rasmussen report and similar studies are possible judgement instruments in the nuclear safety field, although they cannot be used alone. Sound engineering evaluations, based on operating experience, even in different but similar fields, and on research results, are the necessary complement to the probabilistic evaluations. In the history of nuclear safety technology, the Rasmussen report did not solely represent a
methodological advancement. Severe accidents (those accidents more serious than those up to then considered credible) were included, especially after the TMI accident, in the design considerations for nuclear plants. Finally, the start of the application of QA in nuclear engineering has to be mentioned. According to this management system, the quality of a product is guaranteed by the control of the production processes, more than by the control of the products themselves. Certainly this represents remarkable progress towards the achievement of products better complying with their specifications; however, the implementation of this system requires a significant effort in the field of activity planning and of the management of the documentation, entailing a corresponding cost burden.
1-2-3. From the Three Mile Island accident to the Chernobyl accident

In March 1979, during a rather frequent plant transient, a valve on top of the pressurizer of the TMI plant (Pennsylvania, USA) remained stuck open, giving rise to a continuous loss of coolant. In an extremely concise way, an opening in that position (although this fact had not been sufficiently studied and publicized in the technical literature) generated over time a situation of a void reactor pressure vessel and of a full pressurizer. This accident demonstrated that the attitude of many technical people towards nuclear safety was careless and optimistic. It could also be concluded that bad ‘surprises’ caused by a nuclear plant could be avoided only at the expense of a strong change in their mindset towards safety itself. These conclusions were shared by practically all technical people and all over the world. Some optimists still existed, however. They were convinced that all the blame for the accident had to be placed on the operators who had not correctly diagnosed the plant conditions in time, and that all the problems could be solved by the use of more stringently screened operators. It can be said that this accident completely changed the attitude of the industry towards safety in all the OECD countries. The provision of features previously considered to be pointless by some (such as the presence of a leakproof, pressure
resistant containment) was acknowledged as valid in the light of the possibility of unforeseeable events. Two organizations were created for the exchange of information on operational events at nuclear plants and for the promotion of excellence in the nuclear safety field: the Institute of Nuclear Power Operations (INPO) in the USA and the World Association of Nuclear Operators (WANO) internationally. In the USA, within the NRC, a specific Office was created (Analysis and Evaluation of Operational Data – AEOD) for the analysis and the dissemination of operating experience. Long lists of ‘lessons learned’ were prepared and a ‘Three Mile Island Action Plan’ compiled which contained a large number of specific provisions against the possible repetition of similar accidents in the future. The implementation of these provisions cost each plant an amount of money ranging between several million dollars and several tens of millions of dollars. Above all, two concepts were underlined and reinforced: the concept of Defence in Depth and the concept of Safety Culture. According to a number of experts, in particular from the former USSR, the attitude of the industry towards safety also changed in Eastern Europe after the TMI accident: already in the early 1980s, Russian designers of VVER reactors proposed a number of measures for safety improvements. The Defence in Depth initiative is a concept meaning that many, mutually independent, levels of defence against the initiation and the progression of accidents are created. The various levels include physical barriers, such as the fuel cladding, the primary system, the containment, etc. Five levels are defined: good plant design, control systems, emergency systems, accident management, and emergency plans.
The Safety Culture concept is defined as the set of convictions, knowledge and behaviour in which safety is placed at the highest level in the scale of values in every activity concerning the use of nuclear energy.7 The result of these initiatives, together with the Rasmussen report and the TMI accident convinced many countries to give attention to severe accidents. Severe accident occurrence was introduced as a consideration in the design and operation of plants.
A severe accident is defined as one exceeding in severity the Design Basis Accidents, which are those against which plant safety systems are designed in such a way that:
• the core does not exceed the limits of irreversible damage of the fuel (e.g. 1200 °C maximum temperature, 17 per cent local oxidation of the claddings, etc.) (US Code of Federal Regulations, 2004b);
• the external releases do not exceed the maximum tolerable ones, according to the national criteria in force.
In many cases it is considered, as an accident progressively worsens, that the limit for which it becomes ‘severe’ is the attainment of 1200 °C in the fuel cladding since at about this temperature the progression of the water–cladding exothermic reaction becomes auto-catalytic and proceeds at a high rate. The IAEA definition for severe accidents is ‘accident conditions more severe than a design basis accident and involving significant core degradation’.AR49 All the OECD countries (but also others) agreed on the advisability of studying and of implementing severe accident management techniques on their plants. These provide equipment and emergency procedures for severe accidents which, in the extreme case of reaching a situation close to a severe accident, prevent its occurrence or, at least, prevent it from worsening. Examples of typical equipment and procedures for severe accidents are the following:
• portable electric energy generators, transportable from the plant to another on the same site or on a different site;
• procedures to supply electric energy to the essential loads, in case of total loss of electric power;
• procedures for the voluntary depressurization of the primary system in case of loss of the high pressure emergency injection systems, and so on.
By the 1980s, practically all the plants in the OECD area were equipped with Severe Accident Management Plans to various degrees of completeness. Some countries have progressed further than others, instigating real plant modifications as a means of implementing their Accident Management Plans. France, Germany and Sweden (and others) have installed filtered containment venting systems designed to avoid the rupture of the containment in case of a severe accident entailing the slow overpressurization of the building beyond its strength limits (this situation could happen in every accident scenario without sufficient cooling of the core and of the containment). Other countries, such as the USA, concluded that these systems were not needed, on the basis of a cost–benefit analysis. In Italy, a set of criteria was developed, the ‘95–0.1 per cent criterion’, according to which, by the installation of appropriate systems (including a filtered venting system for at least one reactor), a release of iodine higher than 0.1 per cent of the core inventory could be avoided with a probability higher than 95 per cent, conditional upon core melt (defined as attainment of a cladding temperature higher than 1200 °C). Obviously, no single events of very low probability were considered, such as a pressure vessel explosion due to a mechanical defect. A similar criterion was adopted in Sweden. Among the proposals at this time was one that concerned a preventative system for the voluntary depressurization of the primary system in pressurized water reactors (PWRs) and for the passive injection of water into the primary system for about 10 hours. This core rescue system (CRS) could decrease the core melt probability by a factor of at least 10. The system was proposed as a modification of the design chosen for the Italian Unified Nuclear Design, but was not considered necessary by the designers at that time. A few years later, the designers applied it, with modifications, to the passive reactor AP 600. Another reactor design (this time German) has a similar system. The voluntary primary system depressurization has subsequently been adopted by all the more modern PWR designs, such as the European Pressurized Reactor (EPR) and the System 80.
1-2-4. The Chernobyl accident and after

In my opinion and the opinion of other experts, there were two primary causes of the Chernobyl tragedy. The first was that although the plant was certainly very good from a production point of view, it had been designed with excessive optimism as far as
safety was concerned. Indeed, in some operating conditions (low power, low steam content in the pressure tubes) the reactor was very unstable, in the sense that an increase in power or a loss of coolant tended to increase its reactivity, increasing the power auto-catalytically. In this way, the destruction of the reactor and of the plant could be initiated. Moreover, with completely extracted control rods (a situation forbidden by the operating procedures), the potential instability was more severe and, additionally, the use of the scram acted as an accelerator and not as a brake in the first moments of the rod movement (an ‘inverted scram’). The second fatal circumstance was that the operators were working, on that night in April 1986, in a condition of frantic hurry for various reasons. Although this reactor had been provided with leakproof and pressure resistant containment as a result of the prevailing changes in attitude already discussed, the containment did not include a significant portion of the reactor itself (a remarkable design decision). In particular, the fuel channel heads were directly put in a normal industrial building. A completely uncontained accident, therefore, happened. The reasons for the adverse design characteristics may have been financial (but expert opinion differs). The general lesson to be learned is always the same: no weak points compromising safety must be left in a plant. Human errors, as in the cases of TMI and Chernobyl, will succeed in finding them and will cause disasters and fatalities. I don’t believe, as some anti-nuclear people maintain, that ‘if an accident can happen, sooner or later it will happen’, however, experience indicates that accident possibility must be seriously considered during all the phases of the life of a nuclear plant.8 However, for the sake of completeness, it has to be said that the Chernobyl-type reactors were not well known in the Western world. 
The pertinent information was kept somewhat confidential because this reactor could potentially be used for plutonium production and therefore it was interesting from a military point of view.9 A confidential safety analysis of an RBMK reactor, similar to the Chernobyl one, was performed some years before the accident by a European design company. It concluded that this reactor, in many respects, did not meet the safety standards in use in the Western world. Copies of this safety analysis were
circulated among the experts after the Chernobyl accident. The Chernobyl accident, with its consequences (both local and afar) had not much to teach the Western nuclear safety engineers as the reactor’s shortcomings were all accurately known and avoided in their designs.10 Obviously, it was not possible to convince the public that such an accident could only happen in that specific design of reactor. In Italy, for example, some political parties exploited the evident fear generated in the population and, substantially, led the country towards the immediate and sudden dismissal of the nuclear source of power, with understandably prohibitive costs. In general, after Chernobyl and as a consequence of that accident, two ideas gained momentum:
• Nuclear plant design, evolved by successive additions, had become too complicated and it was useful to think of simpler systems, based on concepts of passive rather than active safety.
• Accidents, even the most severe ones, should have modest consequences beyond the exclusion zone of the plant and so should require smaller emergency plans, especially concerning the quick evacuation of the population.
The USA was frequently against any simplification of its emergency plans in order not to change their well-established system of siting decoupled from the characteristics of the plants. This system, after all, was well accepted by the technical bodies and by the population. The concept of passive safety meant the use of systems based on simple physical laws more than on complex equipment. One example is represented by safety injection systems on water reactors which use gravity as a motive force and not pumps. This principle was, for example, adopted in the passive PWR AP600, certified by the NRC in 1999. It comprises a voluntary fast depressurization system of the primary circuit and the provision of a water reservoir in the containment located at an elevated position with respect to the reactor vessel. Passive cooling of the containment was also incorporated in the design. Evidently, however, neither of these new concepts nor the industrial weight of the NRC certification are sufficient to immediately convince the investors because, up to now (2005), no new AP600 has been ordered.
A weak point of this concept has always been the reduced power and its consequent bad scale economy. The 600 MWe rating was initially chosen on the basis of a poll among the US utilities on the basis that this was the preferred size of a power station (lower financial risk and correspondence with the dimension of the electric grids served by the single utilities). The designers thought that they could in any case be competitive because of the use of passive components (i.e. with a reduction of installed components) and because of a general simplification of the plant. It seems now that this objective can be more easily reached by the AP1000 design (namely with a power of 1000 MWe), whose design has been recently (2004) approved by the NRC. A design where the passive safety has been adopted with a higher degree of caution but with a strong tendency towards the reduction of emergency plans is the French–German EPR of approximately 1400 MWe, where many precautions against severe accidents have been taken (e.g. molten core containment structures, ‘core catchers’, multiple devices for the quick recombination of hydrogen, voluntary primary system depressurization, etc.). New concepts based on passive safety presently under study are the Pebble Bed Modular Reactor (PBMR – gas cooled, high temperature, helium operated, direct cycle turbine generators) supported by an international group based in South Africa, the IRIS reactor (a PWR with steam generators integrated in the reactor pressure vessel) and the already mentioned AP1000. Other concepts still under study but already proposed exist.AR152, AR244 As usual, the future is difficult to forecast, however, when nuclear energy will be unquestionably necessary, it will be generally accepted. The investors will not have the continuous concern of its competitiveness, and the safety of the plants, which is already at a very good level, will be still more guaranteed.11
References

Bourgeois, J., Tanguy, P., Cogné, F. and Petit, J. (1996) La Surete Nucleaire en France et dans le Monde. Polytechnica, Paris.
Di Nunno, J., Baker, R.E.D., Anderson, F.D. and Waterfield, R.L. (1962) ‘Calculation of distance factors for power and test reactor sites’, USAEC, TID-14844.
Glasstone, S. (1963) Nuclear Reactor Engineering, Van Nostrand, Princeton, NJ.
US Code of Federal Regulations (2004a) ‘Part 100: Reactor Site Criteria’, US Government.
US Code of Federal Regulations (2000b) ‘Part 50.46: Acceptance Criteria for Emergency Cooling Systems for Light Water Nuclear Power Reactors’, US Government.
Chapter notes
1. What radiation dose did Fermi and the other scientists absorb during the first criticality? Taking into account that the reactor was kept in a critical state for roughly half an hour and that the power was equal to about 0.5 W, an order of magnitude evaluation using current data [Glasstone, 1963] shows that the dose due to neutrons and to gamma rays was of the order of 10 µSv (1 mrem); very low indeed.
2. According to a number of experts, in particular from the former USSR, this situation is not to be viewed as the outcome of a more rigorous attitude in the West than in the East. There were different safety philosophies in East and West: the former focused on accident prevention without much care of the high cost (at least in the case of VVER reactors), the latter focused more on mitigation of accidents, with a strong effect on the results from cost–benefit considerations. The debates on relativism in philosophy (ethics or epistemology, for example) have some similarity with these arguments. Indeed, relativism has not to be identified, as some of its critics say, with the thesis that all points of view are equally valid, but with the thesis that one thing (moral values, beauty, knowledge, taste, meaning and nuclear safety criteria, too) is relative to some particular framework or standpoint (e.g. the individual subject, a culture, an era, a language or a conceptual scheme). Moreover, no standpoint is uniquely privileged over all others. With these kinds of highly controversial similarities, it is easy to understand that any attempt to resolve the issue by discussions may scarcely be productive and that only the future will indicate where the relative merits are higher.
3. This method of defining the accidents to be considered in the design was subsequently named the ‘deterministic method’, to be distinguished from the ‘probabilistic method’ based on the evaluation of the probability of the various accidental events. Presently, however, the choice criteria are generally a combination of the two approaches.
4. ‘Pipes leak, pipes crack, pipes are corroded, but pipes don’t break’, one of the senior US industry engineers used to repeat. And indeed, in the light of subsequent ‘experience’ (now equivalent to more than 10 000 reactor-years of operation) very few guillotine breaks of large pipes have happened. Moreover, most of these cases have not
happened in primary pipes, but in pipes not submitted to the most stringent design and operation practices (periodic inspections and so on). Only two cases have happened in two feed-water pipes, weakened by erosion. On the other hand, the figures based on the assumption of a complete break of the largest pipe in the plant afford protection from a number of different events not explicitly considered, such as the flange bolts breaking in large valves (several cases of ‘near misses’ of this kind have happened), the partial rupture of pump casings caused by rotor failure, etc.
5. Towards the end of the 1960s, two eminent nuclear designers discussed with a safety reviewer the pipe rupture assumptions for a pressure tube reactor under design. The technical problem under discussion is sketched in Figure 1-2. If the cooling water pipes ruptured, the designers declared that the cooling of the fuel contained in each pressure channel was ensured as a valve at the inlet of each channel (shown in the drawing) would be closed in order to force the emergency cooling water to flow into the channel and to cool the fuel before reaching the rupture point and spilling into the containment. When the safety reviewer pointed out that this design objective would not be reached if the rupture had happened in the position marked with an X, their answer was ‘Safety is not a game with rigid and meticulous rules, sir! More room should be left to technical judgement!’ It has to be appreciated that in the nuclear safety profession everybody knows that an accidental break has to be assumed at every location on every pressure pipe and that, in these conditions, the plant must continue to be safe; so, it is ridiculous that somebody tries to resort to the difference between nuclear safety and a game in order to justify a departure from this rule concerning the break location.

Figure 1-2. Sketch for a discussion on a break in a pressure tube reactor. [Labels in the sketch: isolation valve, normal cooling line, pressure channel, emergency injection line.]

Many years afterwards, this sentence came again to my mind after the TMI accident in which the only rupture position for which the primary water loss could have created the situation of an ‘empty pressure vessel and filled up pressurizer’ which totally confused the operators and induced them to shut off the emergency injection system was precisely the one which happened, namely at the top of
the pressurizer. This anecdote is representative of a state of mind prevalent in the industry in the period of time up to the TMI accident, that is that the current accident assumptions were excessive so that their implementation could be rather flexible without adverse consequences.
6. The reference, in the US criteria, to 250 mSv total body and 3 Sv thyroid doses may be intriguing for some people. Indeed, nowadays, no acceptance criterion includes such high figures: the effective dose limits for design basis accidents (credible accidents) are 10 to 100 times lower. Indeed, in the 1950s and 1960s, the figures adopted in the US criteria were officially considered as maximum tolerable doses for serious accidents. Over time, however, progress in radiation protection knowledge has brought about an additional decrease in the tolerability limits, therefore the figures initially adopted in the USA have become ‘completely conventional numbers’, losing their (uncertain) original physical–biological meaning. The question arises as to why these figures have not been updated. Here, as in many other cases in the nuclear safety field, perhaps the consideration has prevailed that any reduction of the limits could be interpreted as a disapproval of already built and operating plants, for which the original figures were adopted. The site criteria have, however, always been thought to give acceptable protection to the population.
7. Two things are surprising when the operating experience of nuclear plants is considered. The first one is the astonishing coincidence of different adverse facts which is at the origin of many serious accidents (TMI and Chernobyl included). The second is the surprising intervention of resolving factors in sequences of events already well advanced in their progress towards a disaster (the Browns Ferry Fire (Alabama, 1975), many discoveries ‘at the last minute’ of very dangerous cracks in pressure vessels, and so on).
It is thought that the motivation of many of these surprising events is the presence of a special atmosphere or mindset in the group of people responsible for the construction and the operation of a plant. This atmosphere can be either favourable or adverse to safety. Perhaps, the
possible presence of it should be in some way considered in probabilistic analyses as a ‘concurrent event’ of any accident studied. As an example, letting our imagination wander, the initiating event ‘small pipe break’ could be studied in coincidence with ‘hectic atmosphere because of the need to conclude an operational phase or a test’, with a probability which now could be estimated of the order of 10 per cent. Obviously, the practical answer to these remarks is ‘prevention’, namely the strengthening of Defence in Depth and of Safety Culture.
8. The forgotten safety criterion: Many safety criteria have been discussed and written about, but one which requires that a nuclear plant should never be constructed and operated in haste has not been proposed yet. Perhaps, more than one criterion is involved here. For example, one of the specific requirements might be that ‘no nuclear plant can operate if its power is essential to the grid’, as happens when reserve energy is not available to allow it to be stopped in cases of unforeseen events, emergencies, or to perform inspection, maintenance or tests. In the case of Chernobyl, the existence of a similar criterion would have allowed the power station superintendent to oppose the request to continue to operate beyond the programmed time. Obviously, such a criterion could be opposed by the strong supporters of the cost convenience of nuclear energy. I think, on the contrary, that without subtracting anything from the great merits of nuclear energy, a more realistic attitude is necessary. A good example in which a plant was operated for production needs with a lack of power reserve in the grid, against the opinion of many experts, happened between 1995 and 1996 (American Nuclear Society, 1996). In that period, a power station was operated in various months in order to support the power demand during the winter period, despite strong doubts about the strength of the reactor pressure vessel (presence of cracks and doubts on the possible excessive neutron embrittlement of the vessel material). These doubts were expressed by a group of European specialists, which opposed the continuation of the plant operation. What the most pessimistic people feared did not happen but, for those knowing the facts, it was a worrying situation: the burst of a reactor pressure vessel of a water reactor must be absolutely prevented within reliable safety margins, as it can give rise to an accident of the severity of the Chernobyl one.
9. At the time when Finland was planning its first nuclear power station, because of existing commercial agreements, technical experts contacted Russian experts in order to explore the possibility of the supply of a Russian-designed reactor. When, during one of the meetings, the Finn responsible for nuclear safety and the Russian responsible
for the peaceful use of nuclear energy were discussing the various types of reactors available, the RBMK reactor (the Chernobyl type) was considered too. The Finnish expert asked for a copy of the safety report of this reactor, but the Russian answered that the safety report could be provided only to the buyers of the reactor. The Finn persisted, saying that Finland seriously intended to buy, but received a final answer that this type of reactor could not be sold outside the Soviet Union (for national security reasons).
10. The major lesson which was learnt from the Chernobyl accident was that it was demonstrated that a catastrophic accident could have consequences up to distances not yet imagined before. In this connection, it is not completely true, as many people have said, that the dispersion of the releases up to great distances was due solely to the upward propulsion caused by the explosion and by the fire of the reactor. The very large quantity of radioactive releases was the primary factor, although with an additional contribution by the explosion/fire phenomenon.
11. The symptoms of an illness might be around us, a desire to disregard past experience of accidents, which, if it should continue to grow, might really impair the safety of nuclear plants. On the one hand, a past WANO (World Association of Nuclear Operators) president has publicly declared, from his special observation point, that the interest in the lessons of experience is decreasing among operators. On the other hand, discussions with some designers of specific countries indicate that the pre-TMI accident mindset is surfacing again, exemplified by self confidence and optimistic bias. Moreover, some plant operators have stated with annoyance that after more than twenty years since the TMI accident, people still keep on studying it and that it is time to forget because what had to be learnt has been learnt already.
These are all wrong attitudes because keeping alive the memory of the lessons of the past will avoid the carelessness that has caused the accidents in the first place. It is just as important to extract lessons from lesser incidents, those ‘semi-accidents’ which could have evolved into a disaster. In this field, the NRC keeps records that include the evaluation and publication of results. The media, too, can strongly contribute to the progress of safe nuclear energy. It is not necessary for it to always praise its virtues, but it should give special attention to the exactness of the news given and avoid emotive reporting, in particular as far as the gravity of the small accidental events which continuously happen in every industrial plant and therefore also on nuclear plants. As a reaction to sensationalism, the stakeholders in the nuclear industry react with a confidentiality policy which is detrimental to the progress of safety.
Chapter 2 Inventory and localization of radioactive products in the plant
One of the primary objectives of nuclear safety is to contain within the plant the radioactive products there present. It is, therefore, essential to know the amount and the normal location of these products. Almost all the radioactive products are contained in fuel located in the reactor itself or in used fuel which is still stored at the plant, in the spent fuel pool or, less frequently, in dry containers for temporary storage. Table 2-1 lists the half-life and total radioactivity for the nuclides in a 1000 MWe water reactor in equilibrium conditions (that is after a certain operation time). At the start of the operation, the amount of some nuclides with a long half-life continuously increases until it reaches, after several months, a practically constant saturation level. For the preliminary evaluations of the consequences of accidents, it is usually sufficient to consider the doses due to:
- noble gases (direct cloud radiation dose);
- iodine (inhalation dose);
- caesium (mainly long-term doses due to radiation from the radioactivity deposited on the ground – ‘ground shine’);
- tritium (fusion machines and specific reactors), plutonium (fall of satellites, fuel treatment plants which handle plutonium).
The nuclides are grouped according to a criterion adopted in many ‘source term’ (complex of external releases in an accident) studies. This classification takes into account important factors in the release evaluation, such as the volatility of the element or its probable compounds and their chemical/physical properties.
In a rather indicative way, it can be assumed that if in an uncontrolled (severe) accident X per cent of the noble gases inventory is released, the releases of iodine and of caesium may reach 0.1X per cent, and the releases of other products roughly 0.01X per cent. Each conceivable accident, however, has specific aspects which may strongly alter these indicative percentages, here mentioned in order to give an average measure of the natural release potential of the various isotopes.

The radioactive products contained in the fuel are normally located in the sintered uranium dioxide of the reactor fuel (the uranium dioxide fuel is shaped into pellets, roughly 1 cm in diameter, inserted in long zirconium alloy (Zircaloy) cylinders). The matrix of these cylinders (roughly 40 000), grouped in bundles to form the fuel elements, is the reactor core. A fraction ranging from 0.5–5 per cent (USNRC, 1992) of the more volatile radioactive products (noble gases, iodine, caesium) is contained in the gap between the uranium pellets and the containment cylinder (cladding). For the sake of conservatism, however, sometimes the accident release evaluations are made assuming that this percentage is equal to 10 per cent (this is the value suggested, for example, by USNRC Regulatory Guide 1.25 on fuel element drop accidents [AR316]). During accidents without core melt but entailing a severe threat to the fuel (of a mechanical and/or thermal nature), these radioactive products may escape from the fuel and be released to the primary system. In general, it is assumed that at least noble gases, iodine and caesium are released in this way.
Table 2-1. Nuclides, half-life and radioactivity for a 1000 MWe PWR

| Group | Element | Nuclide | Half-life (days) | Radioactivity (Bq × 10¹⁸) | Radioactivity (MCi) |
|---|---|---|---|---|---|
| Noble Gases | Krypton | Kr-85 | 3950 | 2.072 | 56 |
| | | Kr-85m | 0.183 | 0.888 | 24 |
| | | Kr-87 | 0.0528 | 1.739 | 47 |
| | | Kr-88 | 0.117 | 2.516 | 68 |
| | Xenon | Xe-133 | 5.28 | 6.290 | 170 |
| | | Xe-135 | 0.384 | 1.258 | 34 |
| Iodine | Iodine | I-131 | 8.05 | 3.145 | 85 |
| | | I-132 | 0.0958 | 4.440 | 120 |
| | | I-133 | 0.875 | 6.290 | 170 |
| | | I-134 | 0.0366 | 7.030 | 190 |
| | | I-135 | 0.28 | 5.550 | 150 |
| Caesium & Rubidium | Caesium | Cs-134 | 750 | 0.2775 | 7.5 |
| | | Cs-136 | 13 | 0.111 | 3 |
| | | Cs-137 | 11 000 | 0.1739 | 4.7 |
| | Rubidium | Rb-86 | 18.7 | 0.00096 | 0.026 |
| Tellurium & Antimony | Tellurium | Te-127 | 0.391 | 0.2183 | 5.9 |
| | | Te-127m | 109 | 0.0407 | 1.1 |
| | | Te-129 | 0.048 | 1.147 | 31 |
| | | Te-129m | 0.34 | 0.1961 | 5.3 |
| | | Te-131m | 1.25 | 0.481 | 13 |
| | | Te-132 | 3.25 | 4.44 | 120 |
| | Antimony | Sb-127 | 3.88 | 0.2257 | 6.1 |
| | | Sb-129 | 0.179 | 1.221 | 33 |
| Alkaline Earths | Strontium | Sr-89 | 52.1 | 3.478 | 94 |
| | | Sr-90 | 11 030 | 0.1369 | 3.7 |
| | | Sr-91 | 0.403 | 4.07 | 110 |
| | Barium | Ba-140 | 12.8 | 5.92 | 160 |
| Volatile Oxides | Cobalt | Co-58 | 71 | 0.02886 | 0.78 |
| | | Co-60 | 1920 | 0.01073 | 0.29 |
| | Molybdenum | Mo-99 | 2.8 | 5.92 | 160 |
| | Technetium | Tc-99m | 0.25 | 5.18 | 140 |
| | Ruthenium | Ru-103 | 39.5 | 4.07 | 110 |
| | | Ru-105 | 0.185 | 2.664 | 72 |
| | | Ru-106 | 366 | 0.925 | 25 |
| | | Ru-105 | 1.5 | 1.813 | 49 |
| Non-volatile Oxides | Yttrium | Y-90 | 2.67 | 0.1443 | 3.9 |
| | | Y-91 | 59 | 4.44 | 120 |
| | Zirconium | Zr-95 | 65.2 | 5.55 | 150 |
| | | Zr-97 | 0.71 | 5.55 | 150 |
| | Niobium | Nb-95 | 35 | 5.55 | 150 |
| | Lanthanum | La-140 | 1.67 | 5.92 | 160 |
| | Cerium | Ce-141 | 32.3 | 5.55 | 150 |
| | | Ce-143 | 1.38 | 4.81 | 130 |
| | | Ce-144 | 284 | 3.145 | 85 |
| | Praseodymium | Pr-143 | 13.7 | 4.81 | 130 |
| | Neodymium | Nd-147 | 11.1 | 2.22 | 60 |
| | Neptunium | Np-239 | 2.35 | 60.68 | 1640 |
| | Plutonium | Pu-238 | 32 500 | 0.002109 | 0.057 |
| | | Pu-239 | 8.9 × 10⁶ | 0.000777 | 0.021 |
| | | Pu-240 | 2.4 × 10⁶ | 0.000777 | 0.021 |
| | | Pu-241 | 5350 | 0.1258 | 3.4 |
| | Americium | Am-241 | 1.5 × 10⁵ | 0.0000629 | 0.0017 |

Total activity (EBq): 193
Total activity (MCi): 5202
Even during normal operation, the primary coolant contains a certain amount of radioactivity, partly due to nuclides formed by the irradiation in the core of elements dispersed in the coolant (oxygen, hydrogen, cobalt, iron, etc.) and partly due to the presence of defective (fissured) claddings in the core which let a part of the gap inventory escape into the coolant. The concentration of radioactive products in the water depends on the extent of the fissures (in general, it is assumed that 1–2 per cent of the elements have fissures) and on the effectiveness of the primary water purification system. The degree of contamination of the primary coolant by iodine-131 (the most significant isotope) normally assumed in the study of accidents is equal to roughly 10⁴–10⁵ Bq g⁻¹, corresponding to a total of the order of tens of terabecquerels for the whole primary system (i.e. hundreds of curies).

For iodine-131 (the same considerations are valid for caesium), the effects of the phenomenon of ‘iodine spike’ are, in addition, taken into consideration (this is an increase in the release of these radioactive products from the fissured fuel rods caused by power variations). The phenomena involved are connected with the ingress and subsequent exit of water through the gap and with likely fracturing of the fuel matrix. Guidance on figures to be used can be found in USNRC (1996). The normal values are:
- A factor of 50 on the normal iodine content in the primary water (that is up to a total of 100–1000 TBq for all the primary system).
- A factor of 500 on the rate of release of the iodine from the fuel, whose order of magnitude can be, for each fissured rod, 10⁻⁴–10⁻³ TBq h⁻¹.
- A peak time duration of 1–5 hours.
Radioactive products are present in decay storage tanks for gases extracted from the primary water before their release to the atmosphere. Not all the plants use these tanks since the decay of waste gases is frequently obtained by delay lines that temporarily adsorb the gases on activated carbon. Where decay tanks are used, a rupture of one of them is serious. The total inventory of the stored gases is subdivided in several (typically eight) tanks. The most relevant external doses are those connected with the irradiation from the cloud of noble gases, whose total inventory may be of the order of 10⁴ TBq.

For completeness, although the accidents discussed may have minor consequences, it must be added that other radioactive products are contained in the plant, mainly in the form of solid waste.
References
USNRC (1996) ‘Standard review plan for the review of safety analysis reports for nuclear power plants’, NUREG-0800.
USNRC (1992) ‘Accident source terms for light-water nuclear power plants’, NUREG-1465.
Chapter 3 Safety systems and their functions
3-1. Plant systems
By necessity, a nuclear power plant is composed of the parts required to generate electric power (the ‘process’ parts or systems) but also of a complex of safety systems. The name ‘safety systems’ here indicates all those systems which are not strictly necessary to the plant operation or to health protection under normal conditions, but which prevent the progression of accidents and therefore avert the large release of radioactive products. Accident prevention is a major activity of designers, operators and control bodies.

Figure 3-1. Simplified schematic of a pressurized water reactor (PWR). [Labels in the drawing: primary containment, secondary containment, steel liner, foundation, primary circuit, secondary circuit, spray, cooling, pump, filtered suction; component letters R, SG, T, G, C, PR, AC, CR, I, EC, S, V, A, F.]

Figure 3-1 will remind the reader of the components of a typical pressurized water reactor (the PWR – the most common design in the world). The process components are: the reactor (R) itself, where the nuclear chain reaction takes place and the
heat is produced which will finally be transformed into electric energy; the steam generator (SG), where the heat is used to produce high pressure steam; the turbine (T), where the steam energy is transformed into mechanical rotation energy; and, finally, the electric generator (G), which produces the electric energy to be supplied to the grid. As can be seen in the drawing, the process fluid, that is water in the form of liquid or vapour, circulates in two distinct systems, the primary and the secondary system, which mutually exchange heat in the steam generator. Another important component of the primary system is the pressurizer (PR), whose function is that of an expansion volume and of a pressurization component, the latter function being obtained by electric heaters. The pressurizer keeps the circuit water at a higher pressure than its saturation pressure, thereby suppressing the steam production in the primary system. (The pressurizer was significant in the Three Mile Island (TMI) accident.)

The safety systems have three main objectives: the quick emergency shutdown of the chain reaction; the emergency cooling of the reactor after shutdown; and, finally, the containment of radioactive products after their accidental release from the reactor. The quick shutdown is obtained by the insertion, by gravity, of control rods (CR) in the reactor and, as a backup, by the injection of a liquid neutron ‘poison’ (boron) in the primary water. The emergency cooling of the reactor is necessary because the radioactive products accumulated in the nuclear fuel continue to generate heat after the shutdown of the chain reaction (decay heat) (see Figs 3-2 and 3-3). The emergency cooling systems are both passive ones (that is those practically without moving components, such as pumps) and active ones. By way of examples, Figure 3-1 shows a passive system (accumulators, AC, kept under pressure by compressed nitrogen) and an active system (I).
The containment comprises a combination of special buildings and engineered systems. The figure shows a complete ‘double containment’ system, similar to those adopted in many countries. In this design, an internal reinforced concrete building, strong enough to resist the accident pressure of the worst design basis accident, is internally lined by steel in order to guarantee optimum leakproof characteristics (primary containment). Isolation
valves (V) will close in case of accident, always for leak proofing reasons. The first building is enclosed in another reinforced concrete building (secondary containment) in order to further improve the retention of radioactive products and the shielding from direct radiation; it has also the function of affording protection against external impact events. The area between the two containments is kept at a negative pressure with respect to the external environment by means of filtered suction systems (A and F). The primary containment is provided with cooling and water spray systems in order to decrease, in case of accident, both the internal pressure and the amount of free radioactive products.
3-2. Safety systems and accidents
The safety systems are designed to cope with a set of accidental events (design basis accidents or DBAs), either originating inside the plant or outside it. This set also includes events of such a low probability that their occurrence during the life of the plant should not be feared. As an example, the following events are included within the DBAs: an instantaneous guillotine break of the largest pipe of the primary circuit; the sudden expulsion of a control rod from the core; and the maximum potential seismic event on the plant site.

An accident at a nuclear power plant can be caused by many combinations of anomalous initiating event, malfunction and human error. The types of possible accidental situations are studied in the specific safety analysis of each plant and the safety systems described above are designed to prevent, or mitigate the effects of, all the accidents chosen as DBAs. Table 3-1 provides an approximate indication of the effectiveness of various safety systems in limiting external releases in a typical loss of coolant accident (the break of a large primary circuit pipe). The figures are for the release of iodine-131 (often assumed as the reference isotope in indicative evaluations of ‘source terms’) and for a 1000 MWe reactor. As can be seen, the reduction of the releases caused by the safety systems is very significant and corresponds to a factor of the order of one million.

The study of the safety of a plant is not, however, limited to the study of the serious and unlikely design basis accidents. For many years, the most serious
accidents, named ‘severe accidents’, have also been the subject of studies and research.

Figure 3-2. Decay power for a 2775 MWt reactor (10% over best estimate). [Plot: decay power in MW and in per cent of nominal power, with the equivalent rates of vaporizing water (kg/s) and of burning kerosene (kg/s and kcal/s), against time after shutdown from 10² s to 7 d.]

Some definitions of safety criteria (IAEA Safety Criteria and EUR Requirements) specify a third class of accidents that lies between the two already mentioned. These include:
- operating transients without scram (ATWS);
- complete loss of alternate electric power in the power station;
- containment bypass accidents.
This class does not require the same conservative design provisions required by DBAs (high safety margins for mechanical strength, strict quality assurance requirements, etc.). However, substantial core integrity is required as a consequence of the implementation of accident management measures. The main reasons for the general interest in severe accidents are primarily the intention of improving the protection of the plant by its extension to the field of the most serious accidents, and the need to know
phenomenologies and probabilities of these accidents in order to perform less uncertain evaluations of the global risk of a plant (probability risk assessment or PRA) of the type of the famous Rasmussen report. What are the possible causes, the typical phenomena and the possible course of events in a severe accident? Here, a concise and necessarily incomplete description will be attempted. The typical sequences entail damage and melt of the core, interaction of the molten core with the pressure vessel and afterwards with the containment floor and, finally, perforation of the containment itself.

Figure 3-3. Decay energy for a 2775 MWt reactor. [Plot: cumulative decay energy in full power seconds and MWh, with the equivalent masses of vaporizing water (kg) and of burning kerosene (kg and kcal), against time after shutdown from 10² s to 7 d.]

The damage and the melt of the core may happen for two reasons only, notwithstanding the large number of the possible sequences:
- the late or missing shutdown of the chain reaction, when required;
- insufficient decay heat removal from the reactor.
For PWRs, in particular, the decay heat dominates the stage in severe accidents. Figure 3-2 illustrates the behaviour of the decay power with time for a 2775 MWt reactor. It shows the correspondence between this power and the amount of
Table 3-1. An example of the effectiveness of safety systems. Release of I-131 due to loss of coolant (current reactors)

| Location | Activity (TBq) | Safety systems | Effect |
|---|---|---|---|
| In core | 3.5 × 10⁶ | fast shutdown; emergency cooling. | Prevent releases from the fuel matrix and decrease releases from the gaps (dissolution, plate out). |
| In the gaps | 3.5 × 10⁴ | | |
| Primary containment | 3.5 × 10³ | primary containment; removal and cooling systems. | Leak proof: reduction factor of 20 for a 0.5% leakage per day and 10 days of pressurization. |
| Secondary containment | 1.8 × 10² | secondary containment; activated carbon filters. | Segregate radioactive products. |
| Environment | 1.8–18 | | |

water which could be evaporated per second by it (the corresponding amount of equivalent burnt kerosene per second is also shown). As can be seen, after a few hours, a really small flow rate of water is sufficient to cool the core (about 10 l s⁻¹, that is the normal flow rate of a 50 mm diameter pipe). Contrasting this is the transient situation of a reactor where the rupture of a large diameter pipe has occurred (a large loss of coolant accident or LOCA). In this case the reactor vessel quickly empties (in a few tens of seconds) and therefore it has to be quickly refilled in order to keep the core covered and therefore adequately cooled. In this situation, it is essential that the emergency cooling systems have large flow rates (of the order of thousands of litres per second). The ‘re-flooding’ of the core places the largest flow rate demand on the safety injection systems.

The first consequences of uncontrolled overheating of the core are the fissuring of the fuel claddings (at about 1073–1173 K (800–900 °C), while their normal operating temperature is about 623 K (350 °C)) and their subsequent oxidation reaction with water or with steam (above 1473 K (1200 °C)) which generates heat and hydrogen. It has to be remembered that, during their life in the reactor, the fuel tubes become significantly pressurized because of the development of fission gases inside them (up to several tens of atmospheres) and, therefore, once fissured, they tend to quickly release to the outside (if the reactor pressure is low, as in many accidents) all the accumulated volatile products.
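
The correspondence between decay power and evaporated water described above (Figure 3-2, and the estimate of about 10 l s⁻¹ after a few hours) can be checked numerically. The Python code below is an added example, not taken from the book: it assumes a Way–Wigner type decay heat approximation with a coefficient of 0.066, one year of full-power operation before shutdown, make-up water at 30 °C boiling at atmospheric pressure and a kerosene heating value of 43 MJ/kg, and it uses the 2775 MWt rating and 10% margin quoted for Figure 3-2.

```python
"""Decay power after shutdown and the cooling water flow it corresponds to.

Added illustration: the correlation and property values below are
assumptions, not numbers read from the book's Figures 3-2 and 3-3.
"""
import math

NOMINAL_POWER_MW = 2775.0          # thermal rating quoted for Figures 3-2 and 3-3
MARGIN = 1.10                      # "10% over best estimate" (Figure 3-2 caption)
OPERATING_TIME_S = 365 * 86400.0   # assumption: one year at full power
WAY_WIGNER_COEFF = 0.066           # assumption: textbook Way-Wigner type fit

CP_WATER_KJ_KG_K = 4.19            # assumption: liquid water specific heat
LATENT_HEAT_KJ_KG = 2257.0         # assumption: vaporization at 100 degC, 1 atm
INLET_TEMP_C = 30.0                # assumption: make-up water temperature
KEROSENE_LHV_KJ_KG = 43_000.0      # assumption: kerosene lower heating value


def decay_fraction(t_s, operating_s=OPERATING_TIME_S):
    """Best-estimate decay power / nominal power, t_s seconds after shutdown."""
    if t_s < 10.0:
        raise ValueError("the approximation is not meant for t < 10 s")
    return WAY_WIGNER_COEFF * (t_s ** -0.2 - (t_s + operating_s) ** -0.2)


def decay_power_mw(t_s):
    """Decay power in MW, including the 10% margin."""
    return NOMINAL_POWER_MW * MARGIN * decay_fraction(t_s)


def boil_off_rate_kg_s(t_s):
    """Water heated from the inlet temperature and fully vaporized, kg/s."""
    heat_per_kg = CP_WATER_KJ_KG_K * (100.0 - INLET_TEMP_C) + LATENT_HEAT_KJ_KG
    return decay_power_mw(t_s) * 1000.0 / heat_per_kg


def kerosene_rate_kg_s(t_s):
    """Kerosene that would have to burn to release the same power, kg/s."""
    return decay_power_mw(t_s) * 1000.0 / KEROSENE_LHV_KJ_KG


def full_power_seconds(t_s, operating_s=OPERATING_TIME_S):
    """Closed-form time integral of decay_fraction from 0 to t_s (best estimate).

    The fit is poor in the first seconds, but that interval contributes
    little to the integral at the times of interest here.
    """
    return (WAY_WIGNER_COEFF / 0.8) * (
        t_s ** 0.8 + operating_s ** 0.8 - (t_s + operating_s) ** 0.8
    )


def decay_energy_mwh(t_s):
    """Cumulative decay energy in MWh, including the 10% margin."""
    return NOMINAL_POWER_MW * MARGIN * full_power_seconds(t_s) / 3600.0


def time_when_flow_drops_to(flow_kg_s, lo=10.0, hi=7 * 86400.0):
    """Time (s) at which the boil-off rate has fallen to flow_kg_s (bisection)."""
    if not boil_off_rate_kg_s(hi) <= flow_kg_s <= boil_off_rate_kg_s(lo):
        raise ValueError("target flow is outside the bracketed time range")
    for _ in range(60):
        mid = math.sqrt(lo * hi)       # bisect in log-time
        if boil_off_rate_kg_s(mid) > flow_kg_s:
            lo = mid
        else:
            hi = mid
    return hi


def table():
    """Rows of (label, MW, kg/s water, kg/s kerosene, MWh) at the figure's time marks."""
    marks = (("100 s", 1e2), ("1 h", 3600.0), ("10 h", 36000.0),
             ("1 d", 86400.0), ("7 d", 604800.0))
    return [(label, decay_power_mw(t), boil_off_rate_kg_s(t),
             kerosene_rate_kg_s(t), decay_energy_mwh(t)) for label, t in marks]


if __name__ == "__main__":
    print(f"{'time':>6} {'MW':>8} {'water kg/s':>11} {'kerosene kg/s':>14} {'MWh':>9}")
    for label, mw, water, kerosene, mwh in table():
        print(f"{label:>6} {mw:8.1f} {water:11.2f} {kerosene:14.3f} {mwh:9.1f}")
    hours = time_when_flow_drops_to(10.0) / 3600.0
    print(f"boil-off falls to 10 kg/s about {hours:.1f} h after shutdown")
```

Under these assumptions the boil-off rate falls to 10 kg/s a little under three hours after shutdown, consistent with the order of magnitude given in the text.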
The amount of hydrogen which can be generated by a normal size reactor may reach 700–800 kg: a very large quantity! The most severe hazard caused by hydrogen release is that it will be released, sooner or later according to the conservative assumptions made in severe accident studies, into the primary containment atmosphere where it may cause, in the presence of air, explosions or relatively slow combustion. In both cases, the internal pressure in the primary containment will increase and its integrity will be endangered. The containment safety margins against internal pressure are, however, normally high [note 1].

If the accident is allowed to progress in an uncontrolled way, the temperature of the reactor core will continue to increase and it can be assumed that at about 1973 K (1700 °C) the not yet oxidised Zircaloy claddings will melt, and at about 3073 K (2800 °C) the uranium oxide pellets will melt completely. The liquid mass that could be formed in this way (named ‘corium’) collects on the bottom of the reactor vessel and may perforate it as the generation of decay heat continues. The TMI accident progressed up to the threshold of this event, without crossing it, however. A large quantity of molten and re-solidified ‘corium’ was indeed found on the bottom of the vessel, which, however, was not perforated. Once the base of the vessel has been breached, the corium could pour on the bottom of the primary containment, usually made of a very thick layer of reinforced concrete (1–5 m). On contact, any water residing here would be vaporized, increasing the pressure inside the containment.
Today a ‘steam explosion’ under these conditions (the sudden contact and physical interaction of high temperature corium with water on the containment bottom) is generally thought to be very unlikely and, perhaps, physically impossible, at least not of such a magnitude to cause the rupture of the containment. Contact between the corium and the containment concrete is, on the contrary, certain. The chemical–physical attack of the concrete itself with the consequent production of gases (even of explosive ones, such as carbon monoxide and hydrogen) raises the possibility of perforation of the containment wall. Gas production and combustion, and the continued production of heat from the corium will necessarily cause the pressure to increase within the containment up to its rupture value (2–4 times the design pressure), unless the perforation of the containment floor, due to the concrete attack by the corium, intervenes first. This typical scenario is the one foreseen under the extreme assumption of a lack of any intervention able to stop the progress of the accident in the time period from its inception up to the rupture of the containment (which is expected to happen after 20 hours to 5 days, depending on the specific characteristics of the plant). The time periods indicated here refer to a reactor which had operated continuously for a long time before the accident.
More than 400 civilian power reactors operate in the world today and they have altogether accumulated more than 10 000 reactor years of operation. The principal accidents which have occurred are the TMI accident (1979) and the Chernobyl accident (1986). The accident at the experimental Windscale reactor (1957, see Chapter 20) is also an interesting reference for the study of the consequences of serious accidents.
The TMI accident (see Chapter 1) was due to a relief valve on the pressurizer (indicated S in Fig. 3-1) remaining stuck open during a normal plant transient.
The operators didn’t become aware for hours of this opening in the primary circuit because they had, from the available instrumentation, contrasting indications about the level of water in the circuit itself. Indeed, the pressure and temperature instruments indicated that the water in the core was boiling, while the level instruments in the pressurizer indicated a primary circuit full of liquid. In deciding what to do, they made the wrong choice and believed the level instrumentation.
Consequently, they blocked the emergency water injection systems which had been automatically actuated. The core overheated and partially melted. The releases were negligible from the health protection point of view because of the presence of an effective containment. The fact that TMI didn’t result in a public health catastrophe has to be ascribed to the Defence in Depth principle systematically adopted as Western safety practice. The concept provides multiple redundant and diverse barriers against radioactive releases, well beyond what could be thought strictly necessary. TMI showed that this principle offers protection against the unforeseen and the unknown possible events.
Chernobyl, on the contrary, is an example of what can happen if a completely opposite principle is applied, that of doing only what is necessary for safety. In RBMK reactors, like the Chernobyl reactor, the safety margins were not stringent enough. For example, the plant had a containment system for the primary circuit but it was only partial: the reactor itself, and in particular the fuel channel heads, were not included in it. The designers thought that it was sufficient only to install protective monitoring instrumentation. Figure 3-4 shows the containment for a typical 900 MWt PWR and the Chernobyl reactor containment. In addition to the Chernobyl design deficiencies, there was evidence of human error and the voluntary violation of safety rules, both for production reasons and in the incorrect appreciation of the real danger. Chernobyl can with good reason be considered representative of the maximum possible accident to a power reactor. Unfortunately, the abundant information supplied by the designers does not allow us to conclude that the corrective measures adopted in other reactors of the same type (about 20) are sufficient to rule out the danger of another severe accident, possibly with different modalities.
The accident, indeed, has highlighted a dangerous vulnerability of this type of reactor, which is generic in nature, and which is not specifically tied to the sequence of events that happened at Chernobyl in 1986. In particular, a weak point of the reactor is its upper closure plate, to which 1700 fuel channels and the control rods are fastened. There is no containment present above the plate: a major hazard during possible accidental internal over-pressurization of the reactor.
Figure 3-4. PWR containment and Chernobyl (RBMK 1000) containment (roughly to the same scale). [Figure labels: PWR; Chernobyl; 60 m; light upper containment.]
Figures 3-5 and 3-6 show the significant differences between the dynamics of the Chernobyl and the TMI accidents. Figure 3-5 illustrates the crucial phase of the Chernobyl accident and shows how it essentially comprised an uncontained ‘explosion’ of the reactor. Figure 3-6 shows the damaged state of the TMI-2 reactor core and vessel after the accident, and results from many years of research (OECD, 1993). As can be seen, in the case of TMI-2, and unlike Chernobyl, a slow ‘core melt’ took place, without explosive phenomena and with the absence of intrinsic instabilities. The following, also derived after many studies, gives a quantitative measure of the sequence of events in the same accident:
0–100 minutes: Loss of coolant and core exposure;
100–174 minutes: Start of core damage;
174–180 minutes: Temporary operation of the primary pump;
180–224 minutes: Prolonged heating-up of core;
224–226 minutes: Displacement of core material;
226 minutes: Stabilization of the debris.
It is possible to classify the types of significant accidents on a scale of increasing severity and, on the basis of available data, assign to them orders of magnitude of releases and of probabilities (see Table 3-2). The download file, DRYCORE (on this book’s companion website, http://books.elsevier.com/companions/0750667230) provides some data and methodology for evaluations on a barely refrigerated or completely dry core. These methods help, for example, in evaluating the time to the start of melt down after shutdown of a core (or part of a core) without refrigeration.
3-3. Future safety systems and plant concepts

3-3-1. General remarks

The nuclear reactors now operating incorporate both passive and active safety features (see pp. 9 and 26). For example, reactors have a passive limitation of power excursions through a negative power coefficient of reactivity, which is, for most of them, the outcome of the early recognition that a power excursion might be difficult to limit in the presence of self-enhancing dynamic reactor features. On the other hand, most reactor emergency cooling systems are active. The variety of solutions does not reflect a precise choice in the early days of nuclear power towards active or passive systems, rather it reflects the best choice for the designers of that time. Passive and intrinsic safety solutions were adopted when they were recognized as being effective and economically convenient. Moreover, the fundamental safety functions required in a nuclear reactor are limited to reactor shutdown, reactor and containment cooling, and containment of radiotoxic products. The most natural engineering solutions for these functions were in general adopted, with obvious variations, in all of the reactor designs developed.
With the passing of time, in-depth safety studies and data from operating experience both tended to widen the safety requirements beyond those originally devised. Plants became more complex and some of the passive safety features originally present tended to disappear. This is evident, for example, in containment cooling, which was originally entrusted to passive, natural mechanisms. The accidents at TMI and at Chernobyl, although, as discussed, different in many respects from one another, were equally rich in lessons in their applicable technical environment.

Figure 3-5. The destruction of the Chernobyl reactor.
Figure 3-6. The final configuration of the TMI core. (Reproduced from ‘Three Mile Island Pressure Vessel Investigation Project: Achievements and Significant Results’, OECD, 1993.) [Figure labels: 2B inlet; 1A inlet; upper grid damage; coating of previously molten material on bypass region interior surfaces; cavity; loose core debris; crust; previously molten material; hole in baffle plate; ablated incore instrument guide; lower plenum debris; possible region depleted in uranium.]

Table 3-2. A possible classification of accidents, their external releases and their probabilities (current reactors)
Types of accident | ¹³¹I release fractions | Order of magnitude of the release (TBq) | Associated probability each year
A – Maximum design basis accidents (DBA) | 10⁻⁷ | 0.3 | 10⁻⁵
B – Maximum DBA (degraded safety systems) or accidents with partial core melt | 10⁻⁵ | 30 | 10⁻⁵–10⁻⁶
C – Severe accidents with quick intervention | 10⁻⁴ | 300 | 10⁻⁶
D – Severe accidents with delayed intervention | 10⁻³ | 3000 | 10⁻⁷
E – Severe accidents without intervention | 10⁻²–10⁻¹ | 30 000–300 000 | 10⁻⁸

Additionally, the integral safety studies of typical plants (see Section 1-2), starting with the Rasmussen study, caused the technical experts to completely rethink the safety approach hitherto followed. Now the design engineers and operators were convinced (or even more convinced) that accident prevention and mitigation in nuclear plants deserved very special attention: serious accidents could be avoided, but continued attention to safety in design and operation was warranted, including the consideration of important plant design alternatives. Some facts, in particular, became even more evident than before: firstly, the potential importance of multiple failures in complex safety systems and, secondly, the possible serious consequence of human errors. Hence, attention focused on passive safety systems and on inherent or intrinsic safety systems. These needed fewer auxiliary systems, they were simpler, with a lower number of parts which could potentially fail, and they did not require as much operator intervention as active systems.
‘Passive’ safety systems are defined as the operating safety features of structures and devices designed to counteract specific events without the reliance on mechanical and/or electrical power, forces or ‘intelligence’ signals external to the same structures and devices (Lo Prato et al., 1990; IAEA, 1991). These features should rely only on natural laws and the properties of materials, and should not require any human action. Different degrees of passivity exist, for example a safety system may operate without external power but may require some sort of active actuating signal. In this case, too, the system is deemed passive even if not to the full definition of the term.
‘Inherent’ safety means the elimination of hazard by choice of material or design concept, for example the elimination in a plant of any combustible material (if possible) would demonstrate inherent safety from the danger of fire.
In the last few years, a great deal has been discussed on the merits of passive and intrinsic safety. Although it is evident that a substantial research and development effort on simpler and less vulnerable nuclear plants is still warranted, it appears now more generally recognized that the best possible and safest plant, at this point in time, and one in which serious accidents can be avoided throughout all of its life, probably includes both active and passive features in an optimization perspective. Passive systems, although at first sight attractive for their simplicity, may have drawbacks (e.g. they are less powerful and slower in their action than their active counterparts). Moreover, their reliability is more difficult to evaluate.
Safety system development in the process (mainly chemical) industry is somewhat similar; there, a number of TMI–Chernobyl-type events have occurred, for example Flixborough, Seveso, Bhopal, and others. The Flixborough nylon plant accident in the UK (1974) was caused by an open-air explosion of a flammable gas released into the air. It killed the 28 plant employees present and caused extensive property damage in the surrounding area. The failure to perform a full technical assessment of a modification was given as the main cause of the event. The Seveso pesticide plant accident in Italy (1976) is well known for the dangerous release of dioxin due to poor plant safety features and to the underestimation of the possibility of a runaway reaction. The Bhopal incident in India (1984), at another pesticide plant, killed an estimated 4000 (although the total number is still unknown). This disaster was attributed to too large an inventory of toxic substances and to very poor staff attention to the operability of safety features. As in the nuclear arena, the process industry plant designs tended to grow bigger and bigger with time, becoming, therefore, more complicated and dangerous as a result of the large amounts of stored chemicals, and the need for complex modifications
and operating procedures. The accidents initiated a rethinking period pointing to the study of ‘more inherently safe’ plants. The wording chosen is indicative of the need to eliminate the wrong idea of a completely safe plant. The following two sections respectively explore some of the main ideas brought about by this rethink of safety in the nuclear and process industries.
3-3-2. Some passive safety systems for nuclear plants

The passive systems and components discussed in the last few years range from complete reactor concepts to single components (Forsberg et al., 1989; Petrangeli, 1992). A rather arbitrary selection of a few of these proposals is presented in this section. They are all well-known concepts in the nuclear industry and they are discussed here because they are considered among the most interesting ones.
Passive plant reactors (e.g. the AP600W) are proposed future reactors that use the technology of current reactors, but include also significant changes in plant design and layout. Safety, in the event of an accident, depends on truly passive safety systems and on safety systems which are passive in operation although started up by a simple action such as valves opening. In the AP600, a passive cooling containment system (PCCS) is provided to remove heat from the steel reactor containment (Petrangeli, 1992). The operation of the passive safety injection system (PSIS) following a LOCA results in steam released from the reactor core being passively condensed inside the containment. Steam condensation reduces containment pressure. In the first instance, the PCCS comprises a large tank above the containment structure that allows the drain of water by gravity on the outside of the steel containment vessel. Secondly, the opening of air dampers supplies natural circulation air cooling of the external surface of the steel containment. The air and evaporated water exhaust through an opening in the roof of the shield building. The PCCS is capable of removing the thermal energy following a DBA so that the containment pressure remains below the design value with no operator action required for (three) days. The PCCS is designed to reduce containment pressure to less than one half its design pressure
within 24 hours following a LOCA. After three days, if there is no supply of water, the heat removal is assured by air alone with an increased pressure (up to about design pressure). In nuclear power plants, the containment is the final barrier that prevents radioactive release to the environment during accident events. Because of containment importance in mitigating the consequences of an accident, it is necessary not only to assess its integrity during an accident, but also to ensure that it is and stays leakproof after the accident has occurred. Typical allowable primary containment leakage rates lie in the range of 0.1–1 per cent of volume a day, but the operating experience sometimes has indicated ‘real-world’ values above these allowable limits. These are usually due to excessive valve or penetration leakage, valves or penetrations left open after testing, airlock failure, etc. Studies have been made on the following aspects:
• containment leak proofing enhancement (e.g. improved choice of valve types, reduction of the number of penetrations, valve stem leakage reduction, etc.);
• the root causes of leak proofing degradation (e.g. debris reduction and deposition on valve seal surfaces and valves behaviour under severe accidents);
• the concept of a secondary containment to reduce the primary containment releases by hold-up, deposition, filtration, elevated release (e.g. a secondary containment that envelops possibly affected buildings equipped with filtration systems);
• monitoring capabilities to detect pre-existing openings in the containment boundary (e.g. monitoring nitrogen leaks in inert containments).
The advanced light water reactor (ALWR) passive plants employ safety grade passive decay heat removal (PDHR) systems in order to enhance the capability (relative to current plants) of maintaining the plant in a safe shutdown condition following non-LOCA events. The approach developed for these systems is founded on meeting the following requirements:
• The PDHR system is employed for both the hot stand-by and long-term core cooling modes.
• This system can operate at full reactor coolant system pressure and places the reactor in the long-term cooling mode immediately after shutdown.
• The operation in the long-term cooling mode is automatic.
• The operation of the system does not require any a.c. power, either on- or off-site.
• The operation of the system does not require any pumps or valve operation once initial alignment is established.
• No make-up water is required for a period of at least three days following reactor shutdown.
• The systems are located entirely within containment.
The passive decay heat removal (PDHR) systems, however, do not have the ability to bring the plant to the cold shutdown conditions of 373 K (100 °C). This is inherent in the passive heat removal process itself because heat removal is accomplished by heat exchangers located within a pool of water, and the temperature on the reactor coolant side of the heat exchanger tubing will, by necessity, exceed the boiling point of water at normal pressure. Cold shutdown can be achieved by the reactor shutdown cooling system, proposed as a non-safety-grade system. The AP600 PDHR system, for example, is designed to perform the following functions for non-LOCA events:
• The automatic actuation to provide reactor coolant and to prevent water release through the pressurizer safety valves.
• The removal of core decay heat assuming the steam generated in the in-containment refuelling water storage tank (IRWST) is condensed on the containment vessel and returned by gravity into the IRWST. The PDHR should provide decay heat removal for at least 72 hours if no condensate is recovered.
• Cooling the reactor coolant system to 473 K (200 °C) in about 72 hours.
• Removal of core decay heat and reduction of reactor coolant system temperature and pressure, during a steam generator tube rupture event, equalizing primary pressure with steam generator pressure and terminating break flow, without overfilling the steam generator.
During the TMI accident, one of the strategies unsuccessfully tried by the operators to regain control of core cooling was to depressurize the reactor system. The reactor was not designed for that operation and the manoeuvre did not succeed. A reactor depressurization system would probably
have helped. Moreover, even the initial probabilistic risk assessments (PRAs) did highlight the possibility of high pressure severe accident sequences for current light water reactors (LWRs). The idea then started to be studied of designing a depressurization system into LWRs. This was a new concept, especially in PWRs. Boiling water reactors (BWRs) had a relief system in order to cope with loss of condenser accidents. In principle, a primary depressurization system has many advantages: its operation tends to create an immediate, yet temporary, reactor shutdown effect; it decreases the primary water temperature and favours core cooling; finally, it allows water to be supplied to the core either by high pressure injection systems or by low pressure ‘jury-rigged’ emergency systems (fire truck water, etc.). New passive LWRs incorporate a powerful depressurization system which allows emergency water injection to be made by gravity driven (passive) arrangements. Moreover, the operation of the primary depressurization system also ensures that the reactor coolant system would be depressurized during a severe accident. Therefore, violent ejection of molten core debris from a pressurized reactor coolant system is highly unlikely for the passive plant, with a corresponding reduction in the potential for direct heating of the containment atmosphere. This is also applicable to the evolutionary LWRs; in fact, NRC staff has concluded (USNRC, 1990) that ALWR designs (evolutionary and passive) should include a depressurization system to preclude the ejection of molten core debris under high pressure from the reactor vessel. Nevertheless, the reactor coolant release to containment has the potential for adverse effects on in-containment equipment.
Accordingly, the ALWR plants should be designed to minimize such adverse effects by:
• ensuring that the frequency of inadvertent actuation is extremely low (2 × 10⁻³ per year) for passive plants according to US Electric Power Research Institute requirements (EPRI, 1990);
• ensuring that recovery from such inadvertent actuation is feasible without compromising plant availability for a long period (recovery within 30 days or less according to EPRI requirements).
As an example, a short description of the AP600 depressurization system follows. The AP600 automatic depressurization system comprises 16 valves divided into four depressurization stages. These valves are installed in the reactor coolant system at three different locations. The valves
in the first three stages are connected to nozzles on top of the pressurizer. The fourth stage valves are connected to the hot leg of reactor coolant loop. The main actuating signals for each depressurization stage come from different level set points in the core make-up tanks (CMTs that provide high pressure make-up by gravity). When the CMT is going to deplete, the depressurization takes place to allow low pressure injection from the IRWST by gravity. Moreover the depressurization system, together with passive injection of borated water from the IRWST, could ensure safe shutdowns in the long term in case of ATWS if other active systems are not available for this purpose. The design of hydraulic engineered safety features for LWRs has traditionally been performed according to high reliability and leak proof standards. These systems are usually called into operation to protect the fuel barrier in the case of a loss of the primary system barrier. In addition, being strictly connected to the primary circuit pressure boundary, they have to be equipped with leak proof isolation devices, normally closed during plant operation. Squib valves, initially used for applications in the space industry, have been considered very attractive for use in an advanced passive reactor. These valves are characterized by a no-leak capability and, once actuated, they are designed to maintain the open position. The inlet chamber of the valves is normally closed by a sealing cap. When the valve is actuated, an explosive initiator pushes a plunger that shears the cap off. This kind of actuation has been found to be very reliable from operational experience and qualification tests. These valves require very limited maintenance. In fact no periodic intervention, other than the substitution of the initiator, is necessary. 
There are additional benefits associated with their use in automatic depressurization systems relating to the possibility of providing a flow area larger than that traditionally obtained with standard safety relief valves (SRVs). Such a large area is very important in passive reactors to depressurize the primary system at very low pressures, consistent with the operation of injection systems based on gravity. The installation of such valves in the core cooling injection system, in addition to the benefits associated with the leak proof characteristics, ensures, during normal operation, a pressure shielding function on the upstream check valves. Therefore, these valves do not remain forced in the closed position for long
periods, thus improving their reliability when called to open under a low differential pressure.
Density locks (or ‘hot–cold interfaces’) are passive devices which perform a function similar to that of normally-closed valves during normal operating conditions. However, in case of transient or accident conditions, they allow cooling flow without the need of a power supply or the motion of mechanical parts. Density locks have been applied in the process inherent ultimate safety (PIUS) reactor concept (Forsberg et al., 1989). In this design, the reactor core is immersed in a large pool of pressurized, cold, borated water. The hot primary water and the cold pool water are in contact at two ‘hot–cold interfaces’ (high and low elevation in the cooling circuit) where, during normal operation, substantial mixing is prevented by design details and by pump speed (head) adjustment, governed by the lower interface temperature. In case of uncontrolled accidents of any origin, the core will tend to overheat, causing water boiling and a decrease of the hydrostatic head in the riser pipe above it, beyond the correction capability of the pump speed control system. Under these conditions, natural circulation between the cold pool, the core and the riser pipe will be established through the two ‘hot–cold interfaces’ along an always-open natural circulation path. The pool of cold, borated water will then enter into the core and will shut the reactor down and remove the decay heat. In a certain sense, PIUS safety is based on the use of an essentially unstable cooling circuit, which needs active pump action to ensure stability during normal operation; in off-normal conditions, the system automatically switches to its stable condition, which also is a safe shutdown condition.
Density locks perform a fundamental role in PIUS ensuring core cooling during emergency conditions, and thus the potential for blockages caused by gas collection, material distortion or plugging by detached insulating materials should be analysed in depth. The density lock concept has been used in other new reactor schemes. Fluidic diodes and vortex valves are passive devices whose use in future nuclear power plants (NPPs) is currently under evaluation with reference to their potential use as check valves or actuation valves in safety-related systems. Fluidic diodes, used in reprocessing plants and chemical industries, are one-way valves with no moving parts. They are characterized by a very high flow resistance in one
direction with respect to the other. This characteristic allows them to be used as flow limiters to maintain core coolant boundary integrity in the case of a LOCA event. A potential application in a typical PWR system might be to install a fluidic diode on the reactor pressure vessel nozzle of the cold legs of the circuit to avoid reverse flow conditions following a pipe break. Due to the diode’s characteristics, instead of a massive release of coolant, only limited leaks would occur.
Vortex valves are ‘normally active/passive during emergency’ devices designed to maintain a separation between environments normally operating at different pressures. This function is performed by the fluid movement provided by a normally operating pump. A potential application to NPP safety features is as actuation valves in case of transients or accidents. During normal operation the two environments remain isolated as the vortex valve functions as a standard isolation valve. Following a transient, the pump operation is interrupted and water flows from the environment at high pressure to that at low pressure.
3-3-3. Inherently safe systems in the process industries

In process industry plants, the concept of more inherently safe design is a recurring theme in the three reports of the Advisory Committee on Major Hazards (ACMH – set up in the UK after the Flixborough accident). These reports set the general principles of ‘new’ process industry safety in the UK and they represent in their field what, for example, the IAEA ‘Safety Fundamentals’ documents do in the nuclear industry. A full account of the developments of this concept is given in Lees, Kletz (1984) and UMIST (1982). The Loss Prevention Bulletin (published by the Institution of Chemical Engineers, England) is also a ‘must’ for interested people. It is available in most technical libraries and a list of its main articles over the years is included in Lees. The basic principles of inherently safer designs in the process industry are:
• Intensification: namely carrying out the chemical reaction in a smaller volume in order to have a lower inventory of dangerous substances and smaller consequences of an accident.
• Substitution: replacing a dangerous process or substance, for example a heat transfer medium, with a less dangerous one.
• Attenuation: adoption of a less hazardous process condition, for example a lower pressure in combination with the improvement of a catalyst.
• Simplicity: for example designing a vessel or pipe for full over-pressure instead of adopting a pressure-relief system. (As Henry Ford is supposed to have said, ‘What you don’t fit costs nothing and needs no maintenance’.)
• Operability: adoption of a process which can be easily controlled and adjusted to off-normal conditions.
• Fail-safe design: where the failure of the system leads directly to a safe condition.
• Second chance design: second line of defence.
Interesting examples of proposals in the process industry follow. The first typical example concerns the manufacture of nitroglycerine. It has to be classified as an ‘intensification’ of the process, namely the drastic reduction of the inventory of the dangerous substance. Nitroglycerine is manufactured by the reaction between glycerin and a mixture of concentrated nitric and sulphuric acids. The reaction is highly exothermic and the mixture has to be continuously cooled and stirred, otherwise a violent explosion may occur due to the uncontrolled decomposition of nitroglycerine. Originally the reaction was performed in batches using large (1 t) pots. The operator had to continuously monitor the temperature and check that stirring was effective. Since the reaction lasted a rather long time (hours) there was the danger of the operators falling asleep and, therefore, they used to work sitting on one-legged stools, as can be seen in historical pictures (Fig. 3-7). This kind of process continued to be used until fifty years ago with a number of casualties and complete plant losses. The same reaction is now obtained in a small injector where the acid jet entrains the correct amount of glycerin and, due to the turbulent mixing, the reaction time has been reduced down to minutes. The reaction is complete at the exit of the injector. The amount of nitroglycerine in the reactor is reduced to a few kilograms and the operators can be protected by a blast wall.
Figure 3-7. Manufacture of nitroglycerine in old times.
Another reaction, the adipic acid reaction (used in the manufacture of nylon), was previously performed in a huge reactor with external circuits for cooling. Today, it is carried out in a smaller integral vessel with internal cooling and agitation, and with a much smaller possibility of leaks. A similar evolution has taken place in nuclear reactors, which changed from external to internal recirculation units (or to integral proposals for future reactors). It is also worth mentioning ICI’s Higee process, where the process of gravitational separation is enhanced by centrifugal forces in a rotating unit, with a consequent decrease in the amount of substance in the separator. Many examples are available concerning the substitution of one process with a less dangerous one. In a number of cases in the chemical industry the choice has to be made between the availability of a large storage of substances and the reduction of stored substances concurrent with the continuous production of them on site. In the first case,
continuity of production is better assured but the risk attributable to the storage is present. The situation is reversed in the second case. The concept of inherent safety leans towards the second choice. It has to be remembered that in the case of Bhopal, the situation was exacerbated because it had been decided to produce methyl isocyanate (MIC – the poison which was released in the accident) on site instead of importing it from another factory. However, the already existing huge MIC tanks continued to be used, with the consequent risk. In the industry, subsequent major reductions of inventories have taken place on safety grounds, brought about by new regulations concerning, in particular, hazardous substances such as ethylene oxide, propylene oxide and sulphur trioxide. Huge strides are being made in chemical industry safety, in areas that are of strong interest for nuclear plants as well (e.g. a reduction in the possibility of leaks from containments through the reduction in the number and the dimension of penetrations). The simplification of complex designs is also pursued by such measures as design for over-pressure and design modification to avoid instrumentation. A simple case of the latter is the use of suitable piping arrangements to avoid reverse flow and to provide for automatic sump voiding (high turns of pipe with anti-siphon openings, self-priming siphons, etc.). Concerning the ‘operability’ concept in the previous list of principles of more inherently safe design in the process industry, it seems worth noting that, in the parallel field of nuclear plants, designers now tend to provide a longer ‘grace period’ in case of mistakes or accidents (e.g. an increase of the water inventory in water reactors, and so on). Speculative proposals for future process plants also exist. One of them considers the advantages of distributed manufacture of chemicals using miniaturized plants at the user’s site.
Such plants would be more environmentally friendly and would deliver their products on a ‘just in time’ basis. They should also be completely automated, highly reliable, self-cleaning and sealed for life. As is apparent from this section, in a number of instances the process industry has gone beyond the study phase and has adopted more inherently safe provisions. Safety experts in the process industry, however, complain that, as yet, not enough has been
done (Kletz, 1984). Some of the restraints towards a higher level of inherent safety are:
the technical options available for the next plant are usually limited by time, so if major advances are to be made there has to be a ‘plant after next’ design policy (namely, during the design stage of a plant there is not enough time to discuss and to develop alternative designs);
the desire for certainty of production (if a new process or a new equipment is used, then unforeseen difficulties may cause trouble during start-up, perhaps delay or prevent the achievement of design output or efficiency);
the process licensing authorities are often on the side of tradition (possibly to prevent unforeseen snags and surprises);
technical misconceptions (like the belief that, for example, the reduction in the inventory of dangerous substances may render the control of the process more difficult);
the organization of a company in business areas instead of in functional departments is not favourable to innovation because of the strong influence of the control of expenditures (i.e. ill-defined responsibility for design innovation by research departments or design departments).
It has been remarked that it is difficult to convince people close to the industry that there is a need to improve safety levels. Many are accustomed to think that hazard is inherent in the industry (which may be true to a certain extent) and it does not occur to them that in many cases it may be possible to reduce the risk and consequences of the hazards.3
References
US Code of Federal Regulations (2004) ‘Part 100: Reactor Site Criteria’, US Government.
EPRI (1990) NP 6780, Advanced Light Water Reactor Utility Requirements Document.
Forsberg, C.W., et al. (1989) ‘Proposed and existing passive and inherent safety-related structures, systems and components (building blocks) for advanced light water reactors’, ORNL-6554, Oak Ridge National Laboratory.
IAEA (1991) ‘Safety-related terms for advanced nuclear plants’, IAEA TECDOC 626.
Kletz, T.A. (1984) Cheaper, Safer Plants or Wealth and Safety at Work? Rugby: The Institution of Chemical Engineers.
Lo Prato, E., Petrangeli, G., Tononi, R. and Zaffiro, C. (1990) ‘Terminology for future nuclear power plants’, IAEA TECDOC 550.
OECD (1993) ‘The Three Mile Island Pressure Vessel Investigation Project: Achievements and Significant Results’, OECD.
Petrangeli, G. (1992) ‘Fifty years from the Fermi Pile’, Proceedings of CIRTEN Safety Technologies and Safeguards 1992, Pisa University.
USNRC (1990) SECY 90.016 Evolutionary Light Water Reactor Certification Issues and their relationships to current regulatory requirements.
UMIST (1982) ‘Inherently safe plant’, Proceedings of Safety in the Chemical Industry 1982, University of Manchester Institute of Science and Technology.
Chapter notes
1 An explosion of roughly 350 kg of hydrogen occurred during the TMI accident without any damage to the containment.
2 The TMI accident progressed up to the threshold of this event. A large quantity of molten and re-solidified corium was indeed found on the bottom of the vessel which, however, was not perforated.
3 The following short story, attributed to a chemical engineer, demonstrates the similarity of thought between safety engineers in the nuclear and process industries. It is so enjoyable, I think that it deserves reproduction here. It has been slightly adapted from Kletz (1984).
The tiger and the treasure: A king offered a challenge to three young men. Each young man would be put in a room with two doors. The young men could open either door they pleased. Behind one door was a hungry tiger, the fiercest and most cruel that could be procured, which would immediately tear them to pieces. But if they opened the other door, they would find a precious treasure. So I leave it to you, which door should they open?
The first young man refused to take the chance. He lived safe and died poor.
The second man hired risk assessment consultants. He collected all the available data on tiger populations and on ways to detect treasures. He brought in sophisticated technology to listen for growling of tigers and to detect metals and precious stones from some distance. He completed checklists. He developed a utility function and assessed his risk averseness. Finally, sensing that in a few more years he would be in no condition to enjoy the treasure anyway, he opened the optimal door. Some sources maintain that he was eaten by a low-probability tiger.
The third man took a course in tiger taming.
Is the optimal combination of the courses of action chosen by the two young men who opened the door very dissimilar from the Defence in Depth concept, well established as a foundation block of nuclear safety? It seems not, and this also seems to be the conclusion of the chemical engineer who invented the story.
Chapter 4 The classification of accidents and a discussion of some examples
4-1. Classification
Accidents are usually grouped as follows:
Accidents of internal or external origin.
Area accidents (fires, internal floods).
Accidents of natural origin.
Accidents of human origin (explosion of a tank near the plant, sabotage, etc.).
Voluntary accidents (sabotage).
Design Basis Accidents, Beyond Design Basis Accidents, Severe Accidents (see Section 1-2 and Chapter 3).
Design Basis Accidents are usually subdivided into four categories:
Operational transients.
Moderate frequency sequences.
Rare sequences.
Limiting accidents.
The EUR criteria give an idea of the probabilities assigned to these accidents (see Appendix 6 on EUR Criteria).
4-2. Design basis accidents
Design basis accidents (DBAs) are those accidents chosen by the deterministic method or with the help of probabilistic considerations, in order to design all the plant systems, but particularly the safety ones. Some of the following considerations are of interest for DBAs and for the other accidents. Most of the quoted data are taken from examples of typical 1000 MWe pressurized plants.
4-2-1. Some important data for accident analysis
4-2-1-1. Initial conditions
The core nominal power is usually increased by 2 per cent in order to take into account possible calorimetric errors. The average coolant temperature is taken as the nominal one 2 °C due to measurement errors. The pressurizer pressure is varied by 200 kPa (2 bar) in order to take into account normal fluctuations and measurement errors. The initial values of the various parameters quoted are chosen in such a way as to minimize the initial departure from nucleate boiling ratio (DNBR – the power ratio margin from nucleate boiling, usually kept higher than 1.3 in normal operation and in ordinary transients). The fast shutdown trigger levels and the corresponding time delays considered in the analyses (including errors) are of the order of magnitude indicated in Table 4-1 and Figure 4-1.
Table 4-1. Fast shutdown signals and corresponding delays (core safety limits, p = 15.51 MPa (2250 psig))
| Origin of fast shutdown | Trigger level in the analyses | Time delay (s) |
|---|---|---|
| High neutron flux | 118% | 0.5 |
| Core ΔT (excess temperature) | Automatically variable | 6 |
| Core ΔT (excess power) | Automatically variable | 6 |
| High pressurizer pressure | 16.65 MPa (normal 15.51 MPa) | 2 |
| Low pressurizer pressure | 12.31 MPa | 2 |
| Low recirculation flow | 87% | 1 |
| Turbine trip | | 1 |
| Low-low level in steam generator | | 2 |
| High level in steam generator, feedwater pumps stop, feedwater system valves shut-off, turbine trip | | 2 |
Figure 4-1. Core safety limits (p = 15.51 MPa/2250 psig). [Plot of % power against Tavg (K), showing the operating point, the overpower trip, the overpower ΔT trip, the over-temperature ΔT trip, the technical specifications safety limit and the opening of the steam generator safety valves.]
4-2-1-2. Doppler coefficient
It is well recognized that the Doppler coefficient is one of the most important counter-reactions during reactivity excursions. The increase of the fuel temperature causes an increase in the amplitude of the uranium-238 neutron capture resonances and, therefore, a decrease in the core reactivity. In some transients, it is conservative to assume a most negative Doppler coefficient (when a higher power and temperature decrease is contrary to a conservative evaluation, e.g. for steel over-cooling reasons) and in others (the majority), the opposite applies. Figure 4-2 shows the curves for the two cases.
Figure 4-2. Doppler coefficient for transient analyses. [Plot of the Doppler power coefficient (pcm per per cent power) against per cent power, with one curve for the most negative and one for the least negative Doppler power coefficient.]
According to the two curves, at practically zero initial power, an increase in power up to 10 per cent causes a reduction in reactivity ranging from 0.1 per cent to 0.2 per cent. The Doppler coefficient varies with the fuel burn-up, that is with the operation time, becoming less negative (i.e. less effective as a safety counter-reaction) when the burn-up increases. In fact, with time, four phenomena cause a variation of the coefficient:
The variation of the composition of the gap gases in the fuel rods (which includes helium at the start only, but then also fission gases); the conductivity of the gap decreases with increasing time and, therefore, the fuel tends to become hotter.
The densification of the fuel pellets which tends to increase the gap with an effect similar to the preceding phenomenon.
The increase in the content of plutonium-240 which shows strong resonance peaks for neutron capture in the thermal zone and the consequent magnification of the uranium-238 effect (which, on the contrary, tends to decrease).
The deformation by mechanical creep of the claddings, which tends to decrease the gaps and, therefore, the Doppler effect.
The last factor predominates over the others and, at the end of the core life, the Doppler coefficient is less effective. The two curves in Figure 4-2, to be used for transient analysis, are the result of the fuel burn-up and the uncertainties of evaluation. As can be seen from the figure, the variation of power from zero to 100 per cent entails a variation of Doppler reactivity of the order of 1–1.5 per cent; this figure doesn’t include the effect of the variation of the moderator temperature, which is separately evaluated.
4-2-1-3. Coefficient of moderator temperature and of the voids
The moderator temperature reactivity coefficient is also important for safety. In fact, when the moderator temperature increases, its density decreases and, as a consequence, the moderating effectiveness also decreases. This decrease causes an increase in the loss of neutrons from the core and an increase in the parasitic captures, so that the reactivity tends to decrease. As, however, PWRs adopt chemical shim, that is the control of reactivity through dissolution of boric acid in the reactor water, the presence of this neutron absorber decreases the safety effectiveness of the moderator temperature coefficient; in fact, if the temperature increases, the amount of boron contained in the reactor water decreases and consequently the reactivity increases. For this reason, when the boron concentration is high (start of life, cold conditions) the overall temperature coefficient of the reactor water may be positive. Additionally, it must be emphasized that, in any case, the power coefficient (which includes the Doppler effect) must always be negative. Figures 4-3 and 4-4 show the behaviour of the temperature reactivity coefficient of the reactor water.
Figure 4-3. Moderator temperature coefficient (start of life, no rods). [Plot of the moderator temperature coefficient (pcm/°C) against moderator temperature (K−273), with curves for 0, 500, 1000, 1500 and 2000 ppm boron.]
Figure 4-4. Moderator temperature coefficient (end of life). [Plot of the moderator temperature coefficient (pcm/°C) against moderator temperature (K−273), with curves labelled unrodded, rodded, 500 ppm and 0 ppm.]
4-2-1-4. Reactivity of the boron content
The content of boron in the cooling water is usually measured in parts per million (ppm). Generally, boric acid is used as the soluble boron compound: 1000 ppm of boron corresponds to about 0.6 per cent of boric acid. The reactivity of the dissolved boron is equal to about 800–900 pcm per 100 ppm, therefore in an operating condition with 1000 ppm boron, the reactivity in the dissolved boron is roughly 8–9 per cent. The usual values of the boron content are 2000 ppm boron at start of life and in cold conditions, 1000 ppm in hot conditions and only some hundreds of parts per million at end of life and hot conditions. It has to be remembered that boric acid may precipitate from the solution as various kinds of deposits (crud) which form on the inside primary system surfaces and especially on the hot surfaces of the fuel elements. Subsequently, in case of thermal or hydraulic transients, some of these deposits may peel off from the core, giving rise to a reactivity transient. Over the years, no accidents due to this phenomenon have happened, notwithstanding the fact that the boron deposition on core surfaces has been observed and studied. The maximum reactivity which could be released can be estimated to be of the order of 0.1 per cent in half a second (Petrangeli, 1967).
4-2-1-5. Reactivity of the control rods
The reactivity of the complex of control rods is typically of the order of 10 per cent. The reactivity available for fast shutdown, however, depends on the position of the rods (e.g. rods are usually inserted under zero power and hot circuit conditions, but less often inserted under full power conditions), on the axial shape of the neutron flux and on the core burn-up. Moreover, in order to evaluate the reactivity available for a fast shutdown, the assumption is usually made that the most reactive rod stays stuck in its position (generally it is considered completely extracted).
Overall, the reactivity available for a fast shutdown typically ranges between 6 per cent (under hot conditions and zero power conditions) and 9 per cent (at full power). Theoretically, a single rod may reach a worth of two per cent or more (as an example, a rod at the centre of the core with all the other rods inserted, which increases the worth of the rod) but the reactivity corresponding to the ejection of any rod (one of the DBAs) is always kept below the ‘prompt reactivity’ value (0.6 per cent): typically a limit of 0.5 per cent is adopted. The integrated worth of a control rod has the shape shown in Figure 4-5. Figure 4-6 shows the typical trend of the start-up rate, expressed in decades of growth of the neutron flux per minute, as a function of reactivity. The relationship connecting the start-up rate to the period T (s) is:
$$\text{Start-up rate} = \frac{26}{T}\ \text{decades min}^{-1} \qquad (4.1)$$
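The constant 26 in Equation 4.1 can be recovered from the usual definition of the period T as the time in which the neutron flux grows by a factor e. This is an added derivation, not part of the original text; n(t) and n_0 are symbols introduced here for the flux at time t and at time zero.
$$n(t) = n_0\, e^{t/T} \quad\Longrightarrow\quad \log_{10}\frac{n(t)}{n_0} = \frac{t}{T \ln 10}$$
$$\text{Start-up rate} = \log_{10}\frac{n(60\ \text{s})}{n_0} = \frac{60}{T \ln 10} \approx \frac{26.06}{T}\ \text{decades min}^{-1}$$
A period of 26 s therefore corresponds to a flux growth of about one decade per minute.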
Figure 4-5. Integrated worth of a control rod (indicative). [Plot of reactivity (%) against control rod position (percentage withdrawal).]
Figure 4-6. Start-up rate as a function of reactivity. [Logarithmic plot of reactivity (Δk/k × 10⁻⁴) against reactor start-up rate.]
4-2-1-6. Reactivity of fission products (xenon and samarium)
Core reactivity is strongly influenced by the dynamic variation of the fission products as a consequence of the operational states of the core. Of course, the fission products accumulated in the core as a function of the fuel burn-up also have a strong influence on reactivity. Xenon-135 and samarium-149 are, in different ways, the most important nuclides in this context.
Under stationary power operation conditions, the reactivity absorbed by xenon and samarium varies between two and three per cent. However, after shutdown, the reactivity of xenon may increase many times showing the well-known peak at about 11 hours. The negative reactivity due to samarium increases asymptotically up to a few per cent.
4-2-1-7. Reactivity balance
Taking into account the above sections, the typical reactivity balance of a PWR could be similar to that shown in Table 4-2. The use of burnable poisons in the core to compensate for the burn-up reactivity of the fuel, normally adopted at least for the first cycle of the core, significantly reduces the need for compensating reactivity by soluble poison (Table 4-2 does not consider the use of burnable poisons).
Table 4-2. The reactivity balance of a PWR
Motivation
Reactivity (%) Rods
Cold shutdown (variation between hot and cold core) Doppler Xenon Samarium Operation margin Fuel burn-up (life)
Boron 2
2.2 2.2 0.8 0.8 9
4-2-2. Example of a category 2 accident: spurious opening of a pressurizer safety valve
This scenario assumes that a pressurizer safety valve opens and stays open during the full power operation of the reactor. The results that follow are from studies made on a modern 1000 MWe reactor, but they apply reasonably well to any PWR. After the opening of the valve, the primary system starts to quickly depressurize while the mixture of water and steam contained in the pressurizer reaches the temperature and pressure conditions of the primary hot leg. The valve has a flow area of 27.9 cm² and the voiding of the pressurizer, for this opening, takes place in about 600 s. Subsequently, the depressurization of the entire primary system continues following the trend shown in Figure 4-7, where the curves obtained by the simple code ps.xls (available on the downloadable file ‘Primary System’ on this book’s accompanying web site) are also shown (the pertinent calculation will be commented on later).
Figure 4-7. Spurious opening of a safety valve on the pressurizer: calculated primary system pressure trend. [Plot of primary pressure (10⁵ Pa) against time (s), comparing the safety report curve with the ps.xls program results for steam efflux and for homogeneous efflux.]
The reactor is shut down by the intervention of the low primary pressure signal at 10.93 MPa (abs) (109.3 bar (abs)). The normal primary pressure from which the transient starts is 15.82 MPa (abs) (158.2 bar (abs)). At a pressure of 10.93 MPa (abs), the safety injection system is automatically actuated and starts to inject water into the primary system through the high pressure pumps. Conservatively, it is assumed that only one high pressure injection pump operates (single failure); the injection flow rate is initially equal to about 1200 kg min⁻¹ (20 kg s⁻¹), increasing to 2700 kg min⁻¹ (45 kg s⁻¹) when the primary pressure decreases to 5 MPa (abs) (50 bar (abs)). Subsequently, as the primary pressure continues to decrease, the safety accumulators and the low pressure injection pumps start operating. During this accident scenario, the heat transfer from the fuel rods to the water does not usually reach the threshold of nucleate boiling, that is the conditions of ‘film boiling’ are not reached. In other words, the DNBR (or ‘burn-out’ ratio) never goes below 1, with some safety margin. In the transient described, the maximum fuel clad temperature is of the order of 843 K (570 °C), well below the limit of 1477 K (1204 °C) specified by the US regulations (US Code of Federal Regulations, 2004), universally followed in other countries. For interest, the other limits given in the above-mentioned regulations applicable to DBAs are listed here:
Maximum oxidation of the cladding in the core: 17 per cent.
Less than one per cent of the total clad metal consumed by the metal–water reaction which generates hydrogen.
The core geometry variation due to thermal and mechanical effects (swelling due to creep, etc.) insufficient to prevent its ability to cool.
None of these limits is reached in this accident, which ranks the scenario lower among the DBAs. Throughout the accident, once the primary system saturation conditions are reached (very soon, after about 600 s), the average steam–water mixture quality in the primary system always stays at a very low level. Obviously, if, as at Three Mile Island, the safety injection was shut off, the accident would continue to the start of core melt and beyond.1
4-2-3. Example of a category 3 accident: instantaneous power loss to all the primary pumps
This scenario assumes that the accident starts at full power, then evolves through a number of stages concurrently with a progressive slowing down of the pumps. The initiating cause may only be the instantaneous loss of all the external electric power sources. The fast shutdown is quick (<2 s) and is actuated by the slowing down of the primary recirculation. The actuation signals vary according to design preference and they may comprise loss of pump speed, inadequacy of their electric power supply (voltage and frequency) and reduction of recirculation flow rate. The temperature of the primary water, as well as the primary pressure, initially tend to increase and subsequently to decrease after the reactor scram has operated a few seconds from the start of the accident. The heat loss from the secondary side occurs by steam dump to the atmosphere as the turbine-generator combination stops on the scram signal. The condenser is lost if there is a total loss of electric power. The safety and steam dump valves open within seconds of the start of the accident. During the first seconds of the transient, the greater risk is the reduction of the DNBR (its limit is generally 1.3) and fuel damage: the coast-down curve of the pumps’ flow rate, influenced by the pump flywheel inertia, can prevent this danger.
Figure 4-8. Total loss of power supply to the pumps: coast-down of the flow rate. [Plot of recirculation flow rate (%) against time (s).]
A typical curve of the pumps’ coast-down is shown in Figure 4-8. It is generally assumed that after half an hour the operators will regain the plant control and start a controlled cooling of it. This cooling down will generally be performed through the manual actuation of the high pressure safety injection pumps (HPSI) and by controlling their flow rate by the actuation of the relevant control valves. At a certain point in this process, the automatic initiation of the safety injection system has to be prevented by changing the set points of the same automatic action. This initiation could have negative consequences (pressure). The pressure accumulators have to be disabled at the appropriate moment (when the pressure approaches the initiation value of roughly 4 MPa). At the start of the accident, on sensing the low voltage signal on the station auxiliary bus, the diesel generators automatically start and all the emergency loads are progressively connected to them (emergency safety features – ESF) as soon as each generator has reached its working voltage and frequency. In this scenario, it is assumed that no single failure aggravates the plant conditions, mainly because the most critical situation (DNBR) is reached within a few seconds from the start of the accident, that is before the intervention of any safety system (except, naturally, for the reactor scram, for which the usual assumption of the worst stuck rod is made). As far as modelling the decrease of flow rate with time after the loss of electric power is concerned, the codes used balance the momentum in each cooling circuit and in the core. This momentum balance is combined with the continuity equations, with the momentum balance of the pumps and with the pump characteristic curves. In these calculations the head losses are overestimated for the sake of conservatism.
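The ‘<2 s’ fast shutdown quoted for this scenario can be checked against the low recirculation flow row of Table 4-1 (87 per cent, 1 s delay). The following Python code is an added example, not taken from the book or from its ps.xls program; the channel names, the simplified coast-down law, its time constant and the sample traces are assumptions constructed for illustration.

```python
"""Added example: time of fast shutdown from the Table 4-1 trigger levels and delays."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Trip:
    name: str
    channel: str     # measured quantity the trip watches (channel names are assumptions)
    setpoint: float  # trigger level used in the analyses (Table 4-1)
    rising: bool     # True: trips on rising to the setpoint; False: on falling to it
    delay_s: float   # time delay from Table 4-1


# Rows of Table 4-1 that carry a fixed numeric trigger level. The automatically
# variable delta-T trips and the rows without a level on the page are left out.
TABLE_4_1 = (
    Trip("High neutron flux", "power_pct", 118.0, True, 0.5),
    Trip("High pressurizer pressure", "pressure_mpa", 16.65, True, 2.0),
    Trip("Low pressurizer pressure", "pressure_mpa", 12.31, False, 2.0),
    Trip("Low recirculation flow", "flow_pct", 87.0, False, 1.0),
)


def crossing_time(times, values, setpoint, rising):
    """First time the trace reaches the setpoint, linearly interpolated, or None."""
    for i, v in enumerate(values):
        reached = v >= setpoint if rising else v <= setpoint
        if not reached:
            continue
        if i == 0:
            return times[0]  # already beyond the setpoint at the first sample
        v0, t0 = values[i - 1], times[i - 1]
        frac = (setpoint - v0) / (v - v0)  # v != v0: previous sample had not tripped
        return t0 + frac * (times[i] - t0)
    return None


def first_scram(times, channels, trips=TABLE_4_1):
    """Return (trip name, crossing time, scram time) for the trip that acts first.

    The scram time is the crossing time plus the trip delay, so a signal that
    crosses its setpoint later can still act first if its delay is shorter.
    Returns None when no trip setpoint is reached in the traces.
    """
    best = None
    for trip in trips:
        trace = channels.get(trip.channel)
        if trace is None:
            continue
        t_cross = crossing_time(times, trace, trip.setpoint, trip.rising)
        if t_cross is None:
            continue
        t_scram = t_cross + trip.delay_s
        if best is None or t_scram < best[2]:
            best = (trip.name, t_cross, t_scram)
    return best


def constructed_loss_of_flow(tau_s=6.0, dt=0.1, t_end=20.0):
    """Constructed sample traces (not plant data) for a loss of all primary pumps.

    Flow follows Q/Q0 = 1/(1 + t/tau), the solution of a momentum balance with
    quadratic head losses and no pump head; tau_s is an assumed value. Power is
    held at 100 per cent and pressure rises slowly, both constructed.
    """
    n = int(round(t_end / dt)) + 1
    times = [i * dt for i in range(n)]
    channels = {
        "flow_pct": [100.0 / (1.0 + t / tau_s) for t in times],
        "power_pct": [100.0 for _ in times],
        "pressure_mpa": [15.51 + 0.02 * t for t in times],
    }
    return times, channels


if __name__ == "__main__":
    times, channels = constructed_loss_of_flow()
    name, t_cross, t_scram = first_scram(times, channels)
    print(f"{name}: setpoint crossed at {t_cross:.2f} s, scram at {t_scram:.2f} s")
```

With the assumed time constant the flow trip is the one that acts, and a longer time constant pushes the result past 2 s, which illustrates why the flywheel inertia and the trip delay have to be considered together.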
4-2-4. Example of a category 4 accident: main steam line break
In this scenario, it is assumed that one of the outlet lines of a steam generator suddenly breaks. The concept of ‘leak before break’, which excludes the guillotine break of the large primary lines, cannot be applied to the steam lines because it is difficult to demonstrate that a steam leakage from a quasi-critical crack can be detected in time with certainty. This accident, therefore, has to be considered less unlikely than a primary pipe break. According to the position of the rupture, to the initial reactor conditions and to the accompanying malfunctions assumed, a variety of accidents with different consequences arise. In general, however, the rapid voiding of the affected generator causes:
a decrease of the primary temperature and, therefore, a significant increase of the core reactivity (the moderator temperature coefficient is usually negative), with a consequent increase of the neutron flux and possible overheating of the claddings and of the primary overpressure. In this regard, it should be remembered that, as a consequence of the usual assumption of the most reactive rod being stuck, the applicable peaking factors of the neutron flux are particularly high, although they are partly compensated by the increase in the void fraction near the extracted rod;
the pressurization of the room where the rupture happens (container or nearby building);
the release of radioactive products due to leakages from primary to secondary which, although small (of an order of magnitude of some kilograms per minute) must always be considered, exacerbated by the possible damage of the fuel during the violent transient following the break.
The accident is analysed for various locations of the steam line break (anywhere along its length, for example before or after the isolation valve/s, inside or outside the container, etc.). Various initial operating conditions (full power or hot shutdown), as well as various additional malfunctions (loss of the external power supplies, highest worth control rod fully extracted, etc.) are possible. Some of these situations, in fact, are the worst for potential fuel damage, others for the primary over-pressure or for external radiological consequences. In order to understand the various possible situations, the following facts have to be remembered:
the isolation valves take several seconds to shut (conservatively, 10 s) and in this time a significant amount of water can leave the steam generators. It has to be assumed that this water is contaminated, because of the unavoidable leaks between primary and secondary systems during normal operation, and it has to be remembered in this connection that the primary system typically contains some thousands of Gigabecquerels of iodine-131 and that the secondary water contains only a few tens of Gigabecquerels of it;
a flow limiter (Venturi tube) is usually installed at the exit of each steam generator. This reduces the equivalent efflux area to about one third of its real value;
the injection of highly borated water (e.g. with 5000 ppm boron) by the high pressure injection system (HPIS) pumps has some tens of seconds delay after the corresponding actuation signal, due to the pumps’ inertia and to the water expulsion from the lines containing a lower boron concentration (e.g. 2000 ppm);
besides the radioactive products present in the water from the start, during the transient an additional release from the fuel elements can happen if the DNBR goes below the safety limit (e.g. <1.3) (i.e. the release of the radioactive products contained in the gap between pellets and cladding, conservatively assumed equal to 10 per cent of the total fuel rod inventory for volatile products, like noble gases, iodine and caesium);
depending on the particular characteristics of the reactor under consideration (e.g. volume of water in the primary and secondary systems, and in the pressurizer, the scram signals and line isolation signals adopted, etc.) the worst transient among the possible ones may vary. In general, the transients starting from zero power are considered the worst ones because the scram intervenes later, given the usual characteristics of the protection systems.
Figures 4-9 to 4-11 show the trends of some particularly significant quantities for some steam line break accidents. As can be seen, the accident causes a quick depressurization and temperature decrease in the primary system, with consequent significant thermal stresses in the structure. The containment pressure, too, may reach significant levels. The outside doses may be of the order of 1 Sv to the thyroid of an individual for a two hour exposure at the edge of the exclusion zone.
4-2-5. Example of a category 4 accident: sudden expulsion of a control rod from the core
This accident might happen if one of the control rod drive housings circumferentially breaks and is projected into the containment by the primary system pressure. In this scenario, the control rod drive and the control rod itself would be expelled (in a few hundredths of a second) and the rod would be completely and rapidly expelled from the core. This accident has been included in the DBAs since the early days of the peaceful use of nuclear energy. Relevant protection initially comprised:
a procedure for the management of the control rods’ location in the core which limited the maximum reactivity connected with a control rod expulsion: these limits were established in such a way that the consequences of the expulsion on the fuel were not destructive (average enthalpy in the hottest point of the most endangered fuel rod less than 1.17 MJ kg⁻¹);AR360
the protection of the containment wall from possible perforation by the missile (control rod housing), usually implemented by a steel shield (centimetres thick) or by a concrete shield, located above the control rod housings complex.
Figure 4-9. Main steam line break at full power with external electric power supply available: primary pressure as a function of time. [Axes: primary pressure (10⁵ Pa) versus time (s).]
Figure 4-10. Main steam line break at full power with external electric power available: core exit temperature. [Axes: exit temperature of primary coolant (K−273) versus time (s).]
Figure 4-11. Main steam line break at full power inside the containment: containment pressure versus time. [Axes: containment pressure (10⁵ Pa) versus time (s).]
At the start of the 1990s, several cases of through-wall cracks were found in French reactors (Bourgeois et al., 1996). Similar cracks were found in other reactors. These were attributed to stress-assisted corrosion of Inconel 600, the material used for the housings. A systematic replacement of all the pressure vessels’ heads was implemented, with substitution of Inconel 600 housings with Inconel 690 ones. Moreover, the leak detection systems were improved and a device capable of preventing the expulsion of the corresponding rod drive mechanism, in case of a break of the housing, was installed. Additionally, the most dangerous event since TMI occurred at the Davis Besse power station in February 2002 (see Chapter 20).
In general, it is possible to ensure that the additional reactivity due to a control rod expulsion is of the order of 0.15 per cent (but, in any case, well below 0.6 per cent, which would originate a ‘prompt criticality’). The accident reactivity excursion is mitigated by the Doppler coefficient and is terminated by the reactor scram. Roughly 10 per cent of the fuel can be damaged (DNBR < 1) and the effective whole-body doses outside the plant may reach 10–20 mSv in two hours at the edge of the exclusion area. The releases from the plant are due both to the leakages from the containment (assumed to be single containment type with ground release) and to those from the secondary steam dump and the leaks between the primary and secondary systems (some litres per minute). The containment pressure increases because of the release of primary liquid. The release from the secondary system is caused by the opening of the relief and safety valves. The reactor power in the transient may reach 200–400 per cent of the nominal power (the highest values correspond to zero initial power), obviously for very short times. The analysis of this accident scenario is performed by suitable computer codes, capable of simulating the multi-dimensional neutron kinetics and the thermal–hydraulic behaviour of the fuel and of the reactor cooling systems.
4-2-6. Example of a category 4 accident: break of the largest pipe of the primary system (large LOCA)
Since the early days of nuclear power generation, this accident has been considered to be the most serious of the DBAs. It remains so to this day as it originates a large part of the specifications of the plant safety systems. Operating experience and probabilistic studies, however, indicate that the largest risk of severe accidents (more serious than the DBAs) comes from other accident sequences (e.g. small breaks). In particular, a break in a small instrumentation line in the vessel bottom is very dangerous: in fact, in this case, the primary system depressurizes rather slowly as the rupture allows liquid water to escape, while a large mass of coolant is lost. The safety injection systems might in some reactors not operate properly as the reactor pressure stays high (preventing the safety injection) while the coolant level in the core decreases, with consequent uncovering of the fuel elements and their overheating. Very different is the case of a small break in the upper part of the primary system. In this case, in fact, steam exits from the break, the primary pressure tends to decrease rapidly and liquid water is forced to vaporize with consequent rapid cooling and decrease of the pressure. At low pressure, all the safety injection systems may operate injecting water in the circuit and cooling the core.
In a large LOCA, a very rapid depressurization occurs and the primary circuit loses almost all the water (only a small part of it remains, at low temperature, on the vessel bottom) in 15–20 seconds. In the meantime the reactor shuts down (even if the power could initially increase slightly if the void coefficient is positive) and the safety injection through the accumulators and then through the high and low pressure pumps, starts.
The core is re-flooded in some tens of seconds (when the fuel reaches its worst conditions in the transient); then the core cools steadily. The operators then initiate the long-term cooling procedure. The containment is pressurized, but usually this is favourable to core re-flooding. Therefore, the calculation of the transient in the core is performed under conditions of minimum pressurization of the containment (indeed the minimum intervention thinkable of its cooling systems is assumed: e.g. of the spray system). Table 4-3 shows the sequence of events for a typical accident of this type. Figures 4-12–4-17 depict the important phenomena of the transient and show the critical parameters. The difficulty of keeping a high mixture level in the core is evident. The presence of a second clad temperature peak is a consequence of this fact. See Table 3-1 in Chapter 3 for a list of typical external releases in this type of accident.
Table 4-3. Sequence of events in a large LOCA
| Event | Value | Time (s) |
|---|---|---|
| Break | | 0 |
| Peak power | 114% | 0.2 |
| Pressurizer pressure at scram actuation and initiation of safety injection | 10.9 MPa (abs) | 10 |
| Scram and safety injection signal | | 11 |
| Accumulator discharge starts | 4.1 MPa (abs) | 15 |
| Core re-flood starts | | 30.7 |
| Maximum secondary pressure | 8.4 MPa (abs) | 5.4 |
| HPSI injection start | | 31 |
| Accumulator voiding | | 78 |
| LPSI injection start | | 31 |
| Clad temperature peak | 1423 K | 300 |
| Signal of actuation of recirculation from containment bottom | | 1500–7000 |

Figure 4-12. Large LOCA: core power. [Axes: core power (normalized to 1) versus time (s).]
Figure 4-13. Large LOCA: containment pressure. [Axes: containment pressure (×10⁵ Pa) versus time (s).]
Figure 4-14. Large LOCA: mass of water supplied to core during re-flooding. [Axes: mass of water supplied to core (kg) versus time (s).]
Figure 4-15. Large LOCA: mixture level in the core during re-flood. [Axes: mixture level (m) versus time (s).]
Figure 4-16. Large LOCA: heat transfer coefficient in the core (hot spot). [Axes: heat transfer coefficient in the core (1.16 W/m2s K) versus time (s).]
Figure 4-17. Large LOCA: clad peak temperature. [Axes: clad temperature (K−273) versus time (s).]

4-2-7. Example of a category 4 accident: fuel handling accident
This accident is classified among the most serious of DBAs because, although it concerns only one fuel element, it may happen outside the containment, that is in the fuel building which is provided with a dynamic containment system (blowers and filters) that allows a certain amount of external releases. It is assumed that, during handling, a spent fuel element falls in the pool onto the spent fuel elements rack. The element will be damaged and it is usually assumed that all the gap radioactive products (10 per cent of the total volatile products of all the rods) are released. This assumption, like the others made in Regulatory Guide 1.25,AR316 is conservative and it is usually possible to demonstrate that no more than 30 per cent of the rods are damaged. A decontamination factor of 100 is assumed for iodine in the pool water and a factor of 10 and of 1.5, respectively, for inorganic and organic iodine, in an activated carbon filter 5 cm thick. With these assumptions, the two hour effective whole-body dose at the edge of the exclusion zone may be of the order of 5 mSv, which is significant.
4-2-8. Area accidents
Accidents originating inside the plant but which affect the entire plant area are termed area accidents. In particular, these may be fires and internal floods, typically started by breaks in the service water system. The physical separation of redundant sections of plant protection systems is usually one of the fundamental defences against the consequences of these events. Operational experience indicates the possibility of rather peculiar accidents of this kind. For example, the complete loss of external electric supplies caused by a grass fire which was allowed to grow too much in the power station switchyard; the fire triggered the fire protection of the transformers, so electrically isolating the power station from outside. An accurate examination of the risks relevant to each specific plant may reveal all the possible accidents and suggest pertinent prevention/mitigation provisions. For fires, in particular, every regulatory system has issued guide criteria and requirements which, in general, necessitate the implementation of a complete fire protection program. This includes provisions for the separation of redundant safety systems, other prevention measures, anti-fire equipment and operating procedures.
4-3. Beyond design basis accidents
During the long debates on nuclear safety, the need arose to study some accidents which can neither be termed DBAs (because of their low probability) nor severe accidents (since they do not lead to severe core damage). They are dealt with using specific prevention and mitigation measures even if, because of their low probability, the corresponding margins of safety are rather smaller than those adopted for DBAs. The most important among these accidents are:
transients without scram (ATWS – anticipated transients without scram); and
total loss of external and internal electric power supplies (station blackout).
By analogy, the voluntary accidents of human origin are included here and dealt with in a similar way.
4-3-1. Plant originated accidents
As far as ATWS accidents are concerned, usually a duplicated and diversified fast shutdown system is required, see US Code of Federal Regulations (2006) and the EUR criteria (see the pertinent Appendix). The need to cope with a station blackout has shown the need to foresee the voluntary depressurization of the primary system with water injection by independent means. See the EUR criteria in Appendix 6 for a list of other accidents of this type.
4-3-2. Accidents due to human voluntary actions
The spectrum of situations considered in the protection framework against these types of accident varies from country to country. Usually, in all cases protection is provided against malevolent intrusion in the plant by the use of access control measures. Other protections adopted are those against aeroplane crash and external impact, and those against pressure waves (see Chapter 17).
4-4. External accidents of natural origin
Chapters 15 and 16 discuss accidents resulting from earthquakes and tornadoes. Protection against floods has to be considered in the choice and the improvement of a site: usually, no possible flood water is permitted to reach the level of the station, whose elevation is frequently raised by an embankment. Obviously, the choice of a site includes the study of the possible collapse of nearby dams and of the consequent flood waves. Other possible events are much more specific in nature (oscillations of lakes due to earthquakes or to wind, sand storms, volcanic eruptions, etc.) and must be studied on the merits of the local conditions.
References
Bourgeois, J., Tanguy, P., Cogné, F. and Petit, J. (1996) La Surete Nucleaire en France et dans le Monde. Polytechnica, Paris.
Petrangeli, G. (1967) ‘Factors involved in the evaluation of the maximum credible boron release from the core surfaces of a PWR with chemical shim’, Euratom, EUR 3609 e.
US Code of Federal Regulations (2004) ‘Part 50.46: Acceptance Criteria for Emergency Cooling Systems for Light Water Nuclear Power Reactors’, US Government.
US Code of Federal Regulations (2004) Part 50.62: US Government.
Chapter notes
1 As discussed, the accident can be summarily studied also using simple calculation methods similar to the one included on this book’s accompanying website. Given the limitations of the downloadable file PRIMARY SYSTEM (one volume only represents the primary system), only the phases when saturation conditions are present can be studied: this means that, if the initial transient of the pressurizer has to be simulated, up to the moment when saturation conditions are reached in the primary system (at about 600 s after the accident initiation), then the pressurizer has to be studied separately from the primary system, while, if the complex of the primary system has to be studied, this can be done only after the first 600 s. In Figure 4-7, the pressure curves (dotted lines) obtained from ps.xls assume steam and homogeneous efflux. A better approximation could be obtained by subdividing the transient in phases, to which one or the other of the assumptions above would be applied, according to the estimated level of the water in the primary system. It is worth repeating, however, that simple codes like ps.xls are only suitable for a first orientation and for overall comparative evaluations. They are not suited for accurate studies of accidents.
The following lists the input data for ps.xls in the steam efflux case:
Ab = 27.9 cm²
As = 0 cm²
DP1 = 2
DP2 = 0.2
DT = 1 s
FL1 = 0
FL2 = 0
GS = 0 kg s⁻¹
HA = 49 kcal kg⁻¹
KA1 = 711 kcal s⁻¹
KA2 = 12 kcal s⁻¹
KQD = 1.45
Mp = 298 830 kg
P = 2871.3 MWt
P0 = 94 kg cm⁻²
PA1 = 40 kg cm⁻²
PA2 = 15 kg cm⁻²
QS = 0 kcal s⁻¹
TU0 = 600 s
TU1GS = 600 s
TU2GS = 6000 s
TU1QS = 0 s
TU2QS = 0 s
TUF = 6000 s
VA1 = 0 m³
VA2 = 675 m³
Vab = 463.3 m³
VAT1 = 118 m³
VAT2 = 1012 m³
Vp = 463.3 m³
Where the symbols have the following meanings:
A1, A2 are the intermediate pressure (4 MPa) and low pressure (1.5–2 MPa) accumulators, respectively;
Ab is the area of the break in the primary system;
As is the equivalent efflux area of the depressurization line;
DP1, DP2 are the pressure variations in each step, high (from about 0.2 to 0.5 MPa) and low (20–50 kPa), respectively;
DT is the time increment in a calculation step;
ECCS is the emergency core cooling system;
FL1, FL2 are useful ‘flags’ for calculating efflux from the depressurized line and from the rupture, respectively;
GS is the efflux flow rate from the ECCS system;
HA is the accumulator and ECCS water enthalpy;
KA1, KA2 are the efflux coefficients from accumulators A1 and A2, respectively;
KQD is the decay power multiplier (= 1.05 for ANS curve);
Mp is the mass of water in the primary system (liquid and steam);
P is the thermal power rating;
PA1, PA2 are the A1 and A2 accumulator pressures, respectively;
TU0 is the start time of the transient;
TU1GS, TU2GS are the start and shut-off times, respectively, of the ECCS system;
TU1QS, TU2QS are the start and end times for heat exchange with steam generators;
TUF is the end time of the calculated transient;
VA1, VA2 are the volumes of water in accumulators A1 and A2, respectively;
Vab is the primary volume below the assumed rupture;
VAT1, VAT2 are the total volumes of accumulators A1 and A2, respectively;
Vp is the primary system volume.
In the ps.xls calculation, the possibility of simulating heat exchange with steam generator water has not been used; indeed, since the depressurization is rather slow and the primary system is always nearly filled up with steam–water mixture, it is believed that the pressure behaviour can be simulated using the assumption that all the steam generator water and the primary water will be mixed together. In order to implement this model, the initial mass of water has been assumed equal to that of the primary system (210 000 kg) plus that of the steam generators (80 000 kg). Consequently, the volume of the system has been adjusted on the initial assumption that all the water is in a liquid state. The decay power multiplier KQD has been chosen in such a way as to agree with the power curve used in the safety report (i.e. KQD = 1.45).
Chapter 5 Severe accidents
5-1. Existing plants
Severe accidents are defined as those which entail at least an initial core damage, in many cases specified as the overcoming of the regulatory fuel limits (such as a temperature of 1473 K (1200 °C) in the fuel claddings, etc.). The need to consider severe accidents aside from DBAs became apparent after the final edition of the Rasmussen report was issued in 1978, when it demonstrated that core melt could have a probability (of the order of 1 in 20 000 reactor-years) which was higher than that at the time rather implicitly estimated for the then worldwide reactor list (which was roughly 500 units). This probability figure indicated an expected core melt event every 40 years on the average. Since many reactors had at that time been operating for about twenty years, the outlook was not completely reassuring. It has, however, to be considered that the same Rasmussen report envisaged that only one in about 100 core melt events could cause severe health consequences (up to 10 casualties). In any case, the prevailing ideas of nuclear safety were not substantiated by these figures. Therefore, responsible people started to think about the best way severe accidents could be prevented, or at least mitigated.
The Three Mile Island event reinforced and confirmed this need for progress in nuclear safety. Although none of the Rasmussen report sequences replicated exactly the course of events in TMI, the report sequence TMLB was rather close to what happened there. TMI was certainly a severe accident, even if the degree of devastation suffered by the core was not clear from the start. TMI was a real shock for all in the nuclear industry. Many, dubious that the efforts made for nuclear safety were really needed, were indeed struck by the new evidence: human errors, communication defects among organizations, and insidious design weaknesses. That a core melt accident could happen and had happened was indeed a wake-up call! It is true that the foresighted adoption of Defence in Depth provisions at TMI prevented any casualties. It can be recalled that only 666 GBq (18 Ci) of iodine were released to the environment, with a correspondingly minute virtual dose at the fence of 0.8 mSv.
Besides the post-TMI plant improvement programmes (prevention) which cost millions of dollars for each plant, in the Western countries investigations were started on what else could reasonably be done to the plants with the goal of stopping the progression of an impending severe accident or to mitigate its consequences. Since then, the studies and the programmed and implemented provisions against severe accidents have been assigned to three consecutive phases of action.
In the first phase, soon after TMI, mitigation measures against the ‘certain’ consequences of a core melt (the slow over-pressurization of the containment up to its burst and the attack of the containment bottom by the molten core deposited there after reactor vessel perforation) were implemented. For the protection of the containment against over-pressure (caused by burning of hydrogen gas which would definitely be produced), procedures for the more or less filtered venting of it were adopted (filtered venting), as it was considered preferable to release some radioactive gases rather than risk bursting the containment. For the protection of the containment bottom, plant specific procedures were adopted, generally consisting of additional passive protective means and bottom-flooding procedures. As already mentioned, in this first phase, only the ‘certain’ consequences of a core melt were considered. Theoretically possible but less well known (and, in any case, low probability) phenomena (like steam explosions due to the contact of a molten core with water, of such high intensity as to be able to threaten the integrity of the containment) were left out.
In the second phase, lasting from about 1982 to about 1985, studies of severe accident prevention and mitigation were more systematic. Additional probabilistic studies were performed and mechanistic models, more elaborate than the Rasmussen report ones, were developed. This work, in particular, indicated which phenomena, besides the above mentioned ‘certain’ ones, were important for risk reduction. They are briefly listed in the following (which also includes the ‘certain’ ones):
Slow containment over-pressurization.
Scenarios of core melt with high primary pressure: direct containment heating (DCH – due to the violent expulsion of part of the molten core from the vessel and to its fragmentation in the atmosphere with consequent combustion and heat production) and destructive forces on the vessel (due to the expulsion of molten material from the vessel at high pressure).
Lack of leak proofing of the containment systems: containment bypass sequences (the V sequences of Rasmussen) and presence of leaks higher than the design values in the containment, either because of defects which existed before the accident (pre-existing openings) or because of the actions of the aggressive containment environment (pressure, temperature, aggressive and heat generating aerosols, radiations).
Destructive reactivity accidents due to accidental expulsion of control rods or to control rod melting before fuel melting during a severe accident.
Destructive steam explosions either inside or outside the reactor vessel.
Destructive hydrogen explosions.
Attack of the containment bottom by molten masses and lack of coolability of core debris.
The studies of this period led to a definition of severe accident protection criteria (see Section 1-2 and Chapter 18) similar to those already in force in Italy and to those developed in Sweden. In Italy, it was thought possible to provide a defence against severe accidents by accident management provisions and by some reasonable plant modification, up to the point of limiting iodine and caesium releases to 0.1 per cent with a probability higher than 95 per cent in the case of core melt (conditioned probability).
The absolute probability of this release would be lower than the product of the core melt probability and 0.05 (= 1 − 0.95). The releases of other elements were defined on the basis of their ‘propensity’ to external release, according to the mechanistic models and the then available data. This period of time is also characterized by some new scientific views on some phenomena of interest, which were somewhat different from those prevailing (e.g. enhanced importance of the release of iodine as a compound with caesium, and the enhanced importance of aerosols) and by some characteristic technical choices (huge filtered venting systems, such as the Swedish FILTRA, see Figs 5-1 and 5-2, installed on the Barsebäck reactor).
The third phase of the studies on severe accidents started after Chernobyl. This terrible accident taught the industry that even a small contamination risk, like the one which affected Western Europe as a consequence of the accident, may generate panic in the population and turn public opinion against nuclear energy power generation. Therefore, the third phase of the studies on severe accidents is characterized by release restrictions even more stringent than those taken as a reference in the second phase: in practice, many, especially European, countries strive for severe accident releases so small that population evacuation and land decontamination measures can be eliminated or reduced to a very low level, at least for health reasons (leaving aside possible needs for psychological well being of the population). This, in particular, is the position taken by France, by Germany and, at the appropriate time, by Italy. Now, reference levels of 1–10 TBq of caesium should be reached (the second phase reference releases of the above mentioned studies were 0.1 per cent iodine and caesium, corresponding to about 160 TBq of caesium). Therefore, this change of position corresponds to a reduction factor of about 100!
In order to comply with this stringent goal, it is understandable that attention has been mainly switched to future reactors which now include substantial design modifications. Moreover, the importance of a ‘perfectly’ leak-proof containment in case of severe accident is now clear. Another tendency consolidated in the third phase is the use, when possible and advantageous, of plant solutions based on ‘intrinsic’ or ‘passive’ safety.
Figure 5-1. Schematic of the FILTRA system. [Diagram labels: from containment; to stack; 40 m.]
5-2. Future plants: extreme and practicable solutions
The ability to choose between extreme solutions and simpler, more easily implemented, solutions is hindered by the uncertainty still present in our knowledge of some key phenomena in the field of severe accidents listed in the preceding section. The practical feasibility of the studied solutions must always take account of inherent drawbacks compromising safety itself (in many cases a safety provision adopted with certain situations in mind is detrimental in other conditions) and cost (which, if excessive, could put a plant out of the market). Among the extreme solutions imagined are the following:
A super-strong pressure containment, passively cooled in order to sustain without failure slow over-pressurizations, hydrogen detonations and over-pressurizations from direct containment heating (DCH).
A structural cage around the vessel resistant to the burst of the vessel itself (destructive steam explosion, destructive reactivity accident) or to jet force caused by its perforation in conditions of high pressure in the primary system (the energies involved are illustrated in Fig. 5-3).
A ‘core catcher’ to contain the molten core, as a protection for the bottom of the containment.
Figure 5-4 shows one of these extreme approaches studied by the KfK Karlsruhe Nuclear Research Centre. Appendix 15 on Safety Cage shows an example of dimensioning a solution of the ‘extreme’ type, with the objective of listing the orders of magnitude of the dimensions and of the provisions required.
‘Practicable’ solutions have been the subject of an international study promoted by Italy (Petrangeli, Zaffiro and Arru, 1995; Theofanous and Corradini, 1995). In order to give an idea of the solutions suggested in this study, the following summary is given which relates to one of the two reactors taken as a reference: the AP600 design equipped with a passive pressurized reactor.
A first cornerstone of the defence strategy, already incorporated in the AP600 design, is the voluntary depressurization of the primary system in case of the danger of inadequate core cooling. A feature of this type was proposed and thoroughly studied for the first time at the start of the 1980s for pressurized reactors (see Appendix 10 on Primary Depressurization Systems). The primary depressurization eliminates at the source all the severe accident sequences with a pressurized primary system (i.e. direct containment heating, destructive reaction forces due to perforation of the vessel, etc.). Moreover, in case of malfunction of the high pressure cooling systems, it allows the cooling of the core by intermediate pressure accumulators and low pressure systems.
A second cornerstone of the proposed defence strategy is the voluntary flooding of the reactor cavity and the cooling of the molten core inside the vessel. The final proof that this measure is effective for all plant sizes, including the largest (1300 MWe) does not yet exist. The expectations are, however, good at least up to 1000 MWe and studies are underway.
The problem of the high leak-proof level of the containment would be tackled by the reduction of the number and of the size of the penetrations, by the collection of the leaks in closed rooms with discharge to the stack, by continually monitoring for excessive leaks (at least in the containment configuration pertinent to operation conditions) and by the pressurization (or flooding or draining) of the space between the two seals of each penetration after the accident.
The probability of destructive reactivity accidents is considered negligible, but an uncertainty remains for up to one hour between the melting of the control rods and the fuel melting in the core. The situation might be more critical for a BWR where the re-flooding of the core would be performed by fresh water, not containing any neutron poison.
Figure 5-2. FILTRA on site.
Figure 5-3. Possible partition of energy associated with a steam explosion in the vessel. [Diagram labels: molten core; 2 GJ explosion; 700 MJ kinetic energy; energy dissipation in the barrel, pipes, upper internals and bolts; total missile mass 200 t; kinetic energy of missile 150 MJ.]
5-3. Severe accident management: the present state of studies and implementations
A Nuclear Energy Agency report (NEA, 1995) contains the summary and conclusions of an international specialist meeting on the implementations of severe accident management, in the framework of an OECD activity lasting many years on the subject of accident management. The document makes clear that, at last, an international consensus exists on intervention measures applicable to water reactors, such as the following: the injection of water in a damaged core, the cooling of the containment and the need to provide reserve systems for the emergency electric power supply. The troubles in reaching this agreement demonstrate the degree of difficulty in the technical problems of the severe accidents: every intervention can, here more than in other cases, result in a counter-productive action (e.g. the water on the core provides the necessary cooling but may enhance the metal–water reaction; containment cooling will condense the steam and may so de-inert the already present hydrogen, etc.). The degree of knowledge is not yet complete in this area; for example, the cooling mechanisms of the ‘core on the floor’ are not yet known to the desired degree. However, the uncertainties are not such as to prevent definite action in the field of accident management which leans essentially on the optimization of the accident management procedures.
Figure 5-4. Conceptual scheme of a composite containment for a PWR (internal steel shell and external structure in reinforced concrete; from J. Eibl, reproduced courtesy of Forschungszentrum, Karlsruhe, Germany). [Diagram labels: reinforced concrete (200 cm); double containment 100 cm; steel shell (38 mm); safety cage; natural convection cooling; core melt cooling device; 65 m; section A–A.]
5-4. Data on severe accidents
Table 5-1 shows some data which can be useful in performing order of magnitude evaluations on phenomena connected with severe accidents. The transfer of scientific knowledge on phenomena into actions and procedures is a difficult process (see the above quoted case of the pouring of water on a degraded core): research still plays an important part in the implementation of accident management. Moreover, additional work is needed in the field of severe accident management under low power or shutdown conditions.
5-5. Descriptions of some typical accident sequences
The following describes some typical severe accident sequences for a PWR. The nomenclature, the choice of the critical sequences and the descriptions made by the US Nuclear Industry Degraded Core Rule Making (IDCOR) programme (IDCOR, 1984) are adhered to, in line with a general illustration of the trend of the phenomena. As far as the quoted numerical figures are concerned, other studies may differ to some degree. The plant considered by IDCOR is ZION, a typical PWR. Table 5-2 gives a summary of the events with the most significant external releases, and the consequences.
Table 5-1. Severe accident data (indicative figures)
Production of hydrogen per kilogram of zirconium: 44.4 g
Zircaloy in a 600 MWe PWR reactor: 19 000 kg
Structural steel in the core: 29 000 kg
Hydrogen combustion heat: 121 MJ kg⁻¹ (57.8 kcal mole⁻¹)
Heat developed in the metal–water reaction: Zr > 6.7 MJ kg⁻¹; Fe > 0.4 MJ kg⁻¹
Penetration velocity of a molten core in the containment floor: siliceous concrete: 0.0001 m/s (40 cm/hr); limestone concrete: 0.00005 m/s (20 cm/hr)
Gas generated by the attack of floor by a molten core: siliceous concrete: 0.07 kgH2O kgcalc⁻¹; limestone concrete: 0.26 kgCO2 kgcalc⁻¹ + 0.065 kgH2O kgcalc⁻¹
Limit power for coolability of a molten core on the floor: 0.02 m² MWt⁻¹ (MWt of the core at full power)
Total mass of molten fuel and structural materials (corium) in a 1000 MWe PWR: 110 t (incl. 61 t UO2 + 19 t Zr + 29 t stainless steel)
Maximum theoretical energy of a steam explosion: 1 MJ kg⁻¹ corium
Theoretical total energy: 110 000 MJ
Mass of molten core which may reasonably react with water: 10%
Assumed mechanical efficiency of the steam explosion: 2–15% (probable value 4–5%)
Assumed maximum pressure (for steam explosion) in the vessel cavity: 10 MPa (100 bar)
Exit velocity of a ‘corium’ jet from a hole in the bottom of the vessel for an internal pressure of 15 MPa (150 bar): 60 m s⁻¹
Minimum primary pressure for which DCH is possible: 2 MPa (20 bar)
Maximum thermal energy released in a very serious reactivity accident (AP600): 80 000 MJ
Maximum mechanical energy released in a very serious reactivity accident (AP600): 80 000 MJ × 10% fragmented fuel × 3% (efficiency) = 240 MJ
Pressure generated in a containment (AP600) by detonation of H2 at 13% without steam starting from 150 kPa (1.5 bar): 2.9 MPa (29 bar) (duration 13 ms)
Bursting pressure of a containment in quasi-static conditions: 2–4 pd (pd = design pressure)
Removal coefficient for released iodine and caesium in the ground after penetration of the containment floor (collapse mode ε of the Rasmussen report): 100

5-5-1. Loss of station electric power supply (TE = transient + loss of electrical supply)
This sequence is caused by a loss of all the external electric supplies of the power station with subsequent loss of all the sources of alternate emergency electric power. Scram follows, then the coast-down of the pumps starts and the loss of the auxiliary feed-water to the steam generators takes place. Under these conditions, no core cooling system is available, except the passive pressure accumulators. The containment engineered safeguards are not available, either. This sequence could be considered similar to that at TMI, although here the lack of some essential safeguards is due to the loss of electric power and not to an erroneous diagnosis of the situation by the operators. From a thermo-hydraulic point of view, the steam generators eliminate heat at the start, but afterwards their water reserve finishes. The primary pressure increases because of decay heat up to the point where the pressurizer relief valves (PORV) open. The primary system loses water through the PORV up to
Table 5-2. Events and consequences of some significant sequences (sequences with the most significant external releases)

| | TE = transient + loss of electric power | SE = small LOCA + loss of electric power | V = interfacing systems LOCA |
|---|---|---|---|
| Probability for reactor-year | 2E-7 | 6E-6 | 1E-7 |
| Uncovering of the top of the core | 2.3 hours | 2.2 hours | 20 hours |
| Start of melting | 3.1 hours | 3 hours | 23 hours |
| Vessel break | 4 hours | 3.8 hours | 26 hours |
| Containment break due to over-pressure | 32 hours | 32 hours | |
| Start of radioactive products release | 32 hours | 32 hours | 24 hours |
| Release fractions of radioactive products: Xe–Kr | 1 | 1 | 1 |
| I–Br | 2E-3 | 2E-3 | 8E-5 |
| Cs–Rb | 2E-3 | 2E-3 | 8E-5 |
| Te–Sb | 2E-5 | 2E-5 | 8E-5 |
| Sr–Ba | <1E-5 | <1E-5 | 5E-5 |
| Ru–Mo | <1E-5 | <1E-5 | <1E-5 |
| External consequences: prompt casualties | 0 | 0 | 0 |
| Immediate physical damage | 0 | 0 | 0 |
| Late tumours index (fractional increase of cases beyond normal occurrence within 80 km from the plant and within 30 years from the accident) | 1E-4 | 1E-4 | 2E-5 |
| External costs (10^6 $US) | 700 | 70 | 60 |
| Whole body dose [man Sv] | 8E3 | 8E3 | 9E2 |

the point where the core starts to uncover. After that, the additional heat produced by the metal–water reaction increases the steam production rate. When a significant part of the core is molten, its support plate fails and the ‘corium’ enters the lower plenum of the vessel. The possibility of a steam explosion is negligible. It is then assumed that the vessel fails at a weld of one of the lower head penetrations and that, therefore, the corium is released at high pressure, together with hydrogen and water, into the reactor cavity. The molten core migrates, through the instrumentation tunnel, on the floor of the lower compartment of the containment. The residual vessel water flows (including the water supplied by the passive accumulators) in the same space. The corium continues to flow in the cavity because the core continues to melt. Here, too, the probability of a steam explosion is considered negligible. It is estimated that the water in the cavity completely vaporizes in about nine hours, that the corium again reaches the concrete melting temperature after about one hour and that at this
point the erosive attack of the bottom starts. Hydrogen is produced by the interaction of corium with the concrete and it partially burns until the temperature is reached where a global combustion initiated by the corium takes place. Hydrogen and the other non-condensing gases generated by the concrete–molten core reaction slowly pressurize the containment which is assumed to burst (at a pressure of about 2.9 times the design value) 32 hours after the start of the accident. As far as the behaviour of the radioactive products of the core is concerned, almost all the volatile ones are released in the upper plenum before the vessel rupture. The remainder is deposited in the cooling circuits and in the steam generators. After vessels burst, a small part of the radioactive products enters the cavity and is swept away in the containment compartments where it is deposited on the various horizontal surfaces and adheres on the vertical ones due to condensation of steam. The material deposited in the upper plenum and in the circuits heats the structures up, vaporizes again and
is deposited in the high parts of the circuits and in the vessel down-comer, where it is effectively trapped, dissipating the generated heat through the thermal insulation towards the containment. At the moment of the containment failure, vapours escape from the primary system towards the containment, because of the depressurization, and hence towards the environment. The external consequences are not disastrous. No quick casualties are envisaged and late developing cancers are few (with reference to the natural occurrences): about 0.5 per cent of the natural occurrence in a radius of 80 km from the plant. In this evaluation a reasonable implementation of the existing emergency plan is assumed. As far as possible effects of operator actions are concerned, if electric power is recovered before the core is uncovered, cooling is re-established and the accident is terminated without damage, or with only modest damage, to the core. The operator has also to open the PORV in order to decrease the pressure in the primary system and to allow the use of the low pressure injection pumps for cooling the core. If the power is recovered after vessel break, flooding of the cavity will take place as an effect of the containment spray system and consequently the end of the accident destructive processes will occur.
5-5-2. Loss of electric power with LOCA from the pump seals (SE = small LOCA + loss of electric power)
The assumption here is that, as a consequence of the total loss of electric power and with a delay of about 45 minutes, the pumps’ seals are damaged because of the loss of the cooling system. This sequence of events and the consequences are very similar to the preceding scenario (Section 5-5-1). In this case no safety valve opening takes place because the pressure is kept low by the efflux through the pumps’ seals.
5-5-3. Interfacing systems LOCA (V)
This sequence is caused by the break of the two double-disk valves between the primary system and the residual heat removal (RHR) system. The release of high pressure water in the low pressure pipe causes the seals in the RHR pumps to break, discharging
water into the pump room (auxiliary building). The following systems are assumed to be operational: the auxiliary feed-water system, the relief valves of the steam generators and one train of the high pressure injection system (HPSI). The accumulators are available, as well as the containment cooling system. It is assumed that the operator manually blocks the reactor pumps at the start of the emergency core cooling system (ECCS). The start-up of ECCS ensures core cooling until, at six hours into the accident, the water tank (RWST) for the fuel-handling pools empties. The core remains covered for 20 hours because of the reflux refrigeration in the steam generators and the operation of the auxiliary feed-water. A large amount of steam is released in the auxiliary building during this period. After 20 hours the core starts to uncover and overheats, zircaloy is oxidized and subsequently the fuel starts to melt. Steam is continuously released in the auxiliary building, the core drops down in the vessel lower plenum and the vessel itself is perforated at about 26 hours. The discharge of corium into the cavity causes a quick attack of the concrete in the absence of water. Gases are evolved and released in the auxiliary building through the primary system. During discharge of gases and vapours in the auxiliary system, a simultaneous transport of radioactive products takes place; these products finally deposit on interior surfaces because of the continuous condensation of steam. It is estimated that the percentages released to the outside are rather small and the external consequences are negligible. No short-term casualties result and only an increase of a fraction per ten thousand of the natural occurrence of tumours in the surrounding zone are estimated. Procedures have been, moreover, studied to further mitigate the consequences of the accident by the intervention of operators. 
The first is based on keeping the RHR pumps submerged by flooding their room by the use of fire-fighting hoses routed through the stairs. In this way the wash down of fission products is increased and their release is decreased. The second technique, even more effective, is based on preserving core cooling through:
the RWST tank; the boric acid mixer; the fuel pool; portable pipes and hoses; a jury-rigged sump pump to take water from the bottom of the RHR pumps’ room and make it available again for injection in the reactor by the ECCS system.
5-5-4. Large LOCA with failure of the recirculation (ALFC)
This scenario assumes a break in the cold leg of the primary circuit with operation of the ECCS in the injection phase (although it could also fail in the recirculation phase). It is assumed that the auxiliary feed-water of the steam generators operates correctly, as well as the fan coolers of the containment. Additionally, it is assumed that one train of the containment spray system operates in the ECCS injection phase. After the break, scram occurs, pumps slow down progressively and the auxiliary feed-water starts. The ECCS operates until the switch to recirculation from the containment bottom is attempted (after 30 minutes), which does not succeed. The core remains without refrigeration except for the effect of the water present in it, which is sufficient for 50 minutes. The metal–water reaction starts after 1.1 hours and about 450 kg of hydrogen are produced in the vessel (49 per cent of the claddings have reacted). Core melt starts after 1.7 hours and the penetration of the vessel by corium intervenes after approximately 2.3 hours. Afterwards, the corium, the remaining water and the hydrogen are released in the cavity (presumably two hydrogen deflagrations occur which increase temperature and pressure in the containment up to 650 °C and 150 kPa (1.5 bar), respectively, for a short time). The pressure in the containment increases in an initial period (up to 230 kPa (2.3 bar) at 3.5 hours) and is then controlled again by the fan coolers. The reactor cavity remains flooded and the molten core is cooled, so the concrete is not massively attacked by the corium and the production of gases, which would tend to repressurize the containment, is avoided. The containment building remains intact and no unforeseen releases of fission products occur.
5-5-5. Small LOCA with failure of the recirculation (SLFC)
This scenario assumes that a break occurs in the cold leg of the reactor recirculation system. The thermo-hydraulic behaviour is similar to the preceding scenario but with an expanded time scale: switch to recirculation mode after 6.5 hours, fuel top uncovered after 7.2 hours, start of rapid metal–water reaction after 8 hours. Roughly 600 kg of hydrogen are produced (65 per cent of the claddings, that is more than in the preceding case due to the presence of steam–water in the core for a longer time). After 12 hours, the fuel starts to melt and the vessel is perforated after 13.8 hours. Here, too, a generalized combustion of hydrogen takes place, but the containment is not damaged and the releases are small.
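An order-of-magnitude check of the hydrogen figures quoted in Sections 5-5-4 and 5-5-5 against the Table 5-1 data, with the steam explosion energy chain of the same table, as an added example that is not part of the original text. The molar masses are standard values assumed here (they are not given on the page), and all function names are illustrative.

```python
# Data copied from Table 5-1 of this chapter.
H2_PER_KG_ZR = 0.0444             # kg of H2 per kg of Zr oxidized (44.4 g)
H2_COMBUSTION_MJ_PER_KG = 121.0   # hydrogen combustion heat
ZR_WATER_MJ_PER_KG = 6.7          # metal-water reaction heat (lower bound for Zr)
CORIUM_MASS_KG = 110_000          # corium in a 1000 MWe PWR
STEAM_EXPLOSION_MJ_PER_KG = 1.0   # maximum theoretical energy per kg of corium

# Standard molar masses in g/mol (assumption: not stated on the page).
M_ZR, M_H2 = 91.224, 2.016


def stoichiometric_h2_per_kg_zr():
    """kg of H2 per kg of Zr from Zr + 2 H2O -> ZrO2 + 2 H2."""
    return 2.0 * M_H2 / M_ZR


def zirconium_inventory_kg(h2_kg, fraction_reacted):
    """Zr inventory implied by a quoted H2 mass and cladding fraction reacted."""
    if not 0.0 < fraction_reacted <= 1.0:
        raise ValueError("fraction_reacted must be in (0, 1]")
    return h2_kg / (fraction_reacted * H2_PER_KG_ZR)


def hydrogen_budget(zr_inventory_kg, fraction_reacted):
    """Hydrogen mass and the two heat terms for a given oxidized fraction."""
    zr_reacted = zr_inventory_kg * fraction_reacted
    h2 = zr_reacted * H2_PER_KG_ZR
    return {
        "zr_reacted_kg": zr_reacted,
        "h2_kg": h2,
        "reaction_heat_MJ": zr_reacted * ZR_WATER_MJ_PER_KG,
        "combustion_heat_MJ": h2 * H2_COMBUSTION_MJ_PER_KG,
    }


def mechanical_energy_mj(thermal_energy_mj, reacting_fraction, efficiency):
    """Thermal energy x fraction taking part x mechanical efficiency."""
    return thermal_energy_mj * reacting_fraction * efficiency


def steam_explosion_range_mj():
    """Mechanical energy for 10% of the corium at the probable 4-5% efficiency."""
    total = CORIUM_MASS_KG * STEAM_EXPLOSION_MJ_PER_KG   # 110 000 MJ
    return tuple(mechanical_energy_mj(total, 0.10, eff) for eff in (0.04, 0.05))


if __name__ == "__main__":
    print("stoichiometric H2 yield: %.4f kg/kg" % stoichiometric_h2_per_kg_zr())
    # The two sequences should imply the same Zr inventory for the same plant.
    for label, h2, frac in (("ALFC", 450.0, 0.49), ("SLFC", 600.0, 0.65)):
        zr = zirconium_inventory_kg(h2, frac)
        b = hydrogen_budget(zr, frac)
        print("%s: Zr inventory %.0f kg, reaction heat %.0f MJ, "
              "H2 combustion heat %.0f MJ"
              % (label, zr, b["reaction_heat_MJ"], b["combustion_heat_MJ"]))
    print("steam explosion, mechanical: %.0f-%.0f MJ" % steam_explosion_range_mj())
    print("AP600 reactivity accident: %.0f MJ"
          % mechanical_energy_mj(80_000, 0.10, 0.03))
```

The two sequences imply nearly the same zirconium inventory (about 20.7 t), so the quoted hydrogen masses and reacted fractions are mutually consistent with the 44.4 g per kilogram figure.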
5-6. ‘Source terms’ for severe accidents
In 1962, the US Atomic Energy Commission (at the time the regulatory body on the peaceful uses of nuclear energy) published a technical information document, TID-14844 (Di Nunno et al., 1962), in which a release (‘source term’) within the containment was defined for a light water reactor, corresponding to a typical accident with core melt, to be used for the verification of the compliance with the site acceptance criteria from the radiological point of view contained in the rule 10 CFR 100 (see Section 1-2). It is worth noting that the ‘source term’ envisaged the immediate release into the containment of:
100 per cent of the core inventory of noble gases;
50 per cent of the core inventory of iodine isotopes (of which 50 per cent is assumed to be immediately deposited on various surfaces of the containment so that the iodine available for external release through the containment leaks is equal to 25 per cent of the total);
1 per cent of the remaining ‘solid’ fission products, which however were always neglected by the standards and in the subsequent practice (for example in NRC Regulatory Guides 1.3 (AR299) and 1.4 (AR300) for the calculation of external consequences).
Iodine, moreover, was assumed to be mainly in elemental form (I2, 91 per cent), for five per cent in particulate form (particles or aerosols) and for four per cent in the form of organic iodide (methyl iodide and similar compounds). It is surprising to consider that these simple rules have dominated a large part of the nuclear safety
technology for more than twenty years. They had important consequences on the plants either from the amount of releases, from the assumption of practically instantaneous release from the core, or from their composition and chemical–physical form. The engineered safety features, for example, have been optimized for the removal of elemental and organic iodine, while the closure time of the isolation valves has been established on the basis of the immediate release from the core. The Technical Information Document 14844 (TID) releases, as they were then named, have been used for the verification of the resistance to radiations of equipment inside the containment, as well as for the evaluation of control room habitability after an accident and for the design of liquid and gas sampling systems. After publication of the Rasmussen report (1975) and the TMI accident, the validity of the ‘old and glorious’ TID was questioned, much research on the subject was carried out and, in 1992, after years of debate in all the scientific and regulatory centres all over the world, a NRC report was published (USNRC, 1992a) containing a new proposal of ‘source term’, which should replace the TID. The new proposed releases for a PWR are shown in Table 5-3, expressed as a fraction of core inventory. The releases for a BWR are slightly different. The new proposal derives from the consideration of the sequences studied in USNRC (1990) and USNRC (1992b), and intends to represent an average of meaningful cases. The releases due to interaction of the molten core with concrete (late out of vessel releases) are those deriving from the assumption of an absence of water above the molten layer.
If the case where a water layer is present is of interest, then the release will be lower due to the effect of removal of the water. As far as the chemical–physical form of iodine is concerned, the following suggestions are given:
at least 95 per cent in the form of caesium iodide (CsI, aerosol);
5 per cent in the form of I or of HI with at least 1 per cent in each one of the two forms;
the iodine dissolves in the containment water as I⁻ and may subsequently evolve as elemental iodine if the water pH is low (also as a consequence of radiolysis). In this case organic forms of iodine can be formed (to be particularly feared as they are difficult to remove by filters and by other systems). In the case where a pH control is envisaged for the containment water with the goal of keeping it above 7, then it is possible to assume that not more than 1 per cent of dissolved iodine is freed from the water and can produce organic iodine.
Moreover, the other isotopes, besides noble gases and iodine, released are assumed to be in particulate form.
The report on the new source terms (USNRC, 1992a) also gives guidance on the removal factors by filters, containment spray systems and water pools. Typical values for these factors are:
Removal by carbon filters: 90–99 per cent for elemental iodine and 30–99 per cent for organic iodides.
Decrease of the radioactivity in suspension in a containment by a factor of about 100 as a result of a spray system in the first half an hour (subsequently the removal is much slower and depends on the water pH), under the condition that all the volume of the containment can be considered covered by the spray.
Removal by a factor between 10 and 100 as a result of the passage of the effluents through the pool water of a BWR.

Table 5-3. New source terms

| | Gap | Prompt releases in the vessel | Releases outside the vessel | Late, in vessel, releases |
|---|---|---|---|---|
| Duration (hours) | 0.5 | 1.3 | 2 | 10 |
| Noble gases | 0.05 | 0.95 | 0 | 0 |
| Iodine | 0.05 | 0.35 | 0.29 | 0.07 |
| Caesium | 0.05 | 0.25 | 0.39 | 0.06 |
| Tellurium | 0 | 0.15 | 0.29 | 0.025 |
| Strontium | 0 | 0.03 | 0.12 | 0 |
| Barium | 0 | 0.04 | 0.10 | 0 |
| Ruthenium | 0 | 0.008 | 0.004 | 0 |
| Cerium | 0 | 0.01 | 0.02 | 0 |
| Lanthanum | 0 | 0.002 | 0.015 | 0 |
It is worth repeating that the ‘source term’ has the purpose of replacing, using the modern research data now available, the releases given in the TID-14844 report in their specific applications, essentially of US interest. The new source term represents a reasonable average reference for severe accidents with extensive core melt. Obviously, for each specific case of interest, that is for every accidental sequence which has to be studied in depth, the calculation codes used to determine the new source term (SCDAP-RELAP and MELCOR) are capable of adequately supplying the required specific answer. It has to be expected, however, that the new source terms will be extensively applied, in particular for order of magnitude evaluations, to those scenarios of main interest in this book.
References
Di Nunno, J., Baker, R.E.D., Anderson, F.D. and Waterfield, R.L. (1962) ‘Calculation of distance factors for power and test reactor sites’, USAEC, TID-14844.
IDCOR (1984) ‘Nuclear power plant response to severe accidents’, Technology for Energy Corp., Knoxville, TN.
NEA (1995) Summary and conclusions. Report NEA/CSNI/R(95)16: Specialist meeting on severe accident management implementation, Niantic CT, 12–14 June, Nuclear Energy Agency.
Petrangeli, G., Zaffiro, C. and Arru, L. (1995) ‘Design of containment systems against severe accidents’, Nuclear Europe Worldscan, 15(5/6), May/June.
Theofanous, T.G. and Corradini, M.L. (1995) ‘The containment of severe accidents in the Advanced Passive Light Water Reactors’, ANPA, March.
USNRC (1990) ‘Severe accident risks: An assessment for five US nuclear power plants’, NUREG 1150.
USNRC (1992a) ‘Accident source terms for light water nuclear power plants’, NUREG 1465.
USNRC (1992b) ‘Estimates of radionuclide release characteristics into containment under severe accidents’, NUREG CR5747.
Chapter 6 The dispersion of radioactivity releases
6-1. The most interesting releases for safety evaluations
This chapter deals with some simple and quick methods for the evaluation of the dispersion in the environment of gaseous releases (gases, volatile products, aerosols and particulates). Chapter 7 describes some methods for evaluating the health consequences of releases. There are three steps in the evaluation of the consequences of accidents:
(1) Evaluation of the releases (the ‘source term’: amount, chemical–physical form, trend with time).
(2) Evaluation of the dispersion of releases in the environment.
(3) Evaluation of the health consequences (see Chapter 7).
The gaseous releases which are dealt with here are the most relevant ones for the evaluation of the immediate accident consequences and for the preparation of short-term emergency plans. Solid and liquid releases are less important for a nuclear power station because the radioactive products released to the environment are mainly gaseous and have high velocity (which may cause adverse consequences outside the plant). However, liquid releases have to be taken into account under some circumstances. The situation, then, is very different from many non-nuclear process plants where the prevailing accidental release from the point of view of the consequences may frequently be the release of flammable or toxic liquids. The radioactive isotopes which could in theory be released during an accident from a nuclear power station are listed in Table 2-1. In practice, however,
as recalled in Chapter 2, for order of magnitude evaluations and in order to only evaluate the scale of the accident consequences, it is sufficient to evaluate the following effects:
direct radiation dose from noble gases (xenon-133, krypton-85) contained in the plume released;
inhalation dose from iodine-131;
radiation dose due to ground-shine from caesium-137 deposited on the ground (this effect is generally important only over long periods, that is weeks or months).
In some cases, the safety reports used for licensing evaluate only the releases of the above listed isotopes, even if this practice doesn’t satisfy many specialists. Ultimately, it is totally unsatisfactory when the consequences of releases evaluated in this manner are relatively close to the limits fixed for them in the design criteria. It is necessary to consider plutonium and tritium only for specific plants and accidents. Some physical–chemical properties of the listed isotopes are particularly important for studying the consequences of accidents, and are briefly discussed here:
The half-life, short or long, of the isotopes: Xenon-133, very abundant among the fission products, has a half-life of roughly five days and, therefore, it is important immediately after an accident. Krypton-85, on the other hand, has a half-life of about 11 years and, therefore, the defence against it doesn’t consist in waiting for its decay. However, it tends to disperse and to dilute in the atmosphere without depositing out on the ground and, therefore, if released to the outside of a plant, it soon becomes innocuous. Even if it remains trapped in the containment after an accident, it is possible to get rid of it by venting it to the outside in favourable meteorological conditions and in a controlled way.1 Caesium-137, too, has a long half-life (about 30 years) but, in addition, tends to deposit on the ground with its compounds. It is, therefore, the cause of prolonged irradiation of people from the ground. Moreover, the measurements performed on the ground after the Chernobyl accident have demonstrated that, even after many years, the deposited caesium remains concentrated in the first centimetres of soil without penetrating in deeply and without dispersing, in contrast with what might be expected.
Higher or lower volatility of the nuclide or of its more probable compounds: From this point of view, xenon, krypton, iodine, caesium and tritium must be considered volatile, in contrast with the other nuclides; strontium has an intermediate position, approaching that of a non-volatile element.
The higher or lower tendency to be removed and retained by the impact against walls and by rain (natural or artificial): Iodine, except for its organic compounds which tend to be formed in a very modest proportion (from 0.01 to 1 per cent according to the surrounding conditions), must also be considered easily removable even if in some conditions it may, subsequently, re-enter the atmosphere in suspension. Caesium too is removed rather easily.
In case of accident, the releases outside the plant would probably occur by slow infiltration through the leakage paths of the containment system, generally through the leak paths of the personnel and equipment airlocks, or through the leak paths of the electrical or mechanical penetrations of the containment. These leakages would generally be routed to a high (80–100 m) chimney and hence released to the outside. Part of the leaks might, however, bypass the emergency ventilation systems and be directly released to the outside at ground level. In both cases, the dispersion in the environment occurs by diffusion activated by the existing wind and by transport due to the wind itself. In particular cases, the releases might happen in an explosive way and be projected, therefore, to a great height. This happened in the Chernobyl accident. In this case the dispersion in the environment would occur under the influence of the high altitude air currents and by diffusion (to distances up
to several tens of kilometres from the site) with mechanisms a little different from those governing the releases near the ground (or from a chimney).2
6-2. Dispersion of releases: phenomena
In general terms, gaseous releases may give rise to dense (heavy) clouds (i.e. heavier than air) or to light clouds. Chlorine and ammonia, for example, give rise to heavy clouds. The dispersion of a light cloud in the environment occurs by diffusion, generally in a turbulent regime. On the other hand, the dispersion of a heavy cloud occurs firstly by fall and by gravitational spread (in a similar fashion as water in a bucket placed on the ground would disperse if the bucket suddenly disappeared). Subsequently, at a certain distance from the source, the heavy cloud is also dispersed by diffusion. In the case of the release of radioactive substances from nuclear plants, light clouds are always formed: only the substances released as particulates or as aerosols show a gravitational motion of deposition towards the ground which is simultaneous to the dispersion by diffusion. The fact that the releases happen at ground level or at the mouth of a chimney has a large influence on their dispersion pattern. As can be seen from Figure 6-1, during a ground release all the zone of ground downwind from the release point is exposed to the contamination of the products transported by the cloud (a). However, during release from an elevated chimney the ground is not contaminated up to a distance D from the release point, and people who stay within this distance are effectively protected by being in its ‘shadow’ (b). Moreover, at distance D, at ground level, the contaminant concentration is lower than in the ground release case for two reasons. Firstly, the release plume has diffused in all directions (at a distance D from the plant, the concentration of contaminants at the centreline of the plume is lower than in the ground release case by a factor of two according to the diffusion theory).
Secondly, at distance D the ground is affected by the outside border of the plume (where the concentration, by definition of ‘plume border’, is equal to 10 per cent of the value at the centre of the plume itself), while in the ground release case, at distance D, the centreline concentration is present.3
Figure 6-1. Diffusion plume for (a) ground and (b) elevated release from a chimney (D = protected distance).
The following parameters have an overwhelming influence on the atmospheric dispersion:
the wind speed; the vertical thermal gradient (i.e. the change of the temperature with height).
The effect of the wind speed on the air turbulence and on its dispersion capabilities is self-evident. The importance of the vertical thermal gradient can be understood by the following points:
If a small volume of air is ideally displaced because of turbulence from position 1 upwards to position 2 (Fig. 6-2) without heat exchange with the outside (a valid assumption for quick movements due to turbulence), then its pressure, in order to be in equilibrium with the new external environment, must decrease (at low elevations atmospheric pressure decreases by about 9 mmHg every 100 m
increase in elevation). (In this example in the figure, the spherical volume of air is displaced by 100 m upward so that a substantial pressure variation results.) As the displacement has taken place without thermal exchanges, that is in an adiabatic way, the temperature T2 (kelvin) will be given by the law valid for adiabatic transformations (equation 6.1):
$$T_2 = T_1 \left( \frac{P_2}{P_1} \right)^{\frac{k-1}{k}} \qquad (6.1)$$

where k is the ratio of specific heat at constant pressure to specific heat at constant volume (for air = 1.4).
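Equation 6.1 applied to the displacement of Fig. 6-2, together with the comparison between the adiabatic temperature and the measured air temperature that the text goes on to describe, as an added example that is not part of the original book. The temperature sounding is constructed, the 0.05 K tolerance for calling a layer adiabatic is an assumption, and the pressure at height uses the 9 mmHg per 100 m rule quoted above for low elevations.

```python
K_AIR = 1.4                 # cp/cv for air, as given with equation 6.1
P_GROUND_MMHG = 760.0       # pressure at position 1 in Fig. 6-2
DP_PER_100M_MMHG = 9.0      # about 9 mmHg per 100 m at low elevations


def pressure_mmhg(height_m):
    """Approximate pressure at a low elevation from the 9 mmHg / 100 m rule."""
    return P_GROUND_MMHG - DP_PER_100M_MMHG * height_m / 100.0


def adiabatic_temperature(t1_k, p1, p2, k=K_AIR):
    """Equation 6.1: temperature (K) after an adiabatic move from p1 to p2."""
    return t1_k * (p2 / p1) ** ((k - 1.0) / k)


def classify_layer(h1_m, t1_k, h2_m, t2_k, tol_k=0.05):
    """Classify the thermal gradient between two measured levels, h2 above h1.

    tol_k is an assumed measurement tolerance, not a value from the text.
    """
    if h2_m <= h1_m:
        raise ValueError("h2_m must be above h1_m")
    if t2_k > t1_k:
        return "inversion"            # temperature increases with height
    t2_ad = adiabatic_temperature(t1_k, pressure_mmhg(h1_m), pressure_mmhg(h2_m))
    if abs(t2_k - t2_ad) <= tol_k:
        return "adiabatic"
    # Air colder than the displaced parcel: the parcel keeps rising (unstable).
    # Air warmer than the parcel: the parcel sinks back (stable).
    return "superadiabatic" if t2_k < t2_ad else "underadiabatic"


def classify_profile(sounding):
    """sounding: list of (height_m, temperature_K), sorted by height."""
    return [(h1, h2, classify_layer(h1, t1, h2, t2))
            for (h1, t1), (h2, t2) in zip(sounding, sounding[1:])]


def inversion_base(sounding):
    """Height of the bottom of the lowest inversion layer, or None."""
    for h1, _h2, kind in classify_profile(sounding):
        if kind == "inversion":
            return h1
    return None


# Constructed sounding: strong cooling near the ground, inversion above 200 m
# (the situation of Fig. 6-6).
SOUNDING = [(0, 288.15), (100, 286.65), (200, 285.15), (300, 285.65), (400, 286.15)]

if __name__ == "__main__":
    t2 = adiabatic_temperature(288.15, 760.0, 751.0)
    print("Fig. 6-2 displacement: T1 = 288.15 K -> T2 = %.2f K" % t2)
    for h1, h2, kind in classify_profile(SOUNDING):
        print("%3d-%3d m: %s" % (h1, h2, kind))
    print("inversion base: %s m" % inversion_base(SOUNDING))
```

For the 100 m displacement of Fig. 6-2 the adiabatic cooling is about 1 K, so any layer that cools faster than that with height is superadiabatic and any layer that cools more slowly is underadiabatic.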
If the air temperature at position 2 is higher than the final one of the adiabatic transformation, T2,
Figure 6-2. Adiabatic expansion of an air volume (position 1: 0 m, pressure = 760 mmHg; position 2: 100 m, pressure = 751 mmHg).
then the small air volume displaced will be more dense and heavier than the surrounding air and will tend to return to its starting position by gravity (stability). In the opposite case, it will tend to rise even more under the effect of buoyancy (instability). The same reasoning is valid if a downward displacement is assumed. The vertical thermal gradient of air is adiabatic if it corresponds to an adiabatic transformation, it is superadiabatic if it is algebraically lower than the adiabatic one and it is underadiabatic if it is
Adiabatic
h
Underadiabatic Superadiabatic Inversion
T
Figure 6-3. Identification of various distributions of temperature with height.
algebraically higher than the adiabatic one (Fig. 6-3). For a superadiabatic gradient, the temperature decreases with increasing height more than for an adiabatic transformation. The opposite is true for an underadiabatic gradient. Therefore, a superadiabatic situation (Fig. 6-4), is favourable to the instability of the turbulent movements of the atmosphere and therefore it is favourable to an effective dispersion of contaminants. On the other hand, an underadiabatic situation is stable and unfavourable to dispersion (Fig. 6-5). The peculiar underadiabatic situations where the temperature increases with increasing height are thermal inversions (Fig. 6-6). Generally, they occur on clear nights when the earth more easily loses its heat by radiation towards the sky and therefore the lower atmosphere layers also cool down significantly, while the higher layers remain relatively warm. On the following morning, after some hours of insolation, the ground heats up again and the inversion tends to disappear. The inversion condition is favoured by light winds (wind speed <2 m s 1). Another very peculiar condition is fumigation (see Fig. 6-7). It can occur in the first hours of the morning, after a clear night with inversion, when the soil starts to heat up and the inversion raises from ground level up to an elevation H. If the diffusion below the inversion elevation is very good (for example in the presence of a breeze), then, always below the inversion layer, the release concentration
Chapter 6 The dispersion of radioactivity releases
69
Adiabatic gradient h
T
Figure 6-4. The case of superadiabatic thermal gradient (good dispersion).
Adiabatic gradient
h
T
Figure 6-5. The case of underadiabatic thermal gradient (small dispersion).
Adiabatic gradient
h
T
Figure 6-6. The case of superadiabatic thermal gradient with overhead inversion (good dispersion only below the inversion layer).
70
Nuclear Safety
Adiabatic gradient h Category F Category B H h T
Figure 6.7. The limit case of a thermal inversion (fumigation conditions).
tends to be constant along the height. This is important because the effect of the presence of the chimney (the ‘umbrella’ effect) is reduced or eliminated. In general, the fumigation conditions don’t last more than a few hours. The diffusion characteristics near a plant at a certain moment can be judged by knowing the air temperature as a function of height, together with other factors which are discussed below. The local meteorology of the site of a nuclear plant is the subject of attentive and long studies with the aim of forecasting environment contamination and getting guidance on the most opportune moments to discharge gaseous waste into the atmosphere. A meteorological tower, roughly 100 m high is a characteristic feature on the site of an important power plant. The above has given basic information on the meteorology of atmospheric diffusion. The following gives some simple techniques for evaluating the concentration of contaminants at a specified distance from the release.
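The stability argument above, built on Equation 6.1, can be applied to two temperature readings taken on a meteorological tower. The following Python sketch is an added example, not code from the book; the function names, the tolerance band and the sample readings are hypothetical, and the pressures are the 760 and 751 mmHg of Figure 6-2.

```python
"""Classify a measured vertical temperature gradient against the adiabatic one."""

K_AIR = 1.4  # ratio of specific heats for air, as given with Equation 6.1

# Dispersion outlook for each situation, as described in the text above.
OUTLOOK = {
    "superadiabatic": "unstable, good dispersion",
    "adiabatic": "neutral",
    "underadiabatic": "stable, small dispersion",
    "inversion": "stable, temperature increases with height",
}


def adiabatic_temperature(t1_kelvin, p1, p2, k=K_AIR):
    """Equation 6.1: temperature of an air parcel moved adiabatically from p1 to p2.

    Pressures may be in any unit as long as both use the same one.
    """
    if t1_kelvin <= 0 or p1 <= 0 or p2 <= 0:
        raise ValueError("temperature (K) and pressures must be positive")
    return t1_kelvin * (p2 / p1) ** ((k - 1.0) / k)


def classify_gradient(t_low, t_high, p_low, p_high, height_diff_m, tol=1e-3):
    """Compare the measured gradient between two levels with the adiabatic one.

    t_low, t_high : measured air temperatures (K) at the lower and upper level
    p_low, p_high : pressures at the two levels (same unit)
    height_diff_m : vertical distance between the levels (m)
    tol           : band (K per m) inside which the gradient counts as adiabatic
                    (hypothetical value chosen for this example)
    Returns (label, measured_gradient, adiabatic_gradient), gradients in K per m.
    """
    if height_diff_m <= 0:
        raise ValueError("the upper level must be above the lower level")
    t_parcel = adiabatic_temperature(t_low, p_low, p_high)
    adiabatic = (t_parcel - t_low) / height_diff_m
    measured = (t_high - t_low) / height_diff_m
    if measured > 0:
        label = "inversion"        # temperature increases with height
    elif measured > adiabatic + tol:
        label = "underadiabatic"   # algebraically higher than adiabatic
    elif measured < adiabatic - tol:
        label = "superadiabatic"   # algebraically lower than adiabatic
    else:
        label = "adiabatic"
    return label, measured, adiabatic


if __name__ == "__main__":
    # Constructed readings: (temperature at ground, temperature at 100 m), in kelvin.
    readings = [(288.15, 286.65), (288.15, 287.17), (288.15, 287.65), (283.15, 285.15)]
    for t_ground, t_top in readings:
        label, measured, adiabatic = classify_gradient(t_ground, t_top, 760.0, 751.0, 100.0)
        print(f"{t_ground:.2f} K -> {t_top:.2f} K: {measured * 100:+.2f} K/100 m "
              f"(adiabatic {adiabatic * 100:+.2f}) {label}: {OUTLOOK[label]}")
```

With the figure's pressures the adiabatic parcel cools by about 0.98 K over the 100 m, which is the reference every measured profile is compared against.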
6-3. Release dispersion: simple evaluation techniques

‘Cloud concentration’ ( seconds per cubic metre) is the measure of air contamination at a certain position for health protection evaluations. Sometimes, the symbol /Q is used for the same quantity, where Q is the activity release (Bq). Cloud concentration is inversely proportional to wind speed (sometimes it is given for a wind velocity equal to unity, i.e. 1 m s⁻¹).

Case 1 (instantaneous release): The radioactivity inhaled by an exposed person during the passage of the contaminated cloud,

I = R Q Bq, (6.2)

where R is the respiration rate of the exposed person (3.4 × 10⁻⁴ m³ s⁻¹ for an adult), Q is the activity released (Bq) and is the cloud concentration (s m⁻³).

Case 2 (continuous release): The radioactivity inhaled by an exposed person during the passage of the contaminated cloud,

I = R Q/t Bq s⁻¹, (6.3)

where R is the respiration rate of the exposed person (3.4 × 10⁻⁴ m³ s⁻¹ for an adult), Q/t is the activity released by a continuous source (Bq s⁻¹) and is the cloud concentration (s m⁻³).

In the Gaussian theory of diffusion (the most commonly used), the cloud concentration is a function of wind speed (inverse proportionality), the values of the standard deviation of the Gaussian distribution, the height of release and the position of a point in space with reference to the release point. The relevant formulae and diagrams, valid within several tens of kilometres from the release point, are given in Section 6-4. For simplified evaluations that usefully support quick decisions, they are not strictly necessary. For now it is sufficient to know that the formulae and diagrams applied to a specific condition are, in current practice, connected with six categories of meteorological diffusion (the Pasquill categories, after the name of the specialist who proposed them) (see Note 4). The categories and the meteorological conditions in which each of them is applicable are shown in Table 6-1.

Table 6-1. Relationship between turbulence types (categories) and weather conditions

A – Extremely unstable conditions
B – Moderately unstable conditions
C – Slightly unstable conditions
D – Neutral conditions (applicable to heavy overcast conditions, day or night)
E – Slightly stable conditions
F – Moderately stable conditions

| Wind speed (m s⁻¹) | Daytime insolation: Strong | Daytime insolation: Moderate | Daytime insolation: Light | Night-time conditions (cloud cover*): Thin overcast or > 4/8 | Night-time conditions (cloud cover*): <3/8 |
|---|---|---|---|---|---|
| <2 | A | A–B | B | - | - |
| 2 | A–B | B | C | E | F |
| 4 | B | B–C | C | D | E |
| 6 | C | C–D | D | D | D |
| >6 | C | D | D | D | D |

*The degree of cloudiness is defined as the fraction of sky covered by clouds above the local apparent horizon.

Although condition F with a wind speed of 2 m s⁻¹ is shown in the table only as a night-time condition, in reality it is currently used as a condition applicable to both day and night in conservative evaluations. For rule-of-thumb, quick and conservative evaluations, a ground release in condition F with a wind speed of 2 m s⁻¹ is assumed, with:
- a cloud concentration of 3 × 10⁻⁴ s m⁻³ at a distance of 1000 m from the release;
- at other distances d (m), that value multiplied by (1000/d) raised to an exponent of 1.5 to 2, in s m⁻³ (that is, variation of the cloud concentration with distance on the basis of an inverse proportionality to the ratio of the distances with an exponent of 1.5–2).

If the release occurs from an elevated chimney (roughly 80–100 m high), the cloud concentration is assumed to be ten times lower than the value given for the first kilometres from the release. If less favourable meteorological situations are to be evaluated (as an example of ‘best estimate’ calculations), a D condition with a wind speed of 5 m s⁻¹ is frequently assumed, with a corresponding cloud concentration at 1000 m of 10⁻⁵ s m⁻³.

The concentration of the material deposited on the ground by a cloud generated by an instantaneous release is obtained by the concentration in air multiplied by a deposition velocity v, usually conservatively assumed equal to 0.01 m s⁻¹. We define the concentration on the ground,

Ct = Q v Bq m⁻², (6.4)

where is the cloud concentration (s m⁻³), Q is the activity released (Bq) and v is the deposition velocity, usually assumed equal to 0.01 m s⁻¹ (see Note 5).
6-4. Formulae and diagrams for the evaluation of atmospheric dispersion

The value of the cloud concentration at ground level is given, in the absence of precipitation and within a maximum distance of 100 km from the release point, by the following equation of the ‘generalized Gaussian plume’:

Q e ¼ y z u
y2 2 y2
þ
h2 2 z2
,
ð6:5Þ
where the cloud concentration is in Bq s m⁻³ for a release Q (Bq) for an instantaneous source, and is in Bq m⁻³ for a release rate Q (Bq s⁻¹) for a continuous source, u is the average wind speed (m s⁻¹), h is the height of the release point (m), y is the distance from the plume axis in the transverse direction (m), and $\sigma_y$ and $\sigma_z$ (m) are the Pasquill–Gifford coefficients of atmospheric diffusion, given as a function of x, the downwind distance. The values of $\sigma_y$ and $\sigma_z$ are given, for the three Pasquill categories B, D and F considered as the most representative, in Figures 6-8–6-10. The distance from the point of release is indicated by x (m).

Figure 6-8. Diffusion coefficients for category B. (a) log sigma y (m) against log x (m), trendline y = 0.0027x³ − 0.0585x² + 1.2136x − 1.0106, R² = 1; (b) log sigma z (m) against log x (m), trendline y = 0.9238x² − 3.5634x + 4.4731, R² = 1.

Figure 6-9. Diffusion coefficients for category D. (a) log sigma y (m) against log x (m), trendline y = 0.0148x³ − 0.1752x² + 1.5541x − 1.6231, R² = 1; (b) log sigma z (m) against log x (m), trendline y = 0.0049x³ − 0.1354x² + 1.4082x − 1.6325, R² = 1.

It has to be noted, in order to avoid confusion, that, in the trendline formulae written on top of each graph, x is the abscissa, that is log x, and y is the ordinate, that is log $\sigma_y$ or log $\sigma_z$, according to the figure considered. This is due to the symbols used by the automatic interpolation program, which always names the abscissa x and the ordinate y. An example will further clarify this point: looking at the upper graph of Figure 6-8, which gives log $\sigma_y$ as a function of log x, where log means as usual the logarithm in base 10, for 10 000 m (log x = 4), a value of about 3 can be read on the line graph for log $\sigma_y$, which means $\sigma_y$ = 1000. Similarly, the trendline formula gives:

$$y = \log \sigma_y = 0.0027(\log x)^3 - 0.0585(\log x)^2 + 1.2136(\log x) - 1.0106 = (0.0027 \times 4^3) - (0.0585 \times 4^2) + (1.2136 \times 4) - 1.0106 = 3.08.$$

Ground concentrations are given in Figures 6-11–6-13 for the three categories B, D and F considered the most representative and for three values of release height (10, 30 and 100 m). A simple program for calculating the concentrations is on the enclosed download files. Further data can be found in Slade (1968).

Under fumigation conditions, the usual assumption of a concentration constant with height below the impervious inversion layer leads to Equation 6.6:

Q f ¼ e ð2Þ1=2 y z uH
y2 2 y2
,
ð6:6Þ
where H is the height of the base of the inversion layer (m) (see Fig. 6-7) and the other symbols have the same meaning as before (see Note 6).

Figure 6-10. Diffusion coefficients for category F. log sigma y (m) against log x (m), trendline y = 0.0044x³ − 0.0713x² + 1.2271x − 1.6022, R² = 1; log sigma z (m) against log x (m), trendline y = 0.0011x³ − 0.144x² + 1.5033x − 2.0967, R² = 1.

Figure 6-11. Ground concentrations for height of release of 10 m (concentrations in m⁻² against distances in m, 100 to 10 000 m; curves for categories B, D and F).

Figure 6-12. Ground concentrations for height of release of 30 m.

Figure 6-13. Ground concentrations for height of release of 100 m.

In the case where a release occurs from a building or near it, the formulae for a point release are too conservative at a short distance. Indeed, the turbulent wake of the building ensures an initial dilution of the release. A way to take this effect into account consists in using the point release formulae but with an imaginary backward displacement of the source. Figure 6-14 shows this procedure. The presence of a building may reduce the beneficial effect of an adjacent chimney at short distances, reducing the already mentioned ‘umbrella’ effect. The influence of the building can be considered completely absent only if the height of the chimney is equal to at least 2–2.5 times that of the building; otherwise the effect of the chimney will be reduced or possibly eliminated by the turbulence generated by the building.

In the case when the release occurs from a chimney and the effluent is warmer than the external air and/or it is released to the environment with a significant initial vertical velocity, the buoyancy forces and the kinetic energy will make the releases behave as if they were released from a higher chimney (thermal and kinetic elevation of the plume). There are many studies and evaluation methods that take into account these effects (Slade, 1968). Here, as an example, is the Stümke formula (Equation 6.7) for the rise of the plume, h:

h ¼
1:5wd 65d3=2 T 1=4 þ , u Ts u
ð6:7Þ
where d is the diameter of the chimney outlet (m), w is the exit speed at the chimney mouth (m s⁻¹), u is the wind speed (m s⁻¹), T and Ts are the temperature difference with reference to the environment and the external temperature, respectively (kelvin).

Figure 6-14. Effect of a building on a plume (labels: real release point; point of imaginary backward displaced release; backing distance).
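The ground-concentration calculation of this section can be carried out directly from the trendline formulae printed on Figures 6-8 to 6-10. The Python sketch below is an added example, not the program supplied with the book; its function names are hypothetical, and it assumes for Equation 6.5 the standard ground-level Gaussian plume form Q/(π σy σz u) · exp[−(y²/2σy² + h²/2σz²)]. It also includes the rule-of-thumb scaling of Section 6-3 for comparison.

```python
"""Ground-level cloud concentration from the Pasquill-Gifford trendlines."""
import math

# log10(sigma) as a polynomial in log10(x), highest power first. Coefficients are
# the trendline formulae printed on Figures 6-8 to 6-10 (category B sigma-z is
# a quadratic, the others are cubics).
TRENDLINES = {
    "B": {"y": (0.0027, -0.0585, 1.2136, -1.0106), "z": (0.9238, -3.5634, 4.4731)},
    "D": {"y": (0.0148, -0.1752, 1.5541, -1.6231), "z": (0.0049, -0.1354, 1.4082, -1.6325)},
    "F": {"y": (0.0044, -0.0713, 1.2271, -1.6022), "z": (0.0011, -0.144, 1.5033, -2.0967)},
}
MAX_DISTANCE_M = 100_000.0  # the text limits the plume equation to 100 km


def sigma(category, axis, x_m):
    """Diffusion coefficient sigma-y or sigma-z (m) at downwind distance x_m (m)."""
    if category not in TRENDLINES:
        raise ValueError("category must be one of B, D, F")
    if axis not in ("y", "z"):
        raise ValueError("axis must be 'y' or 'z'")
    if not 0.0 < x_m <= MAX_DISTANCE_M:
        raise ValueError("distance must be within (0, 100 km]")
    log_x = math.log10(x_m)
    log_sigma = 0.0
    for coefficient in TRENDLINES[category][axis]:  # Horner evaluation
        log_sigma = log_sigma * log_x + coefficient
    return 10.0 ** log_sigma


def ground_concentration(category, x_m, wind_speed, release_height=0.0, y_m=0.0, q=1.0):
    """Ground-level cloud concentration for a release q.

    ASSUMPTION of this example: the standard ground-level Gaussian plume form
    q / (pi * sigma_y * sigma_z * u) * exp(-(y^2 / 2 sigma_y^2 + h^2 / 2 sigma_z^2)).
    With q = 1 the result is in s per cubic metre.
    """
    if wind_speed <= 0:
        raise ValueError("wind speed must be positive")
    sy = sigma(category, "y", x_m)
    sz = sigma(category, "z", x_m)
    exponent = y_m ** 2 / (2.0 * sy ** 2) + release_height ** 2 / (2.0 * sz ** 2)
    return q / (math.pi * sy * sz * wind_speed) * math.exp(-exponent)


def rule_of_thumb(x_m, exponent=1.5, at_1000_m=3e-4):
    """Quick estimate of Section 6-3: the 1000 m value scaled by (1000/d)**exponent."""
    if not 1.5 <= exponent <= 2.0:
        raise ValueError("the text gives an exponent of 1.5 to 2")
    if x_m <= 0:
        raise ValueError("distance must be positive")
    return at_1000_m * (1000.0 / x_m) ** exponent


if __name__ == "__main__":
    print("Category F, 2 m/s, ground release (s/m3)")
    print(f"{'d (m)':>8} {'plume':>10} {'rule 1.5':>10} {'rule 2':>10}")
    for d in (500.0, 1000.0, 3000.0, 10000.0):
        print(f"{d:8.0f} {ground_concentration('F', d, 2.0):10.2e} "
              f"{rule_of_thumb(d, 1.5):10.2e} {rule_of_thumb(d, 2.0):10.2e}")
    # Case of chapter note 6: category D, u = 1, Q = 1, h = 100 m, 1500 m.
    print(f"D, h = 100 m, 1500 m: {ground_concentration('D', 1500.0, 1.0, 100.0):.1e}")
```

For category F at 2 m s⁻¹ and 1000 m the plume value comes out close to the 3 × 10⁻⁴ s m⁻³ quoted in Section 6-3, and the category D case reproduces the order of magnitude given in chapter note 6.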
Reference

Slade, D.H. (ed.) (1968) ‘Meteorology and atomic energy’, United States Atomic Energy Commission, USAEC, Division of Technical Information, Oak Ridge, Tenn.

Chapter notes

1 This happened after the TMI accident, when roughly 3700 TBq (10⁵ Ci) of ⁸⁵Kr were trapped in the containment. After an exhaustive safety analysis and under the authorization of the US regulatory body, the NRC, it was voluntarily released to the outside about one year after the accident.

2 As already mentioned in Section 1-2, it has often been written that the contamination caused by Chernobyl at great distances was solely due to the violent initial upward projection of the releases. In reality, a ground release too, at distances of several tens of kilometres, reaches, by diffusion, a height of several kilometres and, therefore, the exclusive effect of the initial upward momentum on the dispersion of contamination at great distances should not be considered self-evident. Certainly, an influence at short distances has been present. It is therefore necessary to believe that a large release, even at ground level, may cause extensive contamination at long distance, as is also demonstrated by the case of the contamination generated by the atmospheric leaks (without violent projection) of radioactivity during defective underground tests of nuclear weapons. Another example might be the path of the chlorinated compounds as a danger for the stratospheric ozone layer. Finally, unfortunately, a non-RBMK reactor design could in theory give rise to extensive contamination. For example, even without considering the catastrophic burst of a light water reactor vessel, a severe accident in one of these reactors with the subsequent explosion of the containment could give rise to consequences similar to those of Chernobyl. It is considered useful to make remarks like this precisely because reactor safety, which can without any doubt be ensured, is also based on the meticulous detection of all the potential hazards.

3 Using methods which will later be explained, it can be shown that a 100 m high chimney, in typical meteorological dispersion conditions, affords very good protection of the land up to a few kilometres from the plant and that at this distance the concentration is decreased by a factor of about 10 (sometimes higher than that) with reference to the case without a chimney!

4 Frank Pasquill proposed his scheme in 1958 in a written note which he didn’t consider worth publishing. Subsequently his method was acknowledged to be so useful that it was universally adopted.

5 Those surprised by the excessive simplicity of these evaluations must be, in a certain sense, reassured. In evaluating meteorological dispersion it is much more important to take into account all the dominating factors than to perform extremely precise evaluations using conceptually defective schemes. For example, it is fundamental, in the dispersion evaluations, to consider the variation of wind direction and speed with time and distance, the effect of rain of various types, and the extent and effect of local topography (presence of settlements on hills or in valleys, and so on). In international comparative exercises performed (‘benchmarks’), the maximum difference between the results of different groups of evaluators and the difference between anticipated evaluations and measurements has been, unfortunately, equal to several orders of magnitude.

6 Example calculation of order of magnitude. The purpose here is to get an idea of the importance of neglecting the fumigation effect in a situation such as that in Figure 6-7, where the diffusion conditions below the inversion layer correspond to a Pasquill category D. Equation 6.6, for wind speed, u, and source, Q, equal to 1, and for h = H = 100 m, gives, at a typical distance of 1500 m, a cloud concentration of 5 × 10⁻⁶ s m⁻³. However, the use of the fumigation formula gives 3.3 × 10⁻⁵ s m⁻³. It can be concluded that the effect of the fumigation condition increases the ground concentration by a factor of 10, nullifying the beneficial effect of the chimney.
Chapter 7 Health consequences of releases
7-1. The principles of health protection and safety

The principles of radiation protection and safety as summarized by the IAEA (AR185) and based on ICRP (1991) and INSAG3 are:

- A practice which entails or that could entail exposure to radiation should only be adopted if it yields sufficient benefit to the exposed individuals or to society to outweigh the radiation detriment it causes or could cause (justification principle).
- Individual doses due to the combination of exposures from all relevant practices should not exceed specified dose limits (limitation principle).
- Radiation sources and installations should be provided with the best available protection and safety measures under the prevailing circumstances, so that the magnitudes and likelihood of exposures and the number of individuals exposed be as low as reasonably achievable, economic and social factors being taken into account, and the doses they deliver and the risks they entail be constrained (optimization principle or ALARA – as low as reasonably achievable).
- Radiation exposures that are not part of a practice should be reduced by intervention when this is justified, and the intervention measures should be optimized.
- The legal person authorized to engage in a practice involving a source of radiation should bear the primary responsibility for protection and safety.
- A safety culture should be inculcated that governs the attitudes and behaviour in relation to protection and safety of all the individuals and organizations dealing with sources of radiation.
- In-depth defensive measures should be incorporated into the design and operating procedures for radiation sources to compensate for potential failures in protection and safety measures.
- Protection and safety should be ensured by sound management and good engineering, quality assurance, training and qualification of personnel, comprehensive safety assessments and attention to lessons learned from experience and research.
7-2. Some quantities, terms and units of measure of health physics

ABSORBED DOSE: the average energy imparted by an ionizing radiation to the unit mass of matter. Unit of measure: gray (Gy) = 1 J kg⁻¹.

DOSE: this term has two meanings:
- a measure of the quantity of radiation present in a radiation field or given by this field: notion expressed by the word ‘exposure’;
- a measure of the radiation received or absorbed by a target.

EFFECTIVE DOSE: the summation of the tissue equivalent doses, each multiplied by the appropriate tissue weighting factor.

EQUIVALENT DOSE: the dose absorbed by a tissue or organ, multiplied by the pertinent radiation type weighting factor. Unit of measure: sievert (Sv) = 1 J kg⁻¹ (sometimes, the previous unit, the rem = 1/100 Sv, is still used).

GENETIC EFFECTS: the effects on genetic material of somatic or germ cells, used in an imprecise way as a synonym of ‘hereditary effects’.

HEREDITARY EFFECTS: the effects which manifest themselves in descendants of the exposed individual.

NON-STOCHASTIC (DETERMINISTIC) EFFECTS: the effects for which generally a threshold level of dose exists above which the severity of the effect is greater for a higher dose.

RADIATION WEIGHTING FACTOR: a multiplication factor for the absorbed dose which accounts for the relative effectiveness of the various types of radiation in inducing health effects (see Table 7-1).

RADIOACTIVITY: the radioactivity of a sample is the number of disintegrations per second. Unit of measure: becquerel (Bq) = disintegrations second⁻¹ (sometimes, the previous unit, the curie (Ci) = 37 GBq, is still used; 1 TBq, a frequently used unit, is thus equal to about 27 Ci).

SOMATIC EFFECTS: the effects which manifest themselves in the exposed individual.

STOCHASTIC EFFECTS: the radiation effects, generally occurring without a threshold level of dose, whose probability is proportional to the dose and whose severity is independent of the dose.

TISSUE WEIGHTING FACTORS: to account for the different sensitivity of organs and tissues to the induction of stochastic effects of radiation (see Table 7-2).

Table 7-1. Radiation weighting factors

| Type and energy range of radiation | Radiation weighting factor |
|---|---|
| Photons | 1 |
| Electrons and muons | 1 |
| Neutrons <10 keV | 5 |
| Neutrons 10–100 keV | 10 |
| Neutrons 100 keV–2 MeV | 20 |
| Neutrons 2–20 MeV | 10 |
| Neutrons >20 MeV | 5 |
| Protons (except recoil protons) >20 MeV | 5 |
| α-particles, fissile fragments, heavy nuclei | 20 |

Table 7-2. Tissue weighting factors

| Tissue or organ | Weighting factor |
|---|---|
| Gonads | 0.2 |
| Bone marrow (red) | 0.12 |
| Colon | 0.12 |
| Lung | 0.12 |
| Stomach | 0.12 |
| Bladder | 0.05 |
| Breast | 0.05 |
| Liver | 0.05 |
| Oesophagus | 0.05 |
| Thyroid | 0.05 |
| Skin | 0.01 |
| Bone surface | 0.01 |
| Remainder | 0.05 |

7-3. Types of effects of radiation doses and limits

So far as the deterministic effects are concerned, the following brief and imprecise facts should be remembered:

- The lethal dose at 50 per cent probability (LD 50) is equal to about 3–5 Gy, in the absence of good medical assistance.
- Impairment of vision may happen between 1 and 10 Gy, according to the type of radiation (high or low linear energy transfer, LET).
- Permanent sterility may occur between 2.5 and 6 Gy.
For the stochastic effects in the population, the following, again brief, reference data should be noted:

- Death risk for low doses = 5 × 10⁻² Sv⁻¹.
- Risk of serious effects in descendants = 0.5–1.3 × 10⁻² Sv⁻¹.

As far as the limits adopted in many countries by law are concerned, we have:

- for workers: 20 mSv per solar year (effective dose);
- for the population: 10 µSv year⁻¹ for each practice.

These limits hold for normal operation of the plants and not for accidents. Indeed, other limits for accidents do not exist except those fixed by the local Regulatory Body, case by case, or for classes of plants and of sources. For example, for a nuclear power station, the most recent trend in Italy was to prevent the exceeding of the reference values for short-term evacuation of the population (taken as equal to 1 rem, which is the lowest value named in foreign and international guidelines) in case of a severe accident.
Moreover, it is usual to define a design limit for the collective dose of workers: the present value in many countries is of the order of 1 Sv person year⁻¹.

7-4. Evaluation of the health consequences of releases

As elsewhere in this book, only simple methods and orders of magnitude are listed here, which can be useful for quick dose evaluations for preliminary decisions: more precise methods are described in the references and in the abundant literature in the field.

7-4-1. Evaluation of inhalation doses from radioactive iodine

The following is a simple formula which can be used for a quick evaluation. It is most easily remembered if the old units of measurement are used (curie, rem, etc.) (see Note 1).

D = 10 R,

where D is the effective dose for adults (rem) (for children a multiplication factor ranging from 5 to 10, according to age, has to be used), is the cloud concentration (s m⁻³) (see also Chapter 6), and R are the curies of iodine-131 released (see Note 2). The dose calculated for all the iodine isotopes (not just for iodine-131) could result in a dose of the order of double that calculated for iodine-131 only. The dose to the thyroid is equal to about 20 times the one calculated here.
7-4-2. Evaluation of doses due to submersion in a radioactive cloud

In some cases the term ‘submersion doses’ may not be appropriate because what is generally meant by this expression are the doses of direct radiation from a cloud of radioactive substances travelling in the vicinity. Here xenon-133 (important for accidents to reactors or to gaseous waste decay tanks) and tritium (³H, important for fusion machines, for example) are considered. The doses are roughly:

For xenon-133:

D = R/300,

which can give lower dose values than other models (this has been taken from CEC documents). In order to take into account the finite dimensions of the cloud, the calculated doses should be multiplied by a factor (<1) which, for ground release and for F category, ranges from 0.1 at 1 km to 0.7 at 100 km.

For tritium (skin irradiation, inhalation):

D = 0.03 R,
7-4-3. Evaluation of the doses of radiation from caesium-137 deposited on the ground (‘ground-shine’ dose)

The figures of interest for any practical case can be extrapolated from the data shown in Table 7-3, which gives the dose at various times after the deposition of 1 kBq m⁻². For contamination deriving from an accident to a reactor, the radiation doses from the ground due to caesium-137 are generally more important than the contribution of other isotopes.

Table 7-3. Ground-shine dose (caesium-137)

| First year | Second year | 0–50 years |
|---|---|---|
| 1.2 mSv (120 mrem) | 800 µSv (80 mrem) | 16 mSv (1600 mrem) |

7-4-4. Evaluation of the dose due to deposition of plutonium on the ground

A deposition of plutonium might happen as the result of an accident to a space vehicle (²³⁸Pu) (see Chapter 26) or because of a very violent accident to a nuclear reactor (²³⁹Pu and ²⁴⁰Pu). Plutonium isotopes are highly radiotoxic but plutonium is highly insoluble and in general the highest risk originates from the inhalation of very fine dusts (5 µm). The conversion factor for the inhalation dose to adults is, for plutonium-238, in average conditions, 4.6 × 10⁻⁵ Sv Bq⁻¹ (AR29). Similar figures apply to plutonium-239 and plutonium-240. The mechanisms by which the plutonium might be inhaled are to be evaluated case by case. The specific activity of plutonium-238 is 6.44 × 10⁵ Bq g⁻¹ and 2300 Bq g⁻¹ for plutonium-239.
7-4-5. Indicative evaluation of long distance doses for very serious accidents to nuclear reactors

Figure 7-1 gives a first impression of possible effective committed doses. It shows data from the Chernobyl, Windscale and Three Mile Island accidents (collected by G. Santarossa), together with a subjective evaluation of the effects of a maximum severe accident ‘reasonably’ conceivable for a present and future reactor.
Figure 7-1. Long range doses from accidents (dose in mSv, from 0.1 to 100, against range in km, from 1 to 1000).

7-4-6. Direct radiation doses

It is often useful to have an idea of the possible radiation fields caused by a point source. The approximate formula to remember is the following (see Note 1):

$$R_{hm} = 0.6\, C\, E,$$

where $R_{hm}$ is rems per hour at 1 m distance in air, C is the source curies, and E is the energy of the emitted radiation (MeV). Figure 7-2 can also be of help (see Note 3). Remember that α-rays are stopped by the thickness of a simple sheet of paper, while β-rays can penetrate several centimetres into human body tissue. γ-rays or neutrons can penetrate much deeper into matter. Figure 7-3 shows the thickness of various materials able to reduce the intensity of γ-rays by a factor of 10. As can be seen, there is a certain inverse proportionality to the material density.

Figure 7-2. Activity–dose relationship (1 Ci, 1 MeV source: 0.6 rem h⁻¹ at 1 m).

Figure 7-3. Thicknesses of materials for reduction of 10 in γ-ray intensity (air: 1000 m; water: 34 cm; concrete: 16.5 cm; glass (Ce or Pb): 5–15 cm; steel: 5 cm; lead: 3 cm).

Reference

ICRP (1991) Recommendations of the International Commission on Radiological Protection. ICRP Publication 60, Pergamon Press.

Chapter notes

1 Relaxation moment! Concerning the use of obsolete units of measure, the subtle truth contained in a popular joke comes to mind. It concerns a professor, very popular with his students, who, answering a question about the reason why he taught so many incorrect notions in his lessons, replied, ‘This way they understand better!’.

2 It is worth recalling from Chapter 6 that the cloud concentration can conservatively be assumed to equal 10⁻⁴–10⁻³ s m⁻³ (Pasquill category F with a wind speed of 2 m s⁻¹) at 1 km and variable for other distances as the inverse of the ratio of the distances raised to the power of 1.5–2.

3 As an example, one curie of cobalt-60, which emits gamma radiation at a total of 2.5 MeV, delivers about 1.5 rem hr⁻¹ at the distance of 1 m.
Chapter 8 The general approach to the safety of the plant-site complex
8-1. Introduction

This chapter assumes the point of view of an expert who wishes to evaluate the safety of a modern plant at a specific site and firstly decides to perform checks on those key aspects where it is most likely to find areas that can be improved. The content lists and discusses some of these aspects. It is impossible to be exhaustive in the most general terms as many fundamental aspects are connected with the specific features of each single case, for example the compliance between plant characteristics and assumptions made in the study of accidents. In any case, if the evaluation of a case under scrutiny shows that any aspect among those listed in the following has been omitted or not adequately dealt with, then this fact should be noted and corrected.

8-2. The definition of the safety objectives of a plant on a site

This section discusses some aspects of the approach to safety which pertain to a plant-site complex. In the following, some important issues about the approach to safety will be considered.

8-2-1. The objectives and limits of release/dose

The limits of release and of dose to the population should be defined for normal operation, operational transients, design basis accidents and more serious accidents, including severe accidents.

Usually this aspect of the basic approach to safety assumes the form of one or more tables where the following data are collected:

- The classes of situations considered in the design of the plant and in the control of site factors (normal operation, anticipated transients, severe accidents, etc.), with an indication of the order of magnitude of the probabilities of the pertinent initiating events or of the accidental sequences (defined as the sequence of events originated by the initiating event and by further equipment malfunctions or operating errors). Sometimes (see, for example, the EUR criteria in Appendix 6) a list of all the representative sequences is also given.
- The corresponding limits and objectives of release and/or of doses to the critical group of the population, with indication of the emergency actions considered in the demonstration of the compliance with objectives and limits.
In particular, the approach to the consideration of beyond design accidents, among which the severe ones, should be especially coherent and complete. The beyond design accidents considered should be clearly identified and the method by which they are prevented and/or mitigated should be explained; for example it should be clarified if the defence from possible events caused by a molten core outside the ‘vessel’ is based on the containment of the molten core within the vessel itself (flooding of the cavity and cooling of the vessel from outside) or on the refrigeration of the molten core on the floor of the containment. The experimental and theoretical basis of the demonstration of the adequacy of the solutions chosen should be clearly identified.
Another typical aspect which sometimes is not well clarified concerns the type and extent (in space and time) of the emergency measures which are acceptable in case of the most serious accidents considered and in view of the compliance with the radiological limits and objectives chosen. The foreseen emergency plan is, indeed, a powerful additional safety measure (the fifth level of the Defence in Depth concept) but may also be seen as an indication that the plant per se is not sufficiently safe. For these reasons, a present trend consists in designing plants which don’t need stringent emergency plans (for example there is a trend towards excluding the evacuation of the population, except from a zone within a few kilometres from the plant). In the extreme, the objective that the most severe accident considered has externally significant consequences completely confined within the plant fence could be adopted.
Obviously (but practical experience indicates that it is useful to remind ourselves), where the safety criteria also include an indicative limit of the maximum probability of a ‘large release of radioactivity’ (for example, no large release with a probability higher than 10⁻⁶ per year), the amount and the characteristics of the released radioactivity for which the release starts to be defined as ‘large’, must be clearly defined.
8-3. Some plant characteristics for the prevention and mitigation of accidents
Among the factors for accident prevention and mitigation, it is useful to check:
- the presence of a negative reactivity coefficient for power increase in every operating condition (and preferably also the presence of a negative moderator temperature reactivity coefficient);
- the abundance of core cooling water (e.g. in the pressurizer and in the steam generators) because the availability of a large amount of water makes transients slower and allows the operators to better intervene;
- the presence of a fast depressurization function for the primary system (efflux opening of the order of 10 cm in equivalent diameter or higher for a reactor of 1000 MWe);
- the existence of a robust accident management system, with procedures and equipment that are complete and up to date;
- that the reactor pressure vessel has dimensions and other characteristics sufficient to keep the fast fluence, and the embrittlement, at low level during its life (construction such to minimize the presence of welds in the highly irradiated zone);
- that there is a solid and controlled technical basis for the possible application of the ‘leak before break’ concept to the primary pipings (including adequate leak detection methods);
- the presence of emergency electric power supply sources, including portable ones, but different from the traditional emergency sources, either by type of machine and by type of fuel;
- that, where a microprocessor-based reactor protection system is used, the presence of a backup system of traditional type or of other means to ensure protection against malfunctions, including those involving the software, is assured;
- the specification of a realistic maximum leakage rate from the containment (‘realistic’ means a leakage rate which is really obtainable in practice for a period of time of more than one year, indicatively), and the use, in the safety analyses, of conservative figures for the same quantity (possibly much higher than the specified ones). This last precaution is suggested in order to cope, without too many difficulties, with possible situations where the result of integral or local leakage tests should not satisfy the specified leakage limits.
8-4. Radiation protection characteristics
It is recommended to pay attention to the following points, in addition to complying with the limits and objectives mentioned in Section 8-2-1:
- The presence in the design of an objective figure for collective occupational doses per year of plant operation (today this figure could be of the order of 1 Sievert person per year or less).
- The presence of a plant design policy which includes a review of the design details and of the layout of equipment and structures in view of the minimization of occupational doses (room for maintenance, radiation shields, provisions for ‘robotized’ inspections, etc.). A written guide should also be available for these reviews.
- The presence of a policy for the minimization of the solid, liquid and gaseous waste.
- The consideration, in the design, of the simplification and optimization of the plant decommissioning from a radiological point of view.
8-5. Site characteristics
Given that the foregoing criteria are met, it is good practice for a nuclear plant site to have certain characteristics objectively favourable to its installation, both in normal operating conditions and in a hypothetical emergency. In particular, the following characteristics are noted:
- The absence of danger of natural destructive phenomena, such as a strong seismicity (for example historical earthquakes higher than degree IX on the MCS scale), a danger of surface faulting on the site or of tsunami,AR27 a danger of destructive flood waves due to the collapse of dams upstream, etc. In particular, it is advisable that the plant should be immune from the danger of submersion due to floods because of objective situations, such as it being located on a hill or embankment more elevated than the surrounding countryside. In this way the demonstration of safety doesn’t depend on frequently uncertain evaluations of the maximum flood level of rivers or the like; this is valid also for other natural hazards different from flood, given the intrinsic difficulty in forecasting the gravity of natural events in general. Possible excessive conservatism in the design parameters can thus be avoided.
- Favourable population distribution. Some national criteria specify limits for the distribution of population around the site, obtained by assuming a reference radioactive release from the plant and the limitation of doses outside. A minimum distance from population centres is also usually specified, which increases with increasing population in the centre itself (in general, in Europe, it should be necessary to stay a few kilometres apart from centres with some thousands of inhabitants and at least 10 km from centres with tens of thousands of inhabitants).
- Guaranteed characteristics of accessibility by roads, besides demographic characteristics, in order to have a favourable situation in case of external emergency and of need to evacuate people.
Other essential characteristics of a site are not listed here because they essentially bear on productivity issues, even if they may have an influence on safety too. For example, land average slope (the slope of the surroundings should be compatible with the transportation of huge components) or the availability of abundant quantities of water for the normal cooling of the plant besides the availability of smaller amounts of water for shutdown or emergency conditions.
Chapter 9 Defence in depth
9-1. Definition, objectives, levels and barriers
As already discussed in Section 1-2, the Defence in Depth (DID) concept in nuclear safety consists in providing multiple independent protections against the occurrence of accidents and their progression, in such a way that, should one of them fail, at least another is present whose failure is independent from the operation of the first. It has to be said, however, that complete independence of the barriers is only an objective, and it is not always achievable in reality in every conceivable accident sequence. The definition of DID has to be understood as a general defence principle, to be implemented to the maximum technically feasible degree. DID is implemented through design and operation provisions in a way to provide a ‘graded’ protection against a vast variety of transients, abnormal events and accidents, including the malfunction of components, human errors in the plant and events initiated outside it.AR177, AR178, AR185
The decision to create DID in the plants was taken at the start of nuclear energy development, which indicates a remarkable farsightedness, as subsequent history has demonstrated that it has been the best defence against the uncertainties of the technology and the mistakes initially made (see, for example, the Three Mile Island accident). Obviously, in the first period of nuclear energy, many protests were made against this ‘waste of resources’ which consisted in the construction of costly barriers (e.g. the containment) without, according to some, ‘a real need’ for them.
Accordingly, in the most recent documents,AR177 the DID is based on four principal barriers against the external release of radioactive products (fuel matrix, fuel cladding, reactor cooling circuit pressure boundary, and containment system), and on five defence levels in order to best use these barriers (illustrated in Table 9-1).
The actual implementation of DID needs the support of some base requirements which apply to all of the five quoted levels. These requirements descend from the technical principles of nuclear safety which lead to the specific measures: AR178, AR185
- The adoption of proven engineering solutions.
- The classification and qualification of structures and components.
- Adequate quality assurance measures, proportionate to the safety classification of structures, systems and components.
- A high quality of engineering applied to all aspects of the design, construction and operation.
- A safety analysis, including its verification.
- The provision against common cause faults, such as diversity, physical separation and barriers for internal and external events.
- Good practices of operation and maintenance, including the provisions for the use of the lessons learned from past experience.
- A safety culture and attention to human factors.
- The provisions to ensure the documented adequacy of the operation organization and the independent role of the regulatory control bodies.
As can be observed, practically all the issues of nuclear safety can be viewed as an implementation of Defence in Depth.
9-2. Additional considerations on the levels of Defence in Depth
Among the provisions necessary to ensure the good implementation of defence Level 1, the following ones can be listed:
- A clear definition of normal and abnormal operating conditions.
- Adequate margins in the design of systems and of components, including those concerning their robustness and strength in accident conditions, in particular in order to minimize the need to resort to measures of Levels 2 and 3.
- Intrinsic plant safety characteristics, such as nuclear and thermal–hydraulic stability and thermal inertia of the cooling system.
- Design provisions intended to give operators enough time to respond to events and to ensure an adequate man–machine interface, including operator-supporting means intended to facilitate their task.
- Attentive choice of materials and use of adequate fabrication processes of proven technology, together with the extensive use of tests.
- Exhaustive training of the personnel devoted to operation, maintenance, engineering and management, chosen by appropriate selection, ensuring behaviour fully compliant with a solid safety culture.
- Adequate operation instructions and reliable control of the state of the plant and of its operating conditions.
- The recording, evaluating and use of operating experience.
- Complete preventive maintenance, with priority established on the basis of safety importance and reliability requirements of systems.

Table 9-1. DID defence levels

| Defence level | Objective | Essential means |
|---|---|---|
| Level 1 | Prevention of abnormal operation and of malfunctions. | Conservative design and high quality of construction and of operation. |
| Level 2 | Control of abnormal operation and detection of malfunctions. | Control, limitation and protection systems and other surveillance characteristics. |
| Level 3 | Control of accidents included in the design basis. | Engineered safety systems and accident procedures. |
| Level 4 | Control of the severe accident conditions of the plant, including the prevention of accident progression and mitigation of consequences. | Additional measures and accident management. |
| Level 5 | Mitigation of the radiological consequences of significant releases of radioactive products. | External site emergency plan. |
Moreover, Level 1 offers the initial protection basis against important external or internal hazards (e.g. earthquakes, fires, floods), even if some additional protection may be necessary at higher defence levels. The following design principles are followed in order to ensure a high reliability level of the engineered safety features (Level 3):
- Redundancy.
- Prevention of common mode failures due to internal and external events through spatial or physical separation and structural protections.
- Prevention of common mode failures due to design, fabrication, construction, commissioning, maintenance or other human interventions, through diversity or functional redundancy.
- Automation in order to reduce vulnerability to human errors, at least in the initial phase of an abnormal event or of an accident.
- Overall architecture which facilitates periodical tests in order to give demonstration of the availability and of the performance of systems.
- Qualification of system, structures and components for the specific environmental conditions which may result from accidents or from external events.
- Reliability: the auxiliary and support systems are designed, built, commissioned and operated in conformity with the degree of reliability required by engineered safety features.
Essential objectives of accident management (Level 4), which includes both preventive and protective measures, are:
- monitoring of the principal characteristics of the plant state;
- controlling the core sub-criticality;
- restoring the core cooling and preserving the long-term cooling;
- protecting the containment integrity (including its leak-proof characteristics), ensuring the removal of heat and preventing loads and dangerous effects on containment and on all the points of possible localized leakage in case of serious damage of the core or of further deterioration of the accident;
- regaining the control of the plant in order to avoid further damage.
Accident management is strictly connected with the best use of human factors of safety: essential components for the safety of a plant.
Chapter 10 Quality assurance
10-1. General remarks and requirements
Quality assurance is an essential aspect of good management. A definition of quality assurance (QA) in the nuclear energy arena is the following:
All the planned and systematic actions necessary to provide adequate confidence that an item or service will satisfy given requirements for quality. IAEA (1988)
Quality assurance is implemented through the definition and the realization of a quality assurance programme (QAP). The QAP is an integral part of the plant design and shall provide for a disciplined approach to all activities affecting quality, including verification that each task has been satisfactorily performed and that necessary corrective actions have been implemented. It shall also provide for production of documentary evidence to demonstrate that the required quality has been achieved.
The establishment and the implementation of a QAP for a nuclear plant are essential. However, it shall always be recognized that the basic responsibility for achieving quality in performing a particular task (e.g. in design, in manufacturing, in commissioning, in operation) rests with those assigned the task and not with those seeking to ensure by means of verification that it has been achieved.
In the general legal framework for the regulation of nuclear power plants of each country, the requirement that an effective, overall quality assurance programme be established, should be present. The organization having overall responsibility for a nuclear power plant shall also be responsible for the establishment and implementation of the overall quality assurance programme for that plant.
This organization may delegate to other organizations the work of establishing and implementing all, or a part, of the programme but shall retain responsibility for the effectiveness of the overall programme. The following aspects must be included in a QAP: procedures, necessary instructions and drawings; periodical reviews by management; organization; responsibility, authority and communication; organizational interfaces; staffing and training; document control; document preparation, review and approval; document release and distribution; document change control; design control; design interface control; design verifications; design changes; procurement control; supplier evaluation and selection; control of purchased items and services; identification and control of materials, parts and components; handling, storage and shipping; maintenance; process control; inspection and test control; programme of inspection; test programme; calibration and control of measuring and test equipment; indication of inspection, test and operating status; non-conformance control; non-conformance review and disposition; corrective actions; records; preparation of QA records; collection, storage and preservation of QA records; audits; scheduling of audits.
10-2. Aspects to be underlined
The QA activities are fundamental in order to attain safety in a plant. Over the years, the QA method has been demonstrated in many sectors of production and service activities as the most effective and efficient means to obtain the desired quality. In many production sectors it has replaced the method of product control, substituting it with the control of the process which originates the product itself.
Product controls are included in the more general QA methods. QA is a rather costly activity (a component can cost much more if a stringent QA requirement is specified), therefore every QA requirement must be accurately weighed against its real need: the approach must always be ‘graded’ and proportionate. In some cases, defective application of the method has been known to produce more ‘paper’ than quality, and this must, by all means, be avoided.
Governmental organizations control safety reviews of the QAP and conduct audits on its implementation: this is an important aspect of the control and supervision activity.
Reference
IAEA (1988) Code on the safety of nuclear power plants: quality assurance. IAEA Safety Series N.50-C-QA (Rev.1), International Atomic Energy Agency, Vienna.
Chapter 11 Safety analysis
11-1. Introduction
The objective of a safety analysis is to help define and to confirm, through adequate analysis tools, the safety basis for the parts of the plant which are important for safety and to ensure that the general design of the plant is capable of complying with the dose limits in force and with the radioactive releases specified for any plant conditions.AR17 Safety analyses, which are a part of the safety evaluations used in the licensing procedure of the plant, should proceed in parallel with the design, with interactions between the two activities. They must be kept up to date during the life of the plant in order to account for the progress of knowledge and in case of plant or site modifications.
11-2. Deterministic safety analysis
The deterministic approach studies the behaviour of the plant in operational states and under specific accident conditions originally identified on the basis of evaluations of prudent engineering or for compliance with the chosen criteria. Today, probabilistic techniques are sometimes used to aid decisions concerning the deterministic approach, for example if a new candidate appears (e.g. from research or operating experience) for inclusion in the list of Design Basis Accidents (DBAs), the decision on inclusion or not can be aided by a probabilistic comparison with other situations already inserted in the DBA list.
Usually the deterministic analyses are performed using conservative assumptions on input data, intermediate parameters for the analyses and on the behaviour of plant systems (single failure, etc.). Consequently, the behaviour of the plant as evaluated could be rather different from the most likely one, even if in a sense beneficial to safety (conservative analyses or ‘licensing basis’). The deterministic analyses have been used for a longer time and, therefore, they are based on a well-consolidated basis, at least for the rare events included among the DBAs.
Severe accidents are now also part of the deterministic analyses. However, because of their very low probability, the conservative assumptions used for DBAs are not used. A ‘best estimate’ treatment of the phenomena is preferred in this case.
Safety analysis should consider normal operation, operational occurrences and accidents.AR17 The aim of a safety analysis for normal operation should be to assess that normal operation of the plant can be carried out safely. Therefore, it has to confirm that radiological doses to workers and members of the public are within acceptable limits and that planned releases of radioactive materials from the plant are within acceptable limits. All the conditions met during normal operation, without external or internal disturbances, should be considered. These include start-up, normal power operation and power changes, various shutdown modes (hot, cold, refuelling, etc.), and handling and storage of fresh and irradiated fuel. Both the limits in force, and the ALARA principle (Chapter 7) should be complied with. In particular, reduction to the minimum reasonable amount of the radioactive gaseous and solid releases to the environment, and of the waste produced by the plant, should be pursued. In some cases a balance should be made between doses to the population and doses to workers, as some operating decision may increase the first and decrease the other, or vice versa. A typical example is the frequency of replacement of effluent filtering packs since replacement usually means more doses to personnel and less doses to the public.
Anticipated operational occurrences are off-normal events, usually plant transients, which can be coped with by the plant protection systems and normal plant systems but which could have the potential to damage the reactor if some additional malfunction should happen. Their typical frequency of occurrence may be more than 10⁻² year⁻¹. Some of the anticipated occurrences (PIEs – postulated initiating events) are due to the increase of reactor heat removal (as might occur for an inadvertent opening of a steam relief valve, malfunctions in control systems, etc.). Some are due to the decrease of reactor heat removal (such as for feed-water pumps tripping, loss of condenser vacuum and control systems malfunctions). Some are due to a decrease in reactor coolant system flow rate, as in the case of a trip of one or more coolant pumps. Some are connected with reactivity and power distribution anomalies, such as for an inadvertent control rod withdrawal or unwanted boron dilution due to a malfunction of the volume control system for a PWR. Events entailing the increase or decrease of the reactor coolant inventory may also happen, due to malfunctions of the volume control system or small leaks. Finally, releases of radioactive substances from components may occur.
DBAs have a lower frequency of occurrence than operational transients, typically in the range 10⁻²–10⁻⁵, and are not expected to occur during the lifetime of the plant. They, however, are considered in the design of the plant safety systems for emergencies. There are also some groups of PIEs that are traditionally included among DBAs which may have lower frequencies (as could be for the largest pipe guillotine break for plants built to modern standards). All the PIEs considered as initiators of anticipated operational occurrences should also be considered as potential initiators of DBAs.
The groups of PIEs considered for DBAs are the same listed above for anticipated occurrences: the severity of the specific events considered, though, is here higher. Typically, DBA initiators include steam line breaks, feed-water line breaks, pump shaft break or seizure, control rod ejection due to breakage of the rod thimble housing, boron dilution due to the start-up of an idle loop, inadvertent operation of the emergency core cooling system (ECCS), small and large loss of coolant accidents (LOCAs), break of a radioactive gas holdup tank, and fuel damage during handling.
Radiological limits are established for the various categories of operational occurrences and accidents. Lower limits are used for less infrequent transients and higher limits for more rare events (see, for example, the EUR criteria in Appendix 6). Since the number of PIEs is usually large, the natural tendency is to group them and to study only the one which causes the most serious consequences (bounding case). It may well be that one accident is the worst for one consequence and another one is worse for another consequence (e.g. peak reactor pressure or peak fuel clad temperature). In this case, both have to be studied.
The safety analysis should demonstrate that the plant can be safely shut down and maintained in that condition, that the residual heat can be removed from the core at any time after the accident and that radioactive releases are minimized and below acceptable limits. Here, it must be underlined that the time span covered by the analytical studies of the various accidents must be long enough to allow the plant to reach a long-term stable shutdown and cooled core state. A tendency exists, in order to save precious computer time or to avoid the numerical difficulties of long calculations, to stop the analytical studies at the intervention of the first plant protection or safety system or shortly after. This inadequate behaviour may also have been responsible for preventing the possible peculiar primary system situation that occurred during the TMI accident (pressurizer full of water mixture and core essentially dry) from being public knowledge in the reactor safety profession before the accident. Indeed, this plant situation could have been predicted by thermal–hydraulic codes if the transient time studied had been long enough.
The analytical studies of accidents can be performed either by a conservative approach or by a best estimate approach.
In the first case, conservative assumptions are adopted for initial and boundary conditions and for the various elements of the evaluation (correlations, parameters, equipment availability, etc.). Apart from the obvious advantages (for safety) of this approach, it, however, frequently leads to a completely unrealistic description of the real accident sequence, with a distorted timing of the events and the masking of interesting phenomena (see also Chapter 27). Because of these shortcomings and the current maturity of best estimate codes, they should be used in a safety analysis in combination with a reasonably conservative selection of input data and a sufficient evaluation of the uncertainties of the results.AR427 This approach is accepted by regulatory bodies. It may also be acceptable to use a combination of a best estimate code and realistic assumptions on initial and boundary conditions. The safety analysis should be performed within a QA system. The following assumptions should be made in a conservative approach:
- The initiating event occurs at an unfavourable time as regards initial reactor conditions (e.g. power level, residual heat level, reactivity and reactivity coefficients conditions, system temperatures, pressures and coolant inventory).
- The operation of control systems should not form part of the analysis, unless their intervention may aggravate the accident. Protection systems only should be considered.
- All non-safety-grade components should be disregarded, except when there is the possibility that they could aggravate the transient.
- A single failure criterion should be adopted (the worst single failure should be assumed to occur in the group of safety systems which have to intervene during the accident). For redundant systems it is often assumed that the minimum number of trains start and run. In some cases, the requirement exists that, if n systems are necessary for a specific function, (n + 2) systems should be provided because one is considered unavailable for maintenance and the other is assumed to fail (e.g. as is the practice in Germany).
- Safety systems should be assumed to operate at their minimum performance level (with action intervening at the worst end of the possible band).
- Equipment that cannot be considered fully and demonstrably operable should be disregarded.
- Actions of the plant staff should be considered only if there is ample time available, if ample and written information is available for diagnosis or for identification of guiding symptoms, and if sufficient training has taken place. Plant staff actions are assumed to occur no sooner than 10 minutes after the start of the event.
Acceptance criteria should be clearly defined (see Section 8-2-1). An accident may generate more than one unwanted consequence (e.g. excessive system pressure and excessive clad temperatures) and this situation may require different sets of conservative assumptions for the analysis of safety for each possible consequence studied. Severe accidents are also studied using a deterministic approach, with less conservative assumptions than DBAs due to their low probability of occurrence. Probabilistic methods are, however, used for the identification of those accidents which should be considered in a safety analysis.
11-3. Probabilistic safety analysis
Although in many countries it is not compulsory to perform a probabilistic safety analysis (PSA), in practice it has become common for new plants and for existing ones. Moreover, international requirements include that safety analysis reports include a summary of the PSA study of the plant. A PSA is a complete and well-structured method for identifying accident scenarios and obtaining numerical risk estimates. The question of whether PSAs, or probabilistic risk assessments (PRAs), can be used to demonstrate the compliance with numerical safety criteria has been debated at length. It is now believed that their use for this purpose is not advisable because of the uncertainties in methods, in data and, therefore, in their results. However, all those who have experience with the probabilistic method are convinced, at least, of the following positive aspects of it:
- It forces the analyst to examine the complete set of possible sequences of events which may happen on a plant, without excluding any of them beforehand (as is done in the deterministic method). Therefore the risk of forgetting in the analysis some important sequence or situation is lower.
- It affords a general vision of the plant from the safety point of view, highlighting specific weak points and, therefore, in particular during the design phase, allowing a well-balanced plant to be conceived.
- The method gives an idea of the global risk and, notwithstanding its possible imprecision, is useful for comparative considerations between different plants and, therefore, it contributes to the creation of a homogeneous reactor overview from the point of view of risk.
It is common for a probabilistic safety analysis to detect weak points of the plant where the normal design process had not been able to reveal weaknesses. This, in particular, happens for support systems of primary safety systems, for example the space cooling systems for rooms where the safety injection pumps are located. The present trend for the support of plant safety decisions, including those concerning operation, involves both safety analyses: the deterministic and the probabilistic.
Probabilistic analyses are applicable to Levels 1, 2 or 3 (IAEA, 1992, 1995, 1996), because they examine the events up to core damage, up to the evaluation of radioactivity releases from the plant, or up to the external radiological consequences.
A less general consensus exists on the inclusion of external events (e.g. earthquakes) in the probabilistic analyses. Indeed the degree of uncertainty in the identification of events of this type at very low probability levels is high. The related doubts are going to become weaker in view of the advantages of a rational treatment of all the phenomena, including the external ones. At the same time, the use of methods and of procedures internationally agreed upon is strengthening (USNRC, 1983; Fullwood, 1999), which decreases the uncertainties present in a specific methodological choice. For the probabilistic treatment of a seismic event the following steps are necessary:
Determine a ‘seismic hazard’ curve for the site which establishes a relationship, for example between the maximum ground acceleration and the corresponding expected frequency (on a worldwide basis, the Gutenberg correlation between magnitude (M) and annual frequency (f) can be included: ln f = 4.13 − 0.844 M).
Perform the dynamic analysis of the plant.
Determine the fracture probability of structures and components. This is rather conventionally undertaken using fragility curves which relate the conditioned probability of fracture with the maximum acceleration of the component/structure. The simplification introduced by the fragility curves consists in the fact that they are supposed to depend on three parameters only: a median rupture acceleration, Â, and two logarithmic standard deviations (log-normal distribution), AR and AU, related to the intrinsic variability of the component behaviour and to the variability of Â, respectively. The fragility curves are based on the (few) results of tests and on good engineering judgement.

A very important factor in safety management and safety analysis is the recognition of the importance of the human intervention in the related activities. Human errors should be avoided by the establishment of clear interfaces between man and machine, and by the preparation of operating and emergency procedures and of maintenance rules and guidelines. Beneficial human intervention, even in extremely degraded situations, should be implemented by adequate training, procedures and simulation studies and practices.

Moreover, one of the most difficult aspects of the probabilistic analyses lies in the probabilistic treatment of human behaviour, that is of the operator actions which may have a decisive influence on the development of the accidental sequence under study. Usually, for the sake of conservatism, focus is placed on the probability of operator error (omission, commission and, more difficult to analyse, diagnosis errors). In the real world, however, the role of operators in an accident sequence is not limited to committing or not committing mistakes in the implementation of operational procedures. In fact, as many events indicate (the Browns Ferry 1975 accident is typical, see Chapter 20), the operators may react to an unexpected situation with creative and resolving interventions. For the present moment, however, except for specific cases, the possibility is taken into account only that the operator makes mistakes in the implementation of emergency procedures, even in the field of the management of severe accidents. Table 11-1 and Figures 11-1 and 11-2 give an idea of the probabilities used for these analyses (Petrangeli and Zaffiro, 1985).
The probabilistic analysis of a plant is usually performed by the construction of event trees, for any single group of similar initiating events, and of fault trees, for any single system or component whose fault probability is important for the study of the various accident sequences.
Table 11-1. Non-recovery probabilities

| Non-recovery probability for a component | Recovery time of the component (mins): in the control room | Recovery time of the component (mins): elsewhere on the component |
|---|---|---|
| 1.00 | <5 | <15 |
| 0.25 | 5–10 | 15–20 |
| 0.10 | 10–20 | 20–30 |
| 0.05 | 20–30 | 30–40 |
| 0.03 | 30–60 | 40–70 |
| 0.01 | >60 | >70 |

Figure 11-1. Probability of operator error as a function of the time available for the operation. [Axes: error probability against time available (mins).]

Figure 11-2. Non-repair probability of a component as a function of the time available. [Axes: non-repair probability (%) against time available (mins); curves labelled ‘Plant systems’ and ‘Offsite power’.]

11-3-1. Event trees
Event trees are branched graphs which, starting from the initiating event considered, show (in their most common use) the various possible sequences of plant situations (with corresponding estimated probability) consequent to the good operation or malfunction of safety systems designed to stop the accident or to mitigate its consequences. An event tree, therefore, gives the picture of the various final plant situations, each one with the pertinent overall probability.
Figure 11-3 shows a simplified event tree for the TMLB sequence of a PWR according to the Rasmussen report (loss of all the external power supplies for at least three hours and of auxiliary feed-water due to loss of the diesel generators and of the turbine-driven pump).1

11-3-2. Fault trees
The fault trees, unlike the event trees, proceed backward from the final event (i.e. the fault of the component or system) to the various causes which may have originated it, with the corresponding probabilities. Figure 11-4 shows a fault tree for the simple system shown in Figure 11-5 and for the fault ‘insufficient flow from V3’. (Some fault tree symbols are shown in Fig. 11-6.) In order to calculate the fault probability of the component under study on the basis of its fault tree, it is possible to proceed directly combining the various probabilities of the events represented in the tree. This method, however, except for rather simple cases, can be rather tiresome and doesn’t highlight the most important factors. The method more generally used, instead, is based on the use of Boolean algebra (the algebra of binary systems: 1s and 0s) and on the fact that a correspondence exists between its results, when applied to a fault tree, and the results of a direct probabilistic analysis, mentioned above.
Figure 11-3. Event tree (sequence TMLB). [Column headings: T, transient; M, B, lack of recovery of electric power supplies in three hours; L, failure of the auxiliary feed-water; core condition; probability per year. Values shown: 0.2/y; Yes: 1 × 10⁻¹, 1 × 10⁻¹; Yes: 1.5 × 10⁻⁴; core conditions OK, OK and MELT, the last at 3 × 10⁻⁶ per year.]
The advantage of applying Boolean algebra resides in the fact that it quite naturally leads algebraically to the maximum simplification of the fault tree. The correspondences in Figure 11-7 are defined between the Boolean and the probabilistic logical environments. The sample fault tree of Figure 11-4 is simplified as follows using Boolean algebra:

Fundamental relationships

$$A_1 = A + B + B_1$$
$$B_1 = C_1 \cdot C_2$$
$$C_1 = C + B + D_1$$
$$D_1 = F + G + B$$
$$C_2 = D + B + D_1$$

(Here the + (Boolean OR) symbol represents the union symbol ∪, and the · (Boolean AND) symbol represents the intersection symbol ∩.) These relationships can be developed and dealt with according to the rules of Boolean algebra, which are similar yet not identical to those of the ordinary algebra. Some of these rules and properties are listed in Table 11-2 (it must be remembered that the + (OR) symbol and the · (AND) symbol mean ‘union’ and ‘intersection’, respectively).

So applying these laws to the fundamental relationships of our example, we get:

$$C_1 = C + B + F + G + B$$
$$C_2 = D + B + F + G + B$$
$$\begin{aligned} B_1 = {} & C \cdot D + C \cdot B + C \cdot F + C \cdot G + C \cdot B \\ & + B \cdot D + B \cdot B + B \cdot F + B \cdot G + B \cdot B \\ & + F \cdot D + F \cdot B + F \cdot F + F \cdot G + F \cdot B \\ & + G \cdot D + G \cdot B + G \cdot F + G \cdot G + G \cdot B \\ & + B \cdot D + B \cdot B + B \cdot F + B \cdot G + B \cdot B \end{aligned}$$

But $A_1 = A + B + B_1$ and $(X \cdot X) = X$, so

$$\begin{aligned} A_1 = {} & A + B + C \cdot D + C \cdot B + C \cdot F + C \cdot G + C \cdot B \\ & + B \cdot D + B + B \cdot F + B \cdot G + B \\ & + F \cdot D + F \cdot B + F + F \cdot G + F \cdot B \\ & + G \cdot D + G \cdot B + G \cdot F + G + G \cdot B \\ & + B \cdot D + B + B \cdot F + B \cdot G + B \end{aligned}$$

Reducing these equations, using $(X + X) = X$, gives:

$$\begin{aligned} A_1 = {} & A + B + C \cdot D + C \cdot B + C \cdot F + C \cdot G + B \cdot D \\ & + B \cdot F + B \cdot G + F \cdot D + F + F \cdot G + G \cdot D + G \end{aligned}$$
Figure 11-4. A fault tree for the system shown in Figure 11-5. [Events shown: A1, insufficient flow in V3; A, V3 doesn’t open; B, lack of CS signal to V3; B1, insufficient flow to V3; C1, insufficient flow from V1; C2, insufficient flow from V2; C, V1 doesn’t open; B, lack of CS signal to V1; D1, insufficient flow from the pump (transfer 01); F, pump doesn’t start; G, pump stops; B, lack of CS signal to V3; D, V2 doesn’t open; B, lack of CS signal to V2.]
Figure 11-5. A simple system. [Labels shown: Control system (CS), V1, V2, V3, P.]
Legend of symbols used in fault trees
Intermediate event: fault which happens for one or more preceding causes acting through logic gates.
OR - Output fault happens if at least one of the input events happens.
AND - Output fault happens if all the input events happen.
Primary fault.
Event not developed in fault tree (insufficient consequences or basic information).
Transfer ‘from’ or ‘to’: it is used to connect parts of the tree developed elsewhere with the tree under study.
Figure 11-6. Symbols used in fault trees.
Figure 11-7. Correspondence between Boolean and probabilistic logical environments. [Boolean UNION = A + B; Probability = P(A) + P(B) − P(A) · P(B). Boolean INTERSECTION = A · B; Probability = P(A) · P(B).]

Table 11-2. Basic rules of Boolean algebra

| Property | Expressions |
|---|---|
| Commutative | A + B = B + A; A · B = B · A |
| Associative | A + (B + C) = (A + B) + C; A · (B · C) = (A · B) · C |
| Distributive | A · (B + C) = A · B + A · C; A + (B · C) = (A + B) · (A + C) |
| Unity | A + 1 = 1; A · 1 = A |
| Absorption | A · (A + B) = A; A + (A · B) = A; A · A = A; A + A = A |
Rearranging:

$$\begin{aligned} A_1 = {} & A + B + C \cdot B + B \cdot D + B \cdot F + B \cdot G + C \cdot D \\ & + F + C \cdot F + F \cdot D + F \cdot G + G + G \cdot D + C \cdot G \end{aligned}$$

and using $X + (X \cdot Y) = X$ repeatedly, gives

$$A_1 = A + B + F + G + C \cdot D$$

The final result allows the easy calculation of the probability of A1 and shows, moreover, the minimal paths (‘minimum cut sets’, that is the minimum number of components involved) which may lead to the final event (the ‘top’ event) A1. They are A, B, F, G and (C · D). The calculation of the final probability
is particularly easy if the single events are rare, that is with low probability values. In this case it is generally allowable to neglect in the probabilistic calculation products of events in front of the single events themselves (the result, then, in the case of the probability calculation in presence of various independent originating events and singularly sufficient, is conservative). The calculation and the reduction of fault trees may be done by specific calculation codes (for example see Fullwood (1999)).

One of the more delicate aspects in setting up fault trees is the method chosen to take into account the ‘common cause failures’ (CCFs) (CEC, 1987). This aspect of the vulnerability of systems is particularly important for systems provided with a high level of redundancy. In this case, the presence of some CCFs may drastically reduce the probability of correct operation of the system upon demand. This effect is so feared that frequently the safety criteria specify a minimum value of the failure probability of a non-diversified system (that is, a system not made up of systems diverse in operating principle, materials, and so on). Figures for these ‘cut-off’ probabilities are usually of the order of 10⁻⁵–10⁻³ per demand (USNRC, 1983). Various methods exist to account for CCFs in an analysis. One among these, at the level of safety system, consists in introducing, in the logic model representing the system, a basic fictitious event which represents the CCF of the system. Another method, named ‘of the -factor’, consists in supposing that the failure rate of a component results from the sum of an individual term and of a common term ( ¼ i þ c, with c/ ¼ ). Typical values of are of 0.2 for identical redundant components, 0.02 for partial diversity (diverse ‘hardware’ or ‘software’), and 0.002 for complete functional diversity of the redundant elements (Smith, 1997).

It is necessary to add here that a remarkable freedom exists in the proportion in which event trees and fault trees can be used in a specific probabilistic analysis. Indeed, ‘large’ event trees and ‘small’ fault trees can be chosen (or vice versa) with all the intermediate grades. Here, reference has been made to the most common way, which uses event trees up to the primary safety systems, and fault trees for the determination of the failure probabilities of the primary systems, also on the basis of the failure probabilities of their support systems.

Table 11-3. Failure rates

| Component | Value |
|---|---|
| Break of very small pipe (up to about 30 l s⁻¹) | 3E-2 yr⁻¹ (B); 2E-2 yr⁻¹ (P) |
| Break of small pipe (up to about 80 mm diameter) | 3E-3 yr⁻¹ (B); 1E-3 yr⁻¹ (P) |
| Break of intermediate pipe (up to about 160 mm) | 3E-4 yr⁻¹ (B); 1E-3 yr⁻¹ (P) |
| Break of large pipe | 1E-4 yr⁻¹ (B); 5E-4 yr⁻¹ (P) |
| Transient for loss of d.c. bus | 5E-3 yr⁻¹ |
| Transient for loss of a.c. | 5E-3 yr⁻¹ |
| Transient for loss of outside lines | 0.1 yr⁻¹ |
| Transients not caused by the loss of the electric power generation system | 4.8 yr⁻¹ (B, FW); 0.56 yr⁻¹ (B, etc.); 6.85 yr⁻¹ (P) |
| Transients caused by loss of electric power generation system | 1.56 yr⁻¹ (B); 1.41 yr⁻¹ (P) |
| Spurious opening of relief valve | 1.4E-1 yr⁻¹ (B); 0 (P) |
| Solenoid valves: failure to operate | 1E-3/d demand |
| Solenoid valves: plugging | 4E-5/d |
| Solenoid valves: unavailability for test and maintenance | 2E-4/d |
| Hydraulic operated valves: failure to operate | 1E-3/d |
| Hydraulic operated valves: plugging | 4E-5/d |
| Hydraulic operated valves: unavailability for test and maintenance | 2E-4/d |
| Explosive operated valves: failure to operate | 3E-3/d |
| Explosive operated valves: plugging | 4E-5/d |
| Explosive operated valves: unavailability for test and maintenance | 2E-4/d |
| Manual valves: plugging | 4E-5/d |
| Manual valves: unavailability for test and maintenance | 2E-4/d |
| Non-return valves: failure to open | 1E-4/d |
| Non-return valves: failure to close | 1E-3/d |
| Motor operated relief or safety valves: failure to open | 0.1/d |
| Motor operated relief or safety valves: failure to reclose | 3E-2/d |
| Electric motor pumps: failure to start | 3E-3/d |
| Electric motor pumps: failure to operate | 3E-5 hr⁻¹ |
| Electric motor pumps: unavailability for test and maintenance | 2E-3/d |
| Turbine driven pumps: failure to start | 3E-3/d |
| Turbine driven pumps: failure to operate | 5E-3 hr⁻¹ |
| Turbine driven pumps: unavailability for test and maintenance | 1E-2/d |
| Diesel engine pumps: failure to start | 1E-3/d |
| Diesel engine pumps: failure to operate | 8E-4 hr⁻¹ |
| Diesel engine pumps: unavailability for test and maintenance | 1E-2/d |
| Heat exchanger: plugging | 5.7E-6 hr⁻¹ |
| Heat exchanger: break (leaks) | 3E-6 hr⁻¹ |
| Emergency diesel generator: failure to start | 3E-2/d |
| Emergency diesel generator: failure to operate | 2E-3 hr⁻¹ |
| Emergency diesel generator: unavailability for test and maintenance | 6E-3/d |
| Malfunction of external power supply (not an initiating event) | 2E-4/d |
| Malfunction of various components: batteries | 4E-4/d |
| Malfunction of various components: buses | 9E-5/d |
| Malfunction of various components: battery chargers | 4E-4/d |
| Malfunction of various components: inverters | 4E-2/d |
| Unavailability for test and maintenance: batteries | 1E-3/d |
| Unavailability for test and maintenance: buses | 6E-5/d |
| Unavailability for test and maintenance: battery chargers | 3E-4/d |
| Unavailability for test and maintenance: inverters | 1E-3/d |
| Battery depletion time | 5–7 hr |

The letters B and P indicate values applicable to BWRs and to PWRs. FW is the feed-water system.
11-3-3. Failure rates
One of the fundamental steps in carrying out a probabilistic analysis is choosing the failure rates of components. In principle, specific plant figures should be used, that is, figures obtained from the operating experience of the plant itself. When this is not possible, data of similar plants should be used or, in the extreme case, generic applicable data. Table 11-3 lists some data (average values) used in the study NUREG 1150 (NUREG, 1987). Other sources of failure data are described in Fullwood (1999), Taylor (1994) and Smith (1997), as well as many other sources.
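The Boolean reduction of the Figure 11-4 fault tree in Section 11-3-2, and its quantification once failure probabilities have been chosen, can be reproduced mechanically. The following Python code is an added example, not taken from the book or from any PSA calculation code; the gate table transcribes the 'fundamental relationships' of the text, while the basic-event probabilities and the function names are assumptions constructed for illustration.

```python
from itertools import product

# Fault tree of Figure 11-4, gate by gate, as given by the
# "fundamental relationships" in Section 11-3-2.
GATES = {
    "A1": ("OR", ["A", "B", "B1"]),
    "B1": ("AND", ["C1", "C2"]),
    "C1": ("OR", ["C", "B", "D1"]),
    "C2": ("OR", ["D", "B", "D1"]),
    "D1": ("OR", ["F", "G", "B"]),
}

# Constructed per-demand probabilities of the basic events (assumed values,
# chosen only to be of a realistic order of magnitude; not plant data).
P = {"A": 1e-3, "B": 1e-4, "C": 1e-3, "D": 1e-3, "F": 3e-3, "G": 7e-4}


def minimise(sets):
    """Apply X + X = X (duplicates) and X + X.Y = X (supersets absorbed)."""
    unique = set(sets)
    return {cs for cs in unique if not any(other < cs for other in unique)}


def cut_sets(node, gates):
    """Return the minimal cut sets of `node` as a set of frozensets."""
    if node not in gates:  # basic event
        return {frozenset([node])}
    op, children = gates[node]
    child_sets = [cut_sets(child, gates) for child in children]
    if op == "OR":
        combined = set().union(*child_sets)
    elif op == "AND":
        # Union of frozensets makes X . X = X automatic.
        combined = {frozenset().union(*combo) for combo in product(*child_sets)}
    else:
        raise ValueError(f"unknown gate type {op!r}")
    return minimise(combined)


def cut_set_probability(cut_set, p):
    """Probability that all (independent) events of one cut set occur."""
    prob = 1.0
    for event in cut_set:
        prob *= p[event]
    return prob


def rare_event_probability(mcs, p):
    """Rare-event approximation: sum over the minimal cut sets."""
    return sum(cut_set_probability(cs, p) for cs in mcs)


def exact_probability(mcs, p):
    """Exact top-event probability for independent basic events,
    obtained by enumerating every combination of failed/working events."""
    events = sorted(p)
    total = 0.0
    for state in product([False, True], repeat=len(events)):
        failed = {e for e, is_failed in zip(events, state) if is_failed}
        if any(cs <= failed for cs in mcs):
            weight = 1.0
            for e, is_failed in zip(events, state):
                weight *= p[e] if is_failed else 1.0 - p[e]
            total += weight
    return total


if __name__ == "__main__":
    mcs = cut_sets("A1", GATES)
    for cs in sorted(mcs, key=lambda s: (len(s), sorted(s))):
        print(" . ".join(sorted(cs)))
    print("rare-event approximation:", rare_event_probability(mcs, P))
    print("exact (independent events):", exact_probability(mcs, P))
```

With these assumed values the rare-event sum slightly exceeds the exact figure, which is the conservatism the text refers to.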
References
CEC (1987) ‘Common cause failures reliability benchmark exercise’, EUR 11054-EN.
Fullwood, R.R. (1999) Probabilistic Safety Assessment in the Chemical and Nuclear Industries. Butterworth-Heinemann.
IAEA (1992) ‘Procedures for conducting probabilistic safety assessments of nuclear power plants (Level 1)’, Safety series 50-P-4.
IAEA (1995) ‘Procedures for conducting probabilistic safety assessments of nuclear power plants (Level 2)’, Safety series 50-P-8.
IAEA (1996) ‘Procedures for conducting probabilistic safety assessments of nuclear power plants (Level 3)’, Safety series 50-P-12.
NUREG (1987) ‘Reactor risk reference document’, NUREG 1150.
Petrangeli, G. and Zaffiro, C. (1985) ‘Regulatory implications of source term studies’, IAEA-SM-281/53.
Smith, D.J. (1997) Reliability, Maintainability and Risk. Butterworth-Heinemann.
Taylor, J.R. (1994) Risk Analysis for Process Plant, Pipelines and Transport. E. & F.N. Spon.
USNRC (1983) ‘PRA procedure guide’, NUREG CR 2300.

Chapter notes
1 T is the transient of main feed-water loss due to loss of electric power supply. M, B indicate the lack of recovery of the outside lines and the non-operation of the station diesels for at least three hours (in the Rasmussen report, the probability of non-recovery of the outside lines in one hour is assumed equal to 2 × 10⁻¹ and the probability, to be combined with the preceding one, of non-recovery for the other two hours of the same lines, is assumed equal to 5 × 10⁻¹). L indicates the malfunction of the auxiliary feed-water system and therefore also of the turbine-driven pump.
Chapter 12 Safety analysis review
12-1. Introduction
A safety review is undertaken by the design, construction and operation organizations, and the control bodies. As all the regulatory documents repeat (e.g. AR17) and as also explained by those who have for a long time been involved in this activity (Bourgeois et al., 1996), it is essential that this control function is independent, competent and credible. I will use some experience accumulated over several decades of involvement in safety reviews to add here some further and more detailed considerations on the subject, with some examples.
12-2. The reference points
In the early days of nuclear energy, in particular in a country without previous experience, for example in military applications, it was very difficult for a safety reviewer to obtain data and information on which a review could be based. The available criteria were scarce, the data on already built plants were in some cases difficult to obtain and the research was at an initial stage. Today, data and information are much more abundant. These include:

The international criteria and guides (e.g. IAEA) which offer useful indications, even if necessarily of general nature (see Chapter 18).
Compilations of national regulations, such as the technical positions, the ‘Regulatory Guides’ and the ‘Standard Review Plan’ used in the USA are easily available (see Appendix 14).
The proceedings of debates within international and community organizations, such as the IAEA, the OECD Nuclear Energy Agency (Committee for the Safety of Nuclear Installations (CSNI), Committee for Nuclear Regulatory Activities (CNRA), Committee for Radiation Protection and Public Health (CRPPH), Health Protection, Committee for Waste Management (CWM)), and the European Union groups.
The results of research in the international field and the proceedings of many conferences on any part of nuclear safety technology.
However, there is no ‘Decision Machine’ available, either in the form of technical guides or handbooks, and experts are frequently compelled to take subjective technical decisions and to accept the related responsibility. In fact, the practical cases are always so specific that they cannot be covered by an ‘all-embracing’ handbook. Moreover, even if such a tool existed, in case of judicial trial, the compliance with the handbook could frequently be considered only an extenuation of the possible guilt of the technical expert. ‘Historical’ examples exist of technical specialists who have been sentenced in a case of a pressure vessel explosion, although in due course they had verified its compliance with the technical standards in force. In case of accident, in fact, the technical expert must demonstrate the application of all the means suggested by the ‘status of the technical knowledge’. Only completely new phenomena escape this criterion.
12-3. Foreseeing possible issues for discussion
Four of the most respected experts among those responsible for nuclear safety in Europe have written that the principal qualities of the safety controller are the following (Bourgeois et al., 1996):

independence
competence
credibility
modesty (which they call ‘the mother of safety’).
My experience suggests that a very productive quality, but the most difficult to develop, is to be able to foresee, so far as possible, the problems which will come up in discussions with the designer or the future operator of the plant. Following the wise words of the above quoted four experts:

We have to start from the idea that our counterparts, whatever their responsibility level may be, never primarily intend to put safety in danger. An industrialist who builds a dangerous factory has not the objective of causing an accident. A technician who is going to set a safety valve has not the objective to make it inoperable. Instead, both of them frequently have in their mind a dominant concern which obscures the others: for the first one it may be to produce at low cost in order to conquer larger market shares, for the second, it may be to get rid as soon as possible of a boring task. The function of the safety expert is to make them understand that the neglect of safety may put everything in danger and that it is certainly more effective for them to take care of safety at the correct moment, rather than to awake too late and have to pay for the consequences. Then, the role of the expert is to help people in charge . . ..

In order for this action of persuasion and of assistance to be effective in practical cases, it must be initiated, as far as possible, ahead of time. Frequently the plant designs arrive at the safety reviewer’s table when the design phase has been declared practically finished and when many components have already been ordered, that is when the finished activities represent such a firm precedent that it cannot practically be put in discussion again, unless large penalties and stresses within the owner organisation are accepted. In these conditions it has to be hoped that the design can be considered acceptable by the reviewer too, otherwise every objection mentioned would hit a wall of resistance, which might not have existed if the review had taken place at the proper time. It is therefore essential that the reviewer is involved at the initial phases of the design process before any action is taken. At this stage it may be difficult for the reviewer to express a judgement for lack of data but he or she can give expert comment, possibly conditional to subsequent verifications. From experience, the reviewer can possibly see future problems and give advice. Finally, the good safety controller must have the courage to take responsibility, and always sensibly balance the designer/operator requirements against the safety requirements without hindering the design process unnecessarily.

As implemented in some national regulations, this ‘ahead of time’ intervention should be encouraged and explicitly facilitated by a set of rules on safety controls. However, adherence to this policy should not be taken for granted and it is often opposed by some control experts, worried by an excess of responsibility, and by some managers. In this connection, before the TMI accident (see Section 1-2), there were two erroneous attitudes within the nuclear industry, both held in order to ‘defend itself’ from the control bodies: the first one was to ‘flood them with paper’, that is to overburden them with documents; and the second was to ‘give them the minimum possible amount of information’. But these were past times and things have changed somewhat.

12-4. Control is not disrespectful
Sometimes, in performing the design review, it is possible to get the idea that some remarks may be offensive and so are sometimes deleted: this is a mistake as shown in the following example. In the 1960s and 1970s an experimental pressurized water reactor was built whose reactivity control for fuel burn-up was not performed by ‘chemical shim’ (i.e. by changing the concentration of boric acid in the cooling water), but by ‘spectral shift’. In practice, cooling water was composed of a mixture of light water and heavy water, in varying proportions during the life of the core: at the start the content of heavy water was higher and decreased with increasing fuel burn-up. At the start of the life, the addition of light water to the primary circuit caused a reactivity increase, as expected. Therefore all the systems were conceived
in such a way to avoid an unwanted light water injection. However, there was a flaw in the design which was not discovered until a safety review by a group of European experts found it. The safety injection system, in fact, was designed to inject a solution of strongly borated light water so that, at any time during the life of the core, the negative effect of the injected boron on the core reactivity would take precedence over the positive one due to the injection of light water. A check made during the above mentioned review showed that, on the contrary, for a period of time at the start of core life, the actuation of the safety injection system would have caused a net increase of reactivity, infringing one of the fundamental system specifications. Although the design team had doubts about the credibility of this finding, the error proved to be real and the safety review committee were thanked for their contribution to perfecting the design.
12-5. Clarification is not disrespectful
The solution to any problem found by the controller must be illustrated to the necessary degree of detail, with the maximum confidence in the competence of the recipient but without neglecting any detail, and without assuming that ‘the designer has certainly thought of that’. A lack of completeness may be costly to all concerned. In this connection, here is a long technical digression, which is useful to think about.

Many years ago, two pressurized water reactors were built, with the lower support plate of the core subdivided into two plates, about three metres apart in the vertical direction and connected by an external row of round rods in traction (tie rods – TR) and by internal guide tubes for the control rod followers (cruciform) containing fuel rods, as illustrated in Figure 12-1. The core was supported by the upper plate and through the followers in compression, by the lower plate and, finally, by the tie rods in tension. The cooling water coming from the downcomer at the periphery of the core, made a turn towards the interior in the tie rods zone, then went up along the guide tubes before finally entering in the core.

Figure 12-1. Core support arrangement. [Labels shown: core, tie rods, plate, plate, followers.]

During the safety review of the design by the control body, the fact that, in this configuration, a transversal and longitudinal current of water flowing around the TR could cause their vibration was highlighted; the von Karman vortex wake due to the transversal flow was of particular concern. (It is known that this phenomenon is responsible for the vibration of many chimneys, and, sometimes, in order to break the above mentioned vortices, they are fitted with an external helical foil along much of their length.) The control body had made a quick check of the natural frequency of the TR and of the probable vortex frequency:

$$f = \frac{0.207\,u}{d}, \qquad (12.1)$$

where f is frequency, u is water velocity and d is the round rod diameter, and showed that resonance between forcing frequency and natural rod frequency could exist. The forcing frequency is practically independent from the Reynolds number and therefore from the type of fluid, in the range of Reynolds numbers of interest. On the basis of this first investigation, the designer was requested to give information on the possibility of vibrations of the rods and on significant fatigue stresses. After some months the designer answered with the report which is summarized in the following. The report is long but has been almost fully reproduced here because it gives good engineering insights. (The original report references have been removed although their citations have been retained to show proper checks were made, and the original imperial units have also been kept.)
12-6. Designer report
12-6-1. Introduction
The core support structure consists of a core plate, upon which the fuel assemblies rest, a casting located approximately 120 in below the core plate, control rod shroud tubes and tie rods which join the core plate to the casting. This structure is located in the bottom of the reactor pressure vessel. The reactor coolant (water) flows downward around the outside of the core and reverses direction in the bottom portion of the reactor vessel to flow up through the core. Thus, the core support structure is in a region of flow direction change and a complex flow pattern exists. The tie rods are located around the circumference of the core support structure and are subjected to fluid flow of varying direction and velocity. The possibility of the tie rods vibrating in the complex flow pattern has been the subject of considerable analysis and study as the reactor design developed. This study and analysis divided naturally into two parts, one which considered the hydrodynamic aspects of possible tie rod oscillations and one which determined the vibration deflections and stresses of the tie rods under the influence of the possible exciting forces. The following paragraphs describe the results of these analyses and studies.
12-6-2. Conclusions
The primary conclusion is that in the unlikely event that the tie rods vibrate in resonance with maximum possible excitation the stresses and deflections in the tie rods will be sufficiently small that there is no possibility of fatigue failure. In the actual case, the tie rods are not expected to be in resonance with the exciting force because the maximum local cross flow velocity will probably be less than 7 ft s⁻¹. Furthermore, at high Reynolds numbers, there are experimental indications that the exciting forces will be aperiodic and that the combination of parallel and cross flow will decrease the stability of the flow which leads to the formation of a regular periodic vortex sheet.
12-6-3. Hydrodynamic aspects
Flow distribution in lower plenum
The velocity distributions normal and parallel to the tie rods, respectively, were obtained from potential flow analogue studies of a two-dimensional model of the lower plenum. A wake of highly turbulent, but essentially stagnant fluid, was assumed to exist, protruding downwards into the plenum from the lower edge of the core barrel. The extent of the wake was adjusted to give consistency with the experimentally observed flow non-uniformity at the lower core plate. A maximum cross flow velocity of 7 ft s⁻¹ occurs just above the middle of the tie rod. Below this point, the velocity decreases to less than 0.5 ft s⁻¹ at one-third of the distance between the casting and the core plate. The velocity parallel to the rod decreases from 12 ft s⁻¹ at a position two-thirds of the distance between the casting and core plate to less than 1 ft s⁻¹ at the mid-point of the tie rods. The maximum cross flow velocity will probably be less than 7 ft s⁻¹ because some of the net flow will cross through the wake.
Transverse force in cross flow
The transverse force due to vortex formation (von Karman) in flow normal to the rod is assumed to be periodic with a frequency calculated for a Reynolds number (Re) greater than 10³ assuming a constant Strouhal number of 0.21 (Reference 1). While Rouse (Reference 2) indicates that alternating side thrust exists for Re as high as 10⁶, there is evidence (Reference 3) that for 10³ < Re < 10⁵ the flow in the wake behind the cylinder is periodic, while for Re > 10⁵ it is not periodic. For a cross flow of 7 ft s⁻¹, the Reynolds number is 4.7 × 10⁵. The magnitude of the transverse periodic force is assumed identical to the drag force on a cylinder in steady flow. For a velocity less than 8 ft s⁻¹, the maximum drag force is Fmax = 1.43 lb ft⁻¹. The actual transverse force (lift) is expected to be less than this value. Experimental values (Reference 3) for Re = 735 are CL = 0.45 compared to CD = 1.09. The same ratio applied to Re = 10⁵ gives Fmax = 0.6 lb ft⁻¹. It seems reasonable to expect that the ratio CL/CD measured at Re = 735 will not change unfavourably as Re increases. As the frequency of the vortex shedding increases, their size becomes smaller rendering the asymmetrical pressure distribution which is associated with a single vortex effective over a smaller area. Also, the combined parallel and normal flow is believed to decrease the stability for the formation of a regular periodic vortex sheet.
12-6-4. Effective mass of oscillating system
The effective mass of the vibrating rod is calculated by adding the virtual mass of fluid to that of the rod. For steady flow normal to a cylinder:
$$ m_{\mathrm{eff}} = m_{\mathrm{rod}}\left(1 + \frac{\rho_{\mathrm{fluid}}}{\rho_{\mathrm{rod}}}\right) = 1.098\, m_{\mathrm{rod}}. \tag{12.2} $$
12-6-5. Evaluation of fluid damping The damping of the vibration due to fluid friction is calculated from the drag on a cylinder in steady motion with the mean velocity um ¼ 4f, where is the deflection and f is the frequency of vibration. The ratio of damping to critical damping becomes: C 2 CD 1 ¼ 2
1 þ fluid Cc rod
! , D
ð12:3Þ
where CD is the drag coefficient. The damping thus increases with deflection. For CD 1, C/Cc 0.02/D.
12-6-6. Vibration analysis
The response of the tie rods to the effects of the fluid flow was determined using analyses which are conservative in nature. The natural frequency of the tie rod is a function of the rod diameter and length and the tension in the rod. During assembly of the core support structure, the tie rods are placed in tension by tightening the nuts at their lower ends.
The torque on the nuts is specified so that the natural frequency of the rods will be approximately 19 cps in air and with no loading due to core weight. The relationship between this natural frequency and the torque on the tie rod nuts was determined experimentally on the actual structure during initial fit up at the shop. Following installation of the core support structure in the reactor the tie rods will be immersed in water which will cause the natural frequency of the rods to drop by approximately 5 per cent. However, installation of the core will increase the tension in the tie rods and the natural frequency of the tie rods will increase approximately 8 per cent, more than offsetting the effect of the water.
Cross flow
In determining the effect of the cross flow, the maximum possible velocity of 7 ft s⁻¹ was used to determine the maximum von Karman vortex frequency of 17.5 cps. The cross flow velocity distribution was taken as shown in Figure 12-2 which is, of course, an approximation of the actual case. The exciting force distribution was taken similar to the velocity distribution and, for each velocity, the exciting force was taken as the drag on the rod due to the cross flow. In the case of the 7 ft s⁻¹ velocity, the drag was determined for a flow velocity of 5 ft s⁻¹ because the velocity–drag curve has a local peak at this velocity. The cross flow drag distribution is also shown in Figure 12-2. Each tie rod was considered to be a series of six lumped masses connected by springs. The tension in the rod was included and the ends of the rods were considered to be clamped. This multi degree of freedom system was excited by alternating forces imposed on two of the lumped masses to simulate the assumed loading shown in Figure 12-2. No damping was assumed and the amplitude of vibration was determined for each of the lumped masses for the first mode of vibration. The amplitude of vibration and the bending moment along the rod are shown in Figure 12-3. It is seen that the maximum amplitude of vibration is 0.0153 in and the maximum bending moment is 39.5 in lb. The corresponding maximum alternating stress is 403 psi.
Figure 12-2. Cross flow quantities. Panels: cross flow velocity (ft s⁻¹) and cross flow drag force (lb ft⁻¹), each against distance from top of tie rod (in).
The static deflection of the tie rod due to the forces shown in Figure 12-2 was calculated to be approximately 0.007 in. Thus, the amplification, or resonance, factor was found to be 2.18. In comparing this factor with that which would be expected from a single degree of freedom system with no damping (amplification factor equals 6.5, Reference 4), it was found that the effect of the tension in the rod served to reduce the amplification factor by a factor of 2.98. The analysis described above was for the case of the tie rod natural frequency being slightly greater than the exciting frequency (19 cps vs. 17.5 cps). While it is felt that the exciting frequency used will be the maximum possible and that the natural frequency used is close to the actual, the case of the natural frequency being in resonance with the exciting frequency was also considered. At resonance, the amplitude of vibration will, of course, become infinite unless damping exists in the system. Damping will certainly exist in the tie rod system although it will be small. The principal source of damping will stem from internal damping in the tie rod material. For stainless steel, this will amount to at least 1 per cent of critical damping (Reference 7). The water will also provide a small amount of damping which will depend upon the amplitude of the tie rod vibration. This damping will be approximately 0.2 per cent. Damping will also stem from very small motions in the top and bottom tie rod threaded joints. For a single degree of freedom system at resonance, the amplification factor is approximately 45 for damping equal to 1.2 per cent of critical (Reference 4). Reducing this in proportion to the reduction determined above, to account for tension in the rod, the amplification factor was found to be approximately 15.1. The maximum deflection was then determined to be 0.106 in and the alternating stress was found to be 2780 psi.
Figure 12-3. Vibration data. Panels: deflection (in × 1000) and bending moment (in lb), each against distance from top of tie rod (in).
Parallel flow
The vibration of the tie rods due to parallel flow was analysed based upon a method described by Burgreen et al. (Reference 5). The flow velocity was taken as 12 ft s⁻¹, the maximum parallel flow velocity, and the hydraulic diameter was taken as 24 in. The maximum deflection was found to be 0.074 in and the maximum alternating stress was 1950 psi.
Fatigue analysis
A fatigue analysis was made to determine if the tie rods will fail due to fatigue in the unlikely event that the rod vibrates in resonance with the von Karman vortex frequency. The modified Goodman diagram was used in this analysis. This method is described in Reference 6. It was assumed that the stresses and deflections due to the cross and parallel flow vibrations are additive. The maximum deflection becomes, then, 0.180 inches and the maximum alternating stress becomes 4730 psi. The tensile stress in the tie rods, with the tie rod nuts torqued as specified and with the core installed, is approximately 4870 psi. This stress is the mean stress in the tie rods. The modified Goodman diagram is shown in Figure 12-4. The values for Su, Sb, and Sae are given by Reference 6 for AISI 304 stainless steel at 600 °F. The maximum alternating stress and mean stress values given above determine the location of point (1) in Figure 12-4. This point is well within the ‘safe’ region of the diagram which indicates that the tie rods can be allowed to vibrate at resonance without failure.
Figure 12-4. Modified Goodman diagram (for stainless steel at 600 °F). Axes: alternating stress (psi × 10⁻³) against mean stress (psi × 10⁻³), with Sae, Sb, Su, point (1) and the ‘safe’ region marked.
The report concluded with the references cited in the text.
12-7. Discussion
The report was read and commented on by the reviewers: not all the doubts were dissipated, but it was thought possible to discontinue any further action on this issue as the designer (a very experienced one) had demonstrated with his report that he had seriously considered the issue raised. It was decided at this point to completely trust the designer. During the pre-operational tests of the reactor no vibration measurements were performed on the reactor internals as, at that time, the problem of the internal fatigue failures inside the vessel had not yet become the serious safety problem which in subsequent years it was to become.
Today, no newly designed reactor is allowed to start operation without having gone through a complete test routine demonstrating the absence of dangerous vibrations in the vessel internals AR 311.
After a short operation time, severe failures happened in the vessel internals, among which was the break of the above mentioned tie rods, which might well have been the cause of other damage. The reactor was stopped for about two years for tests and modifications to the internal complex: the tie rods, in particular, were removed and replaced with other duly reinforced internals. Naturally, the above summarized short report was read and studied again in order to discover possible defects and erroneous evaluations which would justify the breaks. The defect that the reviewers immediately found, once the real mechanical drawings of the complex were available (which were not enclosed in the above report), was that the writer of the report, in evaluating the peak stresses for the evaluation of the fatigue strength in the rods, didn’t take into account the stress intensification factor in the notch represented by the upper and lower threads of the rods, which were not protected by stress attenuation grooves or by other provisions. The stress intensification factor might range from 2 to 4 and was therefore completely capable of reversing the result of the initial evaluations.
Another doubt, which unfortunately remained unresolved, concerned the advisability of basing the demonstration of sufficient strength on the presence of tension in the rods, due to the torque imposed on the lower nuts. Indeed, if this confidence could be justified in the case of an isolated rod, the case of many rods in parallel is much more uncertain; indeed, in the absence of an extensometric measurement on all the rods, it might well be that the subsequent torquing of nuts could totally or partially eliminate the tension in the previously tightened rods. It is in fact necessary to consider the uncertainty connected in part with random factors like the amount of friction and in part with the conditions of imperfect cleanliness of the threads and of the nuts.
At least in this case, if the reviewers had been more determined in their in-depth study of the design evaluations, perhaps significant industrial damage could have been avoided, notwithstanding the fact that the breaks didn’t impair the ability to shut down the reactor using the control rods. In any case, the reason why such a mistake, in many respects incredible, happened was never discovered or reported: perhaps it consisted in an erroneous assignment of task (the hydrodynamic analyst was perhaps put in charge of the fatigue verifications too without adequate supervision) or in an erroneous mindset in the treatment of the answers to the questions of the control body (for example, believing that the design had to be necessarily correct and that the answer to the control body had the only purpose of convincing it, as if the requests of clarification were not also a contribution to the verification of the design!). It is not easy to draw precise and general lessons from facts like this one; it is, however, appropriate that accounts of these experiences be freely circulated in order to try to avoid future mistakes of this kind.¹
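The arithmetic of the report, and the effect of the notch factor that it left out, can be followed in a short calculation. The code below is an added example, not part of the designer's report or of the book; the endurance limit and ultimate strength (ASSUMED_SAE_PSI, ASSUMED_SU_PSI) are placeholder values, since the page does not reproduce the figures of Reference 6, and applying the stress intensification factor to the alternating stress only is an assumption.

```python
import math

# Figures quoted in the designer's report (sections 12-6-3 to 12-6-6)
F_VORTEX_CPS = 17.5            # maximum von Karman vortex frequency
F_NATURAL_CPS = 19.0           # tie rod natural frequency
STATIC_DEFLECTION_IN = 0.007   # static deflection under the cross flow drag
MULTI_DOF_FACTOR = 2.18        # amplification found for the six-mass model
SDOF_OFF_RESONANCE = 6.5       # undamped single degree of freedom, Reference 4
SDOF_AT_RESONANCE = 45.0       # 1.2 per cent of critical damping, Reference 4
STRESS_OFF_RESONANCE_PSI = 403.0
CROSS_FLOW_STRESS_PSI = 2780.0
PARALLEL_FLOW_STRESS_PSI = 1950.0
MEAN_STRESS_PSI = 4870.0

# Placeholders for this example only: the report takes Sae and Su from its
# Reference 6 and the page does not reproduce the numbers.
ASSUMED_SAE_PSI = 15_000.0     # endurance limit at zero mean stress
ASSUMED_SU_PSI = 50_000.0      # ultimate tensile strength


def sdof_amplification(freq_ratio, damping_ratio=0.0):
    """Steady-state amplification of a linear single degree of freedom system."""
    r2 = freq_ratio ** 2
    return 1.0 / math.sqrt((1.0 - r2) ** 2 + (2.0 * damping_ratio * freq_ratio) ** 2)


def resonance_case():
    """Repeat the report's scaling from the off-resonance to the resonant case."""
    tension_reduction = SDOF_OFF_RESONANCE / MULTI_DOF_FACTOR
    factor = SDOF_AT_RESONANCE / tension_reduction
    return {
        "tension_reduction": tension_reduction,
        "amplification": factor,
        "deflection_in": STATIC_DEFLECTION_IN * factor,
        # stress scales with amplitude in a linear system
        "stress_psi": STRESS_OFF_RESONANCE_PSI * factor / MULTI_DOF_FACTOR,
    }


def goodman_utilisation(notch_factor=1.0):
    """Sa/Sae + Sm/Su for the combined cross and parallel flow stresses.

    Values above 1 lie outside the Goodman line. The notch factor multiplies
    the alternating stress only (assumption); the yield bound Sb of
    Figure 12-4 is not modelled.
    """
    alternating = notch_factor * (CROSS_FLOW_STRESS_PSI + PARALLEL_FLOW_STRESS_PSI)
    return alternating / ASSUMED_SAE_PSI + MEAN_STRESS_PSI / ASSUMED_SU_PSI


def largest_tolerable_notch_factor():
    """Notch factor at which the stress point reaches the Goodman line."""
    alternating = CROSS_FLOW_STRESS_PSI + PARALLEL_FLOW_STRESS_PSI
    return ASSUMED_SAE_PSI * (1.0 - MEAN_STRESS_PSI / ASSUMED_SU_PSI) / alternating


if __name__ == "__main__":
    print("undamped SDOF factor at 17.5/19 cps:",
          round(sdof_amplification(F_VORTEX_CPS / F_NATURAL_CPS), 2))
    # The report quotes approximately 45 from its Reference 4.
    print("1/(2*zeta) at resonance with 1.2 % damping:",
          round(sdof_amplification(1.0, 0.012), 1))
    print(resonance_case())
    for kt in (1.0, 2.0, 3.0, 4.0):
        print("notch factor", kt, "-> utilisation", round(goodman_utilisation(kt), 2))
    print("largest tolerable notch factor:",
          round(largest_tolerable_notch_factor(), 2))
```

With these placeholder material values the unnotched point sits well inside the Goodman line, while a notch factor in the upper part of the 2 to 4 range quoted above moves it outside.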
References
Bourgeois, J., Tanguy, P., Cogné, F. and Petit, J. (1996) La sureté nucleaire en France et dans le monde. Politechnica, Paris.
Ford, D. (1982) The Cult of the Atom. Simon and Schuster, New York.
Chapter notes
1. And perhaps, you will meet this situation too . . . At the time when the technology of pressurized reactors had not yet been stabilized, a safety reviewer noticed that in a PWR no isolation valve had been placed in the steam generator outlet steam lines; in this situation, if a rupture of a steam line inside the containment occurs, the water inventory of all the steam generators would be discharged in the containment (together with the inventory of primary water, according to a conservative usual assumption). At the end, after long discussions, the owner of the plant accepted the need to install the big isolation valves, which caused delays and significant extra expense (the plant construction was almost complete). The young reviewer was summoned by his ‘boss’ in order to receive the news of the owner’s decision and to hear also the following (semi-serious) remark: ‘. . . however, don’t find these defects any more!’. (Reportedly, elsewhere and in a different context, the same concept was probably expressed by the sentence: ‘Don’t turn over new rocks’ (Ford, 1982, page 198)). All this is understandable, if not condonable. However, it is necessary to remember that it is better to resolve plant deficiencies earlier rather than later. After many years of heated discussions with designers, it is easy to hear sentences like this one: ‘You made us suffer a great deal, but you were right’.
Chapter 13 Classification of plant components
A general agreement exists that classification of systems, structures and components of a plant from the point of view of safety and from the point of view of resistance to external actions (earthquake, and so on) is necessary to make decisions on the following (AR17):
• Adequate design, construction and operation provisions for each class.
• System characteristics, such as redundancy, emergency power supply, qualification for environmental conditions.
• Systems to be considered available or not in the deterministic analysis of the Postulated Initiating Events (PIE) (EUR, Chapter 18).
• Gradation of the QA measures, to be proportioned to the importance of the safety component but also to the characteristics of the component such as its complexity and degree of technological innovation.
In general, the following classifications should be defined:
• Classification on the basis of the safety function, with reference to the requirements above.
• Classification for pressure components, on the basis of the mechanical complexity and the pressure level.
• Classification for the resistance to earthquakes, with reference to the need that the component continue to be undamaged or functional during and after an earthquake of a certain severity, taking into account the aftershocks and therefore the possible incremental damage.
• Classification of the instrumentation and control systems, on the basis of their safety function, which may be different from that of other system types because of the existence of classification schemes specific to their field and commonly used.
• Classification for QA requirements.
The various national approaches to the classification systems strongly differ from each other and in every practical case the choice of the classification criteria and the assignment of the various components to the classes identified need a certain degree of reflection and judgement. The subject of classification is made very delicate by the fact that the pertinent choices have a strong economic relevance. Moreover, it is not always possible to correlate the different classes with levels of reliability or unavailability upon demand in the Probabilistic Safety Evaluations, because of the lack of sufficient experimental data. The probabilistic safety analyses should confirm that the structures, systems and components which ensure that the risk connected to the plant is low, be classified at the appropriate level. It is necessary to stress the adequacy of the isolation and separation systems adopted for different systems having a possibility of mutual interaction and assigned to different classes. The malfunction of a system or component should not cause the malfunction of another system or component assigned to a superior class. If this possibility exists, the affected system or component should also be classified in the superior class. Some examples of adopted classification systems may be found in IAEA (1979), the IAEA Guide on classification (under revision) in EUR (Chapter 18), the EUR criteria, an extract of which, also including the classification system, is included as Appendix 6.
Some examples of system classifications are given in the following paragraphs, as an illustration. These examples comply with the above listed principles and may be found in IAEA (1979) and EUR (Appendix 6).
• The system of vessels, pipes and pressure components which form the primary cooling system of a PWR (reactor vessel obviously included) is in Class 1, the highest one, as the failure (break) of the system constitutes a serious LOCA.
• The core emergency cooling system is placed in Class 2, as its failure doesn’t cause directly and necessarily an accident.
• The compressed air system which supports the emergency cooling systems is in Class 3 as it is considered a normal, not highly stressed system.
• The station fire fighting system is not placed in a safety class (or it is in Class 4) as it is considered that the specific industrial standards in force already offer sufficient guarantee by themselves if needed.
These examples make clear the degree of subjectivity in the classification choices and therefore the importance of giving classification adequate attention.
Reference
IAEA (1979) ‘Safety functions and component classification for BWR, PWR and PTR’, Safety Guide N. 50-SG-D1, Vienna.
Chapter 14 Notes on some plant components
14-1. Reactor pressure vessel
14-1-1. Problems highlighted by operating experience
During the past 45 years of peaceful use of nuclear energy, no case of a nuclear reactor pressure vessel rupture has occurred. This hypothetical event is not included in the design basis accidents (DBAs) nor, according to the most recent trends, among the severe accidents to be reasonably considered. This is not, as it will be discussed more extensively later, the only possible choice: it, however, has been considered acceptable and practicable. It is also necessary to remember that the burst of a nuclear vessel without previous mitigation measures, would easily result in an accident of the severity of the Chernobyl one. Every effort, therefore, is made by technical experts involved to prevent a break by design, construction and operation provisions. In order to meet this goal, however, extraordinary efforts and means are necessary. Indeed, even though there is good design experience for ordinary industrial vessels built and operated at the best quality level, the resulting failure rate is unacceptable for the best nuclear vessels, where the risk is kept at minimum level. It must be remembered that the frequency of catastrophic ruptures in Class 1 industrial, non-nuclear, pressure vessels ranges between 10⁻⁴ and 10⁻³ per year. The total service time of nuclear pressure vessels for civil and military uses is now somewhat higher than 10 000 reactor-years.
Other additional facts must be considered in the operating experience of nuclear pressure vessels. An example was the case of a nuclear reactor steam generator which was built twenty years ago according to the rules then in force. It worried some nuclear experts because of what they thought could have happened. The case is described in Chapter 20, but here it is recalled that, during a normal inspection of the plant, a patch of damp was discovered on the exterior of the thermal insulation of the vessel. A subsequent in-depth inspection revealed the presence of a circumferential crack along a weld which extended for most of the circumference and had an average depth of roughly 70 per cent of the wall thickness. The rupture of a steam generator in a nuclear plant would probably cause a lower environmental contamination than the rupture of the reactor pressure vessel, but in any case this is a disruptive accident, not considered among the design basis ones or among those taken as a reference for additional protective measures for severe accidents. In passing, the cause was attributed to impurities in the welds and therefore to fabrication defects.
Another case of supposedly serious danger happened when, because of the stringent need for electric power production, a Russian-design reactor built in Bulgaria was restarted after a stoppage, notwithstanding the contrary opinion of a group of European experts. This case, too, is described in Chapter 20. The plant had been shut down because excessive embrittlement of the vessel was feared due to the neutron fluence absorbed in service. During the stoppage, according to some experts, the vessel had at least to be submitted to further inspections and possibly annealed in order to eliminate part of the neutron embrittlement. It was, instead, following the advice of other experts, started up again and operated for several months until, once the winter electricity demand peak had passed, it was stopped again in order to perform the needed operations.
It has to be said, however, that in retrospect, following tests on material samples, the initial estimates proved to be too pessimistic. Another example is the corrosion damage caused by boric acid to the vessel upper head of the US reactor at Davis Besse in 2002. A cavity as deep as the carbon steel wall and with similar dimensions in plan was produced, leaving the stainless steel internal liner as the only barrier against the massive efflux of primary fluid (see Chapter 20). Whereas the dangers of the above example never materialized, the behaviour of the reactor pressure vessel during the Three Mile Island accident is exceptional. It withstood the outpouring of about twenty tons of molten core on its bottom, in conditions of highly deteriorated internal cooling. This behaviour indicated to the technical experts the presence of a powerful and up to then neglected barrier in the Defence in Depth, which is now utilized in a planned way as a potential asset.
Figure 14-1. The most relevant areas of a vessel from a structural point of view.
A number of relatively small mishaps have however occurred to vessels: cracks in the control rod drives thimbles in PWRs (Figs 14-1 and 14-2); damage to the internal liner due to erosion by broken metal pieces (almost everything has been found in reactor vessels and in steam generators during periodical inspections, including hammers, files, shoes and pieces of wooden planks, etc.!); small cracks at the junction between the internal liner and base metal due to the liner deposition process; defective materials; excessive neutron embrittlement; deposition of large amounts of boric acid (hundreds of kilograms, see Chapter 20) between the control rod drive thimbles and their thermal insulation; leaks of liquid through junctions; and so on.
14-1-2. Rupture probability of non-nuclear vessels
Rupture statistics for non-nuclear vessels are not applicable to nuclear vessels as they differ in many ways, for instance they differ in wall thickness (for most cases), service life, conditions of use, in-service inspections, improvements in steel making technology, control of trace elements, stringent heat treatment specifications and rigorous QA practices. It is however useful to consider the data collected on the ruptures in conventional vessels in order to keep in perspective the importance of the additional precautions adopted for nuclear vessels. Table 14-1 shows a summary of some available statistics for both destructive events and nondestructive breaks; the latter include all the cases of fractures discovered in time or which could become destructive and all those minor fractures, probably not potentially destructive, that required intervention because of their size. The principal causes of the reported fractures are fatigue (mechanical, thermal or corrosion assisted) associated with pre-existing fabrication defects, generally corresponding to structural discontinuities such as appendages, penetrations, etc. A statistical treatment of the data summarised in Table 14-1 leads to the conclusion that, at 99 per cent confidence, a potentially destructive event may happen, in non-nuclear Class 1 vessels, with a probability of 10⁻³–10⁻⁴ per year.
Figure 14-2. Types of junction between control rod thimbles and vessel body. Panels (a) and (b).
Table 14-1. Data on ruptures of conventional vessels Non-destructive events
Source UK Smith & Warwick IRS–TUV German study Group EEI–TVA EEI Boiler Drum & PV data UK steam drum sample NBBPVI (73–78) ABMA
P
Observed data (Ev/ P YV)
Number of vessels
(years vessels, YV)
20 000
3.1 105
65
7000 1.1 106
6.7 104 1.9 106
30 7435
1033 5000
1 104 2.2 104
10 1
1 10 4 10
3000
6 104
27
4.5 10
4
536 000
3 106
1043
3.2 10
4
68 000
7.2 105
Number of events
2 10
4
4.4 10 4 10 4
4
3
Destructive events Confidence limit 95% 2.6 10 6 10
4
1.7 10 2 10 4
5
6 10
4
4
3
Number of events
Confidence limit 95%
5
3.2 10
5
0 40
4.5 10 8.8 10
5
0 0
3 10 4 1.4 10
0
5 10
6
4
5
115
3.5 10
5
0
4.2 10
6
14-1-3. Failure probability of nuclear vessels
Normal conditions, transients and design accidents
Given the absence of statistics for occurred events, the only way to estimate the failure probability of nuclear vessels is analytically, on the basis of the probabilistic distribution of the involved parameters and of the available fracture mechanics models. The relevant parameters include: toughness of the material, the number of cracks initially present in the component, the probability that they are detected during the pre-operational and in-service tests, the fatigue crack growth rate, etc. The result of these probabilistic evaluations is useful to verify the safety level of the vessel, to highlight areas on which research effort is still needed, to estimate the safety improvement due to further provisions such as an increase of the in-service inspections, changes in design, material and operating conditions, etc. The following describes the method and the results of the most accurate work on this subject: the Marshall Report (UKAEA, 1982). The probability of a catastrophic rupture is determined by the probability associated to: presence of cracks in the original component; detection of them during the pre-operational and in-service inspections; growth of cracks in service; toughness of the material measured by the critical stress intensity factor (see Appendix 7 on Fracture Mechanics); stresses from normal operation; transients; and accidents. Concerning the original presence of cracks, it has to be said that their generation mechanisms are not all well understood. Generally they occur in welds. Concerning their shape, obviously the field of the various possibilities is infinite and therefore, for quantitative evaluations, it is necessary to apply simple conservative assumptions. Usually it is assumed that the cracks are semi-elliptical and superficial, with a depth a.
The length 2c of the crack is assumed as a fixed multiplier of its depth (typically a/2c = 1/6). The initial distribution of cracks is given as:
$$ N_o(a) = A(a)\,B(a), \tag{14.1} $$
where A(a) [n/(mm m³)] is the distribution function of the fabrication cracks of length ranging from a to (a + da) and B(a) is their probability of non-detection in the pre-service inspection. The current estimates of the total of cracks present after fabrication range from 0.4 to 40 cracks per cubic metre of weld: a figure of about 4 is however certainly conservative even in the light of most recent data. The uncertainty is therefore of one order of magnitude. As far as B(a) is concerned, in the light of the results of the PISC research program sponsored by the OECD, Figure 14-3 gives the best estimate values of the detection probabilities (= 1 − B(a)) using the ASME XI procedure (PISC). As an example, for a 20 mm deep crack, its detection probability is roughly 25 per cent. Usually the assumption is made that the same non-detection probabilities hold for the in-service inspections too. The critical stress intensity factor, KIC, has, in the light of the many available tests, a unimodal Gaussian distribution. The variation of this parameter with time has to be considered (e.g. as an effect of neutron irradiation).
Figure 14-3. Detection probability of a crack of given depth. Axes: detection probability (0 to 1) against crack depth Δz (mm).
The crack growth rate is given by:
$$ \frac{da}{dN} = C\,(\Delta K_I)^n, \tag{14.2} $$
where N indicates the number of stress cycles of amplitude ΔKI at the crack tip, n has values ranging from 3 to 4, and C has a log–normal distribution for each steel. The probabilities of transients and accidents are obtained from operating experience and from current estimates for probabilistic analyses, respectively. The overall evaluations of rupture probability may be performed in a rigorous, yet onerous, way by Monte Carlo methods, or, especially for sensitivity evaluations, by simplified methods. Figures 14-4 and 14-5 show the global results of these evaluations for normal and transient conditions and for serious accident conditions, respectively. The interest here is the sum of the two contributions. The data shown in the figures does not include the consideration of in-service inspections. These figures have been obtained for a surface semi-elliptical crack with a/2c = 1/6; if, with the same distribution of depth, all the cracks had been considered infinitely long, the final probabilities would have been 10 times higher. The sensitivity to the mean value and to the distribution of KIC is lower than would be thought: less than one order of magnitude for the variation from 230 to 150 MN m^(−3/2). The sensitivity of the results to the crack growth rate is strong: the growth rates assumed for the results shown in Figures 14-4 and 14-5 are intended to represent the growth rates in wet conditions and probably, on the basis of the most recent data, they are too high and could have generated excessive failure probability figures by a factor of up to 100. The contribution to the failure probability of the vessel is principally due to the nozzle area and to the vessel bottom as well as to the middle zone corresponding to the core position. If the in-service inspection programme had been considered, significant reductions in the calculated failure probability would have been obtained (up to two orders of magnitude), depending on the inspection intervals and extension as well as on the value of B(a) considered applicable to the same inspections. The above described procedure can also be applied to non-nuclear vessels and a comparison can be made with the statistics of the cracks detected in them: in this way a correspondence will be obtained as, for non-nuclear vessels, the breaks detected decrease with the service life while these procedures lead to an increase of the failure probability with time. This apparent discrepancy can be explained by the fact that in-service inspections are not considered for nuclear vessels.
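The procedure described above (cracks that escape the pre-service inspection, growth by the law of equation 14.2, failure when the stress intensity reaches KIC, optional in-service inspections) can be followed in a Monte Carlo calculation. This is an added example, not the Marshall Report's model or the book's; every distribution and stress marked as an assumption in the code is invented and deliberately pessimistic, and the Poisson treatment of the number of cracks is also an assumption, so the output is not a vessel failure rate.

```python
import math
import random

# Values stated on the page
PARIS_N = 3.5             # exponent n, between 3 and 4
KIC_MEAN = 230.0          # MN m^-3/2
CRACKS_PER_M3 = 4.0       # conservative crack density in weld metal

# Assumptions for this example only, exaggerated so that failures show up in
# a small sample; they are not vessel data.
KIC_SD = 30.0             # MN m^-3/2
Y = 1.0                   # constant shape factor in K = Y * sigma * sqrt(pi * a)
MEAN_DEPTH_M = 0.006      # mean of an exponential fabrication depth law A(a)
C_MEDIAN = 2.0e-11        # growth constant C, m per cycle per (MN m^-3/2)^n
C_SIGMA = 0.8             # log-normal spread of C
DSIGMA = 150.0            # MN m^-2, cyclic stress range
SIGMA_PEAK = 400.0        # MN m^-2, stress in the limiting transient
CYCLES_PER_YEAR = 20.0
WELD_VOLUME_M3 = 1.0

P = 1.0 - PARIS_N / 2.0   # exponent left after integrating the growth law
GROWTH = (Y * DSIGMA * math.sqrt(math.pi)) ** PARIS_N


def detection_probability(depth_m):
    """1 - B(a): exponential curve through the one point quoted on the page,
    25 per cent for a 20 mm deep crack (the curve shape is assumed)."""
    return 1.0 - math.exp(-depth_m * math.log(4.0 / 3.0) / 0.020)


def depth_after(a0, c, cycles):
    """Closed-form integral of da/dN = C * (Y * DSIGMA * sqrt(pi * a))**n."""
    rhs = a0 ** P + P * c * GROWTH * cycles
    return math.inf if rhs <= 0.0 else rhs ** (1.0 / P)


def years_to_failure(a0, c, kic):
    """Years until K at SIGMA_PEAK reaches K_IC (depth reaches a_crit)."""
    a_crit = (max(kic, 0.0) / (Y * SIGMA_PEAK)) ** 2 / math.pi
    if a_crit <= a0:
        return 0.0
    return (a_crit ** P - a0 ** P) / (P * c * GROWTH) / CYCLES_PER_YEAR


def failure_curve(n_cracks, years, kic_mean=KIC_MEAN, inspect_every=None, seed=1):
    """Cumulative vessel failure probability at the end of each year."""
    base, insp = random.Random(seed), random.Random(seed + 1)
    failed_in = [0] * (years + 1)
    for _ in range(n_cracks):
        a0 = max(base.expovariate(1.0 / MEAN_DEPTH_M), 1e-6)
        missed = base.random() >= detection_probability(a0)   # B(a), pre-service
        c = C_MEDIAN * math.exp(C_SIGMA * base.gauss(0.0, 1.0))
        kic = base.gauss(kic_mean, KIC_SD)
        if not missed:
            continue                      # found and repaired before service
        t_fail = years_to_failure(a0, c, kic)
        t = inspect_every
        while inspect_every and t < t_fail and t <= years:
            depth = depth_after(a0, c, t * CYCLES_PER_YEAR)
            if insp.random() < detection_probability(depth):
                t_fail = math.inf         # found in service and repaired
                break
            t += inspect_every
        if t_fail <= years:
            failed_in[math.ceil(t_fail)] += 1
    # Number of cracks per vessel taken as Poisson (assumption), so the chance
    # of at least one failing crack is 1 - exp(-mean * fraction failing).
    mean_cracks = CRACKS_PER_M3 * WELD_VOLUME_M3
    curve, total = [], 0
    for count in failed_in:
        total += count
        curve.append(1.0 - math.exp(-mean_cracks * total / n_cracks))
    return curve


if __name__ == "__main__":
    for label, kwargs in (("no in-service inspection", {}),
                          ("inspection every 10 years", {"inspect_every": 10}),
                          ("KIC mean 150", {"kic_mean": 150.0})):
        curve = failure_curve(20000, 40, **kwargs)
        print(label, [round(curve[y], 4) for y in (10, 20, 30, 40)])
```

Because the three runs share the same random draws for crack depth, growth constant and toughness, the differences between their curves come only from the inspection programme or the shift in mean KIC.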
Figure 14-4. Failure probability for nuclear vessels in normal or transient conditions. Axes: failure probability per vessel year against time (years); curves: high estimate and low estimate.
Figure 14-5. Failure probability for nuclear vessels in serious accidents. Axes: failure probability per vessel year against time (years); curves: high estimate and low estimate.
Severe accident conditions
It is practically impossible to perform a probabilistic treatment of the vessel failure in severe accidents, that is where there is major damage and core melt, because of a lack of sufficient data on the phenomena and on their probabilities. In the following, both experience data (from the Three Mile Island accident) and deterministic considerations justified by the existing knowledge are shown. At least a picture of the important factors for the decrease of the vessel damage probability and indications on the still necessary research will be obtained. In particular, the importance of the prevention of severe accidents will be clearly demonstrated.
14-1-4. Vessel material embrittlement due to neutron irradiation

This is one of the major safety concerns for the pressure vessel of PWR reactors and, therefore, for the safety of the reactors themselves. For boiling water reactors this problem is smaller because of the lower neutron flux on the vessel walls, which is a typical characteristic of this type of plant, principally due to dimensional factors (the design pressure of BWRs is roughly one half of that of PWRs and the core is larger due to the presence of voids). For PWRs, the integrated fast neutron flux of interest (>0.5 MeV) expected at end-of-life is almost always a multiple of 10¹⁹ neutrons cm⁻², while for BWRs it is a multiple of 10¹⁸ neutrons cm⁻². It is known that the neutron irradiation causes, in the carbon steels used for vessels, an increase of the transition temperature between the brittle and the ductile behaviour of the steel (RTNDT, Reference Temperature for Non-Ductility Transition). This temperature is typically 10 °C at start-of-life and, with increasing irradiation, may increase by many tens of degrees in the course of years. It is obvious that below the transition temperature a crack which reaches a super-critical size may propagate and cause the brittle and catastrophic rupture of the vessel and, moreover, the stresses for which a crack becomes critical are lower. As the vessel must not break, the importance of the control of the embrittlement of the material during the plant life can be easily understood. One of the fundamental safety assumptions of water reactors, in fact, is that the break of the vessel is made impossible by design, construction and operation provisions. It must be remembered that an explosion of the vessel might break all the four barriers against the external releases of radioactive products at the same time (see Chapter 9).
Other vessels located in the containment, such as the pressurizer and the steam generators, might also potentially damage various barriers at the same time, but this probability is intrinsically lower than that of the reactor vessel as they are more distant from the core (it can be lowered by provisions concerning the strength of the structures and because they are not exposed to neutron damage and can more easily be inspected during service). The embrittlement of the vessel material is mainly due to the fast flux integrated during the service life (the ‘fluence’, in neutrons per square centimetre), the amount of impurities (Cu, P and Ni in particular) and the irradiation temperature. The fast flux which may generate the maximum damage is >0.1 MeV, although in practice >0.5 MeV (Russia and Eastern Europe) or >1 MeV (according to the practice in other countries) are used because of the lower uncertainty in its measurement. It is now believed (EUR, 1996a, 1996b, 1997) that, in future, importance should be given to other parameters too, such as the initial microstructure (initial transition temperature), the interstitial elements (carbon, nitrogen) and the synergy between the various impurities present. In fact, the large dispersion in the results of measurements of transition temperature on irradiated materials indicates that not all the relevant parameters have been detected and controlled. Sometimes, low importance is erroneously given to the irradiation temperature, as usually reference is made to PWR vessels which are operated essentially at the same (high) temperature. For different cases, however, the fact that the embrittlement effect is much stronger at lower temperatures must be taken into account (e.g. for a typical steel and for a fluence of 1 × 10¹⁹ n cm⁻², the increment of RTNDT is 50 °C for an irradiation temperature of 315 °C and 161 °C for an irradiation temperature of 232 °C (EUR, 1996a)).
The practical consequence of this fact is that structural parts which, although exposed to a lower neutron flux than that on the vessel wall in the active core region, are irradiated at lower temperatures (e.g. external supports of the vessel) also need to be controlled. The problem of the vessel embrittlement is the subject of great attention both during the design and during operation. In the design phase, usually, the embrittlement during the service life is forecast by the use of empirical formulae (EUR, 1996a) based on specimens irradiated in test reactors or on the result of surveillance programmes of the irradiation effect in power reactors. For the various evaluations of fracture mechanics, empirical values of KIC and of KIa for the material of interest are used, as a function of (T − RTNDT). Various design provisions for the reduction of the integrated flux at end of life exist, among which the following can be quoted: neutron shields around the core, the equivalent use of dummy elements at the core periphery or refuelling cycles which minimize fast neutron leakages (‘low leakage fuel cycles’). No general agreement among designers exists on the maximum end-of-life fluence which can be accepted: some designers specify up to 6 × 10¹⁹ n cm⁻² at end of life, while other practices (Germany, Italy) specify a limit of 1 × 10¹⁹ n cm⁻². Obviously, if the real embrittlement during the life were excessive, costly provisions should be adopted. The most drastic one is the one applied to various East Europe reactors, that is the in-place annealing of the vessel at temperatures of the order of 470 °C for several (e.g. 7) days, which restores the desired toughness characteristics of the material. Another provision adopted is the heating up of the emergency injection water for systems which are initiated first when needed (e.g. heating the pressure accumulator water to 60–80 °C). As already said, the uncertainties in forecasting embrittlement are still high. It is necessary to recommend a cautious attitude to designers and the adoption of an end-of-life fluence as close as possible to 1 × 10¹⁹ n cm⁻². It must be added that some situations which favour the loss of toughness with passing time are not easily measured during operation. For example, even if the maximum Ni content in base metal and welds is specified to less than 1 per cent, it cannot be avoided that the Ni percentage in the vessel material adjacent to the stainless steel liner reaches values up to 4–5 per cent.
As far as provisions affecting both the design and the operation are concerned, the most relevant one is the experimental programme for the measurement of neutron embrittlement. This programme should offer a good indication of the state of the material in the areas of interest (base metal, welds, heat-affected zones) well ahead of time; that is, the specimens must be located where the neutron flux is somewhat higher than on the material of interest in the vessel. Other recommendations are listed in Section 14-1-8.
14-1-5. Pressurized thermal shock

The pressurized thermal shock (PTS) problem has been under scrutiny by safety specialists for a long time. In practice, in case of accident (e.g. a LOCA), a rapid cooling of the primary water (and therefore of the vessel wall) takes place, either because of the depressurization following the accident or because of the emergency cold water injection. Under these conditions, the presence of cracks in some areas of the vessel (e.g. near the inlet nozzles of the vessel itself), combined with inadequate ductility of the material, might create critical situations from the structural point of view (unstable crack propagation). The study of this phenomenon has entailed the in-depth examination of thermal–hydraulic aspects (vortices in the vessel and the mixing of injected water with existing water) and of aspects of fracture mechanics (crack instability, ‘warm pre-stressing’ effects, etc.). This issue was addressed in the USA with the issuance of a specific rule (Fed Reg, 1983) which requires an accurate analysis of the situation and improvement provisions (reduction of the neutron flux, and so on) in cases where it is envisaged to exceed, during the plant life, a specific value of the Reference Temperature (RTPTS) in the material, defined by the rule itself.
14-1-6. The reactor pressure vessel of Three Mile Island 2

It took ten years to understand the conditions in the damaged TMI core through a considerable international investment. The research programme, the TMI Vessel Investigation Program (VIP), lasted five years and cost $9 m, with contributions from ten countries besides the USA. A first conclusion on the condition of the vessel concerned the presence of a hot, almost circular, zone of about 1 m in diameter where the maximum temperature had reached 1373 K (1100 °C) on the inside surface; outside this zone the temperatures were lower than 1000 K (727 °C) (transition from the ferritic structure to the austenitic one). Cracks and cavities were found in the stainless steel liner of the bottom head, 0.5 cm thick, around three instrumentation nozzles; however, the cracks had only slightly penetrated the underlying 14 cm of base metal. The cracks have been attributed to the differential thermal expansion between liner and base metal during the vessel cooling, which generated tension in the liner. The nozzles in the bottom had been damaged; some of them were intact and some had been completely melted and removed. The distribution of the damaged and undamaged nozzles indicated the presence of a debris bed on the bottom which had protected them and the vessel bottom from the molten mass. It can also be concluded, although without absolute certainty, that the hot zone was due to a thinner layer of this debris (bed or crust). Evaluations of the possibility that the hot zone was due to the impact of molten jets proved negative. The hot zone was due to the permanence for at least 30 minutes of a strong heat source (molten fuel mass) bringing the wall to 1373 K (1100 °C): the molten jets may have lasted only 2 minutes. Concerning the rupture modes of the vessel (which was one of the issues in the VIP programme), it has been possible to exclude a rupture in the instrumentation tubes: the formation of crusts and the favourable situation of thermal dispersion prevent the creation of holes corresponding with the instrumentation tubes. It has not been possible to determine the margins against a global rupture of the vessel, and it has been only possible to conclude that the hot zone alone could not constitute a critical situation from this point of view: it would also have been necessary for a large surrounding zone of the vessel wall to be at higher temperatures.
On the contrary, outside the hot zone the temperature stayed well below 1000 K (727 °C) and gradually reached the saturation temperature of the water in the external and higher wet zones. A very important factor in determining the possible interaction between molten masses and the vessel bottom is that the cooling of the molten mass was also due to convection from the upper part of the vessel and to conduction towards the vessel wall in the lower part. It is thought that water had infiltrated between the crust and the metal wall or via cracks in the crust and had caused the further cooling necessary to explain the relatively small dimensions of the hot zone. The results of the VIP programme confirm the importance of proper severe accident management, as the presence of a small amount of water may be decisive. The availability of a voluntary depressurization of the primary system is also essential, as it removes the possibility of many scenarios of vessel rupture. The programme also confirmed the need to actively continue studies and research on the external cooling of the pressure vessel in case of severe accident.
14-1-7. General perspective on the effect of severe accidents on the pressure vessel

Besides the phenomena already described with reference to the TMI accident, the possible interactions between a molten core and the pressure vessel concern the interactions with the water present on the bottom and the possibility of a steam explosion (which did not occur at TMI). The experimental data available and analytical methods are not yet capable of giving a conclusive demonstration of the non-destructive character of a steam explosion within a pressure vessel, but all the evaluations indicate that this phenomenon is not possible. The thermal energy potentially contained in 1 kg of molten core is equal to 1 MJ and therefore the maximum potential accident, taking into account the weight of the core (close to 100 t), could release an enormous amount of energy. Various factors however exist which can be relied on for a substantial reduction of the severity of a realistic event. First of all, the amount of molten material which could be involved in an explosive event before being cooled (1–2 s) is limited by the mass flow rate of the possible pouring from the core. If it is supposed that, as in TMI, the melt falls into the water through the lateral core bypass, then the flow area is of the order of 0.01 m² and the flow rate is lower than 1 t s⁻¹. If the fall occurs through the fuel elements the estimated flow area is about 0.1 m², with a velocity of the order of 5 m s⁻¹ and a flow rate of about 5 t s⁻¹.

Other factors that emerged from the experimental tests are:

• Jets of 100 mm diameter may penetrate the water layer and reach the bottom. The penetration length increases with the decrease of the jet diameter; below a certain diameter, however, the atomization regime is entered with a decrease in the penetration distance but with a higher explosion potential. The dimensions of the particles resulting from the dispersion are 2–10 mm (4 mm is indicated by the calculation codes in the pre-mixing phase).
• Experiments using a mixture containing molten UO₂ have rarely shown a steam explosion.
• Explosions become gradually less likely when the pressure increases beyond a few 100 kPa.
• A low melt superheating leads to a lower danger of explosion.
• The formation of steam in the first period of the melt–water contact tends to decrease the explosion probability (‘water depletion phenomenon’).

Even if an explosion happens, it will not involve all the mass and the conversion from thermal to mechanical energy can be low for the following reasons:
• Not all the debris will be so finely subdivided to release heat in the necessary time scale.
• The molten particles tend to be blanketed by steam when the mixture expands and to exchange less energy with water.
• The dishomogeneity in the steam content of the mixture leads to dissipation of the shock wave travelling from high pressure to low pressure zones.
• The mixture may not be ‘well pressed’ so if a large quantity of steam has been generated in the pre-mixing phase and a steam chimney exists above, then the energy of a wave can rapidly decay.
The following rough estimates can be made on the danger of serious damage to the vessel from a steam explosion. It is supposed that not more than 2 per cent of the molten mass participates in the explosion and that the mechanical efficiency is 15 per cent (a rather high figure) so an explosion energy of about 400 MJ is obtained. On the other hand, estimates of the energy necessary to push the vessel head off (if hit by a mass of water coming from below) indicate a figure of 900 MJ for PWRs and 500–800 MJ for BWRs without taking into account the energy necessary to deform the reactor internal structures, which by itself is of the order of 1 GJ. Furthermore, if the calculation model includes the internal vessel structures as well, then the energy necessary to pull the head off turns out to be lower because the impact load is distributed on a circumference and not on its whole surface area. It has to be noted that these evaluations assume the complete integrity of the bolts connecting vessel head and body which otherwise could represent a weak point of the structural complex. Operating experience does not indicate cases of significant deterioration of this bolted joint, given the design, fabrication and periodical control precautions applied to this part of the vessel. For the break of the vessel bottom, energies of the order of 1 GJ are also calculated, even if this issue is the subject of some discussion. The problem of the cooling of debris on the vessel bottom is also actively studied. The TMI accident shows that the probability that the molten core remains contained in the vessel is rather high, even if water is introduced in the vessel in a discontinuous way. It is estimated that in a large LOCA a fair amount of water remains in the reactor vessel, typically up to the level of the lower core support plate. This is equivalent to the possibility of cooling one half of the molten core in a PWR and even more in a BWR. If it is supposed that all the core collects on the bottom as debris, it would be necessary to dissipate about 2 MW m⁻² of heat, which is possible at high pressure but not at low pressure because the ‘dryout’ flux would need to be overcome. The probability that the principal structures, including the vessel bottom, remain intact during the relocation of the fuel is high even if the debris is not significantly cooled: this is borne out by the evidence from TMI.
One of the worst scenarios that can be thought of is that of a molten pool with a separation of phases: an oxidic one containing UO₂ and a lighter metallic one. In this case, the metallic phase floats on the oxidic one and may transmit to the vessel wall an elevated thermal flux (several megawatts per square metre) which may cause its rupture if an oxide crust is not present on it. It is not known if such a configuration is a realistic one. All these phenomena are the object of research, including the RASPLAV programme, which is also strongly supported by Russia. A defence strategy recently proposed and presently under study is one which includes the voluntary flooding of the reactor cavity (already mentioned).
14-1-8. Recommendations for the prevention of hypothetical accidents generated by the pressure vessel

Since the integrity of the reactor pressure vessel is an essential safety requirement, it is useful to summarize the fundamental recommendations for the certain prevention of accidents. These recommendations concern the materials, the design, the fabrication, the inspection and the operation of the vessel.
Materials
• Mechanical properties: safety analysis, fabrication to minimize defects, adequate codes (ASME and similar), control bodies requirements, additional requirements of the system designer.
• Best quality obtainable by technology: toughness, no deterioration in service, weldability. That is: limits on alloy elements even more stringent than usual specifications (e.g. ASME) (C < 0.15–0.25% for weldability and low transition temperature); low level of impurities taking into account possible synergistic effects.
• Analysis and mechanical tests; in-service surveillance for irradiation effects; fracture toughness tests (12.5 mm compact tension specimens or thicker) for quality control of components and qualification of welding procedures; low temperature irradiation effects on external vessel supports.
• Fracture toughness specimens: every area of possible reduction of toughness due to fabrication.
• Modification of specifications: adequate investigation; adequate experience; weldability trials; toughness; resistance to neutron irradiation; strain ageing and thermal embrittlement.
• Weld procedure qualification tests for submerged arc welding of the main vessel shell and cladding: destructive tests; metallographic techniques to check that Heat Affected Zone (HAZ) reheat cracks are absent.
• The following data are necessary for any material: transition temperature; initial temperature of upper shelf; toughness at start of upper shelf and at operating temperature.
• Procedure for the evaluation of defects found in service, to be agreed upon before start of service:
  - actual crack configuration;
  - replacement of actual defect with a formal defect which may be assessed using fracture mechanics;
  - evaluation of defect using appropriate methods and sensitivity analysis to assess margins;
  - request of continuation of service justified also with reference to crack dimensions forecast for the next in-service inspection.
• Assessment of the absence of danger of stress-assisted corrosion for the water chemistry and flow rate conditions applicable.
Design

• Utility check of the adequacy of design transients.
• Vessel fracture by over-pressurization at low temperature: system provisions.
• Limitation of severity of over-cooling transients; ECCS water temperature, prevention of re-pressurization at low temperature.
• Attentive review of capacity and reliability of safety valves also for fluid conditions during an accident (water slugs, etc.).
• Verification of 2-D stress analyses by some 3-D analyses (inclined penetrations, bottom heads, etc.).
• 3-D analysis for inlet and outlet nozzles:
  - attention to LOCA;
  - cold inlet and hot outlet;
  - effect of external support blocks;
  - effect of accident blow down forces;
  - local temperature variations and heat transfer coefficients.
• Independent control of stress analyses.
• Checks on the anticipated crack growth rate.
• Assurance that the upper shelf material properties apply under all conditions of high stresses during a LOCA.
• Stress analyses also for breaks in the range of small and intermediate breaks (50–150 mm diameter).

Fabrication and inspection

• Weld procedure qualification; exact simulation of geometries, thicknesses, constraints, physical obstacles for the welder and attention to the welder’s position.
• Multilayer submerged arc strip cladding: temperature control, post-weld heat treatment in order to eliminate hydrogen (under-cladding cracks).
• Qualification of weld procedures: control that welds and HAZ have properties at least equivalent to the base material (fracture toughness at the start of upper shelf and at operation temperature).
• Delta ferrite levels currently monitored during cladding operations.
• All HAZ in the low-alloy ferritic steel heat treated after welding.
• Records of positions of repairs to welds and base metal and mechanical properties (toughness included).
• Non-destructive examinations of plates, forgings and other parts before and after cladding deposition, before and after fabrication, after hydraulic tests.
• Record of all the results of tests and important fabrication events to be taken (also video records of manual examinations and of oscilloscope traces).
• Vetting by customer and licensing authority to ensure that the components are inspected satisfactorily.
• Surveillance by customer and licensing authority at all the fabrication phases.
• Qualification of ultrasonic operators on adequate equipment.
• Acceptability and rejection levels established before fabrication begins.
• Inspection procedures: take into account limitations in ultrasonic methods; multiple methods for examinations after hydraulic test in view of future developments.
• Demonstration of the capability of the ultrasonic techniques to detect and size defects in geometries of interest.
• Take into account cladding in calibration systems for ultrasonic inspection.
• Ensure that defects in non-‘inspectable’ areas are not dangerous.
• Adequate QA is essential.
• External design, fabrication and inspection verifications do not relieve the fabricator of responsibility.
Operation
• Record of occurred transients.
• Same pre-service automatic inspection systems applied in-service except for technology advances.
• Frequency of in-service inspections based on absence of degradation due to crack growth.
• Preservation of all examination and inspection records.
14-2. Piping

14-2-1. Evolution of the regulatory positions

The assumption of a guillotine break of the largest system pipe was adopted by water reactor safety practice right from the very beginning. The safety analyses included only the thermal–hydraulic consequences of the break, that is the containment pressurization and the coolant loss from the core. Subsequently, for the sake of consistency, the mechanical consequences of the break were considered too. These were ‘pipe whip’ (i.e. the possible damage caused to components near the broken pipe by the pipe itself being transformed into a whip by the hydraulic reaction forces of the exiting fluid), the impact of the fluid jet on adjacent surfaces and the loads due to decompression waves propagating inside the broken system with the consequent generation of loads, even asymmetrical ones, on internal components such as the pressure vessel internals and the core itself. This logical completion of the safety analyses highlighted some negative consequences of having adopted the extreme assumption of the complete rupture of the largest pipe. In particular, for the protection of components from the pipe whip, many cumbersome plastic deformation restraints had to be designed and installed on the pipe runs, in order to prevent the excessive displacement of the pipes themselves. The space occupied by these restraints resulted in a further reduction of the already small space around components and made periodic inspections more difficult and more costly in terms of the doses absorbed by the operators undertaking them. Obviously, the issue also generated strong economic burdens due to the restraints themselves and to the increased heat losses from the piping caused by the presence of the restraints. This situation prompted studies on the conditions under which the sudden break of large pipes was really possible and originated the ‘Leak Before Break’ principle. It was also demonstrated that under certain conditions, it was possible to rely on the fact that the cracks present in the pipes and close to becoming ‘critical’ (i.e. in danger of catastrophic propagation) cause fluid leaks which could be detected by industrial means (see Section 2-3) before reaching a critical length. Today this principle is generally accepted and is usually applied with the following exceptions:
• to small pipes (with diameters of 10 cm or less);
• to steam pipes;
• to pipes liable to steam/water hammer;
• to some cases (each experience individually evaluated) of pipes particularly subject to degradation by fatigue or corrosion.
The exceptions apply in the first two cases because of the difficulty of detecting the leaks, and in the last two cases because of the possibility of rupture without previous significant leak. The assumption of complete and instantaneous rupture of the largest pipe continues to be preserved for the evaluation of consequences concerning pressurization and reduction of the cooling capability. This practice also gives protection from partial ruptures of large components, such as large valves, pumps and vessels.
14-2-2. Problems indicated by experience

Cracks in primary system (see USNRC, 1997a)

It is necessary to repeat here that no case of dangerous cracks or ruptures in large primary pipes has happened in more than 10 000 reactor-years of operating experience. As far as breaks in small pipes (i.e. of diameter less than 5 cm) are concerned, the operating experience (USNRC-OAEOD, 1998) indicates a probability of 0.01 breaks per reactor-year, to be compared with the figures adopted in Probabilistic Safety Analyses which range between 0.001 and 0.01 breaks per reactor-year. The incidences of cracks in small pipes are associated with the following phenomena:
• Thermal fatigue, caused also by defective closure of isolation valves and by consequent seepage of a fluid at different temperatures within the pipes. A well-studied case was that which occurred at the Oconee power station in the USA in 1997 where a leak greater than 4 l min⁻¹ developed from a fluid make-up and high pressure injection into a primary pipe, because of a loose ‘thermal sleeve’ which no longer adequately protected the junction between the small and the large pipe from cyclic temperature variations. The leak was revealed and therefore this is a case of ‘leak before break’ even for a small pipe (a case excluded, as already mentioned, by the conservative assumptions usually adopted). The repair consisted in the installation of a thermal sleeve of a more adequate design.
• Mechanical vibration fatigue, occurring in small pipes and in ‘socket welds’ (Fig. 14-6). In this type of weld, some stress concentration points are inevitably caused by unwanted but real notches, which are particularly prone to initiate and propagate fatigue cracks. The presence of pressure pulses due to pumps or due to ‘cavitation’ phenomena with rapid evaporation (‘flashing’) tends to enhance this tendency. Some real-life cases are:
  - Cracks in suction or discharge lines (10 cm) of a charging positive displacement pump in the Diablo Canyon 1 power station (1990), due either to excessive acceleration of the suction or to defective operation of the pressure peak damping chambers or bellows in the discharge side.
  - Cracks due to ‘cavitation’ on the letdown line from the primary system due to intermittent operation of a regenerative heat exchanger (McGuire, 1988).
[Diagram labels: equivalent notches and stress concentration points; weld; crack; crack initiated at toe.]
Figure 14-6. Typical crack in a fillet weld.
• Cracks due to stress-assisted corrosion (ISCC). Many events of this type have happened in BWRs due to their more uncontrollable water chemistry (excessive oxygen content). However, in PWRs, too, some tens of events have happened (e.g. in the Fort Calhoun power station in 1990, the phenomenon was due to oxygen accumulation in a control rod thimble pipe).
• Cracks due to the malfunction of compression fittings. These fittings are often used on small pipes (maximum 2.5 cm diameter) and especially in instrumentation pipes. (In 1991, at Oconee, a rupture happened with leaks of up to 300 l min⁻¹.)
Leaks and breaks in the secondary circuit

Unlike in the primary system, both breaks of small pipes and of large pipes have happened in the secondary system of PWRs (USNRC, 1997b). Numerous cracks have occurred at the inlet of feedwater pipes in the steam generator. A phenomenon responsible for these cracks (tens of cases) has been thermal fatigue due to the start-up of the non-preheated auxiliary feed-water, during the plant start-up or hot shutdown. Also connected with the auxiliary feed-water, cases of water hammer in the steam generator have happened, due to the stoppage for some time of the feed-water and to its subsequent restart (more than thirty events). In all these cases the solution has been found in a different design of the mechanical details (thermal sleeves, water hammer relief valves, etc.). However, the most catastrophic cases to have happened are two cases caused by a break of a main feed-water pipe with corrosion accelerated by water flow. These happened in the Trojan power station in 1985 (368 mm pipe) and in the Surry 2 power station in 1986 (460 mm elbow). In both cases, ferritic steel with low chromium content was involved, with low oxygen water which favours the formation of magnetite (Fe₃O₄), which is not very hard and more easily attacked by the formation of soluble ferrous ions in an unfavourable water pH (<8.5 or >11). In the case of Surry 2, four casualties were caused by the explosion. The subsequent modifications included the use of steel with 2.5 per cent chromium, the set up of a regular control of the pH and an intensification of periodic inspections.
14-2-3. Leak detection in water reactors

Requirements

An example of the requirements for detection systems is the one represented by the NRC Regulatory Guide 1.45, which is also adopted in many other countries. The principal requirements of the guide are summarized in the following. First of all it is required that identified leaks and non-identified leaks must be distinguished. For the latter, the admissible limit is 3.8 l min⁻¹ (1 US gal min⁻¹). Then, at least three separated detection systems must be available; two systems out of the three have to be chosen among the following ones: sump level measurement, flow rates measurement and radioactivity level in air. Each system must comply with the sensitivity limit of 3.8 l min⁻¹ in one hour. These systems must be designed to resist earthquakes and their instrumentation must be located in the control room.
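The sump-level check that these requirements imply, as an added example that is not taken from the book or from the guide: it fits a slope to sump level readings over a sliding one-hour window, subtracts the identified leakage and reports the first time the non-identified rate exceeds 3.8 l min⁻¹. The sump area, sampling interval, identified-leakage figure, least-squares estimator and the readings themselves are assumptions constructed for illustration, and the record is assumed to contain no sump purge.

```python
"""Non-identified leakage check from sump level readings (added example)."""
from dataclasses import dataclass
from typing import List, Optional

LIMIT_L_PER_MIN = 3.8   # admissible non-identified leakage quoted in the text
WINDOW_MIN = 60.0       # the limit must be detectable within one hour
MIN_POINTS = 3          # assumption: fewest readings accepted for a slope fit


@dataclass(frozen=True)
class Reading:
    t_min: float     # minutes since the start of the record
    level_mm: float  # sump level


def inflow_l_per_min(window: List[Reading], sump_area_m2: float) -> float:
    """Least-squares slope of level against time, converted to litres per minute.

    A rise of 1 mm over 1 m^2 of sump area is 1 litre, so
    slope [mm/min] * area [m^2] = inflow [l/min].
    """
    n = len(window)
    if n < 2:
        raise ValueError("need at least two readings")
    t_mean = sum(r.t_min for r in window) / n
    h_mean = sum(r.level_mm for r in window) / n
    sxx = sum((r.t_min - t_mean) ** 2 for r in window)
    if sxx == 0:
        raise ValueError("readings share one timestamp")
    sxy = sum((r.t_min - t_mean) * (r.level_mm - h_mean) for r in window)
    return (sxy / sxx) * sump_area_m2


def first_alarm(readings: List[Reading], sump_area_m2: float,
                identified_l_per_min: float) -> Optional[float]:
    """Time (min) of the first reading at which the non-identified rate,
    estimated over the preceding hour, exceeds the limit; None if it never does."""
    for i, now in enumerate(readings):
        window = [r for r in readings[: i + 1]
                  if now.t_min - r.t_min <= WINDOW_MIN]
        if len(window) < MIN_POINTS:
            continue
        total = inflow_l_per_min(window, sump_area_m2)
        if total - identified_l_per_min > LIMIT_L_PER_MIN:
            return now.t_min
    return None


def constructed_record(leak_start_min: float, unidentified_l_per_min: float,
                       sump_area_m2: float, identified_l_per_min: float,
                       duration_min: int = 180, step_min: int = 5) -> List[Reading]:
    """Constructed readings: steady identified leakage, plus a non-identified
    leak of constant rate that begins at leak_start_min."""
    record = []
    for t in range(0, duration_min + 1, step_min):
        litres = identified_l_per_min * t
        litres += unidentified_l_per_min * max(0.0, t - leak_start_min)
        record.append(Reading(float(t), litres / sump_area_m2))
    return record


if __name__ == "__main__":
    AREA_M2, IDENTIFIED = 2.0, 1.0  # assumed sump area and identified leakage
    for label, rate in (("no leak", 0.0), ("2.0 l/min", 2.0), ("5.0 l/min", 5.0)):
        rec = constructed_record(60.0, rate, AREA_M2, IDENTIFIED)
        print(label, "-> first alarm at", first_alarm(rec, AREA_M2, IDENTIFIED))
```

Because the window averages readings taken before and after the leak starts, the alarm lags the onset; the lag shrinks as the leak rate rises above the limit.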
Systems currently used

The most commonly used systems are the following, with their corresponding sensitivities:

• Monitoring of radioactive particulates in air, by which a 0.38 l min⁻¹ (0.1 USgal min⁻¹) leak can be detected in less than 10 minutes.
• Monitoring of radioactive gases: 7.6 l min⁻¹ (2 USgal min⁻¹) in 40 minutes.
• Monitoring of the condensate in the containment air coolers: 3.8 l min⁻¹ (1 USgal min⁻¹) in 1 hour.
• Sump level and corresponding purging flow rate: 3.8 l min⁻¹ (1 USgal min⁻¹) in 10–20 minutes, except for the effect of absorption of the leaks in pipe insulation layers or the effect of wrong slopes of some floor in the containment.
• Estimate of the primary water inventory: sensitivity lower than 3.8 l min⁻¹ (1 USgal min⁻¹) in 1 hour.
• Humidity sensors in the form of ribbons located on pipes: method prone to many malfunctions and bypass paths.
• Temperature sensors on the relief lines: in the TMI accident they didn’t operate well, but the reason was the bad operating practice.
• Visual inspection: it is always very effective, even if its sensitivity is variable and cannot be generalized.
Other more advanced systems are also available. The principal ones in this category are the following:
• Sensors based on detection of the ¹³N isotope. This was initially adopted at the Bugey power station in France, where the problem of cracks in the control rod housings had indicated the need for a high sensitivity system. It is now installed in 25 French power stations; its sensitivity is 0.0038 l min⁻¹ (0.001 USgal min⁻¹) in 1 hour.
• Systems based on acoustic emissions. About 150 sensors are necessary for the pipes of the primary system at an average distance of 1 metre from each other. They are installed in various plants in the USA.
• Local humidity monitoring. This is a proprietary system used at the Bohunice power station in Slovakia. The operation principle is based on the presence of a porous tube along the whole extent of the pipe to be examined. Dry air is periodically pumped through the tube and monitored at its arrival point. The presence of humidity indicates a leak and the arrival time of the humidity can be correlated with the distance to the leak. The sensitivity is roughly 0.095 l min⁻¹ (0.025 USgal min⁻¹) and the precision in the estimate of the distance is about 1 per cent.
14-2-4. Research programmes on piping

The most complete research programme on structural (that is, non-chemical) aspects of piping integrity, both in normal operation conditions and during accidents, has been the International Piping Integrity Research Group (IPIRG) programme undertaken between 1986 and 1992 at the Battelle Memorial Institute, Columbus (Ohio). In two phases, with a large international participation, the overall cost of the programme was about US$25 million. The programme was undertaken using large size pipes. Seismic excitation was also simulated. The principal conclusions of the programme were:
• The calculations used to evaluate dynamic stresses are usually conservative (by a factor of up to 5) because of the conservatism in the evaluation of damping and of plasticity in pipes.
• The secondary stresses are important and may behave as primary stresses in cases of low plasticity.
• The residual stresses are important factors of fatigue crack growth and of evaluations of ‘leak before break’. They are less important for the evaluation of failure danger.
• The time history of a dynamic load is important if a plasticity effect exists.
• Generally the calculations of fracture mechanics model the pipe as not constrained. The effect of real constraints reduces the losses of fluid from a crack and reduces the loads on the crack itself. These effects are opposed to each other and do not have a big effect on large pipes. For small pipes, however, they may lead to overestimates by factors close to 10 of the maximum failure load.
• Dynamic and thermal ageing phenomena may embrittle both ferritic and austenitic steels.
• The presence of sulphur in austenitic steels (even below the limits specified by ASME and ASTM standards) may cause a brittle behaviour of the material.
• Experimental data on elbows and T-shaped joints are still scarce.
• The limits for fabrication cracks by ASME are not always conservative.
• The IPIRG programme gives data on the crack growth rate for an unstable crack, which is important for the consequent dynamic effects (opening times of up to 50 ms have been measured).
The Battelle Institute and NRC have collected all the data and the results on the pipe stability in a series of five CD-ROMs entitled Pipe Fracture Encyclopedia, US Nuclear Regulatory Commission, Washington DC, 20555.
14-3. Valves

14-3-1. General remarks

This book is obviously concerned with nuclear power plants; however, except for the aspects concerning the presence of radioactivity, the indications coming from operating experience are similar both for nuclear plants and for fossil-fuelled plants. Therefore, the indications and the suggestions from the latter are applicable to the nuclear power industry. There are many hundreds of important safety valves installed in a nuclear plant. Although they are components common to all process plants, the peculiar needs concerning perfect leak proofing, big sizes, quickness of action and high reliability demanded by nuclear plants make this component a particularly difficult one to build and maintain in compliance with regulations. As an example, the leak-proof specifications of some valves for nuclear plants were considered by many manufacturers, at the start of this industry, ‘beyond the possibility of human technology’. Obviously, system provisions do exist which may alleviate the task of the valves, such as redundancy and diversity incorporated in the design; however, even if these are considered, a valve remains one of the most critical components in a plant.
14-3-2. Some data from operating experience

In September 1977, a PWR at the Davis Besse power station in the USA was operating at low power (263 MWt, roughly 9 per cent of nominal power) and with a very low content of fission products in the core when almost all the steam generators’ feedwater was lost due to a series of electrical and mechanical malfunctions. Even though one of the two steam driven auxiliary pumps intervened (the other one did not succeed in reaching nominal conditions because its speed regulator had seized), a transient increase of primary temperature and pressure started and the electromatic pressurizer valve opened as designed. However, instead of letting the pressure decrease down to 15.5 MPa before reclosing, it performed nine opening-closing cycles around its operation value (15.7 MPa) and finally stuck in the open position.
Coolant was then continuously lost to the condensation tank and the pressurizer level increased (water entrained towards the pressurizer because of the presence of an opening in its upper part and because of other thermodynamic reasons). The operator, at 1 min 47 s from the start of the accident (T = 1:47), shut down the reactor, but the pressure limit for actuation of emergency coolant injection was nevertheless reached (T = 2:51). The condensation tank filled up and its rupture disc blew off at T = 6, releasing more than 40 m³ of water into the containment. At T = 6:14, the operators stopped the high pressure injection pumps, saturation pressure was reached in the primary with the production of steam (T = 8), the level indicator of the pressurizer went off scale and one recirculation pump in each branch of the primary cooling was stopped in order to decrease the heat supplied to the system. At T = 16, the operators manually took control of the feed-water pump which had not automatically reached the nominal operation speed. Subsequently (T = 21) they became aware that the electromatic valve had remained open and they closed the corresponding block valve on the same line, so terminating the loss of coolant. The system was then brought to cold shutdown conditions in a regular way.

The causes of the stuck open electromatic valve had been the lack of a confirmation relay in its closure control circuit, the wrong setting in the stroke of its pilot valve and too small tolerances between its stem and the corresponding guide. The behaviour of the operators was judged correct and timely. No core damage or radioactivity releases outside the containment took place. Also the containment atmosphere remained clean other than for contaminated dust found on the floor in various zones of the containment affected by the water and steam spill from the condensation tank.
Almost two years afterwards, another plant of the same type had a very similar accident except for the fact that the operators, through a combination of management mistakes and of unfavourable circumstances, realized that the electromatic valve had remained stuck open only after two hours and 22 minutes. At this time they closed the block valve on the line, so terminating the loss of coolant. It was, however, too late and the plant was already doomed. The core was already damaged, the operators were no longer in an optimal psychological condition and the situation continued to deteriorate until it was put under control again after 16 hours from the start of the accident. This was the Three Mile Island 2 accident, which was responsible for a complete change of mindset in all those concerned with nuclear plant safety, in particular on the side of designers and of operators. Luckily, the external radioactivity releases were negligible by virtue of the Defence in Depth incorporated in Western plants and in particular by the presence of the containment. As we know, the core was completely destroyed.

Again at Davis Besse, on 9 June 1985, a complete loss of normal and auxiliary feed-water occurred. During that event, some motor-operated valves provided with torque limiters in the auxiliary feedwater line could not be re-opened after having been inadvertently closed. It was determined afterwards that the bypass circuit of the torque switch had not been set to stay closed for a time sufficient to allow the opening of the valve in conditions of high differential pressure.

In addition to this opening failure, the failed closure of the motor-operated valves also became a problem after a valve in the auxiliary feed-water system in the US Catawba 2 plant didn’t succeed in closing completely against an elevated differential pressure (14 March 1988). The reactor was shut down and no consequences ensued except for the overfilling of a steam generator. It was determined that the cause had been an underestimate of the friction coefficient between discs and seats of the valve by the valve fabricator.

In unit 3 of another US plant, at Millstone, on 17 February 1989, the safety injection system was erroneously actuated with the reactor shut down and depressurized.
A motor-operated valve opened but its electrical operator didn’t succeed in closing it (it was closed manually later) against the forces caused by the full flow in the line. It was later determined that the torque limiter had erroneously been actuated, although its setting was the prescribed one. The method for the determination of the intervention level of the torque limiter had been demonstrated to be inadequate.

Another type of inadequacy demonstrated by operating experience, this time concerning the in-service seismic qualification tests of components, happened in June 1993 at the Cooper plant in Nebraska. During performance tests of torque limiters used in valves of the suppression chamber ventilation and in the RHR system, it was discovered that in cases of strong dynamic shaking (as could happen in a large or intermediate LOCA), a decoupling mechanism between a valve and a motor could be accidentally opened. In this situation, the affected valves could not have been actuated until the dynamic load had decreased in intensity, so delaying the actuation, possibly for a considerable time (up to 15 minutes).

The amount of data made available by the various systems for the collection and distribution of operating experience in the nuclear field (NPRDS and Licensee Event Reports (LER) in the USA, and IRS and the IAEA on a worldwide basis) is impressive. It is sufficient to consider that the events collected by the LER system for the motor-operated valves are about 100 per year. From the evidence obtained, compendiums have been prepared that include recommendations and requirements as summarized in Section 14-3-4 below and taken from MPR (1976), USNRC (1989) and supplements and from NUREG-1352 (1990).
14-3-3. The most commonly used types of valve

Some frequently used valves are listed below. A description of each of them can be found in specialized publications and handbooks.

• simple (globe) valve
• gate valve
• cock valve
• butterfly valve
• non-return valve
• stop-check valve
• electromatic valve
• pneumatic valve
• motor-operated valve
• safety valve
• pilot operated valve.
14-3-4. Types of valve: critical areas, design and operation

An annex to NRC Generic Letter 89-10 (USNRC 1989) lists the most common deficiencies of motor valves. Many of them apply to air-operated valves and non-return valves too, and are as follows:

• incorrect torque switch bypass settings
• incorrect torque switch settings
• unbalanced torque switch
• spring pack gap or incorrect spring pack preload
• incorrect stem packing tightness
• excessive inertia
• loose or tight stem-nut locknut
• incorrect limit switch settings
• stem wear
• bent or broken stem
• worn or broken gears
• grease problems (hardening, migration into spring pack, lack of grease, excessive grease, contamination, non-specified grease)
• motor insulation or rotor degradation
• incorrect wire size or degraded wiring
• disc/seat binding (includes thermal binding)
• water in internal parts or deterioration due to this
• undersized motor (for degraded voltage conditions or other conditions)
• incorrect valve position indication
• maladjustment or failure of handwheel declutch mechanism
• relay problems (incorrect relays, dirt in relays, deteriorated relays, wrongly wired relays)
• incorrect thermal overload switch settings
• worn or broken bearings
• broken or cracked limit switch and torque switch components
• missing or modified torque switch limiter plate
• improperly sized actuators
• hydraulic lockup
• incorrect metallic materials for gears, keys, bolts, shafts, etc.
• degraded voltage (within design basis)
• defective motor control logic
• excessive seating or back-seating force application
• incorrect reassembly or adjustment after maintenance and/or testing
• unauthorized modifications or adjustments
• torque switch or limit switch binding.
Specific malfunctions of non-return valves are:
• leaks through the seals of the disc rotation pin
• blocking of the disc in a closed or open position due to breaks of parts, debris, binding of mechanical pieces
• inadequate leak proofing in closed position due to deposited debris or damage to sealing surfaces.

Specific malfunctions of pneumatic valves are:

• the possibility of erroneous regulation of the pilot valve
• the loss of confirmation relays in closed position
• blockage of the actuation piston.
The most common deficiencies and recommendations are described in the PB-261 Report sponsored by EPRI (MPR, 1976). It is based on operating experience openly available but also on interviews with plant personnel. Here is a summary:
(A) Compatibility of the motor operator with the valve and associated control circuits

The problems may concern: oversized motors, damage to valves, difficulties with the torque switches, failures of motors and spurious stop of motors for overload. The symptoms of these events may be: damage to valves (such as stem deformation, fissured discs, seats, fissured body or yoke), lack of operation of the valve, burned out motors.

As far as the oversizing of motors is concerned, the following considerations can be made. First of all, the high-speed valves are more susceptible (rotation velocity higher than 50–60 turns per minute). The torque at which the torque switch stops the high-speed valves is much lower than the torque applied to the stem before its arrest (inertia). Typical values measured in specific tests are, respectively, 13 kgm and 230 kgm. The reasons for which a motor may be oversized are various:

• The oversizing may be deliberate in order to cope with situations of low voltage (typically 80 per cent): cases with an oversize of a factor 1.4 or higher have occurred.
• The motors are available with fixed power levels.
• The friction coefficients in the stem taken as a reference for the choice of a motor are generally higher than 0.2, while in reality they will be much lower.
• Many valves are sized to operate with the maximum pressure on one side and with atmospheric pressure on the other, and this causes motor oversizing in many operating circumstances.
• In some cases, two redundant torque switches have been installed (the less reliable part in a torque limiter) operated by the same shaft, and in order to provide the space for the second switch a larger motor has been adopted.
• When the power supply voltage is higher than the nominal one, the motor is in effect oversized even if it is not so at nominal voltage. A voltage increase of 5–10 per cent causes increases in the maximum torque by 10–20 per cent in a.c. motors.
As far as the remedies are concerned, an extreme option obviously exists of sizing the stem and the other parts of the valve for the maximum torque which the motor can deliver in the absence of a limiter, taking into account the non-nominal voltage, friction lower than the design one, etc. This remedy (stall torque design) is not in general practicable because of its high cost. A more reasonable way is the good practice of more frequent contacts between valve manufacturer and motor manufacturer. The highest responsibility for these contacts is carried by the valve manufacturer as it has the responsibility of ordering the motor. In practice, the valve manufacturer will determine the maximum torque a valve can accept in closure and communicate this to the motor manufacturer, who will suggest a suitable motor, a suitable torque limiter and settings, taking into account the various voltages and frictions possible. An improvement, but not a solution, consists in using in the valve or operator design a Belleville springs pack to damp the impact of the closure component against its seat.

In determining the force necessary to actuate the valve in design conditions (for example against the forces due to a LOCA flow rate in the pipe), it must be taken into account that many analytical methods used are unreliable and that the best demonstration is offered by a field test or prototyping in conditions equivalent to the design ones (the tests at reduced pressure are hardly extrapolated). It has to be remembered, also, that any valve which is not blocked (either locked or provided with a control room actuator with a key stored elsewhere) must be considered prone to erroneous positioning and so must be capable of being repositioned, taking into account the opposing forces in the wrong position. Cases of motor undersizing are much less frequent and more easily solved.

As far as the difficulties with the thermal overload motor switch are concerned, it has to be remembered that these mechanisms are generally based on a bimetallic foil, although different types exist (e.g. the more expensive ‘quick trip’ type). The thermal behaviour of the motor is different from that of the bimetallic device and, in particular, a switch regulated for continuous duty motors does not behave as well for discontinuous duty motors such as those used for valves. For this reason, the interruption time–current curve of the latter must be lower than that of the former (about 80 per cent). As already mentioned, however, it is difficult to satisfy the two specifications generally imposed by the plant operator:
• Stop in less than 15 s for locked rotor situations.
• Stop at nominal current in more than 20 min (for a foreseen operation time of 15 min).
The risk, which can be shown from the characteristic curves of overload switches, is that they intervene too soon in the operating cycle, so preventing the operation of the valve. For this reason NRC states in RG 1.106 that the thermal protections should be bypassed in case of accident or regulated in a way which simultaneously takes into account all the most unfavourable circumstances (which is, as already said, very difficult to implement). The practical answer adopted in the industry has been to completely eliminate all the thermal protections or to bypass them in all the cases where an accident could happen (safety-related conditions). As a consequence, cases of burnt-out motors have occurred.
(B) Seals on the stem (seal packs, bellows, etc.)

Excessive leaks from the seals on the stem of a certain number of valves have also caused unscheduled plant stoppage. It is usually sufficient to increase the compression of the seal pack to solve the problem, if the sealing material is not too old or damaged with loss of resilience. In a nuclear plant, however, there is always the problem of access to inside the containment, which cannot be too frequent. One solution, using bellows and diaphragms, is not often adopted because breakages of these components have happened. Symptoms of an excessive leak have been:
• visible water or steam leaks, especially on steam lines, feed-water lines and drain lines;
• formation of visible boric acid crystals on the stem of PWRs;
• broken bellows in the spray valves of pressurizers;
• increase of humidity and of radioactivity in the containment;
• low pressure alarms due to gas leaks in compressed nitrogen and air systems;
• loss of radioactive fluid in the collection systems of liquid or gaseous waste;
• spontaneous change of position of valves for pressure loss in pneumatic valve control circuits.
The problem of the leaks along the stems of valves is usually accepted as normal in conventional and nuclear plants. The situation is kept under control until a suitable time to intervene or until the leaks become unacceptable. Then, generally, the packing follower is adjusted (increasing or decreasing pressure on the packing material) or the packing is replaced. Frequently, temporary drainage lines are installed in order to keep leaks off nearby components.

It has been shown that the position of a valve installation has an influence on the frequency of cases of leaks (vertical and horizontal stem valves installed in the same system and with similar operating conditions show different behaviour). The horizontally mounted valves are more likely to leak, although the manufacturers usually give assurances that the valves can be mounted in any desired position. In some cases, a modification of a horizontally mounted valve has been successfully implemented. This consists of installing a mechanical support on the stem close to the seal package in order to prevent excessive deformations of the stem itself. It is common to see valves mounted vertically but with the actuator in the lower position. Here, as can be predicted, the leaks moved along the stem and damaged both the stem thread and the valve actuator.
Plant operators have found inventive solutions, on a case by case basis. For example, a double sealing package with intermediate drainage has been tried on pressurizer spray valves, without much success, and a solution with a bellows and a reserve sealing pack with intermediate drainage has also been attempted with limited success due to frequent breaks in the bellows. For the leaks from the penetrations of check valve disc pins, the obvious remedy has been to weld a cap around the penetration. The following situations have caused recurrent problems that required long maintenance times and excessive radiological exposure to personnel:
• Limited space available for the maintenance of the valve (including one case of a shipment of valves whose sealing packs could not be replaced without completely dismantling the actuator).
• The presence of spacers in the seal package which cannot be removed without exposing them to the liquid counter-pressure (leaks of radioactive liquids) and the absence, in the same spacers, of holes for their removal.
Valve seals, if based on gaskets, will always leak a little. The surface finish of the stem is 8–12 rms, but the finish of the packing cavity is also important. Sealing packs age and are frequently replaced (especially if used on steam lines). The correct choice of the degree of tightening of the pack, which should take into account the opposing needs of ensuring the absence of leaks and of keeping friction forces at a reasonable level, is necessary. As far as bellows are concerned, they may have a useful life of thousands of cycles before showing fatigue cracks. If the displacement of the stem is large, a problem of frequent ruptures of the bellows may exist unless it is very long (control of the unit deformation of the material). The deformable diaphragm behaviour may differ greatly even within the same production batch. Diaphragm and bellows are usually available for small valves, up to 2 in, except for very low service temperatures (up to 8 in). Plug and butterfly valves do not have any axial stem displacement and use various types of sealing O-rings, if the temperature is lower than 200 °C. These types of valves have other limitations such as a susceptibility to develop leak paths and to undergo blockage.

An industry practice deficiency when preparing orders is that a maximum acceptable leakage along the stem is not specified. The nuclear industry has inherited this practice from the fossil fuel power station industry, where the accessibility and maintainability problems are considerably less severe.
(C) Body to bonnet gasket joints

The problem of leaks in gasket joints is common, especially in steam lines, both for conventional and for nuclear plants. It rarely entails shutting down the plant for necessary maintenance. Some temporary solutions adopted by various plants are:

• collecting leaks by temporary provisions and their discharge to collection points on the floor;
• application of temporary external sealants on the leaking part;
• sealing weld on the joint, where allowed by its geometry;
• replacing the gasket and application of a higher tightening force with bolts or studs of stronger material properties;
• changing gasket thickness from thicker to thinner or vice versa and reassembling the joint.
The uncertainties highlighted by the variety of solutions adopted demonstrate the lack of a universally recognized method for the design of these joints which also satisfies the need for limiting the stresses in the flange and bolts, and the leak proofing requirements. The various standards are quoted in Section 14-3-5. Until the arrival of uniform guidance, an advisable solution, apart from the use of valves without the joint in question (‘bonnetless’ valves) or the systematic use of a sealing weld, is to adopt the value of the gasket tightening force suggested by the manufacturer, under the condition that it complies with the ASME (Section VIII) code for the stresses in the bolted joint. If this is not the case, the tightening force should be decreased until the specifications of the ASME code are met.
(D) Fluid tightness across the valve seats

A certain amount of leakage from the valves is routine. The problem is aggravated in nuclear plants because, in many cases, a total and quick closure of the line is required. This means that the opening–closing cycle method for improving leak proofing, adopted on conventional plants, is not allowed on nuclear plants: good leak proofing obtained by this method is frequently considered to be bad practice. The general opinion of the operators is that the degree of leak proofing specified for nuclear plants is very difficult to obtain.

Moreover, in certain plants, like BWRs, and with reference to the leak proofing test of the steam isolation valves, the test time of the valves and their possible maintenance operations control the downtime of the plant during the periodic refuelling stops. In fact, the conditions necessary for the leak proofing tests are not compatible with the refuelling operations and therefore the test time of the isolation valves in the steam lines (roughly two days, except for the need for some maintenance) has to be added to the time necessary for the refuelling.

Moreover, some data necessary for maintenance are considered by the manufacturers as proprietary and are not shown on the drawings and on the specifications of the valve. A typical example is the difference between the angle of the valve disc or plug and that of their seats. Apparently, however, an art of the valve maintenance exists which overrides the lack of systematic information.

As far as the leak proofing specification is concerned, reference is usually made to the ANSI N278.1 Standard (ANSI, 1975), which gives the following definitions:

• Low leakage: when the manufacturer test has to demonstrate a leakage lower than 2 cm³ of water per hour and per inch of nominal diameter.
• Nominal leakage: if the same quantity is 10 cm³ per hour and per inch.

While, therefore, the design/test leakage is defined with reference to water, the nuclear requirement makes reference to the fluid treated. If it is not water, as for many large ventilation and steam valves, the non-trivial problem of the correlation between losses of water and losses of gas/vapour arises. The following facts are instructive in this connection:

• A large (20 in) isolation valve of a steam line for a BWR is the component involved.
• The shop test made by the manufacturer using air with a 50 psi differential pressure indicated zero leakage.
• After installation on the plant the same valve indicated under the same test conditions a leakage of 200–400 cm³ min⁻¹.
• Subsequently the test was repeated with water using a differential pressure of 200 and of 1250 psi, complying in both cases, and by an ample margin, with the limit of 2 cm³ hr⁻¹ per inch of diameter.

The development of standards with the support of research is necessary in this field.
(E) Misuse of valves for the intended service

In the following, some cases of operation difficulties are described which can be attributed to the erroneous choice of the type of valve.

The first case is that of the use of rigid disc gate valves with temperature variations higher than 150 °C. It is indeed proven that such a valve, if closed in hot conditions during a cool-down transient with ΔT higher than the indicated value, without cycling in open–closed position during the cooldown, will remain stuck closed and will not open again in cold conditions. It is advised not to use such a valve with thermal excursions higher than 95 K or, more conservatively, higher than 65 K. Alternative solutions exist, understandably more costly, such as the use of ‘flexible disc’ valves and parallel faces disc valves.

The second case is the use of non-return valves for applications requiring very good leak proofing. The valves on the feed-water lines and those on gas/vapour systems (inerting, air purging, etc.) are examples of valves with high maintenance needs. Moreover, once reconditioned, they generally start leaking again after a few actuation cycles.

In the plant experience, even cases of valves on welded lines are recorded where maintenance could not be performed because a relative displacement of the two parts of the valve along the welded pipe axis was required (for example, non-return valves with a diagonal bolted joint on the valve body). Many maintenance specialists even consider the use of gate valves with an angled seat (tapered wedge, usually at 15° with respect to the stem axis) in welded pipes to be bad practice. In fact the maintenance of the seats requires the exact positioning of the resurfacing machine, which is practically impossible in situ, away from the machine shop at the appropriate bench. The only solution to avoid these situations is a design verification system aimed at ascertaining that the valve orders contain all the specifications necessary to avoid the same problems. Some areas where a verification is necessary are:

• The orientation of the valve with respect to the vertical direction.
• Physical accessibility and space available for the dismantling and in situ repairs.
• Presence of adequate attachment points, on the valve and possibly on the structures, for lifting heavy parts without damaging machined surfaces.
14-3-5. Valve standards

Some standards frequently used in the nuclear field are:

- API 601 (June 1962) ‘Metallic gaskets for refinery piping: double-jacketed corrugated and spiral wound’, API.
- DIN 2505 (1964) ‘Calculation of flanged joints’, Deutsche Normen.
- MIL-G-21032D (April 1972) Military Specification ‘Gaskets, metallic–asbestos spiral wound’, Dept. of the US Navy.
- ANSI B16.5 (1973) ‘Steel pipe flanges and flanged fittings’, ASME.
- ASME (1974) ‘Boiler and pressure vessel code’, Section VIII, Division 1, 1974 Edition, Pressure vessels, ASME.
- ASTM F401 (1974) ‘Standard method of test for yield and maintenance factors for gaskets’, ASTM.
- USNRC RG 1.73 (January 1974) ‘Qualification tests of electric valve operators installed inside the containment of nuclear power plants’.
- ANSI N278.1 ‘Self-operated and power-operated safety-related valves’, Functional specification standard, ASME.
- USNRC RG 1.96 (June 1976) ‘Design of main steam isolation valve leakage control systems for boiling water reactor nuclear power plants’.
- USNRC RG 1.106 (March 1977) ‘Thermal overload protection for electric motors on motor-operated valves’.
Chapter 14 Notes on some plant components
14-4. Containment systems

The following deals only with containment leaks that might be expected in an accident. The reader is asked to consult the US Reactor Containment Handbook (ORNL 1965), EUR report 12251 (EUR 1989) and Thompson and Beckerley (1970) for other aspects of containment.

There is a tendency in the design phase to specify for the containers a figure for the maximum admissible leakage rate which is close to that which is technically obtainable in ideal conditions, that is after having performed complete maintenance to all the important sealing parts (valves, seals for the personnel and equipment air locks, etc.). Consequently, the values chosen for PWR containments are typically 0.1–0.2 per cent per day and for BWRs 1 per cent per day, referred to the mass contained at design pressure. The difference between the two cases has to be attributed to the presence of much larger isolation components in the BWRs and to the lower dimensions of the corresponding containments (for this reason, the same leak in kilograms per day, that is the same equivalent hole in the containment, is equivalent to a larger percentage of the air content in the containment).

In the course of plant operation, however, even if at the start the leak rate was the specified one or lower, a certain deterioration in the containment leak rate takes place and then in case of accident, the leak rate would probably be higher than that measured in the last leakage test. It is therefore very interesting to estimate a leak rate suitable for use in safety analyses, leaving unchanged the figure inserted in the technical specifications for the maximum leak rate to be demonstrated through periodical tests.
Obviously, each containment is a particular case and the best way to establish a realistic yet conservative value of the leak rate for safety analyses would be to observe the behaviour of the containment with time and the amount of the leakages measured both in the ‘as found’ conditions (that is before having performed maintenance to the sealing parts) and in the ‘as left’ conditions (that is after maintenance). Unfortunately, however, at the time of the design and of the initial safety analyses this experience is not available and therefore reasonable preventive estimates have to be made, which should be confirmed during operation.
It must be noted that containments show very different behaviours: cases have happened where, after only one week following a leak test and maintenance, the leak rate of some valves has become large again and not within the technical specification limit. These cases happen when a systematic and permanent cause of deterioration of the leak proofing exists, for example the presence of paint on the internal surface of the ventilation conduits with a tendency to flake and therefore to deteriorate the leak proofing of the isolation valves. In other cases, a strict observance of the technical specification limits is reported both in ‘as found’ and in ‘as left’ conditions for long periods of operation of the plant.

Some years ago, in-depth studies (OECD 1990; USNRC 1985, 1988) were performed on the deterioration probability of the leak proofing in real containment systems. The picture which emerged is not very reassuring; for example, the results of the USNRC (1988) study indicate the situation given in Table 14-2.

Table 14-2. Measured containment leaks (USNRC 1988)

Leak measured relative to the specifications    BWRs    PWRs
From 1 to 10 times                              0.10    0.31
From 10 to 100 times                            0.04    0.08
Higher than 100                                 0.01    0.07

This means, for example, by summing the three values in each of the last two columns of the table, that the probability of exceeding the specification values in case of accident is 15 per cent for BWRs and 46 per cent for PWRs. From data like these stems the practical rule of multiplying the specification value by 10 in correspondence with a 10 per cent probability and by 100 for a 1 per cent probability, in a probabilistic accident study. From Table 14-2, for example for PWRs, the following empirical law can be derived for the probability p [%] as a function of the multiplication factor of the specification value of the leakage x:

$$p = \frac{1}{0.545255\,x - 0.00419\,x^{2} + 1.632846} \qquad (14.3)$$
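The empirical law can be reproduced from the table itself. The following added example (not from the book) assumes that Eq. (14.3) is the reciprocal of a quadratic in x, fits it exactly through the three cumulative PWR fractions of Table 14-2, and applies the same fit to the BWR column as an extension; function names are illustrative and p is returned as a fraction (0.15 = 15 per cent).

```python
# Table 14-2 (USNRC 1988): fraction of measured leaks falling in each band,
# the band being the measured leak as a multiple x of the specification value.
TABLE_14_2 = {
    "BWR": (0.10, 0.04, 0.01),   # 1-10 times, 10-100 times, > 100 times
    "PWR": (0.31, 0.08, 0.07),
}


def exceedance(bands):
    """Return {x: P(leak >= x times the specification)} for x = 1, 10, 100."""
    b1, b10, b100 = bands
    return {1.0: b1 + b10 + b100, 10.0: b10 + b100, 100.0: b100}


def solve_linear(matrix, rhs):
    """Solve a small square system by Gaussian elimination with partial pivoting."""
    n = len(rhs)
    aug = [row[:] + [r] for row, r in zip(matrix, rhs)]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(aug[r][col]))
        aug[col], aug[pivot] = aug[pivot], aug[col]
        for r in range(col + 1, n):
            factor = aug[r][col] / aug[col][col]
            for k in range(col, n + 1):
                aug[r][k] -= factor * aug[col][k]
    sol = [0.0] * n
    for r in range(n - 1, -1, -1):
        acc = aug[r][n] - sum(aug[r][k] * sol[k] for k in range(r + 1, n))
        sol[r] = acc / aug[r][r]
    return sol


def fit_reciprocal_quadratic(points):
    """Fit 1/p = a*x**2 + b*x + c exactly through three (x, p) points.

    The functional form is an assumption of this example. With three points
    and three coefficients the result is an interpolation, not a regression.
    """
    xs = sorted(points)
    matrix = [[x * x, x, 1.0] for x in xs]
    rhs = [1.0 / points[x] for x in xs]
    return tuple(solve_linear(matrix, rhs))


def leak_probability(x, coeffs):
    """Probability (as a fraction) that the leak is at least x times the specification."""
    a, b, c = coeffs
    return 1.0 / (a * x * x + b * x + c)


def turning_point(coeffs):
    """Factor x at which the fitted p(x) stops decreasing (meaningful when a < 0)."""
    a, b, _ = coeffs
    return -b / (2.0 * a)


if __name__ == "__main__":
    for reactor, bands in TABLE_14_2.items():
        coeffs = fit_reciprocal_quadratic(exceedance(bands))
        print(reactor, "a=%.6f b=%.6f c=%.6f" % coeffs,
              "turning point x=%.1f" % turning_point(coeffs))
        for x in (1, 10, 30, 100):
            print("   x=%4d  p=%.3f" % (x, leak_probability(x, coeffs)))
```

For the PWR column the fitted curve reaches its minimum near x = 65 and rises again towards x = 100, so it should be read as an interpolation between the three tabulated points rather than as a monotonic exceedance curve.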
For example, for an increase of at least 10 times with reference to the specifications value (x = 10), the formula gives a probability of 15 per cent, in agreement with the data in Table 14-1 (sum of the last two values in the second column).

In some cases the designer assumes in the safety analyses the specification value of the leakage rate to be increased by a certain factor chosen by good judgement. If the leakage rate is 0.2 per cent, in the safety analyses a value of 1 per cent is sometimes used. This is a matter of opinion; however, it is certainly better than directly using the specification value without the support of previous applicable experience.

It is surprising that this issue does not receive much attention in the field of safety studies. Probably, this is due to the fact that a limited exceedance (even 10 times the specifications value) has a small effect on the result of the risk analyses (usually dominated by very unlikely but very catastrophic accident sequences, involving a large break in the containment). This issue has been dealt with here because, for the plants now under construction and for future ones, the tendency is to restrict the important consequences of severe accidents to within a small distance from the plant, possibly also avoiding the need to evacuate the population. From this perspective, the real leakage of the containment system becomes very important, in conditions where the containment is not severely damaged. At the same time, great importance has to be attached to the accident management provisions, intended to reduce excessive leakages from some components. Two provisions adopted in various plants are:
- the pressurization of the space between the two isolation valves on a line after an accident;
- the flooding of the same space with water in cases where a gas is present instead (a leakage reduction factor of the order of at least 30 is so obtained).
In the systems with double containment with filtering of the effluents from the annulus between the two containments, a small pipe with a manually actuated valve can also be provided, which connects the space between the two isolation valves on a line with the leakage filtration system, if it is convenient to do so.
References

ANSI (1975) ‘Self-operated and power-operated safety-related valves, functional specification standard’, N.278.1, ASME.
EUR (1989) ‘Practices and rules applied for the design of large dry PWR containments within EC countries’, Report EUR 12251 EN, Comm. of European Comm.
EUR (1996a) ‘A review of formulas for predicting irradiation embrittlement of reactor vessel materials’, AMES Report N.6, EUR 16455 EN, European Commission DG XI/C/2.
EUR (1996b) ‘Dosimetry and neutron transport methods for reactor pressure vessels’, AMES Report N. 8, EUR 16470 EN, European Commission DG XI/C/2.
EUR (1997) ‘A comparison of Western and Eastern nuclear reactor pressure vessel steels’, AMES Report N. 10, EUR 17327 EN, European Commission DG XI/C/2.
Fed Reg (1983) ‘Fracture toughness requirements for protection against thermal shock events’, USA Code of Federal Regulations, 10/50.61.
McGuire (McGuire Nuclear Plant) (1988) ‘A safety injection/Reactor trip occurred due to a design deficiency of the main turbine controls – Followed by various Equipment Malfunctions’, LER (Licensee Event Reports) 369-87-017-01.
MPR (1976) ‘Assessment of industry valve problems’, PB-261 474, Ass., Inc, Wash. DC for EPRI; Nov. 76.
OECD (1990) ‘Inadequate isolation of containment openings and penetrations’, CSNI Report N.179, OECD/NEA.
ORNL (1965) ‘US reactor containment technology’ (2 vols), ORNL-NSIC-5, A compilation of current practice in analysis, design, construction, test and operation, Wm.B. Cottrell and A.W. Savolainen Editors, Oak Ridge National Laboratory, Oak Ridge, Tenn. USA.
Thompson, T.J. and Beckerley, J.G. (1970) The Technology of Nuclear Reactor Safety, Volume 2 (Reactor Materials and Engineering). Cambridge, MA: The MIT Press.
USNRC (1985) ‘Reliability analysis of containment isolation systems’, NUREG/CR-4220.
USNRC (1988) ‘Technical findings and regulatory analysis for generic safety issue II.E.4.3, “containment integrity check”’, NUREG 1273.
USNRC (1989) ‘Safety related motor-operated valve testing and surveillance’, USNRC Gen. letter No. 89-10, June 28.
USNRC (1990) ‘Action plans for motor-operated valves and check valves’, NUREG 1352, June.
USNRC (1997a) ‘Assessment of pressurized water reactor primary system leaks’, NUREG/CR-6582, INEEL/EXT-97-01068.
USNRC (1997b) ‘Review of industry efforts to manage pressurized water reactor feedwater nozzle, piping and feedring cracking and wall thinning’, NUREG/CR-6456, INEEL-96/0089, AEOD/E97-01.
USNRC-OAEOD (1998) ‘Rates of initiating events at US nuclear power plants: 1987–1995’, NUREG/CR-5750, INEEL/EXT-98-00401.
UKAEA (1982) ‘An assessment of the integrity of PWR pressure vessels’, Marshall, W. (Chairman), LWR Study Group Report, United Kingdom Atomic Energy Authority.
Chapter 15 Earthquake resistance
15-1. General aspects, criteria and starting data

Seismology and seismic engineering have progressed enormously in recent years. In particular, seismic engineering has rapidly developed since the 1950s (USAEC, 1963; Petrangeli, 1987; Livolant et al., 1979; IAEA, 1992; Roesset, 1995; Gurpinar, 1997). As will be seen, the progress in these fields is still in full swing and much of what is written here should be read with this in mind.

With the aim of encouraging research, the organisers of the World Conference of Seismic Engineering in Madrid (1992) distributed an interesting booklet on earthquakes (Gallardo, 1756) (Fig. 15-1), published by Don Isidoro Ortiz Gallardo of Villaroel, a Professor at the Salamanca University in 1756 (during the Enlightenment period) a year after the disastrous Lisbon earthquake, which was felt throughout the Iberian peninsula and in a large part of Europe. Here are some excerpts from Gallardo’s book:

. . . it can be said, generally, that the origin of earthquakes is the underground fire, which being pushed by the wind through some of the mentioned crossings, streets and fissures enters one or several of the underground caverns where Nature works on producing sulfurs, saltpetre, coal, ammonium, salt, and other similar materials which are very inflammable and combustible. In that way, the lighted fire is so intense that it converts almost instantaneously the saltpetre materials into wind and this latter, unable to bear any oppression, looking for an exit, boils and hits itself against the cavern walls, where it is occluded, until it breaks them; the others enter and so and so; in this way, it runs a long way into the earth and, finally, bursts up, usually there where it finds the lesser strength. So, on the surface beneath which it runs, it produces the quake and the shaking we perceive, while the various effects we admire and cry for are felt there where it is bursting with horrible noise and destruction.

That the phenomenon could follow that path can be inferred from our knowledge of the mechanisms of besieging towns; because, as soon as the narrow room of the mine where barrels or powder-bags are deposited is closed and the fuse is lighted, the saltpetre parts of which it is composed are transformed into wind which, unable to bear such a narrow jail tries to get out and, shaking the neighbouring land, it destroys the bastions, towers or walls that limited its freedom.

Philosophers have produced rare and even ridiculous divisions and subdivisions of earthquakes, but the most regular and known are those called Quake, Pulse and Inclination; and all these divisions, about which it would be possible to fill several pages, are reduced to the fact that either the soil moves laterally or horizontally as a paralytic, and then is called Quake; or it raises and sinks at steps, imitating in some way the heart beats that we feel in our Arteries, and then it is called Pulse. Or while one part of the site raises, the other sinks, with which the buildings, boulders and mountains tilt and vibrate, and it is called Inclination.

Figure 15-1. A 250-year-old text on earthquakes. (Reproduced from Lecciones, Terremotos, with permission from Colegio de Ingenieros de Caminos, Canales y Puertos, Madrid.)

Having dutifully reminded ourselves that research is still underway, it is necessary to say that knowledge does exist which allows us, on the basis of experience, to protect ourselves from the consequences of possible earthquakes. Structures and components behave well in earthquakes if simple design and verification rules are followed. This is true in particular for industrial plants, whose component parts are already normally specified to resist pressures, vibrations of mechanical origin, lateral expansion forces and strong weights. However, potentially weak points also exist, which past earthquakes highlighted.

It is necessary to remember that a wide and balanced mindset is required when approaching seismic engineering problems. The scientific and technological progress has been, in fact, very strong in the modelling of some aspects, while in other sectors it is still necessary to revert to methods which, although conservative, are strongly empirical. This is true both for the correct modelling of the reference ground motion and for the study of the response of structures and of components. An example of the first type of study is the structural analysis in the non-linear field of complex constructions. An example of the second is soil liquefaction analyses. It is not necessary and sometimes not even correct to apply refined methods only in a part of the logical sequence of analyses (for instance when performing very refined structural analyses after a very approximate and rough determination of the reference ground motion). Since, obviously, it is not useful to use extremely refined analyses in one part of the problem and rough methods in another part of the same problem, it is necessary to choose, for each evaluation, which precision level to use for the whole analysis in order to obtain an optimal overall use of resources.
It has to be remembered, in order to give an economic measure of the importance of this problem of equilibrium, that the complete analysis of a plant may require a total engineering time which ranges from some thousands to some hundreds of thousands of man-hours (corresponding to a very high cost) according to the degree of refinement of the analyses and tests adopted (Stevenson, 1995). Currently, besides methods of seismic qualification based on refined analyses and extensive tests, auxiliary verification methods (based on experience data which make extensive use of seismic inspections, on checklists based on past experience, and on simplified analyses and tests) are gaining ground in practice and in the degree of acceptance by governmental control bodies.
These methods based on experience are obviously less costly, but still offer reliable results, even if rather conservative. They are therefore very suitable for a first iteration in a verification to be performed in a short time on an already built plant. An in-depth analysis or experimental test could possibly follow, especially on the most critical aspects highlighted by the first iteration.

In cases where the maximum rational rigour in the decisions taken in this rather uncertain field is necessary, the probabilistic method is the one generally adopted. This is one of the areas where the progress in the last ten years has been strong, both concerning the probabilistic characterization of the reference seismic motion and concerning the probabilistic treatment of the strength and functionality of structures and components (fragility curves) (Gurpinar, 1997; IAEA, 1993).

As far as the applicability of seismic standards valid for general construction to nuclear and process plants is concerned (Italian seismic Norms, 1996), the following considerations must be taken into account.

Firstly, phenomena not taken into consideration by the standards can happen and therefore the need arises to indicate acceptable verification methods which are logically compatible with the spirit of the standards themselves. A typical case concerns the phenomenon of liquid oscillations in tanks caused by earthquakes and of the possible consequent effects (in particular, for large atmospheric tanks, the impact of the liquid against the roof and consequent damage, the increase of the overturning moment on the tank and possible damage of anchors and elastic–plastic instability of the vertical wall) (Fig. 15-2).

Secondly, the objectives themselves and the logic of the standards in force do not cover all the protection needs of an industrial plant. In fact the legislator aims to reach two objectives (Castellani et al., 2000):
- The avoidance of any form of damage to structures in case of an earthquake with a return time roughly equal to the normal life of a building (e.g. 100 years).
- The avoidance of the collapse of the structure, even when damaged, in the case of the most violent earthquake expected on the site.
However, for an industrial plant either nuclear or one at risk of a serious accident, the protection objectives could be expressed as follows:

- To ensure the continued operation of the plant should there be an earthquake with a return time equal to its normal life, possibly after an inspection and after a few simple repairs to damaged components.
- To avoid a serious accident in the case of the most violent earthquake expected on the site.

As can be seen, the two points of view are different and, while the current standard considers damage and collapse, there is also the need to protect a plant’s functionality and prevent accidents. These concepts imply, in particular, the prevention of significant leaks of noxious gases and liquids, the absence of reactions and of uncontrolled and destructive phenomena and the functionality of the safety equipment (shut-down, cooling, containment and control). Consequently, the standards in force make ample use of the problematic concept of ductility of a structure, which is, instead, only partially applicable in the case of plants. The ductility of a structure is the ratio between the maximum displacement of one of its representative points at the moment of collapse (ultimate displacement), $X_u$, and the maximum displacement of the same point at the attainment of yielding conditions in the material, $X_s$, always for the same loading scheme and for growing loads:

$$\text{ductility} = \frac{X_u}{X_s} \qquad (15.1)$$

It can also be assumed, on the basis of calculation and test results, that the displacement of a representative point of a structure can be calculated with a perfectly elastic scheme ($X_e$) even if the structure deforms plastically:

$$X_e = X_u \qquad (15.2)$$

Figure 15-2. Weak points of an atmospheric tank in an earthquake.
Taking into account the fact that the ductility which can be assigned to a structure reaches in many cases values of 3–4 and higher, it can be easily demonstrated that, for simple structures, the limiting requirement of the maximum elastic stresses in the case of a reference earthquake of the order of 0.1g (seismicity degree 12 or seismic Class I for Italian standards, corresponding to a return time of roughly 150 years) offers protection from collapse for earthquakes with a maximum ground acceleration at least of the order of 0.3 (return time of roughly 500 years or more) (Castellani et al., 2000). Considerations of this type are applicable only to industrial plant structures that are to be protected from collapse, that is to parts of the plant. For all other structures and components, criteria and guidelines more suitable to the real needs of protection from accidents are necessary. These criteria and guidelines must, on one side, comply with the logical approach of the standards in force and adjust them to the specific needs of the plants and take into account those phenomena which the standards do not consider but are still important. This chapter gives some considerations, mainly general, which are useful for a correct approach to the problem and some phenomena and problems of particular relevance are discussed. A more complete and detailed treatment of any single issue may be found in the given references.
15-2. Reference ground motion

The seismic motion of a point in the ground is complex and motion along all six degrees of freedom takes place (the three translation ones and the three rotation ones (Fig. 15-3)). Prof Gallardo de Salamanca (quoted above) reduced them to three principal ones: that is one of horizontal oscillation, one of vertical oscillation and one of rotation around a horizontal axis. In reality the horizontal oscillation and the rotation each count twice if they are applied to any direction in the horizontal plane. Today, we reduce the seismic reference motions to those which experience has indicated are generally prevailing in practice: a horizontal oscillatory translation (in the various possible directions) and a vertical one.

Figure 15-3. The six real degrees of freedom and the three degrees generally used.

Even with this simplification, the problem of defining the seismic ground motion as an input datum in the seismic analysis of the plant is far from trivial: here too some conventionally accepted and usually conservative assumptions are necessary (Castellani et al., 2000; Roesset, 1995).

According to what we know today (which supersedes the ‘explosive’ model described by Gallardo), an earthquake is usually started by the sudden relative sliding of contiguous zones of the Earth’s crust along fracture surfaces (faults), due to the internal state of stress of the ground itself. The accumulated elastic energy is then liberated in the surrounding medium producing compression and shear seismic waves which also become surface ones near the free surface of the ground. Even if today it is possible to try to determine the surface ground motion on the basis of assumptions on the original fault sliding event, this is not usually the starting point for the definition of the reference seismic motion in plant analysis.

The reference motion is generally (with an enormous simplification) characterized by a maximum peak ground acceleration in the horizontal direction and by a design or verification spectrum derived from a large number of strong earthquakes which have been adequately recorded and analysed. The maximum vertical acceleration, then, is assumed equal to a fraction (50–70 per cent) of the horizontal one. These data are sufficient to perform a modal analysis of the structure but not, obviously, a space–time analysis, for which a reference ground accelerogram is necessary.

The response spectrum of a specific earthquake is a diagram of the response (acceleration, velocity and maximum displacement) to the seismic motion of a simple elastic oscillator, characterized by a natural frequency of oscillation and by a damping value.
A design or verification spectrum is an average of various spectra of many past earthquakes considered representative of the site of interest. The acceleration design spectrum has obviously, in correspondence with zero period, the value of the maximum ground acceleration chosen as a reference. In fact, this value is the response of a perfectly rigid object resting on the ground. Figure 15-4 shows a design spectrum that is often used for nuclear plants (for a damping equal to 5 per cent of the critical one) and the design spectrum of the Italian standards (Italian seismic Norms, 1996), both normalized to the maximum ground acceleration of 1g.

Figure 15-4. (a) The design spectrum for nuclear plants and (b) the spectrum of general (Italian) seismic standards. [Plots of acceleration A (g) against frequency F (1/s).]

It must be noted that the Italian standard spectrum does not present a decrease at high frequencies. This is frequently done in order to take into account the increase of the natural period of vibration due to a plastic behaviour of the structure, in the cases where this plastic behaviour is allowed but the seismic response calculations are made using linear models.

This simplified characterization of the reference seismic motion does not explicitly specify two other fundamental characteristics: its duration and its frequency content. For this reason, in cases where the analysis of the structure and of the components is very complete, in addition to the pair ‘maximum ground acceleration–response spectrum’, one or more accelerograms consistent with the same spectrum are specified.
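The definition of a response spectrum given above can be made concrete by integrating the elastic oscillator directly. This added example (not from the book) computes spectral accelerations for a constructed accelerogram, using Newmark's average-acceleration method as the integrator (a choice made here); the 5 per cent damping is the value quoted for Figure 15-4, and all function names are illustrative.

```python
import math

G = 9.81  # m/s^2


def constructed_accelerogram(pga_g=0.1, f0_hz=2.0, duration=10.0, dt=0.01):
    """Constructed (not recorded) ground acceleration in m/s^2:
    a 2 Hz sine under a Hann window, peaking at about pga_g * g."""
    n = int(round(duration / dt)) + 1
    acc = []
    for i in range(n):
        t = i * dt
        envelope = math.sin(math.pi * t / duration) ** 2
        acc.append(pga_g * G * envelope * math.sin(2.0 * math.pi * f0_hz * t))
    return acc, dt


def spectral_acceleration(acc, dt, freq_hz, damping=0.05):
    """Peak absolute acceleration of a unit-mass elastic oscillator
        u'' + 2*z*w*u' + w^2*u = -a_g(t)
    with natural frequency freq_hz and damping ratio z, started at rest.
    u is the displacement relative to the ground."""
    w = 2.0 * math.pi * freq_hz
    c, k = 2.0 * damping * w, w * w
    # Sub-step so that there are at least 20 integration steps per natural period;
    # the accelerogram is interpolated linearly between samples.
    n_sub = max(1, math.ceil(20.0 * freq_hz * dt))
    h = dt / n_sub
    k_eff = k + 2.0 * c / h + 4.0 / (h * h)
    u, v = 0.0, 0.0
    a = -acc[0]                      # relative acceleration at t = 0
    peak = abs(a + acc[0])           # absolute acceleration = relative + ground
    for i in range(len(acc) - 1):
        for j in range(1, n_sub + 1):
            ag = acc[i] + (acc[i + 1] - acc[i]) * j / n_sub
            # Newmark average acceleration (beta = 1/4, gamma = 1/2)
            p_eff = (-ag + 4.0 * u / (h * h) + 4.0 * v / h + a
                     + c * (2.0 * u / h + v))
            u_new = p_eff / k_eff
            v_new = 2.0 * (u_new - u) / h - v
            a_new = 4.0 * (u_new - u) / (h * h) - 4.0 * v / h - a
            u, v, a = u_new, v_new, a_new
            peak = max(peak, abs(a + ag))
    return peak


def response_spectrum(acc, dt, freqs_hz, damping=0.05):
    """List of (frequency, spectral acceleration) pairs."""
    return [(f, spectral_acceleration(acc, dt, f, damping)) for f in freqs_hz]


if __name__ == "__main__":
    acc, dt = constructed_accelerogram()
    pga = max(abs(a) for a in acc)
    print("peak ground acceleration = %.3f g" % (pga / G))
    for f, sa in response_spectrum(acc, dt, [0.1, 0.5, 1, 2, 5, 10, 20, 50]):
        print("%6.1f Hz   Sa = %6.3f g   Sa/PGA = %5.2f" % (f, sa / G, sa / pga))
```

The stiff end of the computed spectrum returns the peak ground acceleration, which is the rigid-object limit described in the text, while the oscillator tuned to the 2 Hz content of the constructed record is strongly amplified.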
The reference spectrum must take into account specific properties of the foundation soil (e.g. very compressible soils have a low shear wave velocity). The design spectra are, as already explained, principally derived from accelerometric records of real earthquakes, obtained by instruments located at a point on the ground. These records, however, do not take into account that the transmission of the ground motion to a structure is different to the transmission of the same motion to an accelerometer. In fact, a structure is very different in size and inertial properties to those of an accelerometer. This kind of problem is called ‘soil–structure interaction’. Neglecting it, as is done in some civil-use standards, leads in general to conservative evaluations which, in the case of massive structures extended in plan and with a high rigidity, can be exceedingly conservative. The soil–structure interaction is usually subdivided into two types or parts, each one corresponding to different phenomena: a ‘kinematic’ interaction and an ‘inertial’ interaction. The kinematic interaction derives from the fact that the seismic motion, at the contact between foundation soil and structure, must comply with the border geometric conditions imposed by the continuity with the structure itself (e.g. the type of ‘rigid body displacements’ in correspondence with a foundation plate). A particular effect of the consideration of the kinematic interaction is to take into account that, for large foundation plates (plan dimensions of many tens of metres), the length of the seismic wave in the ground may be of the same order of magnitude of the plan dimensions of the plate (especially for not very compact soils with low shear wave velocity), so that the motion transmitted to the plate by the ground will not be the one which could be recorded by a point accelerometer, and will be lower, as it corresponds to an average of the ground motions in various points of the same seismic wave. 
The inertial soil–structure interaction, instead, takes into account the fact that in the transmission of motion from the ground to the structure, the inertia of the structure itself makes it behave elastically (and not rigidly) coupled to the ground and therefore with a mechanical coupling which can be modelled, in a modal response analysis, by elastic constants and damping coefficients (either mechanical or ‘radiation’ damping or material damping, see section on soil–structure interaction on p. 173) in all the degrees of freedom of interest (Castellani et al., 2000).
A still more complex problem arises when the response spectra available are not deemed directly applicable to the case under examination, for example when they are representative of rock while the soil of interest is made of compressible alluvial deposits. If these situations are to be taken into account, it is necessary to make complex calculations of seismic motion transmission in the ground in order to closely represent the real situation (convolution or deconvolution of the seismic motion of the ground), which frequently use artificial earthquakes corresponding to the desired characteristics (Roesset, 1995).

The above illustrates the potential complexity in defining the seismic ground motion for a structural verification. Fortunately, these complex analyses are not usually necessary in practical cases and have only to be considered to validate simpler practices or as evaluation tools for cases which, sometimes because of the conservatism of the analyses used, are classified in a first iteration as critical.

A good conservative compromise in the specification of a seismic motion for a structural analysis consists in specifying a reference spectrum (which to some degree takes into account the possibly very peculiar characteristics of the ground of interest) and a maximum ground acceleration and in subsequently applying the so-defined earthquake directly at the base of the structure or, with greater realism, as a set of springs and dampers on which the structure is supposed to rest (a suitable way to simulate the inertial soil–structure interaction) (Fig. 15-5). Simple formulae for the determination of equivalent springs and dampers for soil–structure interaction can be found in seismic engineering textbooks (Castellani et al., 2000; Roesset, 1980). Some examples are also included in the section on soil–structure interaction on p. 173.
The definition of maximum ground acceleration and of reference spectrum can be made on the basis of the national standards for conventional buildings (Italian seismic Norms 1996), on the basis of the more recent concepts incorporated in the European standards under preparation (Eurocode, 2002; Italian Guidelines, 1996) and on the basis of guidelines prepared for similar cases in other countries or under the sponsorship of international organizations (Kanagawa, 1994; IAEA, 1985, 1999; Seed, Idriss and Arango, 1983). In nuclear reactors and in other important industrial installations, the following methods are usually applied (Serva, 2001).
First of all it is necessary to compile a specific and complete database to construct a seismo-tectonic model of the area, from which the potential earthquakes which could hit the site might be identified. The database must include geological and seismological information. In general four scales of investigation are adopted with increasing detail going towards the site: a regional scale (within 100–300 km), a close regional one, one near the site and the last on the site itself. The principal aim of the regional studies is to supply the knowledge of the tectonic picture and of its general geodynamical features and of identifying and characterizing the seismogenic aspects which may have importance for the seismic hazard on the site. The principal aim of the close regional studies is to characterize the most important seismogenic structures for the assessment of the seismic hazard. The investigations near the site, as already mentioned, are intended to define in greater detail the neotectonic history of the faults with the special aim of defining the possibility of surface faulting on the site (capability of the faults) and of identifying the sources of potential instabilities. The investigations on the site itself should concentrate on the definition of the physical properties of the foundation materials
and on the determination of their stability and of their response in case of seismic motion. Usually two levels of reference earthquakes are looked for: SL1 (the lower) and SL2 (the higher). In some countries SL2 is characterized by a probability of not greater than 10⁻⁴ a year and SL1 by a probability roughly 100 times higher. SL1 and SL2 can be identified by a deterministic or by a probabilistic method. For SL2, the deterministic method implies:

- the reduction of the seismo-tectonic model defined by the four scales of investigation to a set of seismogenic structures;
- the identification of the maximum potential earthquake to be associated with each seismogenic structure;
- the performance of the following evaluations:
  - The assumption should be made that, for each seismogenic structure, the maximum potential earthquake happens at the point of the structure which is closest to the site, taking into account the physical dimension of the source.
  - When the site is located within the borders of a seismogenic structure the maximum potential earthquake must be assumed exactly below the site. In this case particular care should be placed in assessing that the structure is not capable (to produce faulting on the site).
  - An appropriate relationship of attenuation with distance should be used in order to determine the level of ground motion that each one of these earthquakes would generate on the site, considering the local characteristics of the site itself.

Figure 15-5. Modelling of the inertial soil–structure interaction by springs and dampers. [Diagram: the structure and its model, resting on springs Kx, Kz, Kϕ and dampers Cx, Cz, Cϕ.]
The probabilistic technique entails the following steps:

(1) Refining the seismo-tectonic model in terms of type of source (e.g. volume, area or point source), of geometry and of depth.
(2) For each source, identifying the following parameters (uncertainties included):
  - the magnitude–frequency or intensity–frequency relationships;
  - the maximum magnitude (or cut-off magnitude, that is the one which cannot be physically overcome) or maximum intensity;
  - the relationship of attenuation with distance.
(3) Choosing the appropriate stochastic models (e.g. Poisson, Markov, etc.).
(4) Evaluating the best estimate hazard curve, with appropriate confidence intervals.
(5) Using for the design or the verifications those values of the ground motion which correspond to the probabilities chosen as a reference criterion.

The characteristics of the reference motions for the SL1 and SL2 designs include response spectra for a sufficient number of damping values and space–time histories (variation of ground acceleration with time) compatible with the spectra. Various methods have been used to choose the response spectra, among which the most used ones are those of the Standard Response Spectrum (e.g. that of USNRC Regulatory Guide 1.60, Fig. 15-6) and that of the Site Response Spectrum. When defining the damping values, it is necessary to remember their dependence on the level of stress/deformation of the materials (e.g. as in the USNRC Regulatory Guide 1.61, Table 15-1).

The space–time histories are, in general, deemed necessary (except for the use of approximate methods described later) for the evaluation of the response of plant components, for the evaluation of the nonlinear structural behaviour (rarely needed) and for certain evaluations of soil–structure interaction. They should also represent the duration of the shaking, which is frequently correlated with the length of the origin fault and with the velocity of propagation of its rupture.

Another input datum is the ratio between maximum vertical and horizontal acceleration of the ground. In the absence of data recorded on the site, this ratio can be decided by good judgement (e.g. 2/3). The records of past earthquakes indicate that this ratio varies between 1/2 and 1, with maximum values for close earthquakes (i.e. a focus at short distance from the record point), and that it also varies with the lithological characteristics of the site and with other factors.
In some countries, exclusion criteria for nuclear sites are used. For example, in Italy the criterion of historical earthquakes is macro-seismic intensity higher than IX MSK (frequently corresponding to a maximum ground acceleration of about 0.25g). In many countries the criterion of danger of surface faulting on the site is used as an exclusion criterion. In this connection it is surprising that some
regulations accept faulting under a nuclear site, especially where the evaluation of a fissure forming underground appears extremely problematic and uncertain. However, experts maintain that a design resisting surface faulting can be made, but it is not good practice and probably must be limited with completely reassuring margins. For existing plant, difficult and complex studies may be warranted together with the implementation of costly structural reinforcements, if closure is to be prevented.

Figure 15-6. Design spectrum taken from USNRC Regulatory Guide 1.60. [Plot axes: Frequency (Hz) and Velocity (in s−1), with diagonal scales for Displacement and Acceleration and one curve per Damping % value.]

Table 15-1. Damping as a percentage of the critical one (USNRC Regulatory Guide 1.61).

| Structure or component | Stresses below yield point | Stresses at yield point or higher |
|---|---|---|
| Large components and systems with large pipes (diameter 30 cm or higher) | 2 | 3 |
| Systems of small piping (up to 30 cm diameter) | 1 | 2 |
| Welded steel structures | 2 | 4 |
| Bolted steel structures | 4 | 7 |
| Pre-tensioned concrete | 2 | 5 |
| Reinforced concrete | 4 | 7 |

Up to now the macro-seismic scale (MSK) has been discussed, but whichever intensity scale is used, it indicates, at each level, the amount of observed damage the earthquake will cause. Table 15-2 shows the main characteristics of the Italian Mercalli intensity scale, together with the typical maximum ground accelerations.

Table 15-2. The Mercalli intensity scale

| Degree | Denomination of the earthquake | Effects |
|---|---|---|
| IV | Moderate | Not perceived in the open. A few perceive it inside houses. |
| V | Rather strong | Perceived by many in the streets. Chandeliers oscillate. |
| VII | Very strong | Tiles and chimneys fall. |
| VIII | Ruinous | About one quarter of the houses severely damaged and partially collapsed. |
| IX | Destructive | Destruction of about one half of the buildings. |
| X | Completely destructive | About three-quarters of the buildings collapse. Folds and cracks in the ground and in the streets. |
| XII | Highly catastrophic | No human construction resists. Destruction of the landscape. |

Typical ground acceleration (values listed in the table): 0.03g, 0.25g, 0.7g.

The magnitude scales (the best known is the Richter scale) intend to indicate, instead, the severity of the event itself, independently from the distance at which it is observed or recorded. The degrees of the Richter scale are correlated to the response of a certain type of seismograph located at a certain distance from the epicentre and therefore they depend on a conventional definition. They can be correlated, however, with the overall energy involved in the seismic event (i.e. by the sliding of the originating fault). In the seismological literature the correlations between intensity and maximum ground acceleration and between magnitude, distance from the focus (or from the epicentre) and maximum horizontal ground acceleration are abundant. One of them is reproduced here (Ambrayses, 1988) for the maximum acceleration (average of the measured values) obtained from European and Middle-Eastern data:

$$\log_{10} a = -1.48 + 0.266\,M - 0.922\,\log_{10}\left(r^{2} + 12.25\right)^{0.5} + 0.117\,S_A + 0.124\,S_S, \tag{15.3}$$

where a is the maximum horizontal acceleration in g, M is the Richter magnitude (for M > 6.2 the moment magnitude, Mw, should be rather higher, e.g. Mw = 7.8 for M = 7), r is the epicentral distance (km), and SA and SS are parameters dependent on the nature of the soil on site (= 0 for bedrock sites, indicatively with shear wave velocity Vs > 750 m s⁻¹; for well compacted materials with Vs = 360–750 m s⁻¹, SA = 1 and SS = 0; for average or low compacted alluvial sites with Vs = 180–360 m s⁻¹, SA = 0 and SS = 1).

An example determination of the reference earthquake SL2 on a site follows. It is assumed that the seismological and tectonic investigations have shown the following elements of interest (Fig. 15-7):
- A line of active faulting A–B, 100 km long, with a maximum historical earthquake T1 of magnitude 6.
- A maximum historical earthquake T2 of magnitude 5 which cannot be associated to any seismogenic structure of the region.

First of all, on the basis of the length of the fault A–B and considering the existing correlations between length of fault and maximum expected magnitude, the earthquake T1 is associated with a magnitude of 7.3 instead of 6. This earthquake is then displaced at the point closest to the site along the faulting line and subsequently attenuated for the 20 km distance. The resulting maximum acceleration is equal to 0.8g. The earthquake T2 which cannot be associated to structures is supposed to occur under the site, giving rise to a maximum acceleration of 0.22g. The earthquake SL2 will therefore have a maximum acceleration of 0.8g. An empirical table (Table 15-3) is chosen to correlate the maximum active fault length with the maximum expected magnitude.

Figure 15-7. Sample case for determination of reference earthquake. [Sketch labels: faults, F, T1, L = 20 km, T2, SITE.]

Table 15-3. Correlation between fault length and maximum magnitude of earthquake

| Length of fault (km) | Maximum magnitude |
|---|---|
| 10 | 6 |
| 20 | 6.5 |
| 100 | 7.3 |
| 200 | 7.8 |

It must be remembered that the determination of reference earthquakes can be in error. Indeed, cases have happened where the historical data of past earthquakes and geological data are inadequate: a situation which should be corrected by further studies and research. Moreover, at least in principle, cases may exist where the future behaviour of the Earth’s crust in the place of interest has not been announced yet by previous historical events and cannot be foreseen by the observation of already evident tectonic characteristics, either on the surface or below the surface. It is therefore compulsory that a cautious attitude is taken and alternative sites are considered. However, the prevailing experience indicates that, generally, today’s seismic events have already been ‘written’ in the history or in the geology of the site.

In cases where it is impossible to accurately analyse a site and, instead, it is possible to counterbalance this lack of accurate analysis by over-dimensioning of structures and components, it is possible to define design earthquakes by simpler methods (IAEA, 1985, 1999; Petrangeli et al., 1998). The second of these cited, a draft Italian guide for process plants, is summarized here.

Definition of the vibratory ground motion

The vibratory motion is defined according to that prescribed in the guidelines on seismic isolation prepared by the Superior Council of Public Works (Italian Guidelines, 1996). The motion is characterized by a given return time Tr (Tr = 150, 500 years) to be correlated with the desired performance of the structure during the earthquakes. The motion is described by a normalized response spectrum (spectral form) and therefore the spectral intensity is given by a scaling factor, ag, which is applied to the spectral form. The scaling factor represents the ordinate of the spectrum at the T = 0 period. The ordinates of the spectrum cannot be related to any single seismic event, but to the complexity of events which can happen on the site. They are calculated by statistical–probabilistic procedures now in common use.

Table 15-4. Multiplication factors and return times

| Classification, S | ag (Tr = 150 years) | ag (Tr = 500 years) |
|---|---|---|
| 6 | 0.04 | 0.15 |
| 9 | 0.07 | 0.25 |
| 12 | 0.10 | 0.35 |
Scaling factor

The ag multiplication factor applied to the spectral form is defined as a function of the return period and of the seismicity level S foreseen by the current seismic classification of the national territory. The values to be used are listed in Table 15-4.

Spectral form

The frequency content of the seismic motion is defined by an elastic response spectrum, normalized to ag = 1. This spectrum will be taken as being equal for the two horizontal translation components, which are considered statistically independent of each other. For the vertical component, except for different indications supplied by specific studies for the site, the form of the spectrum will be analogous to that of the horizontal motion, but with ordinates modified as follows:

- for T ≤ 0.15 s, reduced by a factor 0.7;
- for T > 0.50 s, reduced by a factor 0.5;
- for 0.15 s < T ≤ 0.50 s, reduced by a factor obtained by linear interpolation between 0.7 and 0.5.

The elastic normalized response spectrum is defined by the expressions shown in Table 15-5.

Table 15-5. Normalized response spectrum parameters

| Period range | Response acceleration |
|---|---|
| 0 ≤ T < TB | a = s [1 + (T/TB)(η β0 − 1)] |
| TB ≤ T < TC | a = s η β0 |
| TC ≤ T < TD | a = s η β0 (TB/T)^k1 |
| TD ≤ T | a = s η β0 (TC/TD)^k1 (TD/T)^k2 |

where a is the response acceleration and s is a factor which takes into account the stratigraphic and geotechnical conditions of the site (see Table 15-6); η = [7/(2 + ξ)]^(1/3) ≥ 0.7 is a factor which takes into account an equivalent viscous damping coefficient ξ different from 5% (η = 1 for ξ = 5%); β0 is a response factor which gives a measure of the dynamic amplification of the response; TB, TC, TD are values of the periods which divide the different branches of the spectrum, dependent on the local geotechnical–stratigraphic characteristics; and k1, k2 are exponents used to describe the two descending sides of the spectrum. The values of these parameters for various soil categories are defined in Table 15-6.
Category of subsoil

The subsoil conditions are subdivided into the following three categories (the depths are referred to the foundation bottom level):

A – Lithoid formations or homogeneous soils characterized by a value of Vs (Vs is the velocity of a shear wave for shear deformation 10⁻⁶) higher than 800 m s⁻¹ or by NSPT 80, except in surface layers with maximum thickness of 5 m. Deposits of sands, gravel and consolidated clay with elevated mechanical characteristics, with a thickness of several tens of meters, characterized by values of Vs 400 m s⁻¹ (NSPT 30) at the depth of 10 m.

B – Deposits of fairly well consolidated sands and gravels of medium rigidity, with variable thickness from various tens up to hundreds of meters, characterized by values of Vs increasing with depth, starting from Vs 200 m s⁻¹ (NSPT 15) at the depth of 10 m and equal to at least Vs = 450 m s⁻¹ (NSPT 35) at the depth of 50 m.

C – Deposits of non cohesive soils, with or without inserts of soft cohesive soils, characterized by values of Vs increasing with depth without marked discontinuities, starting from Vs 150 m s⁻¹ (NSPT 10) at the depth of 20 m. Deposits of cohesive soils with medium–low rigidity, with a variation of Vs (and of NSPT) as in the preceding point.

For soil conditions between two of the categories, the less favourable should be chosen.

Table 15-6. Subsoil categories and the normalized response spectrum

| Subsoil category | Site factor, s | Response factor, β0 | Period, TB (s) | Period, TC (s) | Period, TD (s) | k1 | k2 |
|---|---|---|---|---|---|---|---|
| A | 1 | 2.5 | 0.10 | 0.40 | 3 | 1 | 2 |
| B | 1 | 2.5 | 0.15 | 0.60 | 3 | 1 | 2 |
| C | 0.9 | 2.5 | 0.20 | 0.80 | 3 | 1 | 2 |
Importance coefficients

The return time, Tr = 500 years (also indicated as Tr500), is usually chosen in the standards for normal constructions and is consistent with the assumption that the motion intensity has a surpass probability of 10 per cent in 50 years (the useful life of the construction). When the construction has a particular importance (strategical, economical, etc.) reference is made to a higher intensity obtained from a multiplication coefficient of the intensity corresponding to Tr = 500 which implicitly corresponds to a higher return time (usually Tr = 1000 years) or a lower surpass probability. Much higher return times are prescribed for the design of particular new industrial plants (nuclear power stations, LPG plants), for example NFPA indicates a Tr of 10 000 years. For existing structures, with a consequent reduced useful life, an ag factor could be adopted corresponding to lower return times defined on a case by case basis.

The values of the scaling factors ag can be modified by a factor, called the importance factor, I. Where possible, the value of I is determined so that the acceleration I × ag can be characterized by the average return period Tr considered appropriate for a particular construction. In the absence of a specific evaluation, the following values can be used:

- I = 1.4 for Tr150 to Tr300 and for Tr500 to Tr1000
- I = 1.2 for Tr500 to Tr750
Accelerograms

The accelerograms that are going to be used in the analyses must be consistent with the adopted response spectrum (USNRC, 2001), be it the one defined in the preceding tables or a site-specific one. The duration of the accelerograms must be consistent with the magnitude and with the other physical parameters relevant to the events which determine the choice of ag. In the absence of specific studies the minimum duration of the stationary part of the accelerograms will take the values indicated in Table 15-7. The stationary part must be preceded and followed by periods of increase from zero and of decrease to zero. The coherence with the reference spectrum has to be verified on the basis of the comparison with spectral ordinates of the accelerograms, for an equivalent viscous damping coefficient of 5%. In the interval of the natural period of the structure the spectral ordinate, in correspondence with each period, must be no lower than 90 per cent of the reference spectral ordinates.

Table 15-7. Duration of the stationary part of the accelerograms

| ag/g | Duration (s) |
|---|---|
| 0.04 | 3 |
| 0.10 | 5 |
| 0.20 | 8 |
| 0.30 | 10 |
| 0.40 | 12 |
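The ground-motion definition summarized in this section (scaling factor of Table 15-4, spectral form of Tables 15-5 and 15-6, vertical reduction, importance factor and the 90 per cent check on accelerograms), as an added Python example that is not part of the book. Function names and sample inputs are constructed, ag is taken as a fraction of g, and the third branch of Table 15-5 is written with TC in the numerator so that the spectrum is continuous at TC and TD (an assumption of this example).

```python
"""Added example: design spectrum built from Tables 15-4, 15-5 and 15-6."""
from collections import namedtuple

# Table 15-4: scaling factor ag, keyed by seismicity level S and return time Tr (years).
AG = {6: {150: 0.04, 500: 0.15},
      9: {150: 0.07, 500: 0.25},
      12: {150: 0.10, 500: 0.35}}

# Table 15-6: site factor s, response factor beta0, corner periods (s), exponents.
Subsoil = namedtuple("Subsoil", "s beta0 tb tc td k1 k2")
SUBSOIL = {"A": Subsoil(1.0, 2.5, 0.10, 0.40, 3.0, 1.0, 2.0),
           "B": Subsoil(1.0, 2.5, 0.15, 0.60, 3.0, 1.0, 2.0),
           "C": Subsoil(0.9, 2.5, 0.20, 0.80, 3.0, 1.0, 2.0)}


def damping_factor(xi_percent):
    """eta = [7 / (2 + xi)]^(1/3), floored at 0.7, as given on the page."""
    return max((7.0 / (2.0 + xi_percent)) ** (1.0 / 3.0), 0.7)


def spectral_form(T, category, xi_percent=5.0):
    """Normalized horizontal response acceleration a(T) for ag = 1 (Table 15-5)."""
    if T < 0:
        raise ValueError("period must be non-negative")
    p = SUBSOIL[category]
    peak = damping_factor(xi_percent) * p.beta0
    if T < p.tb:
        return p.s * (1.0 + (T / p.tb) * (peak - 1.0))
    if T < p.tc:
        return p.s * peak
    if T < p.td:
        # Assumption: TC in the numerator keeps the curve continuous at TC and TD.
        return p.s * peak * (p.tc / T) ** p.k1
    return p.s * peak * (p.tc / p.td) ** p.k1 * (p.td / T) ** p.k2


def vertical_factor(T):
    """Reduction applied to the horizontal ordinates for the vertical component."""
    if T <= 0.15:
        return 0.7
    if T > 0.50:
        return 0.5
    return 0.7 + (0.5 - 0.7) * (T - 0.15) / (0.50 - 0.15)


def design_acceleration(T, S, Tr, category, xi_percent=5.0,
                        vertical=False, importance=1.0):
    """Spectral ordinate I * ag * a(T), in the units of Table 15-4."""
    a = importance * AG[S][Tr] * spectral_form(T, category, xi_percent)
    return a * vertical_factor(T) if vertical else a


def accelerogram_is_compatible(periods, ordinates, S, Tr, category, t_min, t_max):
    """90 per cent rule: inside [t_min, t_max] every 5%-damped spectral ordinate
    of the accelerogram must reach at least 0.9 times the reference ordinate."""
    pairs = [(T, a) for T, a in zip(periods, ordinates) if t_min <= T <= t_max]
    if not pairs:
        raise ValueError("no spectral ordinate inside the period interval")
    return all(a >= 0.9 * design_acceleration(T, S, Tr, category) for T, a in pairs)


if __name__ == "__main__":
    # Constructed sample: seismicity S = 9, Tr = 500 years, subsoil category B.
    for T in (0.0, 0.1, 0.3, 0.7, 2.0, 4.0):
        print(T, round(design_acceleration(T, 9, 500, "B"), 4),
              round(design_acceleration(T, 9, 500, "B", vertical=True), 4))
    # Constructed spectral ordinates of a candidate accelerogram (5% damping).
    print(accelerogram_is_compatible([0.3, 0.5, 0.7], [0.60, 0.57, 0.50],
                                     9, 500, "B", 0.3, 0.7))
```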
15-3. Structural verifications

15-3-1. Foundation soil resistance

The first concern in the seismic verification of a plant is that the foundation soil of the buildings and other components does not collapse in an earthquake. With the help of a geologist, the possibility of surface faulting must be ruled out, that is that the sliding along the causative fault of an assumed earthquake cannot directly or indirectly affect the plant. Generally, this means verifying that the plant is not sited on active faults which are capable of sliding. (Attempts have also been made to set up design rules in the presence of surface faulting.)

The second and very important verification, for plants resting on saturated sandy soils, that is with a relatively shallow water table, is to ensure that the foundation soil cannot be affected by the very insidious phenomenon of soil liquefaction (IAEA, 1985, 1999; Seed, Idriss and Arango, 1983; Seed et al., 1985; Seed and deAlba, 1986; Robertson and Campanella, 1985). When it happens, the shear strength of the soil becomes zero, as in a liquid, and sliding of the foundation soils of buildings and other characteristic phenomena may happen. A typical scenario of many earthquakes (in particular, the 1964 Niigata earthquake in Japan) is that whole buildings effectively ‘lie down’ because the soil resistance disappears. In the Niigata earthquake, according to eyewitnesses, many inhabitants exited overturned buildings by walking on their façades, which had reached an almost horizontal position. Some buildings were recovered by simply rotating them upright again and consolidating the soil beneath. In order to understand this phenomenon, it has to be remembered that the soil shear strength can be represented by:

$$\tau = c + (\sigma - \sigma_0)\tan\varphi, \tag{15.4}$$

where τ is the shear strength of the soil, c is the cohesion (practically zero for sandy soils), σ is the total pressure of the soil, σ0 is the interstitial water pressure, and φ is the friction coefficient of the soil. When the interstitial water pressure grows with a constant total pressure in the same location, the soil shear strength decreases. Moreover, tests and experience show that in rather loose sands, when the load increases the sand
density increases too and therefore the interstitial water of a saturated sand tends to be expelled. This tendency is opposed by other actions such as surface tension (capillarity) and therefore the interstitial pressure of the water tends to increase, with a consequent decrease of the shear strength (see Equation 15.4). This effect, in the repeated loading cycles caused by an earthquake, tends to increase to a point where the shear strength of the soil is practically zero and liquefaction takes place. In general, the liquefaction danger exists down to a depth of 20 m, for cases where the water table is located within 10 m from the ground surface. At a depth of more than 20 m liquefaction is rare. Moreover, this phenomenon happens in general for medium–fine sands (D60 between 0.02 mm and 0.2 mm) with a low relative density (lower than 60%) and a low value of the standard penetrometer strength (ASTM). The evaluation of the liquefaction hazard is made comparing the maximum shear generated in the soil by the earthquake with the experimental results of the maximum shear stress which the same soil can withstand without undergoing liquefaction. It is not usually necessary to have recourse to sophisticated calculation methods, at least as a first approximation: empirical or semiempirical methods, however, do exist (IAEA, 1985, 1999; Robertson and Campanella, 1985) which allow the presence of this danger to be verified on the basis of the maximum ground acceleration of the reference earthquake, of the water table depth, of the grain size distribution of the sand, and of the value of the standard penetrometer test. It is also to be remembered that, generally, these methods indicate the cases where the consequences of the liquefaction are acceptable and those where remedial actions are required (change of site, soil compaction, interventions on the water table). 
The various study and evaluation means of this phenomenon can be summarized in various levels of importance, but they are not exclusive to one another:
- Historical investigations: Information on the effects caused at the site by past earthquakes (equivalent to the reference earthquake), the evaluation of which relate to the liquefaction phenomenon.
- Empirical correlations: The susceptibility of soils to liquefaction depends on their characteristics (grain size distribution, density, age, etc.) and on the presence of water (depth of the aquifer).
- On-site investigations: Correlation between liquefaction phenomena observed and soil properties measured in the field. Measurement methods of the resistance to liquefaction using cone penetration (CPT) and standard penetration (SPT) tests have been developed.
- Laboratory investigations: Comparison between results of cyclical tests (cyclical triaxial) with stresses calculated by numerical methods which simulate the propagation of the seismic waves in the medium. Drawbacks: difficulty of sampling. Advantages: gives an estimate when correlations are not available.
As indicated, for first approximation evaluations, the assessment of the susceptibility to liquefaction can be omitted when the saturated soil is located more than 20 m below the surface. Moreover, as the liquefaction is a threshold phenomenon, the analysis can be omitted when, for a sufficiently long return time, the vibratory ground motion at the surface has a peak acceleration lower than 0.15g. In general the liquefaction potential can be evaluated by one of the methods which use field test data (CPT, SPT), such as those proposed by Seed and deAlba (1986), Seed, Idriss and Arango (1983), Seed et al. (1985) and Robertson and Campanella (1985). For the complete description of the analysis method, reference should be made to the specialized literature. Complementing these empirical methods, analytical methods can be used which better describe the real phenomenon of the dissipation of the interstitial pressure in the soil pores.

As already mentioned, a verification of the absence of a liquefaction hazard during an earthquake in a region of saturated sands is essential. Various methods used for this verification are listed in Petrangeli et al. (1998). There follows a widely adopted, simplified method for assessing the liquefaction danger. The method first of all calculates the shear stress generated by the earthquake in the ground and then the shear stress bearable by the saturated soil. The comparison between the two quantities indicates if a soil liquefaction danger exists or not.

The shear stress generated by the earthquake is given by:

$$\frac{\tau_d}{\sigma'_0} = r_n\, r_d\, \frac{a_g}{g}\, \frac{\sigma_0}{\sigma'_0}, \tag{15.5}$$

where ag is the horizontal design acceleration, g is the acceleration due to gravity, σ0 is the total vertical soil pressure, σ′0 is the effective vertical soil pressure (i.e. σ0 minus the water pressure), rd is a stress reduction factor equal to (1 − 0.015z), z is the depth of the considered element in metres, rn is a reduction factor equal to 0.1(M − 1), and M is the magnitude of the design earthquake. The reduction factor, rn, accounts for the variation of the number of effective stress cycles with the variation of the earthquake magnitude.

To calculate the resistance of the soil to liquefaction a ‘normalized’ value of the SPT number of blows per foot, Na, which takes into account the percentage of fine sands (diameters less than 0.074 mm) and of the lithostatic pressure, is calculated by the following formula:

$$N_a = \frac{1.7\,N}{\sigma'_0 + 0.7} + N_f, \tag{15.6}$$

where N is the real value of the SPT and Nf has the values shown in Table 15-8, with a linear variation between the points. The resistance to liquefaction τ1/σ′0 is found from Table 15-9.
Table 15-8. Values of Nf for fine sands

| Percentage of fine sand | Nf |
|---|---|
| 5 | 0 |
| 15 | 5.5 |
| 60 | 10 |
| 100 | 10 |

Table 15-9. Resistance to liquefaction

| Na | τ1/σ′0 |
|---|---|
| 10 | 0.12 |
| 20 | 0.18 |
| 30 | 0.4 |
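The simplified liquefaction check of Equations (15.5) and (15.6) with Tables 15-8 and 15-9, carried through to the safety factor (resistance divided by earthquake stress), as an added Python example that is not part of the book. Assumptions: pressures are in kgf/cm² (the page states no unit), Table 15-9 is interpolated linearly, and the function names and the sample soil element are constructed.

```python
"""Added example: simplified liquefaction check (Eqs 15.5-15.6, Tables 15-8, 15-9)."""

NF_TABLE = ((5.0, 15.0, 60.0, 100.0), (0.0, 5.5, 10.0, 10.0))   # Table 15-8
RESISTANCE_TABLE = ((10.0, 20.0, 30.0), (0.12, 0.18, 0.40))     # Table 15-9


def interpolate(x, xs, ys):
    """Linear variation between tabulated points; x must lie inside the table."""
    if not xs[0] <= x <= xs[-1]:
        raise ValueError(f"{x} is outside the tabulated range {xs[0]}..{xs[-1]}")
    for x0, x1, y0, y1 in zip(xs, xs[1:], ys, ys[1:]):
        if x <= x1:
            return y0 + (y1 - y0) * (x - x0) / (x1 - x0)


def analysis_can_be_omitted(saturated_depth_m, peak_acc_g):
    """First-approximation screening: saturated soil deeper than 20 m,
    or surface peak acceleration below 0.15g."""
    return saturated_depth_m > 20.0 or peak_acc_g < 0.15


def earthquake_stress_ratio(ag_over_g, sigma0, sigma0_eff, z_m, magnitude):
    """Eq. 15.5 as read here: n * d * (ag / g) * (sigma0 / sigma0')."""
    d = 1.0 - 0.015 * z_m          # stress reduction with depth z (m)
    n = 0.1 * (magnitude - 1.0)    # accounts for the number of effective cycles
    return n * d * ag_over_g * sigma0 / sigma0_eff


def normalized_spt(n_spt, fines_percent, sigma0_eff):
    """Eq. 15.6 as read here: Na = 1.7 N / (sigma0' + 0.7) + Nf."""
    # Assumption: fines below 5 % take the first tabulated value (Nf = 0).
    nf = interpolate(min(max(fines_percent, 5.0), 100.0), *NF_TABLE)
    return 1.7 * n_spt / (sigma0_eff + 0.7) + nf


def liquefaction_resistance(na):
    """Resistance ratio from Table 15-9."""
    # Assumptions: above Na = 30 the last entry is kept (conservative);
    # below Na = 10 the value is refused rather than extrapolated.
    return interpolate(min(na, 30.0), *RESISTANCE_TABLE)


def safety_factor(ag_over_g, magnitude, z_m, sigma0, sigma0_eff,
                  n_spt, fines_percent):
    """Resistance to liquefaction divided by the stress caused by the earthquake."""
    stress = earthquake_stress_ratio(ag_over_g, sigma0, sigma0_eff, z_m, magnitude)
    resistance = liquefaction_resistance(
        normalized_spt(n_spt, fines_percent, sigma0_eff))
    return resistance / stress


# Constructed soil element: 6 m deep, sigma0 = 1.16 and sigma0' = 0.76 kgf/cm2,
# SPT N = 12 with 10 % fines, design earthquake ag = 0.25g and M = 7.5.
SAMPLE = dict(ag_over_g=0.25, magnitude=7.5, z_m=6.0, sigma0=1.16,
              sigma0_eff=0.76, n_spt=12, fines_percent=10.0)

if __name__ == "__main__":
    if analysis_can_be_omitted(SAMPLE["z_m"], SAMPLE["ag_over_g"]):
        print("screened out: no liquefaction analysis needed")
    else:
        fs = safety_factor(**SAMPLE)
        print(f"safety factor against liquefaction = {fs:.2f}")
```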
The ratio between resistance to liquefaction and stress caused by the earthquake gives the safety factor against liquefaction. For constructions of minor importance, the occurrence of a certain percentage of liquefaction can be tolerated. IAEA (1985, 1999) gives further guidance on this.

Verification of the soil strength should not, however, neglect the foundation soil bearing capacity for higher loads caused by an earthquake, the resistance of slopes, soil support walls or of other works of interest for safety, also considering potentially induced indirect effects, such as flood waves in streams due to the failure of dams (Hansen, 1970; Meyerhof, 1951; Janbu, 1957; Morgenstern and Price, 1965; Sarma, 1975, 1981; Espinoza, Bourdeau and Muhunthan, 1994).

Geological and geotechnical investigations should be carried out to:

- get a geotechnical characterization of the site;
- quantify the geotechnical parameters to be used in the verifications of the foundation soils;
- detect the possibility of instability problems, such as liquefaction, surface ruptures and collapses in case of a reference seismic event.
The amount, the extent and the type of the geotechnical investigations to be performed must be tailored to the relevance of the structures (seismic classification). They should allow an evaluation of the stability of the soils on which the structures are founded and will consider a meaningful amount of ground in relationship with the local geological features and with the dimension of the foundation structures. For example, in case of non-rocky soils, a layer of the dimensions of the foundations should be studied. In order to define the dynamic characteristics of the foundation soils, in relation to the choice of an elastic site-compatible spectrum, it is advisable to evaluate the profile of the shear wave velocity. This profile should be determined on-site by ‘down-hole’ geophysical tests. As an alternative, it can be defined with the aid of empirical correlations with the site penetration resistance (SPT, CPT) or with other geotechnical properties. For a more complete definition of the dynamical characteristics, it might be necessary to define shear wave velocity values compatible with the deformations induced in the ground by the passage of seismic waves.
In general, it is permissible to integrate the in situ data with data obtained in areas having similar geological characteristics.
Soil bearing capacity (soil stability)

Soil bearing capacity is the capability of the foundation soils to bear the dynamic loads transmitted by the structure during an earthquake. Generally, direct testing of foundations can be performed using pseudo-static methods, that is calculating the bearing capacity for eccentric and inclined loads, in order to take into account the inclination of the applied force (resulting from the weight and the seismic action). Effectively, it assumes, therefore, a rigid-plastic soil behaviour model in limiting conditions along the points of the potential sliding surface. The limit bearing capacity of the foundation soil, Qlim, can be calculated by the empirical formulation proposed by various authors, such as Hansen (1970) and Meyerhof (1951), who correlate Qlim with the soil resistance characteristics and with the dimensions of the foundation structure. The capacity of the foundation soils to bear the dynamic loads transmitted by the structure is verified when the ratio between the load acting on the foundation and Qlim is higher or equal to 1 but which includes a safety margin (e.g. 1.2).

The testing of the stability of slopes has to be examined in two different situations:

- The instability involves all or part of the foundation footprint (plant on embankment).
- The instability may happen at some distance from the structure but this can be affected by the mass of unstable soil (plant downhill of a slope or of an embankment).
The evaluation of the seismic response of a slope may be performed by different analysis methods in relationship with the level of complexity of the problem. The simplest approach is the pseudo-static method, and at the other extreme is complete nonlinear finite element modelling (FEM). The choice of the method depends on various factors:
- morphologic and stratigraphic conditions with particular reference to pre-existing sliding surfaces;
- physical–mechanical properties of soils;
- intensity of the seismic excitation;
- risk level associated with potential instabilities.
In accordance with what is normally requested by the standards, the slope stability may usually be evaluated using the pseudo-static approach. This approach is usefully employed, in particular, in cases where a differentiated structure is evident between a stronger (and more rigid) volume and a preferential sliding layer. The model of the soil behaviour is that of the rigid-plastic type, characterized by zero deformation until the stress state reaches rupture conditions (limit state conditions, assuming that in the foundation soil the limit shear stress is reached along the points of potential sliding surface). The action of the earthquake on the potential sliding mass is represented by an equivalent static force, generally horizontal but possibly also vertical, proportional to the mass itself. The value of the static force can be assumed to be equal to the product of the sliding mass and 50 per cent of the maximum ground acceleration (ag), in conformity with that recommended by Eurocode 8 (2002). The safety coefficient represents the factor by which it is necessary to reduce the shear resistance along the sliding surface in order to satisfy the equilibrium conditions of the mass under examination. A value of 1.3 can be assumed. For purely rotational rupture mechanisms the safety coefficient coincides with the ratio between the stabilizing moment of the shear forces along the sliding surface and the moment of the external forces. For the calculation itself, several methods are available. These are explained in the specialized literature, such as the proposals by Janbu (1957), Morgenstern and Price (1965), Sarma (1975, 1981), and Espinoza, Bourdeau and Muhunthan (1994). When necessary, the slope stability can be evaluated by numerical methods (FEM non-linear models) which better approximate the complexity of the phenomenon. In order to design new soil support works near the plant, their function after a seismic event also needs to be known. 
Permanent displacement, sliding or over-turning, of these structures should be avoided and can be accepted only if they are compatible with the functional requirements of the plant. The stability of these works should be evaluated taking into account:
the non-linear soil behaviour during the interaction with the construction; the inertial effect associated with soil masses and support structure mass and with all other loads which may enter in the interaction process; the hydrodynamic effects due to the presence of water in the soil or on the free surface of the structure; the compatibility of the deformations of the soil, of the structure and of possible anchor tendons.
For indicative evaluations, the stability of the works can be evaluated by the simplified limit state method. In particular it has to be assumed that the soil behind the works is in the active limit equilibrium condition while the soil located in front of the foot of the works is in the passive limit condition. For the calculation of the total pressure imposed by the soil on the support works, the Mononobe–Okabe formulation can be used (Castellani et al., 2000).
Mononobe–Okabe method
This method applies the Coulomb method to calculating the forces on supporting walls and the stability of slopes in the case of the presence of a horizontal and vertical seismic excitation. In essence, the static forces are accompanied, on the soil wedge which is supposed to detach at the moment of failure (of the wall or of the slope), by a horizontal force and a vertical one of seismic origin, khW and kvW, respectively, where W is the weight of the soil wedge. For an indefinite support wall, the soil is assumed to have a horizontal surface and be composed of non-cohesive and dry material. It is assumed that there is no friction between the soil and wall surface and that the earthquake acts in the horizontal direction only. In collapse conditions the situation is described by Equations (15.7)–(15.9) and shown in Figure 15-8.

$$T = N \tan\varphi. \qquad (15.7)$$
Imposing the equilibrium conditions and the condition that the rupture, , results in a maximum force S,
Figure 15-8. Soil supporting walls.
1 S ¼ H2 2
cos2 ð’ Þ qffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffi2 , sinð’ Þ 2 cos 1 þ sin ’cos
ð15:8Þ
where is the specific weight of the soil.
¼ tan
1
kh :
ð15:9Þ
Similarly, the other possible cases are calculated (with various soil inclinations, presence of friction on the wall, presence of vertical seismic acceleration) and the stability of slopes without support walls (assuming trial circular rupture surfaces).
15-3-2. Resistance of structures
The overall characteristics which make a structure particularly resistant to an earthquake are its symmetry in the distribution of masses and rigidities, its compactness, possibly its low height, the good connection between horizontal and vertical elements, the connection between isolated foundation elements, the uniformity and competency of the foundation soil, the provisions against impact between adjacent structures, and the absence of negative effects of nonstructural elements (filling walls, etc.) (Castellani et al., 2000; Livolant et al., 1979). The absence of P– effects (i.e. the strong increase of the loading characteristics, e.g. moments, because of the deformation of the structure) is also to be considered. In the case of simple structures it is possible to use equivalent static methods to those suggested by national standards in general; however, in many cases a dynamic analysis (also mentioned in the national standards), possibly a simplified one (Kanagawa, 1994), is advisable. The dynamic methods used are a modal analysis with a spectrum as an input and a space–time history analysis which needs one or more accelerograms for inputs. Analyses of the first type are the most common ones; the second type is used in particular cases or for the accurate study of the response of a plant component placed at a specific place in a structure. The seismic engineering texts (e.g. Castellani et al., 2000) and the many electronic computer programs now available (SAP, MARC, ADYNA, ANSYS, etc.) are a reliable basis for these analyses, but considerable computer power may be needed, with associated high costs, where a plastic analysis of complex structures has to be performed. Similarly, the inclusion of ductility factors, where allowed and made in a conservative way, has to be done with care and attention: in particular it is necessary to distinguish between ductility of a structure point (section) and the complex of the structure, to avoid an excessively conservative outcome and to highlight the possible onset of self-amplification of the cycle load–deformation phenomena (P– effects), already mentioned above. The following section details some elements of dynamic analysis which are useful for indicative evaluations.
One degree of freedom systems
The equation of free motion for the simple oscillator shown in Figure 15-9 is:

$$m\ddot{v}(t) + c\dot{v}(t) + kv(t) = 0, \qquad (15.10)$$

with solution:

$$v = e^{-\xi\omega t}\left(A \sin\omega_D t + B \cos\omega_D t\right), \qquad (15.11)$$

with

$$\omega_D = \omega\left(1 - \xi^2\right)^{0.5}, \qquad (15.12)$$

$$\omega = \sqrt{\frac{K}{M}}, \qquad (15.13)$$

and

$$T = 2\pi\sqrt{\frac{M}{K}}, \qquad (15.14)$$

Figure 15-9. Simple oscillator.

where $\omega$ is the natural pulsation of the system in radians per second, $2\pi f = 2\pi/T$, $\xi$ is the damping factor, which is a fraction of the critical one $2m\omega$ (i.e. the damping for which the oscillator, if displaced from its equilibrium position, returns to it without oscillations), and $\omega_D$ is the natural pulsation of the damped system (in practice equal to $\omega$). The response of a simple oscillator to a sinusoidal oscillation of pulsation $\omega_f$ is a sinusoidal motion with a pulsation equal to the forcing one and with an amplification factor of amplitude M, which is equal to the values shown by Equations (15.15) and (15.16), and Figure 15-10:

$$M = \left[\left(1 - \frac{\omega_f^2}{\omega^2}\right)^2 + \left(2\xi\frac{\omega_f}{\omega}\right)^2\right]^{-0.5}, \qquad (15.15)$$

which, at resonance, is equivalent to:

$$M_{\omega_f = \omega} = \frac{1}{2\xi}. \qquad (15.16)$$

The response of a simple oscillator to a seismic event is given by the value of the spectral response (Fig. 15-6) if the earthquake is defined by its spectrum. Instead, when the earthquake is defined by the space–time history of the ground acceleration, its response can be calculated by the Duhamel integral:

$$v(t) = \frac{1}{\omega}\int_0^t e^{-\xi\omega(t-\tau)}\,\ddot{v}_g(\tau)\,\sin\omega(t-\tau)\,d\tau, \qquad (15.17)$$

where v indicates the displacement of the oscillator with reference to its base and $\ddot{v}_g(\tau)$ is the ground acceleration as a function of the time $\tau$. The maximum value of v during the earthquake is the spectral displacement Sd, while the maximum velocity (with reference to the base) and the maximum absolute acceleration may, with good approximation, be given by Equations (15.18) and (15.19).

$$S_v = \omega S_d \qquad (15.18)$$

and

$$S_a = \omega^2 S_d. \qquad (15.19)$$
Figure 15-11 shows the acceleration record of the horizontal motion of the five most destructive seconds of one of the earthquakes with its epicentre in the area of Loma Prieta (California) in 1989 (record M65D000.010 of USNRC (2001)). The maximum acceleration of the record is 0.56g. Figure 15-12 is the same record applying the Duhamel Integral with the Microsoft® Excel® macro integraleduhamel.xls (prepared by the author and enclosed as the download file, DUHAMEL on the book’s accompanying website). The Duhamel Integral has been calculated for 20 simple oscillator frequencies ranging from 0.1 Hz to 20 Hz. Figure 15-13 is the result of the double derivation by finite differences of the data on which Figure 15-12 is based and of the identification of the maximum acceleration of spectral response for each frequency examined. Figure 15-14 shows the calculated value of spectral acceleration, $\omega^2 S_d$, for each frequency. It can be seen that Figures 15-13 and 15-14 agree fairly well, except at extreme frequencies where the various effects of instrumentation characteristics and calculation approximations introduce large discrepancies.
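The procedure described above (Duhamel integral for 20 oscillator frequencies, then the comparison of the finite-difference acceleration with ω²Sd) can be reproduced with the following added example, which is not the author's Excel macro. The ground record is constructed for illustration (it is not the Loma Prieta record), and the function names, the 5 per cent damping, the log spacing of the frequencies and the use of the damped pulsation with a minus sign for base excitation are assumptions.

```python
import math

def constructed_record(dt=0.01, duration=5.0, peak=3.0):
    """Constructed ground acceleration in m/s^2: two tones under a half-sine envelope."""
    n = int(round(duration / dt)) + 1
    return [peak * math.sin(math.pi * i * dt / duration)
            * (math.sin(2 * math.pi * 2.0 * i * dt)
               + 0.6 * math.sin(2 * math.pi * 5.0 * i * dt))
            for i in range(n)]

def duhamel_response(acc, dt, freq_hz, xi):
    """Relative displacement history v(t) from the Duhamel integral, Equation (15.17)."""
    w = 2.0 * math.pi * freq_hz
    wd = w * math.sqrt(1.0 - xi * xi)            # damped pulsation, Equation (15.12)
    # Impulse response of the oscillator, sampled once.
    h = [math.exp(-xi * w * k * dt) * math.sin(wd * k * dt) / wd
         for k in range(len(acc))]
    v = []
    for i in range(len(acc)):
        # Discrete convolution: acc[j] is paired with h[i - j].
        conv = sum(a * hk for a, hk in zip(acc[:i + 1], reversed(h[:i + 1])))
        v.append(-conv * dt)                     # relative motion opposes the base acceleration
    return v

def spectrum_point(acc, dt, freq_hz, xi=0.05):
    """Return (Sd, w^2*Sd, maximum absolute acceleration by double finite difference)."""
    w = 2.0 * math.pi * freq_hz
    v = duhamel_response(acc, dt, freq_hz, xi)
    sd = max(abs(x) for x in v)
    # Central second difference gives the relative acceleration; adding the
    # ground acceleration gives the absolute acceleration of the mass.
    absolute = [(v[i + 1] - 2.0 * v[i] + v[i - 1]) / dt ** 2 + acc[i]
                for i in range(1, len(v) - 1)]
    return sd, w * w * sd, max(abs(x) for x in absolute)

def oscillator_frequencies(count=20, f_min=0.1, f_max=20.0):
    """Twenty frequencies from 0.1 Hz to 20 Hz, log-spaced (the spacing is an assumption)."""
    return [f_min * (f_max / f_min) ** (k / (count - 1)) for k in range(count)]

def response_spectrum(acc, dt, xi=0.05):
    """One row (f, Sd, w^2*Sd, derived acceleration) per oscillator frequency."""
    return [(f,) + spectrum_point(acc, dt, f, xi) for f in oscillator_frequencies()]

def resonance_amplification(freq_hz=2.0, xi=0.05, dt=0.01, duration=10.0):
    """Dynamic over static displacement for a unit sinusoid at the oscillator frequency."""
    w = 2.0 * math.pi * freq_hz
    acc = [math.sin(w * i * dt) for i in range(int(round(duration / dt)) + 1)]
    v = duhamel_response(acc, dt, freq_hz, xi)
    return max(abs(x) for x in v) * w * w        # static displacement is 1/w^2

if __name__ == "__main__":
    for f, sd, pseudo, derived in response_spectrum(constructed_record(), 0.01):
        print(f"{f:6.2f} Hz  Sd={sd:.5f} m  w2Sd={pseudo:6.2f}  derived={derived:6.2f} m/s2")
    print("amplification at resonance:", round(resonance_amplification(), 2))
```

The last function checks the same routine against Equation (15.16): for a damping factor of 0.05 the amplification at resonance approaches 1/(2 × 0.05) = 10.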
Figure 15-10. Response of a simple oscillator to a sinusoidal excitation (amplification factor M against ω_f/ω, with curves for ξ = 0.01, 0.1, 0.2 and 0.4).

Multi-degree of freedom systems
Consider a system modelled by N masses, N springs and N dampers. Its forced oscillations under the action of the N external forces, Pi(t), will be governed by N linear equations of the type shown in Equation (15.20):

$$\begin{cases} m_1\ddot{v}_1 + c_1\dot{v}_1 + k_{11}v_1 + k_{12}v_2 + \cdots + k_{1N}v_N = P_1(t) \\ m_2\ddot{v}_2 + c_2\dot{v}_2 + k_{21}v_1 + k_{22}v_2 + \cdots + k_{2N}v_N = P_2(t) \\ \quad\vdots \\ m_N\ddot{v}_N + c_N\dot{v}_N + k_{N1}v_1 + k_{N2}v_2 + \cdots + k_{NN}v_N = P_N(t) \end{cases} \qquad (15.20)$$
where kij are the influence coefficients of the stiffnesses and therefore represent the force on the node i deriving from a unit displacement of the node j, with the other nodes fully restrained.
It will be realized that Equation 15.20 lends itself to matrix notation. The extended notation is used here for sake of more general transparency. Equation 15.20, for the simpler case of an undamped system, , becomes:

$$[A]\{\ddot{v}\} + [C]\{v\} = \{P\}, \qquad (15.21)$$
where A and C are mass and stiffness matrices, respectively, both symmetrical and defined positive. The terms containing the stiffnesses are in general automatically calculated by the usual calculation programs or they can be evaluated by Castigliano’s theorem, according to which, given the potential elastic energy, E, as a function of vi, is

$$F_i = \frac{\partial E}{\partial v_i}, \qquad (15.22)$$

where Fi are the stiffness terms of the ith equation. For simple systems, as in that of a multi-floor building, the influence coefficients of the stiffnesses are directly calculated from the stiffnesses of the various floors. A framed multi-floor building whose girders can be considered rigid in comparison with the columns (Fig. 15-15) is particularly simple. Here, the reaction forces on a floor are different from zero only for the unit displacement of the immediately adjacent floors (i.e. the coefficients kij with i and j differing by more than one unit are equal to zero). The first step for the solution of Equation (15.20) is the solution of the associated system of homogeneous equations, in the case of zero damping:

$$\begin{cases} m_1\ddot{v}_1 + k_{11}v_1 + k_{12}v_2 + \cdots + k_{1N}v_N = 0 \\ m_2\ddot{v}_2 + k_{21}v_1 + k_{22}v_2 + \cdots + k_{2N}v_N = 0 \\ \quad\vdots \\ m_N\ddot{v}_N + k_{N1}v_1 + k_{N2}v_2 + \cdots + k_{NN}v_N = 0 \end{cases} \qquad (15.23)$$

Assuming:

$$v_i = V_i \sin\omega t, \qquad (15.24)$$

and

$$\{v\} = \{\ \}\sin(\omega t). \qquad (15.25)$$

Figure 15-11. Acceleration record (horizontal), Loma Prieta (1989). (Ground acceleration as a fraction of g against time.)
Figure 15-12. The Duhamel integral of Figure 15-11. (Displacement in m against frequency in Hz.)
Figure 15-13. Maximum spectral acceleration of the earthquake represented in Figure 15-11. (Derived acceleration in m s−2 against frequency in Hz.)
Figure 15-14. Approximate spectral acceleration of the earthquake represented by Figure 15-11. (Acceleration in m s−2 against frequency in Hz.)
Figure 15-15. Building with rigid girders. (Floors numbered 1 to 5; labels k23 = K, k33 = H = −2 K, k43 = K, k53 = 0.)
Equation 15.23 has non-identically zero solutions only for N values of the pulsation $\omega$ (eigenvalues), obtainable by substituting Equation 15.24 in Equation (15.23) and calculating the N roots of the associated determinant:

$$\begin{vmatrix} -\omega^2 m_1 + k_{11} & k_{12} & \cdots & k_{1N} \\ \vdots & \vdots & & \vdots \\ k_{N1} & \cdots & \cdots & -\omega^2 m_N + k_{NN} \end{vmatrix} \qquad (15.26)$$

$$[C] - \omega^2 [A] = 0. \qquad (15.27)$$
In correspondence with each eigenvalue, $\omega_i$, Equation 15.23 can be solved to obtain N solutions, V1, V2, . . ., VN, but for a multiplying constant (as for any set of N homogeneous equations with N unknowns). Each set Vi identifies a vibration mode of the structure defined by:
where !2n ¼ Mn ¼
Kn ¼ 1, n , 2, n , , N, n ¼ nth mode:
ð15:28Þ
The modes satisfy the orthogonality relationships: N X
Mi in im ¼ 0;
m 6¼ n
ð15:29Þ
i¼1
and
X
m1 2in
X
in
Kn , Mn
ð15:35Þ
ðgeneralized mass of mode nÞ, ð15:36Þ
X
j ki, j jn
ðgeneralized stiffness of mode nÞ,
ð15:37Þ
and Pn ðtÞ ¼
X
in Pi ðtÞ
ðgeneralized force of mode nÞ, ð15:38Þ
In the case of seismic excitation, this is: N N X X j¼1
i¼1
!
kj, i in jm ¼ 0;
m 6¼ n:
ð15:30Þ
Physically, the orthogonality relationships express the fact that the inertia forces or the elastic forces of each mode do no overall work for the displacements of another mode. The solutions of the general equation (Equation (15.20)) may be found by imposing the displacement of each mode as a linear combination of the displacements of the node according to the N modes (Yn(t) is said to be the generalized coordinate of the mode n): vi ðtÞ ¼
N X
in Yn ðtÞ
ð15:31Þ
ð2Þ 1
ð15:32Þ
i¼1
ð1Þ
½X ¼
1
fvg ¼ jXjfYg
1ðnÞ
nðnÞ
ð15:33Þ
Substituting Equation (15.31) into Equation (15.20), and making use of the orthogonality relationships, a set of N decoupled equations is obtained (in reality only if the displacement matrix satisfies certain conditions (Castellani et al., 2000)):

$$\ddot{Y}_n + 2\xi_n\omega_n\dot{Y}_n + \omega_n^2 Y_n = \frac{P_n(t)}{M_n}, \qquad (15.34)$$

$$P_i(t) = -m_i\ddot{v}_g(t), \qquad (15.39)$$
where v€g ðtÞ is the ground displacement. Therefore Pn ðtÞ ¼
v€g ðtÞ
X
mi in
ð15:40Þ
(if the excitation is in one direction only the summation in Equation 15.40 includes only the terms relevant to that direction) and Equation (15.34) becomes: P mi in Y€ n þ 2n !n Y_ n þ !2n Yn ¼ v€g ðtÞ P : ð15:41Þ mi 2in P P The Pn terms (¼ mi in = mi 2in ) are the coefficients or factors of modal participation, which physically represent the measure of the work done by a base excitation of the structure on the mode n and therefore a measure of how much the base acceleration is capable of putting the structure in vibration according to the same mode. In order to judge if the number of modes considered in an analysis is sufficient, a criterion exists based precisely on the modal participation coefficients. The sum of their squared values normalized to Mn , for each direction of excitation, is equal to the total mass of the system, M. The criterion states that, for each direction of excitation, the sum of the masses which participate in the jth mode given by: P
2 i mi ij Mj ¼ P P2j Mj , 2 i mi ij
ð15:42Þ
must be equal to at least 90 per cent of the total mass of the system $M = \sum m_i$. It must therefore be true that $\sum_j M_j > 0.9M$ for each vibration direction. Comparing Equation (15.41) with the analogous equation, Equation (15.10), for a one degree of freedom system, a perfect correspondence of the terms can be observed and therefore Equation (15.41) will have the same form of solution, that is:
Yn ðtÞ ¼
N P
i¼1 N P
i¼1
mi i, n mi 2i, n
1 !n
Z
t
e
!n ðt Þ
v€g ðtÞ sin !n ðt
Þd:
0
ð15:43Þ
The maximum values of the generalized coordinates of mode n and of their derivatives during the earthquake can be obtained by the response spectra of the earthquake for one degree of freedom systems, that is:
Yn, max ¼
N P
i¼1 N P
i¼1
mi i, n ð15:44Þ
Sd mi 2i, n
$$\ddot{Y}_{n,\max} = \omega_n^2 Y_{n,\max}. \qquad (15.45)$$
The maximum values of the displacements and of the forces of the i node will be: N P
vi, n;max ¼ i, n Yn, max ¼ i, n i¼1 N P i¼1
mi i, n Sd
ð15:46Þ
mi 2i, n
$$F_{i,n;\max} = m_i\ddot{v}_{i,n;\max} = m_i\omega_n^2 v_{i,n;\max}. \qquad (15.47)$$
In order to obtain the values of displacements, forces and so on, resulting from the contribution of all the vibration modes and to be used in the verification calculations, generally the quadratic mean of the values corresponding to the various modes is used (or other combination methods). For example, in order to obtain vi:

$$v_i = \left(\sum_N v_{i,n}^2\right)^{0.5}. \qquad (15.48)$$
In this way a good estimate of the required quantities is obtained, as has been extensively checked, except for natural frequencies very close to each other. A complete guide for the combination of modal values can be obtained from the NRC Standard Review Plan and from a specific USNRC Regulatory Guide 1.92. The above methods are based on the modal analysis and therefore on the previous determination of frequencies and vibration modes and on the subsequent calculation of the response of various modes to a space–time history (time history of the ground acceleration) or to a design spectrum. These methods are the most used and are valid in the majority of cases. Some peculiar situations (such as the presence of marked non-linearities) require a direct integration of the motion equations, generally performed step-by-step.
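The modal procedure of this section can be followed end to end on a small case. The block below is an added example, not code from the book: it takes a four-floor frame with rigid girders, finds pulsations and modes, computes the modal participation factors and participating masses, applies the 90 per cent criterion and combines the modal floor displacements as in Equation (15.48). The masses, storey stiffnesses, the flat spectrum Sa = 5 m/s² and all function and variable names (including `phi` for a mode shape) are assumptions made for the illustration.

```python
import math

def shear_building_stiffness(k):
    """Stiffness matrix of a frame with rigid girders; k[i] is the storey stiffness below floor i."""
    n = len(k)
    K = [[0.0] * n for _ in range(n)]
    for i in range(n):
        K[i][i] = k[i] + (k[i + 1] if i + 1 < n else 0.0)
        if i + 1 < n:                        # only adjacent floors are coupled
            K[i][i + 1] = K[i + 1][i] = -k[i + 1]
    return K

def jacobi_eigen(a, sweeps=60):
    """Eigenvalues and eigenvectors (columns of q) of a symmetric matrix by Jacobi rotations."""
    n = len(a)
    a = [row[:] for row in a]
    q = [[float(i == j) for j in range(n)] for i in range(n)]
    scale = sum(a[i][i] ** 2 for i in range(n))
    for _ in range(sweeps):
        off = sum(a[i][j] ** 2 for i in range(n) for j in range(i + 1, n))
        if off <= 1e-30 * scale:
            break
        for p in range(n - 1):
            for r in range(p + 1, n):
                if a[p][r] == 0.0:
                    continue
                diff = a[r][r] - a[p][p]
                th = math.pi / 4 if diff == 0.0 else 0.5 * math.atan(2.0 * a[p][r] / diff)
                c, s = math.cos(th), math.sin(th)
                for mat in (a, q):           # rotate columns p and r of a and of q
                    for row in mat:
                        row[p], row[r] = c * row[p] - s * row[r], s * row[p] + c * row[r]
                a[p], a[r] = ([c * x - s * y for x, y in zip(a[p], a[r])],
                              [s * x + c * y for x, y in zip(a[p], a[r])])
    return [a[i][i] for i in range(n)], q

def modal_analysis(masses, K):
    """Modes sorted by pulsation, each with participation factor and participating mass."""
    n = len(masses)
    r = [1.0 / math.sqrt(m) for m in masses]
    # Symmetric form M^-1/2 K M^-1/2 of the eigenproblem of Equation (15.23).
    S = [[K[i][j] * r[i] * r[j] for j in range(n)] for i in range(n)]
    lam, q = jacobi_eigen(S)
    modes = []
    for col in sorted(range(n), key=lambda c: lam[c]):
        phi = [q[i][col] * r[i] for i in range(n)]
        gen_mass = sum(m * p * p for m, p in zip(masses, phi))       # generalized mass
        factor = sum(m * p for m, p in zip(masses, phi)) / gen_mass  # participation factor
        modes.append({"omega": math.sqrt(lam[col]), "phi": phi, "P": factor,
                      "mass": factor * factor * gen_mass})           # participating mass
    return modes

def modes_for_90_percent(modes, total_mass):
    """Smallest number of modes whose participating masses reach 90 per cent of the total."""
    cumulative = 0.0
    for count, mode in enumerate(modes, start=1):
        cumulative += mode["mass"]
        if cumulative >= 0.9 * total_mass:
            return count
    return len(modes)

def flat_spectrum_sd(omega, sa=5.0):
    """Constructed design spectrum: constant Sa, so Sd = Sa / omega^2 (Equation (15.19))."""
    return sa / omega ** 2

def srss_floor_displacements(modes, sd_of_omega, n_modes):
    """Maximum floor displacements per mode, combined as in Equation (15.48)."""
    floors = range(len(modes[0]["phi"]))
    return [math.sqrt(sum((m["phi"][i] * m["P"] * sd_of_omega(m["omega"])) ** 2
                          for m in modes[:n_modes])) for i in floors]

if __name__ == "__main__":
    masses = [1.0e5] * 4                     # kg, constructed values
    modes = modal_analysis(masses, shear_building_stiffness([2.0e8] * 4))  # N/m, constructed
    needed = modes_for_90_percent(modes, sum(masses))
    for m in modes:
        print(f"omega={m['omega']:7.2f} rad/s  P={m['P']:8.4f}  mass share={m['mass'] / sum(masses):.3f}")
    print("modes needed:", needed)
    print("floor displacements (m):", srss_floor_displacements(modes, flat_spectrum_sd, needed))
```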
Continuous systems
Continuous systems can be considered systems with an infinite number of degrees of freedom. Their response to an earthquake can be found by the direct study of the relevant partial derivative equations of the motion or by the reduction to a system with a finite number of degrees of freedom (discretization of the masses and modelling by concentrated masses and springs). In practice, the ‘generalized coordinates system’ is, for simplicity, extensively used to obtain an approximate solution, but it is sufficiently precise for practical uses (i.e. for the first or the first few modes of vibration). Consider a structure which can be modelled as a slender cantilever built in the ground with an arbitrary distribution of the linear mass m(x) with flexural rigidity EI(x) (Fig. 15-16). If the virtual work theorem is applied equating the work of the inertia forces to the elastic work for the virtual displacement dv = p(x)dy, then Equation (15.49) is obtained:

$$\ddot{y}M^* + yK^* = -\ddot{v}_g L, \qquad (15.49)$$

where $M^*$ is the generalized mass $\left(= \int_0^L m(x)\,p(x)^2\,dx\right)$, $K^*$ is the generalized stiffness $\left(= \int_0^L EI(x)\left(\partial^2 p/\partial x^2\right)^2 dx\right)$, and L is the modal participation factor $\left(= \int_0^L m(x)\,p(x)\,dx\right)$. If generalized damping is included, then Equation (15.49) can be rearranged and rewritten as:

$$M^*\ddot{y} + C^*\dot{y} + K^*y = -\ddot{v}_g(t)L, \qquad (15.50)$$

or

$$\ddot{y} + 2\xi\omega\dot{y} + \omega^2 y = -\frac{\ddot{v}_g(t)L}{M^*}, \qquad (15.51)$$

where $\xi = C^*/2M^*\omega$ is the fraction of the critical damping of the system, and

$$\omega = \left(\frac{K^*}{M^*}\right)^{0.5} \qquad (15.52)$$

is the eigenfrequency associated to the p(x) mode. It is evident that these equations have the same form as the equation of motion of a simple oscillator with the substitution of the generalized coordinate y in place of x in the simple system. It is therefore evident that, once the estimate of p(x) has been made (even a tentative shape generally gives good results without the need of iterations), the coefficients of the equation can be calculated and the solution can be obtained by the methods valid for one degree of freedom systems (i.e. the Duhamel integral, response spectrum, etc.).
If a spectrum is used, for example the maximum value of x during an earthquake is given by:

$$y_{\max} = S_d(\omega, \xi)\,\frac{L}{M^*}, \qquad (15.53)$$

where Sd is the spectral displacement which is a function of $\omega$ and $\xi$, as well as the earthquake under consideration. Usually, a method based on a tentative deformed shape is used to study the first mode, but methods exist for higher modes (Biggs, 1964).

Figure 15-16. An example of a continuous system (v(t) = p(x)y(t)).

Tanks
Tanks of liquid, especially of light construction (atmospheric tanks), are subject to peculiar phenomena during an earthquake, all of them related to the formation of internal waves and to their interaction with the walls and with the roof of the tank. Experience indicates the possibility of damage at the roof–wall join (buckling and breaks), of damage to the base of the lateral wall (‘elephant foot’ buckling), of damage to the anchor components between the tank and its foundation (if existing) and damage to internal components. When testing a tank it is, first of all, necessary to determine the liquid motion and the forces exerted by it on the tank. This phenomenon has been particularly studied in Japan, where experimental tanks have been studied to determine their response in cases of real earthquakes. A simple analysis method is described in ASCE (1986). According to this method, the liquid mass is subdivided into two parts: a lower part which can be considered rigidly connected with the tank and an upper part which oscillates relative to it. The method supplies the formulae for the calculation of forces and of oscillation heights on the basis of the reference spectrum of the earthquake. The walls of the tank can be considered rigid in a first approximation even if methods exist to take into account the effect of the flexibility of the walls on the result (Veletsos, 1974; Kana, 1978; Adams, 1992). The flexibility of the walls is important especially when evaluating the forces caused by the lower part of the liquid.
Should atmospheric tanks be rigidly connected to their bases? The alternative solution is not to anchor the tank and to shape its bottom as a cone in order to ensure a lateral retention; pipes and cables connected to the tank should obviously be provided with ample flexibility. In the Alaskan earthquake in 1964 unanchored tanks were moved 1.5 m. The choice between one or the other solution is a matter of debate, even if the prevailing opinion is for anchored tanks with attachment zones and anchors generously sized and fitted to the main structure.
Tank walls are thick (typically 20 mm) if the design pressure is high (non atmospheric tanks), and therefore the rigidity of the shell is significant. The deformable parts of a pressure tank subject to seismic excitation are, instead, the supporting truss structure (or the support saddles) and the contained liquid, thereby causing the whole structure to behave like a double pendulum. The first pendulum (of inverted type, that is with its mass above and its spring below) has its mass essentially formed by the shell and by that part of the contained liquid (located in the lower part) which follows the tank in its oscillation. The second pendulum, linked to the first one in the upper part, has its mass formed by that part of the liquid (located in the upper part) which oscillates in an autonomous way relative to the shell. The recall forces for the two pendulums are, respectively, the elastic recall force of the support structure and the gravity force. In practical cases the natural period of the first pendulum is much lower than the natural period of the second (e.g. 0.5 s vs. 5 s). The two pendulums are, therefore, decoupled. As a consequence, because the first pendulum is the one which directly receives the ground vibration and the second receives the vibration of the first one, the first pendulum will tend to oscillate with a period close to its natural one without being significantly influenced by the second one. These qualitative analyses are confirmed by dynamic analysis calculation methods (USAEC 1963; ASCE 1986).

Table 15-10. Natural period of liquid in tanks (values in s)

Depth filled         30%                  50%                  80%
                Cylinder  Sphere     Cylinder  Sphere     Cylinder  Sphere
D = 5 m            2.5      3.0         2.3      2.5         2.2      2.1
D = 10 m           3.5      4.0         3.3      3.5         3.5      3.0
D = 20 m           5.0      5.5         4.5      5.0         4.8      4.4
D = 30 m           6.2      7.0         5.2      6.2         5.8      5.3
To verify that the natural period of oscillation of the liquid is significantly different from the one of the structure, the data in Table 15-10 is useful (for cylindrical vertical and spherical tanks). In practice, neglecting the liquid oscillation is, for pressure tanks, generally conservative. In fact, considering all the liquid as a part of the structure leads to increasing the mass participating in the prevailing vibration (the one of the first pendulum) and therefore increases the corresponding horizontal seismic forces. Therefore these tanks are very different from atmospheric pressure tanks (generally cylindrical with a vertical axis) used for oil products and for other liquid products.
Resistance and functionality of mechanical, electrical and electronic components
Often it is impractical to model, in the seismic analysis of a plant, all the components located at different heights. The need arises to define methods of identifying a seismic excitation (spectrum or accelerogram) by which resistance and functionality of the essential components can be verified. In reality, recently the problem has been simplified by the development of dynamic analysis computer programs, which makes the modelling of structure–component complexes easier. The anchorage of components, especially with cantilevered parts (actuators of valves, and so on), sufficient slack and flexibility in the mechanical and electrical connections (pipes and cables), sufficient gaps between components and between components and structures, are the principal design and installation characteristics to be examined. A specific consideration is deserved by electro-mechanical relays which in the past have given unpleasant surprises (chatter during earthquakes and consequent malfunctions of the connected equipment). In these cases, it is necessary to consult an expert specialist or in any case to have the result of shake-table tests for the various relay types of interest. These tests may in some cases be already available from manufacturers or suppliers. A sound empirical attitude does not, however, solve all the problems and it is in general necessary to have recourse to specific analyses. Methods of modelling the components together with the structure, if practicable for a reasonable number of components, are available. Otherwise the method of defining the ‘floor’ response spectra at various heights of the structure can be used (for example, Biggs (1972) and Roesset (1995)), for which various publications suggest indications and conservative practical rules which protect against the possibility of mistakes (USNRC, 1988). The following gives some simple methods for a first look at practical cases. The components located on a floor of a structure and which cannot be considered rigidly connected to it, can be subject, during an earthquake, to accelerations considerably higher than those of the floor itself. This fact appears evident if it is considered that resonance can occur between structure frequencies and component frequencies. In this case the amplification ratio of these accelerations can be approximated (in the case of sinusoidal motion) by M = 1/(2ξ), where ξ is the fraction of the critical damping of the component. For a metallic component with ξ = 0.02, M will be equal to 25, corresponding to an acceleration of the component 25 times that of the floor in resonance conditions. In reality, the floor acceleration is generally composed of various modes, only one of which will be in resonance with the component. However, amplification factors of the order of 10 are not infrequent.
Another method, already mentioned above, is to roughly estimate the acceleration of components, in cases where a modal analysis of the structure is available, by evaluating the response of the component to the various modes of the structure considered as stationary sinusoidal vibrations and subsequently to calculate the square root average of the responses (or other meaningful combination). This method, too, can be highly conservative. As already mentioned, the floor response spectra can be used (and this is the most common method).
These spectra are defined as the response spectra of the seismic motion at the floor and can usually be obtained by modal analysis or by direct integration of the equations of motion of the structure, always on the basis of a reference time history of the ground motion. These analyses are usually long and complex. In order to avoid an analysis by using the more precise techniques, a simplified and general procedure can be used which gives, according to the author (Biggs, 1972), usually conservative but reasonable results. It is assumed that a modal analysis of both the structure (s) and the component (e) has been performed and therefore that the eigenmodes [ve] and [vs] and the corresponding periods Te and Ts are known. In a qualitative way, considering the mode n for the structure and the mode m for the component, we imagine the complex structure–component as a set of two coupled simple linear oscillators (Fig. 15-17).

Figure 15-17. Schematic of a structure–component complex.

It can be seen that, if the structure s is much more rigid than the component e, then the motion is transmitted almost rigidly to the component and it is similar to that of the ground. Moreover, if the structure (or the complex soil–structure) is more flexible than e, the motion of e is essentially due to that of s. (It has to be noted that the lowest periods of the soil–structure complex can also be rather high (of the order of 1 second) precisely because of the soil–structure interaction, while in general the pipes and the components can be made very rigid in order to stay away from the prevailing periods of the earthquake.) Therefore:
if Te,m > aTs,n, the influence of the soil prevails; if Te,m < aTs,n, the influence of the structure prevails.
The coefficient a is chosen to be 1.25 on the basis of comparisons with the time histories method. Having considered all the meaningful modes, N, of the structure and all the meaningful modes, M, of the component:

$$A_{e,m,n} = A_{s,n}\,\frac{A_{e,m}}{A_{s,m}}, \quad \text{if } T_{e,m} < 1.25\,T_{s,n}, \qquad (15.54)$$

where $A_{s,n} = A_{0,n}P_{s,n}v_{s,n}$, where $A_{0,n}$ is Sd, the spectral amplitude of the mode considered, $P_{s,n}$ is the relevant modal participation factor and $v_{s,n}$ is the relative displacement of the mode in correspondence of the component ($A_{s,n}$ is therefore known on the basis of the modal analysis of the structure).

$$A'_{e,m,n} = A_{e,mg}\,\frac{A_{e,m}}{A_{e,m,G}}, \quad \text{if } T_{e,m} > 1.25\,T_{s,n}, \qquad (15.55)$$

where $A_{e,m,G}$ is the maximum component acceleration for mode m, supposing that it is directly placed on the ground and that, therefore, it is known on the basis of a specific modal analysis, required by the application of this method. The ratios $(A_{e,m}/A_{s,m})$ and $(A_{e,m}/A_{e,m,G})$ are given by empirical diagrams, summarized in Tables 15-11 and 15-12, as a function of the ratio of the periods $(T_{e,m}/T_{s,n})$ and of the damping ratios of the structure and the component. The acceleration of the component in mode m is, then, given by: Ae, m ¼
X
n0
Ae, m, n
0:5 P n00 Ps, n vs, n A0 e, m, n Pn , þ Ps, n vs, n ð15:56Þ
where n is the number of significant modes of s, n′ is the number of modes from Equation (15.54), and n″ is the number of modes from Equation (15.55).
The resulting quantities of interest for all the modes of the component will then be combined by the root mean square or by other algorithms. The authors of this method have conservatively approximated the diagrams/tables and have based these diagrams on three past earthquakes having different characteristics from each other (El Centro in 1940, Taft in 1952 and Parkfield). When modelling a structure it has to be decided if part of it can be considered a ‘component’ and can be decoupled from the main structure (and therefore treated by the preceding methods). Some decoupling criteria follow: Where Rm is the ratio of the mass of the part and the mass of the affected floor of the building and Rf is the ratio of the fundamental frequency of the part and the dominating frequency of the floor motion, then:
if Rm < 0.01, it is possible to decouple for each Rf; if 0.01 < Rm < 0.1, it is possible to decouple if Rf < 0.8 or Rf > 1.25; if Rm > 0.1 it is not possible to decouple the component.
A more complete treatment of these guide criteria can be found in the NRC Standard Review Plan and in the connected Regulatory Guides.

Table 15-11. Values of Ae,m/As,m for ξs = 0.05 and for various values of ξe

Te/Ts,n     ξe = 0.05    ξe = 0.02    ξe = 0.01
0.3            1.1          1.2          1.3
0.5            1.5          1.6          1.7
0.8            3.2          4.0          4.5
1.0            5.3          8.4         11.0
1.2            3.3          4.4          5.5
1.5            2.4          2.8          3.5

Table 15-12. Values of Ae,m/Ae,m,G for ξs = 0.05

Te/Ts,n     ξs = 0.05
1.1            5.0
1.3            3.5
1.5            2.8
1.7            2.3
2.0            1.7
2.5            1.3
Soil–structure interaction

This issue has been already treated in general terms in section 15-3-1 on foundation soil. Here some practical data and some formulae are given which are relevant to modelling the ground (inertial interaction) by equivalent masses, springs and dampers. The coupling between structure and ground must generally be considered elastic and, for dynamic modelling, it is necessary to evaluate the following elements:

- the equivalent springs of the ground (Fig. 15-5);
- the damping of the ground.

The following quantities should also be evaluated:

- soil masses and inertias associated with a structure when vibrating, which in a first approximation (especially for large structures) may be neglected when compared with the masses and inertias of the structure itself.

The importance of considering the soil in the dynamic analysis varies according to the types of soil and of structure. As can be imagined, for example, a deformable structure founded on solid rock and solidly anchored to it can be considered fully constrained in the ground and therefore the influence of the elastic soil–structure coupling can be disregarded. However, this is not the case for a rigid structure on relatively elastic ground (e.g. sand or clay), which will usually require the dynamic analysis of the elastic soil–structure coupling to be taken into consideration. If this is not done, a much more unfavourable structure response will be obtained than in reality (indeed, the elastic coupling of the rigid structure with a soft soil filters the largest part of the high frequencies of the earthquake, whose effect on the rigid structure can be particularly strong). A criterion used to verify if the effect of the soil is important is given in the next equation:

T0 < 3 m0 0.5 , Vs d (15.57)

where T0 is the fundamental period of the structure, d is the maximum dimension of the basis in the direction of the earthquake, m0 is the mass of the structure, is the density of the soil, and Vs is the velocity of the shear waves in soil.

For the evaluation of the effect of soil, the simplest assumption is to model the soil by a series of equivalent springs whose constants are determined either on the basis of analyses of the behaviour of a rigid solid on an elastic indefinite semispace or by a finite element evaluation of the stiffness characteristics of the soil–structure couple. The first system uses the following formulae for a circular base structure (Petrangeli et al., 1998):

- elastic constant of an equivalent horizontal spring

Kx = 8GR R 2E 5E 1+ 1+ 1+ (2 ) 2H 3R 4R (15.58)

- elastic constant of the equivalent rotational spring (rocking motion)

Kr = 8GR3 R 2E 7E 1+ 1+ , 1+ 6H R 10R (2 ) (15.59)

where G is the shear modulus of the soil, is the Poisson modulus of the soil, R is the radius of the foundation basis, E is the foundation depth relative to the soil surface, and H is the depth of the soil relative to the rigid basis of the rock (in the case of rigid soil the terms E/R and R/H must be put equal to zero).

Analogous formulae are available for other movement directions (vertical oscillation, torsion) and for rectangular base structures (Petrangeli et al., 1998).

In any case, the shear modulus of elasticity of the soil G must be known. This is not easily determined and, among other things, depends on the type of soil, on the confinement pressure of the soil in the zone of it which acts as a spring for the structure and on the order of magnitude of the soil deformations during an earthquake, also relative to the zone interacting with the structure. In general, G is expressed as a product of a quantity G0 (which is the modulus for low strains) and a factor F which takes into account the effect of the actual expected strain. It has to be remembered that in a strong earthquake the strains/stresses are significant. The value of G0 can be determined measuring the speed of artificially generated shear waves on the site, by laboratory measurements on soil specimens or
by empirical correlations. Among the experimental methods, the one considered most reliable is based on the measurement of the shear wave velocity. The value of G is connected to this velocity by the relationship:

Vs = 0.5 G . (15.60)

Among the frequently used empirical correlations is the following which is valid for sands:

G0 = 1200(3 e)2 0.5 0 , 1+e (15.61)
where 0 is the average of the effective principal stresses in static conditions and e is the void fraction of the soil. Complete treatments of the correlations and of the empirical curves valid for sands and for clays can be found in the specialized literature (Seed and Idriss, 1970). Typical values of the reduction factors to account for large deformations are listed in Table 15-13.

Table 15-13. Values of the ratio between G at a certain value of the shear deformation and G at 10⁻⁴%

| Shear deformation | Factor for sands | Factor for clays |
|---|---|---|
| 10⁻³ | 0.95 | 0.80 |
| 10⁻² | 0.75 | 0.40 |
| 10⁻¹ | 0.30 | 0.15 |

Table 15-14. Values of the internal damping for various values of the shear deformation

| Shear deformation | Damping for sands | Damping for clays |
|---|---|---|
| 10⁻³ | 1.8% | 3% |
| 10⁻² | 5.5% | 5% |
| 10⁻¹ | 16.0% | 8% |

The damping of the soil is composed of two terms (in the model of springs and equivalent dampers): the first is the internal damping which is connected with the energy loss in the cyclic deformation of the soil and depends on the type of soil and on its deformation level (some values are listed in Table 15-14); the second is called radiation damping and this accounts for the energy delivered by the vibrating structure to the ground. The latter term has nothing to do with the energy loss for soil deformation (internal damping) and is representative of an effect which would, in any case, be present in a perfectly elastic material, that is without the nonlinearity (hysteresis) which is responsible for the internal damping. The value of the radiation damping, as for the equivalent soil springs, can be obtained by formulae like the following:
Radiation damping constant for horizontal oscillations:

Cx = 0.57 Kx R 0.5 G (15.62)

Radiation damping constant for rotational oscillations:

Cr = 0.5 0.3 , Kr R G (1 + Br) (15.63)

where

Br = 3(1 ) I0 , 8 R5 (15.64)
and I0 is the inertia moment of the structure relative to the rotation axis passing through its base. The other symbols have the meaning defined above for the spring constants. The formulae require the Poisson modulus of the soil, which can be assumed equal to 0.35 for unsaturated soils and 0.5 for saturated ones.

Some values of the internal soil damping are given by Table 15-14. The values of damping used for soils are the sum of the internal damping and of the radiation damping. (It is suggested that high values are used carefully because the assumptions on which the analytical evaluations are based could lead to large errors.) Sometimes, for the sake of conservatism, a condition is artificially imposed that the damping, for each vibration mode of the soil–structure, does not exceed a certain percentage of the critical damping (e.g. 10 per cent). It has to be considered, in these evaluations, that the overall modal damping values should be weighted with the vibration energies relevant to the various parts of the soil–structure.
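The procedure described above (G = G0 × F with the factors of Table 15-13, internal damping from Table 15-14, total damping as the sum of internal and radiation damping, optionally limited to e.g. 10 per cent of critical) is shown here as an added Python example that is not part of the book. Interpolating linearly in log10 of the shear deformation, clamping outside the tabulated range, and passing the radiation damping already expressed as a percentage of critical damping are assumptions of this example; all function and variable names are hypothetical.

```python
import math

# Table 15-13 (ratio of G to G at 10^-4 %) and Table 15-14 (internal damping, %),
# keyed by log10 of the shear deformation in percent, as read from the page.
# The (-4, 1.00) point is the reference level of the ratio in Table 15-13.
G_FACTOR = {
    "sand": [(-4, 1.00), (-3, 0.95), (-2, 0.75), (-1, 0.30)],
    "clay": [(-4, 1.00), (-3, 0.80), (-2, 0.40), (-1, 0.15)],
}
INTERNAL_DAMPING_PCT = {
    "sand": [(-3, 1.8), (-2, 5.5), (-1, 16.0)],
    "clay": [(-3, 3.0), (-2, 5.0), (-1, 8.0)],
}


def interpolate_log_strain(points, strain_pct):
    """Interpolate a tabulated value linearly in log10(shear deformation).

    Values outside the tabulated range are clamped to the nearest table entry.
    Both choices are assumptions of this example, not statements of the book.
    """
    if strain_pct <= 0:
        raise ValueError("shear deformation must be positive")
    x = math.log10(strain_pct)
    if x <= points[0][0]:
        return points[0][1]
    if x >= points[-1][0]:
        return points[-1][1]
    for (x0, y0), (x1, y1) in zip(points, points[1:]):
        if x0 <= x <= x1:
            return y0 + (y1 - y0) * (x - x0) / (x1 - x0)
    raise AssertionError("unreachable: x lies inside the table range")


def soil_parameters(g0, strain_pct, soil, radiation_damping_pct=0.0, cap_pct=10.0):
    """Strain-corrected shear modulus and damping for the spring-damper model.

    g0                     low-strain modulus G0 (any unit; G is returned in the same unit)
    strain_pct             expected shear deformation in percent
    soil                   "sand" or "clay"
    radiation_damping_pct  radiation damping as % of critical (assumed input)
    cap_pct                conservative limit on total damping (10 % as in the text)
    """
    if soil not in G_FACTOR:
        raise ValueError("soil must be 'sand' or 'clay'")
    factor = interpolate_log_strain(G_FACTOR[soil], strain_pct)
    internal = interpolate_log_strain(INTERNAL_DAMPING_PCT[soil], strain_pct)
    total = internal + radiation_damping_pct  # sum of the two damping terms
    return {
        "G": g0 * factor,                      # G = G0 * F
        "reduction_factor": factor,
        "internal_damping_pct": internal,
        "total_damping_pct": min(total, cap_pct),
        "cap_applied": total > cap_pct,
    }


if __name__ == "__main__":
    # Constructed sample input: G0 = 100 (e.g. MPa), radiation damping 7 % of critical.
    for soil in ("sand", "clay"):
        for strain in (1e-4, 1e-3, 3e-3, 1e-2, 1e-1):
            p = soil_parameters(100.0, strain, soil, radiation_damping_pct=7.0)
            print(f"{soil:5s} strain={strain:7.0e}%  G={p['G']:6.1f}  "
                  f"internal={p['internal_damping_pct']:5.2f}%  "
                  f"total={p['total_damping_pct']:5.2f}%  capped={p['cap_applied']}")
```

With the constructed inputs, the 10 per cent limit governs for every strain level, which shows how strongly that conservative cap can control the damping actually used.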
It must also be remembered that an uncertainty exists in the calculated values of the soil properties used in the seismic response calculations. Usually for each property a conservative value (with reference to the calculated quantity, e.g. maximum displacements or maximum stresses in the structure) is used. For example, as far as G is concerned, evaluations are often used with values equal to two and a half times the best estimate value.

The calculation methods described here have been somewhat simple; it has however to be considered that, when a more accurate evaluation is warranted, finite element methods exist which are capable of modelling the behaviour of the soil–structure. The use of these programs has been proven essential when the economic burden due to the use of simpler and more conservative methods (e.g. those based on equivalent masses and springs) is not considered acceptable or when special effects have to be calculated, such as the mutual interaction between adjacent buildings.

However, it is often required that the functionality of an active component is guaranteed during and/or after an earthquake. This guarantee cannot always be given by analytical means (e.g. for almost all the electric and electronic components). In these cases, vibration tests of suitable prototypes have to be performed. These tests are standardized (e.g. see USNRC, 1988). These standards require that a component is placed on a vibrating table and that it is submitted to a higher vibratory load than that characterized by the floor response spectrum. In some cases, if necessary, the component is even verified for operation during the test. The components are tested together with their support structure to avoid a further uncertainty in the calculation of the dynamic load at the level where they are located. The excitation must include all three axes, unless symmetry conditions exist.
Large items (such as a large turbine), or items whose functionality is ensured solely by the integrity of the component, can gain qualification by analysis. It is possible to combine experimental tests and analyses. The analysis has to demonstrate that the relative displacements of the structural elements which form the particular piece of equipment are not such as to prevent their movement. In the case of tanks and reservoirs, it is necessary to check both the structure and the liquid, taking into account the sloshing too, especially if the spill of a possibly noxious liquid is possible.

Bridge cranes

The biggest danger from a bridge crane during an earthquake is its derailment and its fall. For this reason, it is useful to ensure that the extremities of the bridge crane have welded steel sheet restraints (or equivalent structures) which are able to prevent derailment (see Fig. 15-18). A simple calculation shows that for a crane weighing 50 t (the weight of a crane is usually equal to its lifting capacity), and supposing that the lateral stops must resist a horizontal inertia force corresponding to 0.2 g with 0.5 m of lever arm, two welded steel sheet pieces 40 mm thick are sufficient. For the calculation of other stresses, the bridge crane model can be simplified as a distributed mass beam resting on its extremities with an additional mass at the centre submitted to a vertical oscillation complying with the floor response spectrum.

Figure 15-18. Bridge crane (figure label: welded steel sheet).
Buried structures and caverns

The effect of the earthquake on buried structures, such as pipes and conduits, is either faulting or soil instabilities, slides and liquefaction, or vibrations caused by the transit of the seismic waves. Here only the actions due to the vibratory motion are considered as it is supposed that the other above mentioned phenomena can be excluded. Two loads and therefore two rupture modes are considered: the one due directly to the deformation of the soil and the one due to differential displacement of buildings in which pipes or conduits are located.

As far as the load due to the soil deformation is concerned, a simplified analysis is acceptable based on the assumption that the structure deforms as the soil. The stresses can be subdivided according to the type of waves: longitudinal compression waves (P-waves), shear waves (S-waves) and surface waves (Rayleigh and Love waves). It is assumed that the axial deformation is connected with the P-waves and that the flexural one with the S- and surface waves. In this case, the axial deformations, for example, can be calculated with expressions of the type:

εmax = Vmax / C, (15.65)

where εmax is the maximum axial deformation of the structure, Vmax is the maximum velocity of the soil particles and C is the velocity of the waves in the ground. The velocity of the soil particles can be obtained from the reference seismic motion and the velocity C from the soil characteristics (cautiously, it is necessary to consider the shear wave velocity, C = Vs). The flexural deformation can be calculated by a similar expression:

cmax = d²y/dx² = amax / C², (15.66)

where cmax is the maximum curvature and amax is the maximum soil acceleration.

For the load due to differential motion of buildings, a static equivalent analysis is sufficient. When lines, pipes, conduits and so on connect two buildings, the assumption has to be made that the two buildings move out of phase. In order to calculate the axial stress of a buried line connected to a building, it is assumed that it is subject to friction forces along its surface. The stress is calculated using Equation (15.67):

a = 2EFx A (15.67)

where E is the modulus of elasticity of the line, F is the friction force for unit length between soil and line (= CHf ), C is the circumference, is the specific weight of the soil, H is the depth at which the line is placed, f is the friction coefficient, x is the displacement of the building in the longitudinal direction and A is the resisting cross-section of the line. The stresses in the terminal zone of the line, at the contact with the building, due to flexure and shear can be calculated by modelling a beam on an elastic foundation.

To verify the stability of storage or plant in a cavern, the following real-life data must be considered (Shah and Chu, 1974; Berardi, Capozza and Zonetti, 1977; Capozza and Berardi, 1977; Bender, 1982).
- The accelerations of the soil, either horizontal or vertical, are lower in a deep cavern (tens to hundreds of metres below grade) than at the surface; the measured ratio is of the order of 0.3–0.5. In order to evaluate the seismic input data at depth on the basis of those used on the surface, methods of numerical modelling of the propagation of the vibratory motion in soils can be used; these methods are still being improved.
- The prevailing frequencies of the seismic motion are higher at depth: the more rigid components are more exposed to high values of amplification.
- The calculations performed in practical cases show that the earthquake stresses in the rock are essentially concentrated near the cavern walls, in a zone of some metres normally affected by the deep anchorages used for the consolidation of the cavern walls. Bender (1982) gives advice on the calculation.
- The vibration mode of a cavern is mainly compression–traction rather than of shear deformations (the opposite happens near the soil surface).
- It has been demonstrated by studies that in a competent rock of average quality, caverns up to 30 × 60 m in plan and 50 m high can be safely built.
In conclusion, it can be said that usually an earthquake is not a prevailing load in caverns, except for the case where weakness lines and joints are present in the rock, which deserve a specific study in the field of rock mechanics.
Towers and chimneys

Towers and chimneys are among the most vulnerable structures in seismic excitation because of their slenderness. They can be tested according to Eurocode 8, part 3: Towers, masts and chimneys (2003). Support stays are often used to reinforce them against earthquake effects.
Seismic isolation

In the last few years some innovative anti-seismic techniques have been developed which are capable of improving the protection of structures, industrial plants and their components. They are based on the drastic reduction of the seismic forces acting on the structure by the application, at its base, of very flexible supports (e.g. rubber isolators). These systems filter the seismic energy transmitted by the ground, drastically reducing the stresses. The deformations are concentrated in the isolators, while the building moves almost like a rigid body at low frequency so reducing stresses and differential displacements of the contained objects. The guidelines in Gurpinar (1977) can be used for these structures.

Other systems for the reduction of the seismic effect on the structures can be used. These operate by connecting different parts of the structure, for example by braces, to energy dissipators which are capable of absorbing an enormous amount of energy during an earthquake and therefore increasing the damping of the system. They can also be combined with isolators at the base. All these systems, in principle, can be applied to existing constructions.
Seismic review by inspection

Potential uses and objectives. This method of seismic qualification consists of an in-depth inspection of the plant in order to identify the evident constructive details which do not satisfy the need of seismic resistance without loss of functionality or of integrity. The objective of the inspection is in general to guarantee that the plant does not exhibit evident weak points in case of an earthquake with reference to the need to avoid the risk of accidents or of loss or prolonged outage of the plant. The inspection is performed by a group of experts which includes experts on the effects of earthquakes on structures and on components, experts on the aspects of functionality and of safety of the plant, and geologists. The seismic inspections are made either as a completion of the seismic analyses of the plant or as the first step of an iterative examination of existing plants not designed according to the most recent standards and knowledge.
A seismic inspection is compulsory in the licensing process of nuclear plants in Canada (Duff, 1984) and is performed elsewhere as a good practice and a first step of a seismic review. Damage produced by strong earthquakes on industrial plants has indicated that many weak points could have been detected and corrected, even with a moderate economic investment, by an adequate inspection. The experience shows that about 75 per cent of the weak points are due to mistakes of construction and of installation.

Sequence of actions and methods. A knowledge of possible deterioration processes going on in a plant and of its safety aspects, together with that of the seismic criteria adopted in the design, is an essential basis for an effective inspection. A series of information meetings and of real inspections on the plant is, then, the most effective sequential approach. A list of weak points on similar plants resulting from past earthquakes and from analyses should also be available and discussed. A typical sequence of actions is:

(1) Selection of the reference earthquake.
(2) Definition of the vibratory ground motion.
(3) Selection of the evaluation group. The group should comprise experts in the field of seismic engineering assisted by experts on the plant operation and design. The number of experts in the group depends on the complexity of the installation but they must cover mechanical, electrical, structural and chemical engineering, with experience in the seismic design of structures, systems and components of the plants. Somebody with geologic-geotechnical competence should also be available.
(4) Gathering and analysis of the design drawings and documents. This activity is frequently difficult because of the incomplete availability of documents. It is therefore sometimes necessary to reconstruct layout or other information by inspection.
(5) Plant investigations for:
    (1) identification of critical structures, systems and components, with on-site verification of the initial choice of essential items;
    (2) field tests by simplified methods (snap-back tests, impact tests, etc.) having the objective of verifying the natural frequencies, the damping and the quality of restraints;
    (3) verification of the absence of space interaction of systems;
    (4) collecting data for subsequent analyses;
    (5) identification of the ameliorating provisions.
(6) Possible simplified dynamic analysis to determine:
    (1) the seismic load of components;
    (2) the differential displacement they tolerate;
    (3) the level of forces on supports.

It is no surprise that experts, during their inspections, also use elementary in situ testing methods. In fact, experience indicates that simple methods can give an idea of natural frequencies, of the maximum vibration amplitude under moderate excitation, of the damping, of possible impact areas of components, of the lack or weakness of hangers or of anchorage, and of the possible amplification of the motion of a component on connected secondary components. Systems with high frequencies (rigid), high damping and low vibration amplitudes are usually considered well designed and built. To this end, portable excitation and vibration analysis devices are used. In case of doubt, evidently, more elaborate analyses or tests have to be used. The general attitude of the inspection group will be that of the ‘good sailor’ who ensures that any object on board a ship is securely fastened before confronting rough seas.

Typical weak points and ameliorating provisions. Table 15-15 lists a series of typical weak points, the resulting effect of an earthquake and the solutions typically adopted in case of existing plants or where more radical actions cannot be taken.

Table 15-15. Typical weak points and solutions

| Component | Effect | Solution |
|---|---|---|
| Structures on slopes or in proximity of slopes. | Risk of slide. | Consolidate the slopes, improve the hydraulic regime of the rain water (guard channels, etc.). |
| Foundation soil composed of saturated sands and with uniform grain size. | Liquefaction danger. | Consolidate the soil, lower the water table; for new plants, displace the structure laterally or lower the foundation. |
| Plants in proximity of other works (dams, other plants, etc.) which can be damaged by the earthquake. | Domino effect. | Mitigate the risk acting on the other works or on the protection of critical parts of the plant. |
| Discontinuous foundations (e.g. footings) with non-connected elements. | Relative movements of the foundation elements and collapse. | Link the foundation elements to each other. |
| Concrete block or masonry partition walls. | Risk of collapse for insufficient lateral restraint. | Reconstruct or reinforce the walls; support them by adhering cemented wire nets; dowel to floor or tie into steel work. |
| Horizontal parts not laterally anchored to the vertical structures (floor slabs resting on rubber supports, floors anchored to structures without floor continuous beams). | Loss of support and collapse. | Add anchors or other types of connection. |
| Elevated and slender structures (chimneys, antennas, towers). | Collapse for excessive deformability or P-Δ effect (increase of the flexural moment due to the weight and to the lateral deformation of the structure). | Add stays, support struts or other means of lateral anchorage. |
| Instrument stands and equipment platforms. | Insufficient lateral restraint. | Add cross bracing; brace back to wall if tall; anchor well to resist earthquake forces and overturning moments. |
| Cable trays (stacked trapeze type and cantilevered). | Excessive flexibility, insufficient anchorage against lateral movements, lack of protection from falling objects. | Add bracing; tie back to walls at suitable intervals and 90° turns, add protective covers, including fire protection; lockweld joints. |
| Drilled-in expansion anchors instead of cast-in. | Pull out in case of earthquakes. | Qualify by testing. Cast-in anchors recommended. High strength anchor bolts preferred (pre-loaded). Redundant anchors desirable. Avoid grouted-in anchors. Through wall anchors are best. |
| Pipe hangers. | Insufficient lateral strength; threaded couplings might un-tighten during earthquakes. | Add lateral restraints or dampers; replace rigid braces with oscillating tie rods and suitable lateral displacement limiters. |
| Atmospheric tanks for liquids. | Risk of excessive oscillation of the liquid with possibility of: impact of the liquid on the roof and pull-out of ground anchors or rupture of the roof and spill of liquid, collapse by buckling of the lateral walls due to flexure moment on the complex of the tank (elephant foot shaped deformations), etc. | Test tanks for the possible damaging effects, reinforce the anchors to the ground and the restraints of the roof, add internal diaphragms in order to limit liquid oscillations. |
| Supports for tanks and components on columns. | Columns not braced, single anchors for each leg. | Add bracing. Double up anchors, with suitable spacing. Tie back to wall where bracing is insufficient or tank is too tall. |
| Vibration dampers. | Insufficient, not protected against damage. | Add dampers, add protection sleeves. |
| Tall, overhung valves and valve operators. | Excessive deformations in case of earthquakes. | Add lateral restraints or motion-limiting stops, as necessary, to limit earthquake induced stresses. |
| Overhead ductwork. | Collapse on components essential to the protection of the process or to safety. | Strengthen (lock) duct joints. Add end restraints, use adequate supports, use backup supports. |
| Cantilevered small valves, gauges, fittings, etc. | Risk of pull-out. | Restrain valves or use short connections to avoid snapping off during an earthquake. |
| Small branch pipe or tubing connections. | High amplification, risk of rupture. | Motion limits, good anchorage, proper flexibility to allow for differential movement in an earthquake. |
| Long, vertical pipes supported at top and bottom only. | Excessive horizontal flexibility. | Use lateral restraints at suitable intervals, to avoid horizontal earthquake effects. |
| Linear components (pipes or electrical connections) anchored to non-connected adjacent structures and buildings. | Danger of break of pipes or cables due to differential motion of buildings/structures. | Ensure deformability and slack to the linear components in order to absorb without rupture the relative displacements of the anchors. |
| Overhead lighting (tubular fluorescent and mercury-vapour bulbs). | Could fall on or impact on safety equipment. | Use lateral restraints. Close chain hooks. Protective covers must be well fastened. |
| Electrical equipment cabinets, consoles, racks and centres. | Too weak, glass doors, inadequate anchorage, insufficient hinges and locks, upper closure panels not protected from the fall of objects. | Use stiff frames, strong hinges/latches (two or more), well anchored, tie cabinets together across the top, reinforce tops against falling objects. |
| Field run tubing, small piping and electrical conduits, small valves and fittings. | Excessive flexibility, not systematically anchored to walls, insufficient separation between different groups of redundant components. | Route carefully or protect well to avoid impact interaction with larger pipes, ducts, etc. during an earthquake. Use adequate clamps and supports. |
| Local overhead coolers, heaters, intercoms, etc. | Risk of fall on critical components, excessive instability. | Strong supports, use lateral bracing, especially where flexibly supported, add backup supports where consequences of falling in an earthquake are serious. |
| Water, fuel or lubricant lines and storage tanks. | Risk of rupture and of consequent flooding and fire. | Adequate support bracing, use protective curbs and proper drainage, sprinklers, halon or other fire protection features to mitigate effects of an earthquake. |
| High-pressure gas storage bottles. | Risk of fall and of rupture of valves with consequent missile-effect. | Secure bottles to storage racks at top and bottom. |
| Gaps between adjacent buildings. | Impact between buildings. | Ensure enough gap space or use damping spacers. |
| Components critical for safety or process close to non-critical components. | Risk of collapse of ordinary components or structures on critical ones. | Increase the separation distance, protect critical components by cages or other devices, improve anchors of ordinary components, add redundant critical components well apart from the existing ones. |
| Storage batteries. | Batteries could fall down. | Reinforce battery racks and anchor them, restrain batteries to racks, place batteries close to floor. |
| Cranes, hoists, jibs, moving bridges or working platforms. | The load could impact laterally or fall down on critical components. | Make design provisions for tethering or clamping hoists/cranes in a safe position when out of service. Lower loads onto safe areas when hoisting/handling operations are over. |
| Bridge cranes. | Risk of derailment. | Add welded steel sheet stops to prevent derailment. |
| Ladders, handrails, guard rails, stairways, etc. | Could fall down together with critical components attached to them. | Secure and lock handrails, ladders, etc.; mount equipment on separate earthquake supports. |
| Instrument air reservoirs. | Risk of loss of compressed air for critical equipment. | Properly support supply-side check valves. Improve anchorage. |
| Building wall penetrations. | Risk of damage of pipes/cables due to the movement of the building. | Use adequate clearance around penetrations, sealed with flexible, fireproof ‘boots’ on the inside, weld penetrations to embedments on the inside and use soft bedding, on the outside, with flexible terminations or bellows. |
| Electrical equipment connections. | Risk of rupture due to movement of components/buildings. | Add short length of armoured, sheathed cable at all connection points, looped to avoid tension during an earthquake. Bottom connections recommended (less concern for relative movements in earthquake). |
| Porcelain insulators in open air switchyards. | Risk of rupture. | Avoid fragile insulators in critical electric systems. |
| ‘Buchholz’ buoy protections in electric transformers against internal short circuits. | Oscillation of liquid may trigger the protection and disconnect transformer. | Use other types of protection or anti-sloshing internal diaphragms. |
| False or suspended ceilings, loose furniture. | Risk of displacement, fall and damage. | Secure ceilings and furniture close to sensitive equipment. Add curbs and railings around critical control consoles to prevent impact from furniture moving in an earthquake. |
References

Adams, N.J.I. (1992) ‘Seismic design rules for flat bottom cylindrical liquid storage tanks’, Int. Journal Pressure Vessels and Piping, 49, pp. 61–95.
ASCE (1986) ‘Seismic analysis of safety-related nuclear structures and commentary on standards for seismic analysis of safety-related nuclear structures’, ASCE Standard ASCE 4-86, New York.
Ambraseys (1988) Engineering Seismology, Earthquake Engineering and Structural Dynamics, Vol. 17, pp. 1–105.
Bender, H.F. (1982) ‘Underground siting of nuclear power plants’, E. Schweizerbart’sche Verlagsbuchhandlung (Naegele u. Obermiller), Stuttgart.
Berardi, R., Capozza, F. and Zonetti, L. (1977) ‘Analisi di accelerogrammi registrati su roccia in superficie e in sotteraneo nel corso del periodo sismico del 1976 in Friuli’, Rassegna Tecnica dei problemi dell’energia elettrica, 133.
Biggs, J.M. (1972) ‘Seismic response spectra for equipment design in nuclear power plants’, 1st International Conference on Structural Mechanics in Reactor Technology, vol. 5, Berlin, Germany, Sept.
Biggs, J.M. (1964) Introduction to Structural Dynamics. McGraw-Hill.
Capozza, F. and Berardi, R. (1977) ‘Stato dell conoscenze sull’effetto dei terremoti nelle cavità sotterranee’, Rassegna tec. dei problemi dell’energia elettrica, 132.
Castellani, et al. (2000) Costruzioni in zona sismica. Milan: Hoepli.
Duff, C.G. (1984) ‘Seismic qualification of nuclear power plants by inspection’, 8th World Conference of Earthquake Engineering, San Francisco.
Espinoza, R.D., Bourdeau, P.L. and Muhunthan, B. (1994) ‘Unified formulation for analysis of slopes with general slip surface’, Journal of the Soil Mech. and Found. Div., ASCE, 120(5), pp. 1185–1204.
Eurocode (2002) ‘Design provision for earthquake resistance of structures’, Eurocode 8, European Standard EN 1998.
Gallardo, D.I.O. (1756) Lecciones entretenidas, y curiosas, physico-astrologico-metheorologicas, sobre la generacion, causas y senales de los terremotos. Madrid.
Gurpinar, A. (1997) ‘A review of seismic safety considerations in the life cycle of critical facilities’, Journal of Earthquake Engineering, 1(1).
Hansen, J.B. (1970) ‘A revised and extended formula for bearing capacity’, Bulletin No. 28, Danish Geotechnical Institute, Copenhagen, Denmark, 5–11.
IAEA (1992) ‘Seismic design and qualification for nuclear power plants’, IAEA Safety Series N.50-SG-D15, Vienna.
IAEA (1993) ‘Probabilistic safety assessment for seismic events’, TECDOC-724, Vienna.
IAEA (1985 and 1999) ‘Earthquake resistant design of nuclear facilities with limited radioactive inventory’, TECDOC-348, IAEA, Vienna.
Janbu, N. (1957) ‘Earth pressure and bearing capacity calculations by generalized procedure of slices’, Proceeding of the 4th International Conference on Soil Mechanics and Foundation Engineering, 2, pp. 207–12.
Kana, D.D. (1978) ‘Seismic response of flexible cylindrical liquid storage tanks’, Nuclear Engineering and Design, 52, pp. 185–99.
Kanagawa (1994) ‘Manual for evaluating the earthquake resistance of high-pressure gas facilities’, Industrial Safety Dept., Environment Division, Kanagawa Prefecture, Jan.
Livolant, M., Petrangeli, G., Shibata, H., Idriss, I.M. and Stevenson, J.D. (1979) ‘Seismic analysis and testing of nuclear power plants’, IAEA Safety Series N.50-SG-S2, Vienna.
Meyerhof, G.G. (1951) ‘The ultimate bearing capacity of foundations’, Geotechnique, 2, pp. 301–32.
Morgenstern, N.R. and Price, V.E. (1965) ‘The analysis of the stability of general slip surfaces’, Geotechnique, 15(1), pp. 79–93.
Petrangeli, G. (1987) ‘Impact of seismicity on the design of nuclear power plants’, Proceedings of the International Seminar on the State of the Art in Safety Analysis and Licensing of Nuclear Power Plants, Varna, Bulgaria.
Petrangeli, G. et al. (1998) ‘Proposta di linee guida per la verifica sismica di impianti a rischio di incidente rilevante’, Comitato Termotecnico Italiano, Sottocomitato 7: Gruppo ‘Tecnologie di Sicurezza’, Esistenti, Bozza del 7 Luglio.
Robertson, P. and Campanella, R. (1985) ‘Liquefaction of sands using CPT’, Journal of the Geotechnical Engineering Division, ASCE, 111(GT3), pp. 384–403.
Roesset, J.M. (1995) ‘Seismic design of nuclear power plants: Where are we now?’ Proceedings of SMIRT 13 Post Conference Seminar 16, Seismic Evaluation of Existing Nuclear Facilities, Iguazu, Argentina.
Roesset, J.M. (1980) ‘The use of simple models in soil–structure interaction’, Civil Engineering and Nuclear Power, vol. II: Geotechnical Topics, ASCE.
Sarma, S.K. (1975) ‘Seismic stability of earth dam embankments’, Geotechnique, 25(4).
Sarma, S.K. (1981) ‘Seismic displacement analysis of earth dams’, Journal of the Soil Mech. and Found. Div., ASCE, 105(GT12), pp. 1735–9.
Seed, H. and deAlba, P. (1986) ‘Use of SPT and CPT tests for evaluating the liquefaction resistance of sands’, Proceeding of In Situ ’86, Virginia Tech., Blacksburg, VA. Geotechnical Special Publication, 6 ASCE, pp. 281–302.
183
Seed, H. and Idriss, I. (1970) ‘Soil moduli and damping factors for dynamic response analysis’, Report EERC 70, College of Engineering, University of California, Berkeley. Seed, H., Idriss, I. and Arango, I. (1983) ‘Evaluation of liquefaction potential using field performance data’, Journal of Geotechnique Engineering, ASCE, 109(3), pp. 458–82. Seed, H., Tokimatsu, K., Harder, L., Chung, R. and Arango, I. (1985) ‘Influence of SPT procedure in soil liquefaction resistance evaluation’, Journal of Geotechnique Engineering, ASCE, 112(12), pp. 1425–45. Serva, L. (2001) ‘Siting of high risk industrial facilities: the role of natural phenomena such as earthquakes’, ESREL, Torino. Shah, H.H. and Chu, S.L. (1974) ‘Seismic analysis of underground structural elements’, Journal of Power Division, ASCE, 100(PO1). Stevenson, J.D. (1995) ‘US experience in seismic reevaluation and verification programs’, Proceedings of the SMIRT 13 Post Conference Seminar 16, Iguazu, Argentina. USAEC (1963) ‘Nuclear reactors and earthquakes’, TID7024, Aug. USNRC (2001) ‘Technical basis for revision of regulatory guidance on design ground motions: Hazard and risk consistent ground motion spectra guidelines’, NUREG/ CR-6728, October. USNRC (1988) ‘Seismic qualification of equipment in operating nuclear power plants’, Unresolved Safety Issue A-46, NUREG-1030. Veletsos, A.S. (1974) ‘Seismic effects in flexible liquid storage tanks’, Proceedings of the 5th Word Conference on Earthquake Engineering, Rome. Italian seismic Norms (1966) ‘Norme tecniche per le costruzioni in zone sismiche’, Decreto Ministeriale 16 Gennaio. Italian Guidelines (1996) ‘Linee guida per progettazione, esecuzione e collaudo di strutture isolate dal sisma’, Presidenza del Consiglio Superiore dei Lavori PubliciServizio tecnico centrale, Giugno.
This page intentionally left blank
Chapter 16 Tornado resistance
16-1. The physical phenomenon

A tornado is generated, according to the current interpretation of the observations made, when a ‘warm air bubble’, formed in contact with the ground for various reasons and kept there by the presence of a thermal inversion layer, finds a way (e.g. because of a discontinuity in the inversion layer) to start its ascent in the atmosphere under the action of the buoyancy force due to the surrounding colder air mass. This rapid ascent of the air column, in the presence of strong translation winds at a certain elevation, is transformed into an upward translation motion and a rotation around its axis. This phenomenon is similar to the generation of a vortex in the vertical motion of a water mass, which can be easily observed. As in water vortices, the rotation is generally counterclockwise in our hemisphere, because of the rotation of the earth (Coriolis force). The ascent of the warm column is aided by the simultaneous condensation of the steam it contains and by the consequent release of the corresponding condensation heat. This process originates at a height of 10–15 km and is characterized by cumulonimbus clouds. The rotational speed may range from some metres per second to more than 100 m s⁻¹. The tornado also moves horizontally and its translational speed is usually rather low (up to a few tens of metres per second), which generally allows people who see it arriving to run away in time. The tornado is part of the same family as tropical hurricanes, but its size is much smaller. The dimension of the vortex is 10–100 m, while the central vortex of a hurricane may be 100–1000 times larger.
The physical effects of the passage of a tornado are:

• a very strong wind which may fell trees and knock down buildings, and transport heavy objects significant distances (debris, but also vehicles and animals);
• a rapid transient decrease in atmospheric pressure which may cause the explosion of closed buildings.
The physical scheme of a tornado includes a central vortex which rotates as a solid cylinder around its axis, surrounded by an atmosphere in which the tangential horizontal speed varies with the inverse power of the distance from the centre of the vortex. In the vertical direction, the pressure and velocities vary only slightly; Figure 16-1 shows these kinetic characteristics. The translational speed of the vortex also needs to be taken into account when calculating the effect of a tornado on buildings. The formulae of interest, modelled as described above, are:
Distribution of the rotation speed:

$$V = K r \quad (0 < r < R_v), \qquad K = \frac{V_v}{R_v} \tag{16.1}$$

$$V r = c \quad (r > R_v), \qquad c = V_v R_v \tag{16.2}$$

where varies between infinity (at the initial instant of the formation of the vortex) and 1 when the rotation has fully propagated towards the outside.

Distribution of the pressure due to the vorticity:

$$\frac{dp}{dr} = \frac{V^2(r)}{r} \tag{16.3}$$

with obvious meaning of the symbols.

From the above:

$$p(r) = V_v^2 \left[ 1 - 0.5 \left( \frac{r}{R_v} \right)^2 \right] \quad (-R_v < r < R_v) \tag{16.4}$$

$$p(r) = 0.5\, V_v^2 \left( \frac{R_v}{r} \right)^2 \quad (-R_v > r > R_v) \tag{16.5}$$

where = 1.29/9.8 = 0.13 kg s m⁻⁴.

Figure 16-1. Schematic of tornado vortex of radius R, and the velocity and pressure distributions due to rotation.

16-2. Scale of severity of the phenomenon

The scale usually used is the gravity scale proposed by Prof T. Fujita (Chicago) (Table 16-1).

16-3. Design input data

On the basis of a thorough search of past events, the design values for nuclear reactors in Italy were chosen as shown in Table 16-2.
Table 16-1. Fujita scale for tornadoes

Degree 0 | Winds from 60 to 110 km h⁻¹. It may bend road signs and displace trestles and objects not anchored to ground.
Degree 1 | Winds from 110 to 170 km h⁻¹. Tree branches are broken off, roofs are ripped away, vehicles are significantly displaced, light trailers can be overturned.
Degree 2 | Winds from 170 to 240 km h⁻¹. Large trees and telephone poles are uprooted, cars are displaced by small distances and small wooden constructions without foundations are destroyed.
Degree 3 | Winds from 240 to 320 km h⁻¹. Brick walls can be knocked down, trucks and trains can be overturned, objects weighing several kilograms can be lifted to large heights.
Degree 4 | Winds from 320 to 410 km h⁻¹. Destruction of masonry buildings without deep foundations, light vehicles and big animals can be moved, objects up to 100 kg are transformed into missiles.
Degree 5 | Winds from 410 to 500 km h⁻¹. Total disaster, buildings of any kind destroyed, trains and trucks lifted, whatever object protruding from the ground is pulled away and blown away, sometimes several kilometres.

Table 16-2. Tornado design figures adopted in Italy

Translation velocity | 24 m s⁻¹
Maximum rotation velocity | 73.5 m s⁻¹
Maximum resulting velocity | 97.5 m s⁻¹
Maximum theoretical pressure | 600 kg m⁻²
Maximum depression | 700 kg m⁻²
Missile 1: automobile of 1000 kg | Impact velocity = 1/6 rotational velocity (12.5 m s⁻¹), impact elevation = 7 m, impact area = 2.1 m²
Missile 2: steel pipe, Ø = 80 mm, length = 3 m, weight = 35 kg | Impact velocity = 1/3 rotational velocity (= 24.5 m s⁻¹), impact of the pipe end perpendicularly to the surface, any impact elevation
Missile 3: wooden plank 0.1 m × 0.3 m × 3.6 m, weight = 50 kg | Impact velocity equal to the rotational velocity (73.5 m s⁻¹), any impact elevation, impact area 3.6 m × 0.3 m
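The vortex model of Eqs 16.1 to 16.5 evaluated with the Table 16-2 design values, as an added example that is not taken from the book. It assumes that the constant 0.13 quoted with Eq. 16.5 is the air mass density multiplying V², that the core radius R_v is 50 m (a value chosen from the 10–100 m range given in Section 16-1), and that the tabulated maximum theoretical pressure is the stagnation pressure of the 97.5 m s⁻¹ resulting velocity; it also derives the pressure transient seen at a fixed point as the vortex passes, which is what pressure-equalizing panels have to follow.

```python
"""Tornado vortex loading from Eqs 16.1-16.5 with the Table 16-2 design values."""

RHO = 0.13      # constant quoted with Eq. 16.5 (1.29/9.8). ASSUMPTION: air mass density
                # in technical units multiplying V^2, so pressures come out in kg m^-2
V_ROT = 73.5    # maximum rotation velocity V_v, m/s (Table 16-2)
V_TRANS = 24.0  # translation velocity, m/s (Table 16-2)
R_V = 50.0      # ASSUMPTION: core radius R_v in m (the page only gives 10-100 m)


def tangential_speed(r, v_v=V_ROT, r_v=R_V):
    """Eq. 16.1 inside the core (solid rotation), Eq. 16.2 as printed outside it."""
    r = abs(r)
    return v_v * r / r_v if r <= r_v else v_v * r_v / r


def depression(r, v_v=V_ROT, r_v=R_V, rho=RHO):
    """Pressure drop below ambient at radius r (magnitude), Eqs 16.4 and 16.5."""
    r = abs(r)
    if r <= r_v:
        return rho * v_v ** 2 * (1.0 - 0.5 * (r / r_v) ** 2)
    return 0.5 * rho * v_v ** 2 * (r_v / r) ** 2


def depression_by_integration(r, r_far=5000.0, steps=50000):
    """Midpoint-rule integral of rho*V^2/r' from r to r_far (Eq. 16.3).

    Equals depression(r) minus the small tail that remains beyond r_far.
    """
    h = (r_far - r) / steps
    total = 0.0
    for i in range(steps):
        mid = r + (i + 0.5) * h
        total += RHO * tangential_speed(mid) ** 2 / mid * h
    return total


def stagnation_pressure(v, rho=RHO):
    """0.5*rho*v^2; ASSUMED reading of 'maximum theoretical pressure' in Table 16-2."""
    return 0.5 * rho * v ** 2


def pressure_history(t_max=10.0, dt=0.01):
    """Depression at a fixed point on the vortex path; the axis passes over it at t = 0."""
    n = int(round(t_max / dt))
    return [(k * dt, depression(V_TRANS * k * dt)) for k in range(-n, n + 1)]


def max_rate_of_change(history):
    """Largest |dp/dt| between consecutive samples, in kg m^-2 s^-1."""
    return max(abs(p1 - p0) / (t1 - t0)
               for (t0, p0), (t1, p1) in zip(history, history[1:]))


if __name__ == "__main__":
    print("max depression      : %.0f kg/m2 (Table 16-2: 700)" % depression(0.0))
    print("depression at R_v   : %.0f kg/m2" % depression(R_V))
    print("stagnation pressure : %.0f kg/m2 (Table 16-2: 600)"
          % stagnation_pressure(V_ROT + V_TRANS))
    # The fastest pressure change occurs as the core edge (r = R_v) crosses the point.
    print("peak |dp/dt|        : %.0f kg/m2/s" % max_rate_of_change(pressure_history()))
```

The peak rate scales as 1/R_v, so a smaller assumed core radius gives a faster transient for the same maximum depression.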
The reference tornado in Italy is taken to be Degree 4 on the Fujita scale. In the USA two sets of values are used for this event (Bechtel, 1973). The strongest one (in the central-eastern part of the country, notoriously subject to this phenomenon) has a maximum velocity of 576 km h⁻¹ and therefore belongs to Degree 5 of the Fujita scale. The design of nuclear plants is not significantly influenced by a design event tornado of intensity 4, except for the need to provide the secondary containment or similar buildings with automatic pressure-equalizing panels (or with other provisions) in order to cope with the negative pressure caused by the event (e.g. the Caorso power station in Italy). Design verifications for a tornado usually entail the following:

• Testing for positive and negative pressures on the exterior walls of buildings, taking into account the various shape coefficients (Bechtel, 1973) which are customary for the design against strong winds.
• Analysis of positive–negative pressure gradients created inside buildings and the verification of the internal structures by appropriate computer codes which take into account the possible time variation of the positive–negative pressures present, caused by the movement of the vortex.
• Analysis of resistance to missiles by using the penetration formulae usually used for impacts (see Chapter 17).
Reference

Bechtel Co. (1973) ‘Tornado and extreme wind design criteria for nuclear power plants’, BC-TOP-3, Bechtel Power Co.
Chapter 17 Resistance to external impact
17-1. Introduction

This chapter considers the external impact of crashing aircraft, sabotage and the effect of an explosive pressure wave. The external impact is considered with reference to engineering defence measures: aircraft impact can otherwise be prevented, with variable degrees of effectiveness, by provisions such as modifying flight corridors or protecting the nuclear power plant with special forces, etc.

17-2. Aircraft crash impact

The first type of strong external impact due to human activities considered for nuclear plants was that of a crashing aircraft. This kind of load started to be included among the usual design conditions, together with the pressure wave, in the 1960s and 1970s in Germany as a result of several accidents primarily involving the Lockheed F-104 Starfighter. However, for conservatism, the reference aircraft chosen was the McDonnell-Douglas F-4 Phantom. The same approach was then followed by other countries, such as Belgium, Switzerland and Italy. Subsequently, it became clear that, in some countries, nuclear plants should also be protected against external acts of sabotage, involving aircraft, but also against launched explosive charges. It was then discovered that the protection against aircraft impact of the type described above also gave protection against many plausible similar events, at least from the structural point of view.

17-2-1. Effects of an aircraft impact

Usually the effects of an aircraft impact (or similar) on a plant are assumed to be:

• a dynamic load at the point of impact, causing static stresses and vibration of structures and components;
• a localized load at the point of impact with possible penetration of the impacted wall and generation of fragments on the opposite face of the structure (spalling);
• fire due to the fuel transported by the aircraft;
• temporary incapacitation of the operating personnel.

17-2-2. Overall load on a structure

The overall dynamic load on structures has been evaluated by tests and analytical evaluations. The corresponding load–time diagram is shown in Figure 17-1 for a Phantom F-4.

Figure 17-1. Load–time diagram for Phantom F-4 (load in 1000 kg against time in ms).
The velocity of impact (assumed normal to the impacted surface) is 215 m s⁻¹. The equivalent diameter of the loading area is 2.60 m. The two-step shape of the load curve is due to the presence of two phases: initial impact of the body and subsequent impact of the engines (more rigid). In the Italian criteria (see Appendix 1), it is supposed that the reference impact happened at 45° relative to the normal of the surface and that this event was equivalent to a normal impact with velocity equal to 150 m s⁻¹. The estimated load curve is shown in Figure 17-2. In practice (with reference to Fig. 17-2), the second impact of the engines is eliminated. The impact area is assumed, as in the first case, equal to 7 m². These assumptions are not accepted by all the experts because they do not take account of the fact that the engines, in the first phase of the impact, may break off the aircraft body and proceed towards the target as autonomous missiles, without the energy absorbing effect of the body itself.

Figure 17-2. Example of another load–time diagram (load in 1000 kg against time in ms).

In order to perform an indicative evaluation of the load which could correspond to other types of aircraft and to other impact speeds, the following simple concepts are suggested:

• G1 and G2 are the weights of the two aircraft and V1 and V2 their impact velocities, respectively. It is assumed that G = G1/G2 and V = V1/V2.
• L is the ratio between the linear dimensions, l. The product of the area of part of the aircraft times the square of its velocity will vary with the weight of the aircraft, as this quantity is proportional to the lift, which must equal the weight (it is supposed that this is true in conditions of impact also). The following is obtained: L²V² = G and therefore L = G^0.5/V.
• The flexural moment on the body will vary according to the product of the weights for the lengths and therefore according to the ratio G = G^0.5/V.
• The design mechanical stresses will be the same, so from = My/tkl³, the thickness, t, of the body varies with the ratio T = GV/G^0.5.
• The impact force will presumably vary as crLT, that is as the product between the buckling stress of a cylinder times the area of the resistant cross-section; as cr in a cylinder varies as T/L, the impact forces, Fi, will vary as T², that is as GV²:

$$F_i = G V^2 \tag{17.1}$$

The preceding relationships agree with the data for the Phantom F-4 within 10 per cent compared with those of a completely different aircraft, the Learjet of roughly 10 t studied in report CEA-IPSN, 1977, for various impact velocities. The influence of velocity too, according to these last data, is well represented by the formulae discussed above. Table 17-1 shows the weights and wing spans of several aircraft. The simple laws described above, when applied to a Boeing 747 with an impact velocity of about 200 m s⁻¹, would generate a peak force of about 17 times the one associated with a Phantom F-4. Even taking into account the larger impact area, it is therefore difficult to protect a plant against this impact (unless it is located in a cavern or sufficiently underground). The protection against a Phantom F-4 hitting at a velocity of 215 m s⁻¹ requires a minimum reinforced concrete thickness of 1.8 m and, at 150 m s⁻¹, a minimum thickness of 1.2 m is needed. These thicknesses also take into account the penetration strength. CEA-IPSN (1977) gives the result of studies for the evaluation of oblique impact loads, that is, loads not normal to the surface. It may be interesting to know that the two Boeing 767s which hit the World Trade Center in New York on 11 September 2001 had estimated velocities of 686 km h⁻¹ and 859 km h⁻¹, respectively.
Table 17-1. Data for various aircraft

Aircraft | Full load weight (t) | Engine weight (kg) | Wing span (m)
Learjet 23 | About 10 | 2 × 1295 | About 13
Boeing 707-320 | About 150 | 4 × 8100 | 44
Boeing 757-200 | 116 | 2 × 18 000–19 000 | 38
Airbus A300 | 132 | 2 × 23 000 | 45
Boeing 747-200C | 350 | 4 × 21 300 | 60
Boeing 767 | 180 | 2 × 27 000–28 000 | 52
Phantom F-4E | 20 | 2 × 1700 | 12
Airbus A330-200 | 230 | 2 × 29 000–32 000 | 60
Boeing 737-600 | 56 | 2 × 8000–9000 | 34
17-2-3. Vibration of structures and components

The dynamic load dealt with in the preceding section has to be considered as a quasi-static load imposed on the structure as a whole but also as the cause of vibration of the components located inside. It is estimated that the acceleration due to an aircraft impact at the foundation level may reach and exceed the values typical of a design earthquake in a moderately seismic area. The response spectrum of the aircraft impact pulse is rather ‘hard’, that is, dominated by high frequencies. For this reason, the components subjected to the highest loads are the most rigid ones, especially if the plant is located on rigid foundation soil (rock). In some designs, the external structures of the plant are mechanically decoupled from the internal ones on which the plant components are fixed. In this way the vibration transmitted to the components is reduced. The decoupling, obviously, is obtained by inserting joints and gaps in the structures. Figure 17-3 shows qualitatively the relative position of the response spectra of the seismic excitation, of the deflagration of an explosive cloud and of an aircraft impact.
17-2-4. Local perforation of structures

Parts of an impacting aircraft, especially the engines, cause local effects such as perforation and missile generation in the rear side of an impacted wall. Many formulae exist for the evaluation of these effects, not all of them applicable in the range of
parameters of interest here (CEA-IPSN, 1977; Riera, 1982, 1989). x¼
1:5 G 4 V 3, f t0:5 D1:8
ð17:2Þ
where x is the penetration depth (cm), ft is the compression resistance of the concrete (kg cm⁻²), V is the impact velocity (m s⁻¹), G is the impacting weight (kg), and D is the effective diameter of the impacting body (aircraft or engine) (cm). This formula is valid for impact velocities ranging from 150 to 300 m s⁻¹ and has been verified by experimental tests. The protection against ‘spalling’ is obtained by empirically increasing by 25 per cent the thickness calculated by the formula. An increase of thickness up to 1.8 m guarantees an absence of damage due to the simultaneous explosion of the normal weapons carried by a fighter aircraft (missiles), but not of the possibly carried bombs (which is justified on a probabilistic basis if the bombs are not triggered to explode). This thickness also offers protection against other types of impacts, such as an oblique one due to the separation of an engine and that of a missile due to the explosion of a nuclear plant turbine (for which in general 80 cm are sufficient). The depth of penetration in the soil (of interest for buried lines and tunnels) can be evaluated according to:

$$x_0 = \frac{G V}{D^2} \tag{17.3}$$

where x0 is the penetration depth (m), D is the diameter of the missile (m), is a constant dependent on the type of soil (= 9 × 10⁻⁶ for sandy soil), G is the weight of the missile (kg), and V is the vertical component of the velocity (m s⁻¹). For a Phantom F-4, a depth of about 6 m is obtained, which corresponds to the effect of a bomb of about 100 kg of explosive.

Figure 17-3. Structural response spectra for various phenomena (acceleration, arbitrary scale, against frequency in Hz, for the earthquake spectrum, the aircraft impact spectrum and the explosive cloud deflagration spectrum).
17-2-5. The effect of a fire

It is assumed that the impacting aircraft has up to 10 t of aviation fuel on board, so the potential damage if a fire breaks out is significant and therefore the design of the structure and of the surrounding spaces must be such as to eliminate this danger. A measure commonly adopted is to encircle the buildings with deep trenches filled with gravel. These have the function of collecting the spilt fuel and of preventing its ignition in the open air. Obviously, the resistance of the external structures to the impact stops fuel from entering the building.

17-2-6. Temporary incapacity of the operating personnel

It is believed that the operating personnel would be so shocked by the impact that they are unable to operate the plant for hours afterwards. For this reason, every plant protected from external impacts as described in this chapter is also provided with an emergency system which can automatically operate for many hours and which is able to guarantee the safety of the plant. This system is also a protection against the effects of an explosive wave hitting the plant from outside and the possible use of toxic gases. Obviously, the whole system, provided with an adequate redundancy, is also protected against the external impact.
17-3. Pressure wave

The design pressure wave is supposed to be due to the release of explosive gases, either accidentally or maliciously. Generally, the following assumptions are made:

• The cloud’s size includes all of the station buildings.
• The wave has the characteristics of the deflagration, not of the detonation. It is thought, in fact, that a detonation can only happen close to the release point and therefore the plant is protected by the normal safety distances, see Figures 17-4 and 17-5 (obviously this concept does not apply to voluntary events).

Figure 17-4. Example of safety distances used (possible explosive weight in kg against safety distance in m).

Figure 17-5. Example of pressure wave adopted for the design (overpressure in 10⁵ Pa against time in s).

17-5. Other impacts

As mentioned above, the missile due to plant turbine case burst is covered by the design basis for the aircraft impact. This event is also made unlikely by the radial placement of the turbine axis with reference to the important plant buildings. However, even if a ‘high (parabola-shaped) trajectory’ missile is considered, which is not influenced by the power station ‘layout’, the necessary reinforced concrete thickness (about 80 cm) is lower than that required for the aircraft impact. The turbine missile can be several tonnes and travel with a speed of the order of 100 m s⁻¹ (Zwicky, 1957).

Possible attacks with penetrating grenades (RPG, Rocket Propelled Grenades, bazooka) must be analysed on a case-by-case basis:

• Location of the redundant components in positions well apart from each other and not simultaneously in sight from a single virtual aiming point.
• Location of the essential components far from the external building walls.
• The use of multiple protection barriers.

In deciding about protection, it must be remembered that these projectiles may perforate several metres of reinforced concrete. The elements of protection against a malicious action carried out by the use of an explosive vehicle are the subject of USNRC (1978) adopted in the USA. In it, in particular, various types of barriers are examined with an indication of the maximum impact kinetic energy they can withstand. The reference kinetic energy for the design is not available. Under the assumption, however, that its order of magnitude is 500 000 ft lb, it would correspond to a 6 t truck at the speed of 60 km hr⁻¹. Besides the protection afforded by barriers, sometimes the reinforcement of structures exposed to a possible explosive blast is considered. It is useful to remember in this connection that the time history of the pressure difference with reference to the pre-existing one, generated by an explosive wave at a point a certain distance from the blast, is of the type shown in Figure 17-6.

Figure 17-6. Time history of the pressure difference generated by an explosive wave (pressure difference due to explosion against time; p0, peak pressure in free field).

The curve shown in Figure 17-6 occurs in the free field without obstructions or obstacles. If the explosive wave meets an indefinite and rigid wall perpendicular to the propagation direction, then the maximum pressure on the wall (reflected peak pressure) will be composed of the sum of the reflected pressure, equal to 2p0, plus the so-called dynamic pressure, that is, the arrest pressure of the air mass put in motion by the wave itself. In total, it will be given by:

$$p_{0r} = 2 p_0 \, \frac{7 p_a + 4 p_0}{7 p_a + p_0} \tag{17.4}$$

where pa is the pre-existing ambient pressure. Equation 17.4 shows that, in theory, the reflected peak pressure may have a value eight times the peak pressure in the free field for strong values of the shock wave. A ‘practical’ maximum is, however, 4 (see also Chapter 22). Each wall parallel to the propagation direction of the explosion wave will be exposed to a pressure equal to p0. The value of this pressure is read from theoretical or experimental diagrams such as Figure 17-7 (AR587). The two curves represent a spherical explosion (in free air) and a semi-spherical explosion (near the ground). The distance in the abscissa is equal to the real distance (m) divided by the weight of the explosive (in this case TNT) elevated to the power of 1/3, according to the explosion law:

$$z = \frac{r}{W^{1/3}} \quad \left( \text{m kg}^{-1/3} \right) \tag{17.5}$$

Figure 17-7. Peak lateral pressure (pressure in 10⁵ Pa against normalized distance, for a spherical wave and a semi-spherical wave).

In evaluating the effect of a pressure wave on a building, the dynamic and resonance (with the building eigenfrequencies) effects also have to be taken into account, therefore other pressure wave data are necessary (e.g. its duration) (AR587).
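Equation 17.4 worked as an added example that is not taken from the book: it evaluates the reflected peak pressure on a wall facing the wave, checks the limits of 2 and 8 quoted above, finds the free-field pressure at which the ‘practical’ maximum of 4 is reached, and inverts the equation to obtain the free-field peak that a wall of given capacity can tolerate. The ambient pressure of 1.013 × 10⁵ Pa, the sample free-field peak of 0.3 × 10⁵ Pa and all function names are assumptions made for the illustration.

```python
"""Reflected peak pressure on a rigid wall from Eq. 17.4 (design-load side)."""
import math

P_ATM = 1.013e5        # ASSUMED ambient pressure p_a, Pa (standard atmosphere)
PRACTICAL_MAX = 4.0    # 'practical' maximum reflection factor quoted in the text


def reflected_peak(p0, pa=P_ATM):
    """Eq. 17.4: peak pressure on a wall perpendicular to the propagation direction."""
    return 2.0 * p0 * (7.0 * pa + 4.0 * p0) / (7.0 * pa + p0)


def reflection_coefficient(p0, pa=P_ATM):
    """Ratio p0r/p0; tends to 2 for weak waves and to 8 for very strong ones."""
    return reflected_peak(p0, pa) / p0


def p0_at_coefficient(c, pa=P_ATM):
    """Free-field peak at which Eq. 17.4 gives the reflection coefficient c."""
    if not 2.0 <= c < 8.0:
        raise ValueError("Eq. 17.4 only yields coefficients in [2, 8)")
    # c (7 pa + p0) = 14 pa + 8 p0  ->  p0 = 7 pa (c - 2) / (8 - c)
    return 7.0 * pa * (c - 2.0) / (8.0 - c)


def free_field_for_reflected(p0r, pa=P_ATM):
    """Invert Eq. 17.4: largest free-field peak whose reflected peak equals p0r.

    Rearranged as 8 p0^2 + (14 pa - p0r) p0 - 7 pa p0r = 0; the positive root is returned.
    """
    b = 14.0 * pa - p0r
    return (-b + math.sqrt(b * b + 224.0 * pa * p0r)) / 16.0


def wall_loads(p0, pa=P_ATM):
    """Peak design pressures: facing wall (capped at the practical maximum) and side walls."""
    facing = min(reflected_peak(p0, pa), PRACTICAL_MAX * p0)
    return {"facing_wall": facing, "side_walls": p0}


if __name__ == "__main__":
    sample_p0 = 0.3e5  # constructed sample value, Pa
    loads = wall_loads(sample_p0)
    print("reflection coefficient : %.2f" % reflection_coefficient(sample_p0))
    print("facing wall peak       : %.0f Pa" % loads["facing_wall"])
    print("side wall peak         : %.0f Pa" % loads["side_walls"])
    print("coefficient 4 reached at p0 = %.2f p_a" % (p0_at_coefficient(4.0) / P_ATM))
```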
References

Riera, J.D. (1982) ‘An approach to evaluate the design load–time history for normal engine impact taking into account the crash–velocity distribution’, Nuclear Engineering and Design, 71, North Holland.
Riera, J.D. (1989) ‘Penetration, scabbing and perforation of concrete structures hit by solid missiles’, Nuclear Engineering and Design, 115, North Holland.
USNRC (1978) ‘Protection against malevolent use of vehicles at nuclear power plants’, NUREG/CR-6190.
Zwicky Jr., E.E. (1957) ‘An analysis of turbine missiles resulting from last-stage wheel failure’, General Electric TR67SL211.
CEA-IPSN (1977) ‘Analyse de la Protection des Centrales Nucleaires Vis-à-Vis du Risque Aerien’, Rapport DSN 106, CEA-IPSN – DSN (77).
Chapter 18 Nuclear safety criteria
18-1. General characteristics

Since the advent of the nuclear industry, it had been thought necessary to define a set of general safety and radiation protection criteria for nuclear plants. Indeed, although there were doubts on safety which characterized the birth of these plants, the practice of deriving the safety requirements from the indications of common cautiousness and from experience was not adopted, although this ‘trial and error’ approach had been adopted for many other types of industrial undertakings and for other activities (e.g. the fire protection of buildings and plants). Instead an a-priori defined set of rules was preferred which would protect workers and the surrounding population from the consequences of hypothetical accidents. On the other hand, the realistic accident situations and their possible complications appeared from the start so numerous that an actual document of rules was necessary (in addition to research programmes on a multiplicity of different fields).1

18-2. The US general design criteria

The first collection of internationally accepted safety criteria is given in the ‘General design criteria for nuclear plants’ (see Appendix 8). They consist of 52 criteria and were written at the beginning of the 1970s. They are still used today with some additions to keep them up to date. The GDC are regulatory criteria, that is they have been established by the central national institutions in order to protect the population. The fundamental assumptions in the GDC have withstood the test of time and it is surprising that no substantial modifications have been necessary.
As can easily be seen, the criteria are of a general character, but they also define some specific important technical details, such as:

• the assumption of a loss of coolant up to the complete break of the largest pipe;
• the assumption of the quick expulsion from the core of the most reactive control rod;
• the requirement of a negative power reactivity coefficient in every situation;
• the need for a containment which is leak proof in accident conditions (high pressure);
• a rather complete definition of the single failure criterion (see also Appendix 3).
However, it is evident that the precise safety level of plants constructed according to general criteria like these cannot be unequivocally determined by them only. From the start of the 1970s, many plants have been constructed in the USA and elsewhere according to the GDC, yet their safety level is very different. It is understood that a series of regulatory standards, in order to be complete (that is such to sufficiently define the safety level of the plant), must include also more specific documents than the GDC or similar compilations. In the US case, the following principal NRC standards exist:
• The regulatory guides (AR297–AR468).
• The standard review plan.
• The technical positions inserted in the Code of Federal Regulations or independently published.
The regulatory guides are documents which describe at least one acceptable way to satisfy the various requirements of the GDC or of other texts. The degree of technical detail is high and goes down to the definition of numerical values of key parameters for the analytical demonstrations. The designer can choose to adopt the method indicated in the regulatory guide or to propose and validate another acceptable method to the NRC. They are collected in ten divisions, according to the type of plant or activity to which they pertain:

• Power reactors
• Research and test reactors
• Fuel and materials facilities
• Environment and siting
• Materials and plant protection
• Products
• Transportation
• Occupational health
• Antitrust and financial review
• General
The Standard Review Plan, SRP (USNRC, 1996) is, instead, a document (but it could be defined as an encyclopaedia because of the amount of material it contains!) which also indicates in great detail the ways (methods and depth) by which the NRC analyst must control the various parts of the safety analysis. A copy of the list of contents, some extracts from one regulatory guide and one chapter of the SRP are in Appendix 14. The regulatory guides and the SRP are frequently updated in order to keep up with the progress of knowledge and technical standards. It is necessary to note here that a complete and central set of technical standards is not agreed upon in every country. In France, for example, the central institutions indicate the objectives, leaving the designers and the operators with the task of completely defining the ways to comply with them, except for a central control of adequacy. This diversity, however, is not at odds with the need that a complete set of standards must give the fine technical detail, be it issued by a central authority or not.
18-3. IAEA criteria
The IAEA document concerning the General Design Criteria, ‘Safety of nuclear power plants: Design requirements’, was published in 2000 (see www.iaea.org; AR49). The IAEA documents of regulatory interest are divided into the following categories:
Safety fundamentals, which present the objectives, the concepts and the basic safety principles.
Safety requirements, which establish the requirements to be complied with in order to guarantee safety.
Safety guides, which recommend actions, conditions or procedures to comply with the safety requirements.
We will look at the safety requirements category. Appendix 9 reproduces its list of contents. Among the main characteristics of the IAEA criteria are the facts that they are recent and therefore they include post-Chernobyl reflections, they represent a common agreement between many national positions, and they tend to be more generic than other criteria (which are more country specific). The complete adoption of the Defence in Depth principle has to be noted in its more evolved version, which includes five superimposed levels of defence, concisely summarized as follows: good design, good control, adequate emergency systems, accident management (various levels of seriousness considered), internal and external emergency plans. The IAEA criteria are a constant general reference in all the international reviews of nuclear plants. Appendix 3 lists the contents of some other compilations of general design criteria, where EUR, GDC, OPB 88/97 and PUN are compared with the content of IAEA criteria.
18-4. EUR criteria
This set of recent criteria (see Appendix 6) has been written by a group of European utilities with the following principal aims:
The promotion of standardized designs, rewarding for the owner and presumably acceptable for the public.
The encouragement of the harmonization of safety requirements.
The encouragement of fair competition among different designers.
These criteria cover the field of water reactors, although the largest part of them can be applied to other types of reactors. Appendix 6 reproduces some parts of the section specifically dealing with safety (Vol. 2, Chapter 1, Part 2) which are particularly important for the determination of the safety level of the plant. They are:
A list of the design basis conditions, divided into four categories.
The criteria of normal release of radioactivity.
The frequencies and the acceptance criteria for normal, transient and accident conditions.
The limit releases for the conditions more serious than the design ones (Design Extension Conditions, DEC) with reference to the absence of emergency actions within 800 m and 3 km from the plant.
The limit releases for the limitation of the economic impact.
The limit releases for design conditions.
The reference doses for the personnel (including the objective of 0.7 Sv-person for the annual effective collective dose).
The probabilistic safety objectives (10⁻⁵ per reactor year for the damage of the core and 10⁻⁶ per reactor year for releases higher than the limit ones), according to the lines of INSAG 3 (AR185), which seem to represent a common basis of the most recent regulatory positions.
Single failure criterion in the form chosen (similar to the one of the IAEA criteria, that is applied to the group of systems which have to cope with an accident condition).
A list of the complex sequences to be considered among the DEC.
The classification criteria for structures, systems and components (very complete and clear).
General criteria for accident management (procedures based on the state of the plant or symptom-based procedures, etc.).
General radiation protection criteria in the design.
Some important definitions.
18-5. Other general criteria compilations
The Russian criteria are the ‘General Provisions governing the safety of power stations’ (OPB 88/97, 1997). They are similar to the US GDC, except that they include some modern concepts such as the one concerning the defence against severe accidents and that they are a little different in some parts, such as for the negative power reactivity coefficient and for the part concerning the containment.
The Italian criteria for the Unified Nuclear Design (PUN) (ENEA/DISP, 1987) were prepared between 1983 and 1986 for the Italian standardized reactors then being designed. They were accompanied by criteria for severe accidents. In June 1985, an Italian criterion was announced (Petrangeli and Zaffiro, 1985) for the limitation of the consequences of a severe accident by simple plant modifications and by a management system of the same accidents:
It is deemed realistic to ensure, by additional provisions of accident management, with a confidence limit of the order of 95 per cent, that the external iodine or caesium releases, in situations which otherwise would lead to uncontrolled severe accidents (core melt, and so on), be kept within the limit of the 0.1 per cent of the core inventory.
The question that this criterion intended to answer was the following: What are the maximum realistically thinkable releases, in severe accident conditions, which are consistent with the best use of the capabilities of present design plants, if a structure of accident management (procedures, equipment, training) is created?
The implementation of this criterion was studied both for pressurized and for boiling water reactors. As an example, as far as the plant modifications are concerned, for pressurized plants the following provisions were considered necessary: alternative means for cooling of components in extreme emergency situations, containment venting, a refractory liner on the cavity walls below the vessel, improvements in the control of leaks from the containment, if accidentally higher than the specified ones.
The EPRI document ‘Utility requirement document’ (EPRI, 1990), which preceded the similar European effort for the EUR, had similar standardization aims. The two sets of criteria are similar even if they cannot be considered identical. The differences, however, are such that two plant designs, performed according to two sets of criteria should not significantly differ.
The UK’s pressurized reactors criteria have been issued by the Nuclear Installations Inspectorate (NII, 1979) and by the (at the time) national utility (Central Electricity Generating Board, CEGB) (CEGB, 1982). In a more or less direct way, they define an overall probability of less than 10⁻⁶ per year (10⁻⁷ per each sequence and per year) for a large release of radioactivity, defined as the one which would cause a maximum effective dose outside the plant higher than Emergency Reference Level (= 10 rem). Other compilations of criteria, such as Finland’s, the Netherlands’, etc. are not explicitly discussed here as the examples given give enough general information.
References
CEGB (1982) ‘Pressurized water reactor design safety guidelines’, Central Electricity Generating Board, London.
ENEA/DISP (1987) ‘Criteri Generali di Progetto per Centrali Nucleari di Tipo ad Acqua Leggera in Pressione’ (General Design Criteria for Pressurized Light Water Nuclear Power Plants), Doc. DISP(87)10, Roma, Italy.
EPRI (1990) ‘Utility requirement document’, Electric Power Research Institute, Inc, USA.
NII (1979) ‘Safety assessment principles for nuclear power reactors’, HM Nuclear Installations Inspectorate, London: Her Majesty’s Stationery Office.
OPB-88/97, PNAE G-01-11-97, approved by GAN RF Decree 9 of 14.11.1997 (1997) ‘General provisions governing the safety of power stations’, NP 001 97 – Gosatomnadzor.
Petrangeli, G. and Zaffiro, C. (1985) ‘Regulatory implications of source term studies’, IAEA Int. Symposium, Columbus, Ohio.
USNRC (1996) ‘Standard review plan’, NUREG 0800.
Chapter notes
1 Simpler, yet very reassuring, methods such as the one then used for the safety demonstration of the first elevators, were inadequate. In 1849, in New York, a new type of building was invented and subsequently commercialized. It was based on the use of prefabricated cast iron elements (columns, beams, ornaments) connected by bolts. This innovation gave origin to a new architectural style, the one based on ‘cast iron’ buildings, various examples of which still exist (Soho). In addition to the possibilities of prefabrication and the rapidity and economy of construction, the cast iron buildings could be much higher than the masonry buildings up to then used. At that time, the highest buildings reached a maximum of six or seven floors (no higher than the ancient Romans built). Although the technological obstacle to the increase in height of buildings was eliminated, a human obstacle still remained: people were unhappy about having to climb or descend on foot more than a few flights of stairs and they thought that the lifts and elevators of the time were unsafe. This situation lasted until, in 1854, a daring and creative industrialist, Elisha Otis, invented and tested in public the first elevator provided with a safety brake which was simple and robust enough to convince the public. The public demonstration was made at the New York ‘Crystal Palace’ where the first World Fair of America was held. Otis had built there an open elevator of his new type, powered, like those of that time, by a steam engine. While he himself was using it and being transported by it up and down, he suddenly cut the lifting rope under the eyes of an astonished public, in order to demonstrate the good operation of his safety brake and, at the same time, his full confidence in it. Incidentally, the brake was based on a steel leaf spring, of the type currently used on coaches, inserted between the lifting rope and the elevator so that, once the load was lost due to the break of the rope, it automatically extended laterally pushing two wedges in two mating racks fixed on the walls (or columns) of the elevator pit. This rudimentary brake was improved and others were invented later: all of them, however, characterized by the maximum operating simplicity. ‘The safety elevator raises the roof! (of buildings)’ was a popular advertisement at that time and in fact in the immediately subsequent years, the cast iron buildings in New York reached ten storeys and, then, with further improvements in building technology, the skyscraper heights that we now know. Cast iron technology disappeared because of its low resistance to fire but the simple invention that it prompted, the safety elevator, is still the factor which makes the highest building usable.
Chapter 19 Nuclear safety research
Nuclear safety activities have always been supported by a significant research effort. In fact, the majority of accident situations studied are not directly observable as they are extremely rare or even beyond any practical possibility of happening. Therefore, these situations are reproduced in laboratories or in experimental facilities, sometimes on a large scale. At the start, the research was mainly concentrated on reactivity accidents (SPERT and BORAX experiments in the USA). Subsequently, in the 1960s, the most studied issue was a large LOCA. After Three Mile Island, the attention moved to small LOCAs because that event, together with the results of the Rasmussen Report, highlighted their danger, and to severe accidents. Obviously, the subjects considered by safety research have been over the years much more numerous than those listed above. The main subjects have been:
The thermal–hydraulic behaviour of the plant and fuel behaviour during transients and accidents.
Reactor physics in transients and accidents.
Physical phenomena specific to severe accidents (attack of the container bottom, direct containment heating, steam explosions, production and behaviour of hydrogen, behaviour of the fission products in the form of aerosols or of gases and vapours, loading of the reactor vessel by the molten core and its coolability, coolability of the molten core outside the pressure vessel, etc.).
Problems of strength of materials (irradiation effect on the pressure vessel, behaviour of the pipes in various loading conditions, ‘leak before break’ and detection of pipe leaks, steam generator problems).
Structural plant problems (strength against fluid dynamic vibrations of internal origin, against earthquakes, against aircraft impact, etc.).
Containment problems (measure of the leaks, distribution of the hydrogen produced, thermal–hydraulic transients and removal of fission products).
Safety systems of advanced type (primary system depressurization in PWRs, containment of molten masses on the containment floor, etc.).
Optimization of the instrumentation and control systems and of the man–machine interface.
Probabilistic methods for safety studies.
Ageing of components and of structures.
Microprocessor-based protection systems.
Optimization of fire-extinguishing systems.
Research on advanced concepts for future reactors.
Plant decommissioning and management of radioactive waste.
Radiation protection.
Human factors of safety (emergency procedures, training, simulators, etc.).
The safety research budget on a worldwide basis gradually increased until the 1980s, when it started to decrease dangerously. It can be calculated that the world annual investment on nuclear research has been of the order of $1 bn (of which roughly $200 m has been spent in the USA alone). Even during the period of high investment (Birkhofer, 1984), the cost of the safety research in terms of nuclear energy production (calculated on the basis of $0.05 kWh⁻¹), has been only a few units.
Reference
Birkhofer, A. (1984) ‘Advances and trends in reactor safety research and technology’, 5th International Meeting on Thermal Nuclear Reactor Safety, Karlsruhe.
Chapter 20 Operating experience
20-1. Introduction
The study of the operating experience available on similar installations is one of the principal sources of guidance criteria for the optimization of plants. During the design, operation and safety evaluation phases of every plant, data should be continuously collected to give information which can be recycled into future activities. The following question should be asked about the occurrence of an event at a plant: Could it happen in the plant I am considering now? If the answer is ‘yes’ then appropriate measures of prevention/mitigation should be taken, within the minimum technical times but without unjustified haste. Various sets of design and safety criteria require that, during the important phases of a plant’s life, the collection and recycling of experience are systematically performed within the responsible organization (see Appendix 3).
20-2. Principal sources
The first source of data, because of its universal nature, is the Incident Report System (IRS). This is jointly operated by the OECD and by the IAEA with information on events supplied by member countries. Often the contribution of the various countries is not in proportion with the respective number of operated plants due to local organization problems. Hopefully this situation will improve. The next source is the private service supplied by the World Association of Nuclear Operators (WANO) to its members. It represents a responsible and commendable response of the nuclear operators worldwide to the need to pool the available experience in order to attain ever safer plant operation.
The Licensee Event Report (LER) from the USNRC collects all the operating experience on US plants and it is accessible to similar foreign organizations on the basis of bilateral agreements.
20-3. Some significant events
Some particularly remarkable operating experience events are described here, for their frequency and peculiarity, and for their unforeseeable characteristics. More information can be found in the systematic compilations available.
20-3-1. Mechanical events
Many cases of cracks in piping have occurred (especially in welds, although almost all have been discovered before the pipes have broken). The most common causes are inter-granular stress corrosion cracking, and thermal fatigue from the movement of variable temperature fluids.
A particularly dangerous breach in a pressure vessel happened in a steam generator where a crack (about 70 per cent of the circumference with a depth equal to a significant fraction of the thickness) was discovered on a circumferential weld. At some points the crack was ‘through wall’. It was discovered during a visual inspection thanks to the humidity patch on the external insulation layer of the component.
In another case, again during a periodic inspection, eight out of twelve flange bolts in a large valve were found broken. The breakage of other bolts would have caused a large LOCA. Stress corrosion was responsible.
In BWRs, a mixture of hydrogen and oxygen is continuously produced. This is collected in the condenser and eliminated. However, in one case, the mixture accumulated in the body of a valve located in a high portion of the primary system. The mixture also found an ignition source and exploded damaging the valve, even in the absence of external leaks.
Again, involving the hydrogen–oxygen mixture in BWRs, there are many cases of explosion in the exhaust lines from the condenser. These lines are now equipped with large venting ports closed by rupture discs in order to limit the external effects of the explosion.
There are many cases of distortion of the valve stems in motorized valves due to an excessive torque transmitted by the motor, notwithstanding the presence of a torque limiter.
The non-return valves almost always leak abundantly when they are actuated in closure. Few safety criteria, in fact, consider them a valid isolation means, as they can be only credited with a limited leak, and they are not completely leak proof.
Only a very small number of large pipes have broken during more than 10 000 reactor-years. There have been only three cases of PWR feed-water pipes breaking, that is pipes not in Class 1 (less protected by design and inspection than those in the primary circuit). The assumption of a large LOCA, however, has been very useful in supplying margins against other unforeseeable events, some of which have been mentioned above.
There have been many cases of leaks from isolation valves and from other containment penetrations with rates higher than the specification limits. Also stubborn cases have occurred where the excessive leak showed up again a few days after its elimination.
In the Davis Besse plant in the USA, because of leaks from cracks on the control rod housings, a large corrosion was found (2002) on the head of the pressure vessel, having a depth equal to that of the base metal (only the stainless steel liner was left for the containment of the pressurized water) and plan dimensions of the same order of magnitude. Many mistakes were made in order to arrive at that point!
20-3-2. Electrical events
The explosive valves used in the liquid poison injection system in BWRs have the characteristic of not being subject to leaks as their closure is ensured by a membrane which is destroyed by the explosive charge. They, moreover, have a high reliability because of the absence of mobile mechanical parts. Operating experience, however, indicates a certain number of cases where the electric connections for their actuation were erroneously made, making the valve inoperable. If this mistake is due to erroneous installation instructions, then the latter comprise a dangerous common cause failure. The defective operation of the electro-mechanical lifting jacks of the control rods of a PWR was a mystery for a long time, leading to imaginative explanations, until it was discovered that the ‘sneaky currents’ which caused the unsatisfactory operation were due to a design or procurement mistake. The internal electric insulation of the mechanism was for a lower voltage than the working voltages.
20-3-3. System events
The fact that in a small LOCA with the rupture on the top of the pressurizer it is possible to have the pressurizer almost full of water and the vessel almost empty was demonstrated in a couple of transients in Belgium and in the USA, but in a more dramatic way in the Three Mile Island Accident.
Multiple malfunctions during a thunderstorm
This event happened many years ago on a BWR of the dual cycle type (similar, therefore, to Dresden 1). In that period on the plant the general mood of the people was not good because of conflict between the staff and management. Plant operation was being maintained by managers and operators called in from outside. One night, during an intense thunderstorm, the power station connection to the external grid broke down and the reactor was shut down while the primary circuit safety valves opened. The reactor was provided with an isolation condenser which would ensure cooling for hours, but it was necessary to replace the primary water lost through the safety valves. Several attempts were made to provide electric power to the feed-water and injection pumps using an external low power emergency line, but its protection switch triggered open whenever the attempts were made (it was later discovered that the protection was set at a too low value). Attempts were also made to start the emergency diesel generator which stopped almost immediately (later a bolt was found in the feed air shutter mechanism, which blocked its operation). While the level of water in the reactor went down to dangerous levels, an attempt was made to convince by telephone the ‘dispatcher’ responsible for the grid to allow the plant to be tied in again to the external line, even in the absence of the prescribed preventive controls. The dispatcher resisted at length before granting a permit outside the normal rules, while the attempts at starting the pumps continued, and a short gush of water was supplied to the core. This prevented the impending uncovering of the high part of the fuel elements. Finally, in view of the imminent danger the requested permit was obtained, the power station was again connected to the grid and the emergency ceased.
The Windscale accident (HMSO, 1957) in the UK in 1957 is one of the worst to ever happen. An unexpected release of ‘Wigner’ energy from the graphite of a reactor which used this material as a moderator, caused the fire of the graphite itself and the release of about 7.4 × 10¹⁴ Bq of iodine 131, which was detected as far away as Vienna. The phenomenon was not well known and the accident has to be ascribed to the newness of the technology. The boldness of the engineer in charge who ordered water to be poured into the reactor in order to extinguish the fire, was also exceptional. The possible negative consequences of this operation (explosions of various type) were totally uncertain and it was performed because it was the only potential resolution.
Explosions didn’t happen and the reactor fire was extinguished, but the story goes that the engineer’s hair suddenly turned white!
The Kyshtym accident (Urals, USSR) also happened in 1957 in a radiochemical plant for the recovery of plutonium. One of the three tanks of highly radioactive liquid waste was left without cooling and its instrumentation was defective. Overheating up to 380 °C resulted, together with a blast equivalent to 10 t of TNT, which caused the tank to burst, almost lifting the upper concrete shield, weighing 160 t. 7.4 × 10¹⁶ Bq of activity were released and 10 000 people in an area of more than 20 000 km² were evacuated. The operators succeeded in running far from the plant, alarmed by the heat emanating from the tank, and there were no casualties.
The accident at Saint Laurent les Eaux, in France, happened in 1969 at one of the French gas–graphite reactors having a power of 1350 MWt. Partial damage of the fuel because of overheating happened. The external releases were minor.
20-3-4. Area events
Grass was allowed to grow in an open air switchyard without cutting it in time. One day the tall grass caught fire with the plant in operation. All the protection systems of the switchyard were triggered and all the external lines were lost. The emergency generators operated as planned.
A ‘flood’ of solid boric acid on the upper head of a pressurized reactor. A large amount of solid boric acid (hundreds of kilograms) was deposited because of a small leak of primary (borated) water on the vessel head, inside the thermal insulation cover of the head itself. This situation remained undetected until the first refuelling stop of the reactor (when the insulation cover was removed). Boric acid could have caused corrosion of other points of the vessel head, but, fortunately, this did not happen.
The fire at the Browns Ferry station in 1975 (WASH 1975, Appendix XI) is one incident that has shaped today’s views on nuclear safety. In one of the station’s BWRs, during a plant stoppage, a check for leaks in the containment electrical penetrations was made using the tried and tested method of observing a candle flame positioned near the point under examination. Movement of the flame indicates a leak, and although this method may seem primitive, it is effective. However, the candle method has at least one drawback: fire. A candle at Browns Ferry first ignited the expanded polyurethane used as a sealant and subsequently many electric cables caught fire. The fire spread and, because, at that time, the rules on the separation of redundant divisions of electric supplies were not yet well established, the possibility of injecting water into the primary system for cooling of the shutdown core was lost. The operators struggled for more than nine hours to restore the operation of the necessary components (primary relief valves and primary feed-water pumps) before they succeeded. Moreover, the operators were very inventive on that occasion and, even if the normal operations of these components had not succeeded, they had prepared a special temporary connection to the auxiliary steam generator of the station in order to operate a feed-water pump and, therefore, they would have in any case controlled the difficult situation. The accident did not cause any radioactive release to the outside.
The fire at the Vandellos 1 station in Spain in 1989 (CSN, 1990) was an incident rich in lessons to be learnt on the ways to effectively fight fires (typical common cause of failure in nuclear plants). A sequence of events was started by a fracture in a turbine blade. Strong vibration of the turbine-generator system followed together with a fire of the turbine lubrication oil and of the alternator hydrogen coolant. The fire spread generating many types of subsequent faults, including an internal station flood. Here too, the personnel succeeded in maintaining the operation of the minimum number of components necessary to cool the (gas–graphite, UK-type) reactor. No external radioactivity releases took place. Many lessons were learnt about fire aspects of design of power stations.
20-3-5. Reactivity accidents
The accident at the SL1 research reactor, USA, where a control rod was accidentally extracted by an operator causing a reactivity excursion and three casualties, entered the nuclear energy history books.
More recently, and even more incredible than the SL1 accident, was the accident at the Tokaimura fuel fabrication plant in Japan (IAEA, 1999), where an accidental criticality took place in a process vessel simply because operators, in order to reach a higher productivity level, used amounts of enriched uranium much higher than the values specified in the safety procedures.
The Chernobyl accident also has been a terrible reactivity accident. It is more completely described in Appendix 1.
20-3-6. Possible future accidents
The following accident scenarios have not occurred. They should be prevented so they never enter the operational experience records.
Unwanted boron dilution in PWRs (USNRC, 2004)
Boron dilution can be expected during an accident or transient if the primary coolant level decreases for some time below the hot legs vessel nozzles and boiling occurs in the core. Under these conditions, if the steam generators can still operate as a heat sink, the steam produced in the core (practically deprived of any boron content) condenses within the steam generator tubes and the deborated condensate may flow into the primary cold legs and there produce a boron dilution of the water present. Tens of tons of unborated condensate can be produced in about 100 s by this mechanism. Subsequently in the transient, water level may increase again in the primary system, due, for example, to ECCS intervention, natural circulation may be resumed and a boron deprived water slug may flow from the cold legs to the core. Simple calculations show that in absence of active mixing within the downcomers and the lower plenum, a dangerous reactivity increase of a core section may occur, which might give rise to prompt recriticality and to a destructive power excursion. A sequence like the one described might happen, for example after a small break LOCA, after a PRISE (primary to secondary leak) accident, after an ATWS or after a total Loss of Feed-Water. This possible phenomenon must be taken into account in the Emergency Operating Procedures, since fast operator action will prevent the accumulation of unborated water slugs. As in many other cases, it is wise to try to implement corrective actions as soon as possible: indeed, some unforeseen phenomenon or event might unexpectedly aggravate the situation. A timely corrective action is always more beneficial. In some plants (e.g. some VVERs), this phenomenon is prevented by design since the ECCS injection point is located in the loop seal of the cold legs, where the unborated water would accumulate: upon actuation of ECCS, the boron concentration in the slug would be rapidly increased, thus preventing any recriticality danger.
Uncontrolled leak in the vessel bottom
A 5 cm diameter hole in the vessel bottom would be much more dangerous than a 10 cm hole in the vessel head. In fact, a hole in the vessel bottom would be covered by water until the core was uncovered, in the absence of timely ECCS injection. The problem is that the efflux of liquid water instead of steam would not depressurize the primary system quickly enough and, therefore, the passive injection accumulators and the Low Pressure Injection System would not be operated because of the relatively high primary pressure. In case of a malfunction of the high pressure injection, then, the core could be uncovered and overheat with possible damage and melt.
20-4. The International Nuclear Event Scale
The International Nuclear Event Scale (INES) was conceived as an instrument for communicating to the public, in a rapid and coherent way, the severity of the events which take place at nuclear plants.
Table 20-1. Definitions for the INES scale

| Level | Definition | Criteria | Examples |
|---|---|---|---|
| 7 | Major accident | External release of a large fraction of the radioactive material in a large facility (e.g. the core of a power reactor). This would typically involve a mixture of short and long lived radioactive fission products (in quantities radiologically equivalent to more than tens of thousands of terabecquerels of iodine-131). Such a release would result in the possibility of acute health effects over a wide area, possibly involving more than one country; long-term environmental consequences. | Chernobyl NPP (USSR, today Ukraine), 1986 |
| 6 | Serious accident | External release of radioactive material (in quantities radiologically equivalent to the order of thousands to tens of thousands of terabecquerels of iodine-131). Such a release would be likely to result in full implementation of countermeasures covered by local emergency plans to limit serious health effects. | Kyshtym, reprocessing plant, USSR (now Russia), 1957 |
| 5 | Accidents with off-site risk | External release of radioactive material (in quantities radiologically equivalent to the order of hundreds to thousands of terabecquerels of iodine-131). Such a release would be likely to result in partial implementation of countermeasures covered by emergency plans to lessen the likelihood of health effects. Severe damage to the installation. This may involve severe damage to a large fraction of the core of a power reactor, a major criticality accident or a major fire or explosion releasing large quantities of radioactivity within the installation. | Windscale pile, UK, 1957; Three Mile Island NPP, USA, 1979 |
| 4 | Accident without significant off-site risk | External release of radioactivity resulting in a dose to the critical group of the order of a few millisieverts (doses are effective dose equivalents, whole body doses). With such a release the need for off-site protective actions would be generally unlikely except possibly for local food control. Significant damage to the installation. Such an accident might include damage leading to major on-site recovery problems such as partial core melt in a power reactor and comparable events at non-reactor installations. Irradiation of one or more workers resulting in an overexposure where a high probability of early death occurs. | Windscale Reprocessing plant, UK, 1973; Saint Laurent NPP, France, 1980; Buenos Aires Critical Assembly, Argentina, 1983 |
| 3 | Serious incident | External release of radioactivity resulting in a dose to the critical group of the order of tenths of millisievert. With such a release, off-site protective measures may not be needed. On-site events resulting in doses to workers sufficient to cause acute health effects and/or an event resulting in a severe spread of contamination, for example a few thousand terabecquerels of activity released in a secondary containment where the material can be returned to a satisfactory storage area. Incidents in which a further failure of safety systems could lead to accident conditions, or a situation in which safety systems would be unable to prevent an accident if certain initiators were to occur. | Vandellos NPP, Spain, 1989 |
| 2 | Incident | Incidents with significant failure in safety provisions but with sufficient defence in depth remaining to cope with additional failures. These include events where the actual failures would be rated at level 1 but which reveal additional organizational inadequacies or safety culture deficiencies. | |
| 1 | Anomaly | Anomaly beyond the authorized regime but with significant defence in depth remaining. This may be due to equipment failure, human error or procedural inadequacies and may occur in an area covered by the scale, e.g. plant operation, transport of radioactive material, fuel handling, waste storage. Examples include: breaches of technical specifications or transport regulations, incidents without direct safety consequences that reveal inadequacies in the organizational system or safety culture, minor defects in pipework beyond the expectations of the surveillance programme. | |
| 0 | Deviations below scale | Deviations where operational limits and conditions are not exceeded and which are properly managed in accordance with adequate procedures. Examples include: a single random failure in a redundant system discovered during periodic inspections or tests, a planned reactor trip proceeding normally, spurious initiation of protection systems without significant consequences, leakages within the operational limits, minor spreads of contamination within controlled areas without wider implications for safety culture. | |
The scale is the result of the work of an international group of experts from the IAEA and the OECD. Table 20-1 lists the severity scale and definitions.
References

CSN (1990) ‘Informe final del accidente del 19 de Octobre de 1989 en la C.N. Vandellos I’, Consejo Seguridad Nuclear.
HMSO (1957) ‘Accident at the Windscale N.1 Pile on 10 October 1957’, Her Majesty’s Stationery Office.
IAEA (1999) ‘Report on the preliminary fact finding mission following the accident at the nuclear fuel processing facility at Tokaimura, Japan’, Vienna.
USNRC (2004) ‘A prioritization of generic safety issues’, NUREG-0933, June.
WASH (1975) ‘Reactor safety study’, An assessment of Accident Risks in U.S. commercial Nuclear Power Plants, United States Regulatory Commission, WASH-1400 (NUREG-75/014).
Chapter 21 Underground location of nuclear power plants
The first studies on underground siting of nuclear power plants date back to the 1950s. Four principal alternatives of underground siting exist (Fig. 21-1):
- Surface mounded: Plant built at ground level with external surfaces of the vital parts covered with soil or with special material.
- Pit siting or ‘cut and cover’: Underground with embankment. Plant located in a deep excavation. At the end of the construction the works are covered by the excavated soil or by other material.
- Cavern siting or ‘deep in rock’: Plant built in a cavern dug in the rock of a hill.
- Deep location: Similar to cavern siting, but plant buried at great depth.
In the case of plants located deep in rock, the studies and the solutions implemented follow one of two possibilities: location of the turbine-generator system at depth close to the reactor cavern, or location of this system on the surface. Indeed, the turbine-generator system is less ‘vital’ to safety than the reactor, the auxiliary building and the fuel building. Figure 21-2 shows the layout of the cavern power station SENA with the turbine-generator plant located on the surface.

Underground locations of NPPs are few: the Halden (Norway) 20 MWt test reactor, the Ågesta (Sweden) 60 MWt power station for district heating (demolished in 1974 because it was uneconomic), the Chooz (France) 900 MWt SENA power station (twin of the Trino Vercellese plant in Italy), the Lucens (Switzerland) 30 MWt plant decommissioned after a partial core melt in 1969, and some military plants. Various feasibility studies have been made in recent times in Sweden, Germany, Switzerland, the USA and Japan, but none has proceeded to implementation. The advantages expected from an underground location are:
- Safe protection against violent sabotage actions and against very severe war events.
- Better mitigation of the consequences of possible severe accidents.
As far as the first point is concerned, the underground location is certainly the most effective solution, even against extreme attacks. In fact, even without having recourse to a location in deep rock, a sub-surface location can be implemented in such a way as to resist any conventional weapon (penetrating bombs carrying more than one ton of explosive; BENDER, 1981) and nuclear bombs. The increase in cost is, however, significant. Many evaluations have been made (e.g. Pinto, 1980; Kroger et al., 1976; Grifoni et al., 1989; Lyczkowski and Ching, 1979; USNRC, 1977), which, although not completely in agreement with each other, show an increase of the kilowatt-hour cost by the order of 10–40 per cent, with the higher values for the location in deep rock. The increase in cost is also due to the increase in the construction time (from 18 months or more for ‘non-deep’ plants to 30 months for ‘deep’ ones). However, high cost and long construction times have to be weighed against the potential benefit of improving the resistance against severe accidents. In fact, while the strength of the container
[Figure 21-1 panels: Surface mounded location; Underground location with embankment; Location in a hill cavern; Deep location. Depth label in the figure: 100–400 m.]
Figure 21-1. Various types of underground location of plant (reprinted from Nuclear Engineering and Design, Vol. 38, Kroger et al., 1976, pp. 207–27, with permission from Elsevier).
against a catastrophic burst due to internal pressure in case of a severe accident can be made very high in underground plants, the same cannot be said for the causes of local leakage from the containers, which
may allow significant external releases. An underground plant needs a large number of penetrations in the containment for mechanical connections (pipes) with the outside for air purging, fluid releases and,
[Figure 21-2 label: Caverns for reactor and auxiliaries.]
Figure 21-2. The French–Belgian SENA plant located in a cavern (reprinted from Nuclear Engineering and Design, Vol. 38, Kroger et al., 1976, pp. 207–27, with permission from Elsevier).
in the case of an external turbine-generator system, for the exit of the steam and the inlet of the feedwater. The underground location does not greatly change the possibility of releases through these paths in case of severe accident and malfunction of isolation devices or for damage caused by the accident itself. Further evidence of the existence of this problem is the difficulty and failure of preventing leaks to the surface in underground nuclear explosives tests (see Section 22-8), although the general validity of this comparison is questionable. A potential advantage of underground plants from the safety point of view is the possibility of using gravity driven emergency water injection systems and therefore more passive and potentially more reliable systems than the normal ones which use pumps. It can be concluded, in any case, that the defence from severe accidents is improved but not automatically implemented by the underground location of the plants. The lower violence of seismic phenomena at depth is among the potential advantages from the point of view of safety and cost. Many measurements and studies indicate, for depths of hundreds of metres, a decrease of the order of 50 per cent in the maximum horizontal accelerations and more regular response spectra. Outweighing the advantages, there are various disadvantages and problems, such as higher cost which has already been mentioned, and the fact that suitable underground sites, especially ‘location at depth’ sites, are difficult to find. Many technological difficulties, mainly connected with the huge dimensions of the excavation capable of containing the construction works of a power station, have to be overcome. Large communication ways have to be designed between the underground rooms and the outside for the transfer of large equipment during a plant’s life. 
Active and passive systems capable of isolating, in accident conditions, these communication passages, have to be built into the plant to avoid the direct release to the external environment of fission products.
A safety problem deriving from the specific characteristics of this type of location is the one connected to a higher vulnerability to the risk of flooding. Other disadvantages are:
- An increased possibility of contamination of underground water, due to the increased difficulty of controlling contaminated water leaks which might occur in the containment bottom.
- More difficult operation because of a more compact system layout, which might mean increased inspection and maintenance difficulties, and a reduction in the reliability and safety performance. An increase of occupational doses could result.
- Possible problems to the well-being of personnel caused by the underground working environment.
- The requirement for isolation systems in the communication lines with the outside in accident situations causes complications with personnel evacuation procedures.
In conclusion, the clearly negative aspects, or the very uncertain ones, have, up to now, outweighed, in the judgement of many, the positive aspects, which can be summarized as better protection against external events connected with human activities, better defence against severe accidents and a lower vulnerability to earthquakes. The comparative judgement may, however, change with time according to circumstances.
References

BENDER (1981), Proceedings of the ‘Symposium on Underground Siting of Nuclear Power Plants’, Hannover, Germany, March, E. Schweizerbart’sche Verlagsbuchhandlung (Naegele u. Obermiller) Stuttgart, F. Bender Editor.
Grifoni, S. et al. (1989) ‘Problematiche relative alla sistemazione in caverna di centrali nucleari’, Energia Nucleare, 6(1), April 1989.
Kroger, W. et al. (1976) ‘Underground siting of nuclear power plants with emphasis on the “cut and cover” technique’, Nuclear Eng. & Design, 38, pp. 207–227.
Lyczkowski, R.W. and Ching, J.T. (1979) ‘Safety consideration and economic advantage of a new underground nuclear power plant design’, Nuclear Eng. & Design, 53, pp. 257–261.
Pinto, S. (1980) ‘Underground construction of nuclear power reactors’, Swiss Federal Institute for Reactor Research, Nuclear Eng. & Design, 61, pp. 441–458.
USNRC (1977) ‘Underground siting of nuclear power plants: potential benefits and penalties’, NUREG-0255.
Chapter 22 The effects of nuclear explosions
22-1. Introduction

This chapter on the effects of the explosion of nuclear weapons has been inserted in a book primarily concerned with the safety of nuclear installations for two reasons. Firstly, those concerned with nuclear safety may be asked questions on the effects of nuclear bombs (perhaps in discussions concerning the differences between the effects of a hypothetical accident of extreme severity in a nuclear reactor and those of the blast of a nuclear bomb). Secondly, because it may be useful, in general, to have a complete picture of the risks of various nuclear applications and of possible types of defence. Most of the information contained within this chapter has been extracted from Glasstone and Dolan (1977), Becket (1983) and Van Vliet (1992). From the outset, it must be stated that all the numbers quoted here may be subject to large uncertainties, because of the secrecy which surrounds this issue, because of the understandable absence of a complete experimental basis (given the possible damage to our planet by realistic experiments) and because the consequences depend highly on the specific technical features of each weapon.
22-2. Types of nuclear bomb

It can be said, with some simplification, that three types of nuclear bomb exist:

- Fission bombs, of the type detonated at Hiroshima and Nagasaki, with a ‘power’ (or, better, ‘energy output’) ranging from several tens to several hundreds of kilotons (thousands of tons) of equivalent TNT.
- Thermonuclear fission–fusion bombs with an energy output of up to many tens of megatons, where the percentage of fission energy over the total energy may vary from case to case, but which is typically assumed to be equal to 50 per cent. In this chapter reference will be made to a weapon of one megaton energy. Scaling laws to evaluate the consequences of other energies will, however, be given.
- Fusion bombs, where the rapid compression of the fusion material is obtained by conventional explosives. These bombs are usually named ‘neutron bombs’ as the radiological effect is mainly due to neutrons emitted in the blast.

In addition to a distinction on the basis of the type of reaction used, the bombs are said to be ‘clean’ or ‘dirty’ according to the radioactive contamination they cause. Typically, the neutron bombs are clean; those based on fission–fusion are ‘dirty’. Another category, ‘salted’, are weapons in which a layer of uranium-238 has been inserted, in order to increase the consequent radioactive contamination.

22-3. The consequences of a nuclear explosion

Figure 22-1 shows the destruction distances (prompt mortality) of a 1 Mt bomb, releasing 50 per cent fission and 50 per cent fusion energy.
[Figure 22-1: bar chart titled ‘1 Megaton explosion’, subtitle ‘Prompt lethality’, showing on a logarithmic distance axis (1 to 1000 km) the ranges of: 7 days exposure to initial fallout; EMP; initial thermal radiation and fire storm; destructive shock wave; initial nuclear radiation >10 Gy.]
Figure 22-1. Indicative consequences of a 1 Mt explosion.

Initial nuclear radiation is directly emitted by the nuclear reaction, conventionally in the first minute after the explosion. It essentially comprises gamma and neutron radiation, which therefore propagates at velocities equal or close to the velocity of light. Its energy is equal to about 5 per cent of the total produced by the explosion. One metre of concrete might adequately shield a human being at distances further than 1 km from ‘ground zero’. At these distances the other destructive effects, however, prevail (shock wave and, above all, thermal radiation and fire storm). In the figure, 10 Gy (1000 rad) have been chosen as the lethal dose, as at this value the probability of prompt death is high (LD50 = 3–5 Gy, see Chapter 7).

The destructive shock wave is directly caused by the blast and by its reflections on solid walls. The energy transported in this way is about 50 per cent of the total and it is the highest proportion with reference to the others (nuclear radiation energy and thermal energy). Up to about 3 km from the explosion, concrete buildings may collapse. The duration of the pulse is 0.4–1 s. The propagation velocity is slightly higher than the velocity of sound.

The initial thermal radiation is emitted by the fireball generated by the bomb and lasts for about 10 s for 1 Mt. The fraction of energy transported is about 35 per cent of the total. The consequences are the direct ignition of everything combustible in a radius of about 10 km and the generation of fire storms with high velocity winds (>100 km h⁻¹ up to several kilometres distant) generated by direct heating and by fires caused by the radiation. It should be remembered that large fire storms were caused during the intense conventional bombing of German cities during the Second World War even though substantially lower overall energy was released.
Initial fallout is the deposition on the ground of the radioactive particles generated in the explosion during the first 24 hours after the event. The particles which are deposited later are smaller (order of magnitude of 1 µm) and reach the ground sometimes a year later. Here, too, the lethality limit has been assumed to be 10 Gy accumulated within seven days of exposure in the contaminated zone. The total radioactivity generated is equal to about 3000 times the one contained in a 1000 MWe reactor at equilibrium (but, for iodine-131, it is about equal and after 24 hours the total radioactivity decreases, at least, by 2000 times). A fraction of this radioactivity, highly dependent on the explosion height (ranging from 10 per cent for elevated explosions to 70 per cent for surface ones), originates the initial fallout. However, this value of the ratio of total radioactivity released by a bomb and the total radioactivity contained in a reactor at equilibrium does not apply to the various isotopes or different decay times, for example the above quoted ratio of 3000 becomes 1 for iodine-131 and even 1/10 for caesium-137, which is responsible for 40 per cent of the long time ‘fallout’ doses of the bombs exploded in the atmosphere (Glasstone and Dolan, 1977). As a further example, the caesium-137 released by the Chernobyl accident was equal to about 500 times the caesium-137 released by the Hiroshima bomb (Glasstone and Dolan, 1977). These differences are due to the fact that the isotope composition of the resulting radioactive products is different for an explosion and for a reactor core at equilibrium (i.e. after a practically infinite time of operation).

Finally, a phenomenon which may indirectly entail casualties is the electromagnetic pulse (EMP). An atomic explosion causes highly variable ionization currents and the consequent electromagnetic fields generate electric currents in conducting objects. Serious faults and malfunctions of control and operation systems are likely: the ubiquitous microprocessor-based systems are particularly sensitive to EMP effects.
The next section briefly discusses these phenomena. Only relatively low altitude air explosions are dealt with (underwater and high-elevation explosions are not discussed, underground explosions are discussed in Section 22-8).
22-4. Initial nuclear radiation

The dose resulting from the initial nuclear radiation depends in a complex way on the explosion power and on distance, and on the density variations of air due to the blast (the ‘hydrodynamic’ increment due to the rarefaction of air behind the shock wave at high explosion energies). Tables 22-1 and 22-2 detail three values of gamma and neutron doses, respectively, and distance (in air from the explosion centre) for three typical explosion energies. Other values can be interpolated or extrapolated. The uncertainty is equal to a factor of two in both ways.

Table 22-1. Gamma doses

| Explosion energy | 1 Gy | 10 Gy | 100 Gy |
|---|---|---|---|
| 100 kt | 2400 m | 1700 m | 1200 m |
| 1000 kt | 3200 m | 2700 m | 2000 m |
| 10 000 kt | 5000 m | 4200 m | 3400 m |

Table 22-2. Neutron doses

| Explosion energy | 1 Gy | 10 Gy | 100 Gy |
|---|---|---|---|
| 100 kt | 2000 m | 1600 m | 1100 m |
| 1000 kt | 2500 m | 2000 m | 2500 m |
| 10 000 kt | 3000 m | 2500 m | 2000 m |

Protection from the initial radiation is obtained by shielding layers. For gamma rays, every material is useful, but preferably those with a high atomic weight. For neutrons, the shielding is more complex as they must be slowed down first (light elements are effective for this) and then absorbed. Moreover, as the interaction of neutrons with matter generates gamma radiation, the latter must also be shielded by heavy elements. Table 22-3 lists some (indicative) data of an experimental and/or analytical origin concerning the transmission factor of various structures for the two types of radiation.

Table 22-3. Approximate dose transmission factors through various structures

| Structure | Gamma rays | Neutrons |
|---|---|---|
| 1 m soil | 0.003 | 0.005 |
| Dwellings (high floors) | 0.8 | 0.9 |
| Dwellings (low floors) | 0.5 | 0.5 |
| Concrete shelter (25 cm walls) | 0.15 | 0.4 |
| Concrete shelter (60 cm walls) | 0.01 | 0.15 |
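As an added illustration (not from the book), the sketch below interpolates Table 22-1 and applies the gamma transmission factors of Table 22-3 to estimate the initial gamma dose behind a given structure, carrying the stated factor-of-two uncertainty through to the result. The log-linear interpolation rule and all function names are assumptions of this example, and only the gamma component is treated.

```python
import math

# Table 22-1 of the text: distance in air (m) from the explosion centre at
# which the initial gamma dose equals 1, 10 and 100 Gy, per explosion energy (kt).
GAMMA_DOSES_GY = (1.0, 10.0, 100.0)
GAMMA_DISTANCE_M = {
    100.0: (2400.0, 1700.0, 1200.0),
    1000.0: (3200.0, 2700.0, 2000.0),
    10000.0: (5000.0, 4200.0, 3400.0),
}

# Table 22-3 of the text: approximate gamma transmission factors.
GAMMA_TRANSMISSION = {
    "1 m soil": 0.003,
    "dwellings (high floors)": 0.8,
    "dwellings (low floors)": 0.5,
    "concrete shelter (25 cm walls)": 0.15,
    "concrete shelter (60 cm walls)": 0.01,
}

UNCERTAINTY_FACTOR = 2.0  # "a factor of two in both ways" (section 22-4)


def _log10_dose_at(distance_m, distances_m):
    """log10 of the dose at distance_m for one energy row of Table 22-1.

    Assumption of this example: log(dose) varies linearly with distance
    between tabulated points; outside them the nearest segment is extended.
    """
    points = sorted(zip(distances_m, (math.log10(d) for d in GAMMA_DOSES_GY)))
    for (x0, y0), (x1, y1) in zip(points, points[1:]):
        if distance_m <= x1:
            break
    return y0 + (y1 - y0) * (distance_m - x0) / (x1 - x0)


def gamma_dose_free_air(energy_kt, distance_m):
    """Best-estimate initial gamma dose (Gy) in open air.

    Between tabulated energies, log(dose) is interpolated linearly in
    log(energy) (assumption); outside 100-10 000 kt the nearest pair of
    rows is extrapolated, as the text allows.
    """
    if energy_kt <= 0 or distance_m <= 0:
        raise ValueError("energy and distance must be positive")
    energies = sorted(GAMMA_DISTANCE_M)
    for w0, w1 in zip(energies, energies[1:]):
        if energy_kt <= w1:
            break
    y0 = _log10_dose_at(distance_m, GAMMA_DISTANCE_M[w0])
    y1 = _log10_dose_at(distance_m, GAMMA_DISTANCE_M[w1])
    t = (math.log10(energy_kt) - math.log10(w0)) / (math.log10(w1) - math.log10(w0))
    return 10 ** (y0 + t * (y1 - y0))


def gamma_dose_sheltered(energy_kt, distance_m, structure):
    """Return (low, best, high) gamma dose in Gy inside the given structure.

    The band applies the table's factor-of-two uncertainty to the shielded
    dose; the transmission factors themselves are only indicative.
    """
    best = gamma_dose_free_air(energy_kt, distance_m) * GAMMA_TRANSMISSION[structure]
    return best / UNCERTAINTY_FACTOR, best, best * UNCERTAINTY_FACTOR


def adequate_structures(energy_kt, distance_m, limit_gy):
    """Structures whose upper-bound gamma dose stays below limit_gy."""
    return [
        name
        for name in GAMMA_TRANSMISSION
        if gamma_dose_sheltered(energy_kt, distance_m, name)[2] < limit_gy
    ]


if __name__ == "__main__":
    for name in GAMMA_TRANSMISSION:
        low, best, high = gamma_dose_sheltered(1000.0, 2700.0, name)
        print(f"{name:32s} {low:8.3f} {best:8.3f} {high:8.3f} Gy")
```

The neutron component (Tables 22-2 and 22-3) adds to this dose and would be treated the same way with its own transmission factors.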
22-5. Shock wave

The intensity of the shock wave generated by an explosion depends on the height of the explosion and distance from the explosion. However, for objects on the ground and for explosions within a few kilometres, the peak pressure generated is shown in Figure 22-2 for the equivalent energy of 1 kt. For other energies a scaling law can be used:

$$D = D_1 W^{1/3} \tag{22.1}$$

where $D_1$ is the distance at which a given pressure occurs for 1 kt and $W$ is the equivalent energy of the explosion considered. Equation 22.1 is valid only for surface explosions and impact points, otherwise other correction coefficients should be used. The pressure acting on a structure hit by the wave is not equal to the above mentioned peak pressure unless the structure is hit sideways, that is when the structure wall considered is parallel to the direction of propagation of the wave. In any other case, the maximum dynamic pressure on the wall is higher than the peak one by a factor of 2–4 (theoretically, 8) for a wall perpendicular to the wave direction of propagation, due to the reflection of the wave itself.

[Figure 22-2: peak pressure (10⁵ Pa, logarithmic axis from 0.01 to 1000) versus distance (m, logarithmic axis from 10 to 10 000).]
Figure 22-2. Peak pressure for a 1 kt explosion.

Diagrams exist for the preventive evaluation of the possible damage to various structures, drawn on the basis of experimental and theoretical data. As an example, a reinforced concrete office building, designed to resist an earthquake, can be severely damaged by a 1 Mt explosion up to about 10 km distant.
22-6. Initial thermal radiation

The overall duration of the emission of initial thermal energy varies with energy between values of a fraction of a second for low energies and values of tens of seconds for the higher energies (10 Mt and higher). As already mentioned, it is assumed that about 35 per cent of the energy released is transmitted as initial thermal radiation. The total energy deposited per unit surface on objects on the ground is, then, approximately proportional to the inverse of the cube of the distance in air. It can be assumed that any combustible material catches fire for a value of this specific energy equal to 40 J cm⁻² (= 400 kJ m⁻²). For an explosion of 1 Mt, about 40 J cm⁻² at 3000 m in air from the explosion centre can be observed. Other values can be obtained by the simple scaling laws above. The ‘mushrooms’ of higher energy explosions tend to have heights equal to their widths, while those of small energy have heights greater than width because of the relative importance of the buoyancy and lateral forces. Figure 22-3 gives an idea of the dimension and typical form of the ‘fireball’ generated by the explosion.
22-7. Initial radioactive contamination (‘fallout’)

The following steps give an indicative estimate of the dose from the fallout of an explosion:

(1) Calculation, by interpolation, of the dose intensity at the moment of arrival of the radioactive particulate (reference dose intensity).
(2) Calculation of the accumulated dose for the given permanence in the considered position, by multiplying the initial dose intensity by a factor given by diagrams like Figure 22-4, as a function of the arrival time of the contamination (dependent on the wind velocity and on the distance).

This method does not take into account the shielding effect of the ground roughness, nor the dimensions of the initial radioactive cloud. These effects, given the largely indicative character of these estimates, are to be considered as secondary. Rain or snow are much more important than these effects on the distribution of the contamination by causing a washout of the radioactive cloud and a ‘patchy’ distribution of the unit dose.
[Figure 22-3: radiating surfaces of two explosions; labels in the figure: 40 km, 100 kt, 10 Mt.]
Figure 22-3. Relative dimensions of the radiating surfaces of two different explosions.

[Figure 22-4: dose factor (logarithmic axis from 0.01 to 10) versus initial time (h, logarithmic axis from 1 to 100), with curves labelled ‘Factor, 1h’, ‘Factor, 1d’ and ‘Factor, 4d’.]
Figure 22-4. Dose factor for permanence in the contaminated place.

22-8. Underground nuclear tests

22-8-1. Historical data on nuclear weapons tests

Testing has been a fundamental factor in the design of nuclear weapons. Therefore, up to now, six countries have performed about 1900 tests, of which 518 have been in the atmosphere, underwater or in space, and the remainder underground (Robbins, 1991). In 1963, the first international treaty against testing nuclear weapons was signed and after that, only France (atmospheric and underwater tests until 1974) and China (until 1980) continued. After 1980, all the tests have been underground. One of the positive results of the G7 Group, enlarged to include the new Russia, is that a total stop of the nuclear tests has been agreed upon.
22-8-2. The possible effects of an underground nuclear explosion

Underground nuclear explosions are usually performed at a depth of hundreds of metres in order to avoid any consequences, radioactivity releases in particular, on the surface. The known effects of an underground explosion are the melting of rocks near the bomb and their fracturing for an extended surrounding volume. Certain events are seismic waves produced by the explosion and the ensuing surface disturbances in lakes and lagoons. The radioactive products (with a long half life and at a few hours from the time of the blast) released in the rock cavities have the following order of magnitude:

- strontium-90: about 3500 TBq per megaton;
- caesium-137: about 5500 TBq per megaton;
- plutonium-239: about 5 TBq per test (corresponding to about 2.5 kg Pu).

Activation products have also to be considered which are generated by the intense neutron flux. In contrast to atmospheric explosions, a small amount of carbon-14 is generated by activation of nitrogen-14 and a small amount of tritium. If salt water is present, the isotope sodium-24 is produced by activation of sodium-23. In the ground, silicon, aluminium and manganese are also activated, which have short half lives and rapidly decay.

Besides these known effects, some accidental ones may also occur, such as in the experimental test at Baneberry, Nevada, in 1970 (10 kt at 270 m depth). A release of the majority of the explosion products and debris occurred which was pushed to a height of 3 km. After that event the Americans adopted more efficient containment measures. Another feared effect is the later penetration of water into the fractured rocks down to the blast cavity: it is thought that thermal highly radioactive springs could be created with a release of radioactivity at the surface.

In underground tests performed below a water body, as in the case of the tests at the Mururoa Atoll, underwater rock slides may occur, creating anomalous waves and tsunamis. An event of this kind really happened at Mururoa (25 July 1975) when an underwater slide of about 10⁶ m³ of coral rock was created leaving a cavity of about 140 m in diameter, accompanied by the generation of a tsunami which caused damage and injured people in the Tuamotu archipelago. Unfortunately, the event could have been foreseen, as the operators did not succeed in taking the weapon down to the planned 800 m underground: it got stuck at 400 m, but the test was performed anyway.
22-8-3. The possible radiological effects of the underground tests

Given the order of magnitude of the source of the most meaningful isotopes (strontium-90, caesium-137 and plutonium-239), the calculation of external releases is based on an estimate of the percentage of radioactivity released in the atmosphere. A criterion which has been used for estimating the possible damage consists in assuming that the external release is in the interval of 1–10 per cent of the generated radioactivity. The consequences, then, can be evaluated by the usual methods used for the calculation of radioactivity concentration as a function of distance downwind and the estimate of the health effects of direct exposure, of inhalation and of ingestion. The evaluations of the assumed accidental releases that happened during the underground tests indicate an average external release of about 40 TBq per test. The Baneberry case is probably unique in its severity. A release of 40 TBq of caesium and strontium is, however, serious (when compared to the maximum acceptable releases from future European reactors, even in a severe accident, which might be expected of the order of terabecquerels of iodine-131, corresponding to fractions of terabecquerels of caesium-137).
References

Becket, B. (1983) Weapons of Tomorrow. Plenum Press.
Glasstone, S. and Dolan, P.J. (1977) ‘The effects of nuclear weapons’, USDOD and ERDA.
Robbins, A. (1991) Radioactive Heaven and Earth, The Apex Press, New York.
Van Vliet, P. (1992) Armi Nucleari, Fratelli Melita editori, La Spezia.
Chapter 23 Radioactive waste
23-1. Types and indicative amounts of radioactive waste

Radioactive waste is generated by the following activities:

- medical uses (radiodiagnostics and radiotherapy) and industrial uses without nuclear reactors (radiography of mechanical components, irradiation of goods for disinfection/sterilization/conservation);
- operation and decommissioning of nuclear plants.
The waste is mainly classified according to its radioactivity level and to its decay time. These two characteristics principally influence the choice of the best method for waste treatment and its storage/disposal. A classification internationally used is shown in Table 23-1, together with the suggested management method.

In order to get an idea of the quantity of radioactive waste produced by the various activities, it is useful to consider that in a country like Italy the medical and industrial waste (not including nuclear reactor waste) is as much as 1500 m³ per year. The LILW-SL waste produced per year by a 1000 MWe reactor is similar. The fuel discharged by a similar reactor is approximately 30 t in the non-conditioned state.

As far as the low- and medium-activity waste are concerned, when disposal at sea was abandoned following the international agreement for the protection of the sea, a disposal system based on burial in trenches, adopted in the USA after the Second World War (SNSF – Simple Near Surface Facility), has been gradually replaced by ever more elaborate methods based on the acknowledgement of the importance of introducing redundancy in the safety systems. This approach substantially aims at designing the storage with the concept of entrusting safety to various natural and artificial components, each one representing a barrier to the diffusion of radionuclides into the biosphere.

Various types of repositories have been conceived and implemented over the years (Cumo, Tripputi, Spezia, 2002). In the near surface type, based on various engineered barriers (ENSF – Engineered Near Surface Facility), the disposal structures can be positioned above or below ground. The repositories at Dukovany in the Czech Republic, at l’Aube in France and at El Cabril in Spain are above ground. The repositories at Drigg in the UK and at Rokkasho in Japan are below ground. Deep repositories offer an alternative. Waste is often stored 100 m deep in caverns (mined cavity), or using abandoned mines and galleries, or in deep geological repositories. The SFR repositories at Forsmark (Sweden) and at Olkiluoto and Loviisa in Finland belong to the first type, the repositories at Richard in the Czech Republic, and at Morsleben and Konrad in Germany, belong to the second type, the repository at Wellenberg in Switzerland belongs to the third type. Table 23-2 lists the safety features of some repositories.

At the scientific level, generally the solution considered more appropriate for the final disposal of high-level waste is the placement of it in adequate deep geological repositories. However, no solutions of this type have been implemented yet, except for the Waste Isolation Pilot Plant (WIPP) in 1999, located in New Mexico (USA). The reasons for the postponement of a decision of this type are essentially the following:
- Recently produced radioactive waste releases large quantities of heat. As the decay of radioactivity or thermal power is very high in the first decades, it is convenient to store this waste for this time period in alternative facilities in order to subsequently simplify the management of the storage facility.
- The spent fuel could become an energy resource in the future.
- The time needed to qualify a site and install a final repository at depth is very long, so an intermediate solution of some decades has to be implemented in any case.
- Reversible options allow the possibility of taking advantage of research. The deep repository solution seems to many to be an irreversible concept.
- Doubts exist about the capability of science to ensure adequate safety levels in the required time span (hundreds of thousands of years).

Table 23-1. Classification of radioactive waste

| Category | Characteristic | Suggested management |
|---|---|---|
| VLLW (very low-level waste) | Waste which decays in a few months (maximum several years) to levels lower than the limits fixed for unconditional release. | Temporary storage and disposal as conventional waste. |
| LILW-SL (low- and intermediate-level waste – short lived) | Low- and medium-activity waste with limited content of α-emitting nuclides. | Conditioning and disposal in an engineered surface site. |
| LILW-LL (low- and intermediate-level waste – long lived) | Low- and medium-activity waste which exceeds the limit of 4000 Bq g⁻¹ for α-emitting nuclides. | Conditioning in a concrete matrix and disposal in medium depth storage (>100 m). |
| HLW (high-level waste) | Waste which exceeds the limit of 4000 Bq g⁻¹ for α-emitting nuclides and shows a significant production of heat (>100 W m⁻³). | Conditioning in vitrified matrix and disposal in a deep geological formation (100–800 m) after a storage period of 30–50 years in adequate engineered structures. |

The trend emerging from various international experiences is to keep many alternatives open. Prevailing opinion can be summarized in the following way:

- It is necessary to make choices which are not only scientifically and technically correct but also based on a democratic process.
- A decision has in any case to be taken. Abstaining from any decision is a decision in itself.
- Temporary storage is not a final solution; it is a way of buying some time. This remark need not be seen in a critical sense. This position may be justified and correct if it is deemed that the uncertainties are too large to allow a well-pondered decision. If it is so, it is necessary to clearly and publicly affirm that at the moment only an intermediate solution can be pursued and implemented, and to indicate guidelines and research efforts for the definition of a final solution.
- The ability to retrieve the waste influences the decision on the type of final repository. If it is proposed to implement a final repository in the framework of a design which allows waste recovery, then the design has to demonstrate that retrievability does not detract from safety, otherwise it cannot be accepted.
- The concept of interim experimental and research plants which may possibly evolve into final repositories is another solution.
23-2. Principles

The general principles which have to be adhered to by the relevant legislation have been recognized internationally and the ‘Joint Convention on the Safety of Spent Fuel Management and on the Safety of Radioactive Waste Management’ treaty has been signed by many countries. In summary, these principles are:

(1) Protecting human health.
(2) Protecting the environment.
(3) Protecting the transboundary territories.
(4) Protecting the future generations.
(5) Not imposing inappropriate burdens on future generations.
(6) Availability of adequate national legislation and regulations.
(7) Ensuring the control and the minimization of the production of radioactive waste.
(8) Ensuring an integrated management of the radioactive waste.
(9) Guaranteeing safety of the waste management plants for their full life.

Table 23-2. Safety features of some repositories

| Country/facility/type of storage | Safety and radiation protection requirements |
|---|---|
| Finland: VLJ Olkiluoto (deep cavern), VLJ Loviisa (deep cavern) | Dose limit for critical group <0.1 mSv y⁻¹; dose limit in accident conditions <5 mSv |
| France: L’Aube (surface) | Dose limit for post-closure period is 0.25 mSv y⁻¹ for the public for the reference scenario; for the operation period limits are 20 mSv y⁻¹ and 1 mSv y⁻¹ for operators and public, respectively |
| Germany: Morsleben (deep geologic), Konrad (deep geologic) | Dose limit for public 0.3 mSv y⁻¹ |
| United Kingdom: Drigg (surface) | In the safety analysis a risk objective of 10⁻⁶ y⁻¹ is adopted |
| Spain: El Cabril (surface) | Radiological risk imposed by safety authority <10⁻⁶ y⁻¹ or equivalent dose of 0.1 mSv y⁻¹ |
| Sweden: SFR Forsmark (deep cavern) | Individual doses to critical group <0.1 mSv y⁻¹ |
| Switzerland: Wellenberg (deep) | Dose limit <0.1 mSv y⁻¹ |
| USA: Barnewell (South Carolina), Richland, Hanford (Washington), Cline (Utah), LANL (New Mexico), RWMC INEL (Idaho), Oak Ridge (Tennessee) (surface) | Safety evaluations must ensure doses <0.25 mSv y⁻¹ for individuals of the population; in case of non-voluntary intrusion after the release of the site (foreseen after 100 years of institutional control) the limits are 1.0 mSv y⁻¹ for continuous exposure and 5.0 mSv for acute exposure |
| Japan: Rokkasho (surface) | The dose values imposed are 1 mSv y⁻¹ (300 years) and for the subsequent period of uncontrolled release of the site 0.01 mSv y⁻¹ |
Reference

Cumo, M., Tripputi, I., Spezia, U. (2002) Nuclear Plant decommissioning, Università di Roma La Sapienza, Scuola di Specializzazione in Sicurezza e Protezione, Tipografia della Pace, Roma.
Chapter 24 Fusion safety
Among the various possible nuclear fusion processes, the most promising one for energy production is that between the hydrogen isotopes deuterium (D) and tritium (T).

    D + T = ⁴He + neutron + energy (17.6 MeV)    (24.1)

The neutron generated has an energy of 14.06 MeV. In order to obtain the fusion of two nuclei, it is necessary to provide them with the energy necessary to overcome the repulsion forces between the nuclei. This energy corresponds to temperatures of about 10⁸ °C (hundreds of millions of degrees), where the gases are in a fully ionized state (plasma) (ENEA/DISP 1986). Some think that fusion may also happen in ‘cold’ conditions if certain peculiar situations are created. In the following, reference will be made, however, to experimental machines and to reactor designs based on hot fusion.

The research programmes on controlled nuclear fusion currently underway in the world aim at demonstrating the scientific feasibility of its use for the generation of electric energy. The Joint European Torus (JET), which represents the most advanced experiment on fusion at this time, produced (9 November 1991) for the first time fusion energy equivalent to 2 MW for 2 s using a D–T (deuterium–tritium) plasma, with 10–15 per cent tritium. This first experiment with tritium was followed on 9 December 1993 by an experiment with up to 50 per cent tritium at the Plasma Physics Laboratory of Princeton (USA) which produced power of 5–28 MW with the Tokamak Fusion Test Reactor (TFTR) machine. Subsequently (1997) JET produced more than 15 MW in a transient lasting about 2 s.

For a demonstration of the scientific and technological feasibility of a fusion reactor, it is however necessary to produce a plasma where the fusion reaction lasts for a sufficiently long time (that is, hundreds of seconds). To reach this objective, it will be necessary to design the basic technologies of a reactor: superconducting magnets, shields, walls resistant to high fluxes of heat, atoms, ions, electrons and neutrons, injection and discharge of fuel, recovery of tritium, safety issues, etc. In fact, JET and TFTR, although representing the outcome of many years of research, are still limited to the studies of plasma physics. Before fusion energy can be used for the generation of electric energy, it will be necessary to develop this technology at the industrial level and demonstrate its economic competitiveness.

In the framework of the European Fusion Programme, based mainly on magnetic confinement Tokamak machines, the complete physical and technological basic demonstration of fusion was approached by the NET conceptual design (Fig. 24-1) at Garching (Munich, Germany), and merged into the ITER design, presently in a phase of engineering design subsequent to a first phase of conceptual design. ITER is the result of a 1987 agreement, a joint research enterprise for the design of an experimental fusion reactor, supported by the EU, the USA, Japan and by the Community of Independent States.

Before getting to this stage, it is first necessary to develop and test materials which can withstand a very high neutron flux, with the principal aim of not generating an excessive decay power (DeMarco, 2001). In order to cope with these needs, it has now been decided to build a dedicated experimental facility, the International Fusion Materials Irradiation Facility (IFMIF), based on the Li(d, n) reaction. In parallel with the operation of IFMIF, the DEMO design (Demonstration Reactor) should get to an engineering demonstration and supply all the necessary elements for an economic evaluation of the process.
Figure 24-1. The NET fusion machine (vertical section of the nuclear island of a fusion device; labelled components: biological shield, inner PF coil, flange zone, inboard blanket, cryostat, outboard blanket, plasma, first wall, outer PF coil, vacuum system, TF coils, shield, divertor, vacuum duct and shield; scale in metres).

As far as the future of commercial fusion power reactors is concerned, various studies have been performed or are in progress. Based on these, it should then be possible and meaningful to perform a preliminary safety analysis on a plant of this type. The detailed designs presently in progress for the next machine (i.e. ITER) have, moreover, many features in common with these reactor conceptual studies and confirm their credibility.

Among the conceptual fusion reactor studies presently available, one of the most complete is the STARFIRE reactor developed in the USA, which will be taken here as a reference. The STARFIRE reactor study foresees an overall thermal power of the fusion reactions of 4000 MW, with a gross electric output of 1440 MW, of which 1200 MW are the net output, while 240 MW are necessary for the operation of the various plant systems. 2560 MW would be discharged as thermal energy. The resulting net efficiency would therefore seem only slightly lower than that of other energy sources.

For an evaluation of accidents it is important to define the amounts of energies involved (Table 24-1). Table 24-2 compares the relevant energies of the STARFIRE plant and a light water fission reactor
(LWR) of the same power. It can be readily seen that the energies involved are of the same order of magnitude for the two types of plant.

Table 24-1. Potential energies present in the STARFIRE fusion reactor

| System | Energy form | Quantity (10³ MJ) |
|---|---|---|
| Plasma | Thermal | 0.92 |
| Plasma | Electromagnetic | 2 |
| Magnets: toroidal field | Electromagnetic | 50 |
| Magnets: poloidal field | Electromagnetic | 10 |
| Magnets: ohmic heating | Electromagnetic | 1.1 |
| Aluminum–water reaction | Chemical | Negligible |
| Beryllium–air reaction | Chemical | 60 |
| Graphite–air reaction | Chemical | 200 |

Table 24-2. Comparison between relevant energies

| Type of energy | Fission 1200 MWe, type PWR (10³ MJ) | Fusion 1200 MWe, type STARFIRE (10³ MJ) |
|---|---|---|
| Coolant energy | 200 | 200 |
| Decay heat power: after 1 min | 15 | 4.5 |
| Decay heat power: after 1 hr | 310 | 250 |
| Other energies | Sensible heat of the core: 100 | Sensible heat of the blanket: […]; Plasma: 3; Magnets: 61 |

The radiation protection problems which emerge during the operation of a fusion prototype reactor, either in normal or in accident conditions, are essentially connected with the presence of tritium, with the generation of neutrons with energies of 2.45 and 14.1 MeV (derived from the D–D and D–T reactions) and with the delayed radiation (and related thermal decay power), for the activation of the structures of the machine.

Tritium decays with a half life of 12.33 years, emitting a beta radiation with average energy of 5.7 keV and a maximum energy of 18 keV. The exposure paths are either by inhalation and ingestion or through the skin. The biological half life of tritium, either ingested or inhaled, is 10 days. Due to the easy absorption of water by the body, it is more dangerous in the form of tritiated water than as elemental tritium (conservatively, a factor of 25 000 is considered in safety analyses, even if recent studies tend to divide this factor by two). Tritium, from a physical–chemical point of view, is a very mobile element and in particular it penetrates through metals. Where accumulation of it can be foreseen, it is immobilized by absorption on suitable solid materials.

The radioactivity induced by neutrons of 14 MeV is concentrated on the structural materials of the reactor components exposed to the plasma (first wall and blanket). As far as the environmental impact is concerned, the long-lived radionuclides are decisive (half life longer than one year). This activity is characterized by a low mobility. The release paths to the environment are:

- erosion or corrosion by the primary coolant and substitution of parts of the reactor;
- melting and volatilization of part of the material in accident conditions.

Table 24-3 compares the radioactivity present in a fusion and in a fission reactor.

Table 24-3. Comparison of inventories of meaningful radioactive products for 1200 MWe reactors

| Radioactive products | Fusion (GBq) | Fission (GBq) |
|---|---|---|
| Tritium | 3.7 × 10⁹ | 2.5 × 10⁶ |
| Material activation | 2.6 × 10¹¹ | 0.3 × 10⁸; 2.6 × 10⁸; Total: 2.9 × 10⁸ |
| Fission products | Absent | Xe + Kr: 1.4 × 10¹⁰; I: 2.2 × 10¹⁰; Cs: 7.4 × 10⁸; Sr: 1.8 × 10⁸; Te: 3.7 × 10⁹; Pu: 1.8 × 10⁸; Other: . . . |
| Total (order of magnitude) | 10¹⁰–10¹¹ | 10¹⁰–10¹¹ |
Beryllium is used as a liner for the first wall, and this has a high risk of explosion. It is highly reactive with air, water and carbon dioxide, releasing high amounts of energy. Finally, it has to be stressed that this element is extremely toxic: if inhaled it causes lung illnesses and, in contact with the skin, dermatitis and conjunctivitis. A concentration of 2 µg m⁻³ is the permitted limit for a working exposure of 8 hours.

Graphite, used as a neutron reflector at the outside periphery of the blanket, can release large amounts of energy by combustion, if exposed to air at high temperature (see Table 24-1).

The principal safety problems for a fusion reactor, as a consequence of design basis accidents, seem to be:

- possible release of tritium;
- possible release of activated material;
- possible release of toxic products (in particular beryllium).

It appears that the quantities of radioactivity which can be potentially released are not negligible, even if they are lower by an order of magnitude than the corresponding quantities of fission (Table 24-4). The evaluations in the table have been made as best estimates of important accidents. In any case, however, the lower radiological risk of radioisotopes released by fusion reactors has to be taken into account.
Table 24-4. Accident releases to the containment system for a design LOCA

| Release | Fusion (GBq) | Fission (GBq) |
|---|---|---|
| Tritium | 9.2 × 10⁶ | 2.5 × 10⁶ |
| Activation products | 1.1 × 10⁶ | 110 |
| Fission products | Absent | Xe + Kr: 3.7 × 10⁷; I: 1.8 × 10⁷; Cs: 7.4 × 10⁶; Sr: 3.3 × 10⁵ |
At the present state of the study of fusion power reactors it is not, however, possible to have a complete picture of the aspects connected to the safety in normal and accident conditions. The principal uncertainties are connected with the plasma physics, with the choice of the confinement system, with the type of materials used (first wall, blanket, etc.), with the fusion power density, with the type of coolant to be adopted, with the value of involved energies. A complete analysis of the accidents would require the consideration of more severe scenarios, with a probability lower than that of the design basis accidents, but with more serious consequences in terms of release to the outside. At the present state, the safety evaluations performed for fusion reactors are confined to the consideration of degraded scenarios of this type only from the point of view of the comparison between possible design alternatives and of the choice of materials, without arriving at the evaluation of the consequences. It has, however, to be noted that the amounts of involved energies and the inventory of radioactive products justify the idea of more serious accidents than the design basis ones. These accidents must be
conveniently evaluated on the basis of a final plant design and of a systematic analysis of the possible accident sequences. An important aspect for the safety of fusion reactors consists in the possibility to decrease in future the decay heat and the radioactive products inventory. In fact, the use of materials with reduced or short-lived activation and with low tritium retention, together with a limited operation power density, would minimize the above mentioned safety problems, bringing the plant towards intrinsic safety conditions (for which no active systems are necessary). The developments of robotics, together with a complete automation of the plants, will bring the occupational dose (radioactive, electromagnetic and radio-frequency) down to acceptable values during the operation and the maintenance of these plants. On the other hand, other safety problems might arise during the evolution of present experimental plants towards the fusion reactor. As far as the safety aspects of experimental fusion machines (JET, etc.) in comparison with those of fusion reactors are concerned, it can be considered that they have a tritium inventory at least 100 times lower and an inventory of activation products roughly 1000 times lower. The accident releases which can be originated by these machines are, consequently, lower by orders of magnitude.
References

DeMarco, F. (2001) ‘A look to the future of nuclear fusion’, Università di Pisa, Conferenza ‘E. Fermi’, 5–16 October.

ENEA/DISP (1986) ‘Rapporto sugli aspetti di sicurezza e protezione sanitaria dei reattori a fusione’, DOC./DISP/(86) 6, Roma, Dic.
Chapter 25 Safety of specific plants and of other activities
25-1. Boiling water reactors

In comparison with the pressurized water reactor, the boiling water reactor (BWR – Fig. 25-1) has two principal different characteristics:

- It does not have steam generators and, therefore, a direct communication exists between the reactor and turbine, connected via quick, highly reliable, isolation valves.
- The core is refrigerated by a steam–water mixture, instead of liquid water.

A series of design and safety consequences are derived from these two characteristics which make the two reactors rather different from each other. Consequently, the different safety aspects are of prevailing interest, for example:
- It is not considered economically convenient to place the turbine with the reactor in a containment building (although in the past, small reactors with this characteristic have been built). Isolation of the reactor cooling system from the outside is by means of quick isolation valves. Inherent in this feature are the problems of their reliability in closure and their leakproof characteristics (to the point that some experts say, but without sufficient reason, that BWRs have to be considered substantially ‘open’ towards the outside environment). On the other hand, no problems have been attributed to the steam generators.
- A quick release system of the primary steam–water mixture into a closed tank-condenser is necessary (as the primary liquid, with significant radioactivity, cannot be released to the outside). In case of problems with the turbine-condenser system, and therefore the unavailability of the condenser, the immediate cooling of the core can be ensured only by such a system. Therefore, in BWRs a (huge) reactor depressurization system (ADS – Automatic Depressurization System) has always been incorporated, together with a closed water reservoir for steam condensation.
- Since, for the reasons explained above, a large mixing condenser is required which is isolated from the outside environment, it can also be used to condense the steam–water mixture in a primary pipe break accident (LOCA). Hence, the concept of a pressure suppression container has been born. It is composed of a ‘dry well’ (normally dry), which encloses all the primary pipes which might potentially break, and a ‘wet well’ or suppression pool where the mixture which has accidentally escaped in the dry well is routed and where it is condensed by mixing with cold water.
- A rupture of a steam pipe outside the above mentioned isolation valves must be controlled by their quick closure (typically in 5 s). It can easily be seen that in the few seconds necessary for the valves to close, a large quantity of steam–water mixture may be released and that, because of its radioactivity, it may cause the most serious accident from among the design basis ones.
- Finally, because of the cooling effect of the suppression pool water, the container may also have a relatively small volume (e.g. 10 000 m³ instead of the 60 000 m³ of a PWR) and therefore the defence against a hydrogen explosion in severe accidents may be obtained by inerting in a nitrogen atmosphere. In practice, the reactor is normally operated with a nitrogen enriched atmosphere in the container. This poses some additional problems when it is necessary for an operator to enter the container for inspection/maintenance. In this case, it is necessary to de-inert the container (a lengthy operation) or use breathing apparatus (which, for other reasons, is not advisable). Not all BWR containments can be reasonably inerted. The most recent type (Mark III) has a volume of roughly 30 000 m³ and is not inerted.
- The reactor normally contains a steam–water mixture so that any fast increase in pressure produces steam condensation, an increase of the water mass present and, because of the void coefficient (which is negative for safety reasons), an increase in the core reactivity. It is easily seen that in a BWR the ATWS accident (transients with failure to scram) is particularly serious and represents one of the dominant severe accidents in overall risk evaluations. An accident caused by the spurious and complete closure of isolation valves on steam lines has also been studied, even though it is highly unlikely, but it can be demonstrated that it is controllable by the ADS system.
- The problem of water chemistry is a little more complex for a BWR because of the larger size of the reactor cooling circuit (which includes the turbine condenser too) and of the practical impossibility of keeping in the water an excess of hydrogen for oxygen suppression, as is done for PWRs. It is thought, however, that satisfactory solutions have been found, after a long series of problems with the appearance of cracks in metallic materials.
- The BWR, because of the lower density of the steam–water mixture in the core compared with a PWR, tends to have, for the same power, a larger vessel than a PWR. However, it has to be remembered that a BWR has an operating pressure equal to about one half that of a PWR. A favourable consequence of this is that the fast fluence on the vessel material is much lower than that of a PWR and therefore the neutron embrittlement problem is much smaller.
- The BWR has a free surface between the water and steam mixture in the core. Consequently, if the vessel moves, the water oscillates in the core and this causes local power oscillations due to the interaction with the neutron regime. BWRs, therefore, are not suitable on board ships.

Figure 25-1. Advanced boiling water reactor.
25-2. Pressure tube reactors

From the onset of the peaceful use of nuclear energy, a line of water power reactors was developed (particularly in Canada) where a single reactor vessel is not used and, instead, the fuel and the cooling water are contained in a series of closely placed tubes. Heavy water (D₂O) is used so that natural uranium (that is, not enriched in the uranium-235 fissile isotope) can be used with an economic advantage. Heavy water has a lower moderating effect than light water (because of the higher atomic weight of deuterium compared with hydrogen) so the water circulating in the pipes (kept within the strict amounts necessary for cooling) is not sufficient for reactor moderation and therefore all the tubes are contained in a closed tank (calandria) full of additional heavy water.

In order to keep the tank at low temperature and pressure, each fuel containing pressure tube is contained in a second tube (guard or calandria tube) with a gap filled with an inert gas between the two. This arrangement allows the second tube to be made strong enough to withstand the accidental rupture of the first one, so preventing the propagation of the ruptures to other tubes (an important feature from the safety point of view). Unlike the Canadian design, the Chernobyl tube reactor (light water cooled and graphite moderated) did not possess a similar safety characteristic and a break in the pressure tube could perhaps (at a low probability level) propagate through various mechanisms to other tubes.

It has to be noted that in the history of nuclear technology, attempts have been made to cool tube reactors by light water. The results have not been positive because of the instability caused by the positive reactivity coefficient for loss of cooling water (a feature similar to the Chernobyl one). Hence, this reactor design has been abandoned. Obviously an attractive aspect of these reactors was the lack of pressurized heavy water and therefore the drastic reduction of leaks of precious heavy water from the circuit.

The tube reactors can be refuelled during their operation, which is impossible in both PWRs and BWRs of the ‘vessel’ type. To this end, a special refuelling machine is used which connects in a leakproof way under pressure with any single tube for the time needed for the replacement of fuel. (This feature makes these reactors suitable for plutonium production, as it is possible to optimally choose the permanence of the fuel inside the reactor.)

In Canada, where ‘parks’ of CANDU tube reactors have been built (up to eight 600 MWe reactors on the same site), ‘vacuum building’ containment has also been used, which consists in building, for each park of reactors, a central empty containment, connected with the containments of any single reactor by a duct provided with a rupture disc or similar device. In the event of a LOCA accident in one of the reactors, the corresponding rupture disc opens and the air–steam mixture under pressure has the whole volume of the vacuum building in which to expand. In this way, the containment of each reactor can be rather small with overall economic advantages.

Some safety advantages are:

- Modularity, as the dimensions are independent of the technological limit on vessel dimensions that exists for the other reactors.
- Presence of an easy alternative scram mechanism, consisting in the fast dumping of the calandria moderation heavy water.
- Relatively easily replaceable used tubes.

Significant safety disadvantages are:

- Tritium contamination, much more serious than for light water reactors.
- Greater susceptibility to seismic damage.
25-3. Gas reactors

The graphite-moderated gas-cooled reactor was the most popular design in the early days of nuclear power generation, especially in the UK and France. Obviously, the principal initial attractive feature of this design has been the possibility of using natural uranium as a fuel. Subsequently, in order to increase efficiency, a switch was made to enriched fuel with the Advanced Gas Reactor (AGR). These reactors have been successfully operated but, after a long debate on their economic aspects, are now being replaced by the more common water reactor.

It should be noted here that gas–graphite reactors do not need a pressure resisting containment even according to the best international safety standards. This is due to particular features of these reactors, among which one can quote the low radioactivity content of the cooling fluid, carbon dioxide (CO₂), and the slow progress of design basis accidents in comparison with the more sensitive behaviour of water-cooled reactors.

The high temperature gas reactors, with fuel consisting of microspheres of uranium dioxide coated by additional refractory layers made of carbon (graphite, silicon carbide, pyrolytic carbon), are now considered very interesting. In particular, the Pebble Bed Modular Reactor (PBMR), which is supported by an international consortium (in which ESKOM, the South African utility, is strong), seems to have good prospects (ESKOM, 2001). The PBMR is fed by fuel spheres similar to those of the experimental German AVR reactor which operated for 21 years without faults. Each module will have a thermal power of about 265 MWt and a net electric power of about 116 MWe (overall efficiency of about 43 per cent due to the high maximum temperature of the cycle, 900 °C). The cooling is by helium at a maximum pressure of about 7 MPa which directly operates a gas turbine. The support bearings are of the magnetic type, and therefore do not have any cooling water in them (which gave serious trouble to previous prototype reactors, e.g. Fort St Vrain).
The only water present in the system is that in the secondary side of the two refrigerators for the removal of waste heat of the Brayton cycle adopted. It is, however, always at a lower pressure than the gas circuit and therefore it cannot come into contact with the system graphite. The system has many intrinsic safety characteristics:

- The power coefficient is strongly negative.
- The decay heat, even in the absence of emergency cooling, with a depressurized system and without fast shutdown, can be simply eliminated through the reactor vessel, preventing the fuel from reaching damaging temperatures (the AVR reactor demonstrated this with a famous test).
- Even if a pipe ruptures, air cannot enter the system and a graphite oxidation (fire) cannot occur. Even if the two inlet and outlet gas pipes in the vessel completely rupture, the air will start to circulate in the reactor after 9 hours, with a release of only one millionth of the core radioactivity per day.
- Even in the case of the worst scenario, the virtual dose at the plant border will amount to that corresponding to one day of natural background and no emergency plan would be needed outside the plant (beyond 400 m from the reactor).
The consortium which is developing the reactor maintains that the cost of the energy produced, for a 10 module power station, is competitive with that of a coal-fired power station. The PBMR is very interesting from the safety point of view even if the design of the system appears rather complex. The intrinsic safety characteristics declared seem to be feasible, under the condition that the detail system design is submitted to an attentive safety analysis, and this includes surveillance systems for structures and components.
25-4. Research reactors

Many types of research reactor exist for physics and materials research, for irradiation, for isotope production. They are also used now for direct medical use. A very widely used type worldwide is the pool reactor with various types of fuel elements. From the safety point of view, usually these reactors have a small internal energy (no pressure circuit) and the intrinsic characteristic of neutron stability. They generally do not need a pressure container and are located in leakproof buildings with a small design pressure difference from the outside. Relatively high power research reactors do exist (up to 100 MWt) for which the safety issue is more complex.
25-5. Sodium-cooled fast reactors
Sodium-cooled fast reactors promise to definitely solve the fuel availability problem as they can convert non-fissile isotopes into fissile ones. Some of these reactors have been successfully operated and some of them have been plagued by many problems. This type of reactor is being developed only by some countries; many countries with a nuclear industry have abandoned them, mainly for safety and for non-proliferation reasons (associated with the need to reprocess fuel and with production of plutonium). From a safety point of view, these reactors have the following advantages:
- Low operating pressure (similar to the hydrostatic pressure of the plant).
- Large thermal inertia.
- Reduced dimensions with the consequent possibility of considering small modular reactors with intrinsic emergency cooling.
They have, however, some problematic aspects:
- The possibility of reaction of the coolant (sodium) with water and air (fire).
- Positive void reactivity coefficient of the reactor, made tolerable by the high thermal inertia of the sodium coolant in the amounts generally used and by the consequent difficulty for the reactor to reach boiling conditions.
- Presence of negative structural effects in the core (deformations, creep, etc.).
25-6. Fuel plants
The fuel fabrication plants are usually rather free from serious hazards, the only possible problem being an accidental criticality (e.g. Tokaimura accident in 1999). The containment is usually ensured by buildings kept at slight under-pressure (of the order of one centimetre of water or less) in comparison with the outside to prevent the exit of an internal contaminated atmosphere due to the suction caused by the wind in some parts of the external surface of the structure. The relevant ventilation system is provided with filters. Obviously, special plants for research on the fuel exist, such as those dealing with plutonium, and these have specific safety problems. Reprocessing plants are required only in a few countries and they show much more serious problems than the fabrication plants because of the very high radioactivity content and the uncertainties in the chemical behaviour of the mixtures involved (strongly aggressive for structural materials), including the possibility of explosive phenomena and of accidental criticality. These plants are strongly shielded and are housed in buildings with dynamic leak-proofing, maintained by a ventilation system with filters. Various problems of dispersion of radioactivity in the environment, due to the irradiated fuel storage pools, exist. The pools should always be provided with a corrosion resistant metal liner, with the further possibility of collection and control of the possible leaks, should they happen. A periodical maintenance/repair programme should also be implemented. The large fuel enrichment plants, present in very few countries in the world, show problems similar to those of the fabrication plants.
25-7. Nuclear seawater desalination plants
Water desalination (generally, seawater desalination) can be performed by various processes, the most common being:
- thermal methods by distillation (e.g. multistage evaporation);
- mechanical methods (e.g. inverse osmosis).
In both cases, the reactor which provides thermal or electric energy may be similar to those used for energy production, except that the power must match the water production rate. Some aspects connected with the desalination process which may be relevant to nuclear safety are:
- In thermal desalination, any possible leaks from the reactor circuit towards the desalinated water produced by the system must be prevented by the correct choice of operating pressures in the various circuits and by the use of an intermediate circuit.
- In some cases, there is a strong need (security, transport costs, etc.) to locate the desalination plant close to consumption centres, therefore there is a trend towards suburban sites. A safety consequence of this, for example, is the use of small reactors located inside a small container which is resistant to the rupture of the reactor pressure vessel.
- The continuity of supply of the desalinated water can be ensured by using reserve desalinated water storage tanks.
25-8. VVER plants
VVERs are PWRs designed in Russia. There are three main types: the Type 230 (oldest, 440 MWe); the Type 213 (440 MWe); and the Type 1000 (the most recent, 1000 MWe). The Type 1000 is very similar to one of the Western-designed plants now operating. Types 230 and 213 show rather different characteristics and are less advanced from the safety point of view. In particular, the containment has lower leak proofing than the Type 1000, the reactor protection systems are slower and less advanced, and the reactor vessel is more vulnerable to neutron embrittlement. However, these reactors exhibit a slower dynamical behaviour than that of many Western reactors, due to the larger water amount in the reactor and to other reasons, so that other less favourable characteristics are compensated. The good operating experience of these reactors supports their good design characteristics.
25-9. Ship propulsion reactors
Currently, all the nuclear-propelled ships are military, but at one time experimental, nuclear-powered, merchant ships were built. The most famous of these was the US ship, the NS Savannah, which hosted a small PWR (74 MWt) located in a small volume pressure containment (with a high design pressure). The ship was also provided with a small conventional engine as a reserve to the principal turbine engine. The main safety issue of these reactors was to guarantee the protection of the population during the stay in a harbour. To this end, every hosting port was provided with an emergency plan according to which, in case of accident, the ship would be taken offshore by ‘always available’ tugs. In the many years of operation no event happened that required the activation of such a plan.
25-10. Safe transport of radioactive substances
The transportation of radioactive material, in comparison to other dangerous substances, has the additional risk of irradiation even in normal conditions. In comparison with other nuclear activities, transportation has the following specific characteristics:
- It is performed in the open air, where it is not easy to define protected zones and have them complied with (monitored zone, controlled zone).
- It is usually performed by non-specialized operators (according to instructions from a radiation protection organization).
- It is performed by ordinary machines (transportation, lifting and tying means) and by specific machines (containers), to which safety is generally entrusted.
The IAEA has issued fundamental standards (AR46). The various national standards refer to these. The IAEA standards include:
- The classification of the containers into three types:
  - industrial robust type (similar to one of the UNO standards for dangerous goods (UNO, 1995));
  - type A, with limited contained amount per package and per shipment, resistant to a fall from 1.2 m (solids) and from 9 m (liquids and gases), resistant to punching by a 6 kg tool falling from 1 m;
  - type B, with the same characteristics as the type A and with the additional worst sequence of events including a fall from 9 m, immersion in 15 m of water, 800 °C fire for half an hour.
- The hazard level labels (irradiation).
- The approval of the shipments for important amounts of radioactive and fissile materials.
- The limitation of the levels of external radiation both in contact with the packages and at 1 m distance (for example, 2 mSv hr⁻¹ in contact and 0.1 mSv hr⁻¹ at 1 m, and 4 Bq cm⁻² of transferable surface contamination. After an accident corresponding to the qualification tests the limits are higher, for example 10 mSv hr⁻¹ at 1 m for type B).
25-11. Safety of radioactive sources and of radiation generating machines
The sources in a ‘sealed’ form, used for industrial, medical and scientific research applications can be classified as large, medium and small. The first ones are used in irradiation plants and in radiotherapy
Table 25-1. Data of some isotopes for evaluation of accidents
CHARACTERISTIC DATA OF COMMONLY USED ISOTOPES
Columns: nuclide; emission (type of particle); T1/2; β: E [MeV], %; γ, X: E [MeV], %; gamma specific constant [(mSv m²)/(TBq h)]; S.E.V. [cm Pb]; MAC in water [Bq/ml], soluble and insoluble; MAC in air [Bq/l], soluble and insoluble.
NUCLIDE    Type of particle    T1/2
H-3        β                   12,35 a
C-14       β                   5730 a
Na-22      β                   2,60 a
P-32       β                   14,29 d
S-35       β                   87,44 d
K-42       β                   12,4 h
Co-60      β                   5,27 a
Kr-85      β                   10,72 a
Rb-86      β                   18,7 d
Sr-90      β                   29,12 a
I-131      β                   8,04 d
Cs-134     β                   2,06 a
Cs-137     β                   30,0 a
Ra-226     α                   1620 a
Pu-239     α                   24065 a
Am-241     α                   432,2 a
Legend: Gamma specific constant [K]: D [intensity irradiation dose, mSv/hr] = K · C [source activity, TBq] / d² [distance, m] (the constant K is used to calculate the irradiation dose intensity given by a certain amount of an isotope at a certain distance); S.E.V. = Pb halving thickness [cm]; MAC = maximum admissible concentration.
facilities, the second ones are employed in industrial gammography, in curietherapy, in level and density meters, etc. The activities for large sources range from 37 TBq to 37 PBq, for medium and small sources from 37 kBq to some tens of gigabecquerels (ENEA, 1988). The radiation generating machines are those producing X-rays (used for X-ray diagnostics, X-ray therapy, industrial X-ray radiography) and particle accelerators used in the medical, industrial and research fields. Peak voltages range from 100 kV to 500 kV, and the energy of the accelerator particles may reach gigaelectron-volts. Possible accidents are:
- detachment of the source from its support;
- blockage of the source in the irradiation position;
- abandonment of sources in a public place;
- the effect of earthquakes;
- accidental emission of an X-ray beam.
The accidents with a contamination hazard are caused predominantly by the use of non-sealed sources and of damaged sealed sources, due to:
- fire
- explosion
- flooding
- container break
- erroneous handling
- earthquake.
The data necessary for evaluating the severity of hypothesized or actual accidents are of the type included in Table 25-1, which covers only some of the isotopes of interest.
References
ENEA/DISP (1988) ‘Mezzi e metodi per la gestione delle emergenze nucleari’, Rome.
ESKOM (2001) ‘The pebble bed modular reactor’, Nuclear News, September.
UNO (1995) ‘Recommendations on the transport of dangerous goods’, Ninth revised edition (ST/SG/AC.10/1/Rev.9), UN, New York and Geneva.
Chapter 26 Nuclear facilities on satellites
26-1. Types of plant
The most common use is radioisotope-powered thermoelectric generators for the electric loads on board. Power is typically about 1 kWe, subdivided between three or more units. Radioisotope-powered heat generators (2.7 g of plutonium, 1 W) are currently used to guarantee the suitable thermal conditions for the equipment on board during a mission. Both types of generators are usually powered by the heat produced by plutonium-238, which has an optimal thermal power to weight ratio (= 0.57 W g⁻¹). The reason for the use of radioisotopes is that space missions require absolutely reliable sources of electric energy and heat, without any need for maintenance, that are capable of operating for years in severe environmental conditions. For these reasons, radioisotopes are practically the only choice, where bulky solar cells systems are not suitable. In the past, a real reactor, the SNAP-10A, was built and used. Other systems were tested only on the ground (Angelo and Buden, 1985). The use of these devices is based on more than thirty years of operation experience on space vehicles of various types. As an example, the US Department of Energy (DoE) has up to now supplied 44 radioisotope-powered thermoelectric generator systems, used in 24 space missions. The most recent thermoelectric generator built by the DoE, the General Purpose Heat Source Radioisotope Thermoelectric Generator (GPHS-RTG) (Fig. 26-1), produces 290 W of electric energy with less than 11 kg of plutonium dioxide. Three units are installed on the Cassini vehicle for the exploration of Saturn, launched in 1997, corresponding to a total initial activity of 15 000 TBq. Currently, plutonium is used in oxide form which is more robust in accident conditions than the metallic plutonium initially used.
[Figure 26-1. The satellite GPHS-RTG module. Labelled parts: cooling pipes, gas management, aluminium shell, thermal source, safety valve, support, flange, insulation, Si–Ge thermocouples.]
26-2. Possible accidents and their consequences
The GPHS thermoelectric generator is designed to withstand a variety of accident events, including an unforeseen re-entry to the earth. In particular, the plutonium dioxide is protected by a graphite shield. However, events can be imagined, such as the explosion of the vehicle or the impact of the GPHS module on a hard surface (rock), which might cause the release of plutonium, either at stratospheric elevations or on the ground. The probabilities of these events are of the order of 10⁻⁷–10⁻⁶ per mission. For a release on the ground, the area significantly contaminated extends for 1–2 km from the impact point so the problems are concentrated in a relatively small area. For a release at high altitude, the consequences are evaluated assuming that the plutonium is released in part as vapour or as breathable particles of a diameter smaller than 10 µm (ranging from 20 to 70 per cent of the total, according to the re-entry angle with reference to the terrestrial vertical direction), in part (4–7 per cent) as dust of 10–6000 µm diameter and, for the remaining portion, as larger particles. The ‘footprint’ of the particulate on the ground is thought to reach up to 300 km. Part of the finer particulate may fall to ground after months or years from the accident and will extend to the whole planet. The maximum individual doses, without emergency actions, are estimated of the order of a fraction of 1 Sv. The maximum collective doses are thought to be of the order of 106 Sv-person, distributed over a great part of the world population and therefore with additional consequences very small in comparison with other causes. The extent of land contaminated with more than 10 kBq m⁻² is about 5000 km². Other satellites with isotope generators or with a nuclear reactor, designed with lower strength characteristics than the one of the Cassini mission, could originate wider consequences; for example, fragments of the reactor of the satellite Cosmos 954, which fell in Northern Canada in 1978, were found over more than 100 000 km². No health consequences were present because of the low population density.
Reference Angelo, J.A. and Buden, D. (1985) Space Nuclear Power. Malabar, FL: Orbit Book Co.
Chapter 27 Erroneous beliefs about nuclear safety
It is worth mentioning and discussing some beliefs prevalent in the field of nuclear safety.
A shutdown plant cannot have an accident!
The opposite is true, since the probabilistic safety analyses addressing this problem have concluded that a large part of the risk of a nuclear plant is related to plant situations of shutdown or low power. A plant is shut down for inspection and periodic maintenance, and often safety systems are disabled, the containment opened, and ‘unusual’ operations are performed which decrease the usual defences, so that accidents are possible which could not happen in other conditions.
In a pressurized reactor, a ‘solid system’ has to be avoided by all means!
A ‘solid system’, in the jargon of PWR operators, is a primary cooling system completely filled with water, that is without the steam bubble in the pressurizer. In solid system conditions, the pressure resisting structures of the primary system are in effect exposed to undue overstressing as a compressible element in the fluid part of the system is lacking: one can think of an effect of local overheating and consequent thermal expansion of the fluid, or of the start up of a high head pump connected with the primary system, etc. Operators are warned about the danger of a solid system condition during their training. Experience indicates that sometimes the risks of this operating condition are exaggerated, almost identifying it with a situation of unavoidable accident to the primary structures. It must be remembered that, during the Three Mile Island accident, the operators blocked the operation of the safety injection system which had regularly been automatically started, precisely for the fear of being in a solid system condition (on the basis of the indications of the pressurizer level). It is necessary, in fact, to remember that other protections exist against the over-pressurization of the primary system, such as safety valves. However, they could be damaged (as they were at Three Mile Island) by a liquid efflux, having been designed for a steam efflux. The fear of damaging them or causing a leak in them after re-closure was, therefore, well founded. What had not perhaps been sufficiently made clear to the operators was that between the two possible evils (the safety valve not perfectly re-closing after opening because of the discharge of liquid, and lack of emergency core cooling), the potentially more serious situation was the second.
Pouring water on an overheated core must be avoided!
This ‘myth’ has been dangerously circulated in the field of nuclear safety for years, before being firmly refuted by an international group of experts on accident management (NEA, 1995). Indeed, pouring large amounts of cold water on an overheated, possibly partially molten, core without mature deliberation may in principle cause:
- instantaneous thermal stresses and structural damage;
- production of large quantities of hydrogen by metal–water reactions;
- possible steam explosions.
A core in these conditions must be cooled and the means available in a water reactor is, indeed, cold water. It is up to the judgement of the operator to decide, case by case, the way by which the cooling operation has to be performed. For example, proceeding by low duration injections and observing the result before continuing, or conveniently graduating the liquid injection flow rate.
However, the injection of cold water in an overheated core must always take place, even if it means going through a transient seemingly worse situation. Timely action is beneficial, as this limits the possibility of unforeseen aggravating phenomena.
The actuation of the containment spray must be avoided in a severe accident!
There is some truth in this (possibly) common mistake. The spraying of water, in fact, causes the condensation of the steam in the containment, which may ‘de-inert’ the possible hydrogen–oxygen explosive mixture. It can be concluded that in some cases this de-inerting has to be avoided. However, in many other cases the spraying of the containment must be performed, for example if this is a condition for the cooling of the core. This issue must be studied, case by case, during the preparation of the severe accident management programme available at all plants. The operators should have all the diagnostic and intervention means needed for taking the correct decision in any situation, including the instrumentation for the difficult measurement of the explosivity within the container.
The containment is a passive system!
Fortunately, this belief is not heard anymore, but, at one time, some people thought that the containment function was predominantly performed by the container shell and that, with an intact containment, a substantial separation of the internal atmosphere from the outside could be relied on. In reality, the containment is a machine which, in order to be able to perform its function, must pass from a state of multiple communication with the outside through the hundreds of mechanical penetrations usually present, to a state of isolation from the outside, by the closure of isolation valves and analogous devices. It must be remembered that the specified maximum design leakage of a containment is equivalent to the presence of a small hole, typically of about three millimetres diameter in the container shell. It is therefore vital that all the active isolation devices perfectly close in case of actuation of the containment isolation.
Pipes crack, leak, wear out . . . but they don’t break!
This was one of the ‘battle cries’ of many optimistic engineers (after one of them, an expert nuclear engineer, created it), who had a critical attitude, before Three Mile Island, towards the precautions imposed by the nuclear safety criteria and, in particular, towards the assumption of a break in the largest pipe of the plant and of the consequent need for the provision of a pressure resisting and leak-proof containment. A guillotine break of the largest primary pipe has never happened; however, the corresponding conservative assumptions made from the outset have provided a useful ‘envelope’ for a series of other events (lack of valve re-closure, break of sealing and closure devices of components, cracks of various types in many pipes, etc.) which the subsequent experience has demonstrated to be both possible and insidious. Catastrophic breaks of large pipes have happened on the secondary cooling circuit, less protected by the safety standards.
In order to avoid criticality in new fuel storage it is sufficient that it is not completely flooded!
This mistake is not made any more. However, it is worthwhile repeating that the maximum reactivity of fresh fuel storage is generally obtained when the room is full of partial density water, that is for a situation of water sprayed on the fuel, more than for the complete flooding of it.
Performing analyses with conservative assumptions always favours safety!
Why is this apparently correct statement not always true? Because analyses performed with too many conservative assumptions in the end give a completely distorted picture of the real behaviour of the system studied. The following consideration of Prof Norman Rasmussen, co-ordinator of the famous Reactor Safety Study Wash-1400 (the Rasmussen report), is relevant (OECD, 1994):
One unexpected event at TMI was the presence of a hydrogen-steam bubble in the primary vessel during the course of the accident. The fact that non-condensable hydrogen might be trapped in the vessel head was, as far as I can remember, never discussed during the RSS.
The principal reason for this was that the RSS analysis made the conservative assumption that large amounts of hydrogen could only be generated if a significant fraction of fuel melted. Further, to be conservative, it was assumed this molten fuel would melt through the bottom head of the vessel. Thus, a situation in which large amounts of hydrogen could be trapped in the vessel was never encountered.
Any analysis should be done in the most realistic way, using, at any step, the most probable assumptions, except for adding, at the end, for conservatism, a generous safety factor to the result, following the indications of an uncertainty analysis. In this process, it is, moreover, very useful to have the best estimate analysis followed by an analysis of the sensitivity of the result to variation in the assumed parameters.
References
NEA (1995) ‘Summary and conclusions’, Specialist Meeting on Severe Accident Management Implementation, NEA/CSNI/R(95)16, Niantic, CT, 12–14 June.
OECD (1994) ‘Three Mile Island reactor pressure vessel investigation project’, Paris.
Chapter 28 When can we say that a particular plant is safe?
Putting the title of this chapter another way: Is it possible to conclude that a nuclear plant is safe and, if it is, what are the conditions which make this conclusion possible? The answer to the first sub-question is: ‘Yes, it is possible’. The conditions for such a conclusion to be valid are:
- The plant has been conceived and built within a legal framework that provides for the regulation of nuclear activities and for the clear assignment of safety responsibilities.
- The plant site has been chosen by a competent organization, following the stringent safety and radiation protection criteria internationally available and in the spirit of trying to have the site problems solved in the most natural way by the choice made, without putting the burden to compensate for possible specific deficiencies on the plant design.
- The decision process has been submitted with a positive result to the examination of an independent control body, competent and accurate, without overcoming the limits of good common sense.
- The plant has been conceived, designed and built following the best internationally available criteria and standards important for safety and for radiation protection, utilizing a QA programme which ensures the correctness of the process, by competent, cautious and accurate organizations, provided with all the technical, management and financial means necessary to obtain an excellent result.
- The whole process has been submitted to the surveillance of an independent and highly competent technical control body, capable, with the cooperation of the plant builder, and as far as possible, of foreseeing the possible technical licensing problems before it is too late to solve them.
- All the organizations involved in the construction, the control and the operation of the plant are permeated by a genuine safety culture, which puts safety first in the scale of values the plant must demonstrate to have.
- All the members of the organizations involved have been trained to the best professional standards with continuing professional development schemes.
- The operation is performed in connection with national and international organizations which have the aim of collecting and disseminating operating experience thoroughly and quickly.
- The plant is operated within an industrial system provided with a sufficient reserve of electric power or other commodity produced by the plant, in such a way that, when necessary for sufficient safety reasons, the plant can be stopped and maintained even for a time period of months.
- Working conditions for plant operators are conducive to solving problems. The psychological atmosphere in the plant is marked by alacrity and by serenity at the same time, in order to facilitate the adequate examination and solution of the problems and doubts evidenced by the plant operation.
Chapter 29 The limits of nuclear safety: the residual risk
29-1. Risk in general
Some data on the risk levels of interest cannot be omitted from a book on nuclear safety. First of all, apologies are presented to the reader because some sentences among the following ones may appear disturbing and cynical: on the other hand, the risk treatments must necessarily mention casualties with the cold attitude which is intrinsic in any statistical/probabilistic treatment while the idea of death is, for the majority of us, disquieting and problematic, for some even unbearable and for very few serene. Risk is generally defined as the likelihood that some harm might happen (HSE, 1992). In quantitative evaluations risk is defined as the probability that some negative event happens. So, for example, when it is said that a certain activity entails a death risk of 10⁻⁴ (which may be referred to the entire duration of the activity or to a defined time period which should be specified, for example one year), it is meant that whoever performs that activity has a probability of dying as a consequence of it equal to 0.0001 in the specified period. In other words, on the average, for every 10 000 people performing that activity, one will die in the reference period.
29-2. Risk concepts and evaluations in nuclear installation safety
29-2-1. Tolerable risk
The concept of tolerable risk for nuclear power stations was introduced for the first time in the report of the Sizewell B public inquiry (HSE, 1988/1992) in the UK, in which tolerable levels of individual and social risk to workers and public were mentioned. ‘Tolerability’ does not mean acceptability. A risk is defined as ‘acceptable’ when it has to be taken as it is. The concept of tolerable risk can be applied to a risk which can be lived with in view of the accompanying benefits of the activity which cause it. Moreover the risk has to be kept under review and, if possible, still further reduced. Figure 29-1 illustrates the idea of tolerable risk in relation to the concept of ALARP (As Low As Reasonably Practicable – the UK expression substantially equivalent to ALARA; see Chapter 7). The implementation of the Tolerability Principle or Criterion implies the availability of instruments for performing the evaluation of costs and benefits of a certain decision concerning safety measures. A cost–benefit analysis has to be made for decisions concerning the adoption of additional safety measures. Since one of the main benefits to be examined is the saving of human lives, it can be understood how conceptually difficult it is to quantify this benefit, since everybody refuses to define a monetary value of the human life. As it is clearly stated in USNRC (2000), no mechanistic ‘rule book’ for cost–benefits analyses involving human life or permanent detriment to a person can be defined. However, since a cost–benefit analysis, in principle, appears the logical way to proceed for delicate decisions, a flexible, pragmatic and informed attitude should be maintained when performing it. A useful tool in this exercise has been identified by observing what people are able to accept as a small additional risk of death or other harm to themselves in return for financial and other benefits. From these data, a human life value can be inferred by statistical treatment. This exercise has resulted in minimum statistical values for human life exceeding €1 m at time of writing. Timing of danger (immediate or deferred danger) and type of danger (dreadfulness of imagined situations) are also important factors in these analyses. Determining the additional cost of safety measures is also difficult, but it is, however, a conceptually simpler task than the evaluation of the benefit of additional safety measures.
Figure 29-1. Levels of risk and ALARP (ALARA).
- Unacceptable region: Risk cannot be justified except in extraordinary circumstances.
- The ALARP (ALARA) or tolerability region (risk is undertaken only if benefit is desired): Tolerable only if risk reduction is impracticable or its cost is grossly disproportionate to the improvement gained; tolerable if cost of reduction would exceed the improvement gained.
- Broadly accepted region (No need of detailed working to demonstrate ALARP (ALARA)): Necessary to maintain assurance that risk remains at this level.
29-2-2. Risk-informed decisions
Risk-informed regulation by the USNRC has gained momentum in the last few years and has produced remarkable results (USNRC, 2000; AR443–AR446). The USNRC’s policy for implementing risk-informed regulation was expressed in the 1995 policy statement on the use of probabilistic risk assessment (PRA) methods in nuclear regulatory activities. The policy statement says: The use of PRA technology should be increased in all regulatory matters to the extent supported by the state-of-the-art in PRA methods and data and in a manner that complements the NRC’s deterministic approach and supports the NRC’s traditional defence-in-depth philosophy.
Since adequate protection is presumably provided by existing regulations, the NRC has determined that, for nuclear power plants and fuel cycle facilities, proposed safety improvements beyond adequate protection should be adopted only if they provide ‘substantial’ additional protection and the direct and indirect costs are justified. In the nuclear reactor safety arena, regulatory analysis guidelines and backfitting analysis guidelines have been developed for assessing a ‘substantial’ improvement and calculating the cost–benefit trade-off. In the nuclear materials safety arena, the NRC has directed the staff to develop similar guidelines for fuel cycle facilities. Risk-informed requirements must maintain reasonable assurance of adequate protection. A challenge in the transition to risk-informed regulation will be to maintain an acceptable level of safety while (1) improving efficiency, effectiveness, and realism in agency decisions, practices, and processes, (2) increasing public confidence in the agency, and (3) reducing unnecessary regulatory burden on licensees.
Since risk information is to be used to complement the traditional deterministic approach, risk-informed activities must preserve certain key factors of the deterministic approach. Among these factors are the fundamental safety principles of defence-in-depth, safety margins, the principle of ALARA, radiation protection, and the agency’s safety goals. The NRC has used these principles in its regulatory programmes to maintain acceptable risk levels. They ensure that the nuclear industry is safe. In risk-informing its requirements and practices, the NRC must use these principles to complement risk information in ensuring that regulations focus on the issues important to safety and account for uncertainties affecting regulatory decisions. In the NRC view, risk assessment insights will make regulatory decisions more effective and efficient and will reflect realism.
29-3. Residual risk: the concept of loss-of-life expectancy
One way of expressing the death risk connected to a certain activity is to indicate the years or the days of life lost on average (loss-of-life expectancy (LLE) or years of lost life (YOLL)) by the individuals considered as a consequence of that activity. It is clear how one measure can be converted into the other one. If for a person the additional death risk (due to the exposure to the considered activity) is $10^{-4}$ per year and if the average life in the absence of this activity is 75 years (which corresponds to an average death risk of $1/75 = 0.01333$ year$^{-1}$), then the new average death risk will be $(0.01333 + 0.0001)$, or $0.01343$ year$^{-1}$, equal to $1/74.46$. The life lost on average for that risk is roughly 0.54 years ($= 365 \times 0.54 = 197$ days). This calculation is inaccurate because the natural death risk is not uniformly distributed over the life span. In order to account for this, the following approximate formula can be used:

$$\mathrm{LLE} = 1.1 \times 10^{6}\, r \ \text{(days)} \qquad (r < 10^{-3}), \tag{29.1}$$

where $r$ is the risk per year ($= 10^{-4}$ in the preceding example). For the example given, Equation 29.1 gives an average life reduction of 110 days. If the considered risk refers to the working activity, say between the ages of 20 and 65 years, the value given by the formula must be approximately halved.
No human activity is immune from risk, and many activities also entail a definite risk of death. Nuclear plants are no exception, even if this activity is, for the workers of the related plants and for the population near them, less risky than other energy-producing plants and incomparably less risky than many other human activities.
29-4. Risk from various energy sources
This issue has been studied at length during the years when the nuclear controversy was at its maximum level. Table 29-1 shows the ‘external’ costs, that is the costs connected with the effects on the environment, of energy generation for various energy systems in the EU. The value of life for statistical uses applicable in the EU has been taken equal to €3.1 m. Consistent values have been assumed for various other health damages. The data are essentially from the EU EXTERNE (Externalities for Energy) programme published in recent years and from other recent European sources (e.g. University of Stuttgart, Institute for Energy Economy and for rational uses of Energy). The total costs also include those of global warming, at the low estimate of (€2.4 t$^{-1}$ CO$_2$) and high estimate of (€16.4 t$^{-1}$ CO$_2$). For nuclear plants the radiological effects have been considered too (1.07 YOLL TWh$^{-1}$), as well as the energy consumption (8.9 YOLL TWh$^{-1}$) due to the fuel cycle, on the assumption that the needed electric energy is that produced in Germany with the present ‘mix’ of sources. If the assumption had been made that the electric energy for the cycle was of nuclear origin, the YOLL estimate would have been lower by an order of magnitude.

Table 29-1. External costs of energy generation by various systems (emission costs corresponding to the 15 member states of the EU before April 2004). (Strupczewski 2001)

| Energy source | Loss-of-life duration (YOLL TWh$^{-1}$) | Health costs (meuro kWh$^{-1}$) | Total costs (meuro kWh$^{-1}$) |
| German coal | 58.4 | 4.85 | 7.18–20.45 |
| Polish coal | 118 | 9.75 | 12.25–26.95 |
| German lignite | 90.6 | 7.48 | 10.05–25 |
| Russian natural gas | 43.2 | 3.56 | 4.56–10.4 |
| German natural gas | 27 | 2.23 | 3.21–8.95 |
| Biomass (wood) | 26.5 | 2.18 | 2.18 |
| River hydro (500 kW plants) | 7.5 | 0.62 | 0.7–1.19 |
| Wind (1.5 MW) | 8.7 | 0.72 | 0.82–1.41 |
| Solar (polycrystalline cells) | 59.4 | 4.8 | 5.62–10.44 |
| Nuclear plants with reprocessing | 10 | 0.82 | 0.86–1.1 |
29-5. Risk to various human activities
This issue too has been studied in depth. Figure 29-2 (courtesy of the Health Physics Society) (Cohen, 1991) gives a measure of the risk in terms of thousands of years of life expectancy lost for various reasons.

Figure 29-2. Thousands of days of life expectancy lost for various reasons in the USA. Reproduced and modified from Fig. 32-2 ‘Catalog of risks extended and updated’ by B.L. Cohen, published in Health Physics Vol. 61-3, 1991, published by Health Physics Society.
[Bar chart; axis marked 0.0001, 0.001, 0.01, 0.1, 1. Causes listed, in the order shown: Alcoholic; Poverty; Smoke (M); Poor social connections; Heart disease; Cancer; 20% overweight; Orphaned as child; Motor vehicle accidents; Suicide; Murder; Air pollution; AIDS; Spouse smoking; Radon; Pesticides; Radiation worker; Drowning; Drinking water; Fires and burns; Poison; Natural hazards; Bicycle; Electrocution; Hazardous waste; Nuclear power (antinuclears); Milk (½ litre per day); Living close to a nuclear plant; Charcoal broiled steak (2 hectograms per week); Nuclear power (Government estimates, average in USA).]

29-6. Are the risk analyses of nuclear power plants credible?
Here are some risk data for nuclear power plants:
- The maximum individual death risk for a nuclear power plant in normal operation and for the most exposed individual of the population is of the order of $10^{-7}$–$10^{-6}$ per year.
- The death risk for accidents and for the most exposed individual of the population is, as a maximum, of the order of $5 \times 10^{-7}$ per year for currently operating plants (unfortunately, an exception must be made for the RBMK plants, for which the risk is still, even after the modifications made, probably higher). For plants which would be built now, it is possible to believe in a decrease of the risk by one or two orders of magnitude.
The safety objectives (safety goals) valid in the USA can be concisely expressed in the following way:
- core melt: $10^{-4}$ y$^{-1}$;
- prompt death risk near the plant, for accidents: 0.1 per cent of that for normal accidents (i.e. $0.1\% \times 5 \times 10^{-4}$ y$^{-1}$);
- death risk for normal plant operation: 0.1 per cent of the death risk for other cancer causes (i.e. about $0.1\% \times 2 \times 10^{-3}$ y$^{-1}$).
The values suggested by INSAG (safety advisory body for the IAEA director) are $10^{-5}$ y$^{-1}$ for the target core melt probability and 10 times less for the risk of a large release from the plant due, for example, to major damage to the containment (see Chapter 1).
As can be seen, both the risk objectives and the risk analyses on existing plants are reassuring, but, it is frequently asked, how reliable are these analyses? How much can the inevitable uncertainties in data and methods influence the results? Is it possible that some accident sequence has been forgotten in performing a probabilistic analysis? All the available information, including the analyses made before the Three Mile Island accident and the sequence of events in the accident itself, indicates that a corrective factor is embedded in the risk probabilities: this corrective factor might be identified in the redundancy of the protections adopted in the plants (defence in depth) and in the vastness of the field of theoretical possibilities of accident explored, by definition, in the probabilistic analyses. In simple words, even if a precise accident sequence has been forgotten in a specific probabilistic analysis, some other sequence would exist among those studied which is similar to it and that has been taken into account. It is for this reason that, even if many correctly hesitate in relying only on probabilistic safety criteria, a general agreement exists on the reliability of the probabilistic risk analyses as a tool for comparing different situations.
29-7. Proliferation and terrorism
These issues are outside the specific scope of this book but have been mentioned throughout in passing. The fight against proliferation is an organization and international control problem, with some important technical aspects, overseen by the IAEA. The possibility of terrorist use of nuclear substances, either of those connected with the energy cycle or of those for industrial and medical uses, is similarly a problem of national and of international control, besides being a matter of careful management of the plant or of the laboratory which uses these substances.

References
Cohen, B.L. (1991) ‘Catalog of risks extended and updated’, Health Physics, 61(3).
HSE (1988/1992) Report of the Sizewell B public inquiry. London: HMSO.
HSE (1992) The tolerability of risk from nuclear power stations. London: HMSO.
USNRC (2000) ‘Risk-informed regulation implementation plan’, SECY-00-0213.
Strupczewski, A. (2001) Environmental and health impact of energy sources, International Conference on E. Fermi and Nuclear Energy, Pisa, Italy, October 2001.
Additional references
Essential references specifically related to each chapter of this book have been listed at the end of each chapter. However, these additional references give the reader a wider choice of documents. The references are grouped as follows:
IAEA: International Atomic Energy Agency
OECD: Organization for Economic Cooperation and Development
NRC: United States Nuclear Regulatory Commission
MISC: for references of other sources
IAEA references
Nuclear safety standards series
Safety fundamentals AR1 The safety of nuclear installations, No. 10, 19 July 1993. AR2 Radiation protection and the safety of radiation sources: A safety fundamental, Jointly sponsored by FAO, ILO, OECD/NEA, PAHO, WHO, No. 120, 23 February 1996. AR3 Principles of radioactive waste management safety fundamentals, No. 111-F, 17 September 1995.
Legal and governmental framework AR4 Legal and governmental infrastructure for nuclear, radiation, radioactive waste and transport safety, GS-R-1, 31 October 2000. AR5 Organization and staffing of the regulatory body for nuclear facilities, GS-G-1.1, 23 September 2002. AR6 Review and assessment of nuclear facilities by the regulatory body, GS-G-1.2, 23 September 2002. AR7 Regulatory inspection of nuclear facilities and enforcement by the regulatory body, GS-G-1.3, 27 September 2002. AR8 Documentation for use in regulating nuclear facilities, GS-G-1.4, 27 September 2002.
Emergency preparedness and response AR9 Preparedness and response for a nuclear or radiological emergency. Jointly sponsored by FAO, ILO, OECD/NEA, PAHO, OCHA, WHO, GS-R-2, 25 November 2002. AR10 Preparedness of public authorities for emergencies at nuclear power plants, 50-SG-G6, 25 February 1982. AR11 Preparedness of the operating organization (licensee) for emergencies at nuclear power plants, 50-SG-O6, 3 March 1982. AR12 On-site habitability in the event of an accident at a nuclear facility: Guidance for assessment and improvement, No. 98, 29 November 1989. AR13 Intervention criteria in a nuclear or radiation emergency, No. 109, 24 November 1994. AR14 Planning and preparing for emergency response to transport accidents involving radioactive material, TS-G-1.2 (ST-3), 29 August 2002.
Management systems AR15 Quality assurance for safety in nuclear power plants and other nuclear installations, Code and safety guides Q1-Q14, 50-C/SG-Q, 28 March 2001. Assessment and verification AR16 Format and content of the safety analysis report for nuclear power plants, GS-G-4.1, 27 May 2004. AR17 Safety assessment and verification for nuclear power plants, NS-G-1.2, 28 January 2002. AR18 Modifications to nuclear power plants, NS-G-2.3, 13 November 2001. AR19 Periodic safety review of nuclear power plants, NS-G-2.10, 12 September 2003. AR20 Safety assessment for near surface disposal of radioactive waste, WS-G-1.1, 23 September 1999. AR21 Safety assessment of research reactors and preparation of the safety analysis report, 35-G1, 19 December 1994. Site evaluation AR22 Site evaluation for nuclear installations, NS-R-3, 19 December 2003. AR23 External human induced events in site evaluation for nuclear power plants, NS-G-3.1, 19 July 2002. AR24 Dispersion of radioactive material in air and water and consideration of population distribution in site evaluation for nuclear power plants, NS-G-3.2, 23 April 2002. AR25 Evaluation of seismic hazards for nuclear power plants, NS-G-3.3, 21 March 2003. AR26 Meteorological events in site evaluation for nuclear power plants, NS-G-3.4, 16 July 2003. AR27 Flood hazard for nuclear power plants on coastal and river sites, NS-G-3.5, 18 March 2004. AR28 Safety aspects of foundations of nuclear power plants, 50-SG-S8, 20 November 1986. Radiation protection AR29 International basic safety standards for protection against ionizing radiation and for the safety of radiation sources, Co-sponsorship FAO, ILO, OECD/NEA, PAHO, WHO, No. 115, 21 March 1996. AR30 Occupational radiation protection, Co-sponsorship ILO, RS-G-1.1, 13 October 1999. AR31 Assessment of occupational exposure due to intakes of radionuclides, Co-sponsorship ILO, RS-G-1.2, 2 November 1999. 
AR32 Assessment of occupational exposure due to external sources of radiation, Co-sponsorship ILO, RS-G-1.3, 28 September 1999. AR33 Building competence in radiation protection and the safe use of radiation sources, Co-sponsorship ILO, PAHO, WHO, RS-G-1.4, 28 May 2001. AR34 Radiological protection for medical exposure to ionizing radiation, Co-sponsorship PAHO, WHO, RS-G-1.5, 23 April 2002. AR35 Application of the concepts of exclusion, exemption and clearance, RS-G-1.7, July 2004. Radioactive waste management AR36 Predisposal management of radioactive waste, including decommissioning, WS-R-2, 15 September 2000. AR37 Regulatory control of radioactive discharges to the environment, WS-G-2.3, 15 September 2000. AR38 Predisposal management of low and intermediate level radioactive waste, WS-G-2.5, 24 June 2003. AR39 Predisposal management of high-level radioactive waste, WS-G-2.6, 24 June 2003. AR40 Classification of radioactive waste, 111-G-1.1, 9 June 1994.
Decommissioning AR41 Predisposal management of radioactive waste, including decommissioning, WS-R-2, 15 September 2000. AR42 Decommissioning of nuclear power plants and research reactors, WS-G-2.1, 7 December 1999. AR43 Decommissioning of medical, industrial and research facilities, WS-G-2.2, 7 December 1999. AR44 Decommissioning of nuclear fuel cycle facilities, WS-G-2.4, 4 July 2001. Rehabilitation of contaminated areas AR45 Remediation of areas contaminated by past activities and accidents, WS-R-3, 19 December 2003. Transport of radioactive material AR46 Regulations for the safe transport of radioactive material, TS-R-1, 2004. AR47 Advisory material for the IAEA regulations for the safe transport of radioactive material, TS-G-1.1 (ST-2), 19 July 2002. AR48 Planning and preparing for emergency response to transport accidents involving radioactive material, TS-G-1.2 (ST-3), 29 August 2002. Nuclear power plant design AR49 Safety of nuclear power plants: Design, NS-R-1, 31 October 2000. AR50 Software for computer-based systems important to safety in nuclear power plants, NS-G-1.1, 14 November 2000. AR51 Safety assessment and verification for nuclear power plants, NS-G-1.2, 28 January 2002. AR52 Instrumentation and control systems important to safety in nuclear power plants, NS-G-1.3, 17 April 2002. AR53 Design of fuel handling and storage systems in nuclear power plants, NS-G-1.4, 12 September 2003. AR54 External events excluding earthquakes in the design of nuclear power plants, NS-G-1.5, 9 January 2004. AR55 Seismic design and qualification for nuclear power plants, NS-G-1.6, 20 November 2003. AR56 Protection against internal fires and explosions in the design of nuclear power plants, Safety guide, NS-G-1.7, 2004. AR57 Design of emergency power systems for nuclear power plants, Safety guide, NS-G-1.8, 2004. AR58 Design of the reactor coolant system and associated systems in nuclear power plants, Safety guide, NS-G-1.9, 2004. 
AR59 Design of reactor containment systems for nuclear power plants, Safety guide, NS-G-1.10, 2004. AR60 Protection against internal hazards other than fires and explosions in the design of nuclear power plants, Safety guide, NS-G-1.11, 2004. AR61 Design aspects of radiation protection for nuclear power plants, 50-SG-D9, 22 August 1985. AR62 Design of radioactive waste management systems at nuclear power plants, No. 79, 24 October 1986. AR63 Design of spent fuel storage facilities, No. 116, 23 February 1995. Nuclear power plants operation AR64 Safety of nuclear power plants: Operation, NS-R-2, 31 October 2000. AR65 Fire safety in the operation of nuclear power plants, NS-G-2.1, 15 September 2000. AR66 Operational limits and conditions and operating procedures for nuclear power plants, NS-G-2.2, 19 December 2000.
AR67 Modifications to nuclear power plants, NS-G-2.3, 13 November 2001. AR68 The operating organization for nuclear power plants, NS-G-2.4, 10 January 2002. AR69 Core management and fuel handling for nuclear power plants, NS-G-2.5, 30 July 2002. AR70 Maintenance, surveillance and in-service inspection in nuclear power plants, NS-G-2.6, 19 November 2002. AR71 Radiation protection and radioactive waste management in the operation of nuclear power plants, NS-G-2.7, 19 December 2002. AR72 Recruitment, qualification and training of personnel for nuclear power plants, NS-G-2.8, 17 December 2002. AR73 Commissioning for nuclear power plants, NS-G-2.9, 18 July 2003. AR74 Periodic safety review of nuclear power plants, NS-G-2.10, 12 September 2003. AR75 Decommissioning of nuclear power plants and research reactors, WS-G-2.1, 7 December 1999. AR76 Systems for reporting unusual events in nuclear power plants, No. 93, 14 April 1989. AR77 Operation of spent fuel storage facilities, No. 117, 7 February 1995.
Research reactors AR78 Decommissioning of nuclear power plants and research reactors, WS-G-2.1, 7 December 1999. AR79 Code on the safety of nuclear research reactors: Design, 35-S1, 14 January 1993. AR80 Code on the safety of nuclear research reactors: Operation, 35-S2, 14 January 1993. AR81 Safety assessment of research reactors and preparation of the safety analysis report, 35-G1, 19 December 1994. AR82 Safety in the utilization and modification of research reactors, 35-G2, 15 December 1994.
Fuel cycle facilities AR83 Decommissioning of nuclear fuel cycle facilities, WS-G-2.4, 4 July 2001. AR84 Design of spent fuel storage facilities, No. 116, 23 February 1995. AR85 Operation of spent fuel storage facilities, No. 117, 7 February 1995.
Radiation related facilities and activities AR85a Occupational radiation protection in the mining and processing of raw materials, RS-G-1.6, 2004. AR86 Management of radioactive waste from the mining and milling of ores, WS-G-1.2, 11 November 2002. AR87 Decommissioning of medical, industrial and research facilities, WS-G-2.2, 7 December 1999. AR88 Radiation safety of gamma and electron irradiation facilities, No. 107, 17 June 1992. Waste treatment and disposal facilities AR89 Near-surface disposal of radioactive waste, WS-R-1, 21 June 1999. AR90 Predisposal management of radioactive waste, including decommissioning safety requirements, WS-R-2, 15 September 2000. AR91 Safety assessment for near-surface disposal of radioactive waste, WS-G-1.1, 23 September 1999. AR92 Management of radioactive waste from the mining and milling of ores, WS-G-1.2, 11 November 2002. AR93 Design and operation of radioactive waste incineration facilities, Safety guide, No. 108, 12 October 1992. AR94 Siting of near-surface disposal facilities, 111-G-3.1, 1 December 1994. AR95 Siting of geological disposal facilities, 111-G-4.1, 9 June 1994.
Safety reports AR96 Methods for assessing occupational radiation doses due to intakes of radionuclides, No. 37, 17 August 2004. AR97 Safety considerations in the transition from operation to decommissioning of nuclear facilities, No. 36, 11 May 2004. AR98 Surveillance and monitoring of near-surface disposal facilities for radioactive waste, No. 35, 12 October 2004. AR99 Radiation protection and the management of radioactive waste in the oil and gas industry, No. 34, 19 February 2004. AR100 Radiation protection against radon in workplaces other than mines, No. 33, 19 February 2004. AR101 Implementation of accident management programmes in nuclear power plants, No. 32, 1 June 2004. AR102 Managing the early termination of operation of nuclear power plants, No. 31, 20 October 2003. AR103 Accident analysis for nuclear power plants with pressurized water reactors, No. 30, 19 November 2003. AR104 Accident analysis for nuclear power plants with pressurized heavy water reactors, No. 29, 19 November 2003. AR105 Seismic evaluation of existing nuclear power plants, No. 28, 4 June 2003. AR106 Monitoring and surveillance of residues from the mining and milling of uranium and thorium, No. 27, 30 January 2003. AR107 Safe enclosure of nuclear facilities during deferred dismantling, No. 26, 6 January 2003. AR108 Review of probabilistic safety assessments by regulatory bodies, No. 25, 12 December 2002. AR109 Communication planning by the nuclear regulatory body, No. 24, 20 August 2002. AR110 Accident analysis for nuclear power plants, No. 23, 22 November 2002. AR111 Quality standards: Comparison between IAEA 50-C/SG-Q and ISO 9001:2000, No. 22, 25 March 2002. AR112 Optimization of radiation protection in the control of occupational exposure, No. 21, 15 February 2002. AR113 Training in radiation protection and the safe use of radiation sources, No. 20, 25 October 2001. AR114 Generic models for use in assessing the impact of discharges of radioactive substances to the environment, No. 19, 28 September 2001. AR115 Indirect methods for assessing intakes of radionuclides causing occupational exposure, No. 18, 16 June 2000. AR116 Lessons learned from accidental exposures in radiotherapy, No. 17, 10 April 2000. AR117 Calibration of radiation protection monitoring instruments, No. 16, 7 March 2000. AR118 Implementation and review of a nuclear power plant ageing management programme, No. 15, 7 May 1999. AR119 Assessment of doses to the public from ingested radionuclides, No. 14, 29 July 1999. AR120 Radiation protection and safety in industrial radiography, No. 13, 10 March 1999. AR121 Evaluation of the safety of operating nuclear power plants built to earlier standards – a common basis for judgement, No. 12, 18 December 1998. AR122 Developing safety culture in nuclear activities – practical suggestions to assist progress, No. 11, 18 December 1998. AR123 Treatment of internal fires in probabilistic safety assessment for nuclear power plants, No. 10, 4 November 1998. AR124 Safe handling and storage of plutonium, No. 9, 30 October 1998. AR125 Preparation of fire hazard analyses for nuclear power plants, No. 8, 28 September 1998.
Technical documents AR126 Remediation of sites with dispersed radioactive contamination, No. 424, 2004. AR127 Management of waste containing tritium and carbon-14, No. 421, 15 September 2004. AR128 Transition from operation to decommissioning of nuclear installations, No. 420, 14 June 2004. AR129 Extent of environmental contamination by naturally occurring radioactive material (NORM) and technological options for mitigation, No. 419, 9 January 2004. AR130 Considerations in the development of near-surface repositories for radioactive waste, No. 417, 26 August 2003. AR131 Scientific and technical basis for the geological disposal of radioactive wastes, No. 413, 27 February 2003. AR132 Methods for the minimization of radioactive waste from decontamination and decommissioning of nuclear facilities, No. 401, 5 July 2001. AR133 Introduction of nuclear desalination: A guidebook, No. 400, 6 February 2001. AR134 Quality assurance for software important to safety, No. 397, 15 December 2000. AR135 Design measures to facilitate implementation of safeguards at future water-cooled nuclear power plants, No. 392, 12 January 1999. AR136 Review of fuel failures in water-cooled reactors, No. 388, 6 August 1998. AR137 Modern instrumentation and control for nuclear power plants: A guidebook, No. 387, 1 September 1999. AR138 Characterization of radioactive waste forms and packages, No. 383, 7 March 1997. AR139 Nuclear power plant personnel training and its evaluation: A guidebook, No. 380, 14 June 1996. AR140 Design and performance of WWER fuel, No. 379, 11 November 1996. AR141 Accident management programmes in nuclear power plants: A guidebook, No. 368, 13 July 1994. AR142 Reactivity accidents, No. 354, 23 April 1993. AR143 Performance of engineered barriers in deep geological repositories, No. 342, 25 November 1992. AR144 Grading of quality assurance requirement: A manual, No. 328, 23 October 1991. AR145 Gas-cooled reactor design and safety, No. 312, 8 June 1990. AR146 Natural analogues in performance assessments for the disposal of long-lived radioactive wastes, No. 304, 13 October 1989. AR147 Flow-induced vibrations in liquid metal fast breeder reactors, No. 297, 1 June 1989. AR148 Handling and storage of high-level radioactive liquid wastes requiring cooling, No. 191, 19 March 1979.
TECDOCS AR149 Precursor analyses – The use of deterministic and PSA-based methods in the event investigation process at nuclear power plants, No. 1417, 1 November 2004. AR150 Use of control room simulators for training of nuclear power plant personnel, No. 1411, 18 November 2004. AR151 Management of life cycle and ageing at nuclear power plants: Improved I&C maintenance, No. 1402, 25 October 2004. AR152 Status of advanced light water reactor designs 2004, No. 1391, 29 July 2004. AR153 Analysis of differences in fuel safety criteria for WWER and Western PWR nuclear power plants, No. 1381, 22 December 2003. AR154 Considerations in the development of safety requirements for innovative reactors: Application to modular high temperature gas-cooled reactors, No. 1366, 30 July 2003. AR155 Managing human resources in the nuclear power industry: Lessons learned, No. 1364, 17 July 2003.
AR156 Incorporation of advanced accident analysis methodology into safety analysis report, No. 1351, 2 June 2003. AR157 Consideration of external events in the design of nuclear facilities other than nuclear power plants, with emphasis on earthquakes, No. 1347, 15 April 2003. AR158 Configuration management in nuclear power plants, No. 1335, 13 February 2003. AR159 Earthquake experience and seismic qualification by indirect methods in nuclear installations, No. 1333, 5 February 2003. AR160 Safety culture in nuclear installations: Guidance for use in the enhancement of safety culture, No. 1329, 3 December 2002. AR161 Self-assessment of safety culture in nuclear installations: Highlights and good practices, No. 1321, 26 November 2002. AR162 Verification of analysis methods for predicting the behaviour of seismically isolated nuclear structures, No. 1288, 9 July 2002. AR163 Present and future environmental impact of the Chernobyl accident, No. 1240, 28 August 2001. AR164 Safety aspects of nuclear plants coupled with seawater desalination units, No. 1235, 13 August 2001. AR165 Regulatory review of probabilistic safety assessment (PSA) Level 2, No. 1229, 17 July 2001. AR166 Seismic evaluation of existing nuclear facilities, No. 1202, 6 March 2001. AR167 Applications of probabilistic safety assessment (PSA) for nuclear power plants, No. 1200, 16 March 2001. AR168 Current status and future development of modular high temperature gas-cooled reactor technology, No. 1198, 11 April 2001. AR169 Mitigation of hydrogen hazards in water-cooled power reactors, No. 1196, 28 March 2001. AR170 Benchmark study for the seismic analysis and testing of WWER-type NPPs, No. 1176, 31 October 2000. AR171 Probabilistic safety assessments of nuclear power plants for low power and shutdown modes, No. 1144, 15 March 2000. AR172 Regulatory review of probabilistic safety assessment (PSA) Level 1, No. 1135, 17 February 2000. AR173 Use of operational experience in fire safety assessment of nuclear power plants, No. 1134, 4 February 2000. AR174 Simplified approach to estimating reference source terms for LWR designs, No. 1127, 7 December 1999. AR175 Root cause analysis for fire events at nuclear power plants, No. 1112, 22 September 1999. AR176 Hydrogen as an energy carrier and its production by nuclear power, No. 1085, 3 June 1999. AR177 Implementation of Defence in Depth for next generation light water reactors, No. 986, 21 November 1997. AR178 Defence in Depth in nuclear safety, No. 10, 26 September 1996.
INSAG AR179 Independence in regulatory decision-making, No. 17, 29 January 2004. AR180 Maintaining knowledge, training and infrastructure for research and development in nuclear safety, No. 16, 29 January 2004. AR181 Maintaining the design integrity of nuclear installations throughout their operating life, No. 19, 5 February 2004. AR182 Managing change in the nuclear industry: The effects on safety, No. 18, 5 February 2004. AR183 Key practical issues in strengthening safety culture (including booklet), No. 15, 28 October 2002. AR184 Maintaining knowledge, training and infrastructure for research and development in nuclear safety, Note No. 4, 10 September 2001.
AR185 Basic safety principles for nuclear power plants, 75-INSAG-3 Rev. 1, No. 12, 7 December 1999. AR186 The safe management of sources of radiation: Principles and strategies, No. 11, 9 September 1999. AR187 Developing safety culture in nuclear activities: Practical suggestions to assist progress, No. 11, 18 December 1998. AR188 Examples of safety culture practices, No. 1, 21 January 1998. AR189 Potential exposure in nuclear safety, INSAG-9 (Russian edition), 11 July 1996. AR190 The Chernobyl accident: Updating INSAG-1, No. 7, 11 January 1993. AR191 The safety of nuclear power (a report by the international nuclear safety advisory group), No. 5, 27 February 1992. AR192 Safety culture (a report by the international nuclear safety advisory group), No. 4, 15 February 1991. AR193 Radionuclide source terms from severe accidents to nuclear power plants with light water reactors, No. 2, 18 March 1987. AR194 Summary report on the post-accident review meeting on the Chernobyl accident, No. 1, 2 October 1986.
Accidents AR195 AR196 AR197
The international Chernobyl project. An overview, 6 January 1993. Technical report, 14 September 1991. The international Chernobyl project: Surface contamination maps, 17 May 1991. The radiological accident in Goiânia, 16 September 1988.
OECD references
For additional information and procurement, please visit www.oecd.org/bookshop.
AR198 Nuclear competence building, Nuclear Development, 11 November 2004.
AR199 Debris impact on emergency coolant recirculation: Workshop proceedings, Albuquerque, NM, 25–7 February 2004.
AR200 Analytical study: Regulatory and institutional framework for nuclear activities 2002 and 2003 updates, Nuclear Legislation, 5 November 2004.
AR201 Analytical study SET: Including 2001 to 2003 updates, Nuclear legislation, 5 November 2004.
AR202 Computing radiation dosimetry, CRD 2002, Nuclear science, Workshop proceedings, Sacavém, Portugal, 22–3 June 2002.
AR203 Stakeholder participation in radiological decision-making: Processes and implications, Radiation Protection, 3rd. workshop, Villigen, Switzerland, 21–3 October 2003.
AR204 Nuclear Law Bulletin: June, No. 73, Volume 2004, Issue 1, 30 July 2004.
AR205 Strategy selection for the decommissioning of nuclear facilities, Radioactive waste management, Seminar proceedings, Tarragona, Spain, 1–4 September 2003.
AR206 Shielding aspects of accelerators, targets and irradiation facilities, SATIF 6, Nuclear Science, Workshop proceedings, Stanford, CA, 10–12 April 2002.
AR207 NEA News, 22(1), 2004.
AR208 ‘Croatia: Act on nuclear safety’, Nuclear Law Bulletin, June No. 73 Volume 2004, Supplement 1, promulgated on 21 October 2003.
AR209 Uranium 2003: Resources, Production and Demand, 7 July 2004.
AR210 Nuclear Energy Data: 2004 Edition, Données sur l’énergie nucléaire: Edition 2004. 18 June 2004.
AR211 Geological disposal: Building confidence using multiple lines of evidence, Radioactive Waste Management, 1st. AMIGO workshop proceedings. Yverdon-les-Bains, Switzerland, 3–5 June 2003.
AR212 Basic studies in the field of high-temperature engineering, Nuclear Science, 3rd. Information Exchange Meeting, Ibaraki-ken, Japan, 11–12 September 2003.
AR213 Nuclear production of hydrogen, Nuclear Science, 2nd. Information Exchange Meeting, Argonne, IL, 2–3 October 2003.
AR214 Large-scale disasters: Lessons learned, 30 April 2004.
AR215 In Central and Eastern Europe and the NIS: 2003, Nuclear Legislation, Overview, 27 April 2004.
AR216 Government and nuclear energy, 22 April 2004.
AR217 The regulatory control of radioactive waste management, Radioactive Waste Management, Overview of 15 NEA member countries, 31 March 2004.
AR218 NEA News, 21(2), 14 January 2004.
AR219 The future policy for radiological protection, Radiation Protection, Workshop proceedings, Lanzarote, Spain, 2–4 April 2003.
AR220 Nuclear Law Bulletin, No. 72 Issue 2, December 2003.
AR221 ‘Switzerland acts on nuclear energy’, Nuclear Law Bulletin, No. 72 Supplement 2, 21 March 2003.
AR222 Public confidence in the management of radioactive waste: The Canadian context, Radioactive Waste Management, Workshop proceedings, Ottawa, 14–18 October 2002.
AR223 Decommissioning nuclear power plants: Policies, strategies and costs, Nuclear Development.
AR224 Nuclear energy today, Nuclear Development, 11 August 2003.
AR225 NEA News, 21(1), 21 July 2003.
AR226 Engineered barrier systems (EBS) in the context of the entire safety case, Radioactive Waste Management, Workshop proceedings, Oxford, 25–7 September 2002.
AR227 ‘Bulgaria act on the safe use of nuclear energy’, Nuclear Law Bulletin, June No. 71 Vol. 2003, Supplement 1, as last amended on 29 December 2002.
AR228 ‘Nuclear energy data: 2003 Edition’, Nuclear Law Bulletin, June No. 71 Vol. 2003. Issue 1.
AR229 Données sur l’énergie nucléaire: Edition 2003, 6 June 2003.
AR230 Utilization and reliability of high power proton accelerators, Nuclear Science, Workshop proceedings, Santa Fe, NM, 12–16 May 2002.
AR231 Indemnification of damage in the event of a nuclear accident, Workshop proceedings, Paris, 26–8 November 2001. (Indemnisation des dommages en cas d’accident nucléaire.)
AR232 Physics of plutonium recycling, Nuclear Science, Vol. VII: BWR MOX, Benchmark specification and results.
AR233 Radiological protection of the environment: The path forward to a new policy? Radiation Protection, Workshop proceedings, Taormina, Sicily, 12–14 February 2002.
AR234 NEA News, 20(2), 15 January 2003.
AR235 Nuclear Law Bulletin, December, No. 70, Volume 2002, Issue 2.
AR236 ‘Germany act on the peaceful utilization of atomic energy and the protection against its hazards (Atomic Energy Act)’, Nuclear Law Bulletin, Volume 2002, Supplement 2 to No. 70 as last amended on 22 April 2002.
AR237 The handling of timescales in assessing post-closure safety of deep geological repositories, Radioactive Waste Management, Workshop proceedings, Paris, 16–18 April 2002.
AR238 Physics of plutonium recycling: Multiple plutonium recycling in advanced PWRs, Nuclear Science, Vol. VI: 31 October 2002.
AR239 Stepwise decision-making in Finland for the disposal of spent nuclear fuel, Radioactive Waste Management, Workshop proceedings, Turku, Finland, 15–16 November 2001.
AR240 Advanced reactors with innovative fuels, Nuclear Science, Workshop proceedings, Chester, UK, 22–4 October 2001.
AR241 The use of thermodynamic databases in performance assessment, Data Bank, Workshop proceedings, Barcelona, 29–30 May 2001.
AR242 Uranium 2001: Resources, Production and Demand, 16 August 2002.
AR243 Basic studies in the field of high-temperature engineering, Nuclear Science, 2nd. Information Exchange Meeting, Paris, 10–12 October 2001.
AR244 Advanced nuclear reactor safety issues and research needs, Workshop proceedings, Paris, 18–20 February 2002.
AR245 Establishing and communicating confidence in the safety of deep geologic disposal: Approaches and arguments (Gestion des déchets radioactifs Etablir et faire partager la confiance dans la sûreté des dépôts en grande profondeur: Approches et arguments), Radioactive Waste Management, 30 May 2002.
AR246 Analytical study: Regulatory and institutional framework for nuclear activities, Nuclear Legislation, 2001 Update, 30 April 2002.
AR247 Environmental remediation of uranium production facilities, Nuclear Development, 27 February 2002.
AR248 Radionuclide retention in geologic media, Radioactive Waste Management, Workshop proceedings, Oskarshamn, Sweden, 7–9 May 2001.
AR249 Fission gas behaviour in water reactor fuels, Nuclear Science, Seminar proceedings, Cadarache, France, 26–9 September 2000.
AR250 Better integration of radiation protection in modern society, Radiation Protection, Workshop proceedings, Villigen, Switzerland, 23–5 January 2001.
AR251 Trends in the nuclear fuel cycle: Economic, environmental and social aspects, Nuclear Development, 06 February 2002.
AR252 Criteria technical review, Nuclear Fuel Safety, 14 December 2001.
AR253 Utilization and reliability of high power proton accelerators, Nuclear Science, Workshop proceedings, Aix-en-Provence, France, 22–4 November 1999.
AR254 Second international nuclear emergency exercise INEX 2: Final report of the Canadian regional exercise (Protection radiologique Deuxième exercice international d’urgence INEX 2: Rapport final sur l’exercice régional canadien), Radiation Protection, 04 September 2001.
AR255 Management of depleted uranium, Nuclear Development, 21 August 2001.
AR256 Scenario development methods and practice, Radioactive Waste Management. An evaluation based on the NEA workshop on scenario development, Madrid, May 1999.
AR257 Critical issues, Sustainable Development, 28 June 2001.
AR258 Nuclear production of hydrogen, Nuclear Science, 1st. Information Exchange Meeting, Paris, 2–3 October 2000.
AR259 Shielding aspects of accelerators, targets and irradiation facilities (SATIF 5), Nuclear Science, Workshop proceedings, Paris, 18–21 July 2000.
AR260 Policies to enhance sustainable development, 14 May 2001.
AR261 Investing in trust: Nuclear regulators and the public: Nuclear Regulation, Workshop proceedings, Paris, 29 November–1 December 2000.
AR262 Evaluation of speciation technology, Nuclear Science, Workshop proceedings, Tokai-mura, Ibaraki, Japan, 26–8 October 1999.
AR263 Using thermodynamic sorption models for guiding radioelement distribution coefficient (Kd) investigations: A status report, Radioactive Waste Management, 27 April 2001.
AR264 Gas generation and migration in radioactive waste disposal: Safety-relevant issues, Radioactive Waste Management, Workshop proceedings, Reims, 26–8 June 2000.
AR265 Second international nuclear emergency exercise INEX 2: Final report of the Hungarian regional exercise (Protection radiologique Deuxième exercice international d’urgence INEX 2: Rapport final sur l’exercice régional hongrois), Radiation Protection, 9 March 2001.
AR266 Pyrochemical separations, Nuclear Science, Workshop proceedings, Avignon, France, 14–16 March 2000.
AR267 Confidence in models of radionuclide transport for site-specific assessment, Radioactive Waste Management, Workshop proceedings, Carlsbad, NM, 14–17 June 1999.
AR268 Beneficial uses and production of isotopes, Nuclear Development, 2000 update, 10 January 2001.
AR269 Nuclear power plant life management in a changing business world, Nuclear Development, Workshop proceedings, Washington, D.C., 26–7 June 2000.
AR270 Second international nuclear emergency exercise INEX 2: Final report of the Finnish regional exercise (Protection radiologique Deuxième exercice international d’urgence INEX 2: Rapport final sur l’exercice régional finlandais), Radiation Protection, 4 December 2000.
AR271 Regulatory and institutional framework for nuclear activities, Nuclear Legislation, 24 October 2000.
AR272 In Central and Eastern Europe and the NIS: 2000 overview, Nuclear Legislation, 1 September 2000.
AR273 Geologic disposal of radioactive waste in perspective, 23 August 2000.
AR274 Porewater extraction from argillaceous rocks for geochemical characterization: Methods and interpretations, Radioactive Waste Management, 22 August 2000.
AR275 Nuclear education and training: Cause for concern? Nuclear Development, 16 August 2000.
AR276 Assuring nuclear safety competence into the twenty-first century, OECD Proceedings, Workshop proceedings, Budapest, 12–14 October 1999.
AR277 Uranium 1999: Resources, Production and Demand, 11 July 2000.
AR278 Regulatory reviews of assessments of deep geologic repositories: Lessons learnt (Gestion des déchets radioactifs Evaluation des dépôts géologiques profonds dans un contexte réglementaire: Enseignements tirés), Radioactive Waste Management, 11 May 2000.
AR279 Methodologies for assessing the economic consequences of nuclear reactor accidents, Radiation Protection, 19 April 2000.
AR280 Core monitoring for commercial reactors: Improvements in systems and methods, OECD Proceedings, Workshop proceedings, Stockholm, 4–5 October 1999.
AR281 Reform of civil nuclear liability: Budapest Symposium 1999 (Réforme de la responsabilité civile nucléaire: Symposium de Budapest 1999).
AR282 Monitoring and data management strategies for nuclear emergencies, Radiation Protection, 24 February 2000.
AR283 Business as usual and nuclear power, OECD Proceedings, a joint IEA/NEA meeting, 14–15 October 1999.
AR284 Geological disposal of radioactive waste: Review of developments in the last decade, Radioactive Waste Management, 18 January 2000.
AR285 Water-conducting features in radionuclide migration, Radioactive Waste Management, Workshop proceedings, Barcelona, 10–12 June 1998.
AR286 Back-end of the fuel cycle in a 1000 GWe nuclear scenario, OECD Proceedings, Workshop proceedings, Avignon, France, 6–7 October 1998.
AR287 Advanced reactors with innovative fuels, Nuclear Science, Workshop proceedings, Villigen, Switzerland, 21–3 October 1998.
AR288 Environmental activities in uranium mining and milling, 21 September 1999.
AR289 Utilization and reliability of high power proton accelerators, Nuclear Science, Workshop proceedings, Mito, Japan, 13–15 October 1998.
AR290 Glossary of nuclear power plant ageing (Glossaire du vieillissement des centrales nucléaires), 07 July 1999.
AR291 Shielding aspects of accelerators, targets and irradiation facilities, SATIF 4, OECD Proceedings, Workshop proceedings, Knoxville, TN, 17–18 September 1998.
AR292 Physics and fuel performance of reactor-based plutonium disposition, OECD Proceedings, Workshop proceedings, Paris, 28–30 September 1998.
AR293 Ion and slow positron beam utilization, OECD Proceedings, Workshop proceedings, Costa da Caparica, Portugal, 15–17 September 1998.
AR294 Low-level radioactive waste repositories: An analysis of costs, 02 February 1999.
AR295 Use of hydrogeochemical information in testing groundwater flow models, Radioactive Waste Management, Workshop proceedings, Borgholm, Sweden, 1–3 September 1997.
AR296 Beneficial uses and production of isotopes, 27 November 1998.
USNRC references
Regulatory Guides – Division 1 (Power reactors)
NRC regulatory guides are classified in the following Divisions:
1 Power reactors
2 Research and test reactors
3 Fuels and materials facilities
4 Environmental and siting
5 Materials and plant protection
6 Products
7 Transportation
8 Occupational health
9 Antitrust and financial review
10 General
Only the active guides of Division 1 and guides relevant to this book from other Divisions are listed here. The list of all guides and procurement information can be found in the web site: www.nrc.gov. (The symbol R means ‘Revision’.)
Division 1
AR298 1.1 Net positive suction head for emergency core cooling and containment heat removal system pumps (Safety guide 1), ML003739925, November 1970.
AR299 1.3 Assumptions used for evaluating the potential radiological consequences of a loss of coolant accident for boiling water reactors, Rev. 2, ML003739601, November 1970 (R:06/73, 06/74).
AR300 1.4 Assumptions used for evaluating the potential radiological consequences of a loss of coolant accident for pressurized water reactors, Rev. 2, ML003739614, November 1970 (R:06/1973, 06/1974).
AR301 1.5 Assumptions used for evaluating the potential radiological consequences of a steam line break accident for boiling water reactors (Safety guide 5), ML003739923, (R:03/1971).
AR302 1.6 Independence between redundant standby (on-site) power sources and between their distribution systems (Safety guide 6), ML003739924, (R:03/1971).
AR303 1.7 Control of combustible gas concentrations in containment following a loss of coolant accident, ML003739927, March 1971 (R:09/1976, 211/1978).
AR304 1.8 Qualification and training of personnel for nuclear power plants, Draft RS 807-5, Proposed revision 2, published February 1979, Draft RS807-5, Second proposed revision 2, published September 1980, Draft OL03-5, Third proposed revision 2, published January 1985, Draft DG-1012, Proposed revision 3, published September 1996, DG-1084, Second proposed revision 3, published March 1999 (Rev.2, ML003739928; Rev.3, ML003706932 03/1971) (R:09/1975, R:05/1977, 04/1987, 05/2000).
AR305 1.9 Selection, design, qualification, and testing of emergency diesel generator units used as Class 1E on-site electric power systems at nuclear power plants (Draft RS 802-5, Proposed revision 3, published 11/1988), (Draft DG-1021, Second proposed Revision 3, published 04/1992) (Rev.3, ML003739929, 03/1971), (R:11/1978, 12/1979, 07/1993).
AR306 1.11 Instrument lines penetrating primary reactor containment (Safety guide 11), Supplement to Safety guide 11, Backfitting considerations, ML003739934, March 1971.
AR307 1.12 Nuclear power plant instrumentation for earthquakes (Draft MS 140-5, Proposed revision 2, published 07/1981) (DG-1016, the Second proposed revision 2, published 11/1992) (DG-1033, the Second proposed revision 2, published 02/1995) (Rev.1, ML003739947; Rev.2, ML003739944) March 1971 (R:04/1974, 03/1997).
AR308 1.13 Spent fuel storage facility design basis (for comment) (Draft CE913-5, Proposed revision 2, published 12/1981) (Rev.1, ML003739943) March 1971 (R:12/1975).
AR309 1.14 Reactor coolant pump flywheel integrity (for comment) (Rev. 1, ML003739936) October 1971 (R:08/1975).
AR310 1.16 Reporting of operating information, Appendix A Technical specifications (for comment) (Rev.4, ML003739954) October 1971 (R:10/1973, 09/1974, 01/1975, 08/1975).
AR311 1.20 Comprehensive vibration assessment program for reactor internals during preoperational and initial startup testing (Rev. 2, ML003739957) December 1971 (R:06/1975, 05/1976).
AR312 1.21 Measuring, evaluating, and reporting radioactivity in solid wastes and releases of radioactive materials in liquid and gaseous effluents from light water-cooled nuclear power plants (Rev.1, ML3739960) December 1971 (R:06/1974).
AR313 1.22 Periodic testing of protection system actuation functions (Safety guide 22) February 1972.
AR314 1.23 On-site meteorological programs (Safety guide 23), ML020360030, (Draft SS 926-4, Proposed revision 1, published 09/1980) (Draft ES 926-4, Second proposed revision 1, published 04/1986, ML003739962) February 1972.
AR315 1.24 Assumptions used for evaluating the potential radiological consequences of a pressurized water reactor radioactive gas storage tank failure (Safety guide 24) March 1972.
AR316 1.25 Assumptions used for evaluating the potential radiological consequences of a fuel handling accident in the fuel handling and storage facility for boiling and pressurized water reactors (Safety guide 25) March 1972.
AR317 1.26 Quality group classifications and standards for water-, steam-, and radioactive-waste-containing components of nuclear power plants (for comment) (Rev.3, ML003739964) March 1972 (R:09/1974, 06/1975, 02/1976).
AR318 1.27 Ultimate heat sink for nuclear power plants (for comment) (Rev.2, ML003739969) March 1972 (R:03/1974, 01/1976).
AR319 1.28 Quality assurance program requirements (design and construction) (Rev.3, ML003739981) (Draft RS 002-5, Proposed revision 3, published 03/1981) (Draft DG-1010, Proposed revision 4, published 11/1992) June 1972 (R:03/1978, 02/1979, 08/1985).
AR320 1.29 Seismic design classification (Rev.3, ML003739983) June 1972 (R:08/1973, 02/1976, 09/1978).
AR321 1.30 Quality assurance requirements for the installation, inspection and testing of instrumentation and electric equipment (Safety guide 30) August 1972.
AR322 1.31 Control of ferrite content in stainless steel weld metal (Rev.3, ML003739986) August 1972 (R:06/1973, 05/1977, 304/1978).
AR323 1.32 Criteria for power systems for nuclear power plants (Rev.2, ML003739990) (DG-1079, Proposed revision 3, issued 04/2003, ML031280598) (Rev.3, ML040680488) August 1972 (R:03/1976, 02/1977, 03/2004).
AR324 1.33 Quality assurance program requirements (operation) (Draft RS 902-4, Proposed revision 3, published 08/1979) (Draft RS 902-4, Second proposed revision 3, published 11/1980) (Rev.2, ML003739995) November 1972 (R:02/1977, 02/1978).
AR325 1.34 Control of electroslag weld properties, ML003739997, December 1972.
AR325a 1.35 In-service inspection of ungrouted tendons in prestressed concrete containments (Rev.2, ML003740001) (Draft SC 810-4, Proposed revision 3, published 04/1979) (Rev.3, ML003740007) February 1973 (R:06/1974, 01/1976, 07/1990).
AR326 1.35 Determining prestressing forces for inspection of prestressed concrete containments (ML003740040) (Draft SC 807-4 published 04/1979) July 1990.
AR327 1.36 Non-metallic thermal insulation for austenitic stainless steel, ML003740046, February 1973.
AR328 1.37 Quality assurance requirements for cleaning of fluid systems and associated components of water-cooled nuclear power plants, ML003740051, March 1973.
AR329 1.38 Quality assurance requirements for packaging, shipping, receiving, storage and handling of items for water-cooled nuclear power plants (Rev.2, ML003740057) March 1973.
AR330 1.39 Housekeeping requirements for water-cooled nuclear power plants (Rev. 2, ML003740067) March 1973.
AR331 1.40 Qualification tests of continuous-duty motors installed inside the containment of water-cooled nuclear power plants, ML003740083, March 1973.
AR332 1.41 Preoperational testing of redundant on-site electric power systems to verify proper load group assignments, ML003740090, March 1973.
AR333 1.43 Control of stainless steel weld cladding of low-alloy steel components, ML003740095, May 1973.
AR334 1.44 Control of the use of sensitized stainless steel, ML003740109, May 1973.
AR335 1.45 Reactor coolant pressure boundary leakage detection systems, ML003740113, May 1973.
AR336 1.47 Bypassed and inoperable status indication for nuclear power plant safety systems, ML003740127, May 1973.
AR337 1.49 Power levels of nuclear power plants (Rev.1, ML003740132) May 1973 (R:1/12/1973).
AR338 1.50 Control of preheat temperature for welding of low-alloy steel, ML003740136, May 1973.
AR339 1.52 Design, inspection and testing criteria for air filtration and adsorption units of post-accident engineered-safety-feature atmosphere clean-up systems in light water-cooled nuclear power plants (Rev.2, ML003740139) (DG-1102, Proposed revision 3, issued 10/00, ML003756180) (Rev.3, ML011710176) June 1973 (R:1/07/1976, 2/03/1978, 3/06/2001).
AR340 1.53 Application of the single-failure criterion to nuclear power plant protection systems, ML003740182, (Draft DG-1118, Proposed revision 1, ML021260080, published 05/2002) (Rev.1, ML032670945) (Rev. 2, ML033220006) June 1973 (R:1/10/2003, 2/11/2003).
AR341 1.54 Service Level I, II, and III protective coatings applied to nuclear power plants, ML003740187 (Draft DG-1976, Proposed revision 1, ML003739156, published 03/1999) (Rev.1, ML003714475) June 1973 (R:1/07/2000).
AR342 1.56 Maintenance of water purity in boiling water reactors (for comment) (Rev.1, ML003740192) June 1973 (R:107/1978).
AR343 1.57 Design limits and loading combinations for metal primary reactor containment system components, ML003740195, June 1973.
AR344 1.59 Design basis floods for nuclear power plants (errata published 07/30/1980) (Rev.2, ML003740388) August 1973 (R:1/04/1976, 2/08/1977).
AR345 1.60 Design response spectra for seismic design of nuclear power plants (Rev.1, ML003740207) October 1973 (R:1/12/1973).
AR346 1.61 Damping values for seismic design of nuclear power plants, ML003740213, October 1973.
AR347 1.62 Manual initiation of protective actions, ML003740216, October 1973.
AR347a 1.63 Electric penetration assemblies in containment structures for nuclear power plants (Draft EE 405-4, Proposed revision 3, published 06/1986) (Rev.3, ML003740219) October 1973 (R:1/05/1977, 2/07/1978, 3/02/1987).
AR348 1.65 Materials and inspections for reactor vessel closure studs, ML003740228, October 1973.
AR349 1.68 Initial test programs for water-cooled nuclear power plants, November 1977 (R:1/01/1977, 2/08/1978).
AR350 1.68.1 Preoperational and initial start-up testing of feedwater and condensate systems for boiling water reactor power plants (Rev.1, ML003740230) December 1975 (R:1/01/1977).
AR351 1.68.2 Initial start-up test program to demonstrate remote shutdown capability for water-cooled nuclear power plants (Rev.1, ML003740258) January 1977 (R:1/07/1978).
AR352 1.68.3 Preoperational testing of instrument and control air systems (Draft RS 709-4, a proposed revision to Regulatory Guide 1.80, published 10/1980) (ML003740231) April 1982.
AR353 1.69 Concrete radiation shields for nuclear power plants, ML003740235, December 1973.
AR354 1.70 Standard format and content of safety analysis reports for nuclear power plants (LWR edition) (Rev. 2, ML01610289) (Rev. 3 in three parts, ML011340072, ML011340108, and ML011340116) February 1972 (R:1/10/1972, 2/09/1975, 3/11/1978).
AR355 1.71 Welder qualification for areas of limited accessibility, ML003740244, December 1973.
AR356 1.72 Spray pond piping made from fiberglass-reinforced thermosetting resin (Rev.2, ML003740253) December 1973 (R:1/01/1978, 2/11/1978).
AR357 1.73 Qualification tests of electric valve operators installed inside the containment of nuclear power plants, ML003740261, January 1974.
AR358 1.75 Physical independence of electric systems (Rev.2, ML003740265) (DG-1129, Proposed revision 3, published 12/03, ML040020126) February 1974 (R:1/01/1975, 2/09/1978).
AR359 1.76 Design basis tornado for nuclear power plants, ML003740273, April 1974.
AR360 1.77 Assumptions used for evaluating a control rod ejection accident for pressurized water reactors, ML003740279, May 1974.
AR361 1.78 Evaluating the habitability of a nuclear power plant control room during a postulated hazardous chemical release (ML003740298) (Proposed revision 1, DG-1087, published 02/2001, ML010440064) (Revision 1 incorporates guidance from withdrawn Regulatory Guide 1.95) (Revision 1, ML013100014) June 1974 (R:1/12/2001).
AR362 1.79 Preoperational testing of emergency core cooling systems for pressurized water reactors (Rev.1, ML003740351) June 1974 (R:1/09/1975).
AR363 1.81 Shared emergency and shutdown electric systems for multi-unit nuclear power plants (Rev.1, ML003740343) June 1974 (R:1/01/1975).
AR364 1.82 Water sources for long-term recirculation cooling following a loss-of-coolant accident (Draft MS 203-4, Proposed revision 1, published 05/1983) (Rev. 1, ML003740236) (Draft DG1038, Proposed revision 2, ML003739202, published 07/1995) (Rev.2, ML003740249) (Rev.3, ML033140347) June 1974 (R:1/11/1985, 2/05/1996, 3/11/2003).
AR365 1.83 In-service inspection of pressurized water reactor steam generator tubes (Rev.1, ML003740256) June 1974 (R:1/07/1975).
AR366 1.84 Design and fabrication and materials code case acceptability, ASME Section III. Because this guide is frequently revised, only the current revision and date are listed in the appropriate columns. Previous revisions and their publication dates follow: 0, 06/1974; 1, 04/1975; 2, 06/1975; 2, 09/1975; 4, 11/1975; 5, 03/1976; 6, 05/1976; 7, 08/1976; 9, 03/1977; 10, 08/1977; 11, 11/1977; 12, 03/1978; 13, 07/1978; 14, 11/1978; 15, 05/1979; 16, 05/1980; 17, 12/1980; 18, 08/1981; 19, 04/1982; 20, 11/1982; 21, 9/1983; 22, 07/1984; 23, 9/1985; 24, 06/1986; 25, 05/1988; 26, 07/1989 (Rev.26, ML003740266); 27, 11/1990; 28, 04/1992; 29, 07/1993; 30, 10/1994 (Rev.30, ML003740275); (DG-1049, proposed Revision 31, ML003739376, published 05/1997) (Rev.31, ML003740283) (DG-1090, proposed Revision 32 of RGs 1.84 and 1.85 combined, published 12/2001, ML013120011) (Regulatory Guides 1.84 and 1.85 have been combined in this Revision 32) (Rev.32, ML030730417) (R:31/05/1999, 2/06/2003).
AR367 1.86 Termination of operating licenses for nuclear reactors, ML003740243, June 1974.
AR368 1.87 Guidance for construction of Class 1 components in elevated-temperature reactors (supplement to ASME Section III Code Cases 1592, 1593, 1594, 1595, and 1596) (Rev. 1, ML003740252)–06/1975).
AR369 1.89 Environmental qualification of certain electric equipment important to safety for nuclear power plants (1974, ML012880422) (Draft EE 042-2, Proposed revision 1, published 02/1982) (Rev.1, ML003740271) November 1974 (R:1/06/1984).
AR370 1.90 In-service inspection of prestressed concrete containment structures with grouted tendons (Rev.1, ML003740281) November 1974 (R:1/08/1977).
AR371 1.91 Evaluations of explosions postulated to occur on transportation routes near nuclear power plants (Rev.1, ML003740286) January 1975. (R:102/1978).
AR372 1.92 Combining modal responses and spatial components in seismic response analysis (Rev.1, ML003740290) (Draft DG-1108, Proposed revision 2, published 08/01) December 1974 (R:1/02/1976).
AR373 1.93 Availability of electric power sources, ML003740292, December 1974.
AR374 1.94 Quality assurance requirements for installation, inspection and testing of structural concrete and structural steel during the construction phase of nuclear power plants (Rev.1, ML002730305) (Draft RS 908-5, proposed revision 2, published 09/1979) April 1975 (R:1/04/1976).
AR375 1.96 Design of main steam isolation valve leakage control systems for boiling water reactor nuclear power plants (Rev.1, ML003740263) May 1975 (R:1/06/1976).
AR376 1.97 Instrumentation for light-water-cooled nuclear power plants to assess plant and environs conditions during and following an accident (errata published 07/1981) (Draft RS 917-4, Proposed revision 2, published 12/1979) (Rev.3, ML003740282) December 1975 (R:1/08/1977, 2/12/1980, 3/05/1983).
AR377 1.98 Assumptions used for evaluating the potential radiological consequences of a radioactive offgas system failure in a boiling water reactor (for comment), ML003740259, March 1976.
AR378 1.99 Radiation embrittlement of reactor vessel materials (Draft ME 305-4, Proposed revision 2, published 02/1986) (Rev.2, ML003740284) July 1975 (R:1/04/1977, 2/05/1988).
AR379 1.100 Seismic qualification of electric and mechanical equipment for nuclear power plants (Draft EE 108-5, Proposed revision 2, published 08/1987) (Rev.2, ML003740293) March 1976 (R:1/08/1977, 2/06/1988).
AR380 1.101 Emergency planning and preparedness for nuclear power reactors (Revision 1 to this guide entitled ‘Emergency planning for nuclear power plants’ was withdrawn: see 45 FR 69610, 10/21/1980.) (Draft DG-1022, Proposed revision 3, published 02/1992) (Rev.3, ML003740302) (Draft DG-1075, Proposed revision 4, published 03/2000, ML003740302) (Rev.4, ML032020276) November 1975 (R:1/03/1977, 2/10/1981, 3/08/1992, 4/07/2003).
AR381 1.102 Flood protection for nuclear power plants, ML003740308, October 1975 (R:1/09/1976).
AR382 1.105 Setpoints for safety-related instrumentation (Draft IC 010-5, Proposed revision 2, published 12/81) (Draft DG-1045, Proposed revision 3, ML003739248, published 10/96) (Rev.2, ML003740318; Rev.3, ML993560062) November 1975 (R:1/11/1976, 2/02/1986, 3/12/1999).
AR383 1.106 Thermal overload protection for electric motors on motor-operated valves (Rev.1, ML003740323) November 1975 (R:103/1977).
AR384 1.107 Qualifications for cement grouting for prestressing tendons in containment structures (Rev.1, ML003740374) November 1975 (R:1/02/1977).
AR385 1.109 Calculation of annual doses to man from routine releases of reactor effluents for the purpose of evaluating compliance with 10 CFR Part 50, Appendix I (Rev.1, ML003740384) March 1976 (R:1/10/1977).
AR386 1.110 Cost–benefit analysis for radwaste systems for light-water-cooled nuclear power reactors (for comment), ML003740332, March 1976.
AR387 1.111 Methods for estimating atmospheric transport and dispersion of gaseous effluents in routine releases from light-water-cooled reactors (Rev.1, ML003740354) March 1976 (R:1/07/1977).
AR388 1.112 Calculation of releases of radioactive materials in gaseous and liquid effluents from light-water-cooled power reactors (Rev.0-R ML003740361) April 1976 (R:05/1977).
AR389 1.113 Estimating aquatic dispersion of effluents from accidental and routine reactor releases for the purpose of implementing appendix I (Rev.1, ML003740390) May 1976 (R:1/04/1977).
AR390 1.114 Guidance to operators at the controls and to senior operators in the control room of a nuclear power unit (Draft HF 601-4, Proposed revision 2, published 12/1986) (Rev.2, ML003740393) February 1976 (R:1/11/1976, 2/05/1989).
AR391 1.115 Protection against low-trajectory turbine missiles (Rev.1, ML003739456) March 1976 (R:1/07/1977).
AR392 1.116 Quality assurance requirements for installation, inspection and testing of mechanical equipment and systems (Rev.0-R, ML003739465) June 1976 (R:05/1977).
AR393 1.117 Tornado design classification (Rev.1, ML003739346) June 1976 (R:1/04/1978).
AR394 1.118 Periodic testing of electric power and protection systems (Rev.3, ML003739468) (DG-1028, Proposed revision 3, published 09/1994) (Rev.3, ML003739468) June 1976 (R:1/11/1977, 2/06/1978, 3/04/1995).
AR394a 1.121 Bases for plugging degraded PWR steam generator tubes (for comment), ML003739366, August 1976.
AR395 1.122 Development of floor design response spectra for seismic design of floor-supported equipment or components (Rev.1, ML003739367) September 1976 (R:1/02/1978).
AR396 1.124 Service limits and loading combinations for Class 1 linear-type component supports (Rev.1, ML003739380) November 1976 (R:1/01/1978).
AR397 1.125 Physical models for design and operation of hydraulic structures and systems for nuclear power plants (Rev.1, ML003739388) March 1977 (R:1/10/1978).
AR398 1.126 An acceptable model and related statistical methods for the analysis of fuel densification (Rev.1, ML003739385) March 1977 (R:1/03/1978).
AR399 1.127 Inspection of water-control structures associated with nuclear power plants (Rev.1, L003739392) April 1977 (R: 1/03/1978).
AR400 1.128 Installation design and installation of large lead storage batteries for nuclear power plants (Rev.1, ML003740099) April 1977 (R:1/10/1978).
AR401 1.129 Maintenance, testing and replacement of large lead storage batteries for nuclear power plants (Rev.1, ML003740104) April 1977 (R:1/02/1978).
AR402 1.130 Service limits and loading combinations for Class 1 plate-and-shell-type component supports (Rev.1, ML003740123) July 1977 (R:1/10/1978).
AR403 1.131 Qualification tests of electric cables, field splices and connections for light-water-cooled nuclear power plants (for comment), (ML003740128) (Draft RS 050-2, Proposed revision 1, published 08/1979) August 1977.
AR404 1.132 Site investigations for foundations of nuclear power plants (Rev.2, ML032800710) (DG-1101, Proposed revision 2, issued 02/2001, ML010510162) (Rev.1, ML003740350) September 1977 (R:1/03/1979, 2/10/2003).
AR405 1.133 Loose-part detection program for the primary system of light-water-cooled reactors (Rev.1, ML003740137) September 1977 (R:1/05/1981).
AR406 1.134 Medical evaluation of licensed personnel at nuclear power plants (Draft OL 401-5, Proposed revision 2, published 11/1984) (Draft DG-1068, Proposed revision 3, ML003739137, published 02/1997) (Rev.2, ML003740138) (Rev.3, ML003740140) September 1977 (R:1/03/1979, 2/04/1987, 3/03/1998).
AR407 1.135 Normal water level and discharge at nuclear power plants (for comment) (ML003740143) September 1977.
AR408 1.136 Materials, construction and testing of concrete containments (Articles CC-1000, -2000, and -4000 through -6000 of the ‘Code for concrete reactor vessels and containments’) (Draft SC 814-5, Proposed revision 2, published 11/1979) (Rev.2, ML003740155) November 1977 (R:1/10/1978, 2/06/1981).
AR409 1.137 Fuel-oil systems for standby diesel generators (Rev.1, ML003740180) January 1978 (R:1/10/1979).
AR410 1.138 Laboratory investigations of soils and rocks for engineering analysis and design of nuclear power plants (04/1978, ML003740184) (DG-1109, Proposed revision 1, published 08/2001, ML012420328) (Revision 1 was not published) (Revision 2, ML033510166) April 1978 (R:2/12/2003).
AR411 1.139 Guidance for residual heat removal (for comment) May 1978.
AR412 1.140 Design, inspection and testing criteria for air filtration and adsorption units of normal atmosphere cleanup systems in light-water-cooled nuclear power plants (DG-1103, Proposed revision 2, issued 10/2000) (Rev.1, ML003740190; Rev.2, ML011710150) March 1978 (R:1/10/1979, 2/06/2001).
AR413 1.141 Containment isolation provisions for fluid systems (for comment), ML003740194, April 1978.
AR414 1.142 Safety-related concrete structures for nuclear power plants (other than reactor vessels and containments) (DG-1098, Proposed revision 2, published 08/2000) (Rev.1, ML003740197; Rev.2, ML013100274) April 1978 (R:1/10/1981, 2/11/2001).
AR415 1.143 Design guidance for radioactive waste management systems, structures and components installed in light-water-cooled nuclear power plants (DG-1100, Proposed revision 2, published 08/2000) (Rev.1, ML003740200; Rev.2, ML013100305) July 1978 (R:1/10/1979, 2/11/2001).
AR416 1.145 Atmospheric dispersion models for potential accident consequence assessments at nuclear power plants (reissued 02/1983 to correct page 1.145–7) (Rev.1, ML003740205) August 1979 (R:1/11/1982).
AR417 1.147 In-service inspection code case acceptability, ASME Section XI, Division 1 (Draft SC 721-4 published 08/1979) Previous revisions and their publication dates are 0, 03/1981; 2, 06/1983, 3, 07/1984; 4, 09/1985; 5, 08/1986; 6, 05/1988; 7, 07/1989 (ML003740209); 8, 11/1990; 9, 04/1992; 10, 07/1993; 11, 10/1994 (ML003739955); (DG-1050, Proposed revision 12, ML003739242, published 5/1997), (Revision 12, ML003671361, published 5/1999), (DG-1091, Proposed revision 13, ML013120019, published 12/2001), (Revision 13, ML030730423, published 6/2003), (Corrected reprint of Revision 13, ML040230509, published 1/2004) 1205/1999 (R:13/06/2003).
AR418 1.148 Functional specification for active valve assemblies in systems important to safety in nuclear power plants (ML003739979) (Draft SC 704-5 published 02/1979) March 1981.
AR419 1.149 Nuclear power plant simulation facilities for use in operator training and license examinations (Draft RS 110-5 published 07/1980) (Draft OL 402-5, Proposed revision 1, published 11/1984) (Draft DG-1043, Proposed revision 2, published 06/1995) (DG-1080, Proposed revision 3, ML003739149, published 08/1999) (Rev.1, ML003739984; Rev.2, ML003739988; Rev.3, ML012770164) April 1981 (R:104/1987, 2/04/1996, 3/10/2001).
AR420 1.150 Ultrasonic testing of reactor vessel welds during pre-service and in-service examinations (Draft SC 705-4 published 05/1979) (Rev.1, ML003739996) June 1981 (R:102/1983).
AR421 1.151 Instrument sensing lines (ML003740003) (Draft IC 126-5 published 03/1982) July 1983.
AR422 1.152 Criteria for digital computers in safety systems of nuclear power plants (11/85) (ML003740088) (Draft IC 127-5 published 03/1983) (Draft DG-1039, Proposed revision 1, published 05/1995) (Rev.1, ML003740015) November 1985 (R:1/01/1996).
AR423 1.153 Criteria for safety systems (12/85) (Draft IC 609-5 published 12/1982) (Draft DG-1042, Proposed revision 1, published 11/1995) (ML003740019) (Rev.1, ML003740022) December 1985 (R:1/06/1996).
AR424 1.154 Format and content of plant-specific pressurized thermal shock safety analysis reports for pressurized water reactors (ML003740028) (Draft SI 502-4 published 01/1986) January 1987.
AR425 1.155 Station blackout (issued June 1988, reissued August 1988 with corrected tables) (ML003740034) (Draft SI 501-4 published 03/1986) August 1988.
AR426 1.156 Environmental qualification of connection assemblies for nuclear power plants (ML003740042) (Draft EE 404-4 published 05/1987) November 1987.
AR427 1.157 Best-estimate calculations of emergency core cooling system performance (ML003739584) (Draft RS 701-4 published 03/1987) May 1989.
AR428 1.158 Qualification of safety-related lead storage batteries for nuclear power plants (ML003740047) (Draft EE 006-5 published 08/1987) February 1989.
AR429 1.159 Assuring the availability of funds for decommissioning nuclear reactors (Draft DG-1003 published 05/1989, ML003739365) (Draft DG-1106, Proposed revision 1, published 05/2001, ML010170350) (08/90, ML003740066) (Rev.1, ML032790365) August 1990 (R:1/10/2003).
AR430 1.160 Monitoring the effectiveness of maintenance at nuclear power plants (Draft DG-1020 published 11/1992) (Draft DG-1031, Proposed revision 1, published 06/1994) (Draft DG-1051, Proposed revision 2, ML003739233, published 08/1996) (Rev.1, ML031430362) (Rev.2, ML003761662) June 1993 (R:1/01/1995, 2/03/1997).
AR431 1.161 Evaluation of reactor pressure vessels with Charpy upper-shelf energy less than 50 ft-lb (ML003740038) (Draft DG-1023 published 09/1993) June 1995.
AR432 1.162 Format and content of report for thermal annealing of reactor pressure vessels (ML003740052) (Draft DG-1027 published 10/1994) February 1996.
AR433 1.163 Performance-based containment leak-test program (ML003740058) (Draft DG-1037 published 02/1995) (Errata to NEI 94-01 published 03/1996) September 1995.
AR434 1.165 Identification and characterization of seismic sources and determination of safe shutdown earthquake ground motion (ML003740084) (Draft DG-1015 issued 11/1992, Draft DG-1032, issued 02/1995) March 1997.
AR435 1.166 Pre-earthquake planning and immediate nuclear power plant operator post-earthquake actions (ML003740089) (Draft DG-1017 issued 11/1992, Draft DG-1034, ML003739203, issued 02/1995) March 1997.
AR436 1.167 Restart of a nuclear power plant shut down by a seismic event (ML003740093) (Draft DG-1018 issued 11/1992, Draft DG-1035, ML003739196, issued 02/1995) March 1997.
AR437 1.168 Verification, validation, reviews and audits for digital computer software used in safety systems of nuclear power plants (DG-1054, ML003739159, issued 08/1996) (09/97, ML003740098) (DG-1123, Proposed revision 1, 01/2003, ML030270328) (Rev.1, ML040410189) September 1997 (R:1/02/2004).
AR438 1.169 Configuration management plans for digital computer software used in safety systems of nuclear power plants (ML003740102) (Draft DG-1055, ML003739153, issued 08/1996) September 1997.
AR439 1.170 Software test documentation for digital computer software used in safety systems of nuclear power plants (ML003740105) (Draft DG-1056, ML003739146, issued 08/1996) September 1997.
AR440 1.171 Software unit testing for digital computer software used in safety systems of nuclear power plants (ML003740108) (Draft DG-1057, ML003739141, issued 08/1996) September 1997.
AR441 1.172 Software requirements specifications for digital computer software used in safety systems of nuclear power plants (ML003740094) (Draft DG-1058, ML003739228, issued 08/1996) September 1997.
AR442 1.173 Developing software life cycle processes for digital computer software used in safety systems of nuclear power plants (ML003740101) (Draft DG-1059, ML003740101, issued 08/1996) September 1997.
AR443 1.174 An approach for using probabilistic risk assessment in risk-informed decisions on plant-specific changes to the licensing basis (ML003740133) (Issued with SRP Chapter 19)
(Draft DG-1061, ML003739197, issued 06/1997) (Draft DG-1110, Proposed revision 1, issued 06/2001) (Revision 1, issued 11/2002, ML023240437) July 1998 (R:1/11/2002).
AR444 1.175 An approach for plant-specific, risk-informed decision-making: In-service testing (ML003740149) (Issued with SRP Chapter 3.9.7) (Draft DG-1062, ML003739158, issued 06/1997) August 1998.
AR445 1.176 An approach for plant-specific, risk-informed decision-making: Graded quality assurance (ML003740172) (Draft DG-1064, ML003739212, issued 06/1997) August 1998.
AR446 1.177 An approach for plant-specific, risk-informed decision-making: Technical specifications (ML003740176) (Issued with SRP Chapter 16.1) (Draft DG-1065, ML003739150, issued 06/1997) August 1998.
AR447 1.178 An approach for plant-specific risk-informed decision-making for in-service inspection of piping (9/98, ML003740181) (Issued with SRP Chapter 3.9.8) (Draft DG-1063, ML003739154, issued 10/1997) (Revision 1, ML032510128, issued 09/2003) (SRP, ML032510135) September 1998 (R:1/09/2003).
AR448 1.179 Standard format and content of license termination plans for nuclear power reactors (ML003740212) (Draft DG-1078, ML003739152, issued 04/1998) January 1999.
AR449 1.180 Guidelines for evaluating electromagnetic and radio-frequency interference in safety-related instrumentation and control systems (01/00, ML003740218) (Draft DG-1029 published 02/1998, ML003739326) (Rev.1, ML032740277) (DG-1119, proposed Revision 1, ML022390236, published 08/2002) January 2000 (R:1/10/2003).
AR450 1.181 Content of the updated final safety analysis report in accordance with 10 CFR 50.71(e) (ML003740112) (Draft DG-1083, ML003739139, issued 03/1999) September 1999.
AR451 1.182 Assessing and managing risk before maintenance activities at nuclear power plants (ML003740117) (Draft DG-1082 issued 12/1999) May 2000.
AR452 1.183 Alternative radiological source terms for evaluating design basis accidents at nuclear power reactors (ML003716792) (Draft DG-1081, ML003739148, issued 12/1999) July 2000.
AR453 1.184 Decommissioning of nuclear power reactors (ML003701137) (Draft DG-1067, ML003739144, issued 06/1997) (Errata to update Reference 1 (ML040920341), published 04/2004) July 2000.
AR454 1.185 Standard format and content for post-shutdown decommissioning activities report (ML003701163) (Draft DG-1071, ML003739227, issued 12/1997) (Errata to update Reference 1 (ML040920341), published 04/2004) July 2000.
AR455 1.186 Guidance and examples for identifying 10 CFR 50.2 design bases (ML003754825) (Draft DG-1093, ML003739122, published 04/2000) December 2000.
AR456 1.187 Guidance for implementation of 10 CFR 50.59, changes, tests and experiments (ML003759710) (Draft DG-1095, ML003698165, issued 04/2000) November 2000.
AR457 1.188 Standard format and content for applications to renew nuclear power plant operating licenses (ML012010322) (Drafts were DG-1104, issued 08/2000; DG-1047, ML003739244; and DG-1009) July 2001.
AR458 1.189 Fire protection for operating nuclear power plants (ML010920084) (Draft DG-1097, ML003739115, issued 06/2000) April 2001.
AR459 1.190 Calculational and dosimetry methods for determining pressure vessel neutron fluence (ML010890301) (Drafts were DG-1053 and DG-1025 (09/1993)) (DG-1025, ML003739334) March 2001.
AR460 1.191 Fire protection program for nuclear power plants during decommissioning and permanent shutdown (ML011500010) (Draft DG-1069, ML003739129, published 07/1998) May 2001.
AR461 1.192 Operation and maintenance code case acceptability, ASME OM Code (ML030730430) (Draft guide was issued as DG-1089, 12/01, ML013120051) June 2003.
AR462 1.193 ASME code cases not approved for use (ML030730440) (Draft guide was issued as DG-1112, 12/01, ML013120071) June 2003.
AR462a 1.194 Atmospheric relative concentrations for control room radiological habitability assessments at nuclear power plants (ML031530505) (Draft guide was issued as DG-1111, 12/01, ML013130132) June 2003.
AR463 1.195 Methods and assumptions for evaluating radiological consequences of design basis accidents at light-water nuclear power reactors (ML031490640) (Draft guide was issued as DG-1113, 01/02, ML020160023) May 2003.
AR464 1.196 Control room habitability at light-water nuclear power reactors (ML031490611) (Draft guide was issued as DG-1114, 03/02, ML020790125) May 2003.
AR465 1.197 Demonstrating control room envelope integrity at nuclear power reactors (ML031490664) (Draft guide was issued as DG-1115, 03/02, ML020790191) May 2003.
AR466 1.198 Procedures and criteria for assessing seismic soil liquefaction at nuclear power plant sites (ML033280143) (Draft guide was issued as DG-1105, 03/01, ML010650295) November 2003.
AR467 1.199 Anchoring components and structural supports in concrete (ML033360660) (Draft was issued as DG-1099, 07/02, ML021910490) November 2003.
AR468 1.200 An approach for determining the technical adequacy of probabilistic risk assessment results for risk-informed activities (ML040630078) (Issued with SRP Chapter 19.1, 02/2004, ML040630300) (Draft guide was issued as DG-1122, 11/02, ML023360076) February 2004.
Division 2
AR469 2.4 Review of experiments for research reactors, ML003740131, July 1976 (R:05/1977).
AR470 2.5 Quality assurance program requirements for research reactors, ML00374035, May 1977.
AR471 2.6 Emergency planning for research and test reactors (Rev.1, ML003740234) (Draft HF 201-4, Proposed revision 1, published 3/82) January 1979 (R:103/1983).
Division 3
AR472 3.3 Quality assurance program requirements for fuel reprocessing plants and for plutonium processing and fuel fabrication plants (Rev.1, ML003740245) January 1973 (R:1/03/1974).
AR473 3.5 Standard format and content of license applications for uranium mills (for comment) (Draft WM 039-4, Proposed revision 2, published 08/1981) (Rev.1, ML003740157) February 1973 (R:11/1977).
AR474 3.6 Content of technical specifications for fuel reprocessing plants (ML003740163) April 1973.
AR475 3.7 Monitoring of combustible gases and vapors in plutonium processing and fuel fabrication plants (ML003740201) March 1973.
AR476 3.8 Preparation of environmental reports for uranium mills (Rev.2, ML003740211) April 1973 (R:1/09/1978, 2/10/1982).
AR477 3.10 Liquid waste treatment system design guide for plutonium processing and fuel fabrication plants (ML003740217) June 1973.
AR478 3.11 Design, construction and inspection of embankment retention systems for uranium mills (Rev.2, ML003740223) June 1973 (R:1/03/1977, 2/12/1977).
AR479 3.11.1 Operational inspection and surveillance of embankment retention systems for uranium mill tailings (Rev.1, ML003740229) April 1979 (R:1/10/1980).
AR480 3.12 General design guide for ventilation systems of plutonium processing and fuel fabrication plants, ML003740232, August 1973.
AR481 3.13 Guide for acceptable waste storage methods at UF6 production plants, ML003740240, October 1973.
AR482 3.14 Seismic design classification for plutonium processing and fuel fabrication plants, ML003740247, October 1973.
AR483 3.15 Standard format and content of license applications for storage only of unirradiated power reactor fuel and associated radioactive material (Rev.1, ML003740254) (Draft CE 219-4, Proposed revision 1, published 08/1982) October 1973 (R:1/04/1983).
AR484 3.16 General fire protection guide for plutonium processing and fuel fabrication plants, ML003740260, January 1974.
AR485 3.17 Earthquake instrumentation for fuel reprocessing plants, ML003740294, February 1974.
AR486 3.18 Confinement barriers and systems for fuel reprocessing plants, ML003740303, February 1974.
AR487 3.19 Reporting of operating information for fuel reprocessing plants, ML003740314, February 1974.
AR488 3.20 Process offgas systems for fuel reprocessing plants, ML003740115, February 1974.
AR489 3.21 Quality assurance requirements for protective coatings applied to fuel reprocessing and to plutonium processing and fuel fabrication plants, ML003740118, March 1974.
AR490 3.25 Standard format and content of safety analysis reports for uranium enrichment facilities, ML003739213, December 1974.
AR491 3.26 Standard format and content of safety analysis reports for fuel reprocessing plants, ML003739239, February 1975.
AR492 3.31 Emergency water supply systems for fuel reprocessing plants (Rev. O-R, ML003739408) September 1975 (R:05/1977).
AR493 3.32 General design guide for ventilation systems for fuel reprocessing plants (for comment), ML003739449, September 1975.
AR494 3.33 (Withdrawn: see 63 FR 2426, 1/15/1998) (Assumptions used for evaluating the potential radiological consequences of accidental nuclear criticality in a fuel reprocessing plant, 04/1977, ML003739464.)
AR495 3.34 (Withdrawn: see 63 FR 2426, 1/15/1998) (Assumptions used for evaluating the potential radiological consequences of accidental nuclear criticality in a uranium fuel fabrication plant.)
AR496 3.35 (Withdrawn: see 63 FR 2426, 1/15/1998) (Assumptions used for evaluating the potential radiological consequences of accidental nuclear criticality in a plutonium processing and fuel fabrication plant, Rev.1, 07/1979, ML003739504.)
AR497 3.37 Guidance for avoiding intergranular corrosion and stress corrosion in austenitic stainless steel components of fuel reprocessing plants (for comment), ML003739516, September 1975.
AR498 3.38 General fire protection guide for fuel reprocessing plants (for comment), ML003739526, June 1976.
AR499 3.39 Standard format and content of license applications for plutonium processing and fuel fabrication plants, ML003739398, January 1976.
AR500 3.44 Standard format and content for the safety analysis report for an independent spent fuel storage installation (water-basin type) (Rev.2, ML003739431) (Draft CE 403-4, Proposed revision 2, published 11/1986) December 1978 (R:1/11/1980, 2/01/1989).
AR501 3.46 Standard format and content of license applications, including environmental reports, for in situ uranium solution mining (ML003739441) (Draft FP 818-4 published 07/1980) June 1982.
AR502 3.47 (Withdrawn: see Regulatory Guide 3.71, ML003739492, 08/1998) (Nuclear criticality control and safety of homogeneous plutonium-uranium fuel mixtures outside reactors, ML003739453.)
AR503 3.48 Standard format and content for the safety analysis report for an independent spent fuel storage installation or monitored retrievable storage installation (dry storage) (Rev.1, ML003739463) (Draft FP 029-4 published 12/1980) (Draft CE 406-4, Proposed revision 1, published 10/1986) October 1981 (R:108/1989).
AR504 3.49 Design of an independent spent fuel storage installation (water-basin type) (ML003739167) (Draft FP 806-6 published 01/1981) December 1981.
AR505 3.50 Standard format and content for a license application to store spent fuel and high-level radioactive waste (Rev.1, 003739463) (Draft FP 907-4 published 03/1981) (Draft CE 402-4, Proposed revision 1, published 09/1986) January 1982 (R:109/1989).
AR506 3.51 Calculational models for estimating radiation doses to man from airborne radioactive materials resulting from uranium milling operations (ML003739497) (Draft RH 802-4 published 05/1979) (Errata published August 1982) March 1982.
AR507 3.54 Spent fuel heat generation in an independent spent fuel storage installation (09/84, ML003739446) (Draft FP 034-4 published 12/1980) (Second Draft CE 034-4 published 01/1983) (DG-3010, Proposed revision 1 to RG 3.54, ML003739462, published 09/1997) (Rev. 1, 01/99, ML003761667) September 1984 (R:1/01/1999).
AR508 3.55 Standard format and content for the health and safety sections of license renewal applications for uranium hexafluoride production (ML003739469) (Draft CE 227-4 published 01/1984) April 1985.
AR508a 3.56 General guidance for designing, testing, operating and maintaining emission control devices at uranium mills (ML003739476) (Draft CE 309-4 published 05/1985) May 1986.
AR509 3.59 Methods for estimating radioactive and toxic airborne source terms for uranium milling operations (ML003739503) (Draft WM 407-4 published 04/1986) March 1987.
AR510 3.60 Design of an independent spent fuel storage installation (dry storage) (ML003739506) (Draft CE 410-4 published 11/1985) March 1987.
AR511 3.61 Standard format and content for a topical safety analysis report for a spent fuel dry storage cask (ML003739545) (Draft CE 306-4 published 04/1986) February 1989.
AR512 3.62 Standard format and content for the safety analysis report for on-site storage of spent fuel storage casks (ML003739545) (Draft CE 301-4 published 04/1986) February 1989.
AR513 3.63 On-site meteorological measurement program for uranium recovery facilities: Data acquisition and reporting (ML003739874) (Draft ES 401-4 published 09/1985) March 1988.
AR514 3.64 Calculation of radon flux attenuation by earthen uranium mill tailings covers (ML003739876) (Draft WM 503-4 published 05/1987) June 1989.
AR515 3.65 Standard format and content of decommissioning plans for licensees under 10 CFR Parts 30, 40 and 70 (ML003739878) (Draft CE 304-4 published 12/1985) August 1989.
AR516 3.66 Standard format and content of financial assurance mechanisms required for decommissioning under 10 CFR Parts 30, 40, 70 and 72 (ML003739882) (Draft DG-3002 published 01/1990) (DG-3014 Part 1, Part 2), published 07/1999, as Proposed revision 1 to Regulatory Guide 3.66) June 1990.
AR517 3.67 Standard format and content for emergency plans for fuel cycle and materials facilities (ML003739885) (Draft DG-3005 published 09/1990) January 1992.
AR518 3.71 Nuclear criticality safety standards for fuels and material facilities (ML003739492) (Draft DG-3013 published 01/1998) (Guide withdraws Regulatory Guides 3.1, 3.4, 3.43, 3.45, 3.47, 3.57, 3.58, 3.68, 3.70 and 8.12) August 1998.
AR519 3.73 Site evaluations and design earthquake ground motion for dry cask independent spent fuel storage and monitored retrievable storage installations (ML033020062) (Draft DG-3021 07/02, ML021710092) October 2003.
Division 4
AR520 4.1 Programs for monitoring radioactivity in the environs of nuclear power plants (Rev.1, ML003739496) January 1973 (R:104/1975).
AR521 4.2 Preparation of environmental reports for nuclear power stations (Rev. 2, ML003739519) March 1973 (R:1/01/1975, 2/07/1976).
AR522 4.7 General site suitability criteria for nuclear power stations (Revision 2, ML003739894) (DG-4003, Proposed revision 2, published 11/1992) (DG-4004, Second Proposed revision 2, published 2/1995) September 1974 (R:1/11/1975, 2/04/1998).
AR523 4.15 Quality assurance for radiological monitoring programs (normal operations): Effluent streams and the environment (Rev.1, ML003739945) December 1977 (R:1/02/1979).
AR524 4.17 Standard format and content of site characterization plans for high-level waste geologic repositories (Rev.1, ML003739963) (Draft GS 027-4 published 4/1981) (Draft WM 404-4, Proposed revision 1, published 2/1985) July 1982 (R:1/03/1987).
AR525 4.18 Standard format and content of environmental reports for near-surface disposal of radioactive waste (ML003739515) (Draft WM 013-4 published 4/1982) June 1983.
AR526 4.19 Guidance for selecting sites for near-surface disposal of low-level radioactive waste (ML003739520) (Draft WM 408-4 published 3/1987) August 1988.
AR527 4.20 Constraint on releases of airborne radioactive materials to the environment for licensees other than power reactors (ML003739525) (Draft DG-8016 published 12/1995) December 1996.
Division 5
AR528 5.4 Standard analytical methods for the measurement of uranium tetrafluoride (UF4) and uranium hexafluoride (UF6) (ML003739536) February 1973.
AR529 5.5 Standard methods for chemical, mass spectrometric and spectrochemical analysis of nuclear-grade uranium dioxide powders and pellets, ML003739552, February 1973.
AR530 5.7 Entry/exit control for protected areas, vital areas and material access areas (Draft SG 909-4, Proposed revision 1, published 05/1979) (Rev.1, ML003739976) June 1973 (R:1/05/1980).
AR531 5.10 Selection and use of pressure-sensitive seals on containers for on-site storage of special nuclear material, ML003740020, July 1973.
AR532 5.11 Non-destructive assay of special nuclear material contained in scrap and waste (Rev.1, ML003740029) (Draft SG 043-4, Proposed revision 1, published 11/1982) October 1973 (R:1/04/1984).
AR533 5.12 General use of locks in the protection and control of facilities and special nuclear materials, ML003740035, November 1973.
AR534 5.13 Conduct of nuclear material physical inventories, ML003740048, November 1973.
AR535 5.15 Tamper-indicating seals for the protection and control of special nuclear material (1974, ML003739932; Rev.1, ML 003739938) (Draft DG-5005, Proposed revision 1, ML003739455, published 01/1996) January 1974 (R:1/03/1997).
AR536 5.17 Truck identification markings, ML003739939, January 1974.
AR536a 5.20 Training, equipping and qualifying of guards and watchmen, ML003739977, January 1974.
AR537 5.21 Non-destructive uranium-235 enrichment assay by gamma ray spectrometry (Draft SG 044-4, Proposed revision 1, published 06/1982) (Rev.1, ML003739991) April 1974 (R:1/12/1983).
AR538 5.22 Assessment of the assumption of normality (employing individual observed values), ML003739999, April 1974.
AR539 5.31 Specially designed vehicle with armed guards for road shipment of special nuclear material (Rev.1, ML003740081) June 1974 (R:1/04/1975).
AR539a 5.32 Communication with transport vehicles (Rev.1, ML003739946), June 1974 (R:1/05/1975).
AR540 5.33 Statistical evaluation of material unaccounted for, ML003739948, June 1974.
AR541 5.44 Perimeter intrusion alarm systems (Revision 2, ML003740097; Revision 3, ML003739217) (Draft SG 479-4, Proposed revision 2, published 05/1979) (Draft DG-5007, Proposed revision 3, published 04/1996) January 1975 (R:1/06/1976, 2/05/1980, 3/10/1997).
AR542 5.52 Standard format and content of a licensee physical protection plan for strategic special nuclear material at fixed sites (other than nuclear power plants) (DG-5004, Proposed revision 3, published 04/1994) (Revision 2, ML003739231; Revision 3, ML003739235) May 1975 (R:106/1976, 2/07/1980, 3/12/1994).
AR543 5.68 Protection against malevolent use of vehicles at nuclear power plants (ML003739379) (Draft DG-5006 issued 11/1993) August 1994.
Division 6
AR544 6.4 Classification of containment properties of sealed radioactive sources (Rev.2, ML003739414) March 1974 (R:1/05/1975, 2/08/1980).
Division 7
AR545 7.1 Administrative guide for packaging and transporting radioactive material (ML003739261) June 1974.
AR546 7.2 Packaging and transportation of radioactively contaminated biological materials, ML003739263, June 1974.
AR547 7.3 Procedures for picking up and receiving packages of radioactive material, ML003739403, May 1975.
AR548 7.4 Leakage tests on packages for shipment of radioactive materials, ML003739407, June 1975.
AR549 7.6 Design criteria for the structural analysis of shipping cask containment vessels, ML003739418, February 1977 (R:103/1978).
AR550 7.8 Load combinations for the structural analysis of shipping casks for radioactive material (Draft MS 527-4, Proposed revision 1, published 07/1987) (Draft MS 804-4, Second Proposed revision 1, published 09/1988) (Rev.1, ML003739501) May 1977 (R:1/03/1989).
AR551 7.9 Standard format and content of Part 71 applications for approval of packaging of Type B, large quantity and fissile radioactive material (Rev.1, ML003739363) (Draft FC 416-4, Proposed revision 2, published 05/1986) (DG-7003, Proposed revision 2, issued 1/2004, ML033630447) March 1979 (R:1/01/1980).
AR552 7.10 Establishing quality assurance programs for packaging used in the transport of radioactive material (Rev.1, ML003739404) (Combined Draft TP 019-4, published 06/1981, and Draft TP 020-4, published 03/1981) (DG-7004, Proposed revision 2, issued 02/2004, ML040410577) January 1983 (R:1/06/1986).
AR553 7.11 Fracture toughness criteria of base material for ferritic steel shipping cask containment vessels with a maximum wall thickness of 4 in (0.1 m) (ML003739413) (Draft MS 144-4 published 06/1983) (Draft DG-7001 published 07/1989) June 1991.
AR554 7.12 Fracture toughness criteria of base material for ferritic steel shipping cask containment vessels with a wall thickness greater than 4 in (0.1 m) but not exceeding 12 in (0.3 m) (ML003739424) (Draft MS 501-4 published 06/1986) June 1991.
Division 8
AR555 8.1 Radiation symbol, ML003739429, February 1973.
AR556 8.4 Direct-reading and indirect-reading pocket dosimeters, ML003739448, February 1973.
AR557 8.5 Criticality and other interior evacuation signals (Rev. 1, ML003739454) February 1973 (R:1/03/1981).
AR558 8.10 Operating philosophy for maintaining occupational radiation exposures As Low As Is Reasonably Achievable (Rev. 1-R, ML003739563) April 1974 (R:1/09/1975, 05/1977).
AR559 8.19 Occupational radiation dose assessment in light-water reactor power plants: Design stage man-rem estimates (Rev. 1, ML003739550) May 1978 (R:1/06/1979).
AR560 8.29 Instruction concerning risks from occupational radiation exposure (Draft OH 902-4 published 05/1980) (Draft DG-8012, Proposed revision 1, published 12/1994) (1981, ML003739401; Revision 1, ML003739438) July 1981 (R:1/02/1996).
AR561 8.37 ALARA levels for effluents from materials facilities (ML003739553) (Draft DG-8013 published 10/1992) (Draft DG-8016, Proposed revision 1, ML003739318, published 12/1995) July 1993.
AR562 8.38 Control of access to high and very high radiation areas of nuclear plants (ML003739558) (Draft DG-8006 published 10/1991) June 1993.
Division 9
AR563 9.1 Regulatory staff position statement on antitrust matters, ML003740156, December 1973.
Division 10
AR564 10.1 Compilation of reporting requirements for persons subject to NRC regulations (Rev.4, ML003740185) January 1975 (R:1/07/1975, 2/08/1975, 3/05/1977, 4/10/1981).
AR565 10.6 Guide for the preparation of applications for use of sealed sources and devices for performing industrial radiography (Rev.1, ML003740378) (Draft TP 602-4, Proposed revision 1, published 06/1980) (Errata published 07/1984) (Draft FC 401-4, Proposed revision 2, published 10/1984) September 1976 (R:1/12/1981).
Other References AR566 AR567 AR568 AR569 AR570 AR571 AR572 AR573 AR574 AR575 AR576
AR577 AR578 AR579 AR580 AR581 AR582 AR583 AR584 AR585 AR586 AR587 AR588 AR589
American Nuclear Society (1984) ‘Source terms’, Special committee report. American Physical Society (1985) ‘Radionuclide release from severe accident management implementation’, Study group report. ANS (1983) ‘Nuclear safety criteria for the design of stationary PWR plants’, ANSI/ANS 51.1. Bayliss, C. and Langley, K. (2003) Nuclear Decommissioning, Waste Management and Environmental Site Remediation. Elsevier. Beckjord, E.S. (1995) ‘NRC research: A ten-year vision’, USNRC. Bourgeois, J., Tanguy, P., Cogne´, F. and Petit, J. (1996) La surete´ nucleaire en France et dans le monde. Polytechnica, Paris. Crede, C.E. Shock and Vibration Concepts in Engineering Design. Prentice-Hall. CSNI (1990) ‘Inadequate isolation of containment openings and penetrations’, OECD/NEA Report 179. Cumo, M., Tripputi, I. and Spezia, U. (2002) ‘Decommissioning of nuclear plants’, Scuola di specializzazion e in sicurezza nucleare ed industriale, Universita` di Roma. Etherington, H. (ed.) (1958) Nuclear Engineering Handbook. McGraw-Hill. Forasassi, G., Guerrini, B. and Petrangeli, G. (1997) ‘Comparison of some passive safety concepts in nuclear and process industry systems’, Post-SMIRT 14 International Seminar 18 Passive Safety Features in Nuclear Installations, 25–7 August, Pisa. Ford, D. The Cult of the Atom. New York: Simon and Shuster. Gittus, J. (1982) ‘Power degraded core analysis’, ND-R-610(S), United Kingdom Atomic Energy Authority. Glasstone, S. (1963) Nuclear Reactor Engineering. Van Nostrand. Hampton, W. (2001) Meltdown, A Race Against Nuclear Disaster at Three Mile Island, A Reporter’s Story. Cambridge, MA: Candlewick Press. Harbison, S. and Martin, A. An introduction to Radiation Protection. ISBN 0412631105. Institute of Mechanical Engineers (1988) Assuring It’s Safe. ISBN 1860581471. Ishack, G. (1993) ‘Operating experience with motor-operated valves: extracting the lessons learned from the Incident Reporting System’, Report PWG1/OECD/NEA/CSNI. 
JGA (1991) ‘Recommended practice for LNG above-ground storage’, Japanese Gas Association. Kletz, T. (1996) Dispelling Chemical Engineering Myths. Taylor & Francis. Lamarsh, J.R. and Baratta, A. (2001) Introduction to Nuclear Engineering. Prentice Hall. Lees, F.P. (1996) Loss Prevention in the Process Industries. 3 Vol., Butterworth-Heinemann. Lewis, E.E. Nuclear Power Reactor Safety. ISBN 0471533351. Mazuzan, G.T. and Walker, J.S. (1984) Controlling the Atom, The Beginning of Nuclear Regulation 1946-1962. University of California Press.
Additional references
AR590 AR591 AR592 AR593 AR594 AR595
AR596 AR597
AR598 AR599 AR600 AR601 AR602 AR603 AR604 AR605 AR606 AR607 AR608 AR609 AR610
AR611 AR612 AR613 AR614 AR615 AR616 AR617
277
Newmark, N.M. (1965) ‘Effects of earthquakes on dams and embankments’, Geotechnique, 15(2), pp. 139–59. OECD (1996) ‘State of the art report on key fracture mechanics aspects of integrity assessment’, OECD/GD (96)6, NEA/CSNI/R(95)1. OECD (2000) ‘Report of the senior group on safety research’, OECD/NEA/CSNI. Pearson, G.H. (1953) The Design of Valves and Fittings. London: Pittman and Sons. Petrangeli, G. (1987) ‘Il concetto di rischio e definizione dei rischi’, ANIAI, Rome. Petrangeli, G., Tononi, R., d’Auria, F. and Mazzim, M. (1993) ‘The SSN: An emergency system based on international coolant depressurization for PWRs’, Nuclear Engineering and Design, 143, pp. 25–54. Ramsey, C.B. and Modarras, M. (1988) Commercial Nuclear Power, Assuring Safety for the Future. John Wiley & Sons. Ravindra, M.K. (1992) ‘Seismic assessment of chemical facilities under Califonia risk management and prevention program’, International conference on Hazard Identification and Risk Analysis, Human Factors and Human Reliability in Process Safety, Orlando, FL, January. Robbins, A. (1991) Radioactive Heaven and Earth. New York: The Apex Press. Schweitzer, P.A. (1972) Handbook of Valves. New York: Ind. Press. Shibata, H. ‘Anti-earthquake design of industrial facilities’, Technocrat, 8(11). Stevenson et al. (1992) ‘Advances in the analysis and design of concrete structures, metal containment and liner plates for extreme loads’, Nuclear Engineering and Design, 134. Stevenson et al. ‘Observations on experiences with above-ground piping systems during earthquakes’. Thompson, J. and Beckerley, J.G. (1973) The Technology of Nuclear Reactor Safety. The MIT Press. USNRC (1980) ‘Equipment response at the El Centro steamplant during the 15 Oct. 1979 Imperial Valley earthquake’, NUREG/CR-1665. USNRC (1985) ‘Reliability analysis of containment isolation systems’, NUREG CR-4220. 
USNRC (1988) ‘Technical findings and regulatory analysis for generic safety issue II.E.4.3 Containment integrity check’, NUREG 1273. USNRC (1990) ‘Results of the public workshops’, Supplement 1 to generic letter 89-10. USNRC (1994) ‘Information on schedule and grouping, and staff responses to additional public questions’, Supplement 6 to generic letter 89-10. USNRC (1996) ‘Consideration of valve mispositioning in PWRs’, Supplement 7 to generic letter 89-10. Voronin, L.M. et al. (1994) Safety of Nuclear Power Plants (Russian edition, derived from the French book Memento de la surete´ nucleaire en exploitation). EDF-EPN-DSN-Paris-ISBN n2-7240-0090-0, Sept. Walker, J.S. (1992) Containing the Atom, Nuclear Regulation in a Changing Environment 1963-1971. University of California Press. Walker, J.S. (2000) Permissible Dose, A History of Radiation Protection in the Twentieth Century. University of California Press. Walker, J.S. (2004) Three Mile Island, A Nuclear Crisis in Historical Perspective. University of California Press. (1989) ‘A scenario of the Three Mile Island Unit 2 accident’, Nuclear Technology. Mark’s Mechanical Engineers Handbook. McGraw-Hill. Power Engineers Valve Manual. Power Engineering Magazine. ‘Prince William Sound earthquake of 1964, oil storage tanks’.
This page intentionally left blank
Appendix 1 The Chernobyl accident
A1-1. Introduction
The circumstances leading to and the severe consequences of the Chernobyl accident deserve to be known and considered even outside the circle of directly interested specialists. It was, indeed, a dramatic event, rich in human, social and cultural implications. In this connection, another sad event, which long ago entered the annals of big technological disasters, comes to mind: the sinking of the Titanic. The RMS Titanic was a splendid British ocean liner which sank on her maiden voyage on the night of 14–15 April 1912 after a collision with an iceberg in the northern Atlantic. Out of the 2200 passengers on board, 1500 died, many of them because there were too few lifeboats. Subsequently, more stringent safety rules and iceberg warning systems were adopted. The Chernobyl reactor, like the Titanic, was a technological masterpiece, but both had inherent and serious flaws in their design. Another technologically advanced design that failed disastrously was the NASA Space Shuttle Challenger. Other technological disasters, such as at Bhopal and Seveso, were more related to simple carelessness in design and operation. This appendix gives a brief description of the Chernobyl reactor and illustrates the accident and its principal causes.
A1-2. The reactor
The Chernobyl reactor (Figure A1-1) is of the RBMK type (an acronym of the Russian words for ‘Channel High Power Reactor’). Five reactors of this type were built at various sites in the former USSR and the design is found nowhere else in the world.
It is a boiling water pressure tube (channel) reactor, cooled by light water and moderated by graphite. (In pressure tube (channel) reactors the nuclear fuel, made from low enriched uranium oxide, is contained in a set of parallel and closely spaced tubes or channels.) In passing, it should be said that water reactors are numerous in the world, although the majority of these reactors are of the ‘pressure vessel’ type, where all the nuclear fuel is contained in a strong vessel and not in a set of parallel pressure channels. In the RBMK, the light water coolant is brought to boiling point in the channels. The steam produced is separated from the residual liquid water in dedicated separator tanks located at an elevated position. It is then routed to the turbines mechanically coupled to the electric power generators. In this way, the heat produced by the chain reaction in the reactor is transformed into electric energy. The first generation units were located in a conventional industrial building and the other units, including the one in which the accident happened, were provided with partially reinforced containment. The plant was, in many respects, well designed in its details and had interesting characteristics both economically (it demonstrated a good use of the uranium) and militarily (it could possibly be used for plutonium production). However, it was inadequate from the point of view of the safety concepts adopted when compared with the Western state of the art. The three major defects, still partially present in the design, are: a tendency to instability and to uncontrolled power excursions (a positive power coefficient), a slow scram system which in certain conditions could act as an accelerator instead of a brake on the chain reaction (a positive fast shutdown), and the absence of a real and complete pressure resisting containment. Even before the accident, an English Working Group stated that a reactor of this type would not meet the safety standards of the Western world. (Report by Nuclear Power Company limited, March 1986, UK).

Figure A1-1. Schematic of the Chernobyl plant. (Labels: steam separator, reactor room, reinforced concrete structure, header, pump, pressure resisting rooms, reactor, suppression water pool, water, relief pipes, safety valves discharge.)

In summary, the RBMK design has some economic and strategic advantages, but these are offset by the shortcomings in design which in 1986 destroyed reactor number 4 of the Chernobyl power station. It is worthwhile describing further the negative safety characteristics of these reactors in order to clarify the technical reasons for the accident, although they were not the only ones, and to see why the very competent designers made their decisions. The design has three principal negative characteristics. The first one is that the reactor power tends to strongly increase when the cooling water inventory in the reactor decreases: the cooling water is a ‘neutron poison’.
The water inventory decreases when more steam is produced in the reactor. In fact, the steam bubbles produced expel the liquid water from the reactor. This is what happens in a boiling kettle which, if initially overfilled, spills water as boiling starts. If this kettle is heated on a gas cooker, the water spilled extinguishes the flame and, if the cooker is provided with an automatic gas supply stop, everything terminates without consequences. But this is not so in an RBMK because, as we have just mentioned, when the production of steam bubbles increases, the nuclear power (the heat produced by the cooker in the example) tends to increase instead of decrease. It can be easily seen that these types of reactors are unstable because an increase in power tends to be enhanced instead of being damped. On the other hand, when the power decreases, the steam production tends to decrease too, more liquid water is present inside the channels and the power tends to decrease still more. In the nuclear jargon, this unfavourable characteristic of RBMKs is called the ‘positive void (power) coefficient’. Naturally, the designers incorporated in the plant intrinsic characteristics and automatic control systems which counteracted this tendency towards instability in almost all operating conditions, except, unfortunately, in some specific conditions, such as the one which occurred at Chernobyl. The second negative characteristic concerns some peculiarities of the emergency fast shutdown system of the reactor. This system is present in all nuclear reactors and, in case of danger, introduces into the reactor substances capable of arresting the chain reaction. In general, these substances are contained in metallic rods which are named ‘control’ or ‘safety’ rods and which can be inserted in or extracted from the reactor. In the case of the RBMK the fast shutdown system was, before the Chernobyl accident, very slow (roughly twenty seconds for the complete insertion of the rods into the core, instead of the usual two seconds). Moreover, rather surprisingly, for those rods which are completely extracted from the reactor, their action in the initial part of their insertion stroke is not a reduction of the chain reaction but rather an acceleration of the reaction itself. This dangerous characteristic of the reactor is called ‘positive fast shutdown’. A third negative characteristic is the absence of a complete pressure containment building around the nuclear part of the plant which would resist the overpressure caused by possible accidents. The majority of the world’s reactors are contained in this manner in order to prevent the release of radioactive substances to the outside even in serious accidents.
Figure A1-1 shows that a large part of the building which contained the Chernobyl reactor was very similar to a light factory shed. Aggravating these deficiencies was the fact that the metal vessel containing all the nuclear fuel tubes could not withstand more than a very limited number of tube fractures. Beyond this number the pressure is so strong that the tank literally uncovers, causing the break of all the tubes and the expulsion of nuclear fuel.
Given these shortcomings it is natural to ask why these design decisions, so unfavourable to safety, were made. Without going into details, the reasons are probably two: firstly, a desire for maximum economy in fuel consumption and in operation in general, and secondly, the possibility of using the reactor for plutonium production for nuclear weapons. Every decision, therefore, was made with excessive confidence in the perfection of the technology, in the belief that all the accident scenarios had been foreseen and in the operators’ correct behaviour.
A1-3. The event
Unit 4 of the Chernobyl plant was scheduled to be passed to the maintenance crews for a programmed revision on the morning of 26 April 1986. Therefore, the crews would arrive early and the plant had to be ready so they could do their work. However, before the reactor could be shut down for maintenance it was necessary to perform a programmed test of a new safety device that had been installed on the electric generator, starting from a power of about 700 MWt (the normal operating power was 3200 MWt). The plant management began early and started to reduce power at about 1 a.m. on the night of Friday, 25 April. This operation continued until 2 p.m. when the KievEnergo distributor (dispatcher) organization asked the Chernobyl power plant to continue to maintain the reduced power output without further reduction because the electricity demand in the Kiev industrial zone was still very high before the weekend interruption of work. The distributor is the organization which, in any country or region, governs the electric grid and has the responsibility of balancing demand and supply. The planned reduction of the reactor power was resumed, with the agreement of the distributor, only at about 11 p.m., meaning that nine hours had been lost from the test schedule and consequently less time remained before the looming deadline of the following morning’s maintenance shutdown. As can be imagined the operators became anxious. Half an hour into the morning of 26 April another unfortunate event happened. In the manual switch over, during the power descent, of the automatic control of the reactor from one regulator to another (a standard procedure) something happened (for a reason that has never been clarified) which caused the reactor power to drop to only 30 MWt. Was it a malfunction of the controller or an operator error? It has not been possible to ascertain the truth with certainty; however, in my view, simple ‘bad luck’ was heavily involved. A very low power condition might appear trivial in a normal machine – if the power decreases too much, it is made to rise again by the dedicated controls – but in a nuclear reactor and especially in an RBMK, this is not so. Besides the reluctance of any reactor to increase power after a reduction, due to some isotopes which slow the chain reaction down and which are produced precisely in these transients, in an RBMK at low power the steam production in the channels stops and they fill up with water. As described earlier, the nuclear power level tends to decrease even more (the typical instability of RBMKs). Hence, almost one hour of frantic attempts to regain power at any cost followed with the goal of getting an adequate power level to complete the test in time. The reactor engineer believed at this point that the test should have been discontinued but continued to make any possible attempt, even infringing safety rules, as he feared being fired. He attempted any possible manoeuvre, first of all extracting all the reactor control rods (an operation forbidden by the safety rules in force) and succeeded in bringing the reactor to 200 MWt with all the control rods extracted and with the channels almost filled with water. These are the conditions where the RBMK is maximally unstable and the scram is plagued by that tragic defect of accelerating the chain reaction instead of slowing it down at the start of its actuation. It is not clear what happened in the final instant as the reactor ‘blew up’. Some records shown by the Russians in Vienna in August 1986 during the first conference on the accident show that the control rods started to automatically enter the reactor.
This could be an indication of an unstable nuclear transient. What is known is that an operator, at 01h 23m 40s, pushed the scram button which introduced all the control rods into the reactor. High radiation alarms, high pressure alarms and high pressure signals for fuel channel ruptures triggered, and finally two very strong explosions occurred. Figure A1-2 shows the trend of the reactor power in the last minutes before the accident.
Pushing the scram button had been the final catalyst: its small positive push of the reactor nuclear power had made the whole system unstable due to the low power and to the large quantity of liquid water in the reactor itself. The power strongly increased causing the fuel channels to burst and the lid of the metal tank which contained them to break. The reactor was almost destroyed and nuclear fuel and burning fragments were dispersed on the plant yard and projected high in the sky (to about 1 km), causing fires on the roof of the turbine building and elsewhere. The following describes the probable course of the accident in greater detail based on observations and direct inspections, on the available knowledge of the phenomena of severe nuclear accidents, on analytical evaluations subsequently made and on the conclusions prevailing among the experts. It has to be noted, however, that the degree of certainty of the conclusions on the precise accident dynamics is not yet satisfactory, so that other studies and research are needed. Once the scram button was pressed, the reactor power started to increase strongly because of the aforementioned characteristic of ‘positive scram’ and because of the progressive increase of the amount of steam in the reactor (caused by the increase of thermal power) and because of the corresponding decrease of water (the water in this reactor is a neutron poison). In the RBMK, the thermal power is generated by the fission chain reaction inside the uranium fuel contained in the fuel channels where the cooling water flows under boiling conditions. It is easy to understand that increasing the thermal power (heat) generated in the fuel means that more heat needs to be transferred to the cooling water. However, temperature limits exist beyond which the uranium-based fuel, as well as the metal cladding which contains it, start to be damaged.
This is what happened at Chernobyl in the first phase of the nuclear power excursion (the self-enhancing power increase phenomenon). The fuel (uranium dioxide) started to melt and to vaporize with a consequent pressure increase and with dispersion of overheated fragments in the cooling boiling water inside the channels. This dispersion caused a general pressure increase in the channels themselves, probably of an explosive type (steam explosion), and their bursting.
Figure A1-2. Trend of some of the Chernobyl reactor parameters in the last minutes up to the accident.
The steam escaped into the reactor tank which, as noted, could resist only the break of a few tubes (channels). The tank uncovered and all the tubes were ripped off with the external projection of fuel and other incandescent materials. This was the first very strong explosion heard by the witnesses. Unfortunately, this was not the end of the story. Under very high temperature conditions of the fuel and of the metallic channel materials, water and steam may react, here too in a self-enhancing way, with the metallic materials generating hydrogen and with the reactor graphite generating carbon monoxide. Hydrogen and carbon monoxide are highly explosive gases and in effect they caused the second explosion. The consequences of the two explosions were the destruction of the reactor, the projection of incandescent and burning materials outside (the flashes, as of fireworks, quoted by many witnesses) and a fire of all the graphite mass. The reactor, according to the subsequent reconstructions, was reduced to the condition shown in Figure A1-3 which also illustrates subsequent work carried out in order to isolate the reactor from the environment (the so called ‘Sarcophagus’).

Figure A1-3. Reconstruction of the reactor after the accident and the ‘sarcophagus’. (Labels: sarcophagus, reactor top plate, turbine hall, reactor rubble.)

So what was the actual cause of the accident? As frequently happens with accidents, this tragedy was caused by more than one error. At the start of the analysis, understandably, there was a tendency to put the greatest blame on the operators, even though their work records were good, but subsequently the serious safety deficiencies of this type of reactor have emerged. The accident was due to design shortcomings which, together with the special requirements then prevailing and with the operators not being prepared to cope with the difficult situation which developed and not being respectful of the safety rules, especially in the stressed conditions in which they operated, generated this catastrophe. Other accompanying causes have been indicated by the post-accident investigations. These have mainly focused on the inadequate general management system and on the insufficient level of ‘safety culture’ in which the design and the operation of the Chernobyl reactor occurred.
References
IAEA, Vienna, Acts of the post-accident review meeting, August 1986, Vienna.
Medvedev G., La vérité sur Tchernobyl, Éditions Albin Michel S.A., Paris, 1990.
Vargo G.J., The Chernobyl accident, a comprehensive risk assessment, Battelle Press, Columbus, Richland, USA, 2000.
Spezia U., Chernobyl, dieci anni dopo il disastro (Chernobyl, ten years after the disaster), Milo (publisher), Vitorchiano (Vt, Italy), 1996.
Appendix 2 Calculation of the accident pressure in a containment
A2-1. Introduction
An initial release of a steam–water mixture with a high internal energy into the containment takes place in many water reactor accident scenarios. Typically, it is the water of the primary cooling system which causes an initial overpressure and a subsequent pressure transient in the containment itself. The following paragraphs describe some simple methods, with essential data, for calculating the pressure with time in these two phases. A note concerning the measurement units used in these calculations has to be added. Due to the long history of the first creation of the related computer program and of its subsequent improvements and tests, the measurement units do not all belong to the International System of Units (SI). They have been left as they were, in order not to lose the benefit, in terms of reliability, of the long testing of the program. The strongest discrepancy from the SI units is that large calories (Cal) are used instead of Joules and bars or kg/cm² instead of Pascals.

A2-2. Initial overpressure
The initial pressurization of the containment is a constant volume phenomenon (the containment volume) and therefore, in order to calculate the final state parameters (e.g. the pressure), it is necessary to equate the initial and final internal energies of the involved fluids. Here it is assumed that the initial pressurization of the containment is relatively fast, for example corresponding to the break of an intermediate or large recirculation pipe (an intermediate or large LOCA). Therefore, the heat exchanged with objects internal to the containment and between the inside and outside of it can be considered negligible. The initial and final energies of the fluids concerned can be calculated by the following considerations and formulae.

Total internal energy = air energy + water (liquid and steam) energy (A2.1)

Air internal energy,

$$U_a = M_a C_v t \quad \mathrm{Cal\,kg^{-1}}, \tag{A2.2}$$

where $C_v$ is the specific heat at constant volume of air (0.172 Cal kg⁻¹ in normal conditions), $M_a$ is the weight of air in the containment (kg) and $t$ is the temperature in °C.

Specific internal energy of the water–steam mixture,

$$U_{H_2O} = M_{H_2O}\,(H_{H_2O} - J p v) \quad \mathrm{Cal\,kg^{-1}}, \tag{A2.3}$$

where $M_{H_2O}$ is the weight of water–steam (kg), $H_{H_2O}$ is the specific enthalpy of water (a function of the mixture quality and of the pressure) (Cal kg⁻¹), $J$ is the inverse of the mechanical equivalent of the calorie ($J$ = 1/(427 kg m/Cal)), $p$ is pressure (kg m⁻²) and $v$ is the specific volume (m³ kg⁻¹). The quality, $X$, of the mixture, before and after the pressurization of the containment, can be calculated from the specific volumes of the water and steam which are known. The weight of water and steam is equal to the released amount (e.g. that of the primary cooling water), while the initial volume is that of the primary system and the final volume is that of the containment.

$$X = \frac{v - v_l}{v_{fg}}, \tag{A2.4}$$
where vl and vfg are the specific volume of liquid water and the difference between water vapour specific volume and liquid water volume, respectively, and can be obtained from steam diagrams and tables as well as from the approximate formulae A2.5 and A2.6 (CNEN, 1976).
v1 ¼
9:165659e 4 p3 4:159937e 1 p2 ð35:05628 pÞ 120:077 p3 251:462p2 31207:36p 117706:3 ðA2:5Þ
and
vfg ¼
(
) 2:309098e 3 p4 þ 4:162979p3 857:4263p2 14867:06p 3998:127 4 , p 381:89p3 7810:05p2 3776:419p þ 529:4787
ðA2:6Þ
where p is pressure (kg cm⁻²). The specific enthalpy $H_{H_2O}$ is given by Equation A2.7.

$$H_{H_2O} = H_f + X H_{fg}, \tag{A2.7}$$
where the enthalpies can also be calculated by the approximate formulae A2.8 and A2.9. 964:3845p3 þ 188946:5p2 þ 2470981p 1649689 Hf ¼ 3 p þ 665:0797p2 þ 16075:48p þ 26716:57
ðA2:8Þ
Hfg ¼
3
231973:9p 5:284174e7 p2 ð1:191874e9 pÞ 1:575882e9 4 p þ 82:67094p3 126285:4p2 þ 2315288p þ 2785184 ðA2:9Þ
The initial values of the internal energies can be calculated directly, while the final ones must be obtained by a trial and error procedure, usually
drawing a graph (e.g. in Microsoft® Excel®). It is possible to start with a tentative $t_{final}$ value from which the partial pressure of air is obtained (by the perfect gas law and the initial values) as well as the partial pressure of steam by diagrams, tables or approximate relationships like that of Equation A2.10, which is very good between 99 °C and 374 °C, and acceptable above 65 °C.
8 9 > 10 9 t4 þ 2:284709 10 6 t3 > < 4:241304 = 2:952689 10 4 t2 þ 2:164816 10 2 t > > ; : 5:712048 10 1 9 p¼ 8 11 4 8 3 > 3:211231 10 t > 10 t < 2:066907 = þ 2:049397 10 5 t2 > > : ; 6:895268 10 3 t þ 1 ðA2:10Þ
The final accident pressure can also be calculated by specific diagrams, such as the one shown in Figure A2-1, where Pr is the relative accident pressure in the containment (kg cm⁻²), T is the corresponding temperature (°C) and V/P is the ratio between containment volume and weight of water released (m³ kg⁻¹). The four curves of the final pressure refer to various values of the specific internal energy of the released liquid.
Example: The containment has a free volume of 60 000 m³, into which 250 t of primary water are released, with an average temperature of 300 °C. Initially the pressure in the containment is equal to 1 bar. Therefore V/P = 0.24 m³ kg⁻¹. The specific enthalpy of the liquid water at 300 °C is equal to about 314 Cal kg⁻¹ (practically coincident with the specific internal energy). Entering these values into the graph, the relative accident pressure equals about 2.7 kg cm⁻² and the final containment temperature is about 125 °C.
Figure A2-1. Loss of coolant accident pressure in a containment. (Axes: Pr (kg cm⁻²), T (°C) and V/P (m³/kg); curves labelled 250, 300, 350 and 400 kcal kg⁻¹.)

A2-3. Containment pressure versus time
The following describes a simple spreadsheet which can be useful for rough evaluations. Where the assumptions on which it is based do not match those of interest (e.g. an absence of spray systems in the containment) the program can be easily modified.
A2-3-1. Introductory remarks
During the design of the pressure containment building of a water reactor, the calculation of the transient pressure within it as a consequence of a LOCA is very important. In the first place, knowledge of the pressure history in the containment at times subsequent to the rupture is necessary to determine the maximum internal pressure after the accident, which in some cases can be higher than the initial pressure peak occurring shortly after the break. This, in general, occurs when the construction characteristics of the containment limit the dispersion of heat towards the outside. Representative examples of this situation are those containers where an internal liner in reinforced concrete, or an external biological shield of the same material which totally or partially encloses the metal container, is present (e.g. the Indian Point, Elk River, Connecticut Yankee, Trino Vercellese and similar plants). In such cases, and in the absence of specific pressure abatement systems, such as cold water spray systems inside the containment, in addition to the first pressure peak in the instants immediately following the rupture, a second pressure peak can occur, higher than the first one, due to the release within the containment of the decay heat of the reactor core and to other possible phenomena, even in the realm of the design basis accidents. The second peak will occur at different times after the accident, according to the particular thermal characteristics of the system.
In the second place, the knowledge of the pressure history in the containment is necessary for the evaluation of the release outside it of radioactive substances from the core through the inevitable leaks of the structure. The amount of this release depends, in fact, on the internal pressure.
A2-3-2. Calculation method
The step-by-step procedure described here is for use on a Microsoft® Excel®, or similar, spreadsheet. For the generic time interval, the amounts of heat exchanged with the containment internal atmosphere are calculated on the basis of the conditions existing at the start of the same interval, assuming that in the interval the temperature of the air–water–steam mixture remains constant. Then, the balance of these quantities is made and, on the basis of the current heat capacity of the mixture, the variation of its temperature in the time interval and the corresponding final pressure are evaluated. The initial conditions for the subsequent time interval are then calculated. The method has been developed for simple pressure containment such as that shown in Figure A2-2 where the heat sources and sinks are solar heat absorbed by the containment (Qs), the heat exchanged with concrete (Qc), the heat exchanged with cold metals (Qmf), the heat exchanged with hot metals (Qmc), core decay heat (Qd) and the heat exchanged by the mixture towards the outside through the containment (Qco). With small and obvious modifications this method can also be adapted to rather different containments, such as double containment.
Figure A2-2. Containment scheme (heat flows labelled Qcs, Qmf, Qc, Qco, Qmc and Qd).

A2-3-3. Heat exchanged with the outside through the metal container

The container considered is painted on its surfaces and the thermal resistance of the metal is negligible compared with the resistance between the metal and the air–steam mixture on one hand and external air or water of the external spray system on the other. With these assumptions and in the case where the external spray is not operating, the formulae giving the amount of heat exchanged in the generic time interval and the metal temperature at the end of the same interval are given in Equations A2.11–A2.15.

$$Q_{co} = C_1\,(T_m - T_e)\,\Delta\tau - \frac{h_1}{h_1 + h_2}\,Q_{cs}\,\Delta\tau + C_2\left(T_{co}(0) - \frac{h_1 T_m + h_2 T_e + \dfrac{Q_{cs}}{S_{co}}}{h_1 + h_2}\right)\left(e^{-C_3\,\Delta\tau} - 1\right) \tag{A2.11}$$

$$T_{co} = e^{-C_3\,\Delta\tau}\left(T_{co}(0) - \frac{h_1 T_m + h_2 T_e + \dfrac{Q_{cs}}{S_{co}}}{h_1 + h_2}\right) + \frac{h_1 T_m + h_2 T_e + \dfrac{Q_{cs}}{S_{co}}}{h_1 + h_2} \tag{A2.12}$$

$$C_1 = \frac{h_1 h_2 S_{co}}{h_1 + h_2} \tag{A2.13}$$

$$C_2 = \frac{h_1 S_{co}}{C_3} \tag{A2.14}$$

$$C_3 = \frac{S_{co}\,(h_1 + h_2)}{C_c}, \tag{A2.15}$$
where C1 (Cal/min °C), C2 (Cal/°C kg), C3 (Cal/min) are three convenient calculation quantities, Cc is the specific heat of the concrete (Cal/kg °C), h1 is the transmission coefficient between the containment metal and the mixture (resistance of the paint and of the paint–mixture interface) (Cal/m² min °C), h2 is the transmission coefficient between the containment metal and external air (resistance of the paint and of the paint–air interface) (Cal/m² min °C), Sco is the containment surface area exposed to external air (m²), Tco is the temperature of the containment metal (°C), Tco(0) is the container metal temperature at the start of the interval of time (°C), Te is the temperature of the external air (°C), Tm is the temperature of the air–steam mixture within the containment (°C) and Δτ is the time interval (min).

In the case where an external spray system operates it is possible to neglect the heat capacity of the containment and the heat released to the outside is calculated on the assumption that the spray water is poured from the top of the containment. The heating of the water itself while it flows along the surface is, moreover, taken into account. Thus Equation A2.16 follows:

$$Q_{co} = G_{se}\,C\,(T_m - T_{se})\left(1 - e^{-h S_{co}/(c\,G_{se})}\right), \tag{A2.16}$$

where c is the total container metal thermal capacity (Cal/°C), C is the specific heat of the external spray water (Cal/kg °C), Gse is the flow rate of the external spray (kg/min), h is the transmission coefficient between the mixture and the external spray water (Cal/m² min °C) and Tse is the temperature of the external spray water (°C). This equation does not include the solar heat because, if the external spray is operated, this contribution has no influence on the transient.
A2-3-4. Heat released by hot metals

The hot metals are the primary and secondary systems and the related hot auxiliary systems inside the containment. These plant parts are all thermally insulated by a liner. The heat exchange is calculated assimilating these components to a flat layer of thickness equal to the average value of the thicknesses of all the components themselves, perfectly isolated on one side and lined on the other (towards the mixture) by the usual insulating liner. It is admissible to consider the metal as a capacity without resistance and the liner as a resistance without capacity and, with this scheme, the heat amount and the final temperature are given by Equations A2.17 and A2.18:

$$Q_{mc} = h_{mc} S_{mc}\,(T_{mc} - T_m)\,\Delta\tau, \tag{A2.17}$$

$$T_{mc} = T_{mc}(0) - \frac{h_{mc} S_{mc}\,(T_{mc} - T_m)}{C_{mc}}\,\Delta\tau, \tag{A2.18}$$

where hmc is the transmission coefficient between hot metals and the mixture (resistance of the isolating liner and the liner–mixture interface) (Cal/m² min °C), Smc is the hot metal surface area (m²), Cmc is the thermal capacity of the hot metals (Cal/°C), Tmc is the temperature of the hot metals (°C) and Tmc(0) is the temperature of the hot metals at the start of the time interval (°C).

A2-3-5. Heat exchanged with cold metals

The cold metals are those metallic components which during operation are at about the ambient temperature of the containment. They are lined, on exposed surfaces, by a layer of paint. The model used here is a simple capacity (metal) and a resistance (paint and interface paint mixture). Thus Equations A2.19 and A2.20 follow:

$$Q_{mf} = C_{mf}\,(T_{mf}(0) - T_m)\left(e^{-\frac{h_{mf} S_{mf}}{C_{mf}}\Delta\tau} - 1\right), \tag{A2.19}$$

$$T_{mf} = T_m + (T_{mf}(0) - T_m)\,e^{-\frac{h_{mf} S_{mf}}{C_{mf}}\Delta\tau}, \tag{A2.20}$$

where Cmf is the thermal capacity of the cold metals (Cal/°C), hmf is the transmission coefficient between the metal and the mixture (Cal/m² min °C), Smf is the cold metal surface area (m²) and Tmf is the temperature of the cold metals (°C).

A2-3-6. Heat exchanged with concrete layers

The concrete layers have been modelled as plane insulated layers on one side and in contact, on the other side, with the air–steam mixture through a paint layer. The calculation method is that described in Jakob (1962) which uses the finite difference method for the solution of the heat transfer equations. The concrete layers have been grouped in a certain number of groups, each with an average thickness and an exposed surface equal to the sum of the surfaces of the concrete layers included in the group. The heat exchanged with one of the groups of layers during the generic time interval is given by Equation A2.21:

$$Q_c = h_c S_c\,(T_m - T_c)\,\Delta\tau, \tag{A2.21}$$

where hc is the mixture–concrete transmission coefficient (Cal/m² min °C), Sc is the concrete surface area (m²), Tm is the temperature of the mixture (°C) at the start of the interval and Tc is the temperature of the concrete wall (°C) at the start of the interval. The temperatures, T′, of the layers in which the concrete has been subdivided at the end of the time interval are calculated by Equations A2.22–A2.24:

$$T_1' = \frac{2N}{M}\,T_m + \frac{M - 2N - 2}{M}\,T_1 + \frac{2}{M}\,T_2, \tag{A2.22}$$

for the first layer,

$$T_i' = \frac{1}{M}\,T_{i-1} + \frac{M - 2}{M}\,T_i + \frac{1}{M}\,T_{i+1}, \tag{A2.23}$$

for the layers between the first and the last, and

$$T_n' = \frac{1}{M}\,T_{n-1} + \frac{M - 1}{M}\,T_n, \tag{A2.24}$$

for the last layer. M is an auxiliary calculation non-dimensional quantity and is given by Equation A2.25:
M¼
c Cc 2 x2 , Kc
ðA2:25Þ
where c is the concrete density (kg/m³), Kc is the concrete heat conduction coefficient (Cal/m min °C) and x is the thickness of the concrete layer (m). N is another auxiliary calculation non-dimensional quantity and is given by Equation A2.26:

$$N = \frac{h_c\,x}{K_c} \tag{A2.26}$$
The necessary condition for the convergence of the calculation is the one given by Equation A2.27 (Max, 1962):

$$M > 2N + 2. \tag{A2.27}$$

The choice of the intervals x and Δτ has been made in a way which abundantly satisfies Equation A2.27, that is, M 2(2N + 2).
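The layer update of Equations A2.22–A2.24 and the convergence condition of Equation A2.27 can be exercised on their own. The following Python sketch is an added example, not part of the book's PRESCONT macro; the slab (20 layers at 50 °C, mixture held at 110 °C, N = 10) and all function names are constructed for illustration. It runs the same slab once with M = 2(2N + 2) and once with M = N + 2, which violates A2.27.

```python
"""Explicit finite-difference update of one concrete slab group (A2.22-A2.24).

Added illustration. The slab below (number of layers, M, N, temperatures) is a
constructed sample, not input data from the book's spreadsheet.
"""


def is_stable(M, N):
    """Necessary convergence condition of Equation A2.27: M > 2N + 2."""
    return M > 2 * N + 2


def step_layers(T, Tm, M, N):
    """Return the layer temperatures after one time step.

    T  -- temperatures at the start of the step, exposed layer first (deg C)
    Tm -- mixture temperature at the start of the step (deg C)
    M, N -- non-dimensional constants of the concrete (CM and CN in PRESCONT)
    """
    n = len(T)
    if n < 2:
        raise ValueError("the scheme needs at least two layers")
    new = [0.0] * n
    # Exposed layer: exchanges with the mixture and with layer 2 (A2.22).
    new[0] = (2 * N / M) * Tm + ((M - 2 * N - 2) / M) * T[0] + (2 / M) * T[1]
    # Inner layers: conduction to both neighbours (A2.23).
    for i in range(1, n - 1):
        new[i] = T[i - 1] / M + ((M - 2) / M) * T[i] + T[i + 1] / M
    # Last layer: insulated on its far side (A2.24).
    new[-1] = T[-2] / M + ((M - 1) / M) * T[-1]
    return new


def surface_history(T0, Tm, M, N, steps):
    """First-layer temperature at the start and after each of `steps` steps."""
    T = list(T0)
    history = [T[0]]
    for _ in range(steps):
        T = step_layers(T, Tm, M, N)  # every new value uses only old values
        history.append(T[0])
    return history


def is_physical(history, T_initial, Tm, tol=1e-9):
    """A slab heated by the mixture must stay between its start value and Tm."""
    lo, hi = min(T_initial, Tm), max(T_initial, Tm)
    return all(lo - tol <= t <= hi + tol for t in history)


def compare(n_layers=20, T_initial=50.0, Tm=110.0, N=10.0, steps=200):
    """Run the same slab with a compliant and a non-compliant value of M."""
    results = {}
    for label, M in (("M = 2(2N + 2)", 2 * (2 * N + 2)), ("M = N + 2", N + 2)):
        hist = surface_history([T_initial] * n_layers, Tm, M, N, steps)
        results[label] = {
            "M": M,
            "stable": is_stable(M, N),
            "first_step": hist[1],
            "physical": is_physical(hist, T_initial, Tm),
        }
    return results


if __name__ == "__main__":
    for label, r in compare().items():
        print(label, r)
```

With M = N + 2 the coefficient of T1 in Equation A2.22 is negative, and the exposed layer jumps above the temperature of the mixture that heats it in the very first step.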
A2-3-7. Decay heat

As far as the transfer of the decay heat of the core to the water–steam mixture is concerned, here too the assumptions are made (usual in this type of calculation) of the total and instantaneous transfer of the available energy from the core to the mixture. These assumptions are not likely to be complied with in an accident, especially when it is assumed that the core always remains dry (i.e. no spray or flooding system operates). In reality the heat released is only partially transmitted to the mixture and, moreover, this phenomenon occurs after a delay. The assumption of the total transfer to the mixture of the energy released over time by the core is certainly cautious, while the assumption of an absence of delays in the phenomenon may or may not be cautious according to the aspects of the accident considered. In fact, what can be expected by the assumption of immediate transfer of the heat from the core is a pressure transient characterized at the start by higher values but having a shorter duration. Therefore this assumption is very likely to be conservative for the evaluation of the probability that a second pressure peak higher than the first one in the containment occurs. It will not necessarily be so for the evaluation of prolonged releases of activity from the containment in the absence of pressure abatement systems such as, for example, spray systems.

The core decay heat is essentially composed of the decay heat of the fission products, the decay heat of the decay chain of uranium-239 and neptunium-239 produced by neutron capture by uranium-238, the decay heat of other actinides, the control rods and the structural materials and the heat generated by the residual fissions and by neutron capture by the fission products. The heat of the residual fissions is generally very small 100 s after shutdown and can be completely neglected for the study of medium- and long-term transients. The decay heat of the structural materials can also be neglected. As far as the control rods are concerned, the heat released by them is not completely negligible, but it can probably be ignored if a safety factor for the total decay heat of at least 1.1 is used.

The decay heats of the fission products have been amply studied and the values used here are those suggested by Shure (1961). They are very close to the values of the ANS (1994) and ISO (1992) curves. Some values of the decay heat of the fission products for infinite irradiation according to Shure are shown in Table A2-1. For the time interval 150 < t < 4 × 10⁶ seconds, which generally covers the time span of interest for this transient, Shure suggests the following approximate analytical expression for the decay heat for an infinite irradiation time, valid with a maximum error of five per cent:

$$M(\infty, t) = 13.01\,t^{-0.2834}, \tag{A2.28}$$

where M is the percentage of operating power and t is time (s). Table A2-2 lists for various times the total decay power as a fraction of operating power (practically infinite time) according to ANS (1994) and ISO (1992). The decay heat for a finite irradiation time t0, at time t after shutdown, is given by Equation A2.29:

$$M(t_0, t) = M(\infty, t) - M(\infty, t + t_0) \tag{A2.29}$$
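The five per cent bound and the validity range quoted for Equation A2.28 can be checked directly against the values printed in Table A2-1. The following Python sketch is an added example, not code from the book; the function names are constructed, and the `trusted` flag is an assumption of this example that marks results where an argument of the fit lies outside the stated range 150 < t < 4 × 10⁶ s (as happens in Equation A2.29 for long irradiation times).

```python
"""Shure's fit (Equation A2.28) checked against Table A2-1, plus the finite
irradiation correction of Equation A2.29. Added illustration."""

# Table A2-1 as printed: time after shutdown (s) -> decay power (% of operating power)
TABLE_A2_1 = {1e2: 3.3, 1e3: 1.87, 1e4: 0.97, 1e5: 0.48,
              1e6: 0.268, 1e7: 0.121, 1e8: 0.0515}

FIT_RANGE = (150.0, 4.0e6)  # range of validity stated for Equation A2.28 (s)


def in_fit_range(t):
    """True when t lies inside the range for which the fit is stated."""
    return FIT_RANGE[0] < t < FIT_RANGE[1]


def m_infinite(t):
    """M(inf, t) = 13.01 t^-0.2834, in per cent of operating power (A2.28)."""
    if t <= 0:
        raise ValueError("time after shutdown must be positive")
    return 13.01 * t ** -0.2834


def m_finite(t0, t):
    """M(t0, t) = M(inf, t) - M(inf, t + t0) (A2.29).

    Returns (value, trusted); trusted is False when either argument of the fit
    falls outside FIT_RANGE, where the five per cent bound no longer applies.
    """
    value = m_infinite(t) - m_infinite(t + t0)
    return value, in_fit_range(t) and in_fit_range(t + t0)


def fit_errors():
    """Relative error of the fit against each table entry, with a range flag."""
    return {t: ((m_infinite(t) - ref) / ref, in_fit_range(t))
            for t, ref in TABLE_A2_1.items()}


def worst_error(inside):
    """Largest absolute relative error over entries inside/outside the range."""
    return max(abs(err) for err, ok in fit_errors().values() if ok == inside)


if __name__ == "__main__":
    for t, (err, ok) in sorted(fit_errors().items()):
        print(f"t = {t:8.0e} s  error = {100 * err:+6.1f} %  in range: {ok}")
    print(m_finite(30 * 24 * 3600, 1e4))       # 30 days of irradiation
    print(m_finite(15 * 30 * 24 * 3600, 1e4))  # about 15 months: t + t0 out of range
```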
The decay heat of uranium-239 is an important fraction of the total decay heat. It is directly proportional to the initial conversion ratio of the core. For a conversion ratio equal to 0.5, to an approximation of about 15 per cent, the approximate law (Equation A2.30) holds for the total power within the interval 10² < t < 3 × 10⁵ seconds after shutdown (that is from 100 s to about 3.5 days).

$$P_d = 14.9\,t^{-0.278}, \tag{A2.30}$$

where Pd is the percentage of the operating power and t is time (s). As usual Equation A2.30 gives the decay heat for an infinite operation time. The power for a finite operation time is given by Equation A2.31.

$$P_d(t_0, t) = P_d(\infty, t) - P_d(\infty, t + t_0) \tag{A2.31}$$

The correction Pd(∞, t + t0) is not negligible in this type of problem. The expression of the decay heat to be inserted in the program is determined case by case by Equation A2.30 or by its equivalent for conversion ratios different from 0.5, and by Equation A2.31, on the basis of the value of the core operation time t0. It will be opportune to add a safety factor of the order of 1.15–1.20 in order to take into account the mistakes due to approximate expressions of the type of Equation A2.30, and the fact that the control rod decay heat has not been taken into account, and so on.

Table A2-1. Decay heat (Shure, 1961)

| Time after shutdown (s) | Decay power as a percentage of the thermal operating power |
|---|---|
| 10² | 3.3 |
| 10³ | 1.87 |
| 10⁴ | 0.97 |
| 10⁵ | 0.48 |
| 10⁶ | 0.268 |
| 10⁷ | 0.121 |
| 10⁸ | 0.0515 |

Table A2-2. Decay heat (ANS, 1994; ISO, 1992)

| Time after shutdown, t (s) | ANS 5.1/94 | ISO 10645 |
|---|---|---|
| 1 | 6.066 × 10⁻² | 6.005 × 10⁻² |
| 10 | 4.731 × 10⁻² | 4.738 × 10⁻² |
| 10² | 3.193 × 10⁻² | 3.220 × 10⁻² |
| 10³ | 1.980 × 10⁻² | 2.031 × 10⁻² |
| 10⁴ | 9.718 × 10⁻³ | 1.028 × 10⁻² |
| 10⁵ | 5.548 × 10⁻³ | 5.705 × 10⁻³ |
| 10⁶ | 2.315 × 10⁻³ | 2.364 × 10⁻³ |
| 10⁷ | 7.015 × 10⁻⁴ | 7.461 × 10⁻⁴ |
| 10⁸ | 1.001 × 10⁻⁴ | 9.666 × 10⁻⁵ |

A2-3-8. Heat removed by the spray system internal to the containment

If the mechanical work for the introduction of water into the containment is neglected (a reasonable assumption), the energy absorbed by the sprayed cold water in the interval will be that necessary to bring the specific internal energy of the water from the u0 value (Cal/kg) pertinent to cold water to the value u pertinent to the steam–water system present in the containment. Thus Equation A2.32 follows:

$$Q_{si} = G_{si}\,(u - u_0), \tag{A2.32}$$

where Gsi is the weight flow rate of the internal spray system (kg/min) and Qsi is the heat absorbed by the internal spray (Cal). In order to use Equation A2.32 in the program it is necessary to use an analytical expression of the internal energy, u, of the steam–water mixture as a function of the total volume, V (m³), its weight and the partial pressure of the steam or temperature as given in Section A2-2.
A2-3-9. Solar heat

The solar heat contribution is not negligible in this problem and must, therefore, in general, be included in the calculation. The solar heat impinging on a surface outside the terrestrial atmosphere and normal to the direction of the solar beams, at the average distance from the Earth, is 20 Cal m⁻² min⁻¹ (mean solar constant). This value undergoes a maximum variation of 3.5 per cent during the year because of the variation of the distance between the Earth and the Sun. In order to evaluate which part of the mean solar constant is absorbed by a surface at ground level it is necessary to evaluate the effects of the inclination of the surface, the latitude and the Sun’s declination, as well as of the transparency of the atmosphere and the surface reflection. In a conservative evaluation and on the basis of data in MARKS, 1958, pp. 12–114, the following multiplication factors can be assumed in order to take into account the aforementioned effects at about 43 degrees of latitude North (readers will insert a latitude of their interest here).

For the surface inclination, the latitude, the Sun’s inclination and the distance of the Sun from the Earth:

$$f_1 = 0.4 \times 0.965 = 0.386, \tag{A2.33}$$

where 0.4 is the surface inclination and latitude non-dimensional coefficient and 0.965 is the distance of the Sun from the Earth non-dimensional coefficient.

For the transparency of the atmosphere:

$$f_2 = 0.6 \tag{A2.34}$$

If the area of the containment surface exposed to the Sun is indicated with Scs (m²) and the conservative assumption of a unit absorption coefficient of the surface is made, it is possible to calculate the heat absorbed in one minute by the containment by A2.35:

$$Q_{cs} = 20\,f_1 f_2\,S_{cs} = 4.63\,S_{cs}\ \text{Cal min}^{-1} \tag{A2.35}$$
A2-3-10. Thermal balance in the interval Δτ

The variation of the internal atmosphere temperature of the containment, ΔTm, in the time interval Δτ, can be evaluated on the basis of the heat quantities exchanged by it (see Equations A2.11, A2.16, A2.17, A2.19, A2.21, A2.31 and A2.32) by the expression:

$$\Delta T_m = \frac{\Delta Q}{W} = \frac{Q_d + Q_{mc} - Q_{co} - Q_{mf} - Q_c - Q_{si}}{W}, \tag{A2.36}$$

where Qd comes from Equation A2.31 and W is the thermal capacity of the gas–vapour mixture inside the containment (air, water, steam) and can be expressed with sufficient approximation by Equation A2.37:

$$W = C_a + P_{H_2O} + V\left(0.002\,T_m^2 - 0.185\,T_m + 6.05\right)\ \text{Cal}\ {}^{\circ}\text{C}^{-1}, \tag{A2.37}$$

where Ca represents the constant volume thermal capacity of the containment air (Cal/°C), which is assumed to be constant during the transient, PH2O is the total steam–water weight (kg), which is constant only if the internal spray is not operating, and V is the free volume of the containment (m³). The initial conditions for the subsequent interval will then be calculated by Equations A2.12, A2.18, A2.20, A2.22–A2.24.
A2-3-11. Considerations on the performance of the calculation and on the choice of the input data

When performing this type of calculation it must be remembered that the transient is very sensitive to relatively small errors in the heat amounts. This is due to the fact that in Equation A2.36 the effective heat quantity ΔQ is small in comparison with most of the other terms and therefore a relatively small error in one of them introduces a large error in ΔQ and therefore in ΔT. This is particularly true in those cases where spray systems are not operating and during a long transient, that is in those cases where the variation of temperature and pressure with time is slow. Table A2-3 lists the values of ΔQ and the values of the various heat quantities as a percentage of ΔQ for values of the time after the occurrence of the accident in a case of this type. This situation demands an extremely attentive determination of the input data in the calculation (heat exchange coefficients, area of the surfaces exposed to the atmosphere and so on) to ensure that the various heat quantities exchanged by the mixture are evaluated in a conservative way. The following looks at some input data for the calculation whose determination is usually uncertain.
Table A2-3. Heat rates from various sources

| Time after the accident | ΔQ (Cal h⁻¹) | Qd (%) | Qmc (%) | Qmf (%) | Qc (%) | Qco (%) |
|---|---|---|---|---|---|---|
| 30 min | 2900 | 2900 | 31 | 34 | 2600 | 480 |
| 2 hr | 3380 | 1680 | 26 | 13 | 1300 | 300 |
| 10 hr | 2180 | 1500 | 36 | 11 | 990 | 500 |
| 1 day | 1730 | 1500 | 37 | 9.5 | 720 | 700 |
| 3 days | 264 | 6700 | 135 | 7.3 | 1660 | 5000 |

Heat transfer coefficients

As far as the heat transfer coefficient between the air–steam mixture in condensation and the various surfaces exposed to it is concerned, various theoretical (Jakob, 1962; McAdams, 1985) and experimental (Kolflat and Chittenden, 1957; Goodwin, 1958; Jubb, 1959; Leardini, Cadeddu and Schiavoni, 1961; Leardini and Cadeddu, 1961; Uchida, Oyama and Togo, 1964) studies exist. A value normally accepted for operational water reactors (initial peak overpressure of some bars) is of 200 Cal m⁻² hr⁻¹ °C⁻¹, at least until the pressure stays at high values, that is until the percentage of steam in the containment is significant. In the first instants after the accident the heat transfer coefficient is likely to be higher than the indicated value, by as much as a factor of 10, because of the motion of the air and steam mixture due to the efflux from the reactor pressure boundary. The influence of the value given to the heat exchange coefficient between the air–vapour mixture and the walls on the transient is limited by the fact that generally the walls are covered by paint layers whose resistance has, on the basis of the current evaluations, a value of the order of that of the resistance mixture paint. Moreover, this fact demonstrates the importance of carefully evaluating the thermal resistance of the paint layers in addition to that of the transmission coefficient between mixture and paints. As far as the heat transmission coefficient from the containment outside surface to the atmosphere in the absence of external spray is concerned, it is worthwhile remembering that the contribution of radiation is important. The coefficient values usually range from 5 to 20 Cal m⁻² hr⁻¹ °C⁻¹ according to the building layout adopted. If the external spray is supposed to operate, the transmission coefficient between paint and spray water is of the order of 500–5000 Cal m⁻² hr⁻¹ °C⁻¹.
Choice of the length of the time step, Δτ, and of the thickness of the concrete layers, X

A series of tests performed in a typical case has shown that a maximum acceptable value of the step is about one minute. If a step ten times lower is used no important differences are noted, while with a step ten times longer the transient is completely wrong. The choice of the thickness, X, of the concrete layers does not appear as critical as that of Δτ. Indeed, once the necessary stability condition (Equation A2.27) is satisfied with a certain margin, for example putting M 2(2N + 2), the transient is not very sensitive to the value of X, especially after the first hours from the start of the accident. Hence, if only the long-term transient is of interest, the layers in which the concrete is subdivided can also be very thick.
A2-3-12. Example calculation

This section describes the sample VBA (Visual Basic® for Applications) macro PRESCONT for use with a Microsoft® Excel® 97 spreadsheet which is available on the companion website (file CONTPRESSURE). A simple containment example is examined, without internal or external spray. The decay heat corresponds to a conversion factor of 0.5 (Equation A2.30), an operation time of 15 months and a safety factor of 1.2. Three groups of concrete slabs are considered which can be subdivided for the calculation into a maximum number of 630, 160 and 100 layers. The absolute pressure in the containment before the accident is 1 kg cm⁻². The input data are:

C6 (Cal/°C): Thermal capacity of cold metals
C10 (Cal/°C): Thermal capacity of metal containment wall
CAP (Cal/°C): Total thermal capacity of air in the containment
CM and CN: Non-dimensional constants of the concrete (see Equations A2.25 and A2.26)
CMC (Cal/°C): Thermal capacity of hot metals
D (min): Calculation time step
H1 (Cal/m² min °C): Transmission coefficient between mixture and containment metal
H2 (Cal/m² min °C): Transmission coefficient between the containment metal and external air
HC (Cal/m² min °C): Transmission coefficient between mixture and concrete slabs
HMC (Cal/m² min °C): Transmission coefficient between hot metals and the mixture
HMF (Cal/m² min °C): Transmission coefficient between cold metals and mixture
IC: Number of layers in the first group of concrete slabs
ICM: Number of layers in the second group of concrete slabs
ICN: Number of layers in the third group of concrete slabs
P (MWt): Steady thermal power of reactor
PH2O (kg): Weight of water released by the break
QS (Cal/min): Solar thermal power absorbed by the metal surface of the containment
SC (m²): Containment surface area exposed internally to the mixture and externally to air
SCC (m²): Surface area of first group of concrete slabs
SCCM (m²): Surface area of second group of concrete slabs
SCCN (m²): Surface area of third group of concrete slabs
SMC (m²): Hot metal surface area
SMF (m²): Cold metal surface area
T (s): Current time
TA (°C): Containment atmosphere temperature before accident
TE (°C): Temperature of the external air
TF (min): Time after rupture at which transient calculation is terminated
TM (°C): Initial temperature of the containment mixture after efflux
TMC (°C): Hot metals initial temperature
V (m³): Internal free volume of the containment
The results of the first calculation step for this example are:

The containment pressure, PR (kg/cm²) = 1.996362
The heat exchanged with the concrete of the first group, QC (Cal) = 146666.8
The heat exchanged with the concrete of the second group, QCM (Cal) = 1925000
The heat exchanged with the concrete of the third group, QCN (Cal) = 1925000
The heat exchanged by the mixture towards the outside through the containment, QCO (Cal) = 1466663.8
The decay heat, QD (Cal) = 982505.35
The heat exchanged by the mixture with hot metals, QMC (Cal) = 66500
The heat exchanged with the cold metals, QMF (Cal) = 502030.25
The current time, T (s) = 1
The temperature of the containment metal, TCO (°C) = 32.059002
The temperature of the first layer of the first concrete group, TC1 (°C) = 52.380951
The temperature of the first layer of the second concrete group, TCM(1) (°C) = 52.380951
The temperature of the first layer of the third concrete group, TCN(1) (°C) = 52.380951
The temperature of the mixture, TM1 (°C) = 91.952075
The temperature of the hot metals, TMC (°C) = 298.1
The temperature of the cold metals, TMF (°C) = 50.101512

The program listing follows.

Sub PRESCONT()
' Layer temperatures (TC, TCM, TCN) and their updated values (TCC, TCCM, TCCN)
Dim TC(630) As Single
Dim TCC(630) As Single
Dim TCM(160) As Single
Dim TCCM(160) As Single
Dim TCN(100) As Single
Dim TCCN(100) As Single
J = 1
T = 0
TA = Range("$f$2")
' IC, ICM and ICN are read from the sheet only further down; at this point
' they are still empty (0), so these loops do not execute and the layer
' temperatures keep their default value of 0.
For I = 1 To IC
    TC(I) = TA
Next I
For I = 1 To ICM
    TCM(I) = TA
Next I
For I = 1 To ICN
    TCN(I) = TA
Next I
TE = Range("$h$2")
TCO = (TA + TE) / 2
TMF = TA
H1 = Range("$d$5")
H2 = Range("$f$5")
SC = Range("$h$5")
D = Range("$d$4")
' Calculation quantities of Equations A2.13-A2.15 (C1 already includes the step D)
C1 = H1 * H2 * SC * D / (H1 + H2)
C10 = Range("$b$10")
C2 = H1 * C10 / (H1 + H2)
C3 = SC * (H1 + H2) / C10
H3 = H1 + H2
CMC = Range("$h$6")
CM = CMC / D
CAP = Range("$h$3")
PH2 = Range("$f$3")
TM = Range("$d$2")
V = Range("$d$3")
' Read once, before the loop, so that the hot metal temperature updated
' below carries over to the next step
TMC = Range("$b$3")
ProgramStart:
' Thermal capacity of the mixture (Equation A2.37)
W = CAP + PH2 + (0.0022 * TM ^ 2 - 0.185 * TM + 6.05) * V
QS = Range("$b$4")
' Heat exchanged through the metal container (Equation A2.11)
QCC = C1 * (TM - TE) - H1 * D / H3 * QS
QCO = QCC + C2 * (TCO - (H1 * TM + H2 * TE + QS / SC) / H3) * (Exp(-C3 * D) - 1)
' Heat released by hot metals (Equation A2.17)
C4 = Range("$f$6")
QMC = C4 * (TMC - TM) * D
' Heat exchanged with cold metals (Equation A2.19)
C6 = Range("$d$7")
C7 = Range("$b$8")
QMF = C6 * (TM - TMF) * (1 - Exp(-C7 * D))
' Heat exchanged with the three groups of concrete slabs (Equation A2.21)
C8 = Range("$h$8")
QC = C8 * (TM - TC(1)) * D
C9 = Range("$d$9")
QCM = C9 * (TM - TCM(1)) * D
C11 = Range("$h$9")
QCN = C11 * (TM - TCN(1)) * D
' Decay heat released in the step, evaluated at mid-step
' (60 * T converts T from minutes to seconds)
T = T + D / 2
P = Range("$b$2")
QD = 172 * P * D * (14.9 * (60 * T) ^ (-0.278) - 0.076)
' Thermal balance (Equation A2.36)
TM1 = TM - (QC + QCM + QCN + QCO + QMF - QMC - QD) / W
' Temperatures at the end of the step (Equations A2.12, A2.18 and A2.20)
TCCO = (TCO - (H1 * TM + H2 * TE + QS / SC) / H3) * Exp(-C3 * D) + (H1 * TM + H2 * TE + QS / SC) / H3
C5 = Range("$b$7")
TMC = TMC - C5 * (TMC - TM) * D
TMF = TM - (TM - TMF) * Exp(-C7 * D)
' Concrete layer temperatures (Equations A2.22-A2.24), first group
CN = Range("$f$4")
CM = Range("$H$4")
TCC(1) = 2 * CN / CM * TM + (CM - 2 * CN - 2) / CM * TC(1) + 2 / CM * TC(2)
Id = Range("$d$11")
For I = 2 To Id
    TCC(I) = TC(I - 1) / CM + (CM - 2) / CM * TC(I) + TC(I + 1) / CM
Next I
IC = Range("$f$10")
TCC(IC) = TC(Id) / CM + (CM - 1) / CM * TC(IC)
' Second group
TCCM(1) = 2 * CN / CM * TM + (CM - 2 * CN - 2) / CM * TCM(1) + 2 / CM * TCM(2)
Idm = Range("$f$11")
For I = 2 To Idm
    TCCM(I) = TCM(I - 1) / CM + (CM - 2) / CM * TCM(I) + TCM(I + 1) / CM
Next I
ICM = Range("$h$10")
TCCM(ICM) = TCM(Idm) / CM + (CM - 1) / CM * TCM(ICM)
' Third group
TCCN(1) = 2 * CN / CM * TM + (CM - 2 * CN - 2) / CM * TCN(1) + 2 / CM * TCN(2)
Idn = Range("$b$12")
For I = 2 To Idn
    TCCN(I) = TCN(I - 1) / CM + (CM - 2) / CM * TCN(I) + TCN(I + 1) / CM
Next I
ICN = Range("$b$11")
TCCN(ICN) = TCN(Idn) / CM + (CM - 1) / CM * TCN(ICN)
' The updated values become the initial conditions of the next step
For I = 1 To IC
    TC(I) = TCC(I)
Next I
For I = 1 To ICM
    TCM(I) = TCCM(I)
Next I
For I = 1 To ICN
    TCN(I) = TCCN(I)
Next I
TCO = TCCO
' Air partial pressure plus steam pressure at the new mixture temperature
' (Log is the natural logarithm in VBA)
PA = (TM1 + 273) / (TA + 273)
PR = 10 ^ (17.457 - 2795 / (TM1 + 273) - 1.6799 * Log(TM1 + 273)) + PA
T = T + D / 2
' Results of the step, written in blocks of five rows
Range("b" & (J * 5 + 15)) = T
Range("d" & (J * 5 + 15)) = TM1
Range("f" & (J * 5 + 15)) = PR
Range("h" & (J * 5 + 15)) = QD
Range("b" & (J * 5 + 16)) = QCO
Range("d" & (J * 5 + 16)) = TCO
Range("f" & (J * 5 + 16)) = QMC
Range("h" & (J * 5 + 16)) = TMC
Range("b" & (J * 5 + 17)) = QMF
Range("d" & (J * 5 + 17)) = TMF
Range("f" & (J * 5 + 17)) = QC
Range("h" & (J * 5 + 17)) = TC(1)
Range("b" & (J * 5 + 18)) = QCM
Range("d" & (J * 5 + 18)) = TCM(1)
Range("f" & (J * 5 + 18)) = QCN
Range("h" & (J * 5 + 18)) = TCN(1)
TM = TM1
J = J + 1
If T < Range("$d$10") Then
    GoTo ProgramStart
End If
End Sub
If the program crashes for specific cases, it is useful to repeat the calculation using a shorter value of the time step, D. This program can be easily adapted to other cases, for example by the inclusion of an external and internal spray, activated for a preselected time and duration or by the presence of a second containment.
References

ANS (1994) ‘Decay heat power in light water reactors’, ANSI/ANS-5.1-1994, American Nuclear Society, La Grange Park, Illinois 60526 USA.
CNEN (1976) ‘Raccolta di formulazioni delle proprietà termodinamiche e del trasporto dell’acqua’, Comitato Nazionale per l’Energia Nucleare, SATN-1-76, DISP/CENTR, August 1976.
Goodwin, W.W. (1958) ‘Pressure build-up in a container following a Loss of Coolant Accident’, ANS Meeting, June.
ISO (1992) ‘Nuclear energy – Light water reactors: Calculation of the decay heat power in nuclear fuels’, ISO 10645.
Jakob, M. (1962) Heat Transfer. New York: Wiley.
Jubb, D.H. (1959) ‘Condensation in a reactor containment vessel’, Nuclear Engineering, December.
Kolflat, A. and Chittenden, W.A. (1957) ‘A new approach to the design of containment shells for atomic power plants’, 19th Annual American Power Conference.
Leardini, I. and Cadeddu, M. (1961) ‘Caverns as nuclear power reactor containers’, Energia Nucleare, February.
Leardini, I., Cadeddu, M. and Schiavoni, M. (1961) ‘Tests on a cavern for the determination of temperature and pressure transients in a case simulating a major Loss of Coolant-type reactor accident’, Energia Nucleare, February.
MARKS, L.S. (1958) Mark’s Mechanical Engineers Handbook. McGraw-Hill.
McAdams, W. (1985) Heat Transmission. R.E. Krieger Pub. Co, USA.
Shure, K. and Dudziak J. (1961) Calculating energy released by fission products, WAPD-T-1309, Bettis Atomic Power Laboratory, Pittsburgh, Pennsylvania, USA.
Uchida, H., Oyama, A. and Togo, Y. (1964) ‘Evaluation of post-incident cooling systems of light water power reactors’, A/Conf. 28/P/436, Geneva 1964 Conference on Peaceful Uses of Atomic Energy, UNO, Geneva, 1964.
Appendix 3 Table of safety criteria
This table is intended to serve as a memo for the content of five of the general design criteria for nuclear plants, thought to be rather representative of the overall picture. The first column of the table contains the complete list of the IAEA criteria, which are rather recent and therefore complete. If another criterion has no correspondence to the IAEA criteria, it has been put at the bottom of the table, after the end of the IAEA criteria. For brevity, the recent US Utility Requirements Document (URD) criteria have not been included, but they have many points in common with the EUR criteria.
Table A3-1. Safety criteria GDC – USA IAEA (2000)
EUR (1995)
(1971)
OPB 88/97 (1997)
PUN – ITALY (1987)
NOTES
1 INTRODUCTION
Introduction
LIST OF ABBREVIATIONS BASIC TERMS AND DEFINITIONS
I GENERALITIES
In general, in IAEA and in EUR much more general safety philosophy is included. GDC goes sometimes into more detail. Many safety issues are dealt with in chapters of EUR different from 2.1, Safety Requirements (example: Ch. 2.8.1.1: principal safety functions).
BACKGROUND
Definitions and explanations
BASIC PROVISIONS
I.1 PREAMBLE
1.1 PURPOSE OF THE DOCUMENT
I.2 OBJECTIVES AND SCOPE
OBJECTIVE SCOPE STRUCTURE
DEFINITION BASIC SAFETY ASSURANCE PRINCIPLES AND CRITERIA
2 SAFETY OBJECTIVES AND CONCEPTS
SAFETY OBJECTIVE 2.2 General Nuclear Safety Objective
2.1 FUNDAMENTAL SAFETY OBJECTIVES AND POLICIES 2.1.1.1 Fundamental safety objectives 2.1.2 QUANTITATIVE SAFETY OBJECTIVES 2.1.2.1 Overall approach to targets and utility limits 2.1.2.2 Radiological impact during Normal Operation and Incident
II CRITERIA
II.1 Radiation protection assignment II.1.1 Population protection II.1.2 Protection of non-exposed workers II.1.3 Protection of exposed workers II.1.4 Balance of exposure (populationworkers, etc.) II.4 Probabilistic
EUR not only uses the expression ‘severe accidents’ but also the expression ‘design extension conditions’. EUR are very complete and quantitative in defining the various safety and radiation protection objectives.
safety objectives (limits for the 4 events categories)
Conditions 2.1.2.2.1 Radioactive discharge criteria during Normal Operation and Incident Conditions 2.1.2.2.2 Doses from direct radiation during Normal Operation and Incident Conditions 2.1.2.3 Operational staff doses during Normal Operation and Incidents 2.1.2.4 Off-site release targets for Accident Conditions 2.1.2.5 Off-site release targets for Severe Accidents 2.1.2.6 Probabilistic safety targets
PUN provides probabilistic limits for internal origin events, while earthquakes and other external events, as a matter of consensus among the experts involved at the time of criteria definition, are dealt with in a deterministic way (maximum potential event).
2.4 Radiation Protection Objective 2.5 Technical Safety Objective
THE CONCEPT OF DEFENCE IN DEPTH
3 REQUIREMENTS FOR MANAGEMENT OF SAFETY
2.1.1.3 DEFENCE IN DEPTH
II Protection by multiple fission product barriers
1.2.17 Limit of 10 7 y for maximum releases considered BASIC SAFETY ASSURANCE PRINCIPLES AND CRITERIA
1
1.2.20 1.2.21 (training centre) 1.2.22 (physical protection and fire safety) 1.2.24 (control of nuclear materials) 5 ASSURANCE OF THE OPERATIONAL SAFETY OF NUCLEAR PLANTS 5.1 Operational management and operational documentation
MANAGEMENT OF DESIGN PROVEN ENGINEERING PRACTICES OPERATIONAL EXPERIENCE AND SAFETY RESEARCH SAFETY ASSESSMENT
INDEPENDENT VERIFICATION OF THE SAFETY ASSESSMENT QUALITY ASSURANCE
SAFETY FUNCTIONS ACCIDENT PREVENTION AND PLANT SAFETY CHARACTERISTICS RADIATION PROTECTION AND ACCEPTANCE CRITERIA
PUN – ITALY (1987)
NOTES In IAEA the MANAGEMENT RESPONSIBILITY also includes Safety Culture
II.9 Design management 2.1.6.3 Design codes and standards 2.1.6.4 Materials 2.1.1.3.3 Accident prevention
In EUR research in general is not mentioned as a support to design choices. 1.2.18 1.2.19 Safety analysis and probabilistic analysis
2.1.6.15 Quality assurance
I Overall requirements Cr.1 Quality standards and records
1.2.6 (and following)
BASIC SAFETY ASSURANCE PRINCIPLES AND CRITERIA
4 PRINCIPAL TECHNICAL REQUIREMENTS
REQUIREMENTS FOR DEFENCE IN DEPTH
OPB 88/97 (1997) 1.2.8 (Safety culture) and following
RESPONSIBILITIES IN MANAGEMENT
2.1.1.3 DEFENCE IN DEPTH 2.1.1.3.1 Levels of defence 2.1.1.3.2 Barriers and safety functions 2.1.1.3.3 Accident prevention 2.1.1.3.4 Accident mitigation
II.5 Plant systems
II.5.1 System requirements and classifications
5 REQUIREMENTS FOR PLANT DESIGN
SAFETY CLASSIFICATION
2.1.6.8 Classification of Safety Functions and categorization of equipment 2.1.6.8.1 Introduction 2.1.6.8.2 Level of safety functions 2.1.6.8.2.1 Safety functions of level F1 2.1.6.8.2.2 Safety functions of level F2 2.1.6.8.3 Requirements according to level of Safety Functions 2.1.6.8.4 Assignment of equipment and structures to a safety category 2.1.6.8.5 Requirements on equipment and structures according to safety category 2.1.6.8.6 Classification of structures and equipment according to the design and construction codes 2.1.6.8.7 The relation of seismic categorization to safety level of functions
4 BASIC SAFETY PRINCIPLES TO BE IMPLEMENTED DURING THE DESIGN OF NUCLEAR PLANTS AND THEIR SYSTEMS 4.1 General requirements 2 CLASSIFICATION OF SYSTEMS AND OF COMPONENTS (4 SAFETY CATEGORIES: fuel and beyond dba accid., dba with standardized failures of components and comp. essential to safety systems, other systems related to safety., comp. without connection with safety)
II.5.1 System requirements and classifications
GDC do not mention a safety classification
Table A3-1. Continued GDC – USA IAEA (2000)
EUR (1995)
GENERAL DESIGN BASIS
2.1.6.5 Plant performance following Accident Conditions 2.1.6.6 Plant performance following DEC
Categories of plant states Postulated initiating events
Internal events Fires and explosions
Other internal hazards
External events
2.1.5 EXTERNAL AND INTERNAL HAZARDS 2.1.5.1 Hazards to be considered 2.1.5.2 Approach to hazards 2.1.5.4 Internal hazards 2.1.5.4.1 Fires 2.1.5.4.2 Release of gas, water, steam or any noxious substance 2.1.5.4.3 Failure of pressure parts, supports or other structural components 2.1.5.4.4 Disruptive failure of rotating machinery or other equipment 2.1.5.4.5 Dropped or impacting loads 2.1.5.4.6 Electromagnetic interference from equipment on site 2.1.5.3 External hazards 2.1.5.3.1 Earthquake 2.1.5.3.2 Extreme weather conditions 2.1.5.3.3 Site flooding 2.1.5.3.4 Aircraft crash
(1971)
OPB 88/97 (1997)
PUN – ITALY (1987)
NOTES
I Overall Requirements Cr.4 Environmental and dynamic effects design bases
I Overall requirements Cr.3 Fire protection
II.2 External events and area events II.2.5 Fires
I Overall requirements Cr.4 Environmental and dynamic effects design bases
II.2.4 Dynamic effects (segregation of systems with internal energy, pipe whip, compartment pressurization)
II.2 External events and area events II.2.1 Natural external events II.2.2 External events from human activities,
EUR allows for considerations of ‘Leak before Break’ and for ‘Break Preclusion’
reference impact, 20 t (aircraft, pressure wave) II.5.13 Automatic control of the reactor in case of external events from human activities II.2.3 Flooding
2.1.5.3.5 Hazards from adjacent installations and transport activities 2.1.5.3.6 Electromagnetic interference from sources outside the site 2.1.5.3.7 Sabotage I Overall requirements Cr.2 Design bases for protection against natural phenomena
Site related characteristics
Combination of events Design rules (generic) Design limits (generic) Operational states Design basis accidents
Severe accidents
2.1.8.3 Table 3 List of Design Basis Conditions (Categories 1, 2, 3, 4) 2.1.8.4 Hazards (internal, external, human) 2.1.1 FUNDAMENTAL SAFETY OBJECTIVES AND POLICIES 2.1.1.2 Safety policy 2.1.4 DESIGN EXTENSION CONDITIONS (DEC) 2.1.4.1 Design extension approach 2.1.4.2 General assessment rules for DEC 2.1.4.3 Complex sequences 2.1.4.3.1 General approach for Complex sequences 2.1.4.3.2 Complex sequences that must be considered in DEC
1.2.14 (severe accident management) 1.2.15 (Risk reduction; emerg. plans)
Table A3.1. Continued IAEA (2000)
DESIGN FOR RELIABILITY OF STRUCT., SYS. AND COMPONENTS Common cause failures Single failure criterion
Fail safe design
EUR (1995) 2.1.4.3.3 ATWS 2.1.4.3.4 Containment bypass accidents 2.1.4.4 Severe accidents 2.1.4.4.1 Prevention of Primary Containment failure 2.1.4.4.2 Mitigation of Severe Accidents by containment system 2.1.4.5 Severe Accident In-Containment Source Term quantification 2.1.4.5.1 General approach to the in-Containment Source Term 2.1.4.5.2 Reference Source Term (RST) 2.1.4.5.3 Required application of RST 2.1.4.5.4 PSA evaluation of Source Term (probabilistic analysis) 2.1.6.13 Accident Management 2.1.9 Appendix A Source term and release quantification methodology for DEC 2.1.6 ENGINEERING REQUIREMENTS 2.1.6.1 Design objectives 2.1.6.2.2 Prevention of common cause failure 2.1.3.4 Single failure criterion
2.1.6.1.1 Simplicity, transparency and
GDC – USA (1971)
OPB 88/97 (1997)
PUN – ITALY (1987)
NOTES
II.5.1 Systems requirements and classifications
In IAEA the single failure criterion is formulated in a general and articulated way; in GDC it is specifically inserted in various criteria The concept of ‘fail safe’ is inserted in criterion GDC 23
4.1.6 (embedded in various criteria)
1.2.12, 4.4.5.7
Auxiliary services
Equipment outages PROVISIONS FOR IN-SERVICE TESTING, MAINTENANCE, REPAIR, INSPECTION AND MONITORING EQUIPMENT QUALIFICATION AGEING HUMAN FACTORS Design for optimal operator performance OTHER DESIGN CONSIDERATIONS Sharing of structures, systems and components between reactors
forgiving design 2.1.6.1.2 Fault tolerance 2.1.5.2 Approach to hazards
(protection system) IV Fluid Systems Cr.44 Cooling water
4.7 Supporting safety systems
2.1.6.10 Inspection, on-line monitoring, testing and maintenance
2.1.6.9 Equipment qualification 2.1.6.9 Equipment qualification 2.1.6.11 Human factors 2.1.6.11 Human factors
II.7 Human factors
II.5.18 Structures, systems and components common to more units
I Overall Requirements Cr.5 Sharing of structures, systems and components
Systems containing fissile or radioactive materials (generic) Power plants used for cogeneration, heat generation or desalination Transport and packaging for fuel and radioactive waste Escape routes and means of communication Control of access
II.5.7 Cooling of essential systems II.5.11 Instrument air II.5.15 Emergency environment cooling and conditioning
In EUR the sharing of components and systems between various plants is not even mentioned
II.5.17 Production, treatment and disposal of waste 2.1.5.2 Approach to hazards 2.1.6.14 Radiation protection
1.2.23 (communications)
Table A3-1. Continued EUR (1995)
Interactions of systems
2.1.1.3.4 Accident mitigation
Interaction between the electrical 2.1.7.1 Factors affecting power grid and the plant choice of site
Decommissioning
SAFETY ANALYSIS Deterministic approach
Probabilistic approach
Control of the reactor core
OPB 88/97 (1997)
PUN – ITALY (1987)
NOTES In GDC no mention is made of possible interaction of systems in general (electric power only is treated)
II Protection by Multiple Fission Product Barriers Cr.17 Electric power systems
2.0.3.16 Chapter 2.16 Decommissioning
5.6 Nuclear plant decommissioning
2.1.3 DESIGN BASIS CONDITIONS 2.1.3.1 Deterministic approach to safety 2.1.2.7 Probabilistic safety assessment methodology 2.1.3.2 Design basis and safety objectives 2.1.3.3 Deterministic safety analysis
6 REQUIREMENTS FOR DESIGN OF PLANT SYSTEMS REACTOR CORE AND ASSOCIATED FEATURES
General Design Fuel elements and assemblies
GDC – USA (1971)
IAEA (2000)
II.8 Provisions for decommissioning
Design for decommissioning is dealt with in IAEA but not in GDC
II.6 Analysis of transients and accidents
II.4 Probabilistic safety objectives (including limit to reliability of non-diversified systems, etc.)
II.3- Physical and functional integrity of barriers II Protection by Multiple Fission Product Barriers Cr.10 Reactor Design 2.1.8.5 Table 5 Fuel limits in Design Basis Category 4 Conditions
4.2 Core design and characteristics
4.2.1 Fuel damage limits
II Protection by Multiple Fission Product Barriers
II.3.1 Fuel (integrity criteria in accidents, Doppler effect) 4.2.3 Core and reactivity II.5.2 Reactivity control II.5.3 Chemical and control avoid power volume control pump seal excursions
No mention is made of probabilistic approach in GDC
Reactor shutdown
REACTOR COOLANT SYSTEM Design of the reactor coolant system
In-service inspection of the reactor pressure boundary
2.8.1.1.1.5 Reliability of shutdown capability
Cr.12 Suppression of reactor 4.5.2 (scram requirements) power oscillations III Protection and Reactivity Control Systems Cr.29 Protection against anticipated operational occurrences III Protection and Reactivity Control Systems Cr.25 Protection system requirements for reactivity control malfunctions Cr.26 Reactivity control system redundancy and capability Cr.27 Combined reactivity control systems capability 4.3 Reactor coolant circuit II Protection by Multiple Fission Product Barriers Cr.14 Reactor coolant pressure boundary Cr.15 Reactor coolant system design IV Fluid systems, Cr.30 Quality of reactor coolant pressure boundary IV Fluid Systems Cr.30 Quality of reactor coolant pressure boundary Cr.31 Fracture prevention of reactor coolant pressure boundary Cr.32 Inspection of reactor coolant pressure boundary
injection
II.5.2 Reactivity Control
II.3.2 Reactor coolant pressure boundary
Table A3-1. Continued IAEA (2000) Inventory of the reactor coolant Cleanup of the reactor coolant Removal of the residual heat from the core Emergency core cooling
Inspection and testing of the emergency core cooling system
Heat transfer to an ultimate heat sink CONTAINMENT SYSTEM
Design of the containment system
Strength of the containment system Capability for containment pressure tests Containment leakage
Containment penetrations
EUR (1995)
GDC – USA (1971)
OPB 88/97 (1997)
PUN – ITALY (1987)
NOTES
IV Fluid Systems Cr.33 Reactor coolant makeup IV Fluid Systems Cr.34 Residual heat removal IV Fluid Systems Cr.35 Emergency core cooling
II.5.4 Emergency feedwater and residual heat removal II.5.5 Emergency cooling
IV Fluid Systems Cr.36 Inspection of emergency core cooling system Cr.37 Testing of emergency cooling system IV Fluid Systems Cr.44 Cooling water 4.6 Localizing safety systems II Protection by Multiple Fission Product Barriers Cr.16 Containment design V Reactor Containment Cr.50 Containment design basis V Reactor Containment Cr.53 Provisions for containment testing and inspection V Reactor Containment Cr.51 Fracture prevention of containment pressure boundary V Reactor Containment Cr.53 Provisions for containment testing and inspection V Reactor Containment Cr.52 Capability for containment leakage rate testing V Reactor Containment Cr.54 Piping systems penetrating containment
II.3.3 Containment (double containment, leakage 0.25%/d) In IAEA, severe accidents are dealt with as a consideration. In GDC more detail is included on isolation valve systems.
Cr.55 Reactor coolant pressure boundary penetrating containment Cr.56 Primary containment isolation Cr.57 Closed system isolation valves Containment isolation
II.5.6 Containment auxiliaries
Containment air locks
In IAEA the problem of compartment pressurization is dealt with
Internal structures of the containment Removal of heat from the containment
IV Fluid Systems Cr.38 Containment heat removal Cr.39 Inspection of containment heat removal system Cr.40 Testing of containment heat removal system IV Fluid Systems Cr.41 Containment atmosphere clean up
Control and clean up of the containment atmosphere Covering and coatings INSTRUMENTATION AND CONTROL
General requirements for instrumentation and control systems important to safety
Control Room
Supplementary control room
2.1.6.12 Main and emergency plant control 2.1.6.12 Main and emergency plant control
II Protection by Multiple Fission Product Barriers Cr.13 Instrumentation and control II Protection by Multiple Fission Product Barriers Cr.13 Instrumentation and control III Protection and Reactivity Control Systems Cr.20 Protection system functions Cr.21 Protection system reliability and testability II Protection by Multiple Fission Product Barriers Cr.19 Control room II Protection by Multiple Fission Product Barriers Cr.19 Control room
IAEA also requires consideration of containment cooling for severe accidents. GDC does not consider this
4.4 Process control
II.5.8 Instrumentation and control
4.4.2 (and following) Control room 4.4.3 Auxiliary control room
II.5.12 Control room
In GDC, this function is required even if accomplished in various locations. In IAEA, a supplementary room is preferentially indicated
Table A3-1. Continued GDC – USA IAEA (2000) Use of computer-based systems in systems important to safety Automatic control Functions of the protection system Reliability and testability of the protection system
Use of computer-based systems in protection Separation of protection and control systems
EMERGENCY CONTROL CENTRE EMERGENCY POWER SUPPLY
EUR (1995)
(1971)
OPB 88/97 (1997)
PUN – ITALY (1987)
III Protection and Reactivity Control Systems Cr.20 Protection system functions III Protection and Reactivity Control Systems Cr.21 Protection system reliability and testability Cr.22 Protection system independence Cr.23 Protection system failure modes
4.5 Protection safety systems
II.5.9 Reactor instrumentation
III Protection and Reactivity Control Systems Cr.24 Separation of protection and control systems
4.8 Nuclear fuel and radioactive waste storage system
WASTE TREATMENT AND CONTROL SYSTEMS Control of releases of radioactive liquids to the environment
Control of airborne radioactive material
II.5.10 Electric power
II Protection by Multiple Fission Product Barriers Cr.17 Electric power systems Cr.18 Inspection and testing of electric power systems
VI Fuel and Radioactivity Control Cr.60 Control of releases of radioactive materials to the environment Cr.64 Monitoring radioactivity releases
NOTES
Control of releases of gaseous radioactive material to the environment FUEL HANDLING AND STORAGE SYSTEMS
4.8 Nuclear fuel and radioactive waste storage system
Handling and storage of non-irradiated fuel
VI Fuel and Radioactivity Control Cr.62 Prevention of criticality in fuel storage and handling VI Fuel and Radioactivity Control Cr.61 Fuel storage and handling and radioactivity control Cr.63 Monitoring fuel and waste storage
Handling and storage of irradiated fuel
5.4 Operational radiation safety
RADIATION PROTECTION General requirements Design for radiation protection
2.1.6.14 Radiation protection
Means of radiation monitoring
APPENDIX 1 POSTULATED INITIATING EVENTS
TYPES OF PIE
II.5.14 Fuel storage and handling
II.5.15 Radiation monitoring
IAEA mentions the design for radiation protection GDC does not extensively deal with the radiometric surveillance within the plant
2.1.8.3 Table 3 List of Design Basis Conditions (Categories 1, 2, 3, 4) 2.1.8.4 Hazards (internal, external, human) 1.2.16 (need to specify list elsewhere)
Internal events Equipment failures Human error Other internal events External events Combination of events
Table A3.1. Continued IAEA (2000)
EUR (1995)
APPENDIX II REDUNDANCY, DIVERSITY AND INDEPENDENCE COMMON CAUSE FAILURES REDUNDANCY DIVERSITY INDEPENDENCE (1) Functional isolation
2.1.6.2 Design measures to achieve reliability of functions 2.1.6.2.2 Prevention of common-cause failure 2.1.6.2.1 Redundancy 2.1.6.2.2.1 Diversity 2.1.6.2.2.2 Independence 2.1.6.2.2.3 Functional isolation 2.1.6.2.2.4 Segregation
(2) Physical separation and layout of plant components REFERENCES ANNEX: SAFETY FUNCTIONS FOR BWRs, PWRs AND PRESSURE TUBE REACTORS GLOSSARY
2.1.6.7 Autonomy objectives 2.1.6.7.1 Overview of autonomy requirements 2.1.6.7.2 Autonomy in respect of operators 2.1.6.7.3 Autonomy in respect of heat sink 2.1.6.7.4 Autonomy in respect of power supply systems 1) Electrical power supply 2) Compressed air
GDC – USA (1971)
II Protection by Multiple Fission Product Barriers Cr.11 Reactor inherent protection
OPB 88/97 (1997)
PUN – ITALY (1987)
NOTES
3 GOVERNMENT CONTROL OF THE USE OF NUCLEAR ENERGY TO ENSURE NPP SAFETY AND GOVERNMENT REGULATION OF NPP SAFETY
II.3.2 Vessel fluence limit at $10^{19}$ n/cm$^2$ for amortization period of the plant
In GDC the requirement of the negative power coefficient is included
2.1.7 SITE CONDITIONS 2.1.7.1 Factors affecting choice of site 2.1.7.2 Hazards 2.1.7.3 Surrounding population 2.1.7.4 Reliability of services 2.1.10 Appendix B Verification process of the EUR environmental impact targets
II Protection by Multiple Fission Product Barriers Cr.17 Electric power systems
4.1.7 Preference for passive systems and natural principles
III Protection and Reactivity Control Systems Cr.28 Reactivity limits
4.1.11 Reset of safety systems possible only by step-by-step actions 4.2.4 Prevention of secondary critical masses in case of core melt 5.2 Pre-operational tests
IV Fluid Systems Cr.41 Containment atmosphere clean-up IV Fluid Systems Cr.43 Testing of containment atmosphere clean-up systems IV Fluid systems Cr.45 Inspection of cooling water system IV Fluid systems Cr.46 Testing of cooling water system
In GDC, the requirement of the double external line is included. EUR includes, differently from other compilations, the generic conditions for the choice of the site GDC explicitly considers control rod expulsion
5.3 Selection and training of operations personnel 5.5 Set of planned measures aimed at the protection of personnel and the public in the event of accidents and during accident management
Appendix 4 Dose calculations
A4-1. Introduction
This appendix gives some examples of dose calculations which have been used during discussions on conceptual designs of various plants. The dose calculations are of a simple type, suitable for indicative evaluations. More elaborate calculations are usually performed in the final phases of the safety analysis, when the purchase specifications for systems and components have already been defined.

A4-2. Virtual population dose in a severe accident
The following sections describe the virtual population dose for a future reactor (an order of magnitude evaluation in the short term, at three days, and in the long term, several years).

A4-2-1. The reactor and the released isotopes
The example is a passive type boiling water reactor of 600 MWe, provided with a double containment and a stack. The quantities of isotopes chosen as guide isotopes in the core (1800 MWt) are, at equilibrium:

| Isotope | Core inventory |
|---|---|
| $^{131}$I | $1.85 \times 10^{18}$ Bq |
| $^{137}$Cs | $148 \times 10^{15}$ Bq |
| $^{133}$Xe | $3.7 \times 10^{18}$ Bq |
| $^{85}$Kr | $12.95 \times 10^{15}$ Bq |

A4-2-2. Source term at three days (I, Cs, Xe)
The leakage rate assumed for the primary containment (taking into account the probability of leakage rates higher than the specified ones and possible damage to penetrations for severe accidents): 5–10% per diem. The leakage rate assumed for the secondary containment room (systems, collection room or building): 1–10% per diem. (For this assumption to be valid, extremely unlikely sequences are excluded, such as the rupture of a steam line with degraded core and valve leak proofing degraded.) The effective release height (e.g. passive routing of the leaks to a stack, collection of leaks in a leakproof room connected with the stack, leaks routed to a chimney through filters, etc.): 80 m. Iodine and caesium equivalent ground releases:

$$\frac{n\%\ \text{of the core inventory}}{w\,x\,y\,z} \qquad \text{(A4.1)}$$
where $n = 20$, $w = 10$ for plateout and washout, $x$ takes a value in the range 3–6 for leaks from primary containment in three days, $y$ takes a value in the range 3–30 for leaks from the secondary containment in three days, and $z = 10$ (a factor for elevated release). The iodine and caesium equivalent ground release range is

$$\frac{0.2 \times \text{core inventory}}{10 \times 6 \times 30 \times 10} \quad \text{to} \quad \frac{0.2 \times \text{core inventory}}{10 \times 3 \times 3 \times 10}.$$

So for $^{131}$I, the range is $(1.1 \times 10^{-5})(1.85 \times 10^{18})$ to $(2.2 \times 10^{-4})(1.85 \times 10^{18})$ = $20.35 \times 10^{12}$–$40.7 \times 10^{13}$ Bq. (A realistic reference value = $20.35 \times 10^{12}$ Bq.)
And for $^{137}$Cs, the range is $16.28 \times 10^{11}$–$32.56 \times 10^{12}$ Bq. (A realistic reference value = $18.5 \times 10^{11}$ Bq.) For $^{133}$Xe, the equivalent ground release range (Equation A4.1), calculated with $n = 80$, $w = 0$, $x$ = 3–6, $y$ = 3–30 and $z = 5$, is $3.29 \times 10^{15}$–$6.58 \times 10^{16}$ Bq. (A realistic reference value = $1.85 \times 10^{16}$ Bq.)

A4-2-3. Dose at the fence after three days of exposure
$^{131}$I (effective dose for adults by inhalation) = $(\chi/Q) \times \text{dbf} \times \text{grr}$, where $\chi$ (s m$^{-3}$) is the cloud concentration at 1 km, $Q$ (Bq) is the activity release, dbf (the dose biological factor) = 10 and grr (the ground release range) = $(20.35 \times 10^{12})$–$(40.7 \times 10^{13})$ Bq. Assuming $\chi/Q$ at 1 km distance is $1 \times 10^{-4}$, then the effective iodine-131 dose for adults by inhalation is 5–100 mSv. (A realistic value is 10 mSv.)

$^{133}$Xe (effective dose by cloud irradiation) = $(\chi/Q) \times (1/\text{dcf}) \times \text{grr}$, where dcf (the dose conversion factor, see Chapter 7) = 300 and grr = $(3.29 \times 10^{15})$–$(6.58 \times 10^{16})$ Bq. Assuming $\chi/Q$ is $1 \times 10^{-4}$, then the effective xenon-133 dose by cloud irradiation is 0.3–10 mSv. Calculations for all the noble gases give a dose at the fence after three days of 5–120 mSv (about 10 times the value for $^{133}$Xe). An effective realistic value is 30 mSv.
A4-2-4. Ground shine long-term dose
The integrated dose due to ground shine with absorption in the soil, corresponding to a ground initial concentration of 1 Bq cm$^{-2}$ of caesium-137 (a contribution by other nuclides exists but is not evaluated here):

| Period | Dose |
|---|---|
| First year | 120 μSv |
| Second year | 80 μSv |
| 0–50 years | 1.6 mSv |

The initial concentration of caesium-137 corresponding to a realistic release of $1.85 \times 10^{12}$ Bq is given by:

$(1.85 \times 10^{12})$ [Bq released] $\times\ (1 \times 10^{-4})$ [$(\chi/Q)$, Bq s m$^{-3}$ at 1 km] $\times\ (1 \times 10^{-2})$ [m s$^{-1}$: deposition velocity] = $2 \times 10^{6}$ Bq m$^{-2}$.

Therefore the ground shine dose from caesium-137 is:

| Period | Dose |
|---|---|
| First year | 20 mSv |
| Second year | 15 mSv |
| 0–50 years | 300 mSv |

(After 5 years this dose is 80 mSv.)
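Equation A4.1 and the caesium deposition and ground-shine steps above, carried through in Python as an added example (not code from the book). It uses the page's inventories, factor ranges, the $1 \times 10^{-4}$ dispersion factor, the $1 \times 10^{-2}$ m s$^{-1}$ deposition velocity and the Table A4-3 dose factors; the function names are this example's own, and it assumes the xenon entry w = 0 means that no plateout or washout credit is taken, which is what reproduces the quoted xenon range.

```python
"""Equation A4.1 and the Cs-137 ground-shine chain, evaluated numerically.

Added example: all figures are the ones quoted on the page; names are
hypothetical and belong to this example only.
"""

# Core inventories at equilibrium, Bq (section A4-2-1).
CORE_INVENTORY_BQ = {"I-131": 1.85e18, "Cs-137": 148e15, "Xe-133": 3.7e18}

# Factors of Equation A4.1. x and y are (low, high) ranges over three days.
# Assumption: the page's w = 0 for xenon means "no plateout/washout credit",
# so the factor is left out of the divisor instead of dividing by zero.
FACTORS = {
    "I-131": {"n": 20, "w": 10, "x": (3, 6), "y": (3, 30), "z": 10},
    "Cs-137": {"n": 20, "w": 10, "x": (3, 6), "y": (3, 30), "z": 10},
    "Xe-133": {"n": 80, "w": 0, "x": (3, 6), "y": (3, 30), "z": 5},
}

# Table A4-3: effective ground-shine dose (mSv) per 1 kBq/m2 of Cs-137,
# keyed by years after the accident.
GROUND_SHINE_MSV_PER_KBQ_M2 = {1: 0.012, 50: 0.16}


def release_fraction_range(n, w, x, y, z):
    """Return (smallest, largest) fraction of the core inventory released."""
    if min(x) <= 0 or min(y) <= 0 or z <= 0:
        raise ValueError("leak and elevated-release factors must be positive")
    plateout = w if w > 0 else 1.0
    numerator = n / 100.0
    # The largest divisors give the smallest release, and vice versa.
    smallest = numerator / (plateout * max(x) * max(y) * z)
    largest = numerator / (plateout * min(x) * min(y) * z)
    return smallest, largest


def ground_release_range_bq(isotope):
    """Equivalent ground release range (Bq) for one guide isotope."""
    smallest, largest = release_fraction_range(**FACTORS[isotope])
    inventory = CORE_INVENTORY_BQ[isotope]
    return smallest * inventory, largest * inventory


def deposition_bq_per_m2(release_bq, dispersion_s_per_m3=1e-4,
                         deposition_velocity_m_per_s=1e-2):
    """Initial ground concentration at 1 km: release x dispersion x velocity."""
    return release_bq * dispersion_s_per_m3 * deposition_velocity_m_per_s


def ground_shine_dose_msv(concentration_bq_per_m2, years):
    """Integrated ground-shine dose (mSv) using the Table A4-3 factors."""
    factor = GROUND_SHINE_MSV_PER_KBQ_M2[years]
    return concentration_bq_per_m2 / 1000.0 * factor


def report(realistic_cs_release_bq=1.85e12):
    """Collect the release ranges and the Cs-137 ground-shine doses."""
    ranges = {iso: ground_release_range_bq(iso) for iso in CORE_INVENTORY_BQ}
    concentration = deposition_bq_per_m2(realistic_cs_release_bq)
    doses = {yr: ground_shine_dose_msv(concentration, yr)
             for yr in GROUND_SHINE_MSV_PER_KBQ_M2}
    return {"release_bq": ranges,
            "cs_concentration_bq_per_m2": concentration,
            "cs_ground_shine_msv": doses}


if __name__ == "__main__":
    result = report()
    for isotope, (low, high) in result["release_bq"].items():
        print(f"{isotope}: {low:.3e} to {high:.3e} Bq")
    print(f"Cs-137 on the ground: {result['cs_concentration_bq_per_m2']:.3e} Bq/m2")
    for years, dose in result["cs_ground_shine_msv"].items():
        print(f"ground shine to {years} y: {dose:.1f} mSv")
```

The unrounded fractions give iodine and caesium releases about 1% above the page's figures, which use the rounded $1.1 \times 10^{-5}$ and $2.2 \times 10^{-4}$; the ground-shine results (about 22 and 296 mSv) round to the page's 20 and 300 mSv.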
A4-3. Explorative evaluation of the radiological consequences of a mechanical impact on a surface storage facility for category 2 waste

A4-3-1. Type of repository
It is assumed that the disposal structure is similar to the French one at L’Aube or to the Spanish one in El Cabril. The waste is assumed to comply with the ANPA Technical Guide No. 26 (ANPA, 1985) and is, therefore, conditioned in a concrete matrix with compression strength of at least 500 000 kg m$^{-2}$.

A4-3-2. Reference impact
It is assumed that the reference impact produces, on clear ground, a conical crater having an angle of 90° and a depth of 4 m. Moreover, it is assumed that the cause of the impact is undefined, possibly to be identified with a plane crash, a launched projectile or a blast from an internal or external explosive charge. The 4 m deep crater has been chosen because it can be related to an explosive projectile of medium size (see a discussion at the Hanover Congress on the nuclear underground sites (BENDER, 1982)). The volume of material expelled from the crater would then be about 70 m$^3$, corresponding to about 140 t. These values can be compared with the effects of mining explosives. The amount of rock (hard limestone rock) demolished in an open air mine is of the order of 7–10 t per kilogram of explosive (Colombo, 1997). The rock in our example corresponds (in ideal conditions) to about 20 kg of explosive, an amount considered to be modest. The effect of an airplane crash, then, may cause, according to the usual assumptions, an impact load of about 10 000 t on a surface area of 7 m$^2$, corresponding to about 150 kg cm$^{-2}$. This load might cause the fall and the fragmentation of a column of structure, assumed to be 10–15 m high with a volume of about 70 m$^3$ (see Figure A4-1).
A4-3-3. Fragmentation and dispersion of material
It is assumed that the material is fragmented into blocks 0.2–0.3 m in diameter and that a layer 1–3 mm thick of each block is pulverized into fragments ranging between 1 μm and 1–3 mm, with a uniform distribution between the two extremes (see Table A4-1). If an intermediate case is chosen (e.g. a volume equal to 2.5 m$^3$), a weight of finely fractured material of 5 t is obtained, corresponding to a fraction of about 3 per cent of the total. This percentage agrees with the values estimated, for example, for the Chernobyl accident (Vargo, 2000). It is possible to make an assumption, also on the basis of accident data, that the coarser part of the powder produced (from 10 μm to 1 mm), with an overall weight approximately equal to the total one (99 per cent), is deposited over a radius of a few kilometres (2 km are assumed) from the release point, with an average concentration:

$$c = \frac{5000}{\pi \times 2000^{2}} = 4 \times 10^{-4}\ \text{kg/m}^{2} \qquad \text{(A4.2)}$$
This evaluation is not conservative since the effect of wind is completely disregarded. This effect causes the angular distribution of the particulate to be nonuniform. An estimate of the concentration of the deposited radioactivity can be made with the following assumptions:
- The complex of released radioisotopes is equivalent to an amount of $^{137}$Cs.
- The equivalent value of $^{137}$Cs is equal to the value indicated in ANPA Technical Guide No. 26 (1985) as the limit for conditioned category 2 waste (3700 MBq kg$^{-1}$).

The total radioactivity in the released particulate is, then:

$$R = 5\,000\,000 \times 3.7 \times 10^{-6} = 20\ \text{TBq}. \qquad \text{(A4.3)}$$

With this assumption, the concentration on the soil is:

$$C = 0.4 \times 3.7 \times 10^{6} = 1500\ \text{kBq m}^{-2}. \qquad \text{(A4.4)}$$
Figure A4-1. Fragmentation due to impact.

Table A4-1. Fragmentation of material

| Average dimension of blocks (m) | Layer volume 1 mm (m$^3$) | Layer volume 3 mm (m$^3$) |
|---|---|---|
| 0.33 | 1.2 | 3.6 |
| 0.20 | 2.1 | 6.3 |

The finest particles (1–10 μm), with an overall weight of about 50 kg and a total radioactivity of 0.2 TBq, can be assumed to be dispersed by diffusion and deposition (Pasquill model). Assuming a stability condition F with wind velocity of 2 m s$^{-1}$ and a deposition velocity of $10^{-2}$ m s$^{-1}$, the approximate soil concentrations shown in Table A4-2 are obtained. Indeed, the concentration, $C$, for example at 1 km, is given by:

$$C = \frac{\chi}{Q}\, v_d\, Q = 2 \times 10^{-4} \times 0.2 \times 10^{9} \times 0.01 = 400\ \text{kBq m}^{-2} \qquad \text{(A4.5)}$$

and decreases roughly with the 1.5–2 power of the ratio of distances for higher distances (concentrations of 100 and 4 kBq m$^{-2}$ at 2 and 10 km, respectively, result). The levels of soil contamination calculated may be compared with the caesium-137 contamination in a generic European country after Chernobyl, equal on the average to 10–20 kBq m$^{-2}$ with peaks up to 100–200 kBq m$^{-2}$ (Vargo, 2000).

Table A4-2. Soil concentrations

| Distance (km) | Soil concentration (kBq m$^{-2}$) |
|---|---|
| 2 | 100 |
| 10 | 4 |
Alternative source term
A different approach to the previously considered accident can be pursued, along the following lines:

- To assume an applied force of 5000 t for the reference aircraft impact (as adopted in Italy for power plants), instead of the 10 000 t adopted in the previous evaluation.
- To allow for the dynamic character of the load applied by the impacting aircraft on the concrete. This would imply an increment in the limit load as allowed by the applicable regulations (e.g. American Concrete Institute ACI 349 (ACI, 2001)).
- To evaluate the depth of the fractured material as a consequence of the impact by the penetration formulae adopted for nuclear plant evaluations, such as the formula 17.2 in Chapter 17.
- To add to the aircraft impact a fire of the transported fuel. This could influence the dispersion of the released particulate. In particular, the coarse fraction could be transported and deposited further than the assumed 2 km.
Taking into account the previous assumptions, the volume of fractured material would be of the order of 12 m$^3$ instead of the 70 m$^3$ assumed above. The coarse fraction of the release could be of the order of 860 kg instead of 5 t, while the fine fraction would turn out to be equal to 8.6 kg (instead of 50 kg). The uncertainty in the evaluation of the effect of the fire is rather high. Some indications could be obtained from the observation of the behaviour of the Chernobyl release (Vargo, 2000). There, the large (>20 μm) particles were deposited within a radius of 5 km from the plant. With these assumptions, the following distribution of released material is obtained:

- Coarse fraction (>20 μm): weight = 860 kg. Ground concentration = $1.1 \times 10^{-5}$ kg/m$^2$, corresponding to 41 kBq m$^{-2}$.
- Fine fraction: weight = 17.2 kg.
This would be dispersed under the influence of the buoyancy effect of the fire. In the case of Chernobyl, the thermal elevation of the plume caused by the fire was of the order of 1000 m (Vargo, 2000) and this figure can be assumed to be valid also for this example. In order to get an idea of the characteristics of a (presumed) fire in a reference plane crash, it is assumed that the full fuel load charge of the aircraft is equal to 10 m$^3$, corresponding roughly to 7 t. This amount of fuel, with a conservative assumption, can be considered to form a square pool with 10 m long sides. The burning velocity of a pool of kerosene of this size is roughly 170 kg m$^{-2}$ hr$^{-1}$ (Lees, 1996, Additional References 587). The fuel would be completely burnt in about 25 min. The flame height would be equal to about twice its width, namely 20 m. The usual thermal-elevation formulae can be used to perform a further evaluation of the height to which the radioactive release will be brought by the flame. The Stümke formula (see Equation 6.7) can be used to indicate a plume rise of more than 1000 m. The uncertainty of this evaluation is, however, high since both the wind velocity field and the atmospheric turbulence have a strong influence on the phenomenon. It has to be noted that the presence of a fuel fire should not significantly increase the amount of radioactive particulate released. Indeed, the duration of the fire is short and the radioactive waste packaging is made of ‘fire resistant’ and ‘non-flame propagating’ materials (ANPA, 1985).
A4-3-4. Doses
On the assumption that in the vicinity of the plant there is no intake of caesium through the food chain, the doses to the population can be caused by ground shine (on the assumption that the population has not been evacuated). The doses at 1 year and at 50 years can be calculated on the basis of the factors shown in Table A4-3, corresponding to a contamination of 1 kBq m$^{-2}$ (Ferreli and Bologna, 1991).

Table A4-3. Dose factors

| Time after accident (years) | Effective dose (mSv) |
|---|---|
| 1 | 0.012 |
| 50 | 0.16 |

Table A4-4. Doses

| Time after the accident (years) | Effective dose (mSv) |
|---|---|
| 1 | 18 (5) |
| 50 | 240 (65) |

The inhalation dose gives a negligible contribution. Therefore, within a radius of 1 km from the site, multiplying the values in Table A4-3 by 1500 or 400, the doses shown in Table A4-4 are obtained. At 10 km from the plant, with the above evaluated contamination figures, about 0.05 mSv and 0.65 mSv can be obtained at 1 and at 50 years, respectively.
A4-3-5. Conclusions
Although these evaluations are inevitably subjective and need further reflection, the consideration of a severe impact accident seems opportune, taking into account the long life of a repository (centuries). Technical solutions incorporating a special technological protection from the aircraft crash and from explosive events or solutions in which the disposal structure is located at a depth in the ground of at least 20 m should be considered among the alternatives to be examined. The sub-surface solution would offer better protection during the phases of construction and of filling up of the repository.
A4-4. Explorative evaluation of the radiological consequences of a mechanical impact on a transport/storage cask containing spent fuel
A4-4-1. Characteristics of the cask
The cask complies with the international requirements for fuel transportation and therefore it resists the fall, punching and submersion. Moreover the cask will be designed to protect it from aircraft impact and consequent fire. The cask considered has two independent leak-proof lids, each one equipped with metallic seals. It is assumed that the cask contains 50 fuel elements of the type used at the Caorso plant and that the maximum temperature of the cladding is 200 °C. The interior of the cask is normally kept at negative pressure and in an inert atmosphere.

A4-4-2. Reference impact
It is assumed that the cause of the impact is undefined, possibly to be identified but assumed to be due to a plane crash, the launch of a projectile or the blast of an internal or external explosive charge. The effect of a plane crash may cause, according to the usual assumptions, a load of about 10 000 t on a surface area of 7 m², corresponding to about 1.43 × 10⁶ kg m⁻². Notwithstanding the strength characteristics of the cask and its leak-proof seals against impact and other conceivable external loads, it is assumed that in the accident considered, both seals are damaged, allowing a certain communication between its internal and the outside atmosphere and a gas flow dependent on the pressure difference between the inside and outside. Immediately after the deterioration of the seals, the external air will flow into the cask because of the internal under-pressure. Subsequently, as a consequence of the lowering of external atmospheric pressure, part of the gas contained inside the cask might escape to the outside. If it is assumed that the variation of the atmospheric pressure in one day is 1000 Pa (normal variation), the percentage of the internal atmosphere escaped to the outside will be in the same period of time 10/1000 = 1%. It is assumed here that after one day, steps have been taken to stop the release.

A4-4-3. Amount of significant fission products in the internal atmosphere of the cask and external release in one day
Only caesium-137 and krypton-85 are considered significant. Indeed, the other isotopes (such as xenon and iodine) normally considered in explorative evaluations like this one are either completely decayed 15 years after the removal of the fuel from the reactor, or are not volatile enough to be released at relatively low temperature and through narrow and tortuous leak paths (e.g. imperfections in the metallic seals). In the first place it can be assumed that the amount of the fission products in the gap between the fuel and the cladding is the same as that which was there when the fuel was discharged from the reactor, except for the effects of radioactive decay. Indeed, the phenomenon of diffusion from the fuel to the gap is governed by a diffusion coefficient, $D'_{Cs}$, which depends on the temperature (in kelvin) according to an Arrhenius type law (ANS, 1984):

$$D'_{Cs} = 1.22\, e^{(-72300/RT)} \times 100^{(Bu/28000)} \qquad \text{(A4.6)}$$
where R is the gas constant = 1.987 cal mol⁻¹ K⁻¹ (8.3143 J mol⁻¹ K⁻¹), T is the temperature (K) and Bu is the fuel burn-up (MWD t⁻¹). The ratio between the diffusion coefficient at the average operating temperature of the fuel (roughly 1300 K) and at the fuel temperature after shutdown and during the storage (some hundreds of kelvin, typically 500 K) is practically infinite. The inventory of radioactive isotopes in the gap is, then, practically equal to that at the discharge from the reactor. Therefore, for the Caorso reactor (860 MWe) and on the basis of the data on the content of fission products in a 1000 MWe reactor, the following evaluation can be made:

In all the fuel (560 elements), after 15 years decay:

$$^{85}\mathrm{Kr}:\quad 5.6 \times 10^{7} \times \frac{860}{1000 \times 2^{(15/10.82)}} = 17\,585\,000\ \mathrm{Ci}\ (650\,600\ \mathrm{TBq})$$

$$^{137}\mathrm{Cs}:\quad 4.7 \times 10^{6} \times \frac{860}{1000 \times 2^{(15/30.13)}} = 2\,924\,533\ \mathrm{Ci}\ (108\,208\ \mathrm{TBq})$$

In the gap of 50 elements, assumed equal to 1 per cent of the gap itself:

$$^{85}\mathrm{Kr}:\quad \frac{17\,585\,000 \times 50}{100 \times 560} = 15\,700\ \mathrm{Ci}\ (580\ \mathrm{TBq})$$

$$^{137}\mathrm{Cs}:\quad \frac{2\,924\,553 \times 50}{100 \times 560} = 2611\ \mathrm{Ci}\ (97\ \mathrm{TBq})$$

Assuming, moreover, that five fuel elements leak as a result of the event, corresponding to 10 per cent of the total (therefore, equal to ten times the percentage of fissured rods normally assumed in safety analyses for the normal operation of a reactor), then values available for release are obtained that are equal to one tenth of those indicated above. The external release in one day will be, for the considerations made above on the consequence of the variation of the atmospheric pressure, equal to one hundredth of the available activity values:

⁸⁵Kr: 0.6 TBq
¹³⁷Cs: 0.1 TBq
The release is assumed to be at ground level in cases where no accompanying fuel failure is postulated and at hundreds of metres high in the case where a fire occurs. A fire of short duration (less than one hour), such as one resulting from a plane crash or a manually extinguished fire, could have a limited influence on the amount of the release since the thermal time constant of the cask wall (more than 0.3 m of steel or cast iron) should be higher than the fire duration. In these conditions, the increase in the internal cask pressure caused by the fire could be high enough to change the amount (but not the order of magnitude) of the previously described release assumptions. A simple thermal analysis shows that a conservative estimate of the internal pressure increase caused by the fire in half an hour could be of the order of 3000 Pa (namely a factor of three over the above described assumptions). In conclusion, the release in a fire could be of the order of three times the one assumed above, in a time frame of less than one hour. The two releases should not be combined.
A4-4-4. Effective committed doses
Caesium doses
The cloud resulting from the release can be considered dispersed by diffusion and deposition (Pasquill model). If a stability condition, F, is assumed with a 2 m s⁻¹ wind velocity and a deposition velocity of 0.01 m s⁻¹, the ground concentrations shown in Table A4-5 (roughly) result.
Table A4-5. Ground concentrations

| Distance (km) | Soil concentrations (kBq m⁻²) |
|---|---|
| 1 | 200 |
| 2 | 50 |
| 10 | 2 |

The ground concentration (e.g. at 1 km) is C = 2 × 10⁻⁴ × 0.1 × 10⁹ × 0.01 = 200 kBq m⁻² (see Equation A4.5) and roughly decreases with the 1.5–2 power of the ratio of distances (resulting in concentrations of 50 kBq m⁻² and 2 kBq m⁻² at 2 km and 10 km, respectively). The levels of ground contamination calculated above can be compared with the contamination levels in a generic European country after Chernobyl, on the average equal to 10–20 kBq m⁻² with peaks of 100–200 kBq m⁻² (Vargo, 2000). On the assumption that the food chain is controlled after the accident and so the caesium intake is zero, the doses to the population can be due only to ground shine (if the population has not been evacuated). The doses at one year and at 50 years can be calculated on the basis of the factors shown in Table A4-6 corresponding to a contamination of 1 kBq m⁻² (Vargo, 2000). The inhalation dose gives a negligible contribution. Therefore, within a radius of 1 km from the site, multiplying the figures of the preceding table by 200, the results shown in Table A4-7 are obtained.

Table A4-6. Unit doses

| Time after the accident (years) | Effective dose (mSv) |
|---|---|
| 1 | 0.012 |
| 50 | 0.16 |

Table A4-7. Doses at 1 km

| Time after the accident (years) | Effective dose (mSv) |
|---|---|
| 1 | 2.5 |
| 50 | 30 |

At 2 km from the site, the doses are given by Table A4-8. At 10 km, the doses are given in Table A4-9.

Table A4-8. Doses at 2 km

| Time after the accident (years) | Effective dose (mSv) |
|---|---|
| 1 | 0.6 |
| 50 | 8 |

Table A4-9. Doses at 10 km

| Time after the accident (years) | Effective dose (mSv) |
|---|---|
| 1 | 0.025 |
| 50 | 0.3 |
Krypton-85 effective doses
The krypton-85 doses are due to immersion in a finite dimension cloud. For a diffusion category F and at a distance of 1 km, the conversion coefficient between the effective dose and cloud concentration (Vargo, 2000) is 3.6 × 10⁻⁵ rem per Ci s m⁻³ (2.7 × 10⁻¹³ Sv per Bq s m⁻³). Therefore, for a cloud concentration of 2 × 10⁻⁴ × 0.6 TBq s m⁻³, the following effective dose results: 1 × 10⁻⁹ Sv, that is practically zero.
A4-4-5. Conclusions
The preceding evaluations, despite the high level of protection already incorporated in the casks, support the need for technological solutions which offer special protection against aircraft crash and against explosive events or solutions such as where the storage structure is located at least 20 m below ground level.
References
ACI (2001) Code Requirements for Nuclear Safety Related Concrete Structures and Commentary, ACI 349, American Concrete Institute, USA.
ANPA (1985) ‘Gestione dei rifiuti radioattivi’, Guida Tecnica 26.
ANS (1984) ‘Report of the special committee on source terms’, American Nuclear Society, September.
Colombo, G. (1997) ‘Manuale dell’Ingegnere, Nuovo Colombo’, L-37 (83a), Ulrico Hoepli Editore, Milano.
Ferreli, A. and Bologna, L. (1991) ‘Reattori nucleari: Termine di sorgente e piani di emergenza’, Commissione Tecnica.
Vargo, G.J. (2000) The Chernobyl Accident: A Comprehensive Risk Assessment. Columbus: Battelle Press.
Bender F., Herausgegeber (1982) ‘Underground siting of nuclear power plants’, Hanover Symposium, Stuttgart.
Appendix 5 Simplified thermal analysis of an insufficiently refrigerated core
A5-1. Analysis of the core without refrigeration
The simple spreadsheet macro dryco.xls (available on the companion website) calculates the distribution of temperatures in a core (in downloadable file DRYCORE) without any refrigeration except for the radiation heat transfer towards the vessel and towards the surrounding concrete cavity. The calculation is a simplified one and is based on that used for the Rasmussen Report (Rasmussen, 1978). As explained at the beginning of Appendix 2, some of the units are not in the S.I. System, for historical reasons. The core is subdivided into ten circular rings, as illustrated in Figure A5-1. The input data are the temperature at the centre of the core, the total decay heat, and the dimensions of the core, the vessel and the external cavity. It is assumed that heat transfer occurs only in the radial direction. In reality, 10–12 per cent of the heat is dissipated axially (Rasmussen, 1978). The core power peaking factor (radial) is assumed to be 1.5, with a linear distribution as a function of the radius. In normal operation, however, an axial peaking factor of 1.4–1.5 should also be taken into account. The emissivity of the surfaces is set to 0.7. The dimensions of the rods (radius 0.535 cm) and the distance between a ring and the subsequent one (0.357 cm) correspond to the dimensions in a water reactor.
For the heat transfer from a layer at temperature T1 to the subsequent one at temperature T2, the principal formula used (Rasmussen, 1978) is:

$$Q = 1.35 \times 10^{-7}\, F A \left[(T_1/100)^4 - (T_2/100)^4\right]\ \mathrm{Cal\ s^{-1}}, \qquad \text{(A5.1)}$$

where F, the radiation coefficient $= 1/((1/\varepsilon_r) + (1/\varepsilon_o - 1)) = 0.54$ ($\varepsilon_r$ is the emissivity of the radiating surface and $\varepsilon_o$ is the emissivity of the irradiated surface), and A is the area of the radiating surface (m²). A typical problem solved by the spreadsheet macro is the following one: Given the temperature at the core centre and the decay power, not including the dimensions of the various parts, the concrete temperature necessary to dissipate the heat produced has to be calculated. The problem, once the input data are added to the spreadsheet, is easily solved by subsequent iterations given the rapidity of the calculation. The formulae for calculating the decay heat are also given as a function of the time elapsed since the shutdown and the operating power.

Input data
H, the height of the core = 353 cm
Qtot, the total core decay thermal power at time t = 544 Cal s⁻¹
qm, the average thermal power for unit volume of core = Cal s⁻¹ cm⁻³
R, the core external radius = 152 cm
Rev, the vessel external radius = 200 cm
To, the core centre temperature = 2047.15 K
[Figure A5-1. Core regions. Labels: Region 1 to Region n = 10, vessel, concrete cavity.]
Output data
Tcls, the reactor cavity concrete temperature = 133.97893 K
Tv, the vessel temperature = 1142.46 K
Note on this sample calculation: 0K for 1800 MWt, 150 days decay and central temperature equal to about 2050 K (zircaloy melting point).

(1) Kqd, the decay power coefficient = 1.05
Qde1, the decay power at time t = 543.76866 Cal s⁻¹
P, the operating power = 1800 MWt
t = 12 960 000 s
(2) Qde2/P, the ratio between decay and operating power (10–150 s after shutdown) = 0.0039523 (or 1700.3099 Cal s⁻¹)
(3) Qde3/P, the ratio between decay and operating power (150–4 × 10⁶ s after shutdown) (equivalent to Qde1 for Kqd = 1.05) = 0.001262

The decay power at a certain time and for a certain operating power are depicted by list items 1, 2 and 3.

Item 1 gives the decay power as a function of the time in seconds after the shutdown and the operating power (both to be inserted as inputs to the spreadsheet). The formula also requires a coefficient, Kqd, which represents a multiplication factor for the decay power and which takes the value 1.05 for the decay heat according to the ANS formula (ANS, 1971). Some think that the ANS formula is too conservative, so here is a way to change the decay power by a Kqd factor chosen by the user. For example, many experts think that the power (ANS 5%) is more representative of the real situation. This corresponds to a Kqd value of 1. The formula is valid in the range 150 < t < 4 × 10⁶ s. Item 2 gives the ratio between decay power and operating power for 10 < t < 150 s, according to the ANS formula. Item 3 is equivalent to item 1 with Kqd = 1.05 (ANS) with the only difference being that it gives the ratio between the powers, as does item 2, but for the long term.
Table A5-1. Spreadsheet for calculations

| Qtot [Cal s⁻¹] | H [cm] | qm [Cal s⁻¹ cm⁻³] | R [cm] | To [K] | Rev [cm] |
|---|---|---|---|---|---|
| 544 | 353 | 2.123 × 10⁻⁵ | 152 | 2047.15 | 200 |

| Fuel ring number, n (106 rings in total) | Radius corresponding to n, x (cm) | Lateral area in x, A (cm²) | Thermal power produced within radius x, Qx (Cal s⁻¹) | Temperature in x, Tn (K) |
|---|---|---|---|---|
| 16 | 23.367 | 53744.1 | 18.737769 | 2047.15 |
| 26 | 37.637 | 86565.1 | 47.745591 | 2032.8911 |
| 36 | 51.907 | 119386.1 | 89.16686 | 2009.7015 |
| 46 | 66.177 | 152207.1 | 142.25443 | 1976.9607 |
| 56 | 80.447 | 185028.1 | 206.26115 | 1933.5523 |
| 66 | 94.717 | 217849.1 | 280.43987 | 1877.6273 |
| 76 | 108.987 | 250670.1 | 364.04346 | 1806.1204 |
| 86 | 123.257 | 283491.1 | 456.32475 | 1713.6724 |
| 96 | 137.527 | 316312.1 | 55.5366 | 1589.8208 |
| 106 | 151.797 | 349133.1 | 663.93187 | 1409.3021 |
The example shows the case of a 1800 MWt core after 150 days of decay, with the central temperature equal to about the melting point of zircaloy (about 1800 °C (2100 K)). It can be seen that the concrete temperature necessary to remove the heat is about 130 K, which is within an acceptable range (a more precise input decay power, 543.7688 817 Cal/s instead of 544 Cal/s, would have given 297 K). The same spreadsheet can be used to show that the central region formed by four fuel elements, even after only 30 days of decay, could save its integrity (temperature lower than 1500 K) if exposed to an environment kept at some hundreds of kelvin.
A5-2. Other formulae and useful data for the indicative study of the cooling of a core after an accident
The data listed here are those given in Rasmussen (1978). In the case where the core is totally submerged by water, in a boiling regime, the heat transfer coefficient, hB, can be assumed to be equal to 1600 Cal m⁻² hr⁻¹ K⁻¹. On the other hand, when the core is partially submerged, then it will be necessary to determine the level of the water–steam mixture: above this level the heat transfer will take place towards the steam, below this level it will be towards the mixture. The heat transfer coefficient towards steam can be assumed equal to the one given by the Dittus-Boelter formula:

$$h = \frac{3.026 \times 10^{-3}\, C_p\, G^{0.8}}{D^{0.2}}\ \mathrm{W\ m^{-2}\ K^{-1}}, \qquad \text{(A5.1)}$$

where Cp is the specific heat of the steam (J kg⁻¹ K⁻¹), G is the steam flow rate (kg s⁻¹ m⁻²) and D is the equivalent diameter of the channel (m). The calculation of the mixture level is made by trial and error using Equations A5.2 and A5.3:

$$M = A_{tot}\, Y \rho_L \left(1 - \frac{\alpha_T}{2}\right)\ \mathrm{kg}, \qquad \text{(A5.2)}$$

where M is the weight of water in the core (kg), $A_{tot}$ is the total vessel cross-section occupied by the mixture (m²), Y is the level of the mixture above the vessel bottom (m), $\alpha_T$ is the void fraction at the top of the mixture (it is assumed that the void fraction varies linearly with height) and $\rho_L$ is the liquid density (kg m⁻³).

$$Q_{DK} = \rho_s\, U_T\, \alpha_T\, A_{tot}\, h_{fg}\ \mathrm{W}, \qquad \text{(A5.3)}$$

where $Q_{DK}$ is the total decay power in the zone covered by the mixture (W), $\rho_s$ is the steam density (kg m⁻³), $U_T$ is the steam separation velocity at the top of the mixture (m s⁻¹) and $h_{fg}$ is the evaporation enthalpy (J/kg).
A constant value of 1.4 m s⁻¹ for $U_T$ can be assumed, but it can be calculated by the Wilson correlation (Equation A5.4):

$$U_T = 1.05\,(58.76\,D)^{0.244}\,(\alpha_T)^{1.283}\ \mathrm{m\ s^{-1}}, \qquad \text{(A5.4)}$$

where D is the hydraulic diameter (m) of the fuel element channel (or ‘box’) or the fuel rod. A typical reflood velocity of the core after uncovering is 5 × 10⁻³ m s⁻¹. The thermal constant of the fuel rod is equal to about 1 minute.
The overall thermal capacity of a core for a pressurized reactor of 900 MWe is equal to about 3.35 × 10⁶ J K⁻¹ (8000 Cal °C⁻¹).
References
ANS (1971) ‘Decay energy release rates following shutdown of uranium fuelled thermal reactors’, Subcommittee ANS-5, American Nuclear Society Standards Committee, October.
Rasmussen (1978) ‘Thermal Analyses’, The Rasmussen Report, WASH-1400, v.VIII, App.A.
Appendix 6 Extracts from EUR criteria (December 2004)
Some pages of the EUR criteria relevant to nuclear safety are reproduced in this appendix (courtesy of the European Utility Requirements Group through its member SOGIN, Italy). The order in which paragraphs are shown has been adjusted to fit into the present context. Most notes are not included. The whole document can be consulted on the EUR website at www.europeanutilityrequirements.org although some areas require access permission. The EUR criteria numbering system has been kept together with the cross-references within the criteria.
2-1-8-3. List of design basis conditions

PWR

Category 1

Steady-state and start-up conditions and shutdowns:
- power operation
- start-up
- hot standby
- hot shutdown
- cold shutdown
- refuelling shutdown
- operation with an inactive loop, if applicable

Anticipated operating transients:
- temperature increase and decrease at a maximum rate of 55 °C per hour
- step load increase and decrease (10% load)
- load increase and decrease at a rate of 5% rated load/minute (between 15 and 100% full power)
- switch-over to houseload operation from full power with steam dump
- limiting conditions allowed by the technical specifications

Category 2
- inadvertent withdrawal of RCCA bank with reactor subcritical
- inadvertent withdrawal of RCCA bank with reactor power
- misalignment of control rod assembly or bank drop
- inadvertent boric acid dilution
- partial loss of core coolant flow
- inadvertent closure of main steam isolation valve
- total loss of load and/or turbine trip
- loss of main feedwater flow to steam generators
- malfunction of steam generator main feedwater system
- total loss of off-site power (<2 hours)
- excess increase in turbine load (at full power)
- temporary depressurisation of reactor coolant system
- spurious opening of steam generator safety valve or other secondary side depressurisation caused by a single failure
- spurious start-up of safety injection system
- malfunction of chemical and volume control system
- very small loss of reactor coolant (e.g. small instrument line break)

Category 3
- loss of reactor coolant (small pipe break)
- small secondary pipe break
- forced reduction in reactor coolant flow
- mis-positioning of a fuel assembly in the core
- withdrawal of a single RCCA at power
- spurious operation of a pressuriser safety valve
- rupture of volume control tank
- rupture of gaseous waste hold-up tank
- failure of liquid waste effluent tank
- one steam generator tube break, without previous iodine spike
- total loss of off-site power (up to 72 hours)

Category 4
- main steam-line break
- main feedwater line break
- reactor coolant pump locked rotor
- ejection of any single RCCA
- loss of reactor coolant up to and including double-ended guillotine failure of largest RCS pipe
- fuel handling accident
- one steam generator tube break with previous iodine spiking

2-1-8. TABLES

2-1-8-1. Table 1: Radiological criteria for radioactive releases in normal operation and incident conditions

| Annual discharge | Target |
|---|---|
| Liquid release (liquids except tritium) | 10 GBq |
| Gaseous release: Noble gases | 50 TBq |
| Gaseous release: Halogens and aerosols | 1 TBq |

Notes:
(1) Typical values with reference to a 1400 MW plant on inland sites. For units of smaller output, the discharges should be pro-rata to output.
(2) Targets are related to a generic inland site. Liquid discharge limits may be less stringent for coastal sites or more severe on very restricted river sites. Design flexibility should be provided for the river sites where the required values may be more stringent.
(3) Targets are defined based on the best operating plant values and they should assume circuit activity, circuit leak rate, etc.
(4) In some countries, a limit exists for tritium discharges. These discharges are not wholly under the control of the designer. It is expected that, in practice, assuming adequate operational procedures, the designer could show that the annual discharge is less than approximately 40 TBq.
(5) For certain sites and certain countries, concentration limits apply. Where applicable, these will be specified for a particular site.
(6) Short-lived radionuclides are not to be considered in the targets.
2-1-8-2. Table 2: Frequencies and acceptance criteria for normal operation, incident and accident conditions

| Design basis category | Definition | Frequency of initiating event | Acceptance criteria: plant parameters | Acceptance criteria: radioactive releases |
|---|---|---|---|---|
| 1 | Normal operation | | Process parameters within normal operation range of technical specifications | Table 1 |
| 2 | Incidents | f > 10⁻² | Process parameters within applicable acceptance criteria | Table 1 |
| 3 | Accidents (low frequency) | 10⁻² > f > 10⁻⁴ | Plant limits for Category 3 (1). Limited fuel damage. Shutdown for inspection may be necessary | Appendix B (2) |
| 4 | Accidents (very low frequency) | 10⁻⁴ > f > 10⁻⁶ | Acceptance criteria for Category 4 (1). Core coolable geometry retained. Plant restart may be impossible | Appendix B (2) |

(1) See Chapter 2.4, Section 2-4-5-9-2-1 for safety category 1 mechanical equipment, Table 5 for fuel and Chapter 2-9, Sections 2-9-3-1-4-5-3 and 2-9-3-1-4-5-4 for Primary Containment
(2) See Appendix B for release assessment methodology and release targets
NB: This summary table must be read in conjunction with the more detailed requirements in Section 2-1-3.
2-1-B-1. Criteria for limited impact for DEC
The criteria for limited impact is set as acceptance criteria for a number of DEC and for probabilistic safety assessment studies. The following sections define the methodology to assess the acceptability of the releases from a specific design versus the criteria for limited impact. Four different design targets are identified in Chapter 2-1 Section 2-1-2-5:
(1) No Emergency Protection Action beyond 800 m
(2) No Delayed Action beyond 3 km
(3) No Long-term Action beyond 800 m
(4) Limited economic impact

Each of the Targets 1–3 shall be verified independently according to the following methodology:
- The releases from the plant to the atmosphere are broken down into the nine reference isotope groups.
- These releases are combined and compared with one criterion according to the linear combination formula:

$$\sum_{i=1}^{9} R_{ig} C_{ig} + \sum_{i=1}^{9} R_{ie} C_{ie} < \text{criterion},$$

where $R_{ig}$ and $R_{ie}$ are the total releases (at ground and elevated level, respectively) of the nine reference isotopes during the related release period from the containment system, and $C_{ig}$ and $C_{ie}$ are the coefficients given in Tables B1 to B3, related to environment effects of unitary releases. For the fourth Target, only three reference isotopes are given. Each shall be considered as an independent criterion.

In the case that the primary containment is kept pressurised well beyond 7 days, but the primary containment has nevertheless reached a relatively low pressure, the calculation of the releases may be stopped at 7 days. Releases shall be calculated by the designer for the reference source term, as required in Appendix A to Chapter 2.1, and for the PSA release categories, as required in Chapter 2-17. Timing and quantities of the releases of the nine reference isotopes listed below as representative of their group shall be derived. The coefficients have been determined on the assumption that other isotopes in the same group will be released with the same release fraction and that the core inventories are typical of a PWR with a fuel cycle of about 18 to 24 months. Isotopes in the nine groups have been considered according to generally accepted criteria. Coefficients for elevated releases have been determined with reference to releases occurring from a stack of about 100 m height. Higher stacks will reduce the effects at short distances and, therefore, the result will be conservative for the ranges under consideration. If a lower stack is provided, special considerations shall be agreed upon with the utilities. The coefficients for ground level releases shall be applied to releases from a height less than 100 m.

2-1-B 1-1. Table B1: Criteria for limited impact for no emergency action beyond 800 m from the reactor

| Isotope group | Coefficients for ground level releases, Cig | Coefficients for elevated releases, Cie |
|---|---|---|
| ¹³³Xe | 6.5 × 10⁻⁸ | 1.1 × 10⁻⁸ |
| ¹³¹I | 5.0 × 10⁻⁵ | 3.1 × 10⁻⁶ |
| ¹³⁷Cs | 1.2 × 10⁻⁴ | 5.4 × 10⁻⁶ |
| ¹³¹ᵐTe | 1.6 × 10⁻⁴ | 7.6 × 10⁻⁶ |
| ⁹⁰Sr | 2.7 × 10⁻⁴ | 1.2 × 10⁻⁵ |
| ¹⁰³Ru | 1.8 × 10⁻⁴ | 8.1 × 10⁻⁶ |
| ¹⁴⁰La | 8.1 × 10⁻⁴ | 3.7 × 10⁻⁵ |
| ¹⁴¹Ce | 1.2 × 10⁻³ | 5.6 × 10⁻⁵ |
| ¹⁴⁰Ba | 6.2 × 10⁻⁶ | 3.1 × 10⁻⁷ |

The acceptance criterion is that:

$$\sum_{i=1}^{9} R_{ig} C_{ig} + \sum_{i=1}^{9} R_{ie} C_{ie} < 5 \times 10^{-2}\quad \text{(releases in TBq)}.$$

2-1B 1-2. Table B2: Criteria for limited impact for no delayed action beyond 3 km from the reactor

| Isotope group | Coefficients for ground level releases, Cig | Coefficients for elevated releases, Cie |
|---|---|---|
| ¹³³Xe | 0 | 0 |
| ¹³¹I | 1.2 × 10⁻⁶ | 3.5 × 10⁻⁷ |
| ¹³⁷Cs | 5.6 × 10⁻⁶ | 8.9 × 10⁻⁷ |
| ¹³¹ᵐTe | 3.8 × 10⁻⁶ | 7.0 × 10⁻⁷ |
| ⁹⁰Sr | 9.9 × 10⁻⁷ | 3.2 × 10⁻⁷ |
| ¹⁰³Ru | 1.3 × 10⁻⁶ | 2.2 × 10⁻⁷ |
| ¹⁴⁰La | 2.9 × 10⁻⁶ | 4.8 × 10⁻⁷ |
| ¹⁴¹Ce | 4.5 × 10⁻⁶ | 8.1 × 10⁻⁷ |
| ¹⁴⁰Ba | 1.5 × 10⁻⁶ | 2.5 × 10⁻⁷ |

The acceptance criterion is that:

$$\sum_{i=1}^{9} R_{ig} C_{ig} + \sum_{i=1}^{9} R_{ie} C_{ie} < 3 \times 10^{-2}.$$

2-1B 1-3. Table B3: Criteria for limited impact for no long-term actions beyond 800 m from the reactor

| Isotope group | Coefficients for ground level releases, Cig | Coefficients for elevated releases, Cie |
|---|---|---|
| ¹³³Xe | 0 | 0 |
| ¹³¹I | 1.2 × 10⁻⁵ | 7.8 × 10⁻⁷ |
| ¹³⁷Cs | 6.5 × 10⁻⁵ | 3.4 × 10⁻⁵ |
| ¹³¹ᵐTe | 2.6 × 10⁻⁵ | 1.3 × 10⁻⁶ |
| ⁹⁰Sr | 1.4 × 10⁻⁵ | 7.2 × 10⁻⁷ |
| ¹⁰³Ru | 2.3 × 10⁻⁵ | 1.2 × 10⁻⁷ |
| ¹⁴⁰La | 7.9 × 10⁻⁵ | 4.1 × 10⁻⁶ |
| ¹⁴¹Ce | 7.6 × 10⁻⁵ | 4.0 × 10⁻⁶ |
| ¹⁴⁰Ba | 1.1 × 10⁻⁵ | 5.9 × 10⁻⁷ |

The acceptance criterion is that:

$$\sum_{i=1}^{9} R_{ig} C_{ig} + \sum_{i=1}^{9} R_{ie} C_{ie} < 1 \times 10^{-1}\quad \text{(releases in TBq)}.$$

2-1B 1-4. Table B4: Criteria for limited impact for economic impact

| Isotope | Target (TBq) |
|---|---|
| ¹³¹I | 4000 |
| ¹³⁷Cs | 30 |
| ⁹⁰Sr | 400 |

2-1 B2 Release targets for design basis category 3 and 4 conditions
In the cases of design basis category 3 and 4 conditions, the same general approach as for DEC shall be used to prove that the design complies with the following design targets:
(1) No action beyond 800 m
(2) Limited economic impact

The first target shall be verified according to a combination methodology similar to the one developed for the first three criteria for limited impact:
- The releases from the plant are broken into the three reference isotope groups.
- These releases are combined and compared with one criterion.

The combination shall be made according to the following linear combination formula:

$$\sum_{i=1}^{3} R_{ig} C_{ig} + \sum_{i=1}^{3} R_{ie} C_{ie} < \text{criterion},$$

where $R_{ig}$ and $R_{ie}$ are the total releases (at ground and elevated level, respectively) of the three reference isotopes during the entire release period from the containment system, and $C_{ig}$ and $C_{ie}$ are the coefficients given in Table B5, related to environment effects of unitary releases. The second target shall be checked using a methodology similar to the one developed for the economic part of the criteria for limited impact: independent release targets for several representative isotopes. This methodology is developed in Section 2-1 B-2-2. The coefficients presented in Tables B5 and B6 are valid insofar as no core damage occurs during
the considered accidents, while evaluated with realistic methodologies. These coefficients shall be applicable to all DBC related to core and RCS behaviour. Releases of the most representative chemical species shall be assessed by the designer in general with realistic/best estimate assumptions, with the exception of the conservative assumptions listed in Section 2-1-2-4. In the methodology applicable to DBA release targets, the same limitations and the same warnings are applicable as those given for DEC (see Section 2-1-B-1).
2-1-B-2-1. Table B5: DBA release targets for no action beyond 800 m from the reactor

| Isotope group | Coefficients for ground level releases, Cig | Coefficients for elevated releases, Cie |
|---|---|---|
| ¹³³Xe | 1.5 × 10⁻⁸ | 3.0 × 10⁻⁹ |
| ¹³¹I | 8.1 × 10⁻⁵ | 5.5 × 10⁻⁶ |
| ¹³⁷Cs | 1.5 × 10⁻⁴ | 8.5 × 10⁻⁶ |

The acceptance criteria are:

$$\sum_{i=1}^{3} R_{ig} C_{ig} + \sum_{i=1}^{3} R_{ie} C_{ie} < 1 \times 10^{-3}\quad \text{for DBC category 3}$$

$$\sum_{i=1}^{3} R_{ig} C_{ig} + \sum_{i=1}^{3} R_{ie} C_{ie} < 5 \times 10^{-3}\quad \text{for DBC category 4}$$

(Releases expressed in TBq.)

2-1-B-2-2. Table B6: DBA release targets for economic impact
For the limitation of area impacted by food marketing restrictions in DBA, release targets to the atmosphere shall be set. These release targets are more stringent than those given for limited DEC to minimise the impacted area.
Targets set for ground and elevated releases and for only two reference isotopes, ¹³¹I and ¹³⁷Cs, are the following:

| Isotope | Target for ground release (TBq) | Target for elevated release (TBq) |
|---|---|---|
| ¹³¹I | 10 | 150 |
| ¹³⁷Cs | 1.5 | 20 |

If only ground or elevated release occurs, the target shall be checked for each reference isotope and only for the related release path. If both ground level and elevated releases occur, a combination of limit percentages for each isotope shall be assessed. The method consists in estimating, for each isotope and for each release path, the percentage of release with respect to the target. To satisfy the target, the sum of those percentages, for each reference isotope, shall be lower than 100% value. The same targets apply to both design basis category 3 and 4 conditions.

2-1-2-2-2. Doses from direct radiation to the public during normal operation and incident conditions
The target for direct radiation dose during normal operation and incidents is 0.1 mSv year⁻¹. The target is independent from plant rated power. This shall be assessed for the most exposed position or surrounding people:
- at 100 m from the most significant sources with an occupancy factor of 1/30 or
- at 300 m with an occupancy factor of 1.
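The two DBA release-target checks of Sections 2-1-B-2-1 and 2-1-B-2-2 above, written out as an added example (it is not part of the EUR text or of the book). Coefficients, criteria and targets are transcribed from Tables B5 and B6 with the exponents read as negative powers of ten; the function names and the release cases are constructed for illustration.

```python
"""DBA release-target checks (EUR Sections 2-1-B-2-1 and 2-1-B-2-2)."""

# Table B5 coefficients per TBq released, as (ground level C_ig, elevated C_ie).
# Assumption: the exponents printed in the table are negative powers of ten.
TABLE_B5 = {
    "Xe-133": (1.5e-8, 3.0e-9),
    "I-131": (8.1e-5, 5.5e-6),
    "Cs-137": (1.5e-4, 8.5e-6),
}
# Acceptance criteria for the Table B5 linear combination, by DBC category.
B5_CRITERION = {3: 1e-3, 4: 5e-3}
# Table B6 targets in TBq, as (ground release, elevated release).
TABLE_B6 = {"I-131": (10.0, 150.0), "Cs-137": (1.5, 20.0)}

# Constructed release cases: isotope -> (ground TBq, elevated TBq).
CASE_A = {"Xe-133": (0.0, 2.0e4), "I-131": (2.0, 60.0), "Cs-137": (0.3, 4.0)}
CASE_B = {"I-131": (6.0, 75.0), "Cs-137": (0.1, 1.0)}
CASE_C = {"I-131": (20.0, 0.0)}


def _validate(releases):
    """Reject isotopes outside the reference groups and malformed releases."""
    for isotope, pair in releases.items():
        if isotope not in TABLE_B5:
            raise ValueError(f"{isotope} is not a Table B5 reference isotope")
        if len(pair) != 2 or min(pair) < 0:
            raise ValueError(f"{isotope}: need two non-negative releases in TBq")


def b5_terms(releases):
    """Per-isotope contribution R_ig*C_ig + R_ie*C_ie to the Table B5 sum."""
    _validate(releases)
    terms = {}
    for isotope, (ground, elevated) in releases.items():
        c_ig, c_ie = TABLE_B5[isotope]
        terms[isotope] = ground * c_ig + elevated * c_ie
    return terms


def check_no_action_800m(releases, dbc_category):
    """First target: linear combination against the category 3 or 4 criterion."""
    if dbc_category not in B5_CRITERION:
        raise ValueError("dbc_category must be 3 or 4")
    terms = b5_terms(releases)
    index = sum(terms.values())
    criterion = B5_CRITERION[dbc_category]
    return {
        "index": index,
        "criterion": criterion,
        "fraction_of_criterion": index / criterion,
        "dominant": max(terms, key=terms.get) if terms else None,
        "met": index < criterion,
    }


def b6_percentages(releases):
    """Second target: per isotope, sum over both paths of release/target in %."""
    _validate(releases)
    result = {}
    for isotope, (target_ground, target_elevated) in TABLE_B6.items():
        ground, elevated = releases.get(isotope, (0.0, 0.0))
        result[isotope] = 100.0 * (ground / target_ground
                                   + elevated / target_elevated)
    return result


def check_economic_impact(releases):
    """The target is met only if every reference isotope stays below 100%."""
    percentages = b6_percentages(releases)
    return {
        "percentages": percentages,
        "met": all(p < 100.0 for p in percentages.values()),
    }


if __name__ == "__main__":
    for name, case in (("A", CASE_A), ("B", CASE_B), ("C", CASE_C)):
        print(name, check_no_action_800m(case, 3), check_economic_impact(case))
```

The second constructed case meets the Table B5 criterion for category 3 yet reaches 110% of the iodine target in Table B6, because each release path alone is under its target while their sum is not.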
2-1-2-3. Operational staff doses during normal operation and incidents
The plant designer shall demonstrate that for the operational staff, the following objectives for annual effective doses can be met:
(1) Individual effective doses
Target for individual effective dose: 5 mSv year⁻¹
Individual effective doses shall also comply with local regulations, if these are more stringent.
(2) Collective effective dose
The collective effective dose shall be ALARA. The target for annual collective effective dose averaged over the plant life is 0.5 man Sv per unit.
2-1-2-6. Probabilistic safety targets
In accordance with the safety policy described before, EUR sets probabilistic quantitative design targets as follows:
- core damage cumulative frequency shall be lower than 10⁻⁵ per reactor year
- cumulative frequency of exceeding the criteria for limited impact (CLI) defined in appendix B shall be lower than 10⁻⁶ per reactor year
- sequences potentially involving either the early failure of the primary containment (see Section 2-1-4-4-1) or very large releases shall have a cumulative frequency well below the previous target of 10⁻⁶ per reactor year.
These targets are associated with the scope, data, methods, assumptions and criteria for core damage which are defined in Chapter 2.17. In particular they include the risks in shutdown modes which have been shown to be a significant contributor in assessments of present reactor designs. The plant designer shall provide a PSA at both level 1 (determination of the frequency of events leading to core damage) and level 2 (determination of frequencies and magnitudes of radioactive release).
2-1-3-4. Single failure criterion An assembly of equipment satisfies the single failure criterion (SFC) if it can perform its safety function despite a single random failure assumed to occur in any part of the assembly during any design condition in which the assembly is required to operate. This includes unrevealed pre-existing failures. Consequential failures resulting from the assumed single failure shall be considered to be an integral part of the single failure.
The SFC shall be applied to each assembly of equipment which performs all actions required to fulfil a level F1 function for a given initiating event in order that the limits specified in the design basis for that event are not exceeded. The need to apply SFC to level F2 functions will be determined on a case-by-case basis. If, for a particular safety function, it is necessary to operate various systems simultaneously or successively, a single failure shall be postulated in any one of the systems in turn, but not simultaneously in more than one of them. In the single failure analysis, the failure may not need to be assumed of a passive component designed, manufactured, installed, inspected and maintained in service to a high quality level. However, when it is assumed that a passive component does not fail, such an approach shall be justified, taking into account the total period of time that the component is required after the initiating event. The treatment of certain components sometimes considered passive, such as check valves, should be based on a realistic assessment, rather than on prescriptive rules. Thus, single failures should be assumed for check valves that have to change state unless sufficient evidence exists to show, in relation to their implicit reliability, that this is unduly conservative. In certain cases it may not be necessary to consider the combination of an event or hazard with a single failure when the probability of the combination is very low (e.g. aircraft crash). Spurious automatic action shall be considered as one mode of failure, unless there are specific measures to inhibit such actions, or probabilistic arguments can be deployed to show this is unreasonable. Single operator errors (excluding diagnostic errors) shall be included in the SFC, but only to a limited extent as for a single spurious automatic action. Components may be withdrawn from service for repair, periodic maintenance or testing. 
For the systems they belong to, the SFC is not applicable during this limited time period. During this period, the combined frequency of postulated initiating event and loss of safety function or the effect on the system’s capability to perform its safety function shall be demonstrated to be insignificantly low.
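The single-failure analysis described above can be mechanised as follows. This Python code is an added example, not part of the EUR text or of the book; the two-train system, its component names and the consequential-failure map are constructed for illustration, and the exemption of the shared suction header assumes the justification for a passive component has been made.

```python
"""Single-failure analysis on a constructed two-train system (added illustration)."""

# Constructed model: two 100 % trains; a train works only if all its parts work.
TRAINS = {
    "A": ["suction_header", "pump_A", "valve_A", "diesel_A"],
    "B": ["suction_header", "pump_B", "valve_B", "diesel_B"],
}
REQUIRED_TRAINS = 1  # trains needed to perform the safety function

# Consequential failures: failure of the key takes the listed items down with it.
SHARED_COOLER = {"room_cooler": ["pump_A", "pump_B"]}
SEPARATE_COOLERS = {"room_cooler_A": ["pump_A"], "room_cooler_B": ["pump_B"]}

# Passive item assumed to be justified as non-failing (high quality level).
JUSTIFIED_PASSIVE = ("suction_header",)


def consequential_closure(initial, causes):
    """Return the postulated failure plus everything it causes, transitively."""
    failed, stack = set(), [initial]
    while stack:
        item = stack.pop()
        if item not in failed:
            failed.add(item)
            stack.extend(causes.get(item, ()))
    return failed


def trains_available(trains, failed):
    """Names of the trains in which no component has failed."""
    return sorted(t for t, parts in trains.items() if not failed & set(parts))


def single_failure_analysis(trains, causes, required, exempt_passive=()):
    """Postulate one failure at a time, never two at once.

    Returns {postulated failure: resulting failed set} for every single
    failure that leaves fewer than `required` trains available.
    """
    candidates = set(causes)
    for dependents in causes.values():
        candidates.update(dependents)
    for parts in trains.values():
        candidates.update(parts)

    violations = {}
    for item in sorted(candidates - set(exempt_passive)):
        failed = consequential_closure(item, causes)
        if len(trains_available(trains, failed)) < required:
            violations[item] = sorted(failed)
    return violations


def satisfies_sfc(trains, causes, required, exempt_passive=()):
    """True when no single failure defeats the safety function."""
    return not single_failure_analysis(trains, causes, required, exempt_passive)


if __name__ == "__main__":
    for label, causes in (("shared cooler", SHARED_COOLER),
                          ("separate coolers", SEPARATE_COOLERS)):
        result = single_failure_analysis(TRAINS, causes, REQUIRED_TRAINS,
                                         JUSTIFIED_PASSIVE)
        print(label, "->", result or "SFC satisfied")
```

The shared room cooler defeats both trains through its consequential failures, so redundancy of the pumps alone does not satisfy the criterion; dropping the passive exemption makes the common suction header a violation as well.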
Appendix 6 Extracts from EUR criteria (December 2004)
2-1-4-3-2. Complex sequences that must be considered in DEC Some complex sequences shall be considered in the design, and therefore identified as part of DEC on the basis of current licensing practices or of the uncertainties associated with the evaluation of their probability of occurrence. In this case, probabilistic arguments are used only in identifying the initial reactor states and the associated assumptions for safety analysis. These conditions include:
• anticipated transients without scram (ATWS) (see Section 2-1-4-3-3)
• station black out (SBO). In line with the overall frequency targets, SBO sequences and their duration shall be considered as DEC if their combined occurrence frequency is higher than 10⁻⁷ per year (see also Section 2-1-6-7-4). In the analysis as DEC, proper credit shall be given to diversified on-site power sources
• for PWRs, main steam-line break plus consequential steam-generator tube ruptures (SGTR)
• containment system bypass accidents, Section 2-1-4-3-4 (including multiple SGTR for PWRs).
2-1-6-8. Classification of the safety functions and categorisation of the equipment 2-1-6-8-1 Introduction The safety categorisation and classification shall be carried out on the following basis:
Definition of safety functions required to achieve and maintain a controlled or safe shutdown state. Identification of equipment and structures involved in each function. Assignment of each item of equipment or each structure to a safety category, generally according to the highest safety level of function it has to perform. Assignment of each item of equipment or each structure (where relevant) to a code class, according to the code used for the design (see Chapter 2-5).
The two levels of safety function, plus nonsafety, are defined in this section, together with the
requirements associated with each level. The principles for safety categorisation, deriving from the functional level, are also described in this section, together with the requirements for each safety category. The list of function and the relevant levels related to systems generally are given in Chapter 2-8 and for containment in Chapter 2-9. The plant designer shall define in detail the specific provisions to fulfil each function and shall assign each item of equipment or each structure to an appropriate safety category. The plant designer shall then, as appropriate, assign the item to a code class according to the system of codes and standards to which the plant is to be designed and constructed. The objective of the safety categorisation and classification is to specify equipment that is appropriate to the demands of safety, without requiring unduly high levels of quality, equipment qualification, periodic testing, etc. If the designer has developed a Nuclear Island using a different safety classification approach than the one required in Sections 2-1-6-8-2-1 and 2-1-6-8-2-2, the designer shall demonstrate the correspondence of its initial safety classification system with the EUR functional safety classification. If following the initial designer’s approach, any Nuclear Island equipment has a lower safety level than the one it would have following the EUR approach, the designer shall categorise it at the safety level corresponding to the one required in the EUR document.
2-1-6-8-2. Level of safety functions The levels of safety functions are defined as F1 and F2. The level F1 is subdivided into sublevels F1A and F1B. The other functions are defined as non-safety. As applied to equipment required to fulfil the safety functions in design basis category 3 and 4 and certain category 2 conditions (see Section 2-1-3-3(2)), the relevant parameters are the timescale following an initiating event related to the need for the safety function and the plant state to be reached. The same applies also to DEC, but with different rankings. According to the above criteria and taking into account the definitions of plant states included in Volume 1, Appendix B, the following classification applies.
2-1-6-8-2-1 Level F1 safety functions. Level F1 is subdivided into sublevels F1A and F1B according to the following criteria:
• Level F1A: The safety functions needed to reach a controlled state in design basis category 3 and 4 conditions and certain category 2 conditions.
• Level F1B: The safety functions needed to reach a safe shutdown state in design basis category 3 and 4 conditions and in certain category 2 conditions. If this state is reached before 24 hours the safety level F1B functions shall maintain the plant in this state at least until 24 hours from accident initiation.
Due to its importance for achieving the main safety objectives, maintaining the integrity of the RCS pressure boundary should be considered as a safety level F1 function.
2-1-6-8-2-2. Level F2 safety functions. The safety functions needed to maintain a safe shutdown state beyond 24 hours and up to 72 hours from the initiating events in design basis categories 2, 3 and 4 conditions shall be assigned to level F2. Level F2 also includes safety functions needed in complex sequences up to 72 hours after onset of event. Level F2 shall also include the safety functions needed to reach and maintain a severe accident safe state (SASS). These functions shall be assigned to level F2 if critical to fulfil the overall probabilistic safety targets (see Section 2-1-2-6) or to assure the releases are kept within the targets set for certain DEC. This will be made on a case-by-case basis which can be design dependent. Level F2 shall also include the safety functions needed to reach and maintain a severe accident safe state (SASS) and a safe shutdown state in complex sequences. Safety functions which are not already level F1 and which are relevant to show compliance with the core damage cumulative frequency target of 10⁻⁵ per year shall be, in general, assigned to F2. The level of safety functions needed to cope with for hazard of external and internal origins should be assessed on a case-by-case basis, mainly on the basis of the severity of the potential consequences. The level of safety functions needed to cope with accidents not involving the reactor coolant system and the core such as the fuel handling accidents, accidents involving the radioactive waste management systems, etc., should be defined on a case-by-case basis according to the overall safety classification and categorisation framework, the frequency of the initiating event and the potential consequences. It is not anticipated that these will be higher than level F2.
2-1-6-6-3. Requirements according to level of safety functions There are certain general requirements which can be associated with the different levels of safety functions relating to:
the need to consider the SFC; the requirement for emergency electrical supply; the need for physical separation between functional trains in a system; the need for automatic actuation.
These are summarised in their most general application in the following table:

Requirement                                      F1A      F1B      F2
Single-failure criterion                         Yes      Yes      No (1)
Back-up on-site electrical supply                Yes      Yes      No (2)
Physical separation between functional trains    Yes      Yes      No (3)
Automatic actuation                              Yes (5)  No       No (4)

(1) Redundancy may be required for the case of equipment which is inaccessible or, if required, to meet probabilistic targets or for certain hazards.
(2) Yes for those functions which require electrical supply of high reliability in the relevant conditions.
(3) Yes for specific hazards (e.g. fire).
(4) For certain design extension conditions there may be exceptions; to be considered on a case-by-case basis (see Chapter 2-19).
(5) There may be exceptions for some slowly developing accidents.
2-1-6-8-4. Assignment of equipment and structures to a safety category Equipment and structures are assigned to the following categories:
• Safety category I
• Safety category II
• Non-safety.
The designer shall assign each structure and each item of equipment to an appropriate safety category, primarily according to the highest level of the safety function they perform as follows:

Highest safety function level performed    Safety category
F1A, F1B                                   I
F2                                         II
Non-safety                                 Non-safety
2-1-6-8-5. Requirements on equipment and structures according to safety category Certain requirements are imposed on structures and equipment according to their safety category. These requirements are as follows:

                                       Safety category of structure or equipment
Requirement                            I        II        NS
Quality assurance (QA)                 Yes      Yes (1)   No
Application of nuclear codes           Yes      No (2)    No
Qualification                          Yes      No (3)    No
In-service inspection/periodic tests   Yes      No (4)    No
Seismic qualification                  Yes      No (2)    No
Reliability data                       Yes      Yes       Yes (5)

(1) Sufficient to assure required reliability. QA typically to EN ISO 9001.
(2) Appropriate codes shall be used, but they may be non-nuclear ones, see Section 2-1-6-8-6.
(3) For structures or equipment used under severe accident conditions, demonstration of survivability is required.
(4) Except as required to support the reliability data.
(5) Only equipment claimed in PSA.
2-1-6-8-6. Classification of structures and equipment according to the design and construction codes The designer shall assign each safety category I structure and piece of equipment (mechanical, electrical, I&C) to an appropriate class of the nuclear
design and construction codes to which the item is being designed and constructed. See Chapter 2-5 for the definition of these level 3 codes. Safety category II and non-safety category structures and equipment shall be designed to appropriate codes (Chapter 2-5 gives the general outline, which will be specified in more detail in Volume 3).
2-1-6-8-7. The relation of seismic categorisation to safety level of functions All structures and equipment required to fulfil level F1 safety functions shall be seismic category I. Such structures and equipment shall be qualified to withstand the effects of a design basis earthquake (DBE) (i.e. to remain structurally intact, leaktight in the case of fluid retaining equipment, and functionally operable to the extent required by its safety role). Structures and equipment required to fulfil level F2 safety functions during or after an earthquake shall be identified, on a case-by-case basis, to establish the need for seismic qualification or other means of ensuring its capability to withstand earthquake-induced effects to the extent required by its contribution to nuclear safety. Such equipment shall be seismic category I. In addition, non-seismic-category I components and structures, whose failure in DBE conditions could impair the correct functioning of seismic category I equipment, shall be assigned to seismic category S. (See Chapter 2-4, Section 2-4-4-2-1).
2-1-6-13. Accident management Accident management includes pre-planned and ad hoc operational practices which, in circumstances in which the design basis specification of the plant is exceeded, would make optimum use of existing plant equipment to restore control. This applies to design extension conditions (i.e. to prevention of core damage and mitigation of severe accidents) (see Section 2-1-4). Accident management procedures and equipment should be provided which would allow the plant to be restored to a safe state, using what is still available. Physical state-based and/or symptom-based accident management procedures should be developed,
verified and validated. Unambiguous criteria shall be established for the conditions in which particular procedures would be stated, and the time interval for each action defined. If it is not possible to ensure that core damage can be prevented, the design shall allow sufficient time to obtain the necessary expertise for on-site accident management and to organise off-site emergency measures. This relates to autonomy requirements, included in Section 2-1-6-7 and requirements in Chapters 2-8 and 2-9. Sufficient instrumentation whose operability must be demonstrated under the relevant conditions, shall be provided to allow the necessary actions to be carried out and the response monitored.
2-1-6-14. Radiation protection The design for normal operation shall provide a high degree of assurance that releases of radioactive materials are as low as reasonably achievable (ALARA) and will stay below specified limits. Suitable provisions shall be made in the design and layout of the plant to minimise exposure and contamination from all sources of radioactivity. Such provisions shall include adequate design of systems and components with respect to low radiation exposure during maintenance and inspection, shielding from direct radiation, reduction of corrosion-product activation by specification of appropriate materials, means of monitoring, control of access to the plant, minimisation of the time to be spent in contaminated areas, and suitable decontamination facilities. The plant arrangements shall provide for control of access into radiation and contamination areas and should also minimise contamination resulting from the movement of radioactive materials and personnel within the plant. The plant arrangements should provide for efficient operation, inspection, maintenance, and replacement as necessary to minimise radiation exposure (see also Chapter 2-14 Section 2-14-4).
The designer shall provide a dose assessment which includes doses arising during maintenance. Attention shall also be given to the actions that operators may be asked to perform during and after an accident condition or a DEC. Equipment accessibility and proper evaluation of radiation dose rate where the presence of the operator is required shall be carried out.
Definitions (extracts)
Delayed actions: Actions involving public temporary relocation, based on projected doses up to 30 days caused by ground shine and aerosol resuspension, which may be implemented after the practical end of the releases phase of an accident.
Long-term actions: Actions involving public permanent resettlement, based on projected doses up to 50 years caused by ground shine and aerosol resuspension. Doses due to ingestion are not considered in this definition.
Controlled state: In DBC 2 (incident conditions), or DBC 3 & 4 conditions (accident conditions) or in complex sequences, the plant is in a controlled state if the following conditions are ensured by operator actions or by the active or passive safety features:
• reactivity control
• heat removal
• releases to the environment are in accordance with: EUR Section 2-1-8-1 for incident; Section 2-1-B-2 for accident; and Section 2-1-B for complex sequences.
Safe shutdown state: In incident or accident conditions or in complex sequences, the plant is in a safe shutdown state if the following conditions are ensured by operator actions or by the active or passive safety features:
• reactivity control
• core heat removal
• limitations of releases in accordance with EUR
• plant parameters are well below the design limits for components and structures.
Appendix 7 Notes on fracture mechanics
A7-1. Introduction The field of fracture mechanics has progressed a long way since the first studies by A.A. Griffith (1893–1963). It is useful to recall the simple yet brilliant logic behind them. Fundamentally Griffith (Ewing and Hill, 1967) understood that as a crack propagated in a stressed material an energy exchange took place. On one hand, the crack propagation required energy for the creation of further fracture surfaces in front of the crack point and, on the other hand, energy was released by the zone of material which was unloaded by the propagation itself. Figure A7-1 illustrates this phenomenon and the concept of ‘critical crack length’. Curve A represents the energy necessary to create rupture surfaces corresponding to a certain crack length L. The curve is substantially a straight line as the area of the rupture surfaces is proportional to the crack length and the rupture energy is proportional to this area. Curve B represents the energy released for the extension of the crack from zero length up to length L. This curve has a parabolic shape as the energy released is proportional to the volume of material unloaded by the propagation (indicated around the crack in the left part of the diagram), which in turn is roughly proportional to the square of the crack length. The third curve represents the difference between released energy and rupture energy for the various lengths of crack; the quantity Lg represents the critical crack length, that is the value for which the increase of length of the crack releases more energy than is consumed in the creation of new rupture surfaces.
Figure A7-1. Energy balance in crack propagation. (Griffith, 1920). [Plot of energy against crack length L for a plate loaded by forces P; curve A: absorbed energy; curve B: released energy; the critical crack length Lg is marked on the crack-length axis.]
In analytical terms, Griffith arrived at the conclusion shown in Equation A7.1:

$$L_g = \frac{1}{\pi}\,\frac{\text{rupture work for unit area}}{\text{deformation energy for unit volume}} = \frac{2GE}{\pi\sigma^{2}}, \qquad \text{(A7.1)}$$

where Lg is the crack length (m) (with reference to the geometry depicted in Figure A7-1), G is the energy needed for a unit increase of the crack surface (J m⁻²), E is Young’s modulus (N m⁻²) and σ is the tension in the plate (N m⁻²). G has the order of magnitude of 1–2 × 10⁵ J m⁻² for construction steels and σ is usually in the range of 70–150 × 10⁶ N m⁻², so for a construction steel plate stressed at 150 × 10⁶ N m⁻², the following result is obtained:

$$L_g = \frac{2\,(1.5 \times 10^{5})\,E}{\pi\,(150 \times 10^{6})^{2}} = 0.91\ \text{m}.$$

Among other things, Griffith’s energy formulation gives a logical explanation to the fact that, notwithstanding the very high stresses present at the crack tip, the resistance to its propagation is high for ductile materials.
A7-2. Current practice Two of today’s approaches to fracture study are summarized here. The first is based on the use of the stress intensity factor K. The second is based on the J integral. The latter approach is suitable for situations of ductile fracture with strong deformations (ductile materials, low stress triaxiality, and so on). The approach based on the K factor is based on the possibility of representing the stress field around the crack tip by, precisely, a stress intensity factor K, which in turn is dependent on the way the crack is invited to propagate, on the mode of application of the load, on the level and variation of the stress in the material far from the crack tip and, finally, on the type of crack (thickness, elliptical or with constant depth, etc.). The three stress modes usually considered are shown in Figure A7-2. The various load application modes are shown in Figure A7-3.
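Figure A7-2. Modes of crack stressing (KI, KII, KIII). [Panels: Mode I, Mode II, Mode III.]
Figure A7-3. Modes of load application. [(a) Crack of length 2a in a plate under remote stress σ0: $K_I = \sigma_0\sqrt{\pi a}$; (b) crack of length 2a loaded by forces P: $K_I = P/\sqrt{\pi a}$.]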
The coordinate system generally adopted to describe the stress field around the crack is shown in Figure A7-4. An example of the distribution of stresses around the crack in biaxial geometry is given in Figure A7-5.
The expressions for O(r) in Figure A7-5 represent distributions of stresses in the zones far removed from the crack tip and dependent on the complete stress state of the structure. Figure A7-6 shows KI for the case of a longitudinal crack of various depths in a cylinder wall (such as, for example, in a pipe or the reactor vessel). A variety of already calculated cases exists for the distribution of stresses around a crack tip for various types of cracks and of loading conditions. Guidance on this can be found in specialist texts on fracture mechanics (Milella, 1999; Miannay, 1997; Wilkowski et al., 1997). Figure A7-7 shows the material properties KIC and KIA (intensity factors for crack initiation and for crack arrest of a propagating crack), with reference to a typical pressure vessel steel.
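Figure A7-4. Coordinate system. [Cartesian axes x, y, z and polar coordinates r, θ centred on the crack tip; stress components σx, σy, σz, τxy, τyz, τxz.]

Figure A7-5. Stresses around the crack tip. [Crack of length a; near-tip stresses:]

$$\sigma_x = \frac{K_I}{\sqrt{2\pi r}}\cos\frac{\theta}{2}\left(1 - \sin\frac{\theta}{2}\sin\frac{3\theta}{2}\right) + O(r)$$

$$\sigma_y = \frac{K_I}{\sqrt{2\pi r}}\cos\frac{\theta}{2}\left(1 + \sin\frac{\theta}{2}\sin\frac{3\theta}{2}\right) + O(r)$$

$$\tau_{xy} = \frac{K_I}{\sqrt{2\pi r}}\cos\frac{\theta}{2}\sin\frac{\theta}{2}\cos\frac{3\theta}{2} + O(r)$$

$$\sigma_z = 0 \ \text{(plane stress)}, \qquad \sigma_z = \nu(\sigma_x + \sigma_y) \ \text{(plane strain)}$$

Figure A7-6. KI for a longitudinal crack in the wall of a cylinder. [Plot of the magnification factors F1, F2, F3, F4 (vertical axis, 1 to 6) against the fractional distance through the wall a/t (0.0 to 1.0), for a stress distribution σ = A0 + A1X + A2X² + A3X³ across a cylinder of radius R:]

$$K_I = \sqrt{\pi a}\left[A_0F_1 + \frac{2a}{\pi}A_1F_2 + \frac{a^{2}}{2}A_2F_3 + \frac{4a^{3}}{3\pi}A_3F_4\right]$$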
Figure A7-7. Critical toughness and arrest toughness of a construction steel as a function of temperature (relative to the transition one).
The temperature RTndt is the transition temperature between brittle and ductile rupture. It can be determined by tests on specific toughness specimens or it can be correlated (for greater ease) with an energy value absorbed in the common Charpy V test (generally 5.1 × 10⁵ or 8.7 × 10⁵ J m⁻², corresponding to 30 or 50 ft lb⁻¹, respectively). The way in which the various types of data are used is generally as follows:
• KI is determined for the crack to be studied.
• KIC is determined for the material corresponding to the conditions at the crack tip. The comparison between this value and KI indicates if the crack will start to propagate in an unstable way or not.
• If it can be controlled, then the possibility exists that the crack which started to propagate is arrested at a certain point. For this investigation, KI, corresponding to various stages of extension of the crack has to be again determined. These values have to be compared with the corresponding KIA. If, for a certain stage of crack propagation it is found that KI is lower than KIA, then the crack will stop at that point.
In the case of a reactor pressure vessel the crack may stop because, with its extension, it arrives at zones of the material which are less embrittled than the one from where the crack has started. In other cases the arrest may occur because the material reached during the propagation is less stressed than the initial one. It is useful to remember the existence of the phenomenon of ‘warm pre-stress’ according to which, in general terms, if a component containing a crack is loaded in warm conditions (i.e. in conditions of good ductility), it is not susceptible to unstable crack propagation for lower load conditions, even if correspondingly the temperature and ductility are lower. This principle, which finds its evident logical basis in the effect of ‘protective’ plasticization at the crack tip, is usually accepted in the following, less ample, formulation: ‘after an initial pre-load, no unstable crack propagation will occur if the stress intensity factor is constant or decreasing’. The J integral method is more widely used especially in cases of strong plasticization of the material during its rupture. This method substantially follows the K factor approach with the difference that the parameter to be evaluated is, now, a special integral operator, called the J integral (Rice, 1968).
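The KI / KIC / KIA comparison listed above can be walked through a vessel wall numerically. The following Python code is an added example, not taken from the book: it uses the KI expression of Figure A7-6, and the wall thickness, stress polynomial, temperature and RTndt profiles, unit magnification factors and exponential toughness curves are all constructed assumptions standing in for the curves of Figures A7-6 and A7-7.

```python
"""Crack initiation and arrest walk through a vessel wall (added illustration).

Every number here is constructed: wall thickness, stress polynomial,
temperature and RTndt profiles, magnification factors and the coefficients
of the toughness curves. Units: m, MPa, deg C, MPa*sqrt(m).
"""
import math

WALL = 0.20                           # wall thickness t (m)
STRESS = (300.0, -1500.0, 0.0, 0.0)   # A0..A3 of sigma(x), x from inner surface
F = (1.0, 1.0, 1.0, 1.0)              # F1..F4 placeholders (Figure A7-6 in practice)


def k_applied(a, coeffs=STRESS, f=F):
    """K_I for a crack of depth a, using the expression of Figure A7-6."""
    a0, a1, a2, a3 = coeffs
    series = (a0 * f[0]
              + (2.0 * a / math.pi) * a1 * f[1]
              + (a ** 2 / 2.0) * a2 * f[2]
              + (4.0 * a ** 3 / (3.0 * math.pi)) * a3 * f[3])
    return math.sqrt(math.pi * a) * series


def delta_t(x):
    """T - RTndt at depth x: cold, embrittled inner surface; warmer, tougher outer wall."""
    temperature = 50.0 + 200.0 * x / WALL   # assumed linear temperature profile
    rt_ndt = 100.0 - 250.0 * x              # assumed embrittlement profile
    return temperature - rt_ndt


def k_ic(dt):
    """Assumed initiation toughness curve with an upper-shelf cap."""
    return min(220.0, 36.5 + 22.783 * math.exp(0.036 * dt))


def k_ia(dt):
    """Assumed arrest toughness curve with an upper-shelf cap."""
    return min(220.0, 29.4 + 13.675 * math.exp(0.0261 * dt))


def assess(a_start, step=0.005, max_fraction=0.75):
    """Initiation check at a_start, then arrest search in depth increments.

    Returns a dict with 'initiates', 'arrest_depth' (None if the crack does
    not arrest before max_fraction of the wall) and the (depth, K_I, K_IA)
    history of the propagation stages examined.
    """
    if k_applied(a_start) < k_ic(delta_t(a_start)):
        return {"initiates": False, "arrest_depth": a_start, "history": []}

    history = []
    n = 1
    while a_start + n * step <= max_fraction * WALL + 1e-12:
        a = a_start + n * step
        ki, kia = k_applied(a), k_ia(delta_t(a))
        history.append((round(a, 4), round(ki, 1), round(kia, 1)))
        if ki < kia:                      # K_I below K_IA: the crack stops here
            return {"initiates": True, "arrest_depth": round(a, 4),
                    "history": history}
        n += 1
    return {"initiates": True, "arrest_depth": None, "history": history}


if __name__ == "__main__":
    for depth in (0.002, 0.02):
        print(depth, assess(depth))
```

In this constructed case the 20 mm crack initiates and arrests about halfway through the wall, where the material is warmer and less embrittled, which is the first arrest mechanism named in the text.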
The integral is defined in Equation A7.2 with the symbols indicated in Figure A7-8:

$$J = \int_{\Gamma}\left(W\,dy - \vec{T}\cdot\frac{\partial \vec{u}}{\partial x}\,ds\right) \qquad \text{(A7.2)}$$

where T is the stress vector (kg m⁻²), u is the displacement (m) and W is the strain energy density (J m⁻³). The integral is calculated along any path which includes the crack tip, as indicated in the figure. It is invariant of the specific path chosen. The value of J that is critical for the material is measured on special samples.

Figure A7-8. Definition of the symbols used in the expression of the J integral. [Path Γ around the crack tip in the x, y plane, with arc element ds, normal n, stress vector T and displacement u; $n_x = \cos\theta = dy/ds$, $n_y = \sin\theta = -dx/ds$.]

In order to clarify the physical meaning of K and, above all, of J, these quantities can be simply related to each other and with a concept already used by Griffith, that is with the specific potential energy related with the crack area, GR (see Equation A7.3):

$$G_R = -\frac{\partial U}{\partial A}, \qquad \text{(A7.3)}$$

assuming a small plastic area at the crack tip, and where GR is the specific potential energy related to crack area (J m⁻²), U is the potential energy (J) and A is the crack area (m²). GR is then the variation of the elastic potential energy of deformation of the material corresponding to the unit variation of the crack area. The following relationships hold:

$$J = G_R, \quad \text{for plane problems} \qquad \text{(A7.4)}$$

$$K_I^{2} = G_R\,E, \quad \text{for plane stress states (where } E \text{ is Young's modulus)} \qquad \text{(A7.5)}$$

$$K_I^{2} = \frac{G_R\,E}{1-\nu^{2}}, \quad \text{for plane strain states (where } \nu \text{ is the Poisson modulus)} \qquad \text{(A7.6)}$$

References
Ewing, D.J.F., Hill, R.J. (1967) Journal of Mechanics and Physics of Solids, No. 15, p. 115.
Miannay, D.P. (1997) Fracture Mechanics, Springer.
Milella, P.P. (1999) ‘Meccanica della frattura’, Ansaldo Nucleare, Corso Perrone, 25, Genova.
Rice, J.R. (1968) ‘A path independent integral and the approximate analysis of strain concentration by notches and cracks’, Journal of Applied Mechanics, pp. 379–386.
Wilkowski, G.M., et al. (1997) ‘State-of-the-art report on piping fracture mechanics’, NUREG/CR-6540; BMI 2196.
Appendix 8 US general design criteria
The following text is reproduced from the US (1971) ‘General Design Criteria (CFR Part 50, App. A)’.
The criteria document numbering and cross-references have been retained.

Table A8-1
Applicability
  Criterion number   Criterion title

I. Overall Requirements:
   1   Quality Standards and Records
   2   Design Bases for Protection Against Natural Phenomena
   3   Fire Protection
   4   Environmental and Dynamic Effects Design Bases
   5   Sharing of Structures, Systems, and Components

II. Protection by Multiple Fission Product Barriers:
  10   Reactor Design
  11   Reactor Inherent Protection
  12   Suppression of Reactor Power Oscillations
  13   Instrumentation and Control
  14   Reactor Coolant Pressure Boundary
  15   Reactor Coolant System Design
  16   Containment Design
  17   Electric Power Systems
  18   Inspection and Testing of Electric Power Systems
  19   Control Room

III. Protection and Reactivity Control Systems:
  20   Protection System Functions
  21   Protection System Reliability and Testability
  22   Protection System Independence
  23   Protection System Failure Modes
  24   Separation of Protection and Control Systems
  25   Protection System Requirements for Reactivity Control Malfunctions
  26   Reactivity Control System Redundancy and Capability
  27   Combined Reactivity Control Systems Capability
  28   Reactivity Limits
  29   Protection Against Anticipated Operational Occurrences

IV. Fluid Systems:
  30   Quality of Reactor Coolant Pressure Boundary
  31   Fracture Prevention of Reactor Coolant Pressure Boundary
  32   Inspection of Reactor Coolant Pressure Boundary
  33   Reactor Coolant Makeup
  34   Residual Heat Removal
  35   Emergency Core Cooling
  36   Inspection of Containment Heat Removal System
  37   Testing of Emergency Core Cooling System
  38   Containment Heat Removal
  39   Inspection of Containment Heat Removal System
  40   Testing of Containment Heat Removal System
  41   Containment Atmosphere Cleanup
  42   Inspection of Containment Atmosphere Cleanup Systems
  43   Testing of Containment Atmosphere Cleanup Systems
  44   Cooling Water
  45   Inspection of Cooling Water System
  46   Testing of Cooling Water System

V. Reactor Containment:
  50   Containment Design Basis
  51   Fracture Prevention of Containment Pressure Boundary
  52   Capability for Containment Leakage Rate Testing
  53   Provisions for Containment Testing and Inspection
  54   Systems Penetrating Containment
  55   Reactor Coolant Pressure Boundary Penetrating Containment
  56   Primary Containment Isolation
  57   Closed Systems Isolation Valves

VI. Fuel and Radioactivity Control:
  60   Control of Releases of Radioactive Materials to the Environment
  61   Fuel Storage and Handling and Radioactivity Control
  62   Prevention of Criticality in Fuel Storage and Handling
  63   Monitoring Fuel and Waste Storage
  64   Monitoring Radioactivity Releases
A8-1. Introduction Pursuant to the provisions of §50.34, an application for a construction permit must include the principal design criteria for a proposed facility. The principal design criteria establish the necessary design, fabrication, construction, testing, and performance requirements for structures, systems, and components important to safety; that is, structures, systems, and components that provide reasonable assurance that the facility can be operated without undue risk to the health and safety of the public. These General Design Criteria establish minimum requirements for the principal design criteria for water-cooled nuclear power plants similar in design and location to plants for which construction permits have been issued by the Commission. The General Design Criteria are also considered to be generally applicable to other types of nuclear power units and are intended to provide guidance in establishing the principal design criteria for such other units.
The development of these General Design Criteria is not yet complete. For example, some of the definitions need further amplification. Also, some of the specific design requirements for structures, systems, and components important to safety have not as yet been suitably defined. Their omission does not relieve any applicant from considering these matters in the design of a specific facility and satisfying the necessary safety requirements. These matters include:
(1) Consideration of the need to design against single failures of passive components in fluid systems important to safety. (See Definition of Single Failure.)
(2) Consideration of redundancy and diversity requirements for fluid systems important to safety. A ‘system’ could consist of a number of subsystems each of which is separately capable of performing the specified system safety function. The minimum acceptable redundancy and diversity of subsystems and components within a subsystem, and the required interconnection and independence of the subsystems have not yet been developed or defined. (See Criteria 34, 35, 38, 41, and 44.)
(3) Consideration of the type, size, and orientation of possible breaks in components of the reactor coolant pressure boundary in determining design requirements to suitably protect against postulated loss-of-coolant accidents. (See Definition of Loss of Coolant Accidents.)
(4) Consideration of the possibility of systematic, nonrandom, concurrent failures of redundant elements in the design of protection systems and reactivity control systems. (See Criteria 22, 24, 26, and 29.)
It is expected that the criteria will be augmented and changed from time to time as important new requirements for these and other features are developed. There will be some water-cooled nuclear power plants for which the General Design Criteria are not sufficient and for which additional criteria must be identified and satisfied in the interest of public safety. In particular, it is expected that additional or different criteria will be needed to take into account unusual sites and environmental conditions, and for water-cooled nuclear power units of advanced design. Also, there may be water-cooled nuclear power units for which fulfillment of some of the General Design Criteria may not be necessary or appropriate. For plants such as these, departures from the General Design Criteria must be identified and justified.
A8-2. Definitions and explanations
Nuclear power unit. A nuclear power unit means a nuclear power reactor and associated equipment necessary for electric power generation and includes those structures, systems, and components required to provide reasonable assurance the facility can be operated without undue risk to the health and safety of the public. Loss of coolant accidents. Loss of coolant accidents mean those postulated accidents that result from the loss of reactor coolant at a rate in excess of the capability of the reactor coolant makeup system from breaks in the reactor coolant pressure
boundary, up to and including a break equivalent in size to the double-ended rupture of the largest pipe of the reactor coolant system.¹ Single failure. A single failure means an occurrence which results in the loss of capability of a component to perform its intended safety functions. Multiple failures resulting from a single occurrence are considered to be a single failure. Fluid and electric systems are considered to be designed against an assumed single failure if neither (1) a single failure of any active component (assuming passive components function properly) nor (2) a single failure of a passive component (assuming active components function properly), results in a loss of the capability of the system to perform its safety functions.² Anticipated operational occurrences. Anticipated operational occurrences mean those conditions of normal operation which are expected to occur one or more times during the life of the nuclear power unit and include but are not limited to loss of power to all recirculation pumps, tripping of the turbine generator set, isolation of the main condenser, and loss of all offsite power.
A8-3. Criteria
A8-3-1. Overall requirements
Criterion 1 – Quality standards and records. Structures, systems, and components important to safety shall be designed, fabricated, erected, and tested to quality standards commensurate with the importance of the safety functions to be performed. Where generally recognized codes and standards are used, they shall be identified and evaluated to determine their applicability, adequacy, and sufficiency and shall be supplemented or modified as necessary to assure a quality product in keeping with the required safety function. A quality assurance program shall be established and implemented in order to provide adequate assurance that these structures, systems, and components will satisfactorily perform their safety functions. Appropriate records of the design, fabrication, erection, and testing of structures, systems, and components important to safety shall be maintained by or under the control of the nuclear power unit licensee throughout the life of the unit. Criterion 2 – Design bases for protection against natural phenomena. Structures, systems, and components
important to safety shall be designed to withstand the effects of natural phenomena such as earthquakes, tornadoes, hurricanes, floods, tsunami, and seiches without loss of capability to perform their safety functions. The design bases for these structures, systems, and components shall reflect: (1) Appropriate consideration of the most severe of the natural phenomena that have been historically reported for the site and surrounding area, with sufficient margin for the limited accuracy, quantity, and period of time in which the historical data have been accumulated, (2) appropriate combinations of the effects of normal and accident conditions with the effects of the natural phenomena and (3) the importance of the safety functions to be performed. Criterion 3 – Fire protection. Structures, systems, and components important to safety shall be designed and located to minimize, consistent with other safety requirements, the probability and effect of fires and explosions. Noncombustible and heat resistant materials shall be used wherever practical throughout the unit, particularly in locations such as the containment and control room. Fire detection and fighting systems of appropriate capacity and capability shall be provided and designed to minimize the adverse effects of fires on structures, systems, and components important to safety. Firefighting systems shall be designed to assure that their rupture or inadvertent operation does not significantly impair the safety capability of these structures, systems, and components. Criterion 4 – Environmental and dynamic effects design bases. Structures, systems, and components important to safety shall be designed to accommodate the effects of and to be compatible with the environmental conditions associated with normal operation, maintenance, testing, and postulated accidents, including loss-of-coolant accidents. 
These structures, systems, and components shall be appropriately protected against dynamic effects, including the effects of missiles, pipe whipping, and discharging fluids, that may result from equipment failures and from events and conditions outside the nuclear power unit. However, dynamic effects associated with postulated pipe ruptures in nuclear power units may be excluded from the design basis when analyses reviewed and approved by the Commission demonstrate that the probability of fluid system piping rupture is extremely low under conditions consistent with the design basis for the piping.
Criterion 5 – Sharing of structures, systems, and components. Structures, systems, and components important to safety shall not be shared among nuclear power units unless it can be shown that such sharing will not significantly impair their ability to perform their safety functions, including, in the event of an accident in one unit, an orderly shutdown and cooldown of the remaining units.
A8-3-2. Protection by Multiple Fission Product Barriers
Criterion 10 – Reactor design. The reactor core and associated coolant, control, and protection systems shall be designed with appropriate margin to assure that specified acceptable fuel design limits are not exceeded during any condition of normal operation, including the effects of anticipated operational occurrences. Criterion 11 – Reactor inherent protection. The reactor core and associated coolant systems shall be designed so that in the power operating range the net effect of the prompt inherent nuclear feedback characteristics tends to compensate for a rapid increase in reactivity. Criterion 12 – Suppression of reactor power oscillations. The reactor core and associated coolant, control, and protection systems shall be designed to assure that power oscillations which can result in conditions exceeding specified acceptable fuel design limits are not possible or can be reliably and readily detected and suppressed. Criterion 13 – Instrumentation and control. Instrumentation shall be provided to monitor variables and systems over their anticipated ranges for normal operation, for anticipated operational occurrences, and for accident conditions as appropriate to assure adequate safety, including those variables and systems that can affect the fission process, the integrity of the reactor core, the reactor coolant pressure boundary, and the containment and its associated systems. Appropriate controls shall be provided to maintain these variables and systems within prescribed operating ranges. Criterion 14 – Reactor coolant pressure boundary. The reactor coolant pressure boundary shall be designed, fabricated, erected, and tested so as to have an extremely low probability of abnormal leakage, of rapidly propagating failure, and of gross rupture.
Criterion 15 – Reactor coolant system design. The reactor coolant system and associated auxiliary, control, and protection systems shall be designed with sufficient margin to assure that the design conditions of the reactor coolant pressure boundary are not exceeded during any condition of normal operation, including anticipated operational occurrences. Criterion 16 – Containment design. Reactor containment and associated systems shall be provided to establish an essentially leak-tight barrier against the uncontrolled release of radioactivity to the environment and to assure that the containment design conditions important to safety are not exceeded for as long as postulated accident conditions require. Criterion 17 – Electric power systems. An onsite electric power system and an offsite electric power system shall be provided to permit functioning of structures, systems, and components important to safety. The safety function for each system (assuming the other system is not functioning) shall be to provide sufficient capacity and capability to assure that (1) specified acceptable fuel design limits and design conditions of the reactor coolant pressure boundary are not exceeded as a result of anticipated operational occurrences and (2) the core is cooled and containment integrity and other vital functions are maintained in the event of postulated accidents. The onsite electric power supplies, including the batteries, and the onsite electric distribution system, shall have sufficient independence, redundancy, and testability to perform their safety functions assuming a single failure. Electric power from the transmission network to the onsite electric distribution system shall be supplied by two physically independent circuits (not necessarily on separate rights of way) designed and located so as to minimize to the extent practical the likelihood of their simultaneous failure under operating and postulated accident and environmental conditions. 
A switchyard common to both circuits is acceptable. Each of these circuits shall be designed to be available in sufficient time following a loss of all onsite alternating current power supplies and the other offsite electric power circuit, to assure that specified acceptable fuel design limits and design conditions of the reactor coolant pressure boundary are not exceeded. One of these circuits shall be designed to be available within a few seconds following a loss-of-coolant accident to assure that
core cooling, containment integrity, and other vital safety functions are maintained. Provisions shall be included to minimize the probability of losing electric power from any of the remaining supplies as a result of, or coincident with, the loss of power generated by the nuclear power unit, the loss of power from the transmission network, or the loss of power from the onsite electric power supplies. Criterion 18 – Inspection and testing of electric power systems. Electric power systems important to safety shall be designed to permit appropriate periodic inspection and testing of important areas and features, such as wiring, insulation, connections, and switchboards, to assess the continuity of the systems and the condition of their components. The systems shall be designed with a capability to test periodically (1) the operability and functional performance of the components of the systems, such as onsite power sources, relays, switches, and buses, and (2) the operability of the systems as a whole and, under conditions as close to design as practical, the full operation sequence that brings the systems into operation, including operation of applicable portions of the protection system, and the transfer of power among the nuclear power unit, the offsite power system, and the onsite power system. Criterion 19 – Control room. A control room shall be provided from which actions can be taken to operate the nuclear power unit safely under normal conditions and to maintain it in a safe condition under accident conditions, including loss-of-coolant accidents. Adequate radiation protection shall be provided to permit access and occupancy of the control room under accident conditions without personnel receiving radiation exposures in excess of 5 rem whole body, or its equivalent to any part of the body, for the duration of the accident. 
Equipment at appropriate locations outside the control room shall be provided (1) with a design capability for prompt hot shutdown of the reactor, including necessary instrumentation and controls to maintain the unit in a safe condition during hot shutdown, and (2) with a potential capability for subsequent cold shutdown of the reactor through the use of suitable procedures. Applicants for and holders of construction permits and operating licenses under this part who apply on or after January 10, 1997, applicants for design certifications under part 52 of this chapter
who apply on or after January 10, 1997, applicants for and holders of combined licenses under part 52 of this chapter who do not reference a standard design certification, or holders of operating licenses using an alternative source term under §50.67, shall meet the requirements of this criterion, except that with regard to control room access and occupancy, adequate radiation protection shall be provided to ensure that radiation exposures shall not exceed 0.05 Sv (5 rem) total effective dose equivalent (TEDE) as defined in §50.2 for the duration of the accident.
A8-3-3. Protection and Reactivity Control Systems
Criterion 20 – Protection system functions. The protection system shall be designed (1) to initiate automatically the operation of appropriate systems including the reactivity control systems, to assure that specified acceptable fuel design limits are not exceeded as a result of anticipated operational occurrences and (2) to sense accident conditions and to initiate the operation of systems and components important to safety. Criterion 21 – Protection system reliability and testability. The protection system shall be designed for high functional reliability and inservice testability commensurate with the safety functions to be performed. Redundancy and independence designed into the protection system shall be sufficient to assure that (1) no single failure results in loss of the protection function and (2) removal from service of any component or channel does not result in loss of the required minimum redundancy unless the acceptable reliability of operation of the protection system can be otherwise demonstrated. The protection system shall be designed to permit periodic testing of its functioning when the reactor is in operation, including a capability to test channels independently to determine failures and losses of redundancy that may have occurred. Criterion 22 – Protection system independence. The protection system shall be designed to assure that the effects of natural phenomena, and of normal operating, maintenance, testing, and postulated accident conditions on redundant channels do not result in loss of the protection function, or shall be demonstrated to be acceptable on some other
defined basis. Design techniques, such as functional diversity or diversity in component design and principles of operation, shall be used to the extent practical to prevent loss of the protection function. Criterion 23 – Protection system failure modes. The protection system shall be designed to fail into a safe state or into a state demonstrated to be acceptable on some other defined basis if conditions such as disconnection of the system, loss of energy (e.g. electric power, instrument air), or postulated adverse environments (e.g. extreme heat or cold, fire, pressure, steam, water, and radiation) are experienced. Criterion 24 – Separation of protection and control systems. The protection system shall be separated from control systems to the extent that failure of any single control system component or channel, or failure or removal from service of any single protection system component or channel which is common to the control and protection systems leaves intact a system satisfying all reliability, redundancy, and independence requirements of the protection system. Interconnection of the protection and control systems shall be limited so as to assure that safety is not significantly impaired. Criterion 25 – Protection system requirements for reactivity control malfunctions. The protection system shall be designed to assure that specified acceptable fuel design limits are not exceeded for any single malfunction of the reactivity control systems, such as accidental withdrawal (not ejection or dropout) of control rods. Criterion 26 – Reactivity control system redundancy and capability. Two independent reactivity control systems of different design principles shall be provided. 
One of the systems shall use control rods, preferably including a positive means for inserting the rods, and shall be capable of reliably controlling reactivity changes to assure that under conditions of normal operation, including anticipated operational occurrences, and with appropriate margin for malfunctions such as stuck rods, specified acceptable fuel design limits are not exceeded. The second reactivity control system shall be capable of reliably controlling the rate of reactivity changes resulting from planned, normal power changes (including xenon burnout) to assure acceptable fuel design limits are not exceeded. One of the systems shall be capable of holding the reactor core subcritical under cold conditions.
Criterion 27 – Combined reactivity control systems capability. The reactivity control systems shall be designed to have a combined capability, in conjunction with poison addition by the emergency core cooling system, of reliably controlling reactivity changes to assure that under postulated accident conditions and with appropriate margin for stuck rods the capability to cool the core is maintained. Criterion 28 – Reactivity limits. The reactivity control systems shall be designed with appropriate limits on the potential amount and rate of reactivity increase to assure that the effects of postulated reactivity accidents can neither (1) result in damage to the reactor coolant pressure boundary greater than limited local yielding nor (2) sufficiently disturb the core, its support structures or other reactor pressure vessel internals to impair significantly the capability to cool the core. These postulated reactivity accidents shall include consideration of rod ejection (unless prevented by positive means), rod dropout, steam line rupture, changes in reactor coolant temperature and pressure, and cold water addition. Criterion 29 – Protection against anticipated operational occurrences. The protection and reactivity control systems shall be designed to assure an extremely high probability of accomplishing their safety functions in the event of anticipated operational occurrences.
A8-3-4. Fluid Systems
Criterion 30 – Quality of reactor coolant pressure boundary. Components which are part of the reactor coolant pressure boundary shall be designed, fabricated, erected, and tested to the highest quality standards practical. Means shall be provided for detecting and, to the extent practical, identifying the location of the source of reactor coolant leakage. Criterion 31 – Fracture prevention of reactor coolant pressure boundary. The reactor coolant pressure boundary shall be designed with sufficient margin to assure that when stressed under operating, maintenance, testing, and postulated accident conditions (1) the boundary behaves in a nonbrittle manner and (2) the probability of rapidly propagating fracture is minimized. The design shall reflect consideration of service temperatures and other
conditions of the boundary material under operating, maintenance, testing, and postulated accident conditions and the uncertainties in determining (1) material properties, (2) the effects of irradiation on material properties, (3) residual, steady state and transient stresses, and (4) size of flaws. Criterion 32 – Inspection of reactor coolant pressure boundary. Components which are part of the reactor coolant pressure boundary shall be designed to permit (1) periodic inspection and testing of important areas and features to assess their structural and leaktight integrity, and (2) an appropriate material surveillance program for the reactor pressure vessel. Criterion 33 – Reactor coolant makeup. A system to supply reactor coolant makeup for protection against small breaks in the reactor coolant pressure boundary shall be provided. The system safety function shall be to assure that specified acceptable fuel design limits are not exceeded as a result of reactor coolant loss due to leakage from the reactor coolant pressure boundary and rupture of small piping or other small components which are part of the boundary. The system shall be designed to assure that for onsite electric power system operation (assuming offsite power is not available) and for offsite electric power system operation (assuming onsite power is not available) the system safety function can be accomplished using the piping, pumps, and valves used to maintain coolant inventory during normal reactor operation. Criterion 34 – Residual heat removal. A system to remove residual heat shall be provided. The system safety function shall be to transfer fission product decay heat and other residual heat from the reactor core at a rate such that specified acceptable fuel design limits and the design conditions of the reactor coolant pressure boundary are not exceeded. 
Suitable redundancy in components and features, and suitable interconnections, leak detection, and isolation capabilities shall be provided to assure that for onsite electric power system operation (assuming offsite power is not available) and for offsite electric power system operation (assuming onsite power is not available) the system safety function can be accomplished, assuming a single failure. Criterion 35 – Emergency core cooling. A system to provide abundant emergency core cooling shall be provided. The system safety function shall be
to transfer heat from the reactor core following any loss of reactor coolant at a rate such that (1) fuel and clad damage that could interfere with continued effective core cooling is prevented and (2) clad metal-water reaction is limited to negligible amounts. Suitable redundancy in components and features, and suitable interconnections, leak detection, isolation, and containment capabilities shall be provided to assure that for onsite electric power system operation (assuming offsite power is not available) and for offsite electric power system operation (assuming onsite power is not available) the system safety function can be accomplished, assuming a single failure. Criterion 36 – Inspection of emergency core cooling system. The emergency core cooling system shall be designed to permit appropriate periodic inspection of important components, such as spray rings in the reactor pressure vessel, water injection nozzles, and piping, to assure the integrity and capability of the system. Criterion 37 – Testing of emergency core cooling system. The emergency core cooling system shall be designed to permit appropriate periodic pressure and functional testing to assure (1) the structural and leaktight integrity of its components, (2) the operability and performance of the active components of the system, and (3) the operability of the system as a whole and, under conditions as close to design as practical, the performance of the full operational sequence that brings the system into operation, including operation of applicable portions of the protection system, the transfer between normal and emergency power sources, and the operation of the associated cooling water system. Criterion 38 – Containment heat removal. A system to remove heat from the reactor containment shall be provided. 
The system safety function shall be to reduce rapidly, consistent with the functioning of other associated systems, the containment pressure and temperature following any loss-of-coolant accident and maintain them at acceptably low levels. Suitable redundancy in components and features, and suitable interconnections, leak detection, isolation, and containment capabilities shall be provided to assure that for onsite electric power system operation (assuming offsite power is not available) and for offsite electric power system operation
(assuming onsite power is not available) the system safety function can be accomplished, assuming a single failure. Criterion 39 – Inspection of containment heat removal system. The containment heat removal system shall be designed to permit appropriate periodic inspection of important components, such as the torus, sumps, spray nozzles, and piping to assure the integrity and capability of the system. Criterion 40 – Testing of containment heat removal system. The containment heat removal system shall be designed to permit appropriate periodic pressure and functional testing to assure (1) the structural and leaktight integrity of its components, (2) the operability and performance of the active components of the system, and (3) the operability of the system as a whole, and under conditions as close to the design as practical the performance of the full operational sequence that brings the system into operation, including operation of applicable portions of the protection system, the transfer between normal and emergency power sources, and the operation of the associated cooling water system. Criterion 41 – Containment atmosphere cleanup. Systems to control fission products, hydrogen, oxygen, and other substances which may be released into the reactor containment shall be provided as necessary to reduce, consistent with the functioning of other associated systems, the concentration and quality of fission products released to the environment following postulated accidents, and to control the concentration of hydrogen or oxygen and other substances in the containment atmosphere following postulated accidents to assure that containment integrity is maintained. 
Each system shall have suitable redundancy in components and features, and suitable interconnections, leak detection, isolation, and containment capabilities to assure that for onsite electric power system operation (assuming offsite power is not available) and for offsite electric power system operation (assuming onsite power is not available) its safety function can be accomplished, assuming a single failure. Criterion 42 – Inspection of containment atmosphere cleanup systems. The containment atmosphere cleanup systems shall be designed to permit appropriate periodic inspection of important components, such as filter frames, ducts, and piping to assure the integrity and capability of the systems.
Criterion 43 – Testing of containment atmosphere cleanup systems. The containment atmosphere cleanup systems shall be designed to permit appropriate periodic pressure and functional testing to assure (1) the structural and leaktight integrity of its components, (2) the operability and performance of the active components of the systems such as fans, filters, dampers, pumps, and valves and (3) the operability of the systems as a whole and, under conditions as close to design as practical, the performance of the full operational sequence that brings the systems into operation, including operation of applicable portions of the protection system, the transfer between normal and emergency power sources, and the operation of associated systems. Criterion 44 – Cooling water. A system to transfer heat from structures, systems, and components important to safety, to an ultimate heat sink shall be provided. The system safety function shall be to transfer the combined heat load of these structures, systems, and components under normal operating and accident conditions. Suitable redundancy in components and features, and suitable interconnections, leak detection, and isolation capabilities shall be provided to assure that for onsite electric power system operation (assuming offsite power is not available) and for offsite electric power system operation (assuming onsite power is not available) the system safety function can be accomplished, assuming a single failure. Criterion 45 – Inspection of cooling water system. The cooling water system shall be designed to permit appropriate periodic inspection of important components, such as heat exchangers and piping, to assure the integrity and capability of the system. Criterion 46 – Testing of cooling water system. 
The cooling water system shall be designed to permit appropriate periodic pressure and functional testing to assure (1) the structural and leaktight integrity of its components, (2) the operability and the performance of the active components of the system, and (3) the operability of the system as a whole and, under conditions as close to design as practical, the performance of the full operational sequence that brings the system into operation for reactor shutdown and for loss-of-coolant accidents, including operation of applicable portions of the protection system and the transfer between normal and emergency power sources.
A8-3-5. Reactor Containment
Criterion 50 – Containment design basis. The reactor containment structure, including access openings, penetrations, and the containment heat removal system shall be designed so that the containment structure and its internal compartments can accommodate, without exceeding the design leakage rate and with sufficient margin, the calculated pressure and temperature conditions resulting from any loss-of-coolant accident. This margin shall reflect consideration of (1) the effects of potential energy sources which have not been included in the determination of the peak conditions, such as energy in steam generators and as required by §50.44 energy from metal-water and other chemical reactions that may result from degradation but not total failure of emergency core cooling functioning, (2) the limited experience and experimental data available for defining accident phenomena and containment responses, and (3) the conservatism of the calculational model and input parameters. Criterion 51 – Fracture prevention of containment pressure boundary. The reactor containment boundary shall be designed with sufficient margin to assure that under operating, maintenance, testing, and postulated accident conditions (1) its ferritic materials behave in a nonbrittle manner and (2) the probability of rapidly propagating fracture is minimized. The design shall reflect consideration of service temperatures and other conditions of the containment boundary material during operation, maintenance, testing, and postulated accident conditions, and the uncertainties in determining (1) material properties, (2) residual, steady state, and transient stresses, and (3) size of flaws. Criterion 52 – Capability for containment leakage rate testing. The reactor containment and other equipment which may be subjected to containment test conditions shall be designed so that periodic integrated leakage rate testing can be conducted at containment design pressure.
Criterion 53 – Provisions for containment testing and inspection. The reactor containment shall be designed to permit (1) appropriate periodic inspection of all important areas, such as penetrations, (2) an appropriate surveillance program, and (3) periodic testing at containment design pressure of the leaktightness of penetrations which have resilient seals and expansion bellows.
Criterion 54 – Piping systems penetrating containment. Piping systems penetrating primary reactor containment shall be provided with leak detection, isolation, and containment capabilities having redundancy, reliability, and performance capabilities which reflect the importance to safety of isolating these piping systems. Such piping systems shall be designed with a capability to test periodically the operability of the isolation valves and associated apparatus and to determine if valve leakage is within acceptable limits.

Criterion 55 – Reactor coolant pressure boundary penetrating containment. Each line that is part of the reactor coolant pressure boundary and that penetrates primary reactor containment shall be provided with containment isolation valves as follows, unless it can be demonstrated that the containment isolation provisions for a specific class of lines, such as instrument lines, are acceptable on some other defined basis:
(1) One locked closed isolation valve inside and one locked closed isolation valve outside containment; or
(2) One automatic isolation valve inside and one locked closed isolation valve outside containment; or
(3) One locked closed isolation valve inside and one automatic isolation valve outside containment. A simple check valve may not be used as the automatic isolation valve outside containment; or
(4) One automatic isolation valve inside and one automatic isolation valve outside containment. A simple check valve may not be used as the automatic isolation valve outside containment.

Isolation valves outside containment shall be located as close to containment as practical and upon loss of actuating power, automatic isolation valves shall be designed to take the position that provides greater safety. Other appropriate requirements to minimize the probability or consequences of an accidental rupture of these lines or of lines connected to them shall be provided as necessary to assure adequate safety.
Determination of the appropriateness of these requirements, such as higher quality in design, fabrication, and testing, additional provisions for inservice inspection, protection against more severe natural phenomena, and additional isolation valves and containment, shall include consideration of the population density, use characteristics, and physical characteristics of the site environs.
Criterion 56 – Primary containment isolation. Each line that connects directly to the containment atmosphere and penetrates primary reactor containment shall be provided with containment isolation valves as follows, unless it can be demonstrated that the containment isolation provisions for a specific class of lines, such as instrument lines, are acceptable on some other defined basis:
(1) One locked closed isolation valve inside and one locked closed isolation valve outside containment; or
(2) One automatic isolation valve inside and one locked closed isolation valve outside containment; or
(3) One locked closed isolation valve inside and one automatic isolation valve outside containment. A simple check valve may not be used as the automatic isolation valve outside containment; or
(4) One automatic isolation valve inside and one automatic isolation valve outside containment. A simple check valve may not be used as the automatic isolation valve outside containment.

Isolation valves outside containment shall be located as close to the containment as practical and upon loss of actuating power, automatic isolation valves shall be designed to take the position that provides greater safety.

Criterion 57 – Closed system isolation valves. Each line that penetrates primary reactor containment and is neither part of the reactor coolant pressure boundary nor connected directly to the containment atmosphere shall have at least one containment isolation valve which shall be either automatic, or locked closed, or capable of remote manual operation. This valve shall be outside containment and located as close to the containment as practical. A simple check valve may not be used as the automatic isolation valve.
A8-3-6. Fuel and Radioactivity Control

Criterion 60 – Control of releases of radioactive materials to the environment. The nuclear power unit design shall include means to control suitably the release of radioactive materials in gaseous and liquid effluents and to handle radioactive solid wastes produced during normal reactor operation, including anticipated operational occurrences. Sufficient holdup capacity shall be provided for retention of gaseous and liquid effluents containing radioactive materials, particularly where unfavorable site environmental conditions can be expected to impose unusual operational limitations upon the release of such effluents to the environment.

Criterion 61 – Fuel storage and handling and radioactivity control. The fuel storage and handling, radioactive waste, and other systems which may contain radioactivity shall be designed to assure adequate safety under normal and postulated accident conditions. These systems shall be designed (1) with a capability to permit appropriate periodic inspection and testing of components important to safety, (2) with suitable shielding for radiation protection, (3) with appropriate containment, confinement, and filtering systems, (4) with a residual heat removal capability having reliability and testability that reflects the importance to safety of decay heat and other residual heat removal, and (5) to prevent significant reduction in fuel storage coolant inventory under accident conditions.

Criterion 62 – Prevention of criticality in fuel storage and handling. Criticality in the fuel storage and handling system shall be prevented by physical systems or processes, preferably by use of geometrically safe configurations.

Criterion 63 – Monitoring fuel and waste storage. Appropriate systems shall be provided in fuel storage and radioactive waste systems and associated handling areas (1) to detect conditions that may result in loss of residual heat removal capability and excessive radiation levels and (2) to initiate appropriate safety actions.

Criterion 64 – Monitoring radioactivity releases. Means shall be provided for monitoring the reactor containment atmosphere, spaces containing components for recirculation of loss-of-coolant accident fluids, effluent discharge paths, and the plant environs for radioactivity that may be released from normal operations, including anticipated operational occurrences, and from postulated accidents.

[36 FR 3256, Feb. 20, 1971, as amended at 36 FR 12733, July 7, 1971; 41 FR 6258, Feb. 12, 1976; 43 FR 50163, Oct. 27, 1978; 51 FR 12505, Apr. 11, 1986; 52 FR 41294, Oct. 27, 1987]
Notes

1 Further details relating to the type, size, and orientation of postulated breaks in specific components of the reactor coolant pressure boundary are under development.
2 Single failures of passive components in electric systems should be assumed in designing against a single failure. The conditions under which a single failure of a passive component in a fluid system should be considered in designing the system against a single failure are under development.
Appendix 9 IAEA criteria
(Safety of nuclear power plant: Design – Requirements – Safety Standards Series No. NS-R-1, ISBN 92-0-101900-9).

This appendix comprises the list of contents for the above IAEA document and is included to show an example of the contents of a modern set of Design Safety Criteria for Nuclear Plants. The complete document can be obtained from the IAEA or viewed at www.iaea.org.

CONTENTS

1. INTRODUCTION
– Background (1.1)
– Objective (1.2–1.4)
– Scope (1.5–1.7)
– Structure (1.8)

2. SAFETY OBJECTIVES AND CONCEPTS
– Safety objectives (2.1–2.8)
– The concept of Defense in Depth (2.9–2.11)

3. REQUIREMENTS FOR MANAGEMENT OF SAFETY
– Responsibilities in management (3.1)
– Management of design (3.2–3.5)
– Proven engineering practices (3.6–3.8)
– Operational experience and safety research (3.9)
– Safety assessment (3.10–3.12)
– Independent verification of the safety assessment (3.13)
– Quality assurance (3.14–3.16)

4. PRINCIPAL TECHNICAL REQUIREMENT
– Requirements for Defense in Depth (4.1–4.4)
– Safety functions (4.5–4.7)
– Accident prevention and plant safety characteristics (4.8)
– Radiation protection and acceptance criteria (4.9–4.13)

5. REQUIREMENTS FOR PLANT DESIGN
– Safety classification (5.1–5.3)
– General design basis (5.4–5.31)
– Design for reliability of structures, systems and components (5.32–5.42)
– Provision for in-service testing, maintenance, repair, inspection and monitoring (5.43–5.44)
– Equipment qualification (5.45–5.46)
– Ageing (5.47)
– Human factors (5.48–5.56)
– Other design considerations (5.57–5.68)
– Safety analysis (5.69–5.73)

6. REQUIREMENTS FOR DESIGN OF PLANT SYSTEMS
– Reactor core and associated features (6.1–6.20)
– Reactor coolant system (6.21–6.42)
– Containment system (6.43–6.67)
– Instrumentation and control (6.68–6.86)
– Emergency control centre (6.87)
– Emergency power supply (6.88–6.89)
– Waste treatment and control systems (6.90–6.95)
– Fuel handling and storage systems (6.96–6.98)
– Radiation protection (6.99–6.106)

APPENDIX I: POSTULATED INITIATING EVENTS
APPENDIX II: REDUNDANCY, DIVERSITY AND INDEPENDENCE
REFERENCES
ANNEX: SAFETY FUNCTIONS FOR BOILING WATER REACTORS, PRESSURIZED WATER REACTORS AND PRESSURE TUBE REACTORS
GLOSSARY
CONTRIBUTORS TO DRAFTING AND REVIEW
ADVISORY BODIES FOR THE ENDORSEMENT OF SAFETY STANDARDS
Appendix 10 Primary depressurization systems

A10-1. Initial studies

The importance of a voluntary primary depressurization system in a PWR has been stressed many times in this book. It is an absolute requirement in a BWR in order to cope with the loss of the main condenser, given that steam release to the outside is excluded because of the radioactivity content of the reactor water. A system of this type can have several configurations, but only one type (see Figure A10-1), the ‘Core Rescue System’ (CRS), which was studied extensively between 1980 and 1985, is described here. This system was not only a primary depressurization system, as it also included a subsequent passive water injection function in the primary circuit (low pressure and small flow rate) for the long-term refrigeration of the core. The degree to which the CRS was incorporated into plants depended on how far a particular plant design had progressed, ranging from being an integral part of the design from initial conception to being ‘backfitted’. The system does not exploit gravity, which would be the preferred driving force; for the borated water injection (accumulators) gravity has been replaced by gas under pressure. In fact, where significant pressures are needed, gravity can only be employed on sites having a particular topography, as in the case of the SENA power station located inside a cavern in a hill (Chooz, Belgium). Figure A10-1 shows the functional scheme of a CRS where, for clarity, the necessary redundancies of components are not indicated. The principal system parts are (the dimensions refer to a Westinghouse 312 reactor of about 1000 MWe):
– An automatic and manual primary system depressurization line which is connected to the pressurizer top and terminates in a mixture condenser. The line has an equivalent flow area corresponding to a circular opening of 150 mm diameter. It ensures a quick chain reaction shutdown by void formation in the core and a reliable depressurization (that is protected from the effect of partial plugging) down to pressures lower than 1 MPa, even without any other primary water cooling system, in a time of minutes.
– A series of three compressed gas accumulators and borated water at low pressure (1.8 MPa, relative), each connected to one of the three cold legs of the primary system. The volume of each accumulator is of about 333 m³, 250 m³ of which are occupied by borated water at 2000 ppm boron. These accumulators are normally isolated from the primary system by non-return valves only, as for the intermediate pressure (4.2 MPa, relative) accumulators commonly installed in PWRs. The connection lines with the primary system are of small diameter (approximately 50 mm), sufficient to supply, in case of primary depressurization, a slow and durable injection of borated water (indicative duration in typical cases 10 hours). Borated water injection performs the double function of maintaining the reactor sub-critical in the long term and of refrigerating it by flooding and vaporization (feed and bleed).
– A mixture condenser of the indicative volume of about 1500 m³, of which 500 m³ are initially occupied by borated water at 2000 ppm boron and the rest by nitrogen. The function of this component is the collection of the fluid discharged by the primary system and the confinement of the fission products contained in it, the dissipation of its thermal energy to the outside environment and the formation of an additional reserve of water for the long-term cooling of the core, that is beyond the 10 hours (by natural or forced circulation, using the low power pumps, according to the elevation where the condenser is placed). The condenser should be a vessel of very simple shape (for ease of inspection), cooled from the outside by a gravity driven water spray and subsequent submersion. It is connected to the atmosphere of the reactor containment by safety valves and by vacuum breakers. The design pressure is the same as that of the containment. The actuation of the external spray occurs by high temperature, 343 K (70 °C) in the condenser, or manually. The condenser is an easily coolable extension of the containment. It has to be noted that this component could also be omitted, discharging the primary fluid of the depressurization line directly into the containment. The drawback of this solution is, however, the contamination of the containment and the absence of a passive ‘heat sink’.

Figure A10-1. Core rescue system.
Legend: A: Air operated; CP: Containment pressure; CW: Containment wall; EC: Emergency condenser; L: Vessel water level; LO: Logics; LPA: Low pressure accumulators; M: Motor operated; N: Neutron flux; P: Pump; PR: Pressurizer; RPV: Reactor pressure vessel; S: Spray; ST: Spray tank; T: Temperature; V: Emergency condenser vault; VB: Vacuum breaker.

Two of the many core danger conditions under which it is necessary to operate the system, that is to open the depressurization line, are:
– The presence of a significant neutron flux together with a fast shutdown actuation signal (Anticipated Transient Without Scram (ATWS) case, that is a transient with the failure of the scram to operate).
– An excessive temperature of the fluid exiting the core or low water level in the vessel (a situation of dangerous overheating of the core). Indicatively the intervention thresholds to be chosen are: 613 K (340 °C) and level below 66 per cent of the fuel element height. It is not believed that the value of these thresholds is very critical.

It seems prudent, to further decrease the spurious actuation probability of the system, to envisage a delay of 50–200 s between attainment of an actuation threshold and opening of the depressurization valves. This allows the operators to intervene in cases of clearly erroneous demand for the intervention of the system and also corresponds to what is done in BWR automatic depressurization systems. It may also be useful to operate the system in other dangerous situations.
It has been proposed to automatically open the depressurization valves in case of very high pressure in the containment (e.g. two-thirds of the design pressure). This provision could be useful in case of small breaks in the primary system: the largest part of the efflux flow rate would in this way be diverted to the emergency condenser, stopping the pressure increase in the containment. Other situations where the operation of the CRS might be opportune, according to the specific design characteristics of the plant, are listed in Petrangeli (1985), Milella and Petrangeli (1983) and Petrangeli et al. (1993). The energy required to power the instrumentation and commands can be supplied by a small battery. The actuation energy of the valves may be supplied by small compressed air tanks in the same manner as for the safety-relief valves of many BWRs.
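The actuation conditions, thresholds and delay described above can be sketched as a small state machine run over sampled plant signals. This is an added illustration, not the CRS design logic or code from the book; the 5 per cent "significant flux" level, the reset of the timer when the demand clears or the operator blocks it, and all names and signal traces are assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Thresholds quoted in the text above.
CORE_EXIT_TEMP_K = 613.0        # 340 °C
MIN_LEVEL_PCT = 66.0            # per cent of fuel element height
CONT_PRESSURE_FRAC = 2.0 / 3.0  # fraction of containment design pressure
DELAY_RANGE_S = (50.0, 200.0)   # delay between demand and valve opening

# Assumption: the text says "significant" flux without giving a number.
SIGNIFICANT_FLUX = 0.05         # fraction of nominal flux (hypothetical)


@dataclass(frozen=True)
class Sample:
    t: float                    # time, s
    flux: float                 # neutron flux, fraction of nominal
    scram_signal: bool
    core_exit_temp_k: float
    level_pct: float            # vessel level, per cent of fuel height
    cont_pressure_frac: float   # containment pressure / design pressure
    operator_block: bool = False


def demands(s: Sample) -> List[str]:
    """Names of the actuation conditions met by one sample."""
    found = []
    if s.scram_signal and s.flux >= SIGNIFICANT_FLUX:
        found.append("ATWS")
    if s.core_exit_temp_k >= CORE_EXIT_TEMP_K or s.level_pct < MIN_LEVEL_PCT:
        found.append("core overheating")
    if s.cont_pressure_frac >= CONT_PRESSURE_FRAC:
        found.append("containment pressure")
    return found


class CrsActuationLogic:
    """Delayed actuation: open only if a demand persists for delay_s."""

    def __init__(self, delay_s: float = 120.0):
        lo, hi = DELAY_RANGE_S
        if not lo <= delay_s <= hi:
            raise ValueError(f"delay must lie within {lo}-{hi} s")
        self.delay_s = delay_s
        self.pending_since: Optional[float] = None
        self.opened_at: Optional[float] = None
        self.cause: Tuple[str, ...] = ()

    def step(self, s: Sample) -> bool:
        if self.opened_at is not None:
            return True                      # valves stay open once actuated
        active = demands(s)
        if s.operator_block or not active:
            # Assumed behaviour: a cleared or blocked demand resets the timer.
            self.pending_since, self.cause = None, ()
            return False
        if self.pending_since is None:
            self.pending_since, self.cause = s.t, tuple(active)
        if s.t - self.pending_since >= self.delay_s:
            self.opened_at = s.t
        return self.opened_at is not None


def run(trace: Iterable[Sample], delay_s: float):
    """Return (opening time or None, conditions that started the timer)."""
    logic = CrsActuationLogic(delay_s)
    for sample in trace:
        logic.step(sample)
    return logic.opened_at, logic.cause


def _sample(t, **overrides) -> Sample:
    normal = dict(flux=1.0, scram_signal=False, core_exit_temp_k=598.0,
                  level_pct=100.0, cont_pressure_frac=0.0)
    normal.update(overrides)
    return Sample(t=float(t), **normal)


def constructed_traces():
    """Constructed 10 s samples; none of these are plant data."""
    times = range(0, 301, 10)
    return {
        "atws": [_sample(t, scram_signal=t >= 10, flux=0.9) for t in times],
        "spike": [_sample(t, core_exit_temp_k=620.0 if t == 40 else 598.0)
                  for t in times],
        "blocked": [_sample(t, level_pct=60.0 if t >= 20 else 100.0,
                            operator_block=t >= 100) for t in times],
        "small_break": [_sample(t, cont_pressure_frac=0.3 + 0.005 * t)
                        for t in times],
    }


if __name__ == "__main__":
    for name, trace in constructed_traces().items():
        print(name, run(trace, 120.0))
```

A single out-of-range temperature sample and a level demand that the operator blocks before the delay expires both leave the valves closed, which is the spurious-actuation protection the delay is meant to give.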
At the time, this system was studied in depth by DISP, ENEA, the University of Pisa and the ISPRA Research Centre to determine its thermal-hydraulic effectiveness and the reduction of core melt probability which its adoption would have brought. The principal results of these studies are summarized in Petrangeli et al. (1993). The thermal-hydraulic effectiveness of the core cooling, even under extreme conditions, was amply proven. The possible reduction of the core melt probability was estimated to be a factor of at least 10. The probabilistic analysis was submitted to Prof. Rasmussen for review and was approved by him. Other studies which also gave a positive result were made on peculiar effects of the system operation, such as the thermo-mechanical consequences of its spurious actuation on the reactor pressure vessel (Milella and Petrangeli, 1983). The CRS was not, however, adopted for the reactor then being designed in Italy (a Westinghouse 900 MWe plant chosen for the Unified Nuclear Design, PUN). The adoption of the system would have introduced expense and delay which were considered excessive. In any case, its adoption would have introduced an improvement in a plant already considered satisfactory. A system of the CRS type was adopted for a German-designed PWR and, ten years later, by Westinghouse for its advanced passive safety reactor AP 600. Figures A10-2 and A10-3, and Table A10-1 show three documents detailing the studies on the CRS. Figure A10-2 is reproduced from an article in Inside NRC, where the system was announced. Figure A10-3 contains the information which was given to CSNI in 1982. Table A10-1 is part of the US Advisory Committee for Reactor Safeguards (ACRS) answer to a communication containing the description of the system.
Figure A10-2. Inside NRC article on CRS. (Courtesy of Peatts/McGraw-Hill.)

Figure A10-3. Annex to an ACRS (U.S.A.) letter.

Table A10-1. Information to CSNI on the CRS

Present views and trends at DISP (Italy) on LWR risk reduction (Information notes for CSNI, November 1982.)

1. It is recognised that a public demand and expectation for a LWR risk reduction still exists in Italy as in many other countries.
2. Two ways in principle exist in order to pursue a risk reduction objective:
– enhanced core melt prevention
– mitigation of core melt consequences
3. Mitigation of consequences is a rather new undertaking and many years of intensive research and development effort are thought to be necessary in order to get a complete enough phenomenological knowledge for soundly based design activities and for significant risk reduction. Considerations like the following ones tend to support this view:
– many uncertainties exist on phenomena related to core melt, as pointed out by research and design professionals;
– the investment forecast on severe core damage research by national and international organisations is long lasting (e.g. inside NRC, May 3, 1982; CEC programs);
– past experience indicates a progressive widening of the needed research as research work progresses (consider, for example, the research on ECCS performance after the end-of-1960s’ alarm);
– the fact that engineering mitigation features as yet proposed are effective on a part only of the foreseeable containment damage scenarios.
4. Mitigation of core melt consequences doesn’t prevent plant extensive contamination and subsequent occupational health and economic burdens.
5. It is believed that a significant potential of risk reduction still exists in the enhancement of core melt prevention by a more attentive use of proven components; exploitation of this potential is at hand now and should be pursued at least in an interim period of time, while knowledge on core melt mitigation makes sufficient progress.
6. It is believed that the most effective way to effect core melt prevention has to be based on:
– the recognition that core integrity can be preserved, despite the wide variety of possible plant accident sequences, by two provisions only: core shutdown and core submersion by boiling water;
– the adoption of simple, reliable, passive, direct safety systems as those currently accepted for the prevention against other industrial age common dangers (e.g. fire protection means, transportation vehicle emergency arrest, overpressure protection of industrial and family devices).
7. System concepts which satisfy the above listed criteria have been developed in the last two years and are now undergoing final verification at DISP for use on future PWRs (see Annex for a brief description). It can now be evaluated that their adoption may originate a nuclear plant at least ten times safer than most of the current designs.
8. Further information on these systems will be offered to interested national and international organisations as soon as the verification work progresses, in order to share knowledge and to seek for cooperation.

ANNEX
SSN+ systems for PWRs: a brief description

1. Main components:
– primary system automatic depressurisation line through adequately sized relief valve(s)
– low-pressure accumulators for borated water injection lasting about ten hours
– spray and submersion cooled direct-contact condenser for heat transmission to the environment
– connections for fire-fighting corps mobile pumps and augmented borated water preparation devices for long-term water injection in the primary system (plus additional recirculation means from the direct-contact condenser)
2. Actuating signals:
– high core fluid temperature
– failed scram (coincidence of significant neutron flux with presence of a scram signal)
– (low vessel water level or high-high containment pressure to be considered as possible future developments).
3. Functions:
– core shutdown (void formation and boron injection) and core cooling (boiling and bleed) by passive and direct means for at least ten hours in case of any of the dominant core melt sequences of risk studies
– core cooling by readily and widely available means in the long term.
4. Possible further developments:
– pressurised thermal shock prevention
– prevention of radioactivity release from steam generator safety/relief valves
– prevention of containment contamination by quench tank overflow
– simplification or elimination of high pressure safety injection systems and of other cooling systems against external events
– extension of the concept to BWRs
– use of further passive components
4. Work in progress and possible future activities:
– first conceptual design and PRA on risk reduction have been completed and independently reviewed by Prof. Rasmussen.
– thermal-hydraulic refined verification are in progress
Future possible actions:
– further independent PRA
– completion of thermal-hydraulic refined verifications and feedback on conceptual design
– implementation design work by utility and industry.
References
– IAEA-Conference, Stockholm Oct.80, Paper CN 39/52
– Report ENEA RT/DISP(82)1

+ Acronym for ‘Sistema di Salvataggio del Nocciolo’, meaning ‘Core Rescue System’.

Information to CSNI November ‘82 DISP - Italy

A10-2. Depressurization systems for modern design reactors

The concept of primary depressurization systems for PWRs has become ever more popular with time. All modern plants, including the EPR (European Pressurized Reactor), incorporate an enhanced ‘feed and bleed’ function according to the conceptual lines of the depressurization system. Some designs, like AP 600, also have an enhanced depressurization/injection function with a higher injection flow rate than the above described CRS, with the aim of allowing coolant injection into the core by gravity and not by nitrogen accumulator pressure. Voluntary primary depressurization has also been considered as the best means to stop possible Direct Containment Heating (DCH) and to eliminate severe accident sequences with a vessel at high pressure.
References

Petrangeli, G. (1985) ‘More intrinsically safe and simplified light water reactors’, RTI – DISP (85), DISP/ENEA.
Milella, P. and Petrangeli, G. (1983) ‘Thermo-mechanical effects of a postulated spurious actuation of a core rescue system’, RT/DISP(83)5, DISP/ENEA.
Petrangeli, G., Tononi, R., D’Auria, F. and Mazzini, M. (1993) ‘The SSN: An emergency system based on intentional coolant depressurization for PWRs’, Nuclear Engineering and Design, pp. 25–54.
Appendix 11 Thermal-hydraulic transients of the primary system
A11-1. General remarks

This appendix details a simple calculation program that allows the rough evaluation of transients and accidents in the primary system of a PWR. It can however be adapted to other types of water reactors. As noted at the beginning of Appendix 2, here also, for historical reasons, some units of measurement are not those of the Standard International System. The aim of this program is to evaluate the general trend of the parameters which influence the reactor cooling and heat dissipation to the environment in a large number of incident/accident situations. The emphasis has, therefore, been put on the flexibility and speed of the tool more than on its precision and on its degree of detail. Given the limited and specific objective of the program, a (substantially) single volume primary system scheme has been adopted. The file PRIMARYSYSTEM (which can be downloaded from the companion website) shows the simulated components. The reactor pressure vessel and pressurizer are shown as separate components, while in the program they are part of a single calculation volume. This program has been useful in preliminary sizing safety systems during the design phase and in the quick verification of them during safety reviews. This program was first developed (Petrangeli, 1983; Petrangeli et al., 1993) for the study of a new safety system (the CRS described in Appendix 10) based on the voluntary depressurization of the primary system and on the passive injection (by accumulators under pressure) of cooling water. This basic concept has been subsequently applied to various reactor designs. Calculation tools of this kind are very useful to the designer or to the overall system analyst (even if they leave the true specialists of the branch rather puzzled), as they allow the study of many cases and for transient times as long as are desired.
It has been observed, with reference to the Three Mile Island accident, that if the time length of the calculated transients had been prolonged beyond the intervention time of the safety systems, the adopted thermal-hydraulic codes (RELAP and so on) could have shown the danger of reaching a situation where the pressurizer is substantially full of liquid while the reactor vessel is nearly empty. As is known, this situation may cause the operators to erroneously think that all of the primary system is full and therefore make them shut off the safety injection systems. In fact, the calculations performed were stopped precisely at the moment of their intervention. This practice concerning the duration of the calculations was and is motivated by economic reasons. Unfortunately, the program described here would not have been adequate in the Three Mile Island situation as it is too simple (one volume only). The concept, however, that powerful and complex calculation programs must be accompanied by simpler tools has a general validity.
A11-2. General program characteristics

Saturation conditions are assumed in the primary system and, therefore, the initial phase of the pressurizer voiding during an accident cannot be simulated. This phase is not of great interest for the prevention of severe core damage which remains the field of deepest interest in the context for which the program has been written. The principal analytical instruments are the mass and energy conservation equations. The heat supplied to the primary system is principally the core decay heat, set equal to the one given by the ANS curve minus 5 per cent, according to a suggestion by Tong (1982) intended to yield better approximations (best estimates) rather than very conservative evaluations. This curve can be multiplied by a factor higher than one, provided for in the program (KQD factor), in order to obtain conservative, if less realistic, results. (See Table A2-2.) The heat exchanged (in either direction) by the primary system with the steam generators during the accident can be simulated by a term decreasing from a given value at an initial time down to zero at a given subsequent time. This term may simulate, for example, the heat absorbed by the residual water of the secondary side of the steam generators after a stop of the feedwater flow. The loss of water from the primary system can be simulated by an efflux from a depressurization system and from a hypothetical break in the primary system itself. The efflux can be of a liquid, homogeneous mixture or steam, as chosen by the user. The pressure transients in the accumulators are simulated as isothermal transformations. The water injection by an ECCS system can be simulated. The simplicity of the program makes it possible to interrupt a calculation and easily resume it using different input data (e.g. if one wants to change the ECCS flow rate from a certain time on).
A11-3. Program description

The program is based on a Microsoft® Excel® 97 spreadsheet which includes some Visual Basic® for Applications macros. Macro SP is used for the general control; when needed it calls the other 14 subroutines.
A11-3-1. Macro Stampa dati

This prints the input data of the case under study. These are entered by the user into cells A2:H11. These cells are subsequently used by the program as a set of service cells, with their content being varied at any program step. Therefore, at the end of the run, the numbers contained in the cells refer to the values corresponding to the last step.

    Sub STAMPA_DATI()
    '
    ' STAMPA_DATI Macro
    ' Macro recorded on 03/11/2001 by Petrangeli Gianni
    '
        Range("A31:H41").Select
        Selection.PrintOut Copies:=1
        Application.CommandBars("Stop Recording").Visible = False
        Range("J16").Select
        Application.Goto Reference:="STAMPA_DATI"
        Application.WindowState = xlMinimized
        Application.WindowState = xlNormal
        Application.Goto Reference:="STAMPA_DATI"
        Range("A27").Select
        ChDir "C:\SP"
        ActiveWorkbook.SaveAs Filename:="C:\SP\SP.xls", FileFormat:=xlNormal, _
            Password:="", WriteResPassword:="", ReadOnlyRecommended:=False, _
            CreateBackup:=False
    End Sub

The reference cells, containing the initial data and the service ones for the calculation of each step, are the following:

PROGRAM "PS": INPUT DATA AND LAST STEP DATA:
Vp (m3) = 463.3
Vab (m3) = 463.3
DP1 (s) = 2
P (MWt) = 2871.3
GS (kg/s) = 0
QS (Cal/s) = 0
TU0 (s) = 600
FL1 = 0
TU0 (s) = 6114.141
P0 (kg/cm2) = 70
P1 (kg/cm2) = 70
4/11(2)
VAT1 (m3) = 118
VAT2 (m3) = 1012
PA1 (kg/cm2) = 40
DP2 (s) = 0.2
KA1 (kg/cm2 s) = 711
KQD = 1.45
TU1GS (s) = 600
TU1QS (s) = 0
VA1 (m3) = 0
VA2 (m3) = 675
PA2 (kg/cm2) = 15
As (cm2) = 0
KA2 (kg/cm2 s) = 12
TU2GS (s) = 6000
TU2QS (s) = 0
TUF (s) = 6000
FL2 = 0
TU1 (s) = 6114,141
VF (m3/kg) = 0.0013531
VFG (m3/kg) = 0.0257476
HF (Cal/kg) = 303.48877
HFG (Cal/kg) = 358.47058
GUS (kg/s) = GE (kg/s) = QS (Cal/s) = VF1 = VFG1 = HF1 = HFG1 =
0 GUB (kg/s) = 0 GA1 (kg/s) = 0 1132.76 0.0013468 x1 = 0.0266207 301.0671 361.50553
DT (s) =
Mp (kg) = P0 (kg/cm2) = P1 (kg/m2) = Ab (cm2) = HA (Cal/kg) =
79519.2974 94 27.9 49
TU1 =
x =
0.1525122
HS (Cal/kg) = HB (Cal/kg) =
661.95934 661.95934 30.93552 GA2 (kg/s) = DT (s) = 265.96065 0.1682713 Mp1 (kg) =
301269.55 79519.2974
Symbols

Ab, area of break in primary system (cm²)
As, equivalent efflux area of the depressurization line (cm²)
A1 A2, accumulators, respectively at intermediate (40 bar) and low (15–20 bar) pressure
CRS, Core Rescue System
DP1 DP2, variation of the pressure in single step, respectively high (5 bar) and low (15–20 bar)
DT, time increment in the generic step (s)
ECCS, Emergency Core Cooling System
FL1 FL2, service command 'flags' for the calculation of the efflux from CRS system (depressurization) and from break
G, mass flow rate (kg s⁻¹ or kg cm⁻² s⁻¹)
GA1 GA2, efflux flow rate from accumulators A1 and A2, respectively (kg s⁻¹)
GE, inlet flow rate in the primary system (accumulators + ECCS) (kg s⁻¹)
GS, efflux flow rate of ECCS (kg s⁻¹)
GUB, efflux flow rate from assumed break (kg s⁻¹)
GUS, efflux from depressurization system (CRS) (kg s⁻¹)
HA, enthalpy of the water delivered by accumulators and by ECCS (Cal kg⁻¹)
KA1 KA2, efflux coefficients from accumulators A1 and A2, respectively (kg cm² s⁻¹)
KQD, decay power multiplier (=1.05 for ANS curve)
Mp, mass of water in the primary system (liquid + steam) (kg)
P, pressure (kg cm⁻²)
PA1 PA2, A1 and A2 accumulator pressure, respectively (kg cm⁻²)
VA1 VA2, water volume in accumulators A1 and A2, respectively (m³)
VAT1 VAT2, total volume in accumulators A1 and A2, respectively (m³)
Vab, portion of primary volume below break (m³)
Vp, primary system volume (m³)
x, x1, average steam quality in the primary system at start and end of step
TU1, end time of step (s)
TU1GS TU2GS, start and stop time, respectively, for ECCS system (s)
TU1QS TU2QS, start and stop time, respectively, for the steam generator heat release or absorption (s)
TU0 TUF, start and stop time, respectively, of the calculated transient (s)
A11-3-2. Macro Copia_dati

This copies the initial data to cells A31:H41 so that they may be kept until the end of the calculation in order to allow the user to evaluate the results.

    Sub COPIA_DATI()
    '
    ' COPIA_DATI Macro
    ' Macro recorded on 03/11/2001 by Petrangeli Gianni
    '
        Range("A2:H11").Select
        Selection.Copy
        Range("A32").Select
        ActiveSheet.Paste
        Range("$a$31") = "DATI DI INGRESSO"
        Range("$a$43") = "RISULTATI DEI PASSI"
    End Sub
A11-3-3. Macro HF

This evaluates at each step the specific enthalpy of the primary liquid as a function of the initial pressure of the step. The approximate formula, Equation A11.1, has been taken from (Santarossa G. et al., 1976) (as have the subsequent properties of the cooling fluid).

$$HF = \frac{964.3845\,p^3 + 188946.5\,p^2 + 2470981\,p + 1649689}{p^3 + 665.0797\,p^2 + 16075.48\,p + 26716.57}, \qquad \text{(A11.1)}$$

where HF is the specific enthalpy of the liquid water (Cal kg⁻¹) and p is the primary pressure at the start of the step (kg cm⁻²).

As an example, for a pressure of 70 kg cm⁻², Equation A11.1 gives a value of 301.1 (Cal kg⁻¹) compared with a handbook value of 298 (Cal kg⁻¹).

    Sub HF()
    '
    ' HF Macro
    ' Macro recorded on 30/10/2001 by Petrangeli Gianni
    '
        Range("$d$17") = (964.3845 * Range("$b$15") ^ 3 + 188946.5 * Range("$b$15") ^ 2 _
            + 2470981 * Range("$b$15") + 1649689) _
            / (Range("$b$15") ^ 3 + 665.0797 * Range("$b$15") ^ 2 _
            + 16075.48 * Range("$b$15") + 26716.57)
        Range("F18").Select
    End Sub
A11-3-4. Macro HFG

This evaluates the enthalpy of vaporization at the start of the step with the same units as macro HF using Equation A11.2.

$$HFG = \frac{231973.9\,p^3 - 5.284174 \times 10^{7}\,p^2 - 1.191874 \times 10^{9}\,p - 1.575882 \times 10^{9}}{p^4 + 82.67094\,p^3 - 126285.4\,p^2 - 2315288\,p - 2785184} \qquad \text{(A11.2)}$$

As an example, for a pressure of 70 (kg cm⁻²), Equation A11.2 gives a value of 361.5 (Cal kg⁻¹) compared with a handbook value of 357.3 (Cal kg⁻¹).

    Sub HFG()
    '
    ' HFG Macro
    ' Macro recorded on 30/10/2001 by Petrangeli Gianni
    '
        Range("$d$18") = (231973.9 * Range("$b$15") ^ 3 - 52841740 * Range("$b$15") ^ 2 _
            - 1191874000 * Range("$b$15") - 1575882000) _
            / (Range("$b$15") ^ 4 + 82.67094 * Range("$b$15") ^ 3 _
            - 126285.4 * Range("$b$15") ^ 2 - 2315288 * Range("$b$15") - 2785184)
        Range("H17").Select
    End Sub
A11-3-5. Macro VF

This evaluates the specific volume of the liquid at the start of the step (Equation A11.3).

$$VF = \frac{9.165659 \times 10^{-4}\,p^3 - 4.159937 \times 10^{-1}\,p^2 - 35.05628\,p - 120.077}{p^3 - 251.462\,p^2 - 31207.36\,p - 117706.3}, \qquad \text{(A11.3)}$$

where VF is the specific volume (m³ kg⁻¹). For 70 (kg cm⁻²), Equation A11.3 gives 0.00135 (m³ kg⁻¹), which is equal to the table value.

    Sub VF()
        Range("$D$15") = (0.0009165659 * Range("$b$15") ^ 3 - 0.4159937 * Range("$b$15") ^ 2 _
            - 35.05628 * Range("$b$15") - 120.077) _
            / (Range("$b$15") ^ 3 - 251.462 * Range("$b$15") ^ 2 _
            - 31207.36 * Range("$b$15") - 117706.3)
    End Sub
A11-3-6. Macro VFG

This evaluates the differential specific volume of steam–liquid (m³ kg⁻¹) at the start of the step using Equation A11.4.

$$VFG = \frac{-2.309098 \times 10^{-3}\,p^4 + 4.162979\,p^3 - 857.4263\,p^2 - 14867.06\,p - 3998.127}{p^4 - 381.89\,p^3 - 7810.05\,p^2 - 3776.419\,p + 529.4787} \qquad \text{(A11.4)}$$

For 70 (kg cm⁻²), Equation A11.4 gives 0.027 (m³ kg⁻¹) compared with a table value of 0.026 (m³ kg⁻¹). Four more macros calculate by identical formulae the values of HF1, HFG1, VF1 and VFG1, the thermodynamic properties at the pressure at the end of the step.

    Sub VFG()
    '
    ' VFG Macro
    ' Macro recorded on 30/10/2001 by Petrangeli Gianni
    '
        Range("$d$16") = (-0.002309098 * Range("$b$15") ^ 4 + 4.162979 * Range("$b$15") ^ 3 _
            - 857.4263 * Range("$b$15") ^ 2 - 14867.06 * Range("$b$15") - 3998.127) _
            / (Range("$b$15") ^ 4 - 381.89 * Range("$b$15") ^ 3 _
            - 7810.05 * Range("$b$15") ^ 2 - 3776.419 * Range("$b$15") + 529.4787)
    End Sub
A11-3-7. Macro QS

This calculates the heat supplied to the primary system or released by it from/to sources other than the core (typically to the steam generator) using Equation A11.5.

$$QS = 1 - \frac{TU0 - TU1QS}{TU2QS - TU1QS}, \qquad \text{(A11.5)}$$

where QS is the maximum thermal power exchanged at the instant TU1QS (s), TU1QS and TU2QS are the times (s) of the start and end of the heat exchange, respectively, and TU0 is the initial time of the step (s).

    Sub QS()
    Rem Calculates the heat added by sources other than the core, such as the steam generators
        If Range("$d$9") < Range("$b$14") Then
            If Range("$f$9") > Range("b$14") Then
                Range("$d$22") = (1 - ((Range("$b$14") - Range("$d$9")) _
                    / (Range("$f$9") - Range("$d$9")))) * Range("$B$9")
            Else
                Range("$d$22") = 0
            End If
        End If
    End Sub
A11-3-8. Macro GU

This calculates the weight flow rate which exits from the depressurization line and that which exits through an assumed break. According to the liquid level in the primary system calculated by the program, the efflux is liquid or non-liquid. In the latter case, it is of steam or of a homogeneous mixture with quality equal to the average one of the primary system, according to a choice made by the user as an input datum to the calculation: the parameters FL1 and FL2 refer to the depressurization and to the break, respectively, and are set equal to 0 for steam efflux and to 1 for two-phase efflux. The formulae used for the various cases are:

$$G = (1.54 \times 10^{-2})\,p\,A \quad \text{(steam)} \qquad \text{(A11.6)}$$

$$G = p^{1/3}\,A \quad \text{(liquid)} \qquad \text{(A11.7)}$$

$$G = (p^{1/3} - 0.02\,X\,HFG)\,A \quad \text{(two phases)} \qquad \text{(A11.8)}$$

where G is the weight flow rate (kg s⁻¹), p is the primary pressure (kg cm⁻²), A is the efflux area (cm²), X is the average primary steam quality and HFG is the vaporization heat of the water at the primary pressure (Cal kg⁻¹).

It is assumed that the opening for the primary depressurization is located on top of the pressurizer (i.e. at the highest point of the system), so liquid efflux will occur only if the program detects a situation where the water volume in the primary system is equal to or higher than the volume of the primary itself. As far as the break is concerned, its location is defined at the start (among the input data) by the volume of the primary system below it, and therefore liquid efflux occurs only if the water volume is higher than this given volume.

    Sub GU()
        ' Efflux from the depressurization system (GUS in d20, enthalpy HS in f17)
        If (Range("d$15") * Range("$h$2")) > Range("b$2") Then
            Range("$d$20") = Range("$b$15") ^ (1 / 3) * Range("$f$5")
            Range("$f$17") = Range("$d$17")
        Else
            If Range("$b$11") = 0 Then
                Range("$d$20") = 0.0154 * Range("$b$15") * Range("$f$5")
                Range("$f$17") = Range("$d$17") + Range("$D$18")
            Else
                Range("$D$20") = (Range("$b$15") ^ (1 / 3) - 0.02 * Range("$f$15") * Range("$d$18")) * Range("$f$5")
                ' HS = HF + x * HFG (HFG is in d18, as in the break branch below)
                Range("$f$17") = Range("$d$17") + Range("f$15") * Range("$d$18")
            End If
        End If
        ' Efflux from the break (GUB in f20, enthalpy HB in f18)
        If (Range("$d$15") * Range("$h$2")) > Range("$b$3") Then
            Range("$f$20") = Range("$b$15") ^ (1 / 3) * Range("$h$5")
            Range("$f$18") = Range("$d$17")
        Else
            If Range("$d$11") = 0 Then
                Range("$f$20") = 0.0154 * Range("$b$15") * Range("$h$5")
                Range("$f$18") = Range("$d$17") + Range("$d$18")
            Else
                Range("f$20") = (Range("$b$15") ^ (1 / 3) - 0.02 * Range("$f$15") * Range("$d$18")) * Range("$h$5")
                Range("$f$18") = Range("$d$17") + Range("f$15") * Range("$d$18")
            End If
        End If
    End Sub
A11-3-9. Macro GE

This evaluates the liquid flow rate entering the primary system using Equation A11.9. It is composed of the efflux of the two series of accumulators (intermediate and low pressure), whose characteristics are specified in the input data, and of the efflux of an injection safety system (ECCS), operating between two given times (TU1GS and TU2GS) at a given flow rate GS.

$$G = K\,p^{1/2}, \qquad \text{(A11.9)}$$

where G is the weight flow rate (kg s⁻¹), K is the efflux coefficient (kg^0.5 cm s⁻¹) and p is the pressure difference between accumulators and primary system (kg cm⁻²). The program sets the efflux from each series of accumulators to zero when their pressure is lower than the primary one and when the water volume in them is zero.

    Sub GE()
    Rem Calculates the flow rate entering the primary system during the step (accumulators 1 and 2 and ECCS)
    Rem The flow rate leaving accumulators A1 is calculated here
        If Range("$d$4") > Range("$b$15") Then
            If Range("$f$2") > 0 Then
                Range("$d$21") = (Range("$d$4") - Range("$b$15")) ^ 0.5 * Range("$d$6")
                Range("$f$21") = Range("$D$21")
            Else
                Range("$d$21") = 0
                Range("$f$21") = Range("$D$21")
            End If
        End If
    Rem The flow rate leaving accumulators A2 is calculated here
        If Range("$f$4") > Range("$b$15") Then
            If Range("$f$3") > 0 Then
                Range("$d$21") = Range("$d$21") + (Range("$f$4") - Range("$b$15")) ^ 0.5 * Range("$f$6")
                Range("$h$21") = Range("$d$21") - Range("$f$21")
            Else
                Range("$h$21") = 0
            End If
        End If
    Rem The ECCS flow rate GS is added here
        If Range("$d$8") < Range("$b$14") Then
            If Range("$b$14") < Range("$f$8") Then
                Range("$d$21") = Range("$d$21") + Range("$b$8")
            End If
        End If
    End Sub
A11-3-10. Macro DT

This calculates the time, DT, necessary to cover the given pressure interval (DP1 or DP2) and essentially includes the mass and energy conservation equations in a finite differences form:

$$M_{p1} H_1 - M_{p0} H_0 - J\,V_p\,(P_1 - P_0) = DT\,(Q + G_E H_E - G_U H_U)$$

$$M_{p1} = M_{p0} + (G_E - G_U)\,DT$$

where Mp is the primary fluid mass (kg), H is the enthalpy of the primary fluid (Cal kg⁻¹), J is the mechanical equivalent of the Calorie, Vp is the primary volume (m³), P is the primary pressure (kg cm⁻²), Q is the heat supplied to the primary system or released by it (Cal), GE is the entering flow rate (kg s⁻¹), GU is the exiting flow rate (kg s⁻¹) and 0 and 1 are the indexes for the start and end of the step, respectively. The interval DT for each step is given by Equation A11.10.

$$DT = \frac{M_0\left(\mathit{HF1} - \mathit{HF0} - \dfrac{\mathit{HFG1}}{\mathit{VFG1}}\,\mathit{VF1} + \dfrac{\mathit{HFG0}}{\mathit{VFG0}}\,\mathit{VF0}\right) + V_p\left(\dfrac{\mathit{HFG1}}{\mathit{VFG1}} - \dfrac{\mathit{HFG0}}{\mathit{VFG0}} - 23.4\,(P1 - P0)\right)}{\left(239\,P\,K_{qd}\,0.124\,\mathit{TU0}^{-0.283}\right) + G_e\left(H_a - \mathit{HF1} + \dfrac{\mathit{HFG1}}{\mathit{VFG1}}\,\mathit{VF1}\right) - G_{us}\left(H_{us} - \mathit{HF1} + \dfrac{\mathit{HFG1}}{\mathit{VFG1}}\,\mathit{VF1}\right) - G_{ub}\left(H_{ub} - \mathit{HF1} + \dfrac{\mathit{HFG1}}{\mathit{VFG1}}\,\mathit{VF1}\right) + Q_s}, \qquad \text{(A11.10)}$$

where Kqd is the coefficient for the decay heat described in Section A11-2, P is the reactor thermal power (MWth) and Gus and Gub are the flow rates going out from the depressurization system and from the break (kg s⁻¹), respectively. The other symbols have been defined earlier.

    Sub DT()
        ' Numerator of Equation A11.10
        Range("$h$22") = (Range("$h$2") * (Range("$d$25") - Range("$d$17") _
            - Range("$d$23") * (Range("$d$26") / Range("$d$24")) _
            + Range("$d$15") * (Range("$d$18") / Range("$d$16"))) _
            + Range("$b$2") * (Range("$d$26") / Range("$d$24") _
            - Range("$d$18") / Range("$d$16") _
            - 23.4 * (Range("$b$23") - Range("$b$15"))))
        ' Denominator of Equation A11.10
        Range("$e$22") = (239 * Range("$b$7") * Range("$d$7") * 0.124 * Range("$b$14") ^ (-0.283) _
            + Range("$d$21") * (Range("$h$6") - Range("$d$25") + Range("$d$23") * (Range("$d$26") / Range("$d$24"))) _
            - Range("$d$20") * (Range("$f$17") - Range("$d$25") + Range("$d$23") * (Range("$d$26") / Range("$d$24"))) _
            - Range("$f$20") * (Range("$f$18") - Range("$d$25") + Range("$d$23") * (Range("$d$26") / Range("$d$24"))) _
            + Range("$d$22"))
        Range("$g$22") = Range("$h$22") / Range("$e$22")
    End Sub
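As a cross-check outside Excel, the following added example (not part of the book's program) evaluates the property fits of macros HF, HFG, VF and VFG, the steam efflux of Equation A11.6 and one step of Equation A11.10 in Python, and recomputes the last step of the printed sample data. The function names are hypothetical; the start-of-step pressure of 72 kg/cm2 (P1 + DP1), the break area of 27.9 cm2 and the start-of-step mass and time (back-computed from the printed Mp1, GUB, DT and TU1) are assumptions read from the printout.

```python
"""One pressure step of the single-volume primary-system model (added example)."""

# Rational fits, coefficients from the highest power of p down, with the signs
# used in the macro listings (p in kg/cm2, enthalpy in Cal/kg, volume in m3/kg).
HF_FIT = ((964.3845, 188946.5, 2470981.0, 1649689.0),
          (1.0, 665.0797, 16075.48, 26716.57))
HFG_FIT = ((231973.9, -52841740.0, -1191874000.0, -1575882000.0),
           (1.0, 82.67094, -126285.4, -2315288.0, -2785184.0))
VF_FIT = ((0.0009165659, -0.4159937, -35.05628, -120.077),
          (1.0, -251.462, -31207.36, -117706.3))
VFG_FIT = ((-0.002309098, 4.162979, -857.4263, -14867.06, -3998.127),
           (1.0, -381.89, -7810.05, -3776.419, 529.4787))


def _poly(coeffs, p):
    """Horner evaluation of a polynomial in p."""
    value = 0.0
    for c in coeffs:
        value = value * p + c
    return value


def _fit(fit, p):
    if p <= 0:
        raise ValueError("pressure must be positive")
    numerator, denominator = fit
    return _poly(numerator, p) / _poly(denominator, p)


def hf(p):
    return _fit(HF_FIT, p)      # liquid enthalpy, Equation A11.1


def hfg(p):
    return _fit(HFG_FIT, p)     # vaporization enthalpy, Equation A11.2


def vf(p):
    return _fit(VF_FIT, p)      # liquid specific volume, Equation A11.3


def vfg(p):
    return _fit(VFG_FIT, p)     # steam-liquid volume difference, Equation A11.4


def quality(vp, mp, p):
    """Average steam quality x = (Vp/Mp - VF)/VFG, as computed in macro SP."""
    return (vp / mp - vf(p)) / vfg(p)


def steam_efflux(p, area_cm2):
    """Equation A11.6: steam flow rate (kg/s) through an opening of given area."""
    return 0.0154 * p * area_cm2


def step_dt(mp0, vp, p0, p1, power_mwt, kqd, tu0,
            ge=0.0, ha=0.0, gus=0.0, hus=0.0, gub=0.0, hub=0.0, qs=0.0):
    """Equation A11.10: time (s) needed to go from pressure p0 to p1.

    A negative result means the pressure trend is inverted for this step.
    """
    if tu0 <= 0:
        raise ValueError("the decay-heat term needs a positive time")
    r0 = hfg(p0) / vfg(p0)
    r1 = hfg(p1) / vfg(p1)
    ref1 = hf(p1) - vf(p1) * r1
    numerator = (mp0 * (ref1 - hf(p0) + vf(p0) * r0)
                 + vp * (r1 - r0 - 23.4 * (p1 - p0)))
    decay = 239.0 * power_mwt * kqd * 0.124 * tu0 ** -0.283
    denominator = (decay + ge * (ha - ref1) - gus * (hus - ref1)
                   - gub * (hub - ref1) + qs)
    if denominator == 0.0:
        raise ZeroDivisionError("heat and mass flows balance: DT is undefined")
    return numerator / denominator


def reproduce_last_step():
    """Recompute the last step of the printed sample case (steam break flow only)."""
    vp, p0, p1 = 463.3, 72.0, 70.0                  # p0 assumed as P1 + DP1
    dt_printed, tu1_printed, mp1_printed = 265.96065, 6114.141, 79519.2974
    gub = steam_efflux(p0, 27.9)                    # break area assumed 27.9 cm2
    mp0 = mp1_printed + gub * dt_printed            # back-computed start mass
    tu0 = tu1_printed - dt_printed                  # back-computed start time
    hub = hf(p0) + hfg(p0)                          # steam enthalpy at the break
    dt = step_dt(mp0, vp, p0, p1, 2871.3, 1.45, tu0, gub=gub, hub=hub)
    mp1 = mp0 - gub * dt
    return {"dt": dt, "mp1": mp1, "gub": gub,
            "x0": quality(vp, mp0, p0), "x1": quality(vp, mp1, p1)}


if __name__ == "__main__":
    for name, value in reproduce_last_step().items():
        print(f"{name} = {value:.6g}")
```

The recomputed DT, Mp1, x and x1 can be compared with the values 265.96065, 79519.2974, 0.1525122 and 0.1682713 printed in the sample data.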
A11-3-11. Macro PS

This is the general program which connects together all the other subroutines. It initially calls the subroutine Stampa Dati which produces a paper copy of the input data supplied by the user. The subroutine Copia Dati copies these data to the spreadsheet. Subsequently, it chooses the pressure interval between the two given values DP1 and DP2 (usually smaller). At the start, DP1 is chosen, then a series of conditions are inserted in the program which implement the following:

The shortest step is chosen if the time interval resulting from the calculation of the step is too long to guarantee the required precision, that is longer than 1000 s (the case for slowly varying pressure).

It may happen that even with the shorter step, the time interval is longer than 1000 s and in these conditions, the calculation is repeated using an even shorter DP2.

A negative pressure step is chosen if the calculated time interval is negative (in the case of an inversion in the pressure trend).
Then the program calculates all the quantities necessary to find DT using the various subroutines and finally it calculates DT. If it is not necessary to repeat the step in order to change the chosen DP, the program writes the results of the step in the spreadsheet and, having put the input data for the subsequent step in cells A2:H6, it runs the following.

    Sub SP()
        Call COPIA_DATI
        Call STAMPA_DATI
        Range("$a$14") = "TU0[s]="
        Range("$a$15") = "P0[Kg/cm2]="
        Range("$c$14") = "TU1[s]="
        Range("$c$15") = "VF[m3/Kg]="
        Range("$e$15") = "x="
        Range("$c$16") = "VFG[m3/Kg]="
        Range("$c$17") = "HF[KL/Kg]="
        Range("$e$17") = "HS[Kl/Kg]="
        Range("$c$18") = "HFG[KL/Kg]="
        Range("$e$18") = "HB[KL/Kg]="
        Range("$c$20") = "GUS[Kg/s]="
        Range("$e$20") = "GUB[Kg/s]="
        Range("$c$21") = "GE[Kg/s]="
        Range("$e$21") = "GA1[Kg/s]="
        Range("$g$21") = "GA2[Kg/s]="
        Range("$c$22") = "QS[KL/s]="
        Range("$f$22") = "DT[s]="
        Range("$a$23") = "P1[Kg/cm2]"
        Range("$c$23") = "VF1="
        Range("$e$23") = "x1="
        Range("$g$23") = "Mp1[Kg]="
        Range("$c$24") = "VFG1="
        Range("$c$25") = "HF1="
        Range("$c$26") = "HFG1="
        Range("$a$59957") = Range("$b$10")
        Range("$b$59957") = Range("$h$3")
        Range("$c$59957") = Range("$h$2")
        co = 0
        Rem set the initial pressure and the initial time
        Range("$b$14") = Range("$b$10")
        Range("$d$14") = Range("$b$10")
        Range("$b$15") = Range("$h$3")
        Rem the main loop starts
        Do While Range("$b$14") < Range("$d$10")
            Rem calculation of the final pressure of the step, long step
            Range("$b$23") = Range("$b$15") - Range("$b$5")
            GoTo Fine_ciclo_a_passo_temporale_lungo
            Rem label for changing the step
    Passo_temporale_breve:
            Range("$b$23") = Range("b$15") - Range("$d$5")
            Rem end of the short time step
    Fine_ciclo_a_passo_temporale_lungo:
            Call VF
            Call VF1
            Call VFG
            Call VFG1
            Call HF
            Call Modulo6.HF1
            Call HFG
            Call HFG1
            Call GU
            Call GE
            Call QS
            Call DT
            If Range("$g$22") < 0 Then
                Range("$d$5") = -Range("d$5")
                Range("b$5") = -Range("b$5")
                GoTo Passo_temporale_breve
            Else
            End If
            Rem writes TU1 in d14
            Range("$d$14") = Range("d$14") + Range("$g$22")
            Rem x0
            Range("$f$15") = (Range("$b$2") / Range("$h$2") - Range("$d$15")) / Range("$d$16")
            Rem Mp1 is calculated and also stored as Mp of the next step
            Range("$h$23") = (Range("$d$21") - Range("$d$20") - Range("$f$20")) * Range("$g$22") + Range("$h$2")
            Range("$h$2") = Range("$h$23")
            Rem x1
            Range("$f$23") = (Range("$b$2") / Range("$h$2") - Range("$d$23")) / Range("$d$24")
            Range("h" & ((co + 1) * 12 + 32)) = Range("h2")
            Range("g" & ((co + 1) * 12 + 32)) = "Mp[Kg]="
            Rem PA1 of the next step is calculated and replaces the previous value
            Range("$d$4") = Range("$d$4") * (Range("$d$2") - Range("$f$2")) _
                / (Range("$f$21") / 1000 + (Range("$d$2") - Range("$f$2")))
            Range("d" & ((co + 1) * 12 + 34)) = Range("$d$4")
            Range("c" & ((co + 1) * 12 + 34)) = "PA1[Kg/cm2]="
            Rem PA2 of the next step is calculated and replaces the previous value
            Range("$f$4") = Range("$f$4") * (Range("$d$3") - Range("$f$3")) _
                / (Range("$h$21") / 1000 + (Range("$d$3") - Range("$f$3")))
            Range("f" & ((co + 1) * 12 + 34)) = Range("$f$4")
            Range("$e" & ((co + 1) * 12 + 34)) = "PA2[Kg/cm2]="
            Rem VA1 is calculated and the "full-empty" test is made
            Range("$F$2") = Range("$f$2") - (Range("$f$21") * Range("$g$22")) / 1000
            If Range("$f$2") > 0 Then
                Range("$f$2") = Range("$f$2")
            Else
                Range("$f$2") = 0
            End If
            Range("f" & ((co + 1) * 12 + 32)) = Range("$f$2")
            Range("e" & ((co + 1) * 12 + 32)) = "VA1[m3/Kg]="
            Rem VA2 is calculated and the "full-empty" test is made
            Range("$F$3") = Range("$f$3") - (Range("$h$21") * Range("$g$22")) / 1000
            If Range("$f$3") > 0 Then
                Range("$f$3") = Range("$f$3")
            Else
                Range("$f$3") = 0
            End If
            Rem Writing of the data for the graph
            Range("a" & (59958 + co)) = Range("$d$14")
            Range("b" & (59958 + co)) = Range("$b$23")
            Range("c" & (59958 + co)) = Range("$h$23")
            Rem Writing of the values VA2, P1, DT, TU1, x, x1, GUS, GUB
            Range("f" & ((co + 1) * 12 + 33)) = Range("$f$3")
            Range("e" & ((co + 1) * 12 + 33)) = "VA2[m3/Kg]="
            Range("h" & ((co + 1) * 12 + 34)) = Range("$b$23")
            Range("g" & ((co + 1) * 12 + 34)) = "P1[Kg/cm2]="
            Range("f" & ((co + 1) * 12 + 40)) = Range("$g$22")
            Range("e" & ((co + 1) * 12 + 40)) = "DT[s]="
            Range("h" & ((co + 1) * 12 + 40)) = Range("$d$14")
            Range("g" & ((co + 1) * 12 + 40)) = "TU1="
            Range("$b$14") = Range("$d$14")
            Range("$b$15") = Range("$b$23")
            Range("e" & ((co + 1) * 12 + 35)) = "x="
            Range("f" & ((co + 1) * 12 + 35)) = Range("$f$15")
            Range("e" & ((co + 1) * 12 + 36)) = "x1="
            Range("f" & ((co + 1) * 12 + 36)) = Range("$f$23")
            Range("c" & ((co + 1) * 12 + 37)) = "GUS[Kg/s]="
            Range("d" & ((co + 1) * 12 + 37)) = Range("$d$20")
            Range("e" & ((co + 1) * 12 + 37)) = "GUB[Kg/s]="
            Range("f" & ((co + 1) * 12 + 37)) = Range("$f$20")
            Range("g" & ((co + 1) * 12 + 37)) = "GE[Kg/s]"
            Range("h" & ((co + 1) * 12 + 37)) = Range("$d$21")
            co = co + 1
        Loop
    End Sub
A11-4. Using the program

The program CSPSen.xls is available on the companion website. On running the program, the initial page of the spreadsheet is displayed with the cells A1:Al1 filled with the input data of a sample case. The numerical data of the sample case have to be replaced by the data of the case to be studied. The spreadsheet program calls macro SP and the calculation proceeds automatically. Initially the input data are printed and then the results populate the cells. Usually at least 500 steps are necessary for a transient duration of ten hours.

Once the calculation has been performed, it is advised to answer 'No' to the question Salvare le modifiche? ('Save the modifications?') in order to preserve the sample opening page for future use.

The following data are written in the first three columns starting at cell A59995: time, primary pressure and weight of remaining primary fluid. These data can be used to draw two graphs for the pressure and the liquid weight, which are particularly meaningful to evaluate the transient trend. Other graphs and results can be obtained from the result sheet.

It is advised to choose, for the transients with liquid efflux, a DP1 of 5 (kg cm⁻²) and an initial DP2 of 0.5 (kg cm⁻²). If the calculated DT is in any case too long (indicatively higher than 1000 s), the calculation should be repeated with a lower DP2, down to 0.3–0.2 (kg cm⁻²). It is advisable not to leave zeros in the input data and to replace them with very small, mutually consistent, numbers.
A11-5. Other formulae for the expanded use of the program

The version of the program described here does not foresee the study of Anticipated Transients Without Scram (ATWS) or the calculation of the pressure in a water tank where the primary liquid from the depressurization system is discharged. For additional calculations of this type, the following notes and formulae may be useful.
A11-5-1. ATWS For calculations of this type, the evaluation of the shutdown effect of the depressurization is interesting. The depressurization, in fact, causes a loss of primary liquid and a pressure decrease which increase the steam volume in the core (the void content of the core is increased) with consequent introduction of negative reactivity and shutdown of the chain reaction. These evaluations can be done taking into account that results consistent with refined calculations are obtained by assuming that the core shutdown occurs for an average void ratio in the primary system of 30 per cent. The value of can be calculated by the following formulae: ¼
X 1 þ Xð
¼
1019:2 P
,
ðA11:11Þ
2:28:
ðA11:12Þ
1Þ
where
The values of X (average quality in the primary system) and of P are obtained by the PS program, where the heat supplied to the system must be increased in the first phase of the transient in order to take into account the heat produced by the still active chain reaction. This can be obtained, for example, by artificially increasing the decay heat KQD coefficient.
A11-5-2. Pressure in a depressurization water discharge tank

Normally it can be assumed that the energy supply to the tank only increases the liquid water temperature. That is, both the energy for the production of steam in the tank and the enthalpy of the water in the tank in comparison with the enthalpy of the incoming water can be disregarded. In this way the temperature increase in the tank is calculated using Equation A11.13.

$$T_1 - T_0 = \frac{DT\,(GUS \cdot HUS - QE)}{Ma}, \qquad \text{(A11.13)}$$

where QE is the heat exchanged with the outside of the tank (Cal) in the time step and Ma is the water mass in the tank (kg). The vapour pressure in the tank can be calculated using the approximate Equation A11.14 (or by using the steam tables and saturated steam diagrams). T is the temperature (°C).

$$P_v = \frac{-4.241304 \times 10^{-9}\,T^4 + 2.284709 \times 10^{-6}\,T^3 - 2.952689 \times 10^{-4}\,T^2 + 2.16481 \times 10^{-2}\,T - 0.5712048}{(2.066907 \times 10^{-11})\,T^4 - (3.211231 \times 10^{-8})\,T^3 + (2.049397 \times 10^{-5})\,T^2 - (6.895268 \times 10^{-3})\,T + 1} \qquad \text{(A11.14)}$$

This formula has been developed for high pressures and its approximation is considered unacceptable (error higher than 20 per cent) for temperatures lower than 60 °C (corresponding to a vapour pressure of 0.2031 (kg cm⁻²)). More data and formulae for thermo-hydraulic calculations in the primary system and in the depressurization systems can be found in (Petrangeli, 1983).
References

Petrangeli, G. (1983) 'Transient, one-volume calculations for a PWR equipped with a core rescue system (SSN)', RT/DISP(83)2, ENEA – DISP, Roma, Italy.

Petrangeli, G., Tononi, R., D'Auria, F. and Mazzini, M. (1993) 'The SSN: An emergency system based on intentional coolant depressurization for PWRs', Nuclear Engineering and Design, 143, pp. 25–54.

Tong, L.S. (1982) 'Some design issues for future LWRs', Notes for a seminar, January.

Santarossa, G. et al. (1976) 'Raccolta di formulazioni delle proprietà termodinamiche e del trasporto dell'acqua', Rapporto interno SATN-1-76, DISP/CENTR Servizio Analisi Termoidraulica e Neutronica, Enea/Disp, Roma, Italy.
Appendix 12 The atmospheric dispersion of releases
This appendix describes four simple programs for calculating the atmospheric dispersion of releases on the basis of the formulae of Chapter 6. As noted at the beginning of Appendix 2, for historical reasons some of the measurement units do not belong to the S.I. system.
Program DR1 is for an instantaneous radioactivity release and calculates the cloud-concentration, (Ci s m⁻³), and the ground concentration, Ct (Ci m⁻²), at a ground position chosen downwind from the release point. Program DR2 calculates the cloud-concentration, (Ci s m⁻²), for a continuous release. Programs DR1FUM and DR2FUM, respectively, perform the same calculations for the fumigation case.
The programs are written in Visual Basic for Applications (VBA) for execution in Microsoft Excel. They can be downloaded from the companion website (Files: DISPERSION1, DISPERSION2, FUMIGATION1, FUMIGATION2).

Program DR1

    Sub DR1()
        Dim x As Double
        Dim y As Double
        Dim u As Double
        Dim h As Double
        Dim Q As Double
        x = Log(Range("b6")) / Log(10)
        y = Range("b9")
        u = Range("b5")
        h = Range("b7")
        Q = Range("b8")
        If Range("b4") = "B" Then
            lsy = 0.0027 * x ^ 3 - 0.0585 * x ^ 2 + 1.2136 * x - 1.0106
            lsz = 0.9238 * x ^ 2 - 3.5634 * x + 4.4731
            sy = 10 ^ lsy
            sz = 10 ^ lsz
            chi = (Q / (3.1415 * sy * sz * u)) * Exp(-((y ^ 2 / (2 * sy ^ 2)) + (h ^ 2 / (2 * sz ^ 2))))
            Range("b11") = chi
        Else
            If Range("b4") = "D" Then
                lsy = 0.0148 * x ^ 3 - 0.1752 * x ^ 2 + 1.5541 * x - 1.6231
                lsz = 0.0049 * x ^ 3 - 0.135 * x ^ 2 + 1.4082 * x - 1.6325
                sy = 10 ^ lsy
                sz = 10 ^ lsz
                chi = (Q / (3.1415 * sy * sz * u)) * Exp(-((y ^ 2 / (2 * sy ^ 2)) + (h ^ 2 / (2 * sz ^ 2))))
                Range("b11") = chi
            Else
                If Range("b4") = "F" Then
                    lsy = 0.0044 * x ^ 3 - 0.0713 * x ^ 2 + 1.2271 * x - 1.6022
                    lsz = 0.0011 * x ^ 3 - 0.144 * x ^ 2 + 1.5033 * x - 2.0967
                    sy = 10 ^ lsy
                    sz = 10 ^ lsz
                    chi = (Q / (3.1415 * sy * sz * u)) * Exp(-((y ^ 2 / (2 * sy ^ 2)) + (h ^ 2 / (2 * sz ^ 2))))
                    ' Written to b11, the same result cell as categories B and D
                    Range("b11") = chi
                End If
            End If
        End If
    End Sub

The Microsoft Excel cells for the input data and output results are (examples):

Input data:
Category = D                    (Pasquill category B, D or F)
Wind (m s⁻¹) = 1                (average wind speed in x direction)
Distance (m) = 2500             (distance from the point chosen on the ground)
Release height (m) = 100        (height at which release occurs)
Release activity (Ci) = 1       (activity released)
Lateral distance, y (m) = 0     (lateral distance of chosen point from plume axis)
Deposition vel. (m s⁻¹) = 0.01  (deposition velocity of particles)

Results:
(Ci s m⁻³) = 8.31155E-06        (cloud concentration at the chosen point)
Ct (Ci m⁻²) = 8.31155E-08       (ground concentration at the chosen point)
Program DR2

    Sub DR2()
        Dim x As Double
        Dim y As Double
        Dim u As Double
        Dim h As Double
        Dim Q As Double
        x = Log(Range("b6")) / Log(10)
        y = Range("b9")
        u = Range("b5")
        h = Range("b7")
        Q = Range("b8")
        If Range("b4") = "B" Then
            lsy = 0.0027 * x ^ 3 - 0.0585 * x ^ 2 + 1.2136 * x - 1.0106
            lsz = 0.9238 * x ^ 2 - 3.5634 * x + 4.4731
            sy = 10 ^ lsy
            sz = 10 ^ lsz
            chi = (Q / (3.1415 * sy * sz * u)) * Exp(-((y ^ 2 / (2 * sy ^ 2)) + (h ^ 2 / (2 * sz ^ 2))))
            Range("b11") = chi
        Else
            If Range("b4") = "D" Then
                lsy = 0.0148 * x ^ 3 - 0.1752 * x ^ 2 + 1.5541 * x - 1.6231
                lsz = 0.0049 * x ^ 3 - 0.135 * x ^ 2 + 1.4082 * x - 1.6325
                sy = 10 ^ lsy
                sz = 10 ^ lsz
                chi = (Q / (3.1415 * sy * sz * u)) * Exp(-((y ^ 2 / (2 * sy ^ 2)) + (h ^ 2 / (2 * sz ^ 2))))
                Range("b11") = chi
            Else
                If Range("b4") = "F" Then
                    lsy = 0.0044 * x ^ 3 - 0.0713 * x ^ 2 + 1.2271 * x - 1.6022
                    lsz = 0.0011 * x ^ 3 - 0.144 * x ^ 2 + 1.5033 * x - 2.0967
                    sy = 10 ^ lsy
                    sz = 10 ^ lsz
                    chi = (Q / (3.1415 * sy * sz * u)) * Exp(-((y ^ 2 / (2 * sy ^ 2)) + (h ^ 2 / (2 * sz ^ 2))))
                    Range("b11") = chi
                End If
            End If
        End If
    End Sub

The Microsoft Excel cells for the input data and output results are (example):

Input data:
Category = D                    (Pasquill category B, D or F)
Wind (m s⁻¹) = 1                (average wind speed in x direction)
Distance (m) = 600              (distance from the point chosen on the ground)
Release height (m) = 30         (height at which release occurs (stack))
Release activity (Ci/s) = 1     (activity released per second)
Lateral distance, y (m) = 0     (lateral distance of chosen point from plume axis)

Results:
(Ci m⁻³) = 0.000125151          (cloud concentration at the chosen point)
Program DR1FUM

    Sub DR1FUM()
        Dim x As Double
        Dim y As Double
        Dim u As Double
        Dim hi As Double
        Dim Q As Double
        Dim sy As Double
        x = Log(Range("b6")) / Log(10)
        y = Range("b8")
        u = Range("b5")
        hi = Range("b10")
        Q = Range("b7")
        If Range("b4") = "B" Then
            lsy = 0.0027 * x ^ 3 - 0.0585 * x ^ 2 + 1.2136 * x - 1.0106
            sy = 10 ^ lsy
            chi = (Q / ((2 * 3.1415) ^ 0.5 * sy * hi * u)) * Exp(-((y ^ 2 / (2 * sy ^ 2))))
            Range("b12") = chi
        Else
            If Range("b4") = "D" Then
                lsy = 0.0148 * x ^ 3 - 0.1752 * x ^ 2 + 1.5541 * x - 1.6231
                sy = 10 ^ lsy
                chi = (Q / ((2 * 3.1415) ^ 0.5 * sy * hi * u)) * Exp(-((y ^ 2 / (2 * sy ^ 2))))
                Range("b12") = chi
            Else
                If Range("b4") = "F" Then
                    lsy = 0.0044 * x ^ 3 - 0.0713 * x ^ 2 + 1.2271 * x - 1.6022
                    sy = 10 ^ lsy
                    chi = (Q / ((2 * 3.1415) ^ 0.5 * sy * hi * u)) * Exp(-((y ^ 2 / (2 * sy ^ 2))))
                    Range("b12") = chi
                End If
            End If
        End If
    End Sub

The Microsoft Excel cells for the input data and output results are (example):

Input data:
Category = F                    (Pasquill cat. B, D or F for space below inversion height)
Wind (m s⁻¹) = 1                (average wind speed in x direction)
Distance (m) = 1500             (distance from the point chosen on the ground)
Release activity (Ci) = 1       (activity released per second)
Lateral distance, y (m) = 0     (lateral distance of chosen point from plume axis)
Deposition vel. (m s⁻¹) = 0.01  (deposition velocity of particles)
Inversion height (m) = 100      (inversion height)

Results:
(Ci s m⁻³) = 7.65607E-05        (cloud-concentration at the chosen point)
Ct (Ci m⁻²) = 7.65607E-07       (ground concentration at the chosen point)
Program DR2FUM

    Sub DR2FUM()
        Dim x As Double      ' log10 of the distance (cell b6)
        Dim y As Double      ' lateral distance from the plume axis (cell b8)
        Dim u As Double      ' average wind speed (cell b5)
        Dim hi As Double     ' inversion height (cell b9)
        Dim Q As Double      ' release activity (cell b7)
        Dim sy As Double     ' lateral dispersion coefficient
        Dim lsy As Double    ' log10 of sy from the fitted polynomial
        Dim chi As Double    ' cloud concentration written to cell b11
        x = Log(Range("b6")) / Log(10)
        y = Range("b8")
        u = Range("b5")
        hi = Range("b9")
        Q = Range("b7")
        If Range("b4") = "B" Then
            ' Pasquill category B
            lsy = 0.0027 * x ^ 3 - 0.0585 * x ^ 2 + 1.2136 * x - 1.0106
            sy = 10 ^ lsy
            chi = (Q / ((2 * 3.1415) ^ 0.5 * sy * hi * u)) * Exp(-((y ^ 2 / (2 * sy ^ 2))))
            Range("b11") = chi
        Else
            If Range("b4") = "D" Then
                ' Pasquill category D
                lsy = 0.0148 * x ^ 3 - 0.1752 * x ^ 2 + 1.5541 * x - 1.6231
                sy = 10 ^ lsy
                chi = (Q / ((2 * 3.1415) ^ 0.5 * sy * hi * u)) * Exp(-((y ^ 2 / (2 * sy ^ 2))))
                Range("b11") = chi
            Else
                If Range("b4") = "F" Then
                    ' Pasquill category F
                    lsy = 0.0044 * x ^ 3 - 0.0713 * x ^ 2 + 1.2271 * x - 1.6022
                    sy = 10 ^ lsy
                    chi = (Q / ((2 * 3.1415) ^ 0.5 * sy * hi * u)) * Exp(-((y ^ 2 / (2 * sy ^ 2))))
                    Range("b11") = chi
                End If
            End If
        End If
    End Sub

The Microsoft® Excel® cells for the input data and output results are (example):

Input data:

    Category                  = D       (Pasquill cat. B, D or F for space below inversion height)
    Wind (m s⁻¹)              = 1       (average wind speed in x direction)
    Distance (m)              = 1500    (distance from the point chosen on the ground)
    Release activity (Ci s⁻¹) = 1       (activity released per second)
    Lateral distance, y (m)   = 0       (lateral distance of chosen point from plume axis)
    Inversion height (m)      = 100     (inversion height)

Results:

    chi (Ci m⁻³)              = 3.81255E-05   (cloud-concentration at the chosen point)
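The two worksheet examples above can be cross-checked outside Excel. The following Python script is an added example, not code from the book: it tabulates the three sy fits from the listings, reproduces both printed concentrations, and checks that the crosswind integral of the fumigation formula equals Q/(u·hi). The function names are hypothetical, and the relation Ct = chi × deposition velocity is an assumption inferred from the printed results, not taken from a listing on this page.

```python
import math

# Cubic fits log10(sy) = a*X^3 + b*X^2 + c*X + d with X = log10(distance in m),
# coefficients copied from the listings (Pasquill categories B, D and F).
SY_FIT = {
    "B": (0.0027, -0.0585, 1.2136, -1.0106),
    "D": (0.0148, -0.1752, 1.5541, -1.6231),
    "F": (0.0044, -0.0713, 1.2271, -1.6022),
}

# The listings use 3.1415 for pi; kept here so the printed digits are reproduced.
PI_LISTING = 3.1415


def lateral_sigma(category, distance_m):
    """Lateral dispersion coefficient sy (m) from the fitted polynomial."""
    if category not in SY_FIT:
        # The worksheet macro writes nothing for an unknown category;
        # failing loudly avoids reading a stale cell as a fresh result.
        raise ValueError(f"unsupported Pasquill category: {category!r}")
    if distance_m <= 0:
        raise ValueError("distance must be positive")
    a, b, c, d = SY_FIT[category]
    x = math.log10(distance_m)
    return 10.0 ** (a * x**3 + b * x**2 + c * x + d)


def fumigation_chi(category, wind, distance_m, release, y_m, inversion_height):
    """Concentration below the inversion lid, same formula as the listings."""
    if wind <= 0 or inversion_height <= 0:
        raise ValueError("wind speed and inversion height must be positive")
    sy = lateral_sigma(category, distance_m)
    on_axis = release / (math.sqrt(2 * PI_LISTING) * sy * inversion_height * wind)
    return on_axis * math.exp(-(y_m**2) / (2 * sy**2))


def ground_deposition(chi, deposition_velocity):
    """Assumed relation (inferred from the printed results): Ct = chi * v_d."""
    return chi * deposition_velocity


def crosswind_integral(category, wind, distance_m, release, inversion_height, n=2001):
    """Trapezoidal integral of chi over y from -8*sy to +8*sy.

    The Gaussian factor integrates to sqrt(2*pi)*sy, so the result should be
    release / (wind * inversion_height) whatever the category or distance,
    apart from the small error of using 3.1415 for pi.
    """
    sy = lateral_sigma(category, distance_m)
    half_width = 8.0 * sy
    step = 2.0 * half_width / (n - 1)
    total = 0.0
    for i in range(n):
        y = -half_width + i * step
        weight = 0.5 if i in (0, n - 1) else 1.0
        total += weight * fumigation_chi(
            category, wind, distance_m, release, y, inversion_height
        )
    return total * step


if __name__ == "__main__":
    chi_f = fumigation_chi("F", 1, 1500, 1, 0, 100)
    chi_d = fumigation_chi("D", 1, 1500, 1, 0, 100)
    print(f"F, 1500 m: chi = {chi_f:.5E}, Ct = {ground_deposition(chi_f, 0.01):.5E}")
    print(f"D, 1500 m: chi = {chi_d:.5E}")
    print(f"crosswind integral (D): {crosswind_integral('D', 1, 1500, 1, 100):.6f}")
```
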
Appendix 13 Regulatory framework and safety documents
A13-1. Regulatory framework

A legal framework has to be established that provides for the regulation of nuclear activities and for the clear assignment of safety responsibilities.AR1, AR201 Legislative institutions should produce laws which assign the prime responsibility for safety to the operating organization and establish a regulatory body responsible for a system of licensing, for the regulatory control of nuclear activities and for enforcing the relevant regulations. It is also very useful, although not done everywhere, for the legislative power of a country to define in general terms the safety level which nuclear installations should achieve, in order to give the industrial organizations and the regulatory body general guidance in their activities. For example, the classes of nuclear installations and the orders of magnitude of the amount and the probability of the maximum accident release or consequences should be established at the top of the people's representation structure, with a balanced view of the risks and benefits to society.

The prime responsibility for the safety of the installation rests with the operating organization. It is responsible for establishing its safety criteria (which should be approved by the regulatory body) and for the compliance of the design, construction and operation of the installation with them and with relevant safety standards. Procedures and arrangements for the safe control of the installation under all conditions should also be established, together with arrangements for the maintenance of a competent and fully trained staff and for the control of fissile and radioactive materials utilized or generated.

It is the responsibility of the regulatory body to set the detailed safety objectives and standards and to monitor and enforce them. Effective independence of the regulatory body from organizations that promote nuclear activities should be in place in order to ensure the absence of undue pressures from competing interests. An important function of the regulatory body is to communicate to the public any information concerning safety and in particular its regulatory decisions and opinions.

In many cases, the regulatory body is supported by a dedicated technical support organization (TSO) which performs technical analyses and studies. These are used in reviews and in other activities by the regulatory body. The personnel of the two organizations may range from several tens of people to a few thousand people, according to the size of the nuclear programme and the activities entrusted to the body itself. Usually the regulatory body has access to confirmatory research, which provides a direct way of obtaining the supporting technical information necessary for well-founded regulatory activity.

A review of existing regulatory frameworks for various countries is included in (OECD, 1991).
A13-2. Safety documents

The principal documents concerning plant safety vary according to the specific requirements of each country; however, some conceptual generalizations, accepted everywhere, can be made. The following documentation will be briefly discussed:

• The safety report.
• The probabilistic safety evaluation (PRA or PSA).
• The environmental impact assessment (EIA).
• The external emergency plan.
• The operation manual, including the emergency procedures.
• The operation organization document.
• The pre-operational test programme.
• The technical specifications for operation.
• The periodic safety reviews.
Other documents result from inspection activities on plant construction and operation.
A13-2-1. The safety report

The safety report (SR) is the principal document for the demonstration that the design and the construction of a nuclear plant on a specific site are such that it can be operated without undue risk to the workers and the public. Here the assumption is made that the SR contains the treatment of both the aspects relevant to the site and those concerning the plant (description and analysis). It must be noted, however, that in various regulatory systems, the two issues are dealt with in separate documents. It is easy to understand that this subdivision shortens the time needed for site selection and for preparatory work on it; however, the acceptability of a site also depends on the characteristics of the plant to be installed on it. The problem is easily solved for proven plants. In other cases, various parts of the information on the plant safety characteristics must be presented in advance and inserted in the part of the SR devoted to the site. Where the two are separated and the part of the report relevant to the site is presented in advance, it will in any case be necessary to link the approval of the site to compliance with some reasonably assumed plant characteristics.

The SR is a 'living' document which evolves and changes with time. The principal factors of this change are: the progression of the detailed design, the design modifications decided during the construction and the operation of the plant and the need for adjustments due to the progress of safety knowledge.

It also has to be noted that the demonstration of plant safety requires more detailed information, concerning both design and analyses, than is usually included in the SR. The corresponding documents are termed 'support documents' (following the IAEA (1979) nomenclature). In some regulatory systems (e.g. in the Italian one) these supporting documents take the form of Detailed Design Reports (DDR) which have to be submitted, for approval, to the national control body.
Usually, the principal stages of the SR are:
• the preliminary safety report: to be submitted before the site approval and the plant construction permit; and
• the final safety report: to be submitted before fuel loading.
While the preliminary safety report describes many plant data at the level of initial solutions and plans, the final safety report shows the plant 'as built' (in its final form) as a result of the design, validation and modification activities. The content of the SR may, for simplicity, be subdivided into the following five parts:

• Site
• Quality assurance
• Criteria and standards
• Design
• Nuclear safety and radiation protection analysis.
The needs of radiation protection and of containment and mitigation of the effluents must permeate all the content of the SR and therefore are not indicated as separate parts of the SR. It is strongly advised that one or more radiation protection design experts are part of the design organization. In addition to the systems specifically devoted to radiation protection tasks, some design aspects must be the subject of complete evaluation, such as the following: the general and detailed plant layout; the space available for operation, inspection and maintenance tasks; the choice of materials; system specifications and component specifications and location.

Other issues, which may be part of the SR or be the subject of separate documents, are:

• organization for pre-operational tests and operation;
• pre-operational test programme;
• operational limits, operation conditions and procedures;
• emergency plans;
• decommissioning schemes;
• physical protection.
The objectives of the SR information on the site are:
• assessment of the feasibility of a safe plant on the site;
• definition of the site parameters necessary to plant design (external events and so on);
• evaluation of the possible impact of the plant operation on the surrounding population and environment.
These three objectives must be followed keeping in mind both the normal operating conditions and the exceptional and accidental ones. A sample list of the contents of a safety report is given in NRC Regulatory Guide 1.70 (USNRC, 1978). What has to be underlined is that, in the light of experience, many unfavourable characteristics of a site cannot be corrected by design provisions. In other words, various site exclusion criteria exist (an example is included in Appendix 16).

A principal section of a safety report should be devoted to the description of the quality assurance programmes of the plant owner and of its contractors during the design, construction, testing and operation of the plant. The methods for the implementation of the quality assurance functions should also be described.

The section of the SR devoted to criteria and standards is particularly important. All the standards to be adopted for the plant should be listed. They can usually be divided into three levels of generality: the general criteria (general safety and radiation protection objectives and functional system objectives) and general applicable country laws (health protection limits, fire protection laws, etc.); the guides at the level of system and component (e.g. the NRC Regulatory Guides and the standard review plan), which usually are not compulsory but simply indicate an acceptable way of proceeding; and, finally, the technical standards for components (ASME III Code for Pressure Components, etc.). It is important to note that all the standards (and particularly those concerning components) evolve with time and that, therefore, the specific issue used has to be indicated.

How does one proceed if a standard changes during the design? This problem, typically the result of revisions (every five or ten years) of the safety of operating plants, is usually tackled and solved as follows:

• If the revision is due to formal improvements and no new safety problem is involved as a consequence of the progress in knowledge, then no special analysis or modification is necessary.
• If the revision is intended to solve some new safety problem, then:
    - additional, more precise analyses are performed in order to demonstrate, possibly, that the existing design which followed the old standard is still acceptable in the light of the new knowledge;
    - modifications to operation parameters or rules are introduced, if possible, in order to compensate for the 'inadequacy' of the standards adopted for the design;
    - if any other action is inadequate, plant modifications have to be made in order to take account of the new knowledge.
The part of the SR devoted to the description of the design should offer a concise yet complete description of the entire plant. It should allow the reviewers:
• to obtain an overall view of the systems and structures of the plant, as far as their characteristics and integrated functioning are concerned, both in normal and in transient and accident conditions, including the possibility of external, natural and unnatural, events;
• to understand and evaluate the design solutions and the main operational limits adopted to satisfy the reference criteria and the safety and protection standards.
In particular, special problems caused by specific site characteristics should be described and discussed. Similarly, any plant design aspects which have not yet been satisfactorily solved should be described, together with the possible research and development programmes aimed at the identification of a satisfactory solution. A comparison table, moreover, should be supplied showing plant data and corresponding data of other similar recent plants, with the indication of the condition of the other plants (degree of completion and authorization, operational situation, etc.).

In general terms, the objective of safety analysis (SA) is to demonstrate that the plant design and its operating procedures (together with well-trained personnel) ensure a high level of protection of the population and workers in case of malfunctions, human errors or assumed external events. Therefore, the content of the SA is a set of dynamic studies of the most significant transients and accidents, giving an evaluation of their consequences on the plant and on the outside environment. The SA must offer a clear picture of the integrated behaviour of the plant in fault conditions. The integrity and the behaviour of the barriers between the radioactive substances and the environment are the main concern of the plant response evaluation. The information supplied by the SA, together with the information contained in the balance of the SR, should be sufficient to convince reviewers that the plant design is acceptable from a safety and radiation protection point of view, at the authorization stage to which the SR applies. The SA is usually structured as follows:

• The initiating events (which in general descend from the general design criteria), usually subdivided into a certain number (often four) of operation conditions.
• The acceptance criteria and the design methods, usually contained in the general criteria and in the system component guides.
• The analyses and the conclusions.
On the basis of past experiences (see Appendix 17), it is recommended that particular attention is given to the length of (real) time for which the transients and accidents are calculated. These parameters can be established tentatively beforehand, but they can be defined only after calculation, as the calculations can indicate the presence of situations which may confuse the operators. Moreover, in the evaluations, it should be ensured that sufficient time exists to allow for the correct intervention of the operators, up to the attainment of perfectly stabilized plant conditions.
A13-2-2. The probabilistic safety assessment

The probabilistic safety assessment (PSA) is now a companion of the SR for every new plant. In fact, after some initial doubts, it is now recognized as a valid knowledge and evaluation tool for a plant and also as a valid help in its design and operation (see Chapter 11). It is understood, then, that the PSA must be developed in parallel with the design, initially making many working assumptions on the features of the plant as it will be at the end. IAEA requirements demand that a summary of the plant PSA is included in the safety report.

The PSA, used in this way, can be limited to level 1 or 2, that is at the first core damage or at the releases from the containment, respectively. A complete risk analysis (PRA), performed, for example, to verify the compliance of the plant with preselected risk objectives, must also include level 3, that is the probabilistic evaluation of the accident consequences.

A13-2-3. The environmental impact assessment

The environmental impact assessment (EIA) is now compulsory nearly everywhere. It follows official channels that are usually different from those of the safety evaluation and health protection. Many issues of the two processes coincide, however, and it is useful if the two analyses proceed in parallel. The EIA commences with the initial strategic planning of the works. During the development of the two processes (nuclear safety and environmental impact), information exchange should take place between the authorities responsible, for example by a mutual participation of observers in the commission meetings and in working groups.

A13-2-4. The external emergency plan

Before fuel loading, an external emergency plan (EEP) must be operative as a part of the Defence in Depth (see Chapter 9). To this end, usually, a dedicated issue of the safety evaluation is prepared, containing the technical basis for the external emergency plan.

A13-2-5. The operation manual, including the emergency procedures

The operation manual, which includes the emergency procedures (EP) and the internal emergency plan, must be available before any operation with nuclear fuel. It is important that the EP includes, in order to prevent severe accidents, the procedures based on the analysis of the plant states (symptom oriented) as well as the more traditional ones based on the analysis of specific accident sequences (event oriented).AR178

In the symptom-based approach, operator actions result from the monitoring of plant symptoms rather than from the identification of the details of the event taking place. For example, the operator responds to the symptom of loss of primary water inventory as opposed to the specific event of a loss of coolant accident. The need for this kind of procedure was indicated by the Three Mile Island accident, where the operators were confronted with a confusing situation (see Appendix 17) and were not able to identify in a timely manner the precise event taking place. Subsequently, it was confirmed that it was possible to develop emergency procedures on the basis of the damaging symptoms of the event rather than of the origin of the event and its consequences. The two concepts partly overlap, but by following the symptom-based approach it is not necessary to lose precious time in identifying, by a process of selection and elimination, the event origin and features. In general, some critical safety functions are identified (attainment of sub-criticality, availability of coolant in the core, availability of an efficient containment function) and the operator action is to identify which critical safety function is not available to the desired degree and to try, with the support of the emergency symptom-based procedures, to restore the function itself.

The difference between event-based procedures and symptom-based procedures is the possibility of quickly diagnosing the plant accident situation. If this diagnosis can be made, then the event-based procedures are followed. If it cannot, then the symptom-based procedures are used. It is apparent from the preceding sentences that both sets of procedures are intended to be used in any nuclear plant.

The process of developing modern procedures is still ongoing at many plants and it takes a remarkable effort. Some plants decide to have a dedicated procedure development group of experts.
Some other plants carry out procedure development with other work groups, such as operations staff or operational experience feedback staff, as a part-time responsibility. In any case, a plant procedures group ensures an efficient and effective method for development, distribution and revision of plant procedures, resulting in lower cost and more uniform quality. Close cooperation between the procedures group and the technical departments on a plant is essential.

Symptom-based procedures require the NPP to complete a significant amount of site-specific thermal-hydraulic analyses of bounding scenarios. These analyses ensure that a generic set of operator actions for loss of each critical safety function is sufficient to mitigate the most severe challenge to that critical safety function. Owners Groups may share the same package of procedures but the EPs and the supporting thermal-hydraulic analyses are plant specific.

In recent years it has been determined that a potential for external release of radioactive products exists not only while the plant is operating at power but also when it is in a low power or shutdown condition. EPs, therefore, have been expanded in order to cover situations where the reactor cooling system may be depressurized and the vessel head removed. Due to the specific requirements of certain plant configurations that may exist during shutdown, together with the reduced level of automatic protection, many of these procedures are specific to these plant conditions and initiating events and thus are very event specific.

It has also been recognized that the operator needs additional guidance for those conditions beyond the design basis accidents where core damage exists or is imminent. Hence the evolution of severe accident management guidelines (SAMGs). Due to the wide variety of conditions that may exist, these guidelines have been written in a symptom-based format. Symptom-based, event-based and integrated (a combination of the two) approaches to emergency operating procedures exist.

Verification and validation of procedures are two very important elements in the procedures development work. Verification is defined as the process of determining if a procedure is administratively and technically correct. Validation is the process of evaluating procedures to ensure that they are usable and that they will function as intended. These two processes should be performed using a graded approach, that is devoting more effort where the consequences of some inadequacy are more serious. For administrative procedures, such as record keeping, verification and validation can be accomplished through a tabletop review. For emergency operating procedures, verification may include checking the technical information against design documents, while validation might include the use of mock-ups of the plant and a full-scope control room simulator, as well as direct use of the plant. Checklists are available for verification and validation (IAEA, 1998).AR178 It is highly recommended that the plant designer participates in the procedure preparation and review phases.
A13-2-6. Operation organization document

The operation organization document describes the functions, responsibilities and mutual relationships of the plant personnel. The adequacy of its contents directly affects the adequacy of the human element to which the plant is entrusted. Great weight should be placed on this document as its content gives a measure of the attention given to the human factors of safety. The operation organization document should include training and personal/professional development issues.
A13-2-7. The pre-operational test programme

The initial test programme concerns a particularly delicate phase in the plant life, in which possible design or construction deficiencies usually come into the open. The test programme comprises two phases: non-nuclear (before fuel loading) and nuclear. The tests are often termed 'pre-operational' and 'nuclear', respectively.

In the pre-operational tests, components and systems are tested. Integrated tests of several interacting systems are performed too. In this way the functional consistency of the systems with the design is verified, as well as the absence of vibrations, normal operation in general and the normal expansion and contraction of systems while they heat up and cool down, etc. It is very desirable that operating personnel directly take part in the pre-operational tests, together with the representatives of the contractors, in order to get used to the plant components.

It is not usually considered necessary that the pre-operational test programme is explicitly approved by the safety control body, but its contents, time schedule and results are, however, communicated to it in a timely manner. On the other hand, the nuclear test programme must have prior approval because it must fully demonstrate the safety characteristics of the plant and because, whilst it is being carried out, the risk of accidents involving radioactive products starts. However, not all conceivable tests can be performed, as some of them would be detrimental to systems and components and therefore dangerous in view of the subsequent life of the plant (e.g. the capability of a safety injection system to introduce cold water at full flow in an operating plant will never be tested because the water injected would cause an unacceptable thermal transient on structures and components). In these cases, partial yet demonstrative tests are performed.

As far as the contents of a test programme are concerned, specific documents should be consulted (Petrangeli, 1985). Here, it is sufficient to say that it is very important that the procedure of any single test includes a clear specification of the acceptance limits of the test, in order to avoid long and costly discussions between the organization responsible for the tests and the safety control body during the performance of the tests themselves. The test period, in fact, is a particularly delicate phase in the life of the plant, both for the intrinsic difficulties of the tuning of the plant and for the huge organization necessary for all the tests and the measures to be performed. The nature of the 'final exam' also leads to high psychological tension. Therefore, any unnecessary disturbance or delay must be avoided. It is often convenient to specify three levels of acceptability of each test:

• acceptance;
• acceptance after review by the designer without test programme stoppage;
• non-acceptance.
As far as possible, the tests should comply with normal operating procedures. The tests are also a good opportunity to test the procedures and to amend them, if necessary. On the basis of practical experience, at least nine months are necessary for the pre-operational tests and at least three months for the nuclear tests. Causes of delay, sometimes trivial, may always intervene, thus extending the time required. Often a great deal of time is lost because of defective pipe support anchorages, pipe vibrations and fluid leakages from systems and from buildings.
A13-2-8. The technical specifications for operation

The objective of the technical specifications (TS) is to define conditions and limits for the operation of the plant, compatible with its safety, and to define the specifications and the programmes for periodic surveillance of the various parts of the plant. The operational limits concern plant parameters such as pressures, temperatures, etc. and the minimum availability of systems and components for the various operating modes (full power, cold shutdown and so on).

Particularly important is an initial part of the TS devoted to definitions. An example of a particularly delicate definition is the one concerning the word 'operable': one of the most common within the TS! The TS text, with the aid of the initial definitions, must be clear and unmistakable. In fact the TS are the first support of the plant operators for fundamental decisions, such as the continuation of operation at power in the presence of irregular plant situations. Frequently, little time for discussions and interpretation is available when decisions of this kind have to be taken.

The probabilistic plant analysis offers a rational basis for decisions concerning the TS, either for the choice of operating limits or for the intervals between tests and inspections of parts of the plant (periodic surveillance). The TS must be available before fuel loading.
A13-2-9. The periodic safety reviews

Operating personnel must pay continuous attention to plant safety and conduct periodic reviews in order to improve the plant and its operating procedures as a result of research and of operating experience of similar plants. An operating licence usually requires revision every ten years. As already mentioned in Section A13-2-1 in connection with criteria and standards, the case may occur that new knowledge or new standards may generate doubts about the consistency of the criteria and about the adequacy of the plant or its procedures. In that section it was noted that the situation has to be primarily assessed to see if the discrepancy is formal or substantial in nature. Even in the latter case, various degrees of action are available, such as a more refined analysis, modifications to limits and operating procedures and, finally, plant improvements.
References

IAEA (1979) 'Information to be submitted in support of licensing applications for nuclear power plants', IAEA Safety Series 50-SG-G2, Vienna.
IAEA (1998) 'Good practices with respect to the development and use of Nuclear Power Plant procedures', TECDOC 1058, IAEA, Vienna.
Petrangeli, G. (1985) 'Licensing procedures: Parts I–III', CEE Training Seminar on PWR Safety, Cairo, Nov–Dec.
USNRC (1978) 'Standard format and content of safety analysis reports for nuclear power plants: LWR edition', Regulatory Guide 1.70, Rev. 3, Nov.
OECD (1991) 'Licensing Systems and Inspection of Nuclear Installations', OECD, Nuclear Energy Agency, Paris.
Appendix 14 USNRC Regulatory Guides and Standard Review Plan

This Appendix gives an example of a USNRC Regulatory Guide and a chapter of the Standard Review Plan to provide useful reference technical information and data. The numbering system and cross-references of the original documents are retained. All illustrations in the original documents have been removed.
A14-1. Extracts from a regulatory guide

REGULATORY GUIDE 1.3

Assumptions used for evaluating the potential radiological consequences of a loss of coolant accident for boiling water reactors.

A. INTRODUCTION

Section 50.34 of 10 CFR Part 50 requires that each applicant for a construction permit or operating license provide an analysis and evaluation of the design and performance of structures, systems, and components of the facility with the objective of assessing the risk to public health and safety resulting from operation of the facility. The design basis loss of coolant accident (LOCA) is one of the postulated accidents used to evaluate the adequacy of these structures, systems, and components with respect to the public health and safety. This guide gives acceptable assumptions that may be used in evaluating the radiological consequences of this accident for a boiling water reactor. In some cases, unusual site characteristics, plant design features, or other factors may require different assumptions which will be considered on an individual case basis. The Advisory Committee on Reactor Safeguards has been consulted concerning this guide and has concurred in the regulatory position.

B. DISCUSSION

[. . .] within the guidelines of 10 CFR Part 100. (During the construction permit review, guideline exposures of 20 rem whole body and 150 rem thyroid should be used rather than the values given in §100.11 in order to allow for (a) uncertainties in final design details and meteorology or (b) new data and calculational techniques that might influence the final design of engineered safety features or the dose reduction factors allowed for these features.)
C. REGULATORY POSITION (1) The assumptions related to the release of radioactive material from the fuel and containment are as follows: (a) Twenty-five percent of the equilibrium radioactive iodine inventory developed from maximum full power operation of the core should be assumed to be immediately available for leakage from the primary reactor containment. Ninety-one percent of this 25 percent is to be assumed to be in the form of elemental iodine, 5 percent of this 25 percent in the form of particulate iodine, and 4 percent of this 25 percent in the form of organic iodides. (b) One hundred percent of the equilibrium radioactive noble gas inventory developed from maximum full power operation of the core should be assumed to be immediately available for leakage from the reactor containment. (c) The effects of radiological decay during holdup in the containment or other buildings should be taken into account. (d) The reduction in the amount of radioactive material available for leakage to the 393
394
Nuclear Safety
environment by containment sprays, recirculating filter systems, or other engineered safety features may be taken into account. but the amount of reduction in concentration of radioactive materials should be evaluated on an individual case basis. (e) The primary containment should be assumed to leak at the leak rate incorporated or to be incorporated in the technical specifications for the duration of the accident. The leakage should be assumed to pass directly to the emergency exhaust system without mixing in the surrounding reactor building atmosphere and should then be assumed to be released as an elevated plume for those facilities with stacks. (f) No credit should be given for retention of iodine in the suppression pool. (2) Acceptable assumptions for atmospheric diffusion and dose conversion are: (a) Elevated releases should be considered to be at the height equal to no more than the actual stack height. Certain site dependent conditions may exist, such as surrounding elevated topography or nearby structures which will have the effect of reducing the actual stack height. The degree of stack height reduction should be evaluated on an individual case basis. Also, special meteorological and geographical conditions may exist which can contribute to greater ground level concentrations in the immediate neighborhood of a stack. For example, fumigation should always be assumed to occur: however, the length of time that a fumigation condition exists is strongly dependent on geographical and seasonal factors and should be evaluated on a case-by-case basis. [. . .] (b) No correction should be made for depletion of the effluent plume of radioactive iodine due to deposition on the ground, or for the radiological decay of iodine in transit. (c) For the first 8 hours, the breathing rate of persons offsite should be assumed to be 3.47 10 4 cubic meters per second. 
From 8 to 24 hours following the accident, the breathing rate should be assumed to be 1.75 × 10⁻⁴ cubic meters per second. After that until the end of the accident, the rate should be assumed to be 2.32 × 10⁻⁴ cubic meters per second. (These values were developed from the average daily breathing rate [2 × 10⁷ cm³ day⁻¹] assumed in the report of ICRP, Committee II-1959.)
(d) The iodine dose conversion factors are given in ICRP publication 2, Report of Committee II, "Permissible Dose for Internal Radiation," 1959.
(e) External whole body dose should be calculated using "Infinite Cloud" assumptions, i.e., the dimensions of the cloud are assumed to be large compared to the distance that the gamma rays and beta particles travel. "Such a cloud would be considered an infinite cloud for a receptor at the center because any additional [gamma and] beta emitting material beyond the cloud dimensions would not alter the flux of (gamma rays and) beta particles to the receptor" (Meteorology and Atomic Energy, Section 7.4.1.1ARxxx – editorial additions made so that gamma and beta emitting material could be considered). Under these conditions the rate of energy absorption per unit volume is equal to the rate of energy released per unit volume. For an infinite uniform cloud containing curies of beta radioactivity per cubic meter, the beta dose in air at the cloud center is:
D′ = 0.4571E 1 (A14.1)
The surface body dose rate from beta emitters in the infinite cloud can be approximated as being one-half this amount. From a semi-infinite cloud, the gamma dose rate in air is given by a formula equal to (A14.1) with the coefficient 0.457 changed to 0.507; here also, for a semi-infinite cloud, the coefficient is one half.
Where: D′ = beta dose rate from an infinite cloud (rad/sec); E = average gamma or beta energy per disintegration (MeV/dis); = concentration of beta or gamma emitting isotope in the cloud (curie/m³)
(f) The following specific assumptions are acceptable with respect to the radioactive cloud dose calculations:
(1) The dose at any distance from the reactor should be calculated based on
the maximum concentration in the plume at that distance taking into account specific meteorological, topographical, and other characteristics which may affect the maximum plume concentration. These site related characteristics must be evaluated on an individual case basis. In the case of beta radiation, the receptor is assumed to be exposed to an infinite cloud at the maximum ground level concentration at that distance from the reactor. In the case of gamma radiation, the receptor is assumed to be exposed to only one-half the cloud owing to the presence of the ground. The maximum cloud concentration always should be assumed to be at ground level.
(2) The appropriate average beta and gamma energies emitted per disintegration, as given in the Table of Isotopes, Sixth Edition, by C.M. Lederer, J.M. Hollander, I. Perlman; University of California, Berkeley; Lawrence Radiation Laboratory; should be used.
(g) For BWRs with stacks the atmospheric diffusion model should be as follows:
(1) The basic equation for atmospheric diffusion from an elevated release is:
/Q = exp( h2/2z2 ) uy z (A14.2)
Where . . .
(2) For time periods of greater than 8 hours the plume from an elevated release should be assumed to meander and spread uniformly over a 22.5° sector. The resultant equation is Equation A14.2 multiplied by 2.032 y/u.
(3) The atmospheric diffusion model for an elevated release as a function of the distance from the reactor, is based on the information in Table A14-1.
(h) For BWRs without stacks the atmospheric diffusion model should be as follows:
(1) The 0–8 hour ground level release concentrations may be reduced by a factor ranging from one to a maximum of three (see Figure. . . ) for additional dispersion produced by the turbulent
wake of the reactor building in calculating potential exposures. The volumetric building wake correction factor, as defined in section 3-3-5-2 of Meteorology and Atomic Energy 1968, should be used only in the 0–8 hour period; it is used with a shape factor of 1/2 and the minimum cross-sectional area of the reactor building only.
(2) The basic equation for atmospheric diffusion from a ground level point source is:
/Q = 1/y z (A14.3)
Where . . .
(3) For time periods of greater than 8 hours the plume should be assumed to meander and spread uniformly over a 22.5° sector. The resultant equation is Equation A14.3 multiplied by 2.032 y/u.
(4) The atmospheric diffusion model for ground level releases is based on the information in Table A14-2.
(5) . . .
D. IMPLEMENTATION
The purpose of the revision (indicated . . .
A14-2. List of contents and extracts from a sample chapter of the Standard Review Plan
SRP 1: List of contents
NUREG-0800 Standard Review Plan for the Review of Safety Analysis Reports for Nuclear Power Plants
LWR Edition
Draft Report for Comment
INTRODUCTION
SRP NO.
CHAPTER 1 INTRODUCTION AND GENERAL DESCRIPTION OF PLANT
1.8 Interfaces for Standard Designs
CHAPTER 2 SITE CHARACTERISTICS
2.1.1 Site Location and Description
2.1.2 Exclusion Area Authority and Control
Table A14-1
Time Following Accident | Atmospheric Conditions
0–8 hours | See Figure . . . Envelope of Pasquill diffusion categories based on Figure . . ., Meteorology and Atomic Energy-1968, assuming various stack heights; windspeed 1 meter/sec; uniform direction.
8–24 hours | See Figure . . . Envelope of Pasquill diffusion categories, windspeed 1 meter/sec: variable direction within a 22.5° sector.
1–4 days | See Figure . . . Envelope of Pasquill diffusion categories with the following relationship used to represent maximum plume concentrations as a function of distance: Atmospheric Condition Case 1: 40% Pasquill A, 60% Pasquill C; Atmospheric Condition Case 2: 50% Pasquill C, 50% Pasquill D; Atmospheric Condition Case 3: 33.3% Pasquill C, 33.3% Pasquill D, 33.3% Pasquill E; Atmospheric Condition Case 4: 33.3% Pasquill D, 33.3% Pasquill E, 33.3% Pasquill F; Atmospheric Condition Case 5: 50% Pasquill D, 50% Pasquill F; windspeed variable (Pasquill Types A, B, E, and F, windspeed 2 meter/sec; Pasquill Types C and D windspeed 3 meter/sec): variable direction within a 22.5° sector.
4–30 days | See Figure . . . Same diffusion relations as given above; windspeed variable dependent on Pasquill Type used: wind direction 33.3% frequency in a 22.5° sector.
Table A14-2
Time Following Accident | Atmospheric Conditions
0–8 hours | Pasquill Type F, windspeed 1 meter/sec, uniform direction
8–24 hours | Pasquill Type F, windspeed 1 meter/sec, variable direction within a 22.5° sector
1–4 days | (a) 40% Pasquill Type D, windspeed 3 meter/sec (b) 60% Pasquill Type F, windspeed 2 meter/sec (c) wind direction variable within a 22.5° sector
4–30 days | (a) 33.3% Pasquill Type C, windspeed 3 meter/sec (b) 33.3% Pasquill Type D, windspeed 3 meter/sec (c) 33.3% Pasquill Type F, windspeed 2 meter/sec (d) Wind direction 33.3% frequency in a 22.5° sector
2.1.3 Population Distribution
2.2.1–2.2.2 Identification of Potential Hazards in Site Vicinity
2.2.3 Evaluation of Potential Accidents
2.3.1 Regional Climatology
2.3.2 Local Meteorology
2.3.3 Onsite Meteorological Measurements Programs
2.3.4 Short-term Dispersion Estimates for Accidental Atmospheric Releases
2.3.5 Long-Term Diffusion Estimates
2.3.6 Site Parameter Envelope [Future]
2.4.1 Hydrologic Description
2.4.2 Floods
2.4.3 Probable Maximum Flood (PMF) on Streams and Rivers
2.4.4 Potential Dam Failures
2.4.5 Probable Maximum Surge and Seiche Flooding
2.4.6 Probable Maximum Tsunami Flooding
2.4.7 Ice Effects
2.4.8 Cooling Water Canals and Reservoirs
2.4.9 Channel Diversions
2.4.10 Flooding Protection Requirements
2.4.11 Cooling Water Supply
2.4.12 Groundwater
2.4.13 Accidental Releases of Liquid Effluents in Ground and Surface Waters
2.4.14 Technical Specifications and Emergency Operation Requirements
2.5.1 Basic Geologic and Seismic Information [Future]
2.5.2 Vibratory Ground Motion [Future]
2.5.3 Surface Faulting [Future]
2.5.4 Stability of Subsurface Materials and Foundations
2.5.5 Stability of Slopes
CHAPTER 3 DESIGN OF STRUCTURES, COMPONENTS, EQUIPMENT, AND SYSTEMS
3.2.1 Seismic Classification
3.2.2 System Quality Group Classification
3.3.1 Wind Loadings
3.3.2 Tornado Loadings
3.4.1 Flood Protection
3.4.2 Analysis Procedures
3.5.1.1 Internally Generated Missiles (Outside Containment)
3.5.1.2 Internally Generated Missiles (Inside Containment)
3.5.1.3 Turbine Missiles
3.5.1.4 Missiles Generated by Natural Phenomena
3.5.1.5 Site Proximity Missiles (Except Aircraft)
3.5.1.6 Aircraft Hazards
3.5.2 Structures, Systems, and Components to be Protected from Externally Generated Missiles
3.5.3 Barrier Design Procedures
3.6.1 Plant Design for Protection Against Postulated Piping Failures in Fluid Systems Outside Containment
3.6.2 Determination of Rupture Locations and Dynamic Effects Associated with the Postulated Rupture of Piping
3.7.1 Seismic Design Parameters
3.7.2 Seismic System Analysis
3.7.3 Seismic Subsystem Analysis
3.7.4 Seismic Instrumentation
3.8.1 Concrete Containment
3.8.2 Steel Containment
3.8.3 Concrete and Steel Internal Structures of Steel or Concrete Containments
3.8.4 Other Seismic Category I Structures
3.8.5 Foundations
3.9.1 Special Topics for Mechanical Components
3.9.2 Dynamic Testing and Analysis of Systems, Components, and Equipment
3.9.3 ASME Code Class 1, 2, and 3 Components, Component Supports, and Core Support Structures
3.9.4 Control Rod Drive Systems
3.9.5 Reactor Pressure Vessel Internals
3.9.6 Inservice Testing of Pumps and Valves
3.10 Seismic and Dynamic Qualification of Mechanical and Electrical Equipment
3.11 Environmental Qualification of Mechanical and Electrical Equipment
3.12 Interfacing System Loss of Coolant Accident (ISLOCA) – Design Review for Systems Interfacing with the Reactor Coolant System [Future]
3.13 Threaded Fasteners
CHAPTER 4 REACTOR
4.2 Fuel System Design
4.3 Nuclear Design
4.4 Thermal and Hydraulic Design
4.5.1 Control Rod Drive Structural Materials
4.5.2 Reactor Internal and Core Support Materials
4.6 Functional Design of Control Rod Drive System
CHAPTER 5 REACTOR COOLANT SYSTEM AND CONNECTED SYSTEMS
5.2.1.1 Compliance with the Codes and Standards Rule, 10 CFR 50.55a
5.2.1.2 Applicable Code Cases
5.2.2 Overpressure Protection
5.2.3 Reactor Coolant Pressure Boundary Materials
5.2.4 Reactor Coolant Pressure Boundary Inservice Inspection and Testing
5.2.5 Reactor Coolant Pressure Boundary Leakage Detection
5.3.1 Reactor Vessel Materials
5.3.2 Pressure-Temperature Limits and Pressurized Thermal Shock
5.3.3 Reactor Vessel Integrity
5.4 Components and Subsystem Design
5.4.1.1 Pump Flywheel Integrity (PWR)
5.4.2.1 Steam Generator Materials
5.4.2.2 Steam Generator Tube Inservice Inspection
5.4.6 Reactor Core Isolation Cooling System (BWR)
5.4.7 Residual Heat Removal (RHR) System
5.4.8 Reactor Water Cleanup System (BWR)
5.4.11 Pressurizer Relief Tank
5.4.12 Reactor Coolant System High Point Vents
CHAPTER 6 ENGINEERED SAFETY FEATURES
6.1.1 Engineered Safety Features Materials
6.1.2 Protective Coating Systems (Paints) – Organic Materials
6.2.1 Containment Functional Design
6.2.1.1.A PWR Dry Containments, Including Subatmospheric Containments
6.2.1.1.B Ice Condenser Containments
6.2.1.1.C Pressure-Suppression Type BWR Containments
6.2.1.2 Subcompartment Analysis
6.2.1.3 Mass and Energy Release Analysis for Postulated Loss-of-Coolant
6.2.1.4 Mass and Energy Release Analysis for Postulated Secondary System Pipe Ruptures
6.2.1.5 Minimum Containment Pressure Analysis for Emergency Core Cooling System Performance Capability Studies
6.2.2 Containment Heat Removal Systems
6.2.3 Secondary Containment Functional Design
6.2.4 Containment Isolation System
6.2.5 Combustible Gas Control in Containment
6.2.6 Containment Leakage Testing
6.2.7 Fracture Prevention of Containment Pressure Boundary
6.3 Emergency Core Cooling System
6.4 Control Room Habitability System
6.5.1 ESF Atmosphere Cleanup Systems
6.5.2 Containment Spray as a Fission Product Cleanup System
6.5.3 Fission Product Control Systems and Structures
6.5.4 Ice Condenser as a Fission Product Cleanup System
6.5.5 Pressure Suppression Pool as a Fission Product Cleanup System
6.6 Inservice Inspection of Class 2 and 3 Components
6.7 Main Steam Isolation Valve Leakage Control System (BWR)
6.8 Reactor Coolant Depressurization Systems (PWR) [Future]
CHAPTER 7 INSTRUMENTATION AND CONTROLS [Future]
CHAPTER 8 ELECTRIC POWER
8.1 Electric Power – Introduction
8.2 Offsite Power System
8.3.1 AC Power Systems (Onsite)
8.3.2 DC Power Systems (Onsite)
8.4 Station Blackout [Future]
8-A Branch Technical Positions (PSB)
8-B General Agenda, Station Site Visits
CHAPTER 9 AUXILIARY SYSTEMS
9.1.1 New Fuel Storage
9.1.2 Spent Fuel Storage
9.1.3 Spent Fuel Pool Cooling and Cleanup System
9.1.4 Light Load Handling System (Related to Refueling)
9.1.5 Overhead Heavy Load Handling Systems
9.2.1 Station Service Water System
9.2.2 Reactor Auxiliary Cooling Water Systems
9.2.3 Demineralized Water Makeup System
9.2.4 Potable and Sanitary Water Systems
9.2.5 Ultimate Heat Sink
9.2.6 Condensate Storage Facilities
9.3.1 Compressed Air System
9.3.2 Process and Post-accident Sampling Systems
9.3.3 Equipment and Floor Drainage System
9.3.4 Chemical and Volume Control System (PWR) (Including Boron Recovery System)
9.3.5 Standby Liquid Control System (BWR)
9.4.1 Control Room Area Ventilation System
9.4.2 Spent Fuel Pool Area Ventilation System
9.4.3 Auxiliary and Radwaste Area Ventilation System
9.4.4 Turbine Area Ventilation System
9.4.5 Engineered Safety Feature Ventilation System
9.5.1 Fire Protection Program
9.5.2 Communications Systems
9.5.3 Lighting Systems
9.5.4 Emergency Diesel Engine Fuel Oil Storage and Transfer System
9.5.5 Emergency Diesel Engine Cooling Water System
9.5.6 Emergency Diesel Engine Starting System
9.5.7 Emergency Diesel Engine Lubrication System
9.5.8 Emergency Diesel Engine Combustion Air Intake and Exhaust
CHAPTER 10 STEAM AND POWER CONVERSION SYSTEM
10.2 Turbine Generator
10.2.3 Turbine Rotor Integrity
10.3 Main Steam Supply System
10.3.6 Steam and Feedwater System Materials
10.4.1 Main Condensers
10.4.2 Main Condenser Evacuation System
10.4.3 Turbine Gland Sealing System
10.4.4 Turbine Bypass System
10.4.5 Circulating Water System
10.4.6 Condensate Cleanup System
10.4.7 Condensate and Feedwater System
10.4.8 Steam Generator Blowdown System (PWR)
10.4.9 Auxiliary Feedwater System (PWR)
CHAPTER 11 RADIOACTIVE WASTE MANAGEMENT
11.1 Source Terms
11.2 Liquid Waste Management Systems
11.3 Gaseous Waste Management Systems
11.4 Solid Waste Management Systems
11.5 Process and Effluent Radiological Monitoring Instrumentation and Sampling Systems
CHAPTER 12 RADIATION PROTECTION
12.1 Assuring that Occupational Radiation Exposures Are As Low As Is Reasonably Achievable
12.2 Radiation Sources
12.3–12.4 Radiation Protection Design Features
12.5 Operational Radiation Protection Program
CHAPTER 13 CONDUCT OF OPERATIONS
13.1.1 Management and Technical Support Organization
13.1.2–13.1.3 Operating Organization
13.2.1 Reactor Operator Training
13.2.2 Training For Non-Licensed Plant Staff
13.3 Emergency Planning
13.4 Operational Review
13.5.1.1 Administrative Procedures – General
13.5.1.2 Administrative Procedures – Initial Test Program
13.5.2.1 Operating and Emergency Operating Procedures
13.5.2.2 Maintenance and Other Operating Procedures
13.6 Physical Security
CHAPTER 14 INITIAL TEST PROGRAM AND ITAAC-DESIGN CERTIFICATION
14.2 Initial Plant Test Program – Final Safety Analysis Report
14.3 Inspections, Tests, Analyses, and Acceptance Criteria – Design Certification
14.3.1 Site Parameters (Tier 1)
14.3.2 Structural and Systems Engineering (Tier 1)
14.3.3 Piping Systems and Components (Tier 1)
14.3.4 Reactor Systems (Tier 1)
14.3.5 Instrumentation and Controls (Tier 1)
14.3.6 Electrical Systems (Tier 1)
14.3.7 Plant Systems (Tier 1)
14.3.8 Radiation Protection and Emergency Preparedness (Tier 1)
14.3.9 Human Factors Engineering (Tier 1)
14.3.10 Initial Test Program and D-RAP (Tier 1)
14.3.11 Containment Systems and Severe Accidents (Tier 1)
CHAPTER 15 ACCIDENT ANALYSIS
15.0 Accident Analysis – Introduction
15.1.1–15.1.4 Decrease in Feedwater Temperature, Increase in Feedwater Flow, Increase in Steam Flow, and Inadvertent Opening of a Steam Generator Relief or Safety Valve
15.1.5 Steam System Piping Failures Inside and Outside of Containment (PWR)
15.1.5.A Radiological Consequences of Main Steam Line Failures Outside Containment of a PWR
15.2.1–15.2.5 Loss of External Load; Turbine Trip; Loss of Condenser Vacuum; Closure of Main Steam Isolation Valve (BWR); and Steam Pressure Regulator Failure (Closed)
15.2.6 Loss of Non emergency AC Power to the Station Auxiliaries
15.2.7 Loss of Normal Feedwater Flow
15.2.8 Feedwater System Pipe Breaks Inside and Outside Containment
15.3.1–15.3.2 Loss of Forced Reactor Coolant Flow Including Trip of Pump Motor and Flow Controller Malfunctions
15.3.3–15.3.4 Reactor Coolant Pump Rotor Seizure and Reactor Coolant Pump Shaft Break
15.4.1 Uncontrolled Control Rod Assembly Withdrawal from a Subcritical or Low Power Startup Condition
15.4.2 Uncontrolled Control Rod Assembly Withdrawal at Power
15.4.3 Control Rod Misoperation (System Malfunction or Operator)
15.4.4–15.4.5 Startup of an Inactive Loop or Recirculation Loop at an Incorrect Temperature, and Flow Controller Malfunction Causing an Increase in BWR Core Flow Rate
15.4.6 Chemical and Volume Control System Malfunction that Results in a Decrease in Boron Concentration in the Reactor Coolant (PWR)
15.4.7 Inadvertent Loading and Operation of a Fuel Assembly in an Improper Position
15.4.8 Spectrum of Rod Ejection Accidents (PWR)
15.4.8.A Radiological Consequences of a Control Rod Ejection Accident (PWR)
15.4.9 Spectrum of Rod Drop Accidents (BWR)
15.4.9.A Radiological Consequences of Control Rod Drop Accident (BWR)
15.5.1–15.5.2 Inadvertent Operation of ECCS and Chemical and Volume Control System Malfunction that Increases Reactor Coolant Inventory
15.6.1 Inadvertent Opening of a PWR Pressurizer Pressure Relief Valve or a BWR Pressure Relief Valve
15.6.2 Radiological Consequences of the Failure of Small Lines Carrying Primary Coolant Outside Containment
15.6.3 Radiological Consequences of Steam Generator Tube Failure
15.6.4 Radiological Consequences of Main Steam Line Failure Outside Containment (BWR)
15.6.5 Loss-of-Coolant Accidents Resulting From Spectrum of Postulated Piping Breaks Within the Reactor Coolant Pressure Boundary
15.6.5.A Radiological Consequences of a Design Basis Loss-of-Coolant Accident Including Containment Leakage Contribution
15.6.5.B Radiological Consequences of a Design Basis Loss-of-Coolant Accident: Leakage From Engineered Safety Feature Components Outside Containment
15.6.5.D Radiological Consequences of a Design Basis Loss-of-Coolant Accident: Leakage From Main Steam Isolation Valve Leakage Control System (BWR)
15.7.3 Postulated Radioactive Releases Due to Liquid-Containing Tank Failures
15.7.4 Radiological Consequences of Fuel Handling Accidents
15.7.5 Spent Fuel Cask Drop Accidents
15.8 Anticipated Transients Without Scram [Future]
CHAPTER 16 TECHNICAL SPECIFICATIONS
16.0 Technical Specifications
CHAPTER 17 QUALITY ASSURANCE
17.1 Quality Assurance During the Design and Construction Phases
17.2 Quality Assurance During the Operations Phase
17.3 Quality Assurance Program Description
17.4 Reliability Assurance Program
CHAPTER 18 HUMAN FACTORS ENGINEERING
18.0 Human Factors Engineering
CHAPTER 19 SEVERE ACCIDENTS
19.1 Probabilistic Risk Assessment [Future]
19.2 Severe Accident Containment Performance [Future]
APPENDIX I INTEGRATED IMPACTS
APPENDIX II POTENTIAL IMPACTS
A14-3. Sample chapter
The following is a sample chapter from Ch. 6.5.2 ‘Containment Spray as a Fission Product Cleanup System’.
6.5.2 CONTAINMENT SPRAY AS A FISSION PRODUCT CLEANUP SYSTEM
REVIEW RESPONSIBILITIES
Primary – Materials and Chemical Engineering Branch (EMCB)
Secondary – Plant Systems Branch (SPLB)
Emergency Preparedness and Radiation Protection Branch (PERB)
I. AREAS OF REVIEW . . .
(1) Fission Product Removal Requirement for Containment Spray . . .
(2) Design Bases . . .
(3) System Design
The information on the design of the spray system, including any subsystems and supporting systems, is reviewed to familiarize the reviewer with the design and operation of the system. The information includes:
(a) The description of the basic design concept; the systems, subsystems, and support systems required to carry out the fission product scrubbing function of the system; and the components and instrumentation employed in these systems.
(b) The process and instrumentation diagrams.
(c) Layout drawings (plans, elevations, isometrics) of the spray distribution headers.
(d) Plan views and elevations of the containment building layout.
(4) Testing and Inspections . . .
(5) Technical Specifications . . .
II. ACCEPTANCE CRITERIA . . .
The acceptance criteria for the fission product cleanup function of the containment spray system are based on meeting the relevant requirements of the following regulations:
A. General Design Criterion 41 (Reference. . . ) as it relates to containment atmosphere cleanup systems being designed to control fission product releases to the reactor containment following postulated accidents.
B. Specific criteria necessary to meet the relevant requirements of General Design Criteria 41, 42, and 43 include:
(1) Design Requirements for Fission Product Removal
The containment spray system should be designed in accordance with the requirements of ANSI/ANS 56.5 (Reference. . . ), except that requirements for any spray additive or other pH control system in this reference need not be followed.
(a) System Operation
The containment spray system should be designed to be initiated automatically by an
appropriate accident signal and to be transferred automatically from the injection mode to the recirculation mode to ensure continuous operation until the design objectives of the system have been achieved. In all cases, the operating period should not be less than two hours. Additives to the spray solution may be initiated manually or automatically, or may be stored in the containment sump to be dissolved during the spray injection period.
(b) Coverage of Containment Building Volume
In order to ensure full spray coverage of the containment building volume, the following should be observed:
(1) The spray nozzles should be located as high in the containment building as practicable to maximize the spray drop fall distance.
(2) The layout of the spray nozzles and distribution headers should be such that the cross-sectional area of the containment building covered by the spray is as large as practicable and that a nearly homogeneous distribution of spray in the containment building space is produced. Unsprayed regions in the upper containment building and, in particular, an unsprayed annulus adjacent to the containment building liner should be avoided wherever possible.
(3) In designing the layout of the spray nozzle positions and orientations, the effect of the post-accident atmosphere should be considered, including the effects of post-accident conditions that result in the maximum possible density of the containment atmosphere.
(c) Promotion of Containment Building Atmosphere Mixing
Because the effectiveness of the containment spray system depends on a well-mixed containment atmosphere, all design features enhancing post-accident mixing should be considered.
(d) Spray Nozzles
The nozzles used in the containment spray system should be of a design that minimizes the possibility of clogging while producing drop sizes effective for iodine absorption.
The nozzles should not have internal moving parts such as swirl vanes, turbulence promoters, etc. They should not have orifices or internal restrictions which would narrow the flow passage to less than 0.64 cm (0.25 inch) in diameter.
(e) Spray Solution
The partition of iodine between liquid and gas phases is enhanced by the alkalinity of the solution. The spray system should be designed so that the spray solution is within material compatibility constraints. Iodine scrubbing credit is given for spray solutions whose chemistry, including any additives, has been demonstrated to be effective for iodine absorption and retention under post-accident conditions.
(f) Containment Sump Solution Mixing
The containment sump should be designed to permit mixing of emergency core cooling system (ECCS) and spray solutions. Drains to the engineered safety features sump should be provided for all regions of the containment which would collect a significant quantity of the spray solution. Alternatively, allowance should be made for "dead" volumes in the determination of the pH of the sump solution and the quantities of additives injected.
(g) Containment Sump and Recirculation Spray Solutions
The pH of the aqueous solution collected in the containment sump after completion of injection of containment spray and ECCS water, and all additives for reactivity control, fission product removal, or other purposes, should be maintained at a level sufficiently high to provide assurance that significant long-term iodine re-evolution does not occur. Long-term iodine retention is calculated on the basis of the expected long-term partition coefficient. Long-term iodine retention may be assumed only when the equilibrium sump solution pH, after mixing and dilution with the primary coolant and ECCS injection, is above 7 (Reference. . . ). This pH value should be achieved by the onset of the spray recirculation mode.
(h) Storage of Additives . . .
(i) Single Failure . . .
(2) Testing . . .
(3) Technical Specifications . . .
III. REVIEW PROCEDURES . . .
C. Fission Product Cleanup Models
The reviewer estimates the area of the interior surfaces of the containment building which could be washed by the spray system, the volume flow rate of the system (assuming single failure), the average drop fall height and the mass-mean diameter of the spray drops, from inspection of the information in the SAR.
The effectiveness of a containment spray system may be estimated by considering the chemical and physical processes that could occur during an accident in which the system operates. Models containing such considerations are reviewed on case-by-case bases. NUREG/CR-5966 (Reference. . . ) provides a method for review of containment spray models and evaluating the effectiveness of the spray design in the removal of fission products from the containment atmosphere. This model is used in conjunction with the fission product release assumptions in NUREG-1465.
In the absence of detailed models, the following simplifications may be used:
Experimental results (References. . . ) and computer simulations of the chemical kinetics involved (Reference. . . ) show that an important factor determining the effectiveness of sprays against elemental iodine vapor is the concentration of iodine in the spray solution. Experiments with fresh sprays having no dissolved iodine were observed to be quite effective in the scrubbing of elemental iodine even at a pH as low as 5 (References. . . ). However, solutions having dissolved iodine, such as the sump solutions that recirculate after an accident, may revolatilize iodine if the solutions are acidic (References. . . ). Chemical additives in the spray solution have no significant effect upon aerosol particle removal because this removal process is largely mechanical in nature.
(1) Elemental iodine removal during spraying of fresh solution
During injection, the removal of elemental iodine by wall deposition may be estimated by w = Kw A/V. (Note: this is the fraction of iodine removed by the spray in one second, order of magnitude = 3 × 10⁻³). Here, w is the first-order removal coefficient by wall deposition, A is the wetted surface area, V is the containment building net free volume, and Kw is a mass-transfer coefficient. All available experimental data are conservatively enveloped if Kw is taken to be 4.9 meters per hour (Reference. . . ).
During injection, the effectiveness of the spray against elemental iodine vapor is chiefly determined by the rate at which fresh solution surface area is introduced into the containment building atmosphere. The rate of solution surface created per unit gas volume in the containment atmosphere may be estimated as (6F/VD), where F is the volume flow rate of the spray pump, V is the containment building net free volume, and D is the mass-mean diameter of the spray drops. The first-order removal coefficient by spray, s, may be taken to be s = 6 Kg T F/V D, where Kg is the gas-phase mass-transfer coefficient, and T is the time of fall of the drops, which may be estimated by the ratio of the average fall height to the terminal velocity of the mass-mean drop (Reference. . . ). The above expression represents a first-order approximation if a well-mixed droplet model is used for the spray efficiency. The expression is valid for s values equal to or greater than ten per hour. s is to be limited to 20 per hour to prevent extrapolation beyond the existing data for boric acid solutions with a pH of 5 (References. . . ). For s values less than ten per hour, analyses using a more sophisticated expression are recommended.
(2) Elemental iodine removal during recirculation of sump solution
The sump solution at the end of injection is assumed to contain fission products washed from the reactor core as well as those removed from the containment atmosphere. The radiation absorbed by the sump solution, if the solution is acidic, would generate hydrogen peroxide (Reference. . . ) in sufficient amount to react with both iodide and iodate ions and raise the possibility of elemental iodine re-evolution (Reference. . . ).
For sump solutions having pH values less than 7, molecular iodine vapour should be conservatively assumed to evolve into the containment atmosphere (Reference. . . ). Information on the partition coefficients for molecular iodine can be found in References . . ..
The equilibrium partitioning of iodine between the sump liquid and the containment atmosphere is examined for the extreme additive concentrations determined in Section III.1.a.(2), in combination with the range of temperatures possible in the containment atmosphere and the sump solution. The reviewer should consider all known sources and sinks of acids and bases (e.g. alkaline earth and alkali metal oxides, nitric acid generated by radiolysis of nitrogen and water, alkaline salts or lye additives) in a post-accident containment environment. The minimum iodine partition coefficient determined for these conditions forms the basis of the ultimate iodine decontamination factor in the staff’s analysis described in subsection III.4.d. (3) Organic iodides It is conservative to assume that organic iodides are not removed by either spray or wall deposition. Radiolytic destruction of iodomethane may be modeled, but such a model must also consider radiolytic production (Reference. . . ). Engineered safety features designed to remove organic iodides are reviewed on a case-by-case basis. (4) Particulates The first-order removal coefficient, p, for particulates may be estimated by p ¼ 3 h F E/ 2 V D, where h is the fall height of the spray drops, V is the containment building net free volume, F is the spray flow, and (E/D) is the ratio of a dimensionless collection efficiency E to the average spray drop diameter D. Since the removal of particulate material depends markedly upon the relative sizes of the particles and the spray drops, it is convenient to combine parameters that cannot be known (Reference. . . ). It is conservative to assume (E/ D) to be 10 per meter initially (i.e. 1% efficiency for spray drops of one millimeter in diameter), changing abruptly to one per meter after the aerosol mass has been depleted by a factor of 50 (i.e. 98% of the suspended mass is ten times more readily removed than the remaining 2%). D. 
The iodine decontamination factor, DF, is defined as the maximum iodine concentration in the containment atmosphere divided by the concentration of iodine in the containment atmosphere at some time after decontamination. DF for the containment atmosphere achieved by the containment spray system is determined from the following equation (Reference. . . ): $DF = 1 + V_s H / V_c$, where $H$ is the effective iodine partition coefficient, $V_s$ is the volume of liquid in containment sump and sump overflow, and $V_c$ is the containment building net free volume less $V_g$. The maximum decontamination factor is 200 for elemental iodine. The effectiveness of the spray in removing elemental iodine shall be presumed to end at that time, post-LOCA, when the maximum elemental iodine DF is reached. Because the removal mechanisms for organic iodides and particulate iodines are significantly different from and slower than that for elemental iodine, there is no need to limit the DF for organic iodides and particulate iodines.
For standard design certification reviews under 10 CFR Part 52, the procedures above should be followed, as modified by the procedures in SRP Section 14-3 (proposed), to verify that the design set forth in the standard safety analysis report, including inspections, tests, analysis, and acceptance criteria (ITAAC), site interface requirements and combined license action items, meet the acceptance criteria given in subsection II. SRP Section 14-3 (proposed) contains procedures for the review of certified design material (CDM) for the standard design, including the site parameters, interface criteria, and ITAAC.
IV. EVALUATION FINDINGS . . .
V. IMPLEMENTATION . . . The following guidance is provided to applicants and licensees about the staff’s plans for using this SRP section . . .
VI. REFERENCES . . .
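The two-stage particulate removal and the elemental iodine DF limit described above can be worked through numerically. The following Python sketch is an added example, not taken from the book or from the SRP; the plant inputs, the elemental removal coefficient and all function names are constructed for illustration, and removal is treated as first-order from the peak concentration.

```python
import math

# Constructed plant inputs (illustrative assumptions, not values from the text).
FALL_HEIGHT_M = 30.0       # h: fall height of the spray drops
SPRAY_FLOW_M3_H = 700.0    # F: spray flow
FREE_VOLUME_M3 = 60000.0   # V: containment building net free volume


def particulate_removal_coefficient(h, flow, volume, e_over_d):
    """p = 3 h F (E/D) / (2 V). With F in m3/h the result is in 1/h."""
    if min(h, flow, volume, e_over_d) <= 0:
        raise ValueError("all inputs must be positive")
    return 3.0 * h * flow * e_over_d / (2.0 * volume)


def switch_time_h(h, flow, volume, ed_initial=10.0, depletion=50.0):
    """Time at which the aerosol mass has been depleted by `depletion`,
    i.e. when E/D drops abruptly from its initial to its late value."""
    p_initial = particulate_removal_coefficient(h, flow, volume, ed_initial)
    return math.log(depletion) / p_initial


def airborne_particulate_fraction(t_h, h, flow, volume,
                                  ed_initial=10.0, ed_late=1.0,
                                  depletion=50.0):
    """Fraction of the initial aerosol mass still airborne after t_h hours
    of spray operation, using the conservative two-stage E/D assumption."""
    if t_h < 0:
        raise ValueError("time must be non-negative")
    p_initial = particulate_removal_coefficient(h, flow, volume, ed_initial)
    p_late = particulate_removal_coefficient(h, flow, volume, ed_late)
    t_switch = math.log(depletion) / p_initial
    if t_h <= t_switch:
        return math.exp(-p_initial * t_h)
    # After the switch only the hard-to-remove remainder (1/depletion) is left,
    # and it is removed ten times more slowly with the default E/D values.
    return math.exp(-p_late * (t_h - t_switch)) / depletion


def elemental_iodine_df(sump_volume, gas_volume, partition_coeff,
                        df_cap=200.0):
    """DF = 1 + Vs H / Vc, limited to the maximum of 200 for elemental iodine."""
    if min(sump_volume, gas_volume, partition_coeff) <= 0:
        raise ValueError("all inputs must be positive")
    return min(1.0 + sump_volume * partition_coeff / gas_volume, df_cap)


def elemental_spray_cutoff_h(df, removal_coeff_per_h):
    """Time after which no further elemental iodine removal is credited.
    Assumes first-order removal, exp(coeff * t) = DF, with a coefficient
    supplied by the caller (the text above does not give one)."""
    if df < 1.0 or removal_coeff_per_h <= 0:
        raise ValueError("DF must be >= 1 and the coefficient positive")
    return math.log(df) / removal_coeff_per_h


if __name__ == "__main__":
    args = (FALL_HEIGHT_M, SPRAY_FLOW_M3_H, FREE_VOLUME_M3)
    print("initial coefficient (1/h):",
          particulate_removal_coefficient(*args, 10.0))
    print("E/D switch time (h):", round(switch_time_h(*args), 3))
    for t in (0.25, 0.5, 1.0, 2.0, 4.0):
        print(t, "h ->", airborne_particulate_fraction(t, *args))
    df = elemental_iodine_df(1500.0, 58500.0, 5000.0)
    print("elemental DF:", round(df, 1),
          "cutoff (h):", round(elemental_spray_cutoff_h(df, 10.0), 3))
```

With these inputs the fast stage ends after about 0.75 h; a single-stage model that kept E/D at 10 per meter would overstate the removal at 2 h by more than two orders of magnitude.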
Appendix 15 Safety cage
A15-1. General remarks
This appendix considers one of the more ‘extreme’ solutions against severe accidents (see Chapter 5) which consists of a steel-reinforced concrete cage built around a PWR vessel with the purpose of absorbing, by plastic deformation, the energy released by a steam explosion (internal or external to the vessel) and which causes its rupture and the violent projection of its pieces into the surrounding space. A possible conceptual scheme is presented with the verification calculations. (The calculations and drawings are due to Dr Eng Giuseppe Pino.) The results of some experimental tests at a reduced scale performed several years ago on safety cages similar to the one described are presented.
A15-2. Available energy
This evaluation is undertaken for an AP 600 reactor. The mass of the molten core is about 110 t (61 t of UO2, 18.8 t of Zr, 29.2 t of stainless steel). The initial temperature of the corium ranges between 2000 K and 2500 K and the final temperature, after quenching in water, is about 400 K. On the basis of the specific heat and of the fusion heat, the specific thermal energy is about 1 MJ kg⁻¹ and therefore the total energy amounts to about 110 000 MJ.
A15-3. Mechanical energy which can be released
The conversion of thermal energy into mechanical energy in this phenomenon has a low efficiency, ranging from 2 to 15 per cent with a likely value close to 4–5 per cent. Therefore the mechanical energy produced by the reaction for all the 110 t of corium will range between 2200 MJ and 16 500 MJ, with a likely value of about 5000 MJ. Considering various assumptions on the fall of corium in water within the vessel, it can be concluded that only 2 per cent of the entire mass takes part in the explosion. Therefore, for steam explosions within the vessel, the value of the energy released may range from 45 MJ to 330 MJ. For hypothetical explosions occurring outside the vessel, a rough first evaluation can be made. If the assumption is made of a corium release from penetrations in the vessel bottom head, the mass which could take part in the explosion is the one which could leave the vessel, at the existing internal pressure, in the typical delay time for the triggering of such explosions (about 1–2 s). For a hole of 100 mm of equivalent diameter, the mass concerned is of the order of 7400 kg which can originate 330 MJ of mechanical energy, given the above discussed efficiency levels. Even in the case of an abrupt failure of the vessel bottom head with the release of all the molten core, phenomena exist which prevent all the fallen mass from taking part in the explosion. It is estimated that not more than 10 per cent of it can be involved, with a release of mechanical energy of the order of 1650 MJ. These values of available energy are comparable but lower than those taken into consideration by the Karlsruhe Research Center (KFK) and quoted in the figures given in Chapter 5 (the reactor in that example is different from the one considered here and some of the estimates concerning the conversion of thermal to mechanical energy are rather different). Both evaluations, however, have their validity.
A15-4. Overall sizing of a structural cage around the pressure vessel
The overall sizing of a structural cage around the vessel is illustrated here. The aim of the cage is to absorb the impact of internally originated missiles having an energy corresponding to a steam explosion, to a pressure failure of the vessel and to a destructive reactivity excursion. The worst case is discussed, corresponding to a steam explosion with a mechanical energy of 1650 MJ. The structural scheme chosen is shown in Figure A15-1. An upper box-like structure of hemispherical shape, located above the vessel, is made from a number of webs with a section of 0.03 × 1 m, positioned along the meridian lines, and of two curved shells at their inside and outside lines having, respectively, a thickness of 20 and 30 mm. The meridian webs are connected to an annular beam, also of a box-like construction, connected by tendons located on its median circumference with the reinforced concrete structure of the reactor building. In a first-trial sizing, 476 tendons were considered, with a diameter of approximately 76.2 mm (equal to 3 inches), ungrouted for the largest part of their length, about 24 m, and grouted in the reinforced concrete structure in their terminal anchorage zone. The weight of the upper hemispherical structure is about 150 t.
[Figure A15-1. Scheme of structural cage for containment of the effects of a steam explosion. Labelled parts: upper steel shell; webs; lower steel shell; annular box-like beam for anchorage of tendons; mobile wall; ungrouted steel bars Φ 3″, L = 24 m; annular tunnel; connections of tendons to anchorages; tendon anchorages.]
Verification of the tendons
It is assumed that all the mechanical energy available is transferred to the ‘missile’ (the entire vessel), neglecting the deformation and rupture energy of the pipes. It is also assumed that this energy is totally absorbed by the plastic deformation of the tendons, up to an admissible ductility limit of $0.5(\varepsilon_u/\varepsilon_e)$, according to the suggestions of the ASCE (ASCE, 1997), where $\varepsilon_u$ and $\varepsilon_e$ are the specific elongation at rupture and the specific elongation at elastic limit, respectively. The material chosen is a special T1 steel with the following characteristics: $\sigma_u = 7 \times 10^7$ kg m⁻² and $\varepsilon_u$ of 16%. The admissible ductility is $\mu = 0.5(0.16/0.002) = 40$. The overall yield force which the tendons have to exert is $R_y = E/(x_e(\mu - 1/2))$, where $E$ is the absorbed energy (kg m) and $x_e$, the elastic deformation of the tendons, is $0.002 \times 24 = 0.048$ m.
$$R_y = \frac{165 \times 10^3}{0.048\,(40 - 1/2)} = 87\,025\ \text{t}$$
The overall tendon cross-section required is $A_a = 87\,025\,000/(7 \times 10^7) = 1.2432$ m², corresponding to 354 bars of 76.2 mm, which is fewer than the number of bars in the first trial. The verification has therefore had a positive result and some resistance margin exists. It can be verified with similar calculations that the upper hemispherical structure is equally adequate, as well as the lateral structure of the reactor cavity (suitably reinforced by additional steel bars, within the limits of practical feasibility).
[Figure A15-2. Lateral view and cross-section of the test vessel and cage. Labelled parts: cage rings; copper tile and plastic explosive; vessel; blocks.]
A15-5. Experimental tests on steel cages for the containment of vessel explosions
Some tests were performed in Italy at the end of the 1960s to verify the calculations and effectiveness of the scheme. The case studied was a little different from that caused by a steam explosion, in that the rupture of a pressurized vessel was induced by the instantaneous creation of a supercritical crack and the surrounding cage had to prevent the separation of vessel fragments in order to limit damage to nearby components and structures. The mechanism of loading the cage and the way in which the containment was obtained were, however, identical to those of the case examined here. Figure A15-2 shows the lateral view (from which it can be understood why the test team called it salama) and a longitudinal section of the vessel and cage. The latter comprised seven rings connected by four longitudinal bars. Some spacer blocks were attached to the rings in order to simulate a full-scale structural scheme, where the vessel should have a free space around it to be filled by the thermal insulation. The crack was suddenly generated by the firing of a small copper tile externally lined by a plastic explosive, placed along the trace of the crack to be generated. The explosion of the plastic projected molten copper onto the vessel, converging at the centreline of the small tile and causing a sharp cut in the vessel steel. CO2 bottles at 1–2 MPa were used as the pressure vessel. Both longitudinal (linear axial crack) and circumferential (arc of circle crack) breaks were simulated. The behaviour of the cage (rings and bars) was as anticipated assuming a uniform load on the blocks and on the bars (according to the crack position) and a perfectly elastic–plastic behaviour of the material. For the longitudinal cracks, for example, the cage rings were plastically deformed into almost perfect hexagons.
Reference
ASCE 40265, 1997, ‘Design of blast resistant buildings in petrochemical facilities’, USA.
Appendix 16 Criteria for the site chart (Italy)
A16-1. Population and land use
The exclusion criteria adopted are the following:
(1) A population factor weighted over circular rings lower than 20 000 with a weight given by Table A16-1 (or by an equivalent bi-logarithmic graph).
(2) A population factor weighted on the most unfavourable 22°30′ sector from the origin up to 50 km, lower than 6500 (with the weight given by $r^{-1.5}$, where r is the distance in kilometres).
(3) A distance of at least 10 km from population centres with many hundreds of thousands of inhabitants.
(4) A distance of at least 20 km from population centres with many hundreds of thousands of inhabitants.
(5) The availability, around the centre of the site, of a circular area of the diameter of about 1 km which can be put under the direct control of the utility.
The criteria on the population distribution and on its weight are connected with the assumption of an accidental release of $3.7 \times 10^{13}$ Bq of iodine-131 and of the other associated nuclides, with a maximum effective dose to the individual (adult) equal to 0.01 Sv and with a thyroid maximum dose of a few tens of millisieverts. The criteria concerning population centres are connected with the possibility to proceed, in case of very serious accident, to the evacuation of population centres.

Table A16-1. Population factor
Distance (km)    Factor
1                1
2                0.66
5                0.25
10               0.07
15               0.03
20               0.001
A16-2. Geology, seismology and soil mechanics
(1) Areas are excluded which have shown tectonic and volcanic activity in recent geological times (upper Pleistocene).
(2) Areas are excluded where historical data indicate earthquakes of intensity X or higher on the Mercalli–Cancani–Sieberg scale. Historical data may be completed by seismotectonic studies in order to determine if the areas without such historical earthquakes are in any case susceptible to originate them in the future and should therefore be excluded.
(3) Specific sites have to be excluded where in case of earthquake the following occurrences may happen: maximum ground acceleration incompatible with proven features of the design; unacceptable karstic phenomena; surface faulting; liquefaction beyond the design capabilities. (It is observed that this criterion excludes particular sites having the possibility of movement of surface faults.)
A16-3. Engineering requirements
(1) Availability of condenser water (see Table A16-2).
(2) Ground slopes less than 5–10 per cent on the site.
(3) Distance from communication lines less than 10 km with elevation differences lower than 100 m.

Table A16-2. Condenser water
Flowing water: About 50 m³ s⁻¹ for each 1000 MWe unit at less than 3 km distance
Wet towers: About 1.5 m³ s⁻¹ per unit of 1000 MWe with evaporation of one half and restitution of the remaining amount (minimum flow of the water body of 12 m³ s⁻¹ for at least 355 days per year to comply with water heating limits)
Dry towers: No requirement
A16-4. Extreme events from human activities
The following criteria have been temporarily adopted (waiting for design solutions):
(1) For military airports, a distance of at least 15 km from the runways and at least 8 km from the airport area.
(2) For civil airports, a minimum distance of at least 8 km from the airport area (for airports with small tourism airplanes only, having small dimensions and velocities, about 250 km h⁻¹, the distance is halved).
(3) A distance of at least 8 km from important firing ranges and from areas with non-removable military restrictions.
(4) Distances from potentially dangerous industrial installations and from communication lines also for the transport of dangerous substances, to be studied case-by-case.
A16-5. Extreme natural events
Areas subject to extreme natural phenomena (floods, snow slides and so on) have to be excluded if absolutely safe design provisions cannot be adopted. For floods, in particular, it should be possible to place the plant at an elevation of objective safety (natural or artificial). Particular attention should be given to:
- relatively narrow valleys, dominated by lakes, water reservoirs or dams;
- areas which could be subject, in case of earthquake, to landslides, snow slides and avalanches;
- coastal areas subject to tidal waves.
Appendix 17 The Three Mile Island accident
A17-1. Summary description of the Three Mile Island no.2 Plant
Three Mile Island on the Susquehanna River is located about 16 km SE of Harrisburg Pa, USA. It is a flat island with a surface of several square kilometres. Some years ago it was chosen as the site for a nuclear power station with two units named TMI-1 and TMI-2. Each unit has its own reactor and turbine-generator group for the conversion of steam into electric energy. The two units could supply 1700 MW to the grid, sufficient for the needs of 300 000 families (based on the average consumption of a US family). The power station was the joint property of the Pennsylvania Electric Company, the Jersey Central Power & Light Company and the Metropolitan Edison Company. The three companies were part of a ‘holding’, the General Public Utilities Corporation (GPU). Operational responsibility was vested in Metropolitan Edison. The nuclear part of the plant (i.e. the reactor and its auxiliary systems – the ‘nuclear island’) had been supplied by the Babcock & Wilcox company. The architect engineer, Burns & Roe, had built the remainder of the plant.
[Figure A17-1. Simplified schematic of the TMI 2 plant, showing the reactor building (containment), the auxiliary building, the turbine building and the cooling tower, with the numbered components referred to in the text.]
The plant, equipped with a pressurized water reactor, is represented in a simplified way in Figure A17-1. The vessel (1) contains the reactor core (2) in which the control rods can be inserted from above (3). The cooling system is formed by two circuits (in the figure only one is represented), each one provided with two recirculation pumps (4) and with one steam generator (5). The steam produced in the secondary side of the generator is routed to the turbine (6) and converted to water again in the condenser. The condensate returns to the steam generators through the normal feedwater pumps (7). The water is also passed through a filtration and purification device which has the objective of maintaining a high degree of purity and therefore of avoiding corrosion of the mechanical components (steam generators, turbine, piping, etc.). In addition to the normal feedwater system, an auxiliary system exists with three pumps which start automatically in case of need. The transformation of water into steam in the secondary side of the steam generators takes heat and therefore cools the water which circulates in the primary system of the same generators. The two water flows, the primary and the secondary one, are on opposite sides of the metal wall of small pipes located in each steam generator. Through this wall the warmer fluid, primary water, transmits heat to the colder fluid, that is the secondary water, and converts it into steam. The primary water, which therefore leaves the generator at a lower temperature than the initial one, is recirculated by pumps (4) through the reactor core and removes the heat produced by the nuclear chain reaction. Once the warmed primary water leaves the core, it re-enters into the steam generators, so starting again its cooling-heating cycle, transporting the heat of nuclear origin and producing the steam which operates the turbine. The stability of the pressure of the primary system is assured by the pressurizer (8). This is a vertical vessel whose volume is normally 60 per cent filled with water and 40 per cent by steam. The lower part of it (filled with water) is connected by a surge line with one of the two primary cooling circuits: electrical heaters are immersed in the water. The upper part (filled with steam) can be sprayed by cold water. The introduction of cold water by the sprays or the switching on of heaters takes care of the control of the pressure. In fact, when cold water is sprayed, the pressure decreases, and when the heaters are switched on, the opposite happens.
When the reactor pressure exceeds a certain value, the relief valve (9) is automatically actuated. This valve is located on the upper part of the pressurizer and discharges steam into a discharge collecting tank (10), partly filled with cold water and provided with an emergency rupture disc (11), which avoids its excessive pressurization. When the pressure within the tank reaches the intervention level of the rupture disc, it breaks, discharging the excess fluid into the containment building (12). The relief valve is preceded by a block valve. If the relief valve remains stuck open, with consequent excessive loss of steam, the block valve can be closed from the control room, so preventing steam efflux from the pressurizer. The liquids collected on the bottom of the containment building are transferred by a sump pump (13) to the radioactive discharges tank (14) located in the auxiliary building (15). This building is provided with a filtered ventilation system. The reactor is assisted by the following Emergency Core Cooling Systems (ECCS):
- A high pressure injection system (HPI) with three pumps for the injection of borated water in the reactor. In emergency operation, which is automatically activated by low pressure of the primary system or by high pressure in the containment building, two pumps activate. Analyses show that only one pump is necessary to prevent core damage in cases of small breaks in the cooling system.
- A flooding system provided with two systems containing pressurized borated water, which automatically inject water when the pressure goes below a preset value. This system has the objective of protecting the core in cases of intermediate and large breaks in the primary cooling system.
- A low pressure injection system provided with two pumps which inject borated water in the reactor. The system is automatically operated by the same types of signal as the high pressure system. This system ensures the cooling of the core in cases of large breaks, while in cases of small breaks it operates after the operation of the high pressure system, when the primary pressure has reached a sufficiently low level. Analyses show that only one pump is necessary to guarantee cooling.
The primary circuit and the steam generators are located inside the containment building in prestressed concrete, with a steel liner to assure it is leak-proof. The atmosphere of the building can be refrigerated by fan cooler groups. Recombiners are provided for the treatment of hydrogen (which is possibly released within the building in an accident).
Moreover, a containment atmosphere spray system exists aimed at reducing the temperature, and consequently the pressure, which could be created in the building itself as a consequence of primary coolant loss.
A17-2. The accident
On the night of 27–8 March 1979 the TMI-1 unit was stopped as the refuelling operations were being completed. In fact, about every year and a half, the water power stations are stopped in order to replace the more exhausted fuel elements with new ones. The second unit, TMI-2, was operating normally at 97 per cent full power. TMI-2 had started its commercial operation phase only a few months earlier, at the end of 1978, after having passed the commissioning tests. Operation personnel were working on the purification plant of the water extracted from the condenser (which receives and condenses the steam released by the turbine). The operations in progress on that equipment consisted of the replacement of the filtering material (resins), normally performed by removal with compressed air, washing in water and subsequent replacement. Possibly, during the operation of resin removal, the washing water accidentally penetrated the compressed air circuit because of a leaking valve. The presence of water in the compressed air system, which is also used for the operation of the big valves on the feedwater pipes, caused the quick closure of these valves and the complete interruption of the secondary water to steam generators. The Three Mile Island Accident started 36 seconds after 4 a.m. TMI-2 had already met problems with the feedwater purification system 18 months before the accident. During this time, however, no effective measures were taken to guarantee the needed safety of operation of this equipment. It must be noted here that the event described, a sudden and total lack of normal feedwater to steam generators, is considered in the safety analyses of power stations among the relatively frequent ones, and therefore plants are protected against them. As we will see, only a fatal combination of erroneous evaluations by the personnel with a general plant situation characterized by a substantially careless plant management and with the malfunction of
another plant component, allowed the events (probable and normally without damaging consequences) to escalate into one of the worst nuclear accidents ever to happen. The interruption of feedwater to steam generators causes a decrease of their water level and within a few minutes, for this type of PWR plant, their complete voiding, when all the residual water has been transformed into steam. For this reason an automatic protection system stops the turbine when the water level in the steam generators decreases to a trigger level. This occurred correctly at TMI-2, two seconds from the start of the accident. When the secondary side of a generator dries off, as at TMI-2, the primary water no longer cools down further and therefore returns to the core inlet as warm as it had left it. Passing through the core, it heats up further and increases to ever higher temperatures. In these conditions, it is dangerous to allow the primary temperature to grow beyond certain limits, so it is necessary to stop the nuclear chain reaction, thus substantially reducing the amount of heat produced by the core. The fast shutdown of the TMI-2 reactor, in the conditions described, occurs in the following way. The increase of primary water temperature causes the expansion of the water itself which can expand in the pressurizer, which, as it has been said, is connected to the primary circuit by a pipe and is only partially filled with water: the other part of it is full of steam, as in a pressure cooker (see Figure A17-2). The flow of water into the pressurizer compresses the steam contained in it and increases its pressure. When the pressure has reached a preset value, the chain reaction is arrested by an automatic shutdown system which causes the control rods to fall into the core. This occurred correctly in TMI-2, eight seconds after the start of the accident. In the meantime another event had happened. 
It too was normal and foreseen: the opening of the relief valve located on the top of the pressurizer. This had a similar effect to opening the valve on a pressure cooker lid. The combination of opening the relief valve with the arrest of the chain reaction (as if the valve on the pressure cooker was opened and the burner shut off) causes a quick decrease of the primary system pressure.
[Figure A17-2. Pressurizer. Labelled parts: heaters; surge line nozzle.]
However, the automatic control system of the relief valve is designed in such a way that it causes its re-closure when the pressure again reaches sufficiently low values. This lower pressure was reached in TMI-2, thirteen seconds after the start of the accident, but unfortunately, something
malfunctioned and the valve did not automatically re-close. The relief line stayed open for two hours and twenty minutes, transforming a relatively normal event of feedwater interruption into a much more serious accident of loss of coolant from the primary circuit. This malfunction was the only mechanical fault of the events that brought the accident to its serious final consequences. The other events were human evaluation errors and the poor maintenance conditions of the plant. Two systems had been provided to cope with this mechanical failure. The first system signalled to the operators in the control room the ‘open’ status of the valve and, therefore, the lack of its re-closure. It consisted of an instrument, readable in the control room, which measured the temperature in the pipe connecting the relief valve to the steam condensation tank. When the valve was open, hot steam flowed into the pipe and the temperature indicated by the instrument was high. When the valve was closed, the pipe did not contain hot steam and the indicated temperature was low. Additionally, a light on the control console indicated whether the valve had received the opening electric command. This indication was, however, indirect and unsafe: in fact, the valve may receive the ‘close’ command and, at the same time, still be open because of a mechanical fault, for example because of a seizure of parts in its mechanism. Also, it is possible for a blown bulb to go undetected, thereby giving an incorrect status reading. Both systems were provided so that an operator, on seeing the primary pressure decrease in an abnormal way, could check whether this depended on a stuck open relief valve. At TMI-2, thirteen seconds after the start of the accident, the valve position indicator signalled that the closure command had been given. A second system was provided to compensate for the effects of a mechanical fault of the relief valve.
This consisted, very simply, of a block valve located on the same pipe as the relief valve. An operator, correctly diagnosing the failure of the relief valve to close by reading the temperature in the pipe, may stop the steam leak by closing this second valve. Hence the name of block valve. At TMI-2, even with these provisions, the carelessness with which, apparently, the plant was managed before the accident prevented the four men who happened to have to cope with it alone in
the first crucial phases of it from taking the correct actions. During one of the post-accident inquiries (Kemeny, 1979), the shift superintendent for TMI-1 and TMI-2 explained that the temperature in the pipe was high even before the accident because of leaks in the relief valve: ‘I have seen, consulting the recordings after the accident, about 198°F. But I remember previous cases . . . slightly higher than 200 [. . .] knowing that the relief valve had opened, I expected that the temperature in the pipe had stayed high and that some time had been necessary for the pipe to cool down below 200°’. However, the records show that the temperature reached 285°F. Moreover, one of the emergency procedures of the plant says that a temperature of 200°F indicates that the relief valve is open. Another procedure requires the closure of the block valve when the temperature exceeds 130°F. All this indicated that the plant was operated in the usual way even in the presence of evident leakages from the relief valve, contrary to any good practice and in violation of the procedures. This operational malpractice is not general in nuclear plants. In particular, an inquiry performed on some power stations after the TMI-2 accident has confirmed that in similar cases of valves affected by significant leaks, the plant has been stopped and the leak eliminated. The delayed closure of the block valve at TMI-2 prevented the operators from distinguishing an accident situation (relief valve stuck open) from a situation of careless operation (relief valve with continuous leaks). As we have seen, once the chain reaction arrest did intervene because of high pressure, the heat generated by the core substantially decreases but does not completely cease. In fact, the radioactive products of the fission reaction of the uranium nucleus and those generated by other secondary phenomena continue to emit radiation which, once absorbed by the surrounding materials, is transformed into heat.
This heat, the core ‘decay heat’, immediately after the arrest equals 7 per cent of the power of the preceding operation. It decreases to 1 per cent after about two hours. The decay heat must be removed from the primary circuit by a cooling system, otherwise the primary water and the reactor core will overheat. In the case of normal feedwater loss to steam
generators, an auxiliary feedwater system automatically intervenes which, in a similar way to the main system, supplies water to the secondary side of the steam generators and performs, by steam production, the primary system cooling. Fourteen seconds after the start of the accident at TMI-2 an operator observed that the auxiliary feedwater pumps had automatically started as expected. However, he did not notice the two lights on the control panel indicating that two valves, one on each of the two auxiliary feedwater pipes, were shut and that the water could not reach the generators and so provide cooling. Eight minutes after the start of the accident, however, somebody noticed that the water had not arrived at the generators and another operator opened the two closed valves. This delay in the arrival of the auxiliary feedwater to the generators did not greatly affect the accident, but it did distract the operators. The reason why the two valves were closed is not known exactly. According to the technical specifications for operation they had to be in the open position. Two minutes after the start of the accident, because of the continuous loss of steam from the stuck open relief valve and the consequent decrease in the pressure of the primary circuit, the two powerful pumps on the high pressure emergency injection system (HPI) started up, as anticipated, on a ‘too low’ pressure signal (indicative of the presence of a steam or water leak from the primary system). They started to automatically introduce water into the primary circuit. The HPI system is a part of the emergency cooling systems (ECCS), principally aimed at the protection of the core integrity in case of primary loss of coolant (LOCA). These systems are capable of keeping the core submerged in water and therefore cooled even if the largest primary pipe suddenly broke. 
In fact we have seen that the decay heat of the shutdown core, that is after the chain reaction ceases, must in any case be removed and, in case of a break in a large pipe, it is not possible to rely on the heat removal capability of the steam generators. As the core is under water, its excessive overheating is prevented. In fact the water heats up and is transformed into steam, so cooling the core. It then escapes from the rupture towards the containment building while new water is introduced into the primary circuit by the ECCS system in order to always keep the core submerged.
The HPI system at TMI-2 correctly came into operation because the system was undergoing a loss of coolant accident (LOCA) because of the ‘stuck open’ relief valve. But at the time, the operators did not know that yet. They had neither diagnosed a LOCA nor its cause, because the control room pressurizer water level instrumentation indicated a level that was higher than normal. What was happening was an extremely insidious but not yet well-known phenomenon. In a system of pipes and vessels, fluids tend to move from high pressure zones towards low pressure ones. At TMI-2, the lower pressure zone was closer to the opening towards the outside (relief valve open), that is the pressurizer. For this reason, while steam went out of the pressurizer top towards the outside, at the same time the content of the remaining part of the primary system flowed towards the inside of the pressurizer. Without entering into the details of the complex fluid-dynamic phenomena involved, it can be said that that flow succeeded in keeping the water level in the pressurizer high while the primary system was losing its precious content of water. This phenomenon is in some respects similar, even if not for the same reasons, to the one which happens when a gassed soft drink bottle is opened. The gas is suddenly released entraining to the outside part of the liquid. This does not happen because the bottle is too full of liquid, but because the violently outgoing gas entrains it in part. The operators, concentrating their attention on the fact that the level in the pressurizer was higher than normal, were erroneously convinced that the primary system was full of water and that therefore the core was safe. They, unfortunately, made, at this point and later in the course of the accident, some fatal manoeuvres, all consistent, however, with this erroneous conviction of theirs. 
One of the operators, about two and a half minutes after the start of the HPI pumps, stopped one of them and reduced the water flow rate of the other to a minimum. Subsequently a controlled spillage of the primary water was started. During the subsequent inquiries, he said: ‘The rapidly growing pressurizer level at the start of the accident made me believe that the high pressure injection (HPI) was excessive and that soon we would have the primary system completely full of water’. The control room instrumentation indicated a loss of coolant accident in progress. The indication of
high temperature in the relief valve pipe has already been discussed. Additionally, the continuous decrease of the primary system pressure, even after the HPI intervention, was a clear indication that the system was losing water. Why didn’t the operators correctly interpret the signals? They simply trusted the high pressurizer level indications. A technical superintendent at TMI-2 who arrived at the plant at 03:45 subsequently said: ‘I had the perception that we were in a very unusual situation, since I had never seen the pressurizer level increase and stay at a high value and, at the same time, the pressure staying low. They [the pressure and the level] had always behaved in the same way’. As a consequence of the described evaluation errors the primary circuit continued to lose water for hours and in addition the automatic core cooling system, correctly activated, could not perform its function of fuel integrity protection. It is now known that if the block valve had been closed after one and a half or two hours, or if the operation of the HPI alone had not been stopped, even without the closure of the valve, the Three Mile Island accident would have been no more than a modest operational nuisance. For completeness of information it has to be added that the possibility of an accident of the TMI-2 type had been foreseen by some experts. If these foresights had been confirmed by in-depth theoretical studies and possibly by experimental tests, their results, duly made known to interested people, would have enabled the TMI-2 operators to correctly diagnose the fault and react correctly. In September 1977, for example, an event similar to the TMI-2 accident had happened at the Davis Besse station, USA. Luckily the reactor was operating only at 9 per cent of normal power and therefore the decay heat was small. Moreover, the block valve was closed twenty minutes after the start of the event. No reactor damage therefore occurred. 
In any case, an engineer of Babcock & Wilcox, the designer of this plant too, warned, in an internal memorandum written before the TMI-2 accident, that if the event had happened on a plant operating at full power, probably the core would have been uncovered with the possibility of fuel damage. An engineer of the Tennessee Valley Authority (TVA) had described, in a draft technical report, the possibility of the phenomenon of increasing water level in the pressurizer with simultaneous decreasing pressure. Not enough time was available, unfortunately, for these
studies to proceed beyond the stage of first draft and to become part of nuclear science before the TMI-2 accident. As the incident at TMI-2 progressed, the indications that severe core damage was occurring became ever clearer. One hour after the start of the accident, at 05:00, the four primary water recirculation pumps started to vibrate strongly and had to be shut down. The vibration was indicative of the presence of steam in the circuit and therefore of a scarcity of water. At 06:00, alarms indicated high radiation in the containment. This was an indication of a release of radioactive products from a core that had been damaged. At 07:00, radiation levels throughout the plant increased, prompting the operators to declare a state of internal emergency. This action is taken when an event threatens ‘an uncontrolled release of radioactivity outside the plant’. At 07:24, the station superintendent, worried by the high radiation levels in the primary containment, declared a general emergency, that is ‘an accident capable of causing serious radiological consequences to the health and safety of the population’. In spite of everything, the station personnel continued to believe that the reactor core was covered by water, but at the same time that, by some unknown phenomenon, it had been damaged. The station superintendent would later say: ‘. . . I don’t think that in my mind I was really convinced that the core had remained completely uncovered or uncovered in a substantial measure at that time (eight o’clock in the morning)’. For several hours, the operators did not understand the real condition of the core. Various strategies were tried during that time in order to terminate an unknown, but indicated, core damage situation. It is not possible now to give the rationale for every single manoeuvre performed, but certainly the erroneous conviction that the primary system was full of water stayed for many hours in the minds of the operators. 
About sixteen hours after the start of the accident, manoeuvres were performed which gave clear indication that the control of core cooling had been regained: the block valve was definitively closed, the high pressure injection (HPI) was started up and one of the recirculation pumps of the primary circuit was started up with one steam generator operating. Soon
afterwards the decreasing trend of all the primary circuit temperatures, the correct value of the pressure and the good operating conditions of the pumps clearly indicated that the core cooling was again under control. What had happened in the meantime within the reactor core? During the first sixteen hours of the accident the core had, on several occasions and for long periods, dried (even if not completely) and therefore was without adequate cooling (Figures A17-3 and A17-4). It can be calculated that some parts of the core reached temperatures in excess of 3100K. The many safety tests performed over the years indicate the occurrence of two dangerous phenomena when the core temperature exceeds 1500K. The first one consists in the fact that the small tubes (claddings) containing the core uranium, made of a zirconium alloy, show a vigorous chemical reaction with water or steam at these temperatures to generate hydrogen. The hydrogen, in the presence of oxygen or air, may lead to potentially destructive explosions. The second is caused either by nuclear overheating or by the metal (zirconium)-water reaction. It consists of the mechanical damage of the fuel claddings and of the fuel itself, up to its melting, with the consequent liberation of the accumulated radioactive fission products. The nuclear fission (splitting) reaction of the nucleus of the uranium atom leads to the disappearance of the atom itself and to its transformation into two or more lighter, generally radioactive, atoms. These fission products accumulate in the fuel and their release is prevented by the presence of the cladding. Figure 3-6 shows the damaged areas of the core as now known from the available information (OECD, 1994). 
It can be calculated that about 50 per cent of the zirconium present in the TMI-2 core reacted with water to produce hydrogen and that practically all the volatile fission products were released by the core into the primary circuit and hence, through the stuck open relief valve, into the containment building. Forty-five per cent (62 t) of the fuel melted and about 20 t migrated from their original position and collected on the vessel bottom head. The formation of hydrogen in the core also occurs by the radiolytic decomposition of water molecules, made of hydrogen and of oxygen. This phenomenon generates a mixture of hydrogen and
oxygen gas. The considerable production of hydrogen during the TMI-2 accident gave the operators further difficulties: no severe consequence, however, ensued.
Figure A17-3. Pressure history and periods when the core was uncovered.
Figure A17-4. Pressure history and significant events in the first hours. [Plot not reproduced: system pressure (MPa) against time (min); labels: initial core heatup, loss of coolant (core cooled), degraded core heatup, coolant pumps off (100 m), block valve closed (139 m), B pump transient (174 to 193), HPI on (200 to 217), core relocation, block valve opened.]
Firstly, hydrogen collected, because of its low density, in the highest part of the vessel and other primary circuit components, forming large bubbles which impaired the good circulation of water in the
circuit itself. The phenomenon, an air-lock, which occurs in a domestic central heating system when air collects in the pipes, is familiar to many: the radiator stays cold because the water cannot circulate through it. Secondly, for many subsequent days there was concern about the possibility that radiolytic hydrogen and oxygen could detonate within the vessel and damage it. In reality, the first calculations were too conservative and did not account for other phenomena which in effect prevented the accumulation of oxygen in a measure sufficient to give rise to a detonation. In conclusion, it was probably an unfounded fear. A real explosion, on the other hand, happened in the containment building, where the hydrogen that had escaped through the relief valve mixed with the oxygen in the air, causing an explosion about 10 hours after the start of the accident without, however, damaging either the containment or other essential equipment. The sudden pressure rise caused by the explosion was recorded by the instruments and was equal to about 0.2 MPa. In addition to the possible effects of hydrogen, the other danger to the plant was the perforation of the vessel by the molten material (about 20 t) which collected on its bottom. With the aim of understanding how the vessel resisted the high temperatures and stresses imposed on it by contact with the corium, an international research programme, the Vessel Investigation Project (VIP), was launched by the OECD. The VIP results are described in OECD (1994). One of the principal conclusions is that, although the vessel wall locally reached temperatures high enough to possibly make it fail, this failure did not happen because the vessel was relatively cooler around the hot zone. 
In reality, there was always some water on the vessel bottom throughout the accident and it is thought that this water succeeded in penetrating the solidified corium cracks and the gaps between the corium and vessel, thereby refrigerating the largest part of the vessel. The indication given by the accident that a molten core may be confined inside the pressure vessel has not been forgotten by nuclear safety specialists and now this fact is relied upon in various designs (see Chapter 5).
A17-3. The consequences of the accident on the outside environment
The commission nominated by President Carter to investigate the accident, the ‘Kemeny Commission’ after the name of its chairman, effectively detected responsibilities and deficiencies, and listed the damages caused by the accident. However, its final report, published at the end of October 1979 (Kemeny, 1979), contained the following statement: ‘We conclude that the most serious health effect of the accident was severe mental stress, which was short lived. The highest levels of distress were found among those living within 5 miles of TMI and in families with preschool children’. The TMI-2 accident has been one of the two most serious events in the nuclear industry since its start. It engaged the US technological apparatus for many months, it has worried practically all the world and has cost an estimated one to two billion dollars. However, it has not had consequences on the external environment beyond inconvenience and the state of concern of the population in the immediate neighbourhood of the plant. This concern, to a large part, is due to evaluation errors. Nuclear power stations have been designed taking into account the possibility of accidents and providing the consequent protection, generally multiple, against their effects. In the TMI-2 accident these protections, notwithstanding the damages to the plant, have not missed their principal aim of protecting the integrity of the people and the environment. The following describes the still negligible health damage of radiological origin due to the accident (NUREG, 1979a; Kemeny, 1979). The radiation damage depends on the amount of radiation dose absorbed: the more sieverts (or rem) absorbed, the more serious are the consequences for the exposed individual. Up to some hundreds of millisieverts, no consequences arise. Beyond 1 Sv up to 2 Sv, nausea, vomiting and indisposition may occur. 
At about 5 Sv the probability of death is high. For the TMI accident the highest potential individual irradiation outside the plant site is more conveniently expressed in microsievert. It has in fact been measured at 800 µSv. In order to evaluate the
importance of this irradiation it is useful to compare it with the one annually absorbed by every one of us just by living in a place, in a certain type of house, eating and drinking, watching television, travelling by air, undergoing medical diagnoses, etc. In fact, each of us is subject to cosmic radiation and to radiation emitted by the ground, by construction materials, by food and by various electronic devices. The annual doses absorbed in this way vary from place to place, but, for example, the higher the altitude of a town where an individual lives, the higher is the amount of cosmic radiation absorbed. In many countries, the background individual annual dose ranges between 500 µSv and 2.5 mSv. The maximum potential dose at TMI is lower than the typical difference in annual dose between one part of a country and another. Many will be surprised at this. It must, however, be remembered that we live in a radioactive world. Radioactivity is everywhere around us and is part of our environment. It is true that the TMI accident has had minor health consequences of radiological nature. A similar result is obtained if, instead of the individual dose, the collective dose is considered. It is known that in a population receiving even a small individual dose, statistically, lethal cases of cancer may occur. For TMI, various evaluations of this possible effect have been made, also considering the minute dose received due to the accident by individuals living as far as 80 km from the plant. The total population within this distance is about two million. Of these, in the subsequent years, according to the statistical data, about 325 000 will die of cancer for reasons different from the accident. It is practically certain that the possible additional cases of cancer due to the accident will be less than five, and therefore, as this is so low, they are included within the statistical variation of the cases occurring for other reasons (Kemeny, 1979). 
The same general conclusion holds for the probability that the subsequent offspring of the population involved in the accident show malformations of some type. This reassuring health picture is derived from the measurements taken by various teams of well-equipped specialists operating around the power station and in the air space of the same zone. However, the governor of Pennsylvania, at the time, officially issued recommendations concerning protective measures and the evacuation of the population. Late in the morning of 30 March, it was suggested that the population within 16 km of the plant should stay inside their houses to shield them to the maximum possible extent from possible radioactive clouds due to releases from the power station. Soon afterwards, roughly at 12:30, following further consultations with health authorities and experts, the governor recommended that pregnant women and preschool children should leave the zone within a radius of 8 km from the power station and that in this zone all the schools should be closed. At 20:30 of the same day, the governor withdrew the first recommendation but the second was only cancelled on 9 April. These precautionary measures, which were subsequently shown to be excessive, were in the largest part suggested by pessimistic evaluations of the possible evolution of plant phenomena and by incredible fortuitous coincidences. For example, a strong influence on the decisions of the governor was exerted by a group of experts from the NRC (Nuclear Regulatory Commission, the US control body on the peaceful uses of atomic energy) who suggested the evacuation of women and children. The same experts, in issuing their recommendation, were influenced by the following coincidence. They were evaluating all the possible modes of release of radioactive products from the plant and were calculating the consequences of a release due to excessive pressure from some radioactive gas storage tanks. The calculation indicated the theoretical possibility of radiation at the fence of the plant of 12 mSv per hour. Fifteen or twenty seconds after having obtained this result, they received the news that on site a radiation field of precisely 12 mSv per hour had been measured. They concluded that the unlikely emission of gases from the tanks had happened and recommended the evacuation to the governor. 
In reality, the measurement had been made by a helicopter which was flying 40 m above the discharge stack. The measurement was not therefore representative of the radiation field on the ground. Another element of confusion and of pessimism was represented by the exceedingly conservative evaluation of the detonation possibility of the hydrogen bubble in the reactor vessel. The recommendations to stay inside and to evacuate the zone, at least for the people most vulnerable to radiation damage, together with news
from television and the press which was not completely reassuring, caused the understandable fear of the inhabitants of the TMI-2 zone. Radiation, unlike other potentially damaging agents and elements (e.g. fire, water, toxic gases), is not detected by our senses, so we feel unsafe and uncertain because we must rely on measurements and the advice of ‘experts’. In this regard, the astonishment of the Harrisburg mayor, who wanted to visit the power station during the crisis on 30 March, is highly indicative: ‘Rather strangely, one of the things that impressed me the most and that gave me the maximum sensation of confidence that everything was under control was that everybody on the site, all the employees, the president and so on, went around in their shirts and bare head. I didn’t see any indication of nuclear protection’. The mobilization of all the industrial and health protection national resources was, however, impressive. About ten laboratories in the USA worked night and day to analyse samples taken from the plant and to perform evaluations of the present situation of the reactor and of its possible evolution. The industries of the nuclear field, such as General Electric and Westinghouse, promptly put themselves at the disposal of Babcock & Wilcox, of Metropolitan Edison and of the NRC for whatever assistance might be needed. The pharmaceutical industry, too, had to make a powerful effort. The Mallinckrodt Chemical Company of St Louis, in cooperation with Parke-Davis of Detroit and with a manufacturer of machines for filling vials, based in New Jersey, agreed at short notice to supply the Government Department for Health with 250 000 doses of potassium iodide. This substance, if ingested in an appropriate dose, protects the individual from the negative consequences of the inhalation of radioactive iodine, potentially released to the atmosphere by a nuclear station accident. 
In fact the inhaled or ingested iodine, radioactive or not, is absorbed by the thyroid until it is saturated. At this point, even if additional iodine is ingested, it is eliminated by the body. The previous ingestion of potassium iodide saturates the thyroid with iodine and then the further possible inhalation of radioactive iodine has no health consequences as it is promptly eliminated.
The first batch of vials arrived in Harrisburg within 24 hours and the last batch arrived four days later. It was not necessary to use any of them. Despite the effectiveness of the emergency plans, the TMI-2 experience has shown that the preparations for an emergency must be increased in every country.
A17-4. The actions initiated after the accident
The TMI-2 accident was followed by decontamination operations, that is the removal of radioactive products contained in the systems and in the buildings. This has made it possible to enter the containment building in order to complete the decontamination operations within it and to start the inspections of the reactor. In parallel, in the USA and in all countries interested in nuclear energy, studies were initiated in order to understand the development and the causes of the accident and to identify the possible improvements to power stations and to their management which might prevent accidents of similar severity. The studies in question, initiated immediately almost everywhere after the accident, gave substantial results even in the same year. Modifications made to existing plants were relatively few, but very crucial, and have been promptly made. They mainly concerned the automatic protection systems of the reactors which have now been set in a way which takes into account the behaviour, previously not well known, of the pressurizer level in LOCA accidents concerning, as in TMI-2, the high parts of the pressurizer itself. Numerous other improvements were instigated in the aftermath of the accident. The work done by the NRC (Rogovin, 1980; NUREG, 1979b; NUREG, 1979c) has indicated the need for improvements to the instrumentation, to the containment systems, to operator training, skills in safety issues present in each power station, to the operating procedures, to the safety analyses and to the emergency provisions. The Kemeny commission (Kemeny, 1979) concluded its work by saying that the field in which the more fundamental modifications were necessary is that of the mindset and of the working methods of the industry and of the control bodies in USA. It was of the opinion that: ‘after many years of operation
of nuclear power plants, with no evidence that any member of the general public has been hurt, the belief that nuclear power plants are sufficiently safe grew into a conviction. One must recognize this to understand why many key steps that could have prevented the accident at Three Mile Island were not taken’. The most important modifications that the Kemeny commission deemed necessary in order to prevent the further occurrence of accidents of the TMI-2 severity concern the organization and the intervention procedures of the NRC, the operator training, the management of nuclear plants by the utilities, some technical aspects of the plants, the research on the effects of low radiation doses and the emergency provisions. Studies by various working groups in other countries were substantially in agreement with the NRC and with the Kemeny commission recommendations. In Italy, a country well known to the author, the attempt was made to single out through the work of an expert group, among the proposed improvements, the few which appeared to be most effective in unlikely accident situations of various types. This was because even if the study of many thinkable accidents can be made, it is not possible to be certain that all of them have been foreseen, so an effective protection against the unforeseen is necessary. On the other hand, the core of a reactor may ‘die’ from only two ‘illnesses’: the lack of water and the lack of neutron poisons for the shutdown of the chain reaction. The first case happened at TMI-2. It is also true that the study of possible accidents, even if limited, leads to the provision of abundant water for core submersion and for the shutdown of the chain reaction. The area of possible improvement concerns the systems which diagnose the conditions of possible danger to the core itself. 
For this reason the group recommended, in the first place, the installation, as far as technologically feasible on each reactor, of instrumentation capable of directly and reliably measuring the water level, and the temperature and power local distribution, in the core. Recommendations were then made concerning the improvement of operator training for accident conditions, of the emergency provisions and of the study of accidents in order to pay more attention to the plant control actions even a long time after the event.
Other more specific recommendations concerned detailed characteristics of plant components. Some recommendations of the American study groups were already implemented in Italy, for example the one concerning the consideration of more simultaneous faults in the study of an accident. The studies initiated soon after the accident continued in the field of emergency provisions, of operator training and on the completion of the recommendations. In the subsequent years, the technical thinking on the accident at ENEA-DISP led to the development of a proposal for the Core Rescue System (CRS) (see Appendix 10) based on the voluntary depressurization of the primary system and on the injection of cooling water by passive systems (Petrangeli et al., 1993). This type of system was subsequently adopted in various new reactor designs (e.g. on the AP 600 Westinghouse reactor). In particular, the voluntary depressurization system of the primary circuit, publicly proposed for the first time (for pressurized reactors) in the course of the mentioned studies in Italy, has become a permanent feature in the new PWR plant designs.
References
Kemeny, J.G. (chairman) (1979) ‘Report of the President’s Commission on the accident at Three Mile Island: The need for change; the legacy of TMI’, President’s Commission on the accident at Three Mile Island, 2100 M Street, NW Washington, DC 20037.
OECD (1994) ‘Three Mile Island reactor pressure vessel investigation project’, OECD-NEA, Paris: OECD.
Petrangeli, G., Tononi, R., D’Auria, F. and Mazzini, M. (1993) ‘The SSN: An emergency system based on intentional coolant depressurization for PWRs’, Nuclear Engineering and Design, 143, pp. 25–54.
Rogovin, M. (1980) ‘Three Mile Island: A report to the Commissioners and to the public’, NRC Special Inquiry Group.
USNRC (1979a) ‘Population dose and health impact of the accident at the Three Mile Island nuclear station’, NUREG 0558, May.
USNRC (1979b) ‘TMI-2 lessons learned task force: Final report’, NUREG 0585, October.
USNRC (1979c) ‘Investigation into the March 28, 1979, Three Mile Island accident by Office of Inspection and Enforcement’, NUREG 0600, August.
Glossary
Active safety systems: Systems which need energy and/or intelligence signals to operate. See also ‘Passive safety systems’, which are the contrary of active systems.
Barrier (against radioactive releases): Structure, set of structures or of systems which contrast the uncontrolled ‘release’ of radioactive material to the outside or to the inside of a nuclear plant. For the radioactivity connected to fission products, the plant design provides the following barriers: the fuel matrix, the fuel element claddings, the primary circuit(s), the containment system.
Best estimate approach: Best estimate approach to safety evaluation or best estimate codes are those which are based on a faithful representation of the plant behaviour; they should be used in a safety analysis in combination with a reasonably conservative selection of input data and a sufficient evaluation of the uncertainties of the results; this approach is accepted by regulatory bodies; it may also be acceptable to use a combination of a best estimate code and realistic assumptions on initial and boundary conditions. The best estimate approach is the opposite of a conservative approach.
BWR reactor: Nuclear reactor where the steam is directly generated in the core (BWR = Boiling Water Reactor).
Conservative approach: Conservative approach to safety evaluation or conservative code analyses are those where every assumption is chosen in a conservative way, in the light of the phenomenon to be evaluated. This approach is the opposite of the best estimate approach.
Containment: Set of systems forming the most external barrier(s) against the uncontrolled release(s) in the environment of the radioactivity of fission and activation products. It includes a ‘containment’ (single or double) in reinforced concrete and/or steel, which contains parts of the plant which can be possible ‘sources’ of radioactive contamination (including the following: reactor and at least part of its cooling circuit) and auxiliary and service systems (isolation, ventilation, ‘removal’ of contamination, and so on).
Core (of a reactor): Region of a reactor where the fission chain reactions occur.
‘Corium’: Mixture of nuclear fuel and of structural materials produced by core melt.
‘DBA’ (Design Basis Accident/s): see ‘Design Basis Accidents’.
Degraded event sequence: Event sequence(s) where it is assumed that a multiple malfunction (or lack of operation) of event prevention systems or of consequences mitigation systems occurs or extremely unlikely fault modes are assumed concerning single components or systems, including those performing the above mentioned functions.
Design basis accidents: Accidental events against which the plant safety systems are designed.
Event: Situation, internal or external to the plant, capable of perturbing its operation and due to malfunctions, faults and ruptures of components, systems or structural plant elements relevant to its safety and to the health protection of workers and of population.
Excursion (of power): Fast and uncontrolled increase of the power produced in a nuclear reactor following an accident.
Fast shutdown: Fast insertion in the nuclear reactor core of negative reactivity, thus causing the immediate stop of the fission chain reaction.
Feedback: Intrinsic, or introduced from outside, functional characteristics of a system, consisting in the fact that the variable at the exit from the system influences the input one, enhancing its value (positive feedback) or attenuating it (negative feedback).
Inherent safety: ‘Inherent’ safety means the elimination of hazard by choice of material or design concept, for example the elimination in a plant of any combustible material (if possible) would demonstrate inherent safety from the danger of fire.
LOCA: Loss of coolant accident.
Passive safety systems: ‘Passive’ safety systems are defined as the operating safety features of structures and devices designed to counteract specific events without the reliance on mechanical and/or electrical power, forces or ‘intelligence’ signals external to the same structures and devices.
Primary circuit: Barrier against the dispersion of radioactive material, consisting in the primary cooling circuit and in the vessel in which the core is contained.
PWR reactor: Nuclear reactor where the core power is transported by pressurized water which circulates in a system of ‘primary’ circuits. The production occurs within a set of Heat Exchangers (Steam Generators), using the thermal energy contained in primary water (PWR = Pressurized Water Reactor).
Reactivity: Functional parameter of a nuclear reactor, which expresses an instantaneous balance of the neutron multiplication processes and represents an index of the tendency to the variation of the power generated in the core at a certain instant. If reactivity is zero, then the power stays constant; if the reactivity is positive, the power increases and the contrary happens if the reactivity is negative.
Release (of fission products): Dispersion of radioactive contamination outside one or more design barrier(s).
Severe accident: Event(s) or event sequence capable of producing more serious consequences than those anticipated for design accidents (in particular, significant reactor core melt).
Source term: Complex of radioactive products released from the plant in case of accident (as a function of time and with specification of their physical form).
Vessel: Pressure vessel containing the reactor.
Web sites
http://books.elsevier.com/companions/0750667230: This book’s companion web site. The following files can be downloaded: CONTPRESSURE.xls, DISPERSION1.xls, DISPERSION2.xls, DRYCORE.xls, DUHAMEL.xls, FUMIGATION1.xls, FUMIGATION2.xls, PRIMARYSYSTEM.xls

www.cordis.lu: the European Union site

www.doe.gov

www.europeanutilityrequirements.org

www.iaea.org: the IAEA site, which contains much technical and regulatory information

www.insc.anl.gov: the site of the ‘International Nuclear Safety Center’ of the United States, operating at the Argonne National Laboratory, with much information on plants and specific technical data

www.insc.ru: the site of Moscow INSC

www.nrc.gov

www.nucleartourist.com: the site of the Nuclear Energy Institute in the US, with information on existing reactors

www.nuc.berkeley.edu: the site of the Nuclear Department of Berkeley University; it is listed here as an example of the U.S. University sites, very interesting in general; each of them usually has links with the others

www.oecd.org: this is the site of OECD, Paris, very rich in information, for which authorisation is needed.
Index

Note: Bold page numbers indicate the main reference for an entry.
Accelerogram, 149, 157
Accidents (examples), 40
Accidents which should not happen, 204
ACMH (Advisory Committee for Major Hazards), 30
Active safety systems, 26
Adiabatic (gradient), 68
Aircraft crash, 189
ALARA, 1
ALARP, 245
ALWR (Advanced Light Water Reactors), 28
AP1000, 10
AP600, 9
Area accidents, 50
‘As found’ (leakage), 141
‘As left’ (leakage), 141
Atomic Energy Commission, 3
ATWS, 51, 230, 377

Baneberry (test of), 219
Barriers of defence, 89
Beyond design basis accidents, 51
Becquerel, 80
Best estimate approach,
Bhopal, 31
Boiling water (reactors), 229
Bombs (nuclear), 215
Boolean (algebra), 100
Boron dilution accidents, 204
Boron (dissolved) reactivity, 38
Browns Ferry (accident), 203
Building effect on dispersion, 75
BWR, 229

Cage (safety), 419
Cassini (Saturn probe), 237
Chernobyl, 279
Claddings, 21
Classification of accidents, 35
Classification of plant components, 117
Cloud concentration, 70
Cloud submersion dose, 81
Coefficient of moderator temperature and of voids, 37
Collective dose (workers), 81
Components (plant), 119
Conservative approach, 95
Containment systems, 141, 285
Control rod ejection accident, 44
Control rods reactivity, 39
Core overheating, 323
Core heat capacity,
Core Rescue System (CRS), 8, 357
‘Corium’, 21
Cosmos, 238
Cost–benefit analysis, 245
Cracks, 120, 337
Criteria (nuclear safety, table), 297
CRS (Core Rescue System), 357
Curie, 80
Damping (earthquakes), 149
Davis Besse, 202
Decay energy, 18
Decay power, 18, 291
Defence in depth, 7, 12, 89
DEMO, 225
Density locks, 29
Deposition velocity, 71
Depressurization (primary, systems), 357
Desalination plants, 233
Design basis accidents, 11, 35
Deterministic effects of radiation, 80
Deterministic method, 10
Deterministic safety analysis, 95
Direct radiation dose, 82
Dispersion of releases, 65, 379
Documentation (safety), 385
Doppler coefficient, 35
Dose, 79, 315
Dose (absorbed), 79
Dose limits, 79
Ductility, 162
Duhamel integral, 163
Dynamic pressure in tanks, 169
Dynamic thermal stress (PTS), 126
Earthquake, 145
Earthquake (criteria), 145
ECCS (Emergency core cooling systems), 96
Effects of Radiation doses, 80
Effective dose, 79
EIA (Environmental Impact Assessment), 388
Emergency plan (external), 388
Emergency procedures, 388
Embrittlement (neutron), 124
Enrichment (plants), 233
EPR (European Pressurized Reactor), 10
Equivalent dose, 79
Erroneous beliefs in nuclear safety, 239
EUR criteria, 196, 327
Exclusion zone, 3
Explosions (nuclear), 215
External natural accidents, 51
External impact, 189
EXTERNE, 247
Event tree, 98

Fail safe, 30
Failure rates, 105
Fallout, 216
Fast reactors, 232
Fast shutdown (scram) (trigger limits), 35
Faults, faulting, 149
Fault tree, 99
Filtered containment venting, 53
Fission product reactivity, 39
Flixborough, 26
Floor response spectrum, 171
Fluence, 125
Fluidic diodes, 29
Fracture mechanics, 337
Fragility, 147
Fuel fabrication, 243
Fuel handling accident, 47
Fuel plants, 233
Fujita (scale of), 186
Fumigation, 73
Fusion (safety of . . . reactors), 225
Future accident (to be prevented), 204
Future reactors, 23
Gap (fission products), 63
Gas (reactors), 231
GDC (US General Design Criteria), 343
General design criteria (USA), 355
Genetic effects of radiation, 79
Glossary, 423
GPHS.RTG, 237
Gray, 79
Ground motion (reference), 148
Ground shine dose, 81, 316
Ground (soil) stability (earthquakes), 160

Health consequences of releases, 79
Health Physics units, 79
Heavy clouds, 66
Hereditary effects of radiation, 79, 80
Hiroshima and Nagasaki, 215
History of nuclear safety technology, 2
Hot-cold interface, 29
Human behaviour (probability), 98

IAEA criteria, 196, 355
IFMIF, 225
Impacts (external), 189
INES, event scale, 205
Inhalation dose, 81
Inherent safety, 26
Intensity (seismic), 154
Interfacing systems LOCA, 61
International Nuclear Event Scale (INES), 205
Intrinsic safety, 26
Inverted scram, 9
Inversion, 68
Iodine spike, 15
IPIRG (International Piping Integrity Research Group Program), 133
IRIS reactor, 10
Irradiation embrittlement, 124
IRS (Incident Reporting System), 201
Isolation (seismic), 177
ISCC (Intergranular Stress Corrosion Cracking), 132
ITER, 225

J integral, 338
Justification principle, 79

KI, KIC, KIA, 339
Kyshtym (accident), 203
Large LOCA with failure of recirculation, 62
LD50, 80
Leak before break, 130
Leaks (detection), 132
LER (Licensee Event Report), 201
Levels of defence, 89
Limitation principle, 79
Limits (for reactor operation), 35
Limits of releases on a site, 85
Liquefaction, 158
LLE (Loss of life expectancy), 247
LOCA, 46
Long distance dose, 82
Loss of electric power, 58
Loss of electric power with LOCA, 61
Loss of life expectancy, 247
Low population zone, 4

Magnitude (seismic), 154
Marshall Report, 122
Media (and safety), 12
Methyl isocyanate (MIC), 31
Modal (seismic) analysis, 149
Moderator temperature coefficient, 37
Mononobe – Okabe, 161
Most interesting releases, 65
Mururoa, 220

Natural origin accidents, 51
Negative scram: see ‘Inverted scram’, 9
NII criteria, 197
Non-stochastic effect of radiation, 80
Nuclear bombs, 215
Nuclear explosions, 215
Nuclear safety criteria, 195
Nuclides, 13

Objectives (of nuclear safety), 1
Operating experience, 201
Operation manual, 388
Operation organisation document, 340
Optimization principle, 79
Oscillator (simple), 162

Pasquill, 71
Passive safety system, 26
PBMR (Pebble bed modular reactor), 10, 232
Perforation (impact), 191
Periodic safety reviews, 391
PIE (postulated initiating events), 96
Pile (Fermi, CP1), 2
Pipe Fracture Encyclopedia, 133
Pipe whip, 130
Piping, 130
Piping (regulatory positions), 130
Piping (research), 133
PIUS, 29
Plant components, 119
Plant-site complex safety, 85
Plutonium (deposited) dose, 81, 238
PRA, 97
Preoperational test program, 390
Pressure in containment, 285
Pressure peak (lateral), 192, 217
Pressure-temperature correlation (water), 378
Pressure tube reactors, 231
Pressure vessels recommendations, 128
Pressure wave, 192
Pressurizer, 18
Primary depressurization systems, 357
Principles of Health Protection and Safety, 79
Probabilistic safety analysis, 97, 388
Probabilistic method, 97
Proliferation, 250
PSA (probabilistic safety analysis), 97, 388
PTS (Pressurised Thermal Shock), 126
PUN criteria, 197
PWR (scheme), 29

Quality assurance, 93
Quality assurance plan, 93

Radiation generating machines, 234
Radiation weighting factor, 80
Radioactive products, 25
Radioactive sources, 234
Radioactive waste, 221
Radioactivity, 80
Rasmussen Report (WASH 1400), 6
Ratcheting, 4
RBMK, 9
Reactivity balance, 40
Reactor Pressure Vessel, 119
Reactor Safeguards Committee, 3
Regulatory framework, 385
Regulatory Guides (NRC), 393
Repair probability, 98
Reprocessing plants, 233
Research (nuclear safety), 199
Research reactors, 232
Release of fission products (conventional from core, TID), 5
Release for accidents (Table), 41
Residual risk, 245
Richter Scale, 154
Risk analyses (credibility), 248
Risk informed method, 246
Risk of human activities, 248
RPV, 119
Rupture probability of pressure vessels, 120, 122

Safe plant (when . . .), 243
Safety analysis, 95
Safety analysis review, 107
Safety approach (general), 122
Safety cage, 405
Safety criteria (table), 297
Safety culture, 7
Safety documents, 385
Safety Goal, 248
Safety objectives for sites, 386
Safety Report, 398
Safety systems, 17
Safety systems effectiveness, 21
Saint Laurent Les Eaux, 203
Salama, 408
Satellites (with nuclear plants), 237
Savannah, 234
Scram, 2
Seismic hazard, 98
Seismo-tectonic model, 152
SENA, 209
Severe accidents, 6, 53, 58
Severe accident management, 57
Seveso, 26
Shielding (radiation), 83
Ship propulsion reactors, 234
Sievert, 79
Single failure, 3
Site characteristics, 87
Site criteria (Italian chart), 409
SL1 (accident), 204
Sloshing (of liquids in tanks), 175
SNAP, 237
Sodium cooled fast reactors, 232
Soil resistance (earthquakes), 158, 160
Soil–structure interaction, 150, 173
Solar radiation, 291
‘Solid’ system, 239
Somatic effects of radiation, 80
Sources (radioactive) and radiogenic machines, 234
Source term, 62, 319
Space-time history, 152
Specific plants and activities, 229
Spectrum (design and verification, for earthquakes), 149
Squib valves, 29
Stack effect on release dispersion, 70
Standard Review Plan, 409
Starfighter, 189
STARFIRE, 226
Start up rate, 39
Stochastic effects of radiation, 80
Storage facility (impact accident), 316
Stress assisted intergranular corrosion, 132
Structures resistance (earthquakes), 162
Submersion doses, 81
Superadiabatic (gradient), 68
Technical specifications for operation, 390
Temperature–pressure correlation (water), 378
Terrorism, 250
Thermal analysis of a dry core, 323
Thermal constant of fuel rod, 326
Thermal plume rise, 75
Thermal shock (vessel), 126
Three Mile Island (TMI) accident, 411
Three Mile Island vessel, 126
Time history seismic analysis,
Tissue weighting factor, 80
Tokai Mura (accident), 204
Tolerable risk, 245
‘Too cheap to meter’, 4
Tornado, 185
Tornado scale, 186
Toughness, 340
Tower (meteorological), 70
Transients (primary, calculation), 365
Transport safety, 234
Tritium, 81, 226
Tsunami, 87
Tube reactors, 231

Underadiabatic gradient, 68
Underground location of nuclear plants, 209
Underground nuclear tests, 218
Underground (buried) structures (earthquake), 175
US general criteria, 195

V sequence, 54
Valves, 134
Vandellos (accident), 204
Vessel, 119
Vessel and severe accidents, 127
Vessel failure prevention, 128
Virtual dose in severe accident, 315
Void coefficient, 37
Voluntary action accidents, 51
Vortex valves, 29
VVER (Russian PWRs), 234

WANO, 7, 201
Warm prestressing, 126, 340
Waste (radioactive), 221
Web sites, 425
Wigner energy, 203
Windscale accident, 203

Xenon and Samarium reactivity, 39

YOLL, 247

Zircaloy, 21