Nuclear safety [2nd ed] 9780128183267, 9780128183274, 0128183276

Introduction -- Inventory and localization of radioactive products in the plant -- Safety systems and their functions --

English Pages 565 Year 2020

Table of contents:
Cover
Nuclear Safety
Copyright
Contents
Preface
References
1.1 Objectives
1.2.1 The Early Years
1.2.2 From the Late 1950s to the Three Mile Island Accident
1.2.3 From the Three Mile Island Accident to the Chernobyl Accident
1.2.4 The Chernobyl Accident and After
1.2.5 Fukushima Accident and its Lessons
EndNotes
Further Reading
2 Inventory and Localization of Radioactive Products in the Plant
References
3.1 Plant Systems
3.2 Safety Systems and Accidents
3.3.1 General Remarks
3.3.2 Some Passive Safety Systems for Nuclear Plants
3.3.3 Inherently Safe Systems in the Process Industries
References
Further Reading
4.2.1.1 Initial Conditions
4.2.1.2 Doppler Coefficient
4.2.1.4 Reactivity of the Boron Content
4.2.1.5 Reactivity of the Control Rods
4.2.2 Example of a Category 2 Accident: Spurious Opening of a Pressurizer Safety Valve
4.2.3 Example of a Category 3 Accident: Instantaneous Power Loss to All the Primary Pumps
4.2.4 Example of a Category 4 Accident: Main Steam Line Break
4.2.5 Example of a Category 4 Accident: Sudden Expulsion of a Control Rod From the Core
4.2.6 Example of a Category 4 Accident: Break of the Largest Pipe of the Primary System (Large LOCA)
4.2.7 Example of a Category 4 Accident: Fuel Handling Accident
4.2.8 Area Accidents
4.3 Beyond Design Basis Accidents
4.3.2 Accidents Due to Human Voluntary Actions
4.4 External Accidents of Natural Origin
EndNote
References
Further Reading
5.1 Existing Plants
5.2 Future Plants: Extreme and Practicable Solutions
5.3 Severe Accident Management: The Present State of Studies and Implementations
5.5.1 Loss of Station Electric Power Supply (TE=Transient+Loss of Electrical Supply)
5.5.3 Interfacing Systems LOCA (V)
5.5.4 Large LOCA With Failure of the Recirculation (ALFC)
5.6 “Source Terms” for Severe Accidents
References
Further Reading
6.1 The Most Interesting Releases for Safety Evaluations
6.2 Dispersion of Releases: Phenomena
6.3 Release Dispersion: Simple Evaluation Techniques
6.4 Formulae and Diagrams for the Evaluation of Atmospheric Dispersion
6.5 Calculation of Atmospheric Dispersion by Computer Fluid Dynamics Codes
EndNotes
References
7.2 Some Quantities, Terms, and Units of Measure of Health Physics
7.3 Types of Effects of Radiation Doses and Limits
7.4.2 Evaluation of Doses Due to Submersion in a Radioactive Cloud
7.4.6 Direct Radiation Doses
References
8.2.1 The Objectives and Limits of Release/Dose
8.3 Some Plant Characteristics for the Prevention and Mitigation of Accidents
8.5 Site Characteristics
9.1 Definition, Objectives, Levels, and Barriers
9.2 Additional Considerations on the Levels of Defence in Depth
References
10.1 General Remarks and Requirements
Further Reading
11.2 Deterministic Safety Analysis
11.3 Probabilistic Safety Analysis
11.3.2 Fault Trees
References
12.2 The Reference Points
12.3 Foreseeing Possible Issues for Discussion
12.5 Clarification Is Not Disrespectful
12.6.3.1 Flow Distribution in Lower Plenum
12.6.6 Vibration Analysis
12.6.6.1 Cross Flow
12.6.6.2 Parallel Flow
12.6.6.3 Fatigue Analysis
12.7 Discussion
EndNote
References
13 Classification of Plant Components
References
14.1.1 Problems Highlighted by Operating Experience
14.1.2 Rupture Probability of Nonnuclear Vessels
14.1.3.1 Normal Conditions, Transients, and Design Accidents
14.1.4 Vessel Material Embrittlement due to Neutron Irradiation
14.1.6 The Reactor Pressure Vessel of Three Mile Island 2
14.1.7 General Perspective on the Effect of Severe Accidents on the Pressure Vessel
14.1.8.1 Materials
14.1.8.3 Fabrication and Inspection
14.2.1 Evolution of the Regulatory Positions
14.2.2.1 Cracks in Primary System (see USNRC, 1997a)
14.2.3.1 Requirements
14.2.4 Research Programs on Piping
14.3.1 General Remarks
14.3.2 Relevant Data From Operating Experience
14.3.3 The Most Commonly Used Types of Valve
14.3.4 Types of Valve: Critical Areas, Design, and Operation
14.3.4.1 Compatibility of the Motor Operator With the Valve and Associated Control Circuits
14.3.4.2 Seals on the Stem (Seal Packs, Bellows, etc.)
14.3.4.4 Fluid Tightness Across the Valve Seats
14.3.4.5 Misuse of Valves for the Intended Service
14.3.5 Valve Standards
14.4 Containment Systems
References
15.1 General Aspects, Criteria, and Starting Data
15.2 Reference Ground Motion
15.3.1 Foundation Soil Resistance
15.3.1.1 Soil Bearing Capacity (Soil Stability)
15.3.1.2 Mononobe–Okabe Method
15.3.2.1 One Degree of Freedom Systems
15.3.2.2 Multidegree of Freedom Systems
15.3.2.3 Continuous Systems
15.3.2.4 Tanks
15.3.2.5 Resistance and Functionality of Mechanical, Electrical, and Electronic Components
15.3.2.6 Soil–Structure Interaction
15.3.2.7 Bridge Cranes
15.3.2.8 Buried Structures and Caverns
15.3.2.9 Towers and Chimneys
15.3.2.11.2 Sequence of Actions and Methods
15.3.2.11.3 Typical Weak Points and Ameliorating Provisions
References
Further Reading
16.1 The Physical Phenomenon
16.2 Scale of Severity of the Phenomenon
References
17.2.1 Effects of an Aircraft Impact
17.2.2 Overall Load on a Structure
17.2.4 Local Perforation of Structures
17.2.6 Temporary Incapacity of the Operating Personnel
17.3 Pressure Wave
17.4 Other Impacts
References
18.1 General Characteristics
18.2 The US General Design Criteria
18.4 EUR Criteria
18.5 Other General Criteria Compilations
18.6.2 Possible Evolution in Safety Evaluation Methods (Mistakes and Limits in Probability Evaluations) and in Safety Criteria
References
Further Reading
19 Nuclear Safety Research
Reference
20.3 Some Significant Events
20.3.1 Mechanical Events
20.3.3 System Events
20.3.4 Area Events
20.3.6 Possible Future Accidents
20.4 The International Nuclear Event Scale
References
21 Underground Location of Nuclear Power Plants
References
22.2 Types of Nuclear Bomb
22.3 The Consequences of a Nuclear Explosion
22.4 Initial Nuclear Radiation
22.5 Shock Wave
22.6 Initial Thermal Radiation
22.7 Initial Radioactive Contamination (“Fallout”)
22.8.2 The Possible Effects of an Underground Nuclear Explosion
References
23.1 Types and Indicative Amounts of Radioactive Waste
Further Reading
24 Fusion Safety
Further Reading
25.1 Boiling Water Reactors
25.2 Pressure Tube Reactors
25.3 Gas Reactors
25.4 Research Reactors
25.6 Generation III/III+ Reactors
25.7.1 Small–Medium Size Reactor
25.7.2 Molten Salt Fast Reactor
25.8 Fuel Plants
25.10 VVER Plants
25.12 Safe Transport of Radioactive Substances
References
Further Reading
26.2 Possible Accidents and Their Consequences
Further Reading
27 Erroneous Beliefs About Nuclear Safety
References
28 When Can We Say That a Particular Plant Is Safe?
29.2.1 Tolerable Risk
29.2.2 Risk-informed Decisions
29.4 Risk From Various Energy Sources
29.6 Are the Risk Analyses of Nuclear Power Plants Credible?
References
Nuclear Safety Standards Series
MISC, Other References
A1.2 The Reactor
A1.3 The Event
Further Reading
A2.2 Initial Overpressure
A2.3 Containment Pressure Versus Time
A2.3.3 Heat Exchanged With the Outside Through the Metal Container
A2.3.5 Heat Exchanged With Cold Metals
A2.3.6 Heat Exchanged With Concrete Layers
A2.3.7 Decay Heat
A2.3.9 Solar Heat
A2.3.11 Considerations on the Performance of the Calculation and on the Choice of the Input Data
A2.3.11.2 Choice of the Length of the Time Step and of the Thickness of the Concrete Layers, ΔX
A2.3.12 Example Calculation
References
Appendix 3 Table of Safety Criteria
A4.2.2 Source Term at Three Days (I, Cs, Xe)
A4.2.4 Ground Shine Long-term Dose
A4.3.2 Reference Impact
A4.3.3 Fragmentation and Dispersion of Material
A4.3.3.1 Alternative Source Term
A4.3.4 Doses
A4.4.2 Reference Impact
A4.4.3 Amount of Significant Fission Products in the Internal Atmosphere of the Cask and External Release in One Day
A4.4.4.1 Cesium Doses
References
A5.1 Analysis of the Core Without Refrigeration
References
A6.2 Sample of Notable Concepts Adopted in Revision E
A6.3 Extracts from EUR Criteria Revision E (2016) (Pressurized Water Reactors)
Reference
A7.1 Introduction
A7.2 Current Practice
References
Appendix 8 US General Design Criteria
A8.1 Introduction
A8.3.1 Overall Requirements
A8.3.2 Protection by Multiple Fission Product Barriers
A8.3.3 Protection and Reactivity Control Systems
A8.3.4 Fluid Systems
A8.3.5 Reactor Containment
A8.3.6 Fuel and Radioactivity Control
Appendix 9 IAEA Criteria
A10.1 Initial Studies
References
A11.1 General Remarks
A11.3.1 Macro Stampa Dati
A11.3.2 Macro Copia_dati
A11.3.4 Macro HFG
A11.3.6 Macro VFG
A11.3.8 Macro GU
A11.3.9 Macro GE
A11.3.10 Macro DT
A11.3.11 Macro PS
A11.5.1 Anticipated Transients Without Scram
References
Appendix 12 The Atmospheric Dispersion of Releases
A13.1 Regulatory Framework
A13.2.1 The Safety Report
A13.2.3 The Environmental Impact Assessment
A13.2.5 The Operation Manual, Including the Emergency Procedures
A13.2.7 The Preoperational Test Program
A13.2.8 The Technical Specifications for Operation
References
A14.1 Extracts From a Regulatory Guide
A14.2 List of Contents and Extracts From a Sample Chapter of the Standard Review Plan
A14.3 Sample Chapter
A15.3 Mechanical Energy Which Can be Released
A15.4.1 Verification of the Tendons
A15.5 Experimental Tests on Steel Cages for the Containment of Vessel Explosions
Reference
A16.1 Population and Land Use
A16.4 Extreme Events from Human Activities
A16.5 Extreme Natural Events
A17.1 Summary Description of the Three Mile Island No. 2 Plant
A17.2 The Accident
A17.3 The Consequences of the Accident on the Outside Environment
A17.4 The Actions Initiated After the Accident
References
A18.1.3 The Safety Objectives and Limits of Release/Dose, Key Aspect 1: External Releases
A18.1.4 The Safety Objectives and Limits of Release/Dose, Key Aspect 2: External Doses
A18.1.5 Key Aspect 3: Possible Not Considered Accidents
A18.1.6.5 Key Aspect 8: Leak Before Break
A18.1.6.11 Key Aspect 14: Consideration of Plant Decommissioning
A18.2.2 The PS Code (Microsoft Excel Work Sheet)
A18.2.4 RELAP Case and Model
A18.2.5 PS Code Tuned Case
A18.2.6 Comparison of the Calculated Variation With Time of Some Quantities
A18.3.3 Dynamic Analysis (Explicit and Matrix Treatment)
A18.3.3.1 Two Degrees of Freedom, Excitation Along y Axis: Classical (nonmatrix) Notation
A18.3.3.2 Two Degrees of Freedom, Excitation Along x Axis: Matrix Notation
A18.3.3.3 Static Analysis of Some Elements
A18.3.3.4 Three Degrees of Freedom, Nonstructural Walls Considered, Matrix Notation
A18.3.3.5 Static Analysis of Some Elements
A18.3.4 Modal Analysis Performed by an Integrated Structural Program
References
Websites
Index
Back Cover
Nuclear Safety Second Edition

Gianni Petrangeli
Consultant, Formerly ENEA, Italy
Formerly University of Pisa, Italy

Butterworth-Heinemann is an imprint of Elsevier
The Boulevard, Langford Lane, Kidlington, Oxford OX5 1GB, United Kingdom
50 Hampshire Street, 5th Floor, Cambridge, MA 02139, United States

Copyright © 2020 Elsevier Ltd. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or any information storage and retrieval system, without permission in writing from the publisher. Details on how to seek permission, further information about the Publisher’s permissions policies and our arrangements with organizations such as the Copyright Clearance Center and the Copyright Licensing Agency, can be found at our website: www.elsevier.com/permissions.

This book and the individual contributions contained in it are protected under copyright by the Publisher (other than as may be noted herein).

Notices

Knowledge and best practice in this field are constantly changing. As new research and experience broaden our understanding, changes in research methods, professional practices, or medical treatment may become necessary.

Practitioners and researchers must always rely on their own experience and knowledge in evaluating and using any information, methods, compounds, or experiments described herein. In using such information or methods they should be mindful of their own safety and the safety of others, including parties for whom they have a professional responsibility.

To the fullest extent of the law, neither the Publisher nor the authors, contributors, or editors, assume any liability for any injury and/or damage to persons or property as a matter of products liability, negligence or otherwise, or from any use or operation of any methods, products, instructions, or ideas contained in the material herein.

British Library Cataloguing-in-Publication Data
A catalogue record for this book is available from the British Library

Library of Congress Cataloging-in-Publication Data
A catalog record for this book is available from the Library of Congress

ISBN: 978-0-12-818326-7

For Information on all Butterworth-Heinemann publications visit our website at https://www.elsevier.com/books-and-journals

Publisher: Brian Romer
Acquisition Editor: Maria Convey
Editorial Project Manager: Joanna Collett
Production Project Manager: Sruthi Satheesh
Cover Designer: Greg Harris
Typeset by MPS Limited, Chennai, India

Contents

Preface

CHAPTER 1 Introduction
1.1 Objectives
1.2 A Short History of Nuclear Safety Technology
1.2.1 The Early Years
1.2.2 From the Late 1950s to the Three Mile Island Accident
1.2.3 From the Three Mile Island Accident to the Chernobyl Accident
1.2.4 The Chernobyl Accident and After
1.2.5 Fukushima Accident and its Lessons
Endnotes
References
Further Reading

CHAPTER 2 Inventory and Localization of Radioactive Products in the Plant
References

CHAPTER 3 Safety Systems and Their Functions
3.1 Plant Systems
3.2 Safety Systems and Accidents
3.3 Future Safety Systems and Plant Concepts
3.3.1 General Remarks
3.3.2 Some Passive Safety Systems for Nuclear Plants
3.3.3 Inherently Safe Systems in the Process Industries
Endnotes
References
Further Reading

CHAPTER 4 The Classification of Accidents and a Discussion of Some Examples
4.1 Classification
4.2 Design Basis Accidents
4.2.1 Some Important Data for Accident Analysis
4.2.2 Example of a Category 2 Accident: Spurious Opening of a Pressurizer Safety Valve
4.2.3 Example of a Category 3 Accident: Instantaneous Power Loss to All the Primary Pumps
4.2.4 Example of a Category 4 Accident: Main Steam Line Break
4.2.5 Example of a Category 4 Accident: Sudden Expulsion of a Control Rod From the Core
4.2.6 Example of a Category 4 Accident: Break of the Largest Pipe of the Primary System (Large LOCA)
4.2.7 Example of a Category 4 Accident: Fuel Handling Accident
4.2.8 Area Accidents
4.3 Beyond Design Basis Accidents
4.3.1 Plant-Originated Accidents
4.3.2 Accidents Due to Human Voluntary Actions
4.4 External Accidents of Natural Origin
Endnote
References
Further Reading

CHAPTER 5 Severe Accidents
5.1 Existing Plants
5.2 Future Plants: Extreme and Practicable Solutions
5.3 Severe Accident Management: The Present State of Studies and Implementations
5.4 Data on Severe Accidents
5.5 Descriptions of Some Typical Accident Sequences
5.5.1 Loss of Station Electric Power Supply (TE = Transient + Loss of Electrical Supply)
5.5.2 Loss of Electric Power With Loss of Coolant Accident (LOCA) From the Pump Seals (SE = Small LOCA + Loss of Electric Power)
5.5.3 Interfacing Systems LOCA (V)
5.5.4 Large LOCA With Failure of the Recirculation (ALFC)
5.5.5 Small LOCA With Failure of the Recirculation
5.6 “Source Terms” for Severe Accidents
References
Further Reading

CHAPTER 6 The Dispersion of Radioactivity Releases
6.1 The Most Interesting Releases for Safety Evaluations
6.2 Dispersion of Releases: Phenomena
6.3 Release Dispersion: Simple Evaluation Techniques
6.4 Formulae and Diagrams for the Evaluation of Atmospheric Dispersion
6.5 Calculation of Atmospheric Dispersion by Computer Fluid Dynamics Codes
Endnotes
References

CHAPTER 7 Health Consequences of Releases
7.1 The Principles of Health Protection and Safety
7.2 Some Quantities, Terms, and Units of Measure of Health Physics
7.3 Types of Effects of Radiation Doses and Limits
7.4 Evaluation of the Health Consequences of Releases
7.4.1 Evaluation of Inhalation Doses From Radioactive Iodine
7.4.2 Evaluation of Doses Due to Submersion in a Radioactive Cloud
7.4.3 Evaluation of the Doses of Radiation From Caesium-137 Deposited on the Ground (“Ground-Shine” Dose)
7.4.4 Evaluation of the Dose Due to Deposition of Plutonium on the Ground
7.4.5 Indicative Evaluation of Long Distance Doses for Very Serious Accidents to Nuclear Reactors
7.4.6 Direct Radiation Doses
References

CHAPTER 8 The General Approach to the Safety of the Plant Site Complex
8.1 Introduction
8.2 The Definition of the Safety Objectives of a Plant on a Site
8.2.1 The Objectives and Limits of Release/Dose
8.3 Some Plant Characteristics for the Prevention and Mitigation of Accidents
8.4 Radiation Protection Characteristics
8.5 Site Characteristics

CHAPTER 9 Defence in Depth
9.1 Definition, Objectives, Levels, and Barriers
9.2 Additional Considerations on the Levels of Defence in Depth
References

CHAPTER 10 Quality Assurance
10.1 General Remarks and Requirements
10.2 Aspects to Be Underlined
References
Further Reading

CHAPTER 11 Safety Analysis
11.1 Introduction
11.2 Deterministic Safety Analysis
11.3 Probabilistic Safety Analysis
11.3.1 Event Trees
11.3.2 Fault Trees
11.3.3 Failure Rates
Endnote
References

CHAPTER 12 Safety Analysis Review
12.1 Introduction
12.2 The Reference Points
12.3 Foreseeing Possible Issues for Discussion
12.4 Control is not Disrespectful
12.5 Clarification is not Disrespectful
12.6 Designer Report
12.6.1 Introduction
12.6.2 Conclusions
12.6.3 Hydrodynamic Aspects
12.6.4 Effective Mass of Oscillating System
12.6.5 Evaluation of Fluid Damping
12.6.6 Vibration Analysis
12.7 Discussion
Endnote
References

CHAPTER 13 Classification of Plant Components ................................................. 149 References............................................................................................................... 150

CHAPTER 14 Notes on Some Plant Components ................................................... 151 14.1 Reactor Pressure Vessel ......................................................................................... 151 14.1.1 Problems Highlighted by Operating Experience....................................... 151 14.1.2 Rupture Probability of Nonnuclear Vessels .............................................. 152 14.1.3 Failure Probability of Nuclear Vessels...................................................... 153 14.1.4 Vessel Material Embrittlement due to Neutron Irradiation ...................... 158 14.1.5 Pressurized Thermal Shock ....................................................................... 160 14.1.6 The Reactor Pressure Vessel of Three Mile Island 2 ............................... 160 14.1.7 General Perspective on the Effect of Severe Accidents on the Pressure Vessel ............................................................................... 161 14.1.8 Recommendations for the Prevention of Hypothetical Accidents Generated by the Pressure Vessel ............................................................. 163 14.2 Piping...................................................................................................................... 165 14.2.1 Evolution of the Regulatory Positions....................................................... 165 14.2.2 Problems Indicated by Experience ............................................................ 166 14.2.3 Leak Detection in Water Reactors ............................................................ 168 14.2.4 Research Programs on Piping.................................................................... 169


14.3 Valves
14.3.1 General Remarks
14.3.2 Relevant Data From Operating Experience
14.3.3 The Most Commonly Used Types of Valve
14.3.4 Types of Valve: Critical Areas, Design, and Operation
14.3.5 Valve Standards
14.4 Containment Systems
References

CHAPTER 15 Earthquake Resistance
15.1 General Aspects, Criteria, and Starting Data
15.2 Reference Ground Motion
15.3 Structural Verifications
15.3.1 Foundation Soil Resistance
15.3.2 Resistance of Structures
References
Further Reading

CHAPTER 16 Tornado Resistance
16.1 The Physical Phenomenon
16.2 Scale of Severity of the Phenomenon
16.3 Design Input Data
References

CHAPTER 17 Resistance to External Impact
17.1 Introduction
17.2 Aircraft Crash Impact
17.2.1 Effects of an Aircraft Impact
17.2.2 Overall Load on a Structure
17.2.3 Vibration of Structures and Components
17.2.4 Local Perforation of Structures
17.2.5 The Effect of a Fire
17.2.6 Temporary Incapacity of the Operating Personnel
17.3 Pressure Wave
17.4 Other Impacts
References

CHAPTER 18 Nuclear Safety Criteria
18.1 General Characteristics
18.2 The US General Design Criteria
18.3 IAEA Criteria


18.4 EUR Criteria
18.5 Other General Criteria Compilations
18.6 Possible Future Developments of Safety Methods and Criteria
18.6.1 Recent Astonishing Events
18.6.2 Possible Evolution in Safety Evaluation Methods (Mistakes and Limits in Probability Evaluations) and in Safety Criteria
References
Further Reading

CHAPTER 19 Nuclear Safety Research
Reference

CHAPTER 20 Operating Experience
20.1 Introduction
20.2 Principal Sources
20.3 Some Significant Events
20.3.1 Mechanical Events
20.3.2 Electrical Events
20.3.3 System Events
20.3.4 Area Events
20.3.5 Reactivity Accidents
20.3.6 Possible Future Accidents
20.4 The International Nuclear Event Scale
References

CHAPTER 21 Underground Location of Nuclear Power Plants
References

CHAPTER 22 The Effects of Nuclear Explosions
22.1 Introduction
22.2 Types of Nuclear Bomb
22.3 The Consequences of a Nuclear Explosion
22.4 Initial Nuclear Radiation
22.5 Shock Wave
22.6 Initial Thermal Radiation
22.7 Initial Radioactive Contamination (“Fallout”)
22.8 Underground Nuclear Tests
22.8.1 Historical Data on Nuclear Weapons Tests
22.8.2 The Possible Effects of an Underground Nuclear Explosion
22.8.3 The Possible Radiological Effects of the Underground Tests
References


CHAPTER 23 Radioactive Waste
23.1 Types and Indicative Amounts of Radioactive Waste
23.2 Principles
References
Further Reading

CHAPTER 24 Fusion Safety
References
Further Reading

CHAPTER 25 Safety of Specific Plants and of Other Activities
25.1 Boiling Water Reactors
25.2 Pressure Tube Reactors
25.3 Gas Reactors
25.4 Research Reactors
25.5 Sodium-Cooled Fast Reactors
25.6 Generation III/III+ Reactors
25.7 Generation IV Reactors
25.7.1 Small-Medium Size Reactor
25.7.2 Molten Salt Fast Reactor
25.8 Fuel Plants
25.9 Nuclear Seawater Desalination Plants
25.10 VVER Plants
25.11 Ship Propulsion Reactors
25.12 Safe Transport of Radioactive Substances
25.13 Safety of Radioactive Sources and of Radiation-Generating Machines
References
Further Reading

CHAPTER 26 Nuclear Facilities on Satellites
26.1 Types of Plant
26.2 Possible Accidents and Their Consequences
Reference
Further Reading

CHAPTER 27 Erroneous Beliefs About Nuclear Safety
References

CHAPTER 28 When Can We Say That a Particular Plant Is Safe?

CHAPTER 29 The Limits of Nuclear Safety: The Residual Risk
29.1 Risk in General


29.2 Risk Concepts and Evaluations in Nuclear Installation Safety
29.2.1 Tolerable Risk
29.2.2 Risk-informed Decisions
29.3 Residual Risk: The Concept of Loss-of-Life Expectancy
29.4 Risk From Various Energy Sources
29.5 Risk to Various Human Activities
29.6 Are the Risk Analyses of Nuclear Power Plants Credible?
29.7 Proliferation and Terrorism
References

Additional References
Appendix 1: The Chernobyl Accident
Appendix 2: Calculation of the Accident Pressure in a Containment
Appendix 3: Table of Safety Criteria
Appendix 4: Dose Calculations
Appendix 5: Simplified Thermal Analysis of an Insufficiently Refrigerated Core
Appendix 6: European Requirements Revision E, 2016
Appendix 7: Notes on Fracture Mechanics
Appendix 8: US General Design Criteria
Appendix 9: IAEA Criteria
Appendix 10: Primary Depressurization Systems
Appendix 11: Thermal-Hydraulic Transients of the Primary System
Appendix 12: The Atmospheric Dispersion of Releases
Appendix 13: Regulatory Framework and Safety Documents
Appendix 14: USNRC Regulatory Guides and Standard Review Plan
Appendix 15: Safety Cage
Appendix 16: Criteria for the Site Chart (Italy)
Appendix 17: The Three Mile Island Accident
Appendix 18: Other Examples of Practical Use of This Book
Websites
Index

Preface

I have written this book because of my firm belief that it is necessary to try to gather and to preserve in written form, and from one perspective, the accumulated memory and experience in the field of nuclear safety and radiation protection. This is particularly important for countries where nuclear energy exploitation has been stopped, but where it might have to be resumed in future. The main accent of this book is on Nuclear Safety. From another point of view, many areas developed in nuclear safety studies are of interest in the safety of process plants too and, therefore, it is worthwhile writing about them.

Given this perspective, I have tried to collect the ideas, the data, and the methods which, in many decades of professional work in several countries, in my opinion are the most useful for evaluation of the “integrated system” of plant safety. I have emphasized the complete site-plant system more than single details, so the data and the methods discussed are not those applied in the many specialized disciplines devoted to the in-depth study of safety but are those required for overall, first approximation, assessments. In my opinion, such assessments are the most useful ones for the detection of many safety-related problems in a plant and for the drafting of a complete picture of them. The more accurate and precise the methods are, the more essential it is in the optimization phase of plant design and of its operational parameters. Specialists in reactor engineering, thermal hydraulics, radiation protection, and structural response issues may, therefore, be surprised to read that simple methods and shortcuts suggested here are very useful, as my experience and that of other “generalists” suggest.

In addition, this book aims to cover some general and some unusual topics, such as the overall conditions to be complied with by a “safe” plant, the transboundary consequences of accidents to plants or to specific activities, the consequences of terrorist acts, and so on. On some crucial issues the views of the world’s nuclear specialists are not the same, for example, the views in Western countries compared with those in former Soviet-bloc countries on the pre-Chernobyl approach to nuclear safety in Eastern Europe: the West considered the Soviet approach to be a relatively lenient one, while the Soviets thought that they concentrated on prevention of accidents rather than on the mitigation of them. In these cases the text tries to be objective and to quote the “Eastern” view besides the “Western” one, leaving future engineers and technical developments to decide on this issue.

Except where explicitly indicated, the text refers to the pressurized water reactor. Extrapolation to other kinds of plants is, however, possible. The text complies with internationally recognized safety standards, and in particular with International Atomic Energy Agency (IAEA) requirements.

On occasions I have digressed, in notes, from the main thrust of the text. I have done this for several reasons: many notes relate facts that qualify or justify what is written in a preceding paragraph; some of them are numerical examples added for clarification, while others are simple comments and personal reflections on the subject. These notes are set at the end of each chapter. I have provided a list of references at the end of each chapter; however, a chapter (Additional references) lists some organizations that offer “institutional” references [IAEA, Organization for Economic Cooperation and Development (OECD), and United States Nuclear Regulatory Commission (USNRC), which is one of the richest sources of publications among the regulatory bodies]. Many of these references can be consulted and even downloaded from the websites listed in the Websites chapter. Calculation sheets mentioned in the text may be downloaded from the publisher’s website (http://dx.doi.org/10.17632/4hc54vnzx6.2); the way to use them is described in the text.

Finally, I wish to underline that all my experience suggests to me, after many positive and negative lessons learned, that today’s nuclear plants can be completely safe and that significant accidents can be avoided. This is, however, only true on the condition that safety objectives are carefully pursued by the organizations involved in the plants; in this arena, as it will be shown, even organizations apparently very far from any specific plant must be, up to a certain extent, included (e.g., the bodies responsible for the general energy strategy of a country and the “media”).

This situation does not exclude that future nuclear plants should be “cheaper and safer” than today’s nuclear plants. The organization WENRA (see Section 1.2.4) has very courageously put an accent on the need that future plants be safer than present ones by design: a long-awaited statement by many professionals interested in nuclear safety. I personally, among others, asked the participants in a closed meeting of a top European organization to think over the overwhelming benefit of a statement like this in the 1980s, even taking into account the possible wrong use of it by some sectors of public opinion and press. It must be remembered, indeed, that existing safe plants benefit from the accumulated operational experience and ensuing modifications to plant features and their operation: this is an added safety value which, for future different types of plants, must be overcompensated by an increase of safety through design.
I also stress the need that future plants be cheaper than present ones: from the safety point of view, this feature will make plant surveillance and safety-useful modifications easier to accept by investors (see Chapter 18: Nuclear Safety Criteria). I am confident that from the list of Generation IV reactors presently under study (Section 1.2.4), one plant with the above-listed characteristics will emerge. Very recently, some facts (see Nuclear News, 2019 for Canada) seem to indicate the start of an investor’s interest in Generation IV reactors (MOLTEN SALT REACTOR and HTGR) beyond the research activities going on in many organizations worldwide.

In general terms, cheaper and safer nuclear reactors should have the following good “fundamentals” or “basic characteristics”:

• Reduced internal pressure of components
• Reduced presence of highly corrosive fluids
• Reduced presence of flammable materials
• Self-shutdown in the case of dangerous disturbances
• Intrinsically safe siting (reduced danger of destructive earthquakes, inundations, and slides)

The choice of a future, cheaper and safer, reactor type, moreover, should not be influenced (as it might be) by the intertwined relation between peaceful uses of nuclear energy and military uses of it (Uekoetter, 2012; McPhee, 1974). In particular, Thorium-fuelled reactors should not be penalized. This issue is not dealt with in this book for lack of reliable and public numerical data. However, in the light of past experience and choices, this issue is important.

I will be very grateful to my readers for any suggestion concerning any improvements to the text and also corrections to the mistakes which are certainly present in it. I am fully aware, in particular, of the subjective nature of the choice of the material: the subject of nuclear safety, as does that concerning the safety of process plants in general, has become, over time, a discipline comprising many specific rather autonomous subsections. It is not easy, therefore, to choose the material to be included in a general text like this one; in this, practical experience of what is necessary while doing assessment work of plants has been my guide.

REFERENCES

McPhee, J., 1974. The Curve of Binding Energy (Chapters 19–22).
Nuclear News, ANS (American Nuclear Society), issue April 2019, International, page 33.
Uekoetter, F., 2012. Fukushima and the lessons of history: remarks on the past and future of nuclear power. Source: RCC Perspectives, No. 1, Europe After Fukushima: German Perspectives on the Future Nuclear Power. Rachel Carson Center, pp. 9–32.

CHAPTER 1 INTRODUCTION

1.1 OBJECTIVES

The objectives of nuclear safety consist in ensuring that the siting and the plant conditions comply with adequate principles, such as the internationally accepted health, safety, and radioprotection principles. In particular, the plant at the chosen site shall guarantee that the health of the population and of the workers does not suffer adverse radiation consequences more severe than the established limits and that such effects be the lowest reasonably obtainable [the ALARA (as low as reasonably achievable) Principle] in all operational conditions and in case of accidents.

These objectives are frequently subdivided into a general objective, a radiation protection objective, and a technical objective, for example, in the International Atomic Energy Agency (IAEA) criteria (see www.iaea.org).

The general nuclear safety objective (IAEA Fundamental Safety Principles SF-1, 2006) is to protect individuals, society, and the environment from harm by establishing and maintaining effective defences against radiological hazards in nuclear installations.

The radiation protection objective is to ensure that in all operational states radiation exposure within the installation or due to any planned release of radioactive material from the installation is kept below prescribed limits and ALARA, and to ensure mitigation of the radiological consequences of any accidents.

The technical safety objective is to take all reasonably practicable measures to prevent accidents in nuclear installations and to mitigate their consequences should they occur; to ensure with a high level of confidence that, for all possible accidents taken into account in the design of the installation, including those of very low probability, any radiological consequences would be minor and below prescribed limits; and to ensure that the likelihood of accidents with serious radiological consequences is extremely low.
The target for existing power plants consistent with the technical safety objective has been defined by the International Nuclear Safety Advisory Group (advisor to the IAEA Director General) as a likelihood of occurrence of severe core damage that is below about $10^{-4}$ events per plant operating year. Implementation of all safety principles at future plants should lead to the achievement of an improved goal of not more than about $10^{-5}$ such events per plant operating year. Severe accident management and mitigation measures should reduce the probability of large offsite releases requiring short-term offsite response by a factor of at least 10.

It has to be observed that these principles, while indicating the need for strict control of radiation sources, do not preclude the external release of limited amounts of radioactive products nor the limited exposure of people to radiation. Similarly, the objectives require decreasing the likelihood and the severity of accidents, but they recognize that some accidents can happen. Measures have to be taken for the mitigation of their consequences. Such measures include onsite accident management systems (procedures, equipment, operators) and offsite intervention measures. The greater the potential hazard of a release, the lower must be its likelihood.

The chapters of this book, except the few of them not concerned with the safety of nuclear installations, deal with the ways for practically achieving these objectives.

Nuclear Safety. DOI: https://doi.org/10.1016/B978-0-12-818326-7.00001-9 © 2020 Elsevier Ltd. All rights reserved.

1.2 A SHORT HISTORY OF NUCLEAR SAFETY TECHNOLOGY

1.2.1 THE EARLY YEARS

The first reactor, the “Fermi pile” CP1 (or Chicago Pile 1, built in 1942) was provided with rudimentary safety systems in line with the sense of confidence inspired by the charismatic figure of Enrico Fermi and his opinion concerning the absence of any danger from unforeseen phenomena. The safety systems (Fig. 1.1) are as follows:

• Gravity-driven fast shutdown rods (one was operated by cutting a retaining rope with an axe).
• A secondary shutdown system made of buckets containing a cadmium sulfate solution, which is a good neutron absorber. The buckets were located at the top of the pile and could be emptied onto it should the need arise.

[Figure 1.1: “THE FIRST REACTOR, December 2, 1942.” Labels in the drawing: cadmium solution; ax man; spectator; ZIP rod; 57 layers of uranium and graphite; detector; recorder; cadmium rod. Names shown: Samuel Allison, Norman Hilberry, Enrico Fermi, George Weil.]

FIGURE 1.1 Drawing of the CP1 pile. Scram: this term means “fast shutdown of a reactor”; various explanations have been proposed for its origin. The most credited one assumes that it derives from the abbreviated name of the CP1 safety rod which could be actuated by an axe. In the original design sketches of the pile, the position of the operator of the axe was indicated by “SCRAM,” the abbreviation of “Safety Control Rod Ax Man.” The designated operator was the physicist Norman Hilberry, subsequently Director of the Argonne Laboratory. His colleagues used the name “Mister Scram.” Courtesy Prof. Raymond Murray.

Compared with the set of safety systems subsequently considered essential, an emergency cooling system was missing as decay heat was practically absent after shut down, and there was no containment system (except for a curtain!) provided as the amount of fission products was not significant.

Other reactors were soon built, for both military and civil purposes, and since they were constructed on remote sites (e.g., Hanford, Washington), they did not need containment systems. In the light of subsequent approaches used in reactor safety, probably, in this first period, not all the necessary precautions were taken; however, it is necessary to consider the specific time and circumstances present (a world war in progress or just finished, status of radiation protection knowledge not yet sufficiently advanced, etc.).¹

In the 1980s and 1990s, a revision of the “simplified” approach used for these first reactors (mainly devoted to plutonium production) was made. They were, as a consequence, either shut down or modified. In particular, the following characteristics or problems were removed or solved:

• the open cycle cooling of the reactors and nonpressure-resistant containments;
• the disposal of radioactive waste using unreliable methods, such as the location of radioactive liquids in simple underground metallic tanks which were subject to the risk of corrosion and of consequent leaks; and
• the storage of spent fuel elements in leaking pools of water.

1.2.2 FROM THE LATE 1950S TO THE THREE MILE ISLAND ACCIDENT

Since the early 1960s and even before, in the West, the criterion of locating power reactors in a leakproof and pressure-resistant containment vessel was established and consolidated. In those cases where a significant release of radioactive products could be possible, the design pressure of the containment was chosen on the assumption that all the primary (and part of the secondary) hot water (for a water reactor) was released from the cooling systems.

Indeed, since the 1950s, the US “Reactor Safeguards Committee,” set up by the Atomic Energy Commission (AEC) with the task of defining the guidelines for nuclear safety, had indicated that for a noncontained reactor, a low population zone should be provided. This distance, R, had to be at least equal to that given by Eq. (1.1).

$$R = 0.016\,\sqrt{P_{th}}\ \text{km} \qquad (1.1)$$

where $P_{th}$ is the thermal power of the reactor in kilowatts. For a 3000 MW reactor (the usual size today), this exclusion distance is equal to approximately 30 km, which is equal to the distance evacuated after the Chernobyl accident (Bourgeois et al., 1996). Evidently, the reference doses for the short-term evacuation were roughly the same for the two cases. An exclusion distance of this magnitude poses excessive problems to siting, even in a country endowed with abundant land such as the United States; therefore the decision of adopting a containment is practically a compulsory one.


CHAPTER 1 INTRODUCTION

The first reactor with leakproof and pressure-resistant containment was the SR1 reactor (West Milton, New York, built in the 1950s). Built to perform tests for the development of reactors for military ship propulsion, this reactor was cooled by sodium and the containment was designed for the pressure corresponding to the combustion of the sodium escaping from a hypothetical leak in the cooling circuit. In Western countries, moreover, it was required that the whole refrigeration primary circuit should be located completely inside the containment, so that, even in the case of a complete rupture of the largest primary system pipe, all the escaped fluid would be confined in the containment envelope. The design pressure of the containment for water reactors (starting with the Shippingport, Pa, reactor, moderated and cooled by pressurized water) was derived on the basis of the assumption of the complete release of the primary water. In Eastern Europe, these criteria were applied to a lesser degree, as it was accepted that the pressure vessel alone would be located within the containment (the rupture of large pipes was considered sufficiently unlikely to justify this assumption) and that the leakproof containment characteristic need not be very stringent. Thus at the second Atoms for Peace conference in Geneva in 1964, the Western visitors were impressed but surprised by the model of the Novovoronezh reactor, which showed only one small containment enclosure around the reactor pressure vessel and was located in a building that from the outside resembled a big public office building.
Still many years afterward, the Russian reactors of the VVER 230 series, although provided with complete “Western-style” containment, had a leakage rate from the containment of the order of 25% each day (to be compared with figures of the order of 0.2% each day from typical Western containments).2 Apart from differences of approach between world regions, in this period of time and in all the countries with nuclear reactors, the systems installed in the plants according to the requirements of the safety bodies and having the sole purpose of accident mitigation, were frequently the subject of heated debates; in particular, the emergency core cooling systems and the containment systems were often discussed. More precisely, the opinions on the accident assumptions evolved in the West were divided. The reference situations for the reasonably conceivable accidents were chosen by the judgment of expert committees. These situations included the worst “credible” events (such as the complete severance of the largest primary pipe). 
The assumptions concerning the initiating event were accompanied by simultaneous conservative assumptions concerning malfunctions in safety systems, such as a “single failure” consisting in the failure, simultaneous with the initiating event (pipe failure and so on), of one active component of one of the safety systems devoted to emergency safety functions during the accident (water injection system, reactor shutdown system, and so on).3 On one side, the more cautious experts, generally members of public safety control bodies, many scholars and members of nongovernmental organizations for the defence of public rights, supported the need for keeping these conservative assumptions; on the other side, more optimistic people (members of manufacturing industries and of electric utilities) maintained that the abovementioned accident assumptions entailed a true waste of resources (those necessary to provide nuclear plants with huge containment buildings and powerful safety systems). It has to be noted that the “optimists” were by no means imprudent or reckless: a sincere conviction existed in the industry that the current accident assumptions were not well founded.4

1.2 A SHORT HISTORY OF NUCLEAR SAFETY TECHNOLOGY


FIGURE 1.2 Sketch for a discussion on a break in a pressure tube reactor. [Figure labels: isolation valve, normal cooling line, pressure channel, emergency injection line.]

The contrast between the optimists and the pessimists was exacerbated by the foreseeable circumstance that not all of the logical consequences of the initially adopted accident assumptions were from the start clear to technical people. As an example, as far as the effectiveness of emergency core cooling systems is concerned, it was not understood from the start that Zircaloy fuel cladding (stainless steel behaves in a similar way) could react with water in an autocatalytic way at relatively low temperatures and could release large quantities of hydrogen. Neither was it understood from the start that the same cladding could swell before rupturing and could occupy the space between fuel rods, preventing the flow of cooling water. The existence of these phenomena was demonstrated by studies and by tests performed by the AEC on the Semiscale facility at the US National Laboratory of Idaho Falls toward the end of the 1960s, when many US reactors had already been ordered and were being designed or built. Similarly, at the beginning of the 1970s, the possibility was demonstrated that the break of a pipe could damage other nearby pipes or other plant components, starting a chain of ruptures (known as the “pipe whip” effect). All of these discoveries, made late in the design and procurement phases of US reactors, persuaded the control bodies to stipulate that the inherent safety systems be improved in order to take them into account. Other requests for improvement concerned the resistance of the plants to natural phenomena or to man-made events, in order to reach a balanced defence spectrum against all of the realistically possible accidents; in such a way the defence against new phenomena became analogous to the defence against the already considered phenomena having a comparable or lower probability. These requests for improvement (“backfitting”) extended the construction times of the plants, together with their costs.
It can be understood that the industry, which already considered the initially adopted accident assumptions to be excessive, strongly opposed these aggravating requests. As previously said, up to the Three Mile Island (TMI) accident, not all nuclear technical experts believed in the reasonableness of the current accident assumptions and in the need to pursue them with logical rigor and, in the light of the up-to-date scientific knowledge, up to their extreme consequences.5 The increase in costs as a consequence of the continuous requests for plant improvements was strongly in contrast with the initial industrial expectations, which were concisely summarized by the then chairman of the AEC, Lewis Strauss, who famously stated that nuclear energy would become “too cheap to meter.” In this period, the expression “ratcheting” was created to describe the action of the control bodies in the field of the improvement of the plants concurrently with the indications of the progressing studies and research. This continuous process of improvement produced, where it was performed, very safe but also very costly and rather complicated plants. Indeed, the plants were subject to a series of safety feature additions to a substantially unchanged basic design. In this period a diverse approach to plant siting developed and was consolidated in the United States and in Western Europe. In the United States, the plant siting criteria, as far as demographic aspects were concerned, were substantially decoupled from the design features of the plant. On the contrary, in Europe, criteria for the site-plant complex were adopted. The US site criteria (except for seismic problems and for other external natural or man-made events) can be summarized as follows:

• The existence of an “exclusion zone” around the plant, where no dwellings or productive settlements exist, with access under the complete control of the plant management.
• The existence of a “low population zone” around the plant, which could be quickly evacuated (within hours) in case of accident to the plant.
• The radioactive products release from the core to the plant containment conventionally established as a function of the plant power only: the Technical Information Document 14844 (TID) release (Di Nunno et al., 1962).
• A dose limit of 250 mSv (25 rem) total body and of 3 Sv (300 rem) for the thyroid (children) within 2 hours after the accident at the border of the exclusion zone.6
• Dose limits equal to the preceding ones for the whole accident duration at the external border of the low population zone.

The exclusion zone was established at a radius of 800–1000 m around the plant and the low population zone at roughly 5 km from the plant (US Code of Federal Regulations, 2004a). The conventional release from the core was as follows:

• For iodine-131: 50% of the core inventory, of which 50% only is available in the containment for external release (deposition and plate out in the primary circuit).
• The iodine available for external release is 91% elemental, 5% particulate, and 4% organic iodide (methyl iodide).
• Noble gases are totally released to the containment.

Independent criteria were then established for the design of the plant. In this approach, the decision about the adequacy of a proposed site could be taken only on the basis of the plant power level and, possibly, on the specific characteristics of its fission product removal systems (to be evaluated and possibly validated on a case-by-case basis). In contrast, in Europe, the site selection criteria usually consider the site-plant complex. Therefore, for example, if a plant with the usual safety systems could not be located on a specific site because accident doses exceeded the reference limits, it was possible to make the plant acceptable for the same site by the improvement of the systems for fuel integrity protection in case of accidents. The dose limits varied somewhat between various countries, but they were of the order of 5 mSv (500 mrem, effective dose) to the critical group of the population outside the exclusion zone for every credible accident (design basis accidents); some increase of this limit up to the level of tens of millisievert for single specific accidents could also be accepted. In order to evaluate the consequences of these accidents, then, no conventional figure for the releases is used (such as the TID figures). On the contrary, conservative but more realistic assumptions are adopted; typically, the iodine released in the containment is assumed equal to the inventory in the fuel-clad interface, equal to 1%–5% of the total core inventory, instead of the TID 50%.

In Europe, the need to take account of the specific plant features for the evaluation of the acceptability of the site arises from the much higher population density in Europe in comparison with that of the United States (approximately 200 inhabitants per square kilometer and 30 per square kilometer, respectively). It is therefore much more difficult to find low population sites in Europe. The different population densities in Europe and the United States have also brought about differences in accident emergency plans: in the United States, the provision of a complete evacuation of the population within 16 km of the plant in a few hours is adopted, while in Europe the maximum comparable distance is equal to 10 km. It is indeed difficult to assure the evacuation of population centers with tens, hundreds, or thousands of inhabitants. Here too, the countries’ differences in demographic conditions have to be compensated by additional plant features (generally, the use of double containment provided with intermediate filtration systems and the use of elevated stacks). The practice in the Far East (Japan, South Korea) is similar to the European one. These differences in the fundamental approach to safety among various countries have always been thought by the general public to be a weakness of the nuclear industry, thereby affecting their acceptance of nuclear energy. These differences have always been a source of confusion in the mind of the public and, therefore, they aggravate the public distrust in the safety of this energy source.
Many attempts have been made, in the international and community arenas where nuclear safety is discussed (IAEA, OECD, EU), to adopt unified criteria (see Chapter 18: Nuclear Safety Criteria). The aim of agreeing on common criteria has been reached only at the expense of unification at a higher logical level, therefore leaving untouched the differences previously described, for example, leaving to the freedom of each country the definition of acceptable distances or doses. In this period up to the TMI accident, three other facts influenced nuclear safety technology: defence against nonnatural external events; the preparation of the Rasmussen report, WASH 1400; and the introduction of quality assurance (QA) in design, construction, and operation of plants. The first of these, the defence against nonnatural external events, would not deserve specific mention and discussion, except that its motivation has changed with time. For example, the initial official incentive for the reinforcement of plant structures and components of many reactors consisted in the defence against the accidental fall of an aircraft, while, subsequently, it was provided to defend against sabotage performed by the use of aircraft, but also by explosives of various kinds. In effect, the strengthening of structures and components was initially made in Germany as a consequence of the high number of crashes of the Lockheed Starfighter fighter plane in the 1960s. Subsequently, with the onset of terrorist activity in the 1970s, the need arose to defend nuclear plants against hypothetical external attacks conducted with the use of projectiles and of explosives. At this point, it was discovered that the German protection against the plane crash could also envelop a sufficient number of sabotage events based on the use of explosives.
Therefore, as many people preferred not to mention these sabotage protections explicitly, the corresponding provisions were named in the official documents as “protection against plane crash.” Plant protection against the various effects of the impact by a fighter aircraft (weighing about 20 t) was adopted at least in Germany, Belgium, Switzerland, and Italy, whereas in other countries the protection against the fall of a smaller sports aircraft was chosen, frequently only if justified by the proximity of an airport. No country explicitly adopted the protection against the impact of a wide-bodied airliner of the Jumbo Jet type (weighing about 350 t), which would be far more onerous (possibly requiring the underground location of plants). It was calculated that the protection against the fall of a fighter aircraft included the protection against the fall of a large airliner too if the impact takes place with less damaging characteristics (lower speed of impact, shallower angle of impact, and so on) than those which would cause the worst structural consequences (see Chapter 17, Resistance to External Impact, for more on aircraft impact).

The second influence, the Rasmussen report, first published in 1975, was sponsored by the Nuclear Regulatory Commission (NRC—the successor to the AEC in control of peaceful applications of nuclear energy and the regulatory body on nuclear safety matters) with the aim of outlining an overall picture of all the conceivable accidents and of their probabilities, in order to identify the risk connected to a nuclear plant. It was the first time a study that included all conceivable accidents had been made. It included less probable scenarios too, such as the catastrophic explosion of a reactor pressure vessel and an estimate of the probability of each of them. It should be understood that the probability data concerning the most unlikely phenomena are scarce or even absent given the impossibility of studying these phenomena by experimental tests and the scarcity of applicable real-life data. In some ways, quantifying these events in a report was a bold decision, but, once the objective of the study was decided upon, nobody questioned the feasibility of it.
Subsequently, once the report was published, criticism ensued: some people said that it was inscrutable, others criticized the completeness of the database, and others criticized the inconsistency of the executive summary with the main report. In the second, and final, edition some evident insufficiencies were corrected, but some of the criticisms remained unresolved. Whoever it was who started a risk study of the first cars, of the first railway trains or of the first airplanes, would have met the same difficulties. However, with the passing of time, the report has remained a fundamental reference for any safety and risk evaluation. Nobody could support the validity of the absolute quantitative risk evaluations contained in it, but, at the same time, the validity of this study and of the similar ones which followed is universally acknowledged as far as the relative probability estimates are concerned for detection of weak points in a specific design. In substance, the Rasmussen report and similar studies are possible judgment instruments in the nuclear safety field, although they cannot be used alone. Sound engineering evaluations, based on operating experience, even in different but similar fields, and on research results, are the necessary complement to the probabilistic evaluations. In the history of nuclear safety technology, the Rasmussen report did not solely represent a methodological advancement. Severe accidents (those accidents more serious than those up to then considered credible) were included, especially after the TMI accident, in the design considerations for nuclear plants. Finally, the start of the application of QA in nuclear engineering has to be mentioned. According to this management system, the quality of a product is guaranteed by the control of the production processes, more than by the control of the products themselves. 
Certainly this represents remarkable progress toward the achievement of products better complying with their specifications; however, the implementation of this system requires a significant effort in the field of activity planning and of the management of the documentation, entailing a corresponding cost burden.


1.2.3 FROM THE THREE MILE ISLAND ACCIDENT TO THE CHERNOBYL ACCIDENT

In March 1979, during a rather frequent plant transient, a valve on top of the pressurizer of the TMI plant (Pennsylvania, United States) remained stuck open, giving rise to a continuous loss of coolant. In an extremely concise way, an opening in that position (although this fact had not been sufficiently studied and publicized in the technical literature) generated over time a situation of a void reactor pressure vessel and of a full pressurizer. This accident demonstrated that the attitude of many technical people toward nuclear safety was careless and optimistic. It could also be concluded that bad “surprises” caused by a nuclear plant could be avoided only at the expense of a strong change in their mindset toward safety itself. These conclusions were shared by practically all technical people and all over the world. Some optimists still existed, however. They were convinced that all the blame for the accident had to be placed on the operators who had not correctly diagnosed the plant conditions in time, and that all the problems could be solved by the use of more stringently screened operators. It can be said that this accident completely changed the attitude of the industry toward safety in all the OECD countries. The provision of features previously considered to be pointless by some (such as the presence of a leakproof, pressure resistant containment) was acknowledged as valid in the light of the possibility of unforeseeable events. Two organizations were created for the exchange of information on operational events at nuclear plants and for the promotion of excellence in the nuclear safety field: the Institute of Nuclear Power Operations in the United States and the World Association of Nuclear Operators (WANO) internationally.
In the United States, within the NRC, a specific office was created (Analysis and Evaluation of Operational Data) for the analysis and the dissemination of operating experience. Long lists of “lessons learned” were prepared and a “TMI Action Plan” compiled which contained a large number of specific provisions against the possible repetition of similar accidents in the future. The implementation of these provisions cost each plant an amount of money ranging between several million dollars and several tens of millions of dollars. Above all, two concepts were underlined and reinforced: the concept of defence in depth and the concept of safety culture. According to a number of experts, in particular from the former USSR, the attitude of the industry toward safety also changed in Eastern Europe after the TMI accident: already in the early 1980s, Russian designers of VVER reactors proposed a number of measures for safety improvements. The defence in depth initiative is a concept meaning that many, mutually independent, levels of defence against the initiation and the progression of accidents are created. The various levels include physical barriers, such as the fuel cladding, the primary system, and the containment. Five levels are defined: good plant design, control systems, emergency systems, accident management, and emergency plans. The safety culture concept is defined as the set of convictions, knowledge, and behavior in which safety is placed at the highest level in the scale of values in every activity concerning the use of nuclear energy.7 The result of these initiatives, together with the Rasmussen report and the TMI accident, convinced many countries to pay attention to severe accidents. Severe accident occurrence was introduced as a consideration in the design and operation of plants. A severe accident is defined as one exceeding in severity the Design Basis Accidents, which are those against which plant safety systems are designed in such a way that:

• The core does not exceed the limits of irreversible damage of the fuel (e.g., 1200 °C maximum temperature and 17% local oxidation of the claddings) (US Code of Federal Regulations, 2004b).
• The external releases do not exceed the maximum tolerable ones, according to the national criteria in force.

In many cases it is considered, as an accident progressively worsens, that the limit for which it becomes “severe” is the attainment of 1200 °C in the fuel cladding since at about this temperature the progression of the water-cladding exothermic reaction becomes autocatalytic and proceeds at a high rate. The IAEA definition for severe accidents is “accident conditions more severe than a design basis accident and involving significant core degradation” (IAEA, Safety of Nuclear Plants: Design, SSR-2/1). All the OECD countries (but also others) agreed on the advisability of studying and of implementing severe accident management techniques on their plants. These provide equipment and emergency procedures for severe accidents which, in the extreme case of reaching a situation close to a severe accident, prevent its occurrence or, at least, prevent it from worsening. Examples of typical equipment and procedures for severe accidents are the following:

• portable electric energy generators, transportable from the plant to another on the same site or on a different site;
• procedures to supply electric energy to the essential loads, in case of total loss of electric power; and
• procedures for the voluntary depressurization of the primary system in case of loss of the high pressure emergency injection systems, and so on.

By the 1980s, practically all the plants in the OECD area were equipped with Severe Accident Management Plans to various degrees of completeness. Some countries have progressed further than others, instigating real plant modifications as a means of implementing their Accident Management Plans. France, Germany, and Sweden (and others) have installed filtered containment venting systems designed to avoid the rupture of the containment in case of a severe accident entailing the slow overpressurization of the building beyond its strength limits (this situation could happen in every accident scenario without sufficient cooling of the core and of the containment). Other countries, such as the United States, concluded that these systems were not needed, on the basis of a cost-benefit analysis. In Italy, a set of criteria was developed, the “95%-0.1% criterion,” according to which, by the installation of appropriate systems (including a filtered venting system for at least one reactor), a release of iodine higher than 0.1% of the core inventory could be avoided with a probability higher than 95%, conditional upon core melt (defined as attainment of a cladding temperature higher than 1200 °C). Obviously, no single events of very low probability were considered, such as a pressure vessel explosion due to a mechanical defect. A similar criterion was adopted in Sweden. Among the proposals at this time was one that concerned a preventative system for the voluntary depressurization of the primary system in pressurized water reactors (PWRs) and for the passive injection of water into the primary system for about 10 hours. This core rescue system could decrease the core melt probability by a factor of at least 10. The system was proposed as a modification of the design chosen for the Italian Unified Nuclear Design, but was not considered necessary by the designers at that time. A few years later, the designers applied it, with modifications, to the passive reactor AP600. Another reactor design (this time German) has a similar system. The voluntary primary system depressurization has subsequently been adopted by all the more modern PWR designs, such as the European Pressurized Reactor (EPR) and the System 80.

1.2.4 THE CHERNOBYL ACCIDENT AND AFTER

In my opinion and the opinion of other experts, there were two primary causes of the Chernobyl tragedy. The first was that although the plant was certainly very good from a production point of view, it had been designed with excessive optimism as far as safety was concerned. Indeed, in some operating conditions (low power, low steam content in the pressure tubes) the reactor was very unstable, in the sense that an increase in power or a loss of coolant tended to increase its reactivity, increasing the power autocatalytically. In this way, the destruction of the reactor and of the plant could be initiated. Moreover, with completely extracted control rods (a situation forbidden by the operating procedures), the potential instability was more severe and, additionally, the use of the scram acted as an accelerator and not as a brake in the first moments of the rod movement (an “inverted scram”). The second fatal circumstance was that the operators were working, on that night in April 1986, in a condition of frantic hurry for various reasons. Although this reactor had been provided with leakproof and pressure resistant containment as a result of the prevailing changes in attitude already discussed, the containment did not include a significant portion of the reactor itself (a remarkable design decision). In particular, the fuel channel heads were directly put in a normal industrial building. A completely uncontained accident, therefore, happened. The reasons for the adverse design characteristics may have been financial (but expert opinion differs). The general lesson to be learned is always the same: no weak points compromising safety must be left in a plant. Human errors, as in the cases of TMI and Chernobyl, will succeed in finding them and will cause disasters and fatalities.
I do not believe, as some antinuclear people maintain, that “if an accident can happen, sooner or later it will happen”; however, experience indicates that accident possibility must be seriously considered during all the phases of the life of a nuclear plant.8 However, for the sake of completeness, it has to be said that the Chernobyl-type reactors were not well known in the Western world. The pertinent information was kept somewhat confidential because this reactor could potentially be used for plutonium production and therefore it was interesting from a military point of view.9 A confidential safety analysis of an RBMK reactor, similar to the Chernobyl one, was performed some years before the accident by a European design company. It concluded that this reactor, in many respects, did not meet the safety standards in use in the Western world. Copies of this safety analysis were circulated among the experts after the Chernobyl accident. The Chernobyl accident, with its consequences (both local and afar) had not much to teach the Western nuclear safety engineers as the reactor’s shortcomings were all accurately known and avoided in their designs.10


Obviously, it was not possible to convince the public that such an accident could only happen in that specific design of reactor. In Italy, for example, some political parties exploited the evident fear generated in the population and, substantially, led the country toward the immediate and sudden dismissal of the nuclear source of power, with understandably prohibitive costs. In general, after Chernobyl and as a consequence of that accident, two ideas gained momentum:

1. Nuclear plant design, evolved by successive additions, had become too complicated and it was useful to think of simpler systems, based on concepts of passive rather than active safety.
2. Accidents, even the most severe ones, should have modest consequences beyond the exclusion zone of the plant and so should require smaller emergency plans, especially concerning the quick evacuation of the population.

The United States was frequently against any simplification of its emergency plans in order not to change their well-established system of siting decoupled from the characteristics of the plants. This system, after all, was well accepted by the technical bodies and by the population. The concept of passive safety meant the use of systems based on simple physical laws more than on complex equipment. One example is represented by safety injection systems on water reactors which use gravity as a motive force and not pumps. This principle was, for example, adopted in the passive PWR AP600, certified by the NRC in 1999. It comprises a voluntary fast depressurization system of the primary circuit and the provision of a water reservoir in the containment located at an elevated position with respect to the reactor vessel. Passive cooling of the containment was also incorporated in the design. Evidently, however, neither of these new concepts nor the industrial weight of the NRC certification are sufficient to immediately convince the investors because, up to now (2005), no new AP600 has been ordered.
A weak point of this concept has always been the reduced power and its consequent bad scale economy. The 600 MWe rating was initially chosen on the basis of a poll among the US utilities on the basis that this was the preferred size of a power station (lower financial risk and correspondence with the dimension of the electric grids served by the single utilities). The designers thought that they could in any case be competitive because of the use of passive components (i.e., with a reduction of installed components) and because of a general simplification of the plant. It seems now that this objective can be more easily reached by the AP1000 design (namely with a power of 1000 MWe), whose design has been recently (2004) approved by the NRC.

A design where the passive safety has been adopted with a higher degree of caution but with a strong tendency toward the reduction of emergency plans is the French-German EPR of approximately 1400 MWe, where many precautions against severe accidents have been taken (e.g., molten core containment structures, “core catchers,” multiple devices for the quick recombination of hydrogen, and voluntary primary system depressurization).

In 2001 the Generation IV International Forum (DOE + other members) was created with the purpose to develop more economical and safer nuclear reactors for the future. It can be said that “cheaper” may also mean “safer” plants, since some aversion to expenses in plant modifications required for safety reasons might be attenuated. The following reactors were identified:

• gas cooled fast reactor;
• lead cooled fast reactor;
• molten salt reactor (including the fast, thorium fueled breeder reactor, also studied by the SAMOFAR Consortium in Europe);
• sodium cooled fast reactor;
• supercritical water-cooled reactor; and
• very high temperature gas reactor.

To be noted, here, is the WENRA (Western National Regulators Association) statement in 2010: New Nuclear Power Plants to be licensed across Europe in the next years will be safer than existing ones, especially through improvements in the design.

A statement like this one by an official international body had been awaited by many safety specialists since the 1980s (after the TMI accident). This delay was motivated by the possible negative reaction by the public concerning the safety of existing reactors (notwithstanding the favorable factor of the available operating experience).

1.2.5 FUKUSHIMA ACCIDENT AND ITS LESSONS

The Fukushima accident happened on March 11, 2011, as a consequence of a destructive tsunami following a Magnitude 9 earthquake offshore the East coast of Japan. A 15-m-high run-up wave hit the Fukushima six boiling water reactors (three of which in operation and all six to be considered “vulnerable”). The inundation design height was 5.7 m above sea level; this subject was still under discussion on the basis of new evidence when the accident happened. All electric power was lost in Reactors 1, 2, and 3 and their core melted with development of an explosive cloud inside the containment, which eventually exploded. No early fatalities due to radiation were recorded, although estimates of future possible deaths (according to the still discussed linear dose-damage assumption) range in the hundreds of cases. Thousand(s) of square kilometers around the plants were evacuated and, after many years, this land is not used for any purpose. Moreover, if the prevailing winds were pointed to south, instead of north-east, the number of evacuated people could be measured in tens of millions. Contamination of sea water is still taking place, even if at a much smaller rate than shortly after the accident. All of about 50 nuclear power reactors operating in Japan were shut down because of the accident and of the consequent concern in the population and among responsible authorities. Seven years after the accident only seven reactors have been started up again. The whole disaster took place because the design tsunami height was not increased as much as prudent estimates indicated.
In this case as in other instances in the history of nuclear and of nonnuclear accidents, people who had to take costly decisions preferred to respond to the reductive rule of “We have to do something” in place of the more responsible position of “We have to do all what is necessary to prevent a severe accident from happening in future.” We will refer to these two positions as “halfway safety” and “all the way through safety.” After the accident, several initiatives were taken in countries with nuclear reactors in order to determine the modifications needed to assure the safety of each plant against similar exceptional events. The result of these efforts, among which the “stress tests” of each plant in Europe and elsewhere, was not unanimously considered satisfactory. Sentences like “. . . the not yet learnt Fukushima lessons . . .” have been aired on various occasions by exigent safety experts.

Climate change has increased the risk of floods for nuclear plants, and 54 of the 60 in the US are not designed to handle impending flood risks. Gregory Jaczko, former Nuclear Regulatory Commission chairman, says the Trump administration has yet to require nuclear power plant owners to take sufficient steps to combat climate change. Nuclear Smart (2019)

Examples of this “halfway safety” effort are the following. In one instance in a sea-level site on an “internal” sea, high flood waves were excluded because the average depth of that sea is a few tens of meters. In this reasoning line, the fact that the maximum depth of that sea is hundreds of meters and that a (coastal or undersea) slide could happen was completely disregarded. In another case, the protection of a plant against voluntary aircraft crash was claimed to consist in the creation of a fog cloud around the plant. Many doubts arise in this connection: the first one is originated by the warning time needed to create the fog cloud (which might be too long compared with a usually accepted value of around 10 minutes); the second one disregards the possibility to locate the plant by its latitude and longitude and by GPS systems, making the fog cloud almost useless. In some other case, flood waves only originated by earthquakes were considered, disregarding the possibility of other causes, like coastal or underwater slides (see the Vajont and the Storegga slides) and (surface or undersea) flood waves originated by volcano eruptions. In Chapter 18, Nuclear Safety Criteria, some possible revisions of the current criteria as a consequence of the Fukushima and of other recent events will be discussed.

ENDNOTES

1. What radiation dose did Fermi and the other scientists absorb during the first criticality? Taking into account that the reactor was kept in a critical state for roughly half an hour and that the power was equal to about 0.5 W, an order of magnitude evaluation using current data (Glasstone, 1963) shows that the dose due to neutrons and gamma rays was in the order of 10 µSv (1 mrem); very low indeed.

2. According to a number of experts, in particular from the former USSR, this situation is not to be viewed as the outcome of a more rigorous attitude in the West than in the East. There were different safety philosophies in East and West: the former focused on accident prevention without much care of the high cost (at least in the case of VVER reactors), the latter focused more on mitigation of accidents, with a strong effect on the results from cost-benefit considerations. The debates on relativism in philosophy (e.g., ethics or epistemology) have some similarity with these arguments. Indeed, relativism has not to be identified, as some of its critics say, with the thesis that all points of view are equally valid, but with the thesis that one thing (moral values, beauty, knowledge, taste, meaning and nuclear safety criteria, too) is relative to some particular framework or standpoint (e.g., the individual subject, a culture, an era, a language or a conceptual scheme). Moreover, no standpoint is uniquely privileged over all others. With these kinds of highly controversial similarities, it is easy to understand that any attempt to resolve the issue by discussions may scarcely be productive and that only the future will indicate where the relative merits are higher.


3. This method of defining the accidents to be considered in the design was subsequently named the “deterministic method,” to be distinguished from the “probabilistic method” based on the evaluation of the probability of the various accidental events. Presently, however, the choice criteria are generally a combination of the two approaches.

4. “Pipes leak, pipes crack, pipes are corroded, but pipes don’t break,” one of the senior US industry engineers used to repeat. And indeed, in the light of subsequent “experience” (now equivalent to >10,000 reactor-years of operation) very few guillotine breaks of large pipes have happened. Moreover, most of these cases have not happened in primary pipes, but in pipes not submitted to the most stringent design and operation practices (periodic inspections and so on). Only two cases have happened in two feedwater pipes, weakened by erosion. In contrast, the figures based on the assumption of a complete break of the largest pipe in the plant affords protection from a number of different events not explicitly considered, such as the flange bolts breaking in large valves (several cases of “near misses” of this kind have happened), the partial rupture of pump casings caused by rotor failure, etc.

5. Toward the end of the 1960s, two eminent nuclear designers discussed with a safety reviewer the pipe rupture assumptions for a pressure tube reactor under design. The technical problem under discussion is sketched in Fig. 1.2. If the cooling water pipes ruptured, the designers declared that the cooling of the fuel contained in each pressure channel was ensured as a valve at the inlet of each channel (shown in the drawing) would be closed in order to force the emergency cooling water to flow into the channel and to cool the fuel before reaching the rupture point and spilling into the containment.
When the safety reviewer pointed out that this design objective would not be reached if the rupture had happened in the position marked with an X, their answer was “Safety is not a game with rigid and meticulous rules, sir! More room should be left to technical judgement!” It has to be appreciated that in the nuclear safety profession everybody knows that an accidental break has to be assumed at every location on every pressure pipe and that, in these conditions, the plant must continue to be safe; so, it is ridiculous that somebody tries to resort to the difference between nuclear safety and a game in order to justify a departure from this rule concerning the break location. Many years afterward, this sentence came again to my mind after the TMI accident in which the only rupture position for which the primary water loss could have created the situation of an “empty pressure vessel and filled up pressurizer” which totally confused the operators and induced them to shut off the emergency injection system was precisely the one which happened, namely at the top of the pressurizer. This anecdote is representative of a state of mind prevalent in the industry in the period of time up to the TMI accident, that is that the current accident assumptions were excessive so that their implementation could be rather flexible without adverse consequences.

6. The reference, in the US criteria, to 250 mSv total body and 3 Sv thyroid doses may be intriguing for some people. Indeed, nowadays, no acceptance criterion includes such high figures: the effective dose limits for design basis accidents (credible accidents) are 10–100 times lower. Indeed, in the 1950s and 1960s, the figures adopted in the US criteria were officially considered as maximum tolerable doses for serious accidents.
Over time, however, progress in radiation protection knowledge has brought about an additional decrease in the tolerability limits, therefore the figures initially adopted in the United States have become “completely conventional numbers,” losing their (uncertain) original physical-biological meaning. The question arises as to why these figures have not been updated. Here, as in many other cases in the nuclear safety field, perhaps the consideration has prevailed that any reduction of the limits could be interpreted as a disapproval of already built and operating plants, for which the original figures were adopted. The site criteria have, however, always been thought to give acceptable protection to the population.

7. Two things are surprising when the operating experience of nuclear plants is considered. The first one is the astonishing coincidence of different adverse facts which is at the origin of many serious accidents (TMI and Chernobyl included). The second is the surprising intervention of resolving factors in sequences of events already well advanced in their progress toward a disaster [the Browns Ferry Fire, many discoveries “at the last minute” of very dangerous cracks in pressure vessels, and so on]. It is thought that the motivation of many of these surprising events is the presence of a special atmosphere or mindset in the group of people responsible for the construction and the operation of a plant. This atmosphere can be either favorable or adverse to safety. Perhaps, the possible presence of it should be in some way considered in probabilistic analyses as a “concurrent event” of any accident studied. As an example, letting our imagination wander, the initiating event “small pipe break” could be studied in coincidence with “hectic atmosphere because of the need to conclude an operational phase or a test,” with a probability which now could be estimated of the order of 10%. Obviously, the practical answer to these remarks is “prevention,” namely the strengthening of Defence in Depth and of Safety Culture.

8. The forgotten safety criterion: Many safety criteria have been discussed and written about, but one which requires that a nuclear plant should never be constructed and operated in haste has not been proposed yet. Perhaps, more than one criterion is involved here. For example, one of the specific requirements might be that “no nuclear plant can operate if its power is essential to the grid,” as happens when reserve energy is not available to allow it to be stopped in cases of unforeseen events, emergencies, or to perform inspection, maintenance or tests. In the case of Chernobyl, the existence of a similar criterion would have allowed the power station superintendent to oppose the request to continue to operate beyond the programmed time. Obviously, such a criterion could be opposed by the strong supporters of the cost convenience of nuclear energy.
I think, on the contrary, that without subtracting anything from the great merits of nuclear energy, a more realistic attitude is necessary. A good example in which a plant was operated for production needs with a lack of power reserve in the grid, against the opinion of many experts, happened between 1995 and 1996. In that period, a power station was operated in various months in order to support the power demand during the winter period, despite strong doubts about the strength of the reactor pressure vessel (presence of cracks and doubts on the possible excessive neutron embrittlement of the vessel material). These doubts were expressed by a group of European specialists, which opposed the continuation of the plant operation. What the most pessimistic people feared did not happen but, for those knowing the facts, it was a worrying situation: the burst of a reactor pressure vessel of a water reactor must be absolutely prevented within reliable safety margins, as it can give rise to an accident of the severity of the Chernobyl one.

9. At the time when Finland was planning its first nuclear power station, because of existing commercial agreements, technical experts contacted Russian experts in order to explore the possibility of the supply of a Russian-designed reactor. When, during one of the meetings, the Finn responsible for nuclear safety and the Russian responsible for the peaceful use of nuclear energy were discussing the various types of reactors available, the RBMK reactor (the Chernobyl type) was considered too. The Finnish expert asked for a copy of the safety report of this reactor, but the Russian answered that the safety report could be provided only to the buyers of the reactor. The Finn persisted, saying that Finland seriously intended to buy, but received a final answer that this type of reactor could not be sold outside the Soviet Union (for national security reasons).

10. The major lesson which was learnt from the Chernobyl accident was that it was demonstrated that a catastrophic accident could have consequences up to distances not yet imagined before. In this connection, it is not completely true, as many people have said, that the dispersion of the releases up to great distances was due solely to the upward propulsion caused by the explosion and by the fire of the reactor. The very large quantity of radioactive releases was the primary factor, although with an additional contribution by the explosion/fire phenomenon.


REFERENCES

Bourgeois, J., Tanguy, P., Cogné, F., Petit, J., 1996. La Surete Nucleaire en France et dans le Monde. Polytechnica, Paris.
Di Nunno, J., Baker, R.E.D., Anderson, F.D., Waterfield, R.L., 1962. Calculation of distance factors for power and test reactor sites. USAEC, TID-14844.
Glasstone, S., 1963. Nuclear Reactor Engineering. Van Nostrand, Princeton, NJ.
IAEA Fundamental Safety Principles SF-1, 2006.
IAEA Safety of Nuclear Plants: Design, SSR-2/1, 2012.
Nuclear Smart Brief, ANS, April 22, 2019.
US Code of Federal Regulations, 2004a. Part 100: Reactor Site Criteria, US Government.
US Code of Federal Regulations, 2004b. Part 50.46: Acceptance Criteria for Emergency Cooling Systems for Light Water Nuclear Power Reactors, US Government.

FURTHER READING

INSAG-12 Basic Safety Principles for Nuclear Power Plants, 1999.
WNA Fukushima Accident. <www.world-nuclear.org>.

CHAPTER 2 INVENTORY AND LOCALIZATION OF RADIOACTIVE PRODUCTS IN THE PLANT

One of the primary objectives of nuclear safety is to contain within the plant the radioactive products present there. It is, therefore, essential to know the amount and the normal location of these products. Almost all the radioactive products are contained in fuel located in the reactor itself or in used fuel which is still stored at the plant, in the spent fuel pool, or, less frequently, in dry containers for temporary storage. Table 2.1 lists the half-life and total radioactivity for the nuclides in a 1000-MWe water reactor in equilibrium conditions (i.e., after a certain operation time). At the start of the operation, the amount of some nuclides with a long half-life continuously increases until it reaches, after several months, a practically constant saturation level. For the preliminary evaluations of the consequences of accidents, it is usually sufficient to consider the doses due to

• noble gases (direct cloud radiation dose);
• iodine (inhalation dose);
• cesium (mainly long-term doses due to radiation from the radioactivity deposited on the ground—“ground shine”);
• tritium (fusion machines and specific reactors), plutonium (fall of satellites, fuel treatment plants that handle plutonium).

The nuclides are grouped according to a criterion adopted in many “source term” (complex of external releases in an accident) studies. This classification takes into account important factors in the release evaluation, such as the volatility of the element or its probable compounds and their chemical/physical properties. In a rather indicative way, it can be assumed that if in an uncontrolled (severe) accident X percent of the noble gases inventory is released, the releases of iodine and of cesium may reach 0.1X percent, and the releases of other products roughly 0.01X percent. Each conceivable accident, however, has specific aspects which may strongly alter these indicative percentages, here mentioned in order to give an average measure of the natural release potential of the various isotopes.

The radioactive products contained in the fuel are normally located in the sintered uranium dioxide of the reactor fuel [the uranium dioxide fuel is shaped into pellets, roughly 1 cm in diameter, inserted in long zirconium alloy (zircaloy) cylinders]. The matrix of these cylinders (roughly 40,000), grouped in bundles to form the fuel elements, is the reactor core.

Nuclear Safety. DOI: https://doi.org/10.1016/B978-0-12-818326-7.00002-0 © 2020 Elsevier Ltd. All rights reserved.

Table 2.1 Nuclides, Half-Life, and Radioactivity for a 1000-MWe Pressurized Water Reactor.

| Group | Element | Nuclide | Half-life (days) | Radioactivity (Bq × 10^18) | Radioactivity (MCi) |
|---|---|---|---|---|---|
| Noble gases | Krypton | Kr-85 | 3950 | 2.072 | 56 |
| | | Kr-85m | 0.183 | 0.888 | 24 |
| | | Kr-87 | 0.0528 | 1.739 | 47 |
| | | Kr-88 | 0.117 | 2.516 | 68 |
| | Xenon | Xe-133 | 5.28 | 6.290 | 170 |
| | | Xe-135 | 0.384 | 1.258 | 34 |
| Iodine | Iodine | I-131 | 8.05 | 3.145 | 85 |
| | | I-132 | 0.0958 | 4.440 | 120 |
| | | I-133 | 0.875 | 6.290 | 170 |
| | | I-134 | 0.0366 | 7.030 | 190 |
| | | I-135 | 0.28 | 5.550 | 150 |
| Cesium and rubidium | Cesium | Cs-134 | 750 | 0.2775 | 7.5 |
| | | Cs-136 | 13 | 0.111 | 3 |
| | | Cs-137 | 11 000 | 0.1739 | 4.7 |
| | Rubidium | Rb-86 | 18.7 | 0.00096 | 0.026 |
| Tellurium and antimony | Tellurium | Te-127 | 0.391 | 0.2183 | 5.9 |
| | | Te-127m | 109 | 0.0407 | 1.1 |
| | | Te-129 | 0.048 | 1.147 | 31 |
| | | Te-129m | 0.34 | 0.1961 | 5.3 |
| | | Te-131m | 1.25 | 0.481 | 13 |
| | | Te-132 | 3.25 | 4.44 | 120 |
| | Antimony | Sb-127 | 3.88 | 0.2257 | 6.1 |
| | | Sb-129 | 0.179 | 1.221 | 33 |
| Alkaline earths | Strontium | Sr-89 | 52.1 | 3.478 | 94 |
| | | Sr-90 | 11 030 | 0.1369 | 3.7 |
| | | Sr-91 | 0.403 | 4.07 | 110 |
| | Barium | Ba-140 | 12.8 | 5.92 | 160 |
| Volatile oxides | Cobalt | Co-58 | 71 | 0.02886 | 0.78 |
| | | Co-60 | 1920 | 0.01073 | 0.29 |
| | Molybdenum | Mo-99 | 2.8 | 5.92 | 160 |
| | Technetium | Tc-99m | 0.25 | 5.18 | 140 |
| | Ruthenium | Ru-103 | 39.5 | 4.07 | 110 |
| | | Ru-105 | 0.185 | 2.664 | 72 |
| | | Ru-106 | 366 | 0.925 | 25 |
| | | Ru-105 | 1.5 | 1.813 | 49 |
| Nonvolatile oxides | Yttrium | Y-90 | 2.67 | 0.1443 | 3.9 |
| | | Y-91 | 59 | 4.44 | 120 |
| | Zirconium | Zr-95 | 65.2 | 5.55 | 150 |
| | | Zr-97 | 0.71 | 5.55 | 150 |
| | Niobium | Nb-95 | 35 | 5.55 | 150 |
| | Lanthanum | La-140 | 1.67 | 5.92 | 160 |
| | Cerium | Ce-141 | 32.3 | 5.55 | 150 |
| | | Ce-143 | 1.38 | 4.81 | 130 |
| | | Ce-144 | 284 | 3.145 | 85 |
| | Praseodymium | Pr-143 | 13.7 | 4.81 | 130 |
| | Neodymium | Nd-147 | 11.1 | 2.22 | 60 |
| | Neptunium | Np-239 | 2.35 | 60.68 | 1640 |
| | Plutonium | Pu-238 | 32 500 | 0.002109 | 0.057 |
| | | Pu-239 | 8.9 × 10^6 | 0.000777 | 0.021 |
| | | Pu-240 | 2.4 × 10^6 | 0.000777 | 0.021 |
| | | Pu-241 | 5350 | 0.1258 | 3.4 |
| | Americium | Am-241 | 1.5 × 10^5 | 0.0000629 | 0.0017 |

Total activity (TBq): 193 × 10^6. Total activity (MCi): 5202.

A fraction ranging from 0.5% to 5% (USNRC, 1992) of the more volatile radioactive products (noble gases, iodine, cesium) is contained in the gap between the uranium pellets and the containment cylinder (cladding). For the sake of conservatism, however, sometimes the accident release evaluations are made assuming that this percentage is equal to 10% (this is the value suggested, e.g., by USNRC Regulatory Guide 1.25 on fuel element drop accidents). During accidents without core melt but entailing a severe threat to the fuel (of a mechanical and/or thermal nature), these radioactive products may escape from the fuel and be released to the primary system. In general, it is assumed that at least noble gases, iodine, and cesium are released in this way.

Even during normal operation, the primary coolant contains a certain amount of radioactivity, partly due to nuclides formed by the irradiation in the core of elements dispersed in the coolant (oxygen, hydrogen, cobalt, iron, etc.) and partly due to the presence of defective (fissured) claddings in the core which let a part of the gap inventory escape into the coolant. The concentration of radioactive products in the water depends on the extent of fissures (in general, it is assumed that 1%–2% of the elements have fissures) and on the effectiveness of the primary water purification system. The degree of contamination of the primary coolant by iodine-131 (the most significant isotope) normally assumed in the study of accidents is equal to roughly 10^4 to 10^5 Bq/g, corresponding to a total of the order of tens of terabecquerels for the whole primary system (i.e., hundreds of curies).

For iodine-131 (the same considerations are valid for cesium), the effects of the phenomenon of “iodine spike” are, in addition, taken into consideration (this is an increase in the release of these radioactive products from the fissured fuel rods caused by power variations). The phenomena involved are connected with the ingress and subsequent exit of water through the gap and with likely fracturing of the fuel matrix. Guidance on figures to be used can be found in USNRC (1996). The normal values are

• A factor of 50 on the normal iodine content in the primary water (that is up to a total of 100–1000 TBq for all the primary system).
• A factor of 500 on the rate of release of the iodine from the fuel, whose order of magnitude can be, for each fissured rod, 10^-4 to 10^-3 TBq/h.
• A peak time duration of 1–5 hours.

Radioactive products are present in decay storage tanks for gases extracted from the primary water before their release to the atmosphere. Not all the plants use these tanks as the decay of waste gases is frequently obtained by delay lines that temporarily adsorb the gases on activated carbon. Where decay tanks are used, a rupture of one of them is serious. The total inventory of the stored gases is subdivided into several (typically eight) tanks. The most relevant external doses are those connected with the irradiation from the cloud of noble gases, whose total inventory may be of the order of 10^4 TBq. For completeness, although the accidents discussed may have minor consequences, it must be added that other radioactive products are contained in the plant, mainly in the form of solid waste.

REFERENCES

USNRC, 1992. Accident Source Terms for Light-Water Nuclear Power Plants, NUREG-1465.
USNRC, 1996. Standard Review Plan for the Review of Safety Analysis Reports for Nuclear Power Plants, NUREG-0800.

CHAPTER 3 SAFETY SYSTEMS AND THEIR FUNCTIONS

3.1 PLANT SYSTEMS

By necessity, a nuclear power plant (NPP) is composed of the parts required to generate electric power (the “process” parts or systems) but also of a complexity of safety systems. The name “safety systems” here indicates all those systems that are not strictly necessary to the plant operation or to health protection under normal conditions, but rather those that prevent the progression of accidents and therefore avert the large release of radioactive products. Accident prevention is a major activity of designers, operators, and control bodies.

Fig. 3.1 will remind the reader of the components of a typical pressurized water reactor (the PWR—the most common design in the world). The process components are the reactor (R) itself, where the nuclear chain reaction takes place and the heat is produced which will finally be transformed into electric energy; the steam generator (SG), where the heat is used to produce high pressure steam; the turbine (T), where the steam energy is transformed into mechanical rotation energy; and, finally, the electric generator (G), which produces the electric energy to be supplied to the grid. As can be seen in the drawing, the process fluid, that is water in the form of liquid or vapor, circulates in two distinct systems, the primary and the secondary system, which mutually exchange heat in the SG. Another important component of the primary system is the pressurizer (PR), whose function is that of an expansion volume and of a pressurization component, the latter function being obtained by electric heaters. The pressurizer keeps the circuit water at a higher pressure than its saturation pressure, thereby suppressing the steam production in the primary system. [The pressurizer was significant in the Three Mile Island (TMI) accident.]

The safety systems have three main objectives: the quick emergency shutdown of the chain reaction; the emergency cooling of the reactor after shutdown; and, finally, the containment of radioactive products after their accidental release from the reactor. The quick shutdown is obtained by the insertion, by gravity, of control rods (CR) in the reactor and, as a backup, by the injection of a liquid neutron “poison” (boron) in the primary water. The emergency cooling of the reactor is necessary because the radioactive products accumulated in the nuclear fuel continue to generate heat after the shutdown of the chain reaction (decay heat) (see Figs. 3.2 and 3.3). The emergency cooling systems are both passive ones (i.e., those practically without moving components, such as pumps) and active ones. By way of examples, Fig. 3.1 shows a passive system (accumulators, AC, kept under pressure by compressed nitrogen) and an active system (I).

The containment comprises a combination of special buildings and engineered systems. The figure shows a complete “double containment” system, similar to those adopted in many countries. In this design, an internal reinforced concrete building, strong enough to resist the accident pressure of the worst design basis accident (DBA), is internally lined by steel in order to guarantee optimum leakproof characteristics (primary containment). Isolation valves (V) will close in case of accident, always for leak proofing reasons. The first building is enclosed in another reinforced concrete building (secondary containment) in order to further improve the retention of radioactive products and the shielding from direct radiation; it has also the function of affording protection against external impact events. The area between the two containments is kept at a negative pressure with respect to the external environment by means of filtered suction systems (A and F). The primary containment is provided with cooling and water spray systems in order to decrease, in case of accident, both the internal pressure and the amount of free radioactive products.

FIGURE 3.1 Simplified schematic of a pressurized water reactor. [Labels in the drawing: primary containment, secondary containment, steel liner, spray, cooling, pump, filtered suction, primary circuit, secondary circuit, foundation.]

Nuclear Safety. DOI: https://doi.org/10.1016/B978-0-12-818326-7.00003-2 © 2020 Elsevier Ltd. All rights reserved.

3.2 SAFETY SYSTEMS AND ACCIDENTS

The safety systems are designed to cope with a set of accidental events (DBAs), either originating inside the plant or outside it. This set also includes events of such a low probability that their occurrence during the life of the plant should not be feared.

FIGURE 3.2 Decay power for a 2775-MWt reactor (±10% over best estimate). [Plot of decay power against time after shutdown (s); the power is expressed as percent of nominal power, MW, kcal/s, kg/s of burning kerosene, and kg/s of vaporizing water.]

As an example, the following events are included within the DBAs: an instantaneous guillotine break of the largest pipe of the primary circuit; the sudden expulsion of a CR from the core; and the maximum potential seismic event on the plant site. An accident at a NPP can be caused by many combinations of anomalous initiating event, malfunction, and human error. The types of possible accidental situations are studied in the specific safety analysis of each plant and the safety systems described above are designed to prevent, or mitigate the effects of all the accidents chosen as DBAs. Table 3.1 provides an approximate indication of the effectiveness of various safety systems in limiting external releases in a typical loss of coolant accident (the break of a large primary circuit pipe). The figures are for the release of iodine-131 (often assumed as the reference isotope in indicative evaluations of “source terms” and for a 1000-MWe reactor). As can be seen, the reduction of the releases caused by the safety systems is very significant and corresponds to a factor of the order of one million.

FIGURE 3.3 Decay energy for a 2775-MWt reactor. [Plot of decay energy against time after shutdown (s); the energy is expressed as full power seconds, MWh, kcal, kg of burning kerosene, and kg of vaporizing water.]

Table 3.1 An Example of the Effectiveness of Safety Systems: Release of 131I due to loss of coolant (current reactors).

Location: Activity (TBq)
In core: 3.5 × 10^6
In the gaps: 3.5 × 10^4
Primary containment: 3.5 × 10^3
Secondary containment: 1.8 × 10^2
Environment: 1.8–18

Safety Systems:
• Fast shutdown
• Emergency cooling
• Primary containment
• Removal and cooling systems
• Secondary containment
• Activated carbon filters

Effect:
• Prevent releases from the fuel matrix and decrease releases from the gaps (dissolution, plate out)
• Leak proof: reduction factor of 20 for a 0.5% leakage per day and 10 days of pressurization
• Segregate radioactive products

The study of the safety of a plant is not, however, limited to the study of the serious and unlikely DBAs. For many years, the most serious accidents, named “severe accidents”, have also been the subject of studies and research. Some definitions of safety criteria (IAEA Safety Criteria and EUR Requirements) specify a third class of accidents that lies between the two already mentioned. These include

• operating transients without scram (ATWS);
• complete loss of alternate electric power in the power station;
• containment bypass accidents.

This class does not require the same conservative design provisions required by DBAs (high safety margins for mechanical strength, strict quality assurance requirements, etc.). However, substantial core integrity is required as a consequence of the implementation of accident management measures.

The main reasons for the general interest in severe accidents are primarily the intention of improving the protection of the plant by its extension to the field of the most serious accidents, and the need to know phenomenologies and probabilities of these accidents in order to perform less uncertain evaluations of the global risk of a plant (probability risk assessment or PRA) of the type of the famous Rasmussen report.

What are the possible causes, the typical phenomena and the possible course of events in a severe accident? Here a concise and necessarily incomplete description will be attempted. The typical sequences entail damage and melt of the core, interaction of the molten core with the pressure vessel and afterwards with the containment floor and, finally, perforation of the containment itself. The damage and the melt of the core may happen for two reasons only, notwithstanding the large number of the possible sequences:

• the late or missing shutdown of the chain reaction, when required;
• insufficient decay heat removal from the reactor.

For PWRs, in particular, the decay heat dominates the stage in severe accidents. Fig. 3.2 illustrates the behavior of the decay power with time for a 2775-MWt reactor. It shows the correspondence between this power and the amount of water which could be evaporated per second by it (the corresponding amount of equivalent burnt kerosene per second is also shown). As can be seen, after a few hours, a really small flow rate of water is sufficient to cool the core (about 10 L/s, that is the normal flow rate of a 50-mm diameter pipe). Contrasting this is the transient situation of a reactor where the rupture of a large diameter pipe has occurred (a large loss of coolant accident or LOCA). In this case the reactor vessel quickly empties (in a few tens of seconds) and therefore it has to be quickly refilled in order to keep the core covered and therefore adequately cooled. In this situation, it is essential that the emergency cooling systems have large flow rates (of the order of thousands of liters per second). The “reflooding” of the core places the largest flow rate demand on the safety injection systems.

The first consequences of uncontrolled overheating of the core are the fissuring of the fuel claddings [at about 1073K–1173K (800°C–900°C)], while their normal operating temperature is about 623K (350°C), and their subsequent oxidation reaction with water or with steam [above 1473K (1200°C)] which generates heat and hydrogen. It is worth remembering (Petrangeli and Sollima, 2008), in calculating the fuel rod overheating, that the decay power is due to alpha or beta radiation for one half of the total only, while the other half is due to gamma radiation which travels in the core some distance before losing all its energy. The consequence is a lower power peaking factor than for the case of power all generated where fission has occurred.
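The correspondence that Fig. 3.2 draws between decay power and the water flow it can evaporate can be reproduced with a short calculation. The Python code below is an added example, not taken from the book: it assumes a Way-Wigner-type power law with coefficient 0.066 in place of the best-estimate curve behind the figure, one year of operation before shutdown, and water boiling at atmospheric pressure; all function names are this example's own.

```python
import math

NOMINAL_POWER_MW = 2775.0         # thermal power of the reactor in Fig. 3.2 (from the page)
ONE_YEAR_S = 365 * 24 * 3600      # assumed operating time before shutdown
LATENT_HEAT_KJ_PER_KG = 2257.0    # vaporization of water at 100 C, 1 atm (assumed)
SPECIFIC_HEAT_KJ_PER_KG_K = 4.19  # liquid water (assumed)


def decay_fraction(t_s, operating_time_s=ONE_YEAR_S, coeff=0.066):
    """Decay power as a fraction of nominal power, t_s seconds after shutdown.

    Way-Wigner-type approximation (assumed here, not the book's curve):
    P/P0 = coeff * (t^-0.2 - (t + T)^-0.2), with T the prior operating time.
    """
    if t_s <= 0 or operating_time_s <= 0:
        raise ValueError("times must be positive")
    return coeff * (t_s ** -0.2 - (t_s + operating_time_s) ** -0.2)


def decay_power_mw(t_s, nominal_mw=NOMINAL_POWER_MW, operating_time_s=ONE_YEAR_S):
    """Decay power in MW at t_s seconds after shutdown."""
    return nominal_mw * decay_fraction(t_s, operating_time_s)


def boiloff_rate_kg_s(power_mw, inlet_temp_c=100.0):
    """Water flow (kg/s, about L/s) that absorbs power_mw by heating to 100 C and boiling."""
    if not 0.0 <= inlet_temp_c <= 100.0:
        raise ValueError("inlet temperature must be between 0 and 100 C")
    energy_per_kg = (SPECIFIC_HEAT_KJ_PER_KG_K * (100.0 - inlet_temp_c)
                     + LATENT_HEAT_KJ_PER_KG)
    return power_mw * 1000.0 / energy_per_kg


def time_until_flow_suffices(flow_kg_s, nominal_mw=NOMINAL_POWER_MW,
                             operating_time_s=ONE_YEAR_S, inlet_temp_c=100.0):
    """Earliest time after shutdown (s) at which flow_kg_s removes the decay power.

    The required flow falls monotonically with time, so bisect in log-time.
    """
    def needed(t_s):
        return boiloff_rate_kg_s(decay_power_mw(t_s, nominal_mw, operating_time_s),
                                 inlet_temp_c)

    lo, hi = 1.0, 1.0e8
    if needed(lo) <= flow_kg_s:
        return lo
    if needed(hi) > flow_kg_s:
        raise ValueError("flow is too small to match decay power within 1e8 s")
    for _ in range(100):
        mid = math.sqrt(lo * hi)
        if needed(mid) > flow_kg_s:
            lo = mid
        else:
            hi = mid
    return hi


if __name__ == "__main__":
    # Same time marks as the horizontal axis of Fig. 3.2.
    for label, t in (("1 h", 3600), ("10 h", 36000), ("1 d", 86400), ("7 d", 604800)):
        power = decay_power_mw(t)
        print(f"{label:>4}: {100 * decay_fraction(t):.2f}% of nominal, "
              f"{power:6.1f} MW, {boiloff_rate_kg_s(power):5.1f} kg/s of boiling water")
    hours = time_until_flow_suffices(10.0) / 3600.0
    print(f"10 kg/s of boiling water matches the decay power after about {hours:.1f} h")
```

Under these assumptions, 10 kg/s of boiling water matches the decay power roughly three hours after shutdown, which is the order of magnitude the text quotes.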
It has to be stressed that, during their life in the reactor, the fuel tubes become significantly pressurized because of the development of fission gases inside them (up to several tens of atmospheres) and, therefore, once fissured, they tend to quickly release to the outside (if the reactor pressure is low, as in many accidents) all the accumulated volatile products. The amount of hydrogen which can be generated by a normal size reactor may reach 700–800 kg: a very large quantity! The most severe hazard caused by hydrogen release is that it will be released, sooner or later according to the conservative assumptions made in severe accident studies, into the primary containment atmosphere where it may cause, in the presence of air, explosions, or relatively slow combustion. In both cases, the internal pressure in the primary containment will increase and its integrity will be endangered. The containment safety margins against internal pressure are, however, normally high.1

If the accident is allowed to progress in an uncontrolled way, the temperature of the reactor core will continue to increase and it can be assumed that at about 1973K (1700°C) the not yet oxidized zircaloy claddings will melt, and at about 3073K (2800°C) the uranium oxide pellets will melt completely. The liquid mass that could be formed in this way (named “corium”) collects on the bottom of the reactor vessel and may perforate it as the generation of decay heat continues. The TMI2 accident progressed up to the threshold of this event, without trespassing it, however. A large quantity of molten and resolidified “corium” was indeed found on the bottom of the vessel, which, however, was not perforated. Once the base of the vessel has been breached, the corium could pour on the bottom of the primary containment, usually made of a very thick layer of reinforced concrete (1–5 m). On contact, any water residing here would be vaporized, increasing the pressure inside the containment.
Today a “steam explosion” under these conditions (the sudden contact and physical interaction of high temperature corium with water on the containment bottom) is generally thought to be very unlikely and, perhaps, physically impossible, at least not of such a magnitude to cause the rupture of the containment. Contact between the corium and the containment concrete is, on the contrary, certain. The chemical–physical attack of the concrete itself with the consequent production of gases (even of explosive ones, such as carbon monoxide and hydrogen) raises the possibility of perforation of the containment wall. Gas production and combustion, and the continued production of heat from the corium will necessarily cause the pressure to increase within the containment up to its rupture value (2–4 times the design pressure), unless the perforation of the containment floor, due to the concrete attack by the corium, intervenes first. This typical scenario is the one foreseen under the extreme assumption of a lack of any intervention able to stop the progress of the accident in the time period from its inception up to the rupture of the containment (which is expected to happen after 20 hours to 5 days, depending on the specific characteristics of the plant). The time periods indicated here refer to a reactor which had operated continuously for a long time before the accident.

More than 400 civilian power reactors operate in the world today and they have altogether accumulated more than 10,000 reactor years of operation. The principal accidents which have occurred are the TMI accident (1979) and the Chernobyl accident (1986). The accident at the experimental Windscale reactor (1957, see Chapter 20: Operating Experience) is also an interesting reference for the study of the consequences of serious accidents.

The TMI accident (see Chapter 1: Introduction) was due to a relief valve on the pressurizer (indicated S in Fig. 3.1) remaining stuck open during a normal plant transient. The operators did not become aware for hours of this opening in the primary circuit because they had, from the available instrumentation, contrasting indications about the level of water in the circuit itself.
Indeed, the pressure and temperature instruments indicated that the water in the core was boiling, while the level instruments in the pressurizer indicated a primary circuit full of liquid. In deciding what to do, they made the wrong choice and believed the level instrumentation. Consequently, they blocked the emergency water injection systems which had been automatically actuated. The core overheated and partially melted. The releases were negligible from the health protection point of view because of the presence of an effective containment. The fact that TMI did not result in a public health catastrophe has to be ascribed to the defence in depth principle systematically adopted as Western safety practice. The concept provides multiple redundant and diverse barriers against radioactive releases, well beyond what could be thought strictly necessary. TMI showed that this principle offers protection against the unforeseen and the unknown possible events. Chernobyl, on the contrary, is an example of what can happen if a completely opposite principle is applied, that to do only what is necessary for safety. In RBMK reactors, like the Chernobyl reactor, the safety margins were not stringent enough. For example, the plant had a containment system for the primary circuit but it was only partial: the reactor itself, and in particular the fuel channel heads, were not included in it. The designers thought that it was sufficient only to install protective monitoring instrumentation. Fig. 3.4 shows the containment for a typical 900 MWt PWR and the Chernobyl reactor containment. In addition to the Chernobyl design deficiencies, there was evidence of human error and the voluntary violation of safety rules, both for production reasons and in the incorrect appreciation of the real danger. Chernobyl can, with good reason, be considered representative of the maximum possible accident to a power reactor. 
Unfortunately, the abundant information supplied by the designers does not allow us to conclude that the corrective measures adopted in other reactors of the same type (about 20) are sufficient to rule out the danger of another severe accident, possibly with different modalities. The accident, indeed, has highlighted a dangerous vulnerability of this type of reactor, which is generic in nature, and which is not specifically tied with the sequence of events that happened at Chernobyl in 1986. In particular, a weak point of the reactor is its upper closure plate, to which 1700 fuel channels and the CRs are fastened. There is no containment present above the plate: a major hazard during possible accidental internal overpressurization of the reactor.

FIGURE 3.4 Pressurized water reactor (PWR) containment and Chernobyl (RBMK 1000) containment (roughly to the same scale). [Panels: Chernobyl and PWR; labels: 60 m, light upper containment.]

Figs. 3.5 and 3.6 show the significant differences between the dynamics of the Chernobyl and the TMI accidents. Fig. 3.5 illustrates the crucial phase of the Chernobyl accident and shows how it essentially comprised an uncontained “explosion” of the reactor. Fig. 3.6 shows the damaged state of the TMI2 reactor core and vessel after the accident, and results from many years of research (OECD, 1993). As can be seen, in the case of TMI-2, and unlike Chernobyl, a slow “core melt” took place, without explosive phenomena and with the absence of intrinsic instabilities. The following, also derived after many studies, gives a quantitative measure of the sequence of events in the same accident:

• 0–100 minutes: Loss of coolant and core exposure;
• 100–174 minutes: Start of core damage;
• 174–180 minutes: Temporary operation of the primary pump;
• 180–224 minutes: Prolonged heating-up of core;
• 224–226 minutes: Displacement of core material; and
• 226 minutes: Stabilization of the debris.

FIGURE 3.5 The destruction of the Chernobyl reactor.

It is possible to classify the types of significant accidents on a scale of increasing severity and, on the basis of available data, assign to them orders of magnitude of releases and of probabilities (see Table 3.2).

The download file, DRYCORE (on this book’s Mendeley website, http://dx.doi.org/10.17632/4hc54vnzx6.2) provides some data and methodology for evaluations on a barely refrigerated or completely dry core. These methods help, for example, in evaluating the time to the start of melt down after shutdown of a core (or part of a core) without refrigeration.

FIGURE 3.6 The final configuration of the Three Mile Island core. Reproduced from OECD, 1993. The Three Mile Island Pressure Vessel Investigation Project: Achievements and Significant Results. OECD. [Labeled features: 2B inlet; 1A inlet; upper grid damage; cavity; loose core debris; crust; previously molten material; coating of previously molten material on bypass region interior surfaces; hole in baffle plate; ablated incore instrument guide; lower plenum debris; possible region depleted in uranium.]

Table 3.2 A Possible Classification of Accidents, Their External Releases and Their Probabilities (Current Reactors)

Types of Accident:
A—Maximum design basis accidents (DBA)
B—Maximum DBA (degraded safety systems) or accidents with partial core melt
C—Severe accidents with quick intervention
D—Severe accidents with delayed intervention
E—Severe accidents without intervention

Values, in the order in which they appear in the table:
131I Release Fractions: 10^-7–10^-5; Order of Magnitude of the Release (TBq): 0.3–30; Associated Probability Each Year: 10^-5, 10^-5–10^-6
131I Release Fractions: 10^-4–10^-3; Order of Magnitude of the Release (TBq): 300–3000; Associated Probability Each Year: 10^-6–10^-7
131I Release Fractions: 10^-2–10^-1; Order of Magnitude of the Release (TBq): 30,000–300,000; Associated Probability Each Year: 10^-8

3.3 FUTURE SAFETY SYSTEMS AND PLANT CONCEPTS

3.3.1 GENERAL REMARKS

The nuclear reactors now operating incorporate both passive and active safety features (see Chapter 3-3-1 General remarks). For example, reactors have a passive limitation of power excursions through a negative power coefficient of reactivity, which is, for most of them, the outcome of the early recognition that a power excursion might be difficult to limit in the presence of self-enhancing dynamic reactor features. In contrast, most reactor emergency cooling systems are active. The variety of solutions does not reflect a precise choice in the early days of nuclear power toward active or passive systems, rather it reflects the best choice for the designers of that time. Passive and intrinsic safety solutions were adopted when they were recognized as being effective and economically convenient. Moreover, the fundamental safety functions required in a nuclear reactor are limited to reactor shutdown, reactor and containment cooling, and containment of radiotoxic products. The most natural engineering solutions for these functions were in general adopted, with obvious variations, in all of the reactor designs developed.

With the passing of time, in-depth safety studies and data from operating experience both tended to widen the safety requirements beyond those originally devised. Plants became more complex and some of the passive safety features originally present tended to disappear. This is evident, for example, in containment cooling, which was originally entrusted to passive, natural mechanisms. The accidents at TMI and at Chernobyl, although, as discussed, different in many respects from one another, were equally rich in lessons in their applicable technical environment. Additionally, the integral safety studies of typical plants (see Section 1.2), starting with the Rasmussen study, caused the technical experts to completely rethink the safety approach hitherto followed. Now the design engineers and operators were convinced (or even more convinced) that accident prevention and mitigation in nuclear plants deserved very special attention: serious accidents could be avoided, but continued attention to safety in design and operation was warranted, including the consideration of important plant design alternatives.
Some facts, in particular, became even more evident than before: first, the potential importance of multiple failures in complex safety systems and second, the possible serious consequence of human errors. Hence, attention focused on passive safety systems and on inherent or intrinsic safety systems. These needed fewer auxiliary systems, they were simpler, with a lower number of parts which could potentially fail, and they did not require as much operator intervention as active systems.

“Passive” safety systems are defined as the operating safety features of structures and devices designed to counteract specific events without the reliance on mechanical and/or electrical power, forces or “intelligence” signals external to the same structures and devices (Lo Prato et al., 1990; IAEA, 1991). These features should rely only on natural laws and the properties of materials, and should not require any human action. Different degrees of passivity exist, for example, a safety system may operate without external power but may require some sort of active actuating signal. In this case, too, the system is deemed passive even if not to the full definition of the term. “Inherent” safety means the elimination of hazard by choice of material or design concept, for example, the elimination in a plant of any combustible material (if possible) would demonstrate inherent safety from the danger of fire.

In the last few years, a great deal has been discussed on the merits of passive and intrinsic safety. Although it is evident that a substantial research and development effort on simpler and less vulnerable nuclear plants is still warranted, it appears now more generally recognized that the best possible and safest plant, at this point in time, and one in which serious accidents can be avoided throughout all of its life, probably includes both active and passive features in an optimization perspective. Passive systems, although at first sight attractive for their simplicity, may have drawbacks (e.g., they are less powerful and slower in their action than their active counterparts). Moreover, their reliability is more difficult to evaluate.

Safety system development in the process (mainly chemical) industry is somewhat similar, where a number of TMI–Chernobyl-type events have occurred, for example, Flixborough, Seveso, Bhopal, and others. The Flixborough nylon plant accident in the United Kingdom (1974) was caused by an open-air explosion of a flammable gas released into the air. It killed the 28 plant employees present and caused extensive property damage in the surrounding area.
The failure to perform a full technical assessment of a modification was given as the main cause of the event. The Seveso pesticide plant accident in Italy (1976) is well known for the dangerous release of dioxin due to poor plant safety features and to the underestimation of the possibility of a runaway reaction. The Bhopal incident in India (1984), at another pesticide plant, killed an estimated 4000 (although the total number is still unknown). This disaster was attributed to too large an inventory of toxic substances and to very poor staff attention to the operability of safety features.

As in the nuclear arena, the process industry plant designs tended to grow bigger and bigger with time, becoming, therefore, more complicated and dangerous as a result of the large amounts of stored chemicals, and the need for complex modifications and operating procedures. The accidents initiated a rethinking period pointing to the study of “more inherently safe” plants. The wording chosen is indicative of the need to eliminate the wrong idea of a completely safe plant. The following two sections, respectively, explore some of the main ideas brought about by this rethink of safety in the nuclear and process industries.

3.3.2 SOME PASSIVE SAFETY SYSTEMS FOR NUCLEAR PLANTS

The passive systems and components discussed in the last few years range from complete reactor concepts to single components (Forsberg et al., 1989; Petrangeli, 1992). A rather arbitrary selection of a few of these proposals is presented in this section. These are all well-known concepts in the nuclear industry. Considered among the most interesting ones, these concepts are discussed here.

Passive plant reactors (e.g., the AP600W) are proposed future reactors that use the technology of current reactors, but include significant changes in plant design and layout also. Safety, in the event of an accident, depends on truly passive safety systems and on safety systems which are passive in operation although started up by a simple action such as valves opening.

In the AP600, a passive cooling containment system (PCCS) is provided to remove heat from the steel reactor containment (Petrangeli, 1992). The operation of the passive safety injection system following a LOCA results in steam released from the reactor core being passively condensed inside the containment. Steam condensation reduces containment pressure. In the first instance, the PCCS comprises a large tank above the containment structure that allows the drain of water by gravity on the outside of the steel containment vessel. Second, the opening of air dampers supplies natural circulation air cooling of the external surface of the steel containment. The air and evaporated water exhaust through an opening in the roof of the shield building. The PCCS is capable of removing the thermal energy following a DBA so that the containment pressure remains below the design value with no operator action required for (three) days. The PCCS is designed to reduce containment pressure to less than one half its design pressure within 24 hours following a LOCA. After three days, if there is no supply of water, the heat removal is assured by air alone with an increased pressure (up to about design pressure).

In NPPs, the containment is the final barrier that prevents radioactive release to the environment during accident events. Because of containment importance in mitigating the consequences of an accident, it is necessary not only to assess its integrity during an accident, but also to ensure that it is and stays leakproof after the accident has occurred. Typical allowable primary containment leakage rates lie in the range of 0.1%–1% of volume a day, but the operating experience sometimes has indicated “real-world” values above these allowable limits.
These are usually due to excessive valve or penetration leakage, valves or penetrations left open after testing, airlock failure, etc. Studies have been made on the following aspects:

• containment leak proofing enhancement (e.g., improved choice of valve types, reduction of the number of penetrations, and valves stems leakage reduction);
• the root causes of leak proofing degradation (e.g., debris reduction and deposition on valve seal surfaces and valves behavior under severe accidents);
• the concept of a secondary containment to reduce the primary containment releases by hold-up, deposition, filtration, elevated release (e.g., a secondary containment that envelopes possibly affected buildings equipped with filtration systems); and
• monitoring capabilities to detect preexisting openings in the containment boundary (e.g., monitoring nitrogen leaks in inert containments).

The advanced light water reactor (ALWR) passive plants use safety grade passive decay heat removal (PDHR) systems in order to enhance the capability (relative to current plants) of maintaining the plant in a safe shutdown condition following non-LOCA events. The approach developed for these systems is founded on meeting the following requirements:

• The PDHR system is used for both the hot stand-by and long-term core cooling modes. This system can operate at full reactor coolant system pressure and places the reactor in the long-term cooling mode immediately after shutdown.
• The operation in the long-term cooling mode is automatic.
• The operation of the system does not require any a.c. power, either onsite or offsite.
• The operation of the system does not require any pumps or valve operation once initial alignment is established.
• No make-up water is required for a period of at least three days following reactor shutdown.
• The systems are located entirely within containment.

The PDHR systems, however, do not have the ability to bring the plant to the cold shutdown conditions of 373K (100°C). This is inherent in the passive heat removal process itself because heat removal is accomplished by heat exchangers located within a pool of water, and the temperature on the reactor coolant side of the heat exchanger tubing will, by necessity, exceed the boiling point of water at normal pressure. Cold shutdown can be achieved by the reactor shutdown cooling system, proposed as a non safety-grade system. The AP600 PDHR system, for example, is designed to perform the following functions for non-LOCA events:

• The automatic actuation to provide reactor coolant and to prevent water release through the pressurizer safety valves.
• The removal of core decay heat assuming the steam generated in the in-containment refueling water storage tank (IRWST) is condensed on the containment vessel and returned by gravity into the IRWST. The PDHR should provide decay heat removal for at least 72 hours if no condensate is recovered.
• Cooling the reactor coolant system to 473K (200°C) in about 72 hours.
• Removal of core decay heat and reduction of reactor coolant system temperature and pressure, during a SG tube rupture event, equalizing primary pressure with SG pressure and terminating break flow, without overfilling the SG.

During the TMI accident, one of the strategies unsuccessfully tried by the operators to regain control of core cooling was to depressurize the reactor system. The reactor was not designed for that operation and the maneuver did not succeed. A reactor depressurization system would probably have helped. Moreover, even the initial PRAs did highlight the possibility of high pressure severe accident sequences for current light water reactors (LWRs). The idea then started to be studied of designing a depressurization system into LWRs. This was a new concept, especially in PWRs. Boiling water reactors had a relief system in order to cope with loss of condenser accidents.

In principle, a primary depressurization system has many advantages: its operation tends to create an immediate, yet temporary, reactor shutdown effect; it decreases the primary water temperature and favors core cooling; finally, it allows water to be supplied to the core either by high pressure injection systems or by low-pressure “jury-rigged” emergency systems (fire truck water, etc.). New passive LWRs incorporate a powerful depressurization system which allows emergency water injection to be made by gravity-driven (passive) arrangements. Moreover, the operation of the primary depressurization system also ensures that the reactor coolant system would be depressurized during a severe accident. Therefore violent ejection of molten core debris from a pressurized reactor coolant system is highly unlikely for the passive plant with a corresponding reduction in the potential for direct heating of the containment atmosphere. This is also applicable to the evolutionary LWRs; in fact Nuclear Regulatory Commission (NRC) staff has concluded (USNRC, 1990) that ALWR designs (evolutionary and passive) should include a depressurization system to preclude the ejection of molten core debris under high pressure from the reactor vessel. Nevertheless, the reactor coolant release to containment has the potential for adverse effects on in-containment equipment. Accordingly, the ALWR plants should be designed to minimize such adverse effects by ensuring that the frequency of inadvertent actuation is extremely low (2 × 10^-3 per year for passive plants, according to US Electric Power Research Institute requirements; EPRI, 1990) and ensuring that recovery from such inadvertent actuation is feasible without compromising plant availability for a long period (recovery within 30 days or less according to EPRI requirements).

As an example, a short description of the AP600 depressurization system follows. The AP1000 reactor, an upgrade of the AP600 reactor, already built in China and since 2018 in operation, has similar characteristics. In 2019 the fourth unit of AP1000 started operation in the same country. The AP600 automatic depressurization system comprises 16 valves divided into four depressurization stages. These valves are installed in the reactor coolant system at three different locations. The valves in the first three stages are connected to nozzles on top of the pressurizer. The fourth stage valves are connected to the hot leg of reactor coolant loop. The main actuating signals for each depressurization stage come from different level set points in the core make-up tanks (CMTs that provide high pressure make-up by gravity). When the CMT is going to deplete, the depressurization takes place to allow low-pressure injection from the IRWST by gravity. Moreover, the depressurization system, together with passive injection of borated water from the IRWST, could ensure safe shutdowns in the long term in case of ATWS if other active systems are not available for this purpose.

The design of hydraulic engineered safety features for LWRs has traditionally been performed according to high reliability and leak proof standards.
These systems are usually called into operation to protect the fuel barrier in the case of a loss of the primary system barrier. In addition, being strictly connected to the primary circuit pressure boundary, they have to be equipped with leak proof isolation devices, normally closed during plant operation.

Squib valves, initially used for applications in the space industry, have been considered very attractive for use in an advanced passive reactor. These valves are characterized by a no-leak capability and, once actuated, these are designed to maintain the open position. The inlet chamber of the valves is normally closed by a sealing cap. When the valve is actuated, an explosive initiator pushes a plunger that shears the cap off. This kind of actuation has been found to be very reliable from operational experience and qualification tests. These valves require very limited maintenance. In fact no periodic intervention, other than the substitution of the initiator, is necessary. There are additional benefits associated with their use in automatic depressurization systems relating to the possibility of providing a flow area larger than that traditionally obtained with standard safety relief valves. Such a large area is very important in passive reactors to depressurize the primary system at very low pressures, consistent with the operation of injection systems based on gravity. The installation of such valves in the core cooling injection system, in addition to the benefits associated with the leak proof characteristics, ensures, during normal operation, a pressure shielding function on the upstream check valves. Therefore these valves do not remain forced in the closed position for long periods, thus improving their reliability when called to open under a low differential pressure.

Density locks (or “hot–cold interfaces”) are passive devices which perform a similar function as normally closed valves during normal operating conditions. However, in case of transient or accident conditions, they allow cooling flow without the need of a power supply or the motion of mechanical parts. Density locks have been applied in the process inherent ultimate safety (PIUS) reactor concept (Forsberg et al., 1989). In this design, the reactor core is immersed in a large pool of pressurized, cold, borated water. The hot primary water and the cold pool water are in contact at two “hot–cold interfaces” (high and low elevation in the cooling circuit) where, during normal operation, substantial mixing is prevented by design details and by pump speed (head) adjustment, governed by the lower interface temperature. In case of uncontrolled accidents of any origin, the core will tend to overheat causing water boiling and a decrease of the hydrostatic head in the riser pipe above it, beyond the correction capability of the pump speed control system. Under these conditions, natural circulation between the cold pool, the core and the riser pipe will be established through the two “hot–cold interfaces” along an always-open natural circulation path. The pool of cold, borated water will then enter into the core and will shut the reactor down and remove the decay heat. In a certain sense, PIUS is based on the use of an essentially unstable cooling circuit, which needs active pump action to ensure stability during normal operation; in off-normal conditions, the system automatically switches to its stable condition which also is a safe shutdown condition. Density locks perform a fundamental role in PIUS ensuring core cooling during emergency conditions, and thus the potential for blockages caused by gas collection, material distortion, or plugging by detached insulating materials should be analyzed in depth. The density lock concept has been used in other new reactor schemes.
Fluidic diodes and vortex valves are passive devices whose use in future NPPs is currently under evaluation with reference to their potential use as check valves or actuation valves in safety-related systems.

Fluidic diodes, used in reprocessing plants and chemical industries, are one-way valves with no moving parts. They are characterized by a very high flow resistance in one direction with respect to the other. This characteristic allows them to be used as flow limiters to maintain core coolant boundary integrity in the case of a LOCA event. A potential application in a typical PWR system might be to install a fluidic diode on the reactor pressure vessel nozzle of the cold legs of the circuit to avoid reverse flow conditions following a pipe break. Due to the diode’s characteristics, instead of a massive release of coolant, only limited leaks would occur.

Vortex valves are “normally active/passive during emergency” devices designed to maintain a separation between environments normally operating at different pressures. This function is performed by the fluid movement provided by a normally operating pump. A potential application to NPP safety features is as actuation valves in case of transients or accidents. During normal operation the two environments remain isolated as the vortex valve functions as a standard isolation valve. Following a transient, the pump operation is interrupted and water flows from the environment at high pressure to that at low pressure.

Finally, a recently proposed containment system based on passive safety operation is the one described in Gianni Petrangeli (2013), Fig. 18.2 of Appendix 18.

3.3.3 INHERENTLY SAFE SYSTEMS IN THE PROCESS INDUSTRIES

In process industry plants, the concept of more inherently safe design is a recurring theme in the three reports of the Advisory Committee on Major Hazards (ACMH—set up in the United Kingdom after the Flixborough accident). These reports set the general principles of “new” process industry safety in the United Kingdom and they represent in their field what, for example, the IAEA “Safety Fundamentals” documents do in the nuclear industry. A full account of the developments of this concept is given in Lees (2012; Loss Prevention in the Process Industries), Kletz (1984), and UMIST (1982). The Loss Prevention Bulletin (published by the Institution of Chemical Engineers, England) is also a “must” for interested people. It is available in most technical libraries and a list of its main articles over the years is included in Lees (2012; Loss Prevention in the Process Industries).

The basic principles of inherently safer designs in the process industry are

• Intensification: namely carrying out the chemical reaction in a smaller volume in order to have a lower inventory of dangerous substances and smaller consequences of an accident.
• Substitution: of a dangerous process or substance, for example, a heat transfer medium with a less dangerous one.
• Attenuation: adoption of a less hazardous process condition, for example, a lower pressure in combination with the improvement of a catalyst.
• Simplicity: for example, designing a vessel or pipe for full overpressure instead of adopting a pressure-relief system. (As Henry Ford is supposed to have said, “What you don’t fit costs nothing and needs no maintenance.”)
• Operability: adoption of a process which can be easily controlled and adjusted to off-normal conditions.
• Fail-safe design: where the failure of the system leads directly to a safe condition.
• Second chance design: second line of defence.

Interesting examples of proposals in the process industry follow.

The first typical example concerns the manufacture of nitroglycerine. It has to be classified as an “intensification” of the process, namely the drastic reduction of the inventory of the dangerous substance. Nitroglycerine is manufactured by the reaction between glycerin and a mixture of concentrated nitric and sulfuric acids. The reaction is highly exothermic and the mixture has to be continuously cooled and stirred, otherwise a violent explosion may occur due to the uncontrolled decomposition of nitroglycerine. Originally the reaction was performed in batches using large (1 t) pots. The operator had to continuously monitor the temperature and check that stirring was effective. Since the reaction lasted a rather long time (hours) there was the danger of the operators falling asleep and, therefore, they used to work sitting on one-legged stools, as can be seen in historical pictures (Fig. 3.7). This kind of process continued to be used until 50 years ago with a number of casualties and complete plant losses. The same reaction is now obtained in a small injector where the acid jet entrains the correct amount of glycerin and, due to the turbulent mixing, the reaction time has been reduced down to minutes. The reaction is complete at the exit of the injector. The amount of nitroglycerine in the reactor is reduced to a few kilograms and the operators can be protected by a blast wall.

Another reaction, the adipic acid reaction (used in the manufacture of nylon), was previously performed in a huge reactor with external circuits for cooling. Today, it is carried out in a smaller integral vessel with internal cooling and agitation, and with a much smaller possibility for leaks.


FIGURE 3.7 Manufacture of nitroglycerine in old times.

A similar evolution has taken place in nuclear reactors which changed from external to internal recirculation units (or to integral proposals for future reactors). It is also worth mentioning the ICI’s Higee process, where the process of gravitational separation is enhanced by centrifugal forces in a rotating unit, with a consequent decrease in amount of substance in the separator.

Many examples are available concerning the substitution of one process with a less dangerous one. In a number of cases in the chemical industry the choice has to be made between the availability of a large storage of substances and the reduction of stored substances concurrent with the continuous production of them on site. In the first case, continuity of production is better assured but the risk attributable to the storage is present. The situation is reversed in the second case. The concept of inherent safety leans thinking toward the second choice. It has to be remembered that in the case of Bhopal, the situation was exacerbated because it had been decided to produce methyl isocyanate (MIC—the poison which was released in the accident) on site instead of importing it from another factory. However, the already existing huge MIC tanks continued to be used with the consequent risk. In the industry, subsequent major reductions of inventories have taken place on safety grounds brought about by new regulations concerning, in particular, hazardous substances such as ethylene oxide, propylene oxide, and sulfur trioxide.

Huge strides are being made in chemical industry safety, in areas that are of strong interest for nuclear plants as well (e.g., a reduction in the possibility of leaks from containments through the reduction in the number and the dimension of penetrations). The simplification of complex designs is also pursued by such measures as design for overpressure and design modification to avoid instrumentation. Simple cases of the latter are the use of suitable piping arrangements to avoid reverse flow and to provide for automatic sump voiding (high turns of pipe with antisiphon openings, self-priming siphons, etc.).

Concerning the “operability” concept in the previous list of principles of more inherently safe design in the process industry, it seems worth noting that, in the parallel field of nuclear plants, designers tend now to provide a longer “grace period” in case of mistakes or accidents (e.g., an increase of the water inventory in water reactors, and so on).

Speculative proposals for future process plants also exist. One of them considers the advantages of distributed manufacture of chemicals using miniaturized plants at the user’s site. Such plants would be more environmentally friendly and would deliver their products on a “just in time” basis. They should also be completely automated, highly reliable, self-cleaning, and sealed for life.

As is apparent from this section, in a number of instances the process industry has gone beyond the study phase and has adopted more inherently safe provisions. Safety experts in the process industry, however, complain that, as yet, not enough has been done (Kletz, 1984). Some of the restraints toward a higher level of inherent safety are

• the technical options available for the next plant are usually limited by time, so if major advances are to be made there has to be a “plant after next” design policy (namely, during the design stage of a plant there is not enough time to discuss and to develop alternative designs);
• the desire for certainty of production (if a new process or a new equipment is used, then unforeseen difficulties may cause trouble during start-up, perhaps delay, or prevent the achievement of design output or efficiency);
• the process licensing authorities are often on the side of tradition (possibly to prevent unforeseen snags and surprises);
• technical misconceptions (e.g., the belief that the reduction in the inventory of dangerous substances may render the control of the process more difficult);
• the organization of a company in business areas instead of in functional departments is not favorable to innovation because of the strong influence of the control of expenditures (i.e., ill-defined responsibility for design innovation by research departments or design departments).

It has been remarked that it is difficult to convince people close to the industry that there is a need to improve safety levels. Many (not all) are accustomed to think that hazard is inherent in the industry (which may be true to a certain extent) and it does not occur to them that in many cases it may be possible to reduce the risk and consequences of the hazards.³

As more extensively discussed in Chapter 8, The General Approach to the Safety of the Plant Site Complex (Criteria), we now need safer and cheaper nuclear plants.


ENDNOTES

1. An explosion of roughly 350 kg of hydrogen occurred during the TMI accident without any damage to the containment.

2. The TMI accident progressed up to the threshold of this event. A large quantity of molten and resolidified corium was indeed found on the bottom of the vessel which, however, was not perforated.

3. The following short story, attributed to a chemical engineer, demonstrates the similarity of thought between safety engineers in the nuclear and process industries. It is so enjoyable, I think that it deserves reproduction here. It has been slightly adapted from Kletz (1984).

The tiger and the treasure:

A king offered a challenge to three young men. Each young man would be put in a room with two doors. The young men could open either door they pleased. Behind one door was a hungry tiger, the fiercest and most cruel that could be procured, which would immediately tear them to pieces. But if they opened the other door, they would find a precious treasure. So I leave it to you, which door should they open?

The first young man refused to take the chance. He lived safe and died poor.

The second man hired risk assessment consultants. He collected all the available data on tiger populations and on ways to detect treasures. He brought in sophisticated technology to listen for growling of tigers and to detect metals and precious stone from some distance. He completed checklists. He developed a utility function and assessed his risk averseness. Finally, sensing that in a few more years he would be in no condition to enjoy the treasure anyway, he opened the optimal door. Some sources maintain that he was eaten by a low-probability tiger.

The third man took a course in tiger taming.

Is the optimal combination of the course of actions chosen by the two young men who opened the door very dissimilar from the Defence in Depth concept, well established as a foundation block of the nuclear safety? It seems not, and this seems to also be the conclusion of the chemical engineer who invented the story.

REFERENCES

EPRI, 1990. NP 6780, Advanced Light Water Reactor Utility Requirements Document.
Forsberg, C.W., et al., 1989. Proposed and Existing Passive and Inherent Safety-Related Structures, Systems and Components (Building Blocks) for Advanced Light Water Reactors. ORNL-6554, Oak Ridge National Laboratory.
IAEA, 1991. Safety-Related Terms for Advanced Nuclear Plants. IAEA TECDOC 626.
Kletz, T.A., 1984. Cheaper, Safer Plants or Wealth and Safety at Work? The Institution of Chemical Engineers, Rugby.
Lees, F.P., 2012. Loss Prevention in the Process Industries. Butterworth Heinemann, Oxford.
Lo Prato, E., Petrangeli, G., Tononi, R., Zaffiro, C., 1990. Terminology for Future Nuclear Power Plants. IAEA TECDOC 550.
OECD, 1993. The Three Mile Island Pressure Vessel Investigation Project: Achievements and Significant Results. OECD.
Petrangeli, G., 1992. Fifty years from the Fermi Pile. Proceedings of CIRTEN Safety Technologies and Safeguards 1992. Pisa University.
Petrangeli, G., 2013. Common sense considerations on nuclear safety today. Atoms for Peace 3 (4), 270–284.
Petrangeli, G., Sollima, C., 2008. Gamma Decay Heat Distribution in Core: A Known Issue Revisited, Science and Technology of Nuclear Installations (volume 2008). Article ID 796268.
UMIST, 1982. Inherently safe plant. Proceedings of Safety in the Chemical Industry 1982. University of Manchester Institute of Science and Technology.
USNRC, 1990. SECY 90.016 Evolutionary Light Water Reactor Certification Issues and Their Relationships to Current Regulatory Requirements.

FURTHER READING

US Code of Federal Regulations, 2004. Part 100: Reactor Site Criteria. US Government.

CHAPTER 4 THE CLASSIFICATION OF ACCIDENTS AND A DISCUSSION OF SOME EXAMPLES

4.1 CLASSIFICATION

Accidents are usually grouped as follows:

• Accidents of internal or external origin.
• Area accidents (fires, internal floods).
• Accidents of natural origin.
• Accidents of human origin (explosion of a tank near the plant, sabotage, etc.).
• Voluntary accidents (sabotage).
• Design basis accidents (DBAs), beyond DBAs, severe accidents (see Section 1.2 and Chapter 3: Safety Systems and Their Functions).

DBAs are usually subdivided into four categories:

• Operational transients.
• Moderate frequency sequences.
• Rare sequences.
• Limiting accidents.

The EUR criteria give an idea of the probabilities assigned to these accidents (see Appendix 6 on EUR criteria).

4.2 DESIGN BASIS ACCIDENTS

DBAs are those accidents chosen by the deterministic method or with the help of probabilistic considerations, in order to design all the plant systems, but particularly the safety ones. Some of the following considerations are of interest for DBAs and for the other accidents. Most of the quoted data are taken from examples of typical 1000 MWe pressurized plants.

Nuclear Safety. DOI: https://doi.org/10.1016/B978-0-12-818326-7.00004-4 © 2020 Elsevier Ltd. All rights reserved.

4.2.1 SOME IMPORTANT DATA FOR ACCIDENT ANALYSIS

4.2.1.1 Initial Conditions

• The core nominal power is usually increased by ±2% in order to take into account possible calorimetric errors.
• The average coolant temperature is taken as the nominal one ±2 °C due to measurement errors.
• The pressurizer pressure is varied by ±200 kPa (±2 bar) in order to take into account normal fluctuations and measurement errors.
• The initial values of the various parameters quoted are chosen in such a way as to minimize the initial departure from nucleate boiling ratio (DNBR—the power ratio margin from nucleate boiling, usually kept higher than 1.3 in normal operation and in ordinary transients).

The fast shutdown trigger levels and the corresponding time delays considered in the analyses (including errors) are of the order of magnitude indicated in Table 4.1 and Fig. 4.1.

Table 4.1 Fast Shutdown Signals and Corresponding Delays [Core Safety Limits, P = 15.51 MPa (2250 psig)]

| Origin of Fast Shutdown | Trigger Level in the Analyses | Time Delay (s) |
|---|---|---|
| High neutron flux | 118% | 0.5 |
| Core ΔT (excess temperature) | Automatically variable | 6 |
| Core ΔT (excess power) | Automatically variable | 6 |
| High pressurizer pressure | 16.65 MPa (normal 15.51 MPa) | 2 |
| Low pressurizer pressure | 12.31 MPa | 2 |
| Low recirculation flow | 87% | 1 |
| Turbine trip | | 1 |
| Low-low level in steam generator | | 2 |
| High level in steam generator, feedwater pumps stop, feedwater system valves shut-off, turbine trip | | 2 |

4.2.1.2 Doppler Coefficient

It is well recognized that the Doppler coefficient is one of the most important counter-reactions during reactivity excursions. The increase of the fuel temperature causes an increase in the amplitude of the uranium-238 neutron capture resonances and, therefore, a decrease in the core reactivity. In some transients, it is conservative to assume a most negative Doppler coefficient (when a higher power and temperature decrease is contrary to a conservative evaluation, e.g., for steel overcooling reasons) and in others (the majority), the opposite applies. Fig. 4.2 shows the curves for the two cases. According to the two curves, at practically zero initial power, an increase in power until 10% causes a reduction in reactivity ranging from −0.1% to −0.2%.

The Doppler coefficient varies with the fuel burn-up, that is with the operation time, becoming less negative (i.e., less effective as a safety counter-reaction) when the burn-up increases. In fact, with time, four phenomena cause a variation of the coefficient:

• The variation of the composition of the gap gases in the fuel rods (which includes helium at the start only, but then also fission gases); the conductivity of the gap decreases with increasing time and, therefore, the fuel tends to become hotter.
• The densification of the fuel pellets which tends to increase the gap with an effect similar to the preceding phenomenon.
• The increase in the content of plutonium-240 which shows strong resonance peaks for neutron capture in the thermal zone and the consequent magnification of the uranium-238 effect (which, on the contrary, tends to decrease).
• The deformation by mechanical creep of the claddings, which tends to decrease the gaps and, therefore, the Doppler effect.

FIGURE 4.1 Core safety limits (P = 15.51 MPa/2250 psig). [Plot of % power versus Tavg (K), showing the overpower trip, the overpower ΔT trip, the over-temperature ΔT trip, the operating point, the technical specifications safety limit, and the line at which the steam generator safety valves open.]

FIGURE 4.2 Doppler coefficient for transient analyses. [Plot of PCM per percent power versus percent power, showing the most negative and the least negative Doppler power coefficient.]

The last factor predominates over the others and, at the end of the core life, the Doppler coefficient is less effective. The two curves in Fig. 4.2, to be used for transient analysis, are the result of the fuel burn-up and the uncertainties of evaluation. As can be seen from the figure, the variation of power from 0% to 100% entails a variation of Doppler reactivity of the order of 1%–1.5%; this figure doesn’t include the effect of the variation of the moderator temperature, which is separately evaluated.

4.2.1.3 Coefficient of Moderator Temperature and of the Voids

The moderator temperature reactivity coefficient is also important for safety. In fact, when the moderator temperature increases, its density decreases and, as a consequence, the moderating effectiveness also decreases. This decrease causes an increase in the loss of neutrons from the core and an increase in the parasitic captures, so that the reactivity tends to decrease. As, however, PWRs adopt chemical shim, that is the control of reactivity through dissolution of boric acid in the reactor water, the presence of this neutron absorber decreases the safety effectiveness of the moderator temperature coefficient; in fact, if the temperature increases, the amount of boron contained in the reactor water decreases and consequently the reactivity increases. For this reason, when the boron concentration is high (start of life, cold conditions) the overall temperature coefficient of the reactor water may be positive. Additionally, it must be emphasized that, in any case, the power coefficient (which includes the Doppler effect) must always be negative. Figs. 4.3 and 4.4 show the behavior of the temperature reactivity coefficient of the reactor water.

4.2.1.4 Reactivity of the Boron Content

The content of boron in the cooling water is usually measured in parts per million (ppm). Generally, boric acid is used as the soluble boron compound: 1000 ppm of boron corresponds to about 0.6% of boric acid. The reactivity of the dissolved boron is equal to about 800–900 pcm per 100 ppm, therefore in an operating condition with 1000 ppm boron, the reactivity in the dissolved boron is roughly 8%–9%. The usual values of the boron content are 2000 ppm boron at start of life and in cold conditions, 1000 ppm in hot conditions and only some hundreds of parts per million at end of life and hot conditions.

It has to be remembered that boric acid may precipitate from the solution as various kinds of deposits (crud) which form on the inside primary system surfaces and especially on the hot surfaces of the fuel elements. Subsequently, in case of thermal or hydraulic transients, some of these deposits may peel off from the core giving rise to a reactivity transient. Over the years, no accidents due to this phenomenon have happened, notwithstanding the fact that the boron deposition on core surfaces has been observed and studied. The maximum reactivity which could be released can be evaluated to the order of 0.1% in half a second (Petrangeli, 1967).

FIGURE 4.3 Moderator temperature coefficient (start of life, no rods). [Plot of moderator temperature coefficient (PCM/°C) versus moderator temperature (K−273), with curves for 2000, 1500, 1000, 500, and 0 ppm boron.]

FIGURE 4.4 Moderator temperature coefficient (end of life). [Plot of moderator temperature coefficient (PCM/°C) versus moderator temperature (K−273), with curves labeled unrodded, rodded, 500 ppm, and 0 ppm.]

4.2.1.5 Reactivity of the Control Rods

The reactivity of the complex of control rods is typically of the order of 10%. The reactivity available for fast shutdown, however, depends on the position of the rods (e.g., rods are usually inserted under zero power and hot circuit conditions, but less often inserted under full power conditions), on the axial shape of the neutron flux and on the core burn-up. Moreover, in order to evaluate the reactivity available for a fast shutdown, the assumption is usually made that the most reactive rod stays stuck in its position (generally, it is considered completely extracted).

FIGURE 4.5 Integrated worth of a control rod (indicative). [Plot of reactivity (%) versus control rod position (percentage withdrawal).]

FIGURE 4.6 Start-up rate as a function of reactivity. [Log-log plot of reactivity (Δk/k * 10E-4) versus reactor start-up rate.]

Table 4.2 The Reactivity Balance of a Power Water Reactor

| Motivation | Reactivity (%) (Rods/Boron) |
|---|---|
| Cold shutdown (variation between hot and cold core) | 2 |
| Doppler | 2.2 |
| Xenon | 2.2 |
| Samarium | 0.8 |
| Operation margin | 0.8 |
| Fuel burn-up (life) | 9 |

Overall, the reactivity available for a fast shutdown typically ranges between 6% (under hot conditions and zero power conditions) and 9% (at full power). Theoretically, a single rod may reach a worth of 2% or more (as an example, a rod at the center of the core with all the other rods inserted, which increases the worth of the rod) but the reactivity corresponding to the ejection of any rod (one of the DBAs) is always kept below the “prompt reactivity” value (0.6%): typically a limit of 0.5% is adopted.

The integrated worth of a control rod has the shape shown in Fig. 4.5. Fig. 4.6 shows the typical trend of the start-up rate, expressed in decades of growth of the neutron flux per minute, as a function of reactivity. The relationship connecting the start-up rate to the period T (s) is:

$$\text{Start-up rate} = \frac{26}{T}\ \text{decades/min} \tag{4.1}$$
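The following added example (not from the book) goes beyond Eq. (4.1): it solves the inhour equation, which the text does not give, to obtain the stable period and start-up rate for a given positive reactivity, reproducing the kind of curve described for Fig. 4.6 and showing how sharply the period shortens once reactivity passes the prompt value. The six-group delayed-neutron constants for U-235 and the prompt-neutron generation time of 2e-5 s are assumptions of this example, not values from the text.

```python
import math

# Six-group delayed-neutron constants for thermal fission of U-235.
# Assumption of this example: standard textbook (Keepin) values, not from the text.
DECAY_CONSTANTS = (0.0124, 0.0305, 0.111, 0.301, 1.14, 3.01)      # lambda_i, 1/s
GROUP_FRACTIONS = (0.000215, 0.001424, 0.001274, 0.002568, 0.000748, 0.000273)
BETA = sum(GROUP_FRACTIONS)      # total delayed-neutron fraction, about 0.65%
GENERATION_TIME = 2.0e-5         # s, assumed prompt-neutron generation time

# A flux n(t) = n0 * exp(t / T) grows by 60 / (T * ln 10) decades per minute,
# which is where the constant 26 in Eq. (4.1) comes from.
DECADES_PER_MINUTE = 60.0 / math.log(10.0)


def reactivity_for(omega):
    """Inhour equation: reactivity (dk/k) that gives an inverse period omega (1/s)."""
    delayed = sum(b * omega / (omega + lam)
                  for b, lam in zip(GROUP_FRACTIONS, DECAY_CONSTANTS))
    return GENERATION_TIME * omega + delayed


def stable_period(rho):
    """Stable period T (s) for a positive step reactivity rho (dk/k)."""
    if rho <= 0.0:
        raise ValueError("only positive reactivity gives a positive stable period")
    lo, hi = 1e-12, 1e7          # bracket for omega = 1/T, in 1/s
    for _ in range(200):         # bisection in log space; reactivity_for is monotonic
        mid = math.sqrt(lo * hi)
        if reactivity_for(mid) < rho:
            lo = mid
        else:
            hi = mid
    return 1.0 / math.sqrt(lo * hi)


def start_up_rate(period_s):
    """Start-up rate in decades per minute for a period in seconds, as in Eq. (4.1)."""
    return DECADES_PER_MINUTE / period_s


def start_up_curve(reactivities):
    """Rows of (reactivity, period in s, start-up rate in decades/min, prompt critical?)."""
    rows = []
    for rho in reactivities:
        period = stable_period(rho)
        rows.append((rho, period, start_up_rate(period), rho >= BETA))
    return rows


if __name__ == "__main__":
    # Constructed sample points: from 1e-4 up to values on both sides of BETA.
    for rho, period, rate, prompt in start_up_curve([1e-4, 1e-3, 5e-3, 6e-3, 7e-3]):
        print(f"rho = {rho * 100:5.2f}%  T = {period:9.3f} s  "
              f"rate = {rate:9.2f} decades/min  prompt critical: {prompt}")
```

With these assumed constants, the period at the 0.5% rod ejection limit is of the order of a second, while a reactivity just above the delayed-neutron fraction gives a period of a few hundredths of a second.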

4.2.1.6 Reactivity of Fission Products (Xenon and Samarium)

Core reactivity is strongly influenced by the dynamic variation of the fission products as a consequence of the operational states of the core. Of course, the fission products accumulated in the core as a function of the fuel burn-up also have a strong influence on reactivity. Xenon-125 and samarium-149 are, in different ways, the most important nuclides in this context. Under stationary power operation conditions, the reactivity absorbed by xenon and samarium varies between 2% and 3%. However, after shutdown, the reactivity of xenon may increase many times showing the well-known peak at about 11 hours. The negative reactivity due to samarium increases asymptotically up to a few percent.

4.2.1.7 Reactivity Balance

Taking into account the above sections, the typical reactivity balance of a PWR could be similar to that shown in Table 4.2. The use of burnable poisons in the core to compensate for the burn-up reactivity of the fuel, normally adopted at least for the first cycle of the core, significantly reduces the need for compensating reactivity by soluble poison (Table 4.2 does not consider the use of burnable poisons).

4.2.2 EXAMPLE OF A CATEGORY 2 ACCIDENT: SPURIOUS OPENING OF A PRESSURIZER SAFETY VALVE

This scenario assumes that a pressurizer safety valve opens and stays open during the full power operation of the reactor. In the following, results are from studies made on a modern 1000-MWe reactor, but they can reasonably well apply to any PWR.

After the opening of the valve, the primary system starts to quickly depressurize while the mixture of water and steam contained in the pressurizer reaches the temperature and pressure conditions of the primary hot leg. The valve has a flow area of 27.9 cm² and the voiding of the pressurizer, for this opening, takes place in about 600 seconds. Approximate simple formulas for efflux flow rate are given in Appendices 11, A-11.6, A-11.7, A-11.8. Subsequently, the depressurization of the entire primary system continues following the trend shown in Fig. 4.7, where the curves obtained by the simple code ps.xls (available on the downloadable file “Primary System” on this book’s Mendeley website) are also shown (the pertinent calculation will be commented on later).

FIGURE 4.7 Spurious opening of a safety valve on the pressurizer: calculated primary system pressure trend. [Plot of primary pressure (10^5 Pa) versus time (s), with curves from the safety report, the ps.xls program (steam efflux), and the ps.xls program (homogeneous efflux).]

The reactor is shut down by the intervention of the low primary pressure signal at 10.93 MPa (abs) [109.3 bar (abs)]. The normal primary pressure from which the transient starts is 15.82 MPa (abs) [158.2 bar (abs)].

At a pressure of 10.93 MPa (abs), the safety injection system is automatically actuated, which starts to inject water in the primary system through the high-pressure pumps. Conservatively, it is assumed that one high-pressure injection pump only operates (single failure); the injection flow rate is initially equal to about 1200 kg/min (20 kg/s), increasing to 2700 kg/min (45 kg/s) when the primary pressure decreases to 5 MPa (abs) [50 bar (abs)]. Subsequently, as the primary pressure continues to decrease, the safety accumulators and the low-pressure injection pumps start operating.

During this accident scenario, the heat transfer from the fuel rods to the water does not usually reach the threshold of nucleate boiling, that is, the conditions of “film boiling” are not reached. In other words, the DNBR (or “burn-out” ratio) never goes below 1, with some safety margin.


In the transient described, the maximum fuel clad temperature is of the order of 843 K (570 °C), well below the limit of 1477 K (1204 °C) specified by the US regulations (US Code of Federal Regulations, 2004) universally followed in other countries. For interest, the other limits given in the above-mentioned regulations applicable to DBAs are listed here:

• Maximum oxidation of the cladding in the core: 17%.
• Less than 1% of the total clad metal consumed by the metal–water reaction that generates hydrogen.
• The core geometry variation due to thermal and mechanical effects (swelling due to creep, etc.) insufficient to prevent its ability to cool.

None of these limits are reached in this accident, weighting the scenario as lower among other DBAs. Throughout accident duration, when very soon the primary system saturation conditions are reached (after about 600 seconds), the average steam–water mixture quality in the primary system always stays at a very low level. Obviously, if, as at Three Mile Island, the safety injection was shut off, the accident would continue to the start of core melt and beyond.¹

4.2.3 EXAMPLE OF A CATEGORY 3 ACCIDENT: INSTANTANEOUS POWER LOSS TO ALL THE PRIMARY PUMPS

This scenario assumes that the accident starts at full power, then evolves through a number of stages concurrently with a progressive slowing down of the pumps. The initiating cause may only be the instantaneous loss of all the external electric power sources. The fast shutdown is quick (<2 seconds) and is actuated by the slowing down of the primary recirculation. The actuation signals vary according to design preference and they may comprise loss of pump speed, inadequacy of their electric power supply (voltage and frequency), and reduction of recirculation flow rate. The temperature of the primary water, as well as the primary pressure, initially tends to increase and subsequently to decrease after the reactor scram has operated a few seconds from the start of the accident. The heat loss from the secondary side occurs by steam dump to the atmosphere as the turbine generator combination stops on the scram signal. The condenser is lost if there is a total loss of electric power. The safety and steam dump valves open within seconds of the start of the accident.

During the first seconds of the transient, the greater risk is the reduction of the DNBR (its limit is generally 1.3) and fuel damage: the coast-down curve of the pumps’ flow rate, influenced by the pump flywheel inertia, can prevent this danger. A typical curve of the pumps’ coast-down is shown in Fig. 4.8.

FIGURE 4.8 Total loss of power supply to the pumps: coast-down of the flow rate. [Plot: recirculation flow rate (%) versus time (s).]

It is generally assumed that after half an hour the operators will regain the plant control and start a controlled cooling of it. This cooling down will generally be performed through the manual actuation of the high-pressure safety injection pumps and by controlling their flow rate by the actuation of the relevant control valves. At a certain point in this process, the automatic initiation of the safety injection system has to be prevented by changing the set points of the same automatic action. This initiation could have negative consequences (pressure). The pressure accumulators have to be disabled at the appropriate moment (when the pressure approaches the initiation value of roughly 4 MPa).

At the start of the accident, on sensing the low-voltage signal on the station auxiliary bus, the diesel generators automatically start and all the emergency loads are progressively connected to them (emergency safety features) as soon as each generator has reached its working voltage and frequency. In this scenario, it is assumed that no single failure aggravates the plant conditions, mainly because the most critical situation (DNBR) is reached within a few seconds from the start of the accident, that is, before the intervention of any safety system (except, naturally, for the reactor scram, for which the usual assumption of the worst stuck rod is made).

As far as modeling the decrease of flow rate with time after the loss of electric power is concerned, the codes used balance the momentum in each cooling circuit and in the core. This momentum balance is combined with the continuity equations, with the momentum balance of the pumps and with the pump characteristic curves. In these calculations the head losses are overestimated for the sake of conservatism.
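A reduced version of the momentum balance described above, as an added example (not the book's code and not one of the safety-analysis codes it mentions). It keeps only the pump rotor balance, assumes hydraulic braking torque proportional to speed squared and loop flow proportional to pump speed, and uses constructed pump data; `loss_factor` is a hypothetical parameter standing in for the conservative overestimate of head losses.

```python
"""Pump coast-down after loss of power: lumped rotor momentum balance.

Assumptions (not from the book): hydraulic braking torque scales with
speed squared, loop flow is proportional to pump speed, and fluid inertia
and bearing friction are neglected. All pump data below are constructed.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Pump:
    inertia: float            # kg*m^2, rotor plus flywheel
    omega0: float             # rad/s, rated speed
    torque0: float            # N*m, hydraulic torque at rated speed
    loss_factor: float = 1.0  # >1 overestimates head losses (conservative)

    @property
    def tau(self) -> float:
        """Time constant I*omega0/(k*T0); flow has halved at t = tau."""
        return self.inertia * self.omega0 / (self.loss_factor * self.torque0)


def flow_fraction(pump: Pump, t: float) -> float:
    """Closed-form solution of I*dw/dt = -k*T0*(w/w0)^2 with w(0) = w0."""
    return 1.0 / (1.0 + t / pump.tau)


def flow_fraction_rk4(pump: Pump, t_end: float, dt: float = 0.01) -> float:
    """Same balance integrated step by step with a fixed-step RK4 scheme."""
    def rate(x: float) -> float:          # x = w/w0, dimensionless speed
        return -x * x / pump.tau

    x, steps = 1.0, round(t_end / dt)
    for _ in range(steps):
        k1 = rate(x)
        k2 = rate(x + 0.5 * dt * k1)
        k3 = rate(x + 0.5 * dt * k2)
        k4 = rate(x + dt * k3)
        x += dt * (k1 + 2 * k2 + 2 * k3 + k4) / 6.0
    return x


def time_to_fraction(pump: Pump, fraction: float) -> float:
    """Seconds until flow drops to `fraction` of its initial value."""
    if not 0.0 < fraction <= 1.0:
        raise ValueError("fraction must be in (0, 1]")
    return pump.tau * (1.0 / fraction - 1.0)


# Constructed reference pump: tau = 3000*124/37200 = 10 s.
REFERENCE = Pump(inertia=3000.0, omega0=124.0, torque0=37200.0)
NO_FLYWHEEL = replace(REFERENCE, inertia=1000.0)      # lighter rotor
CONSERVATIVE = replace(REFERENCE, loss_factor=1.2)    # losses +20 %

if __name__ == "__main__":
    print(" t(s)  reference  no-flywheel  conservative")
    for t in (0, 1, 2, 5, 10, 20):
        print(f"{t:5d}  {flow_fraction(REFERENCE, t):9.3f}"
              f"  {flow_fraction(NO_FLYWHEEL, t):11.3f}"
              f"  {flow_fraction(CONSERVATIVE, t):12.3f}")
```

A shorter time constant (lighter rotor or higher assumed losses) leaves less flow in the first seconds, which is when the DNBR minimum is reached.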

4.2.4 EXAMPLE OF A CATEGORY 4 ACCIDENT: MAIN STEAM LINE BREAK

In this scenario, it is assumed that one of the outlet lines of a steam generator suddenly breaks. The concept of “leak before break,” which excludes the guillotine break of the large primary lines, cannot be applied to the steam lines because it is difficult to demonstrate that a steam leakage from a quasicritical crack can be detected in time with certainty. This accident, therefore, has to be considered less unlikely than a primary pipe break. According to the position of the rupture, to the initial reactor conditions and to the accompanying malfunctions assumed, a variety of accidents with different consequences arise. In general, however, the rapid voiding of the affected generator causes:

• a decrease of the primary temperature and, therefore, a significant increase of the core reactivity (the moderator temperature coefficient is usually negative), with a consequent increase of the neutron flux and possible overheating of the claddings and primary overpressure. In this regard, it should be remembered that, as a consequence of the usual assumption of the most reactive rod being stuck, the applicable peaking factors of the neutron flux are particularly high, although they are partly compensated by the increase in the void fraction near the extracted rod;
• the pressurization of the room where the rupture happens (container or nearby building);
• the release of radioactive products due to leakages from primary to secondary which, although small (of an order of magnitude of some kilograms per minute), must always be considered, exacerbated by the possible damage of the fuel during the violent transient following the break.

The accident is analyzed for various locations of the steam line break (anywhere along its length, e.g., before or after the isolation valve/s, inside or outside the container). Various initial operating conditions (full power or hot shutdown), as well as various additional malfunctions (loss of the external power supplies, highest worth control rod fully extracted, etc.) are possible. Some of these situations, in fact, are the worst for potential fuel damage, others for the primary overpressure or for external radiological consequences. In order to understand the various possible situations, the following facts have to be remembered:

• the isolation valves take several seconds to shut (conservatively, 10 seconds) and in this time a significant amount of water can leave the steam generators. It has to be assumed that this water is contaminated, because of the unavoidable leaks between primary and secondary systems during normal operation, and it has to be remembered in this connection that the primary system typically contains some thousands of Gigabecquerels of iodine-131 and that the secondary water contains only a few tens of Gigabecquerels of it;
• a flow limiter (Venturi tube) is usually installed at the exit of each steam generator. This reduces the equivalent efflux area to about one third of its real value;
• the injection of highly borated water (e.g., with 5000 ppm boron) by the high pressure injection system pumps has some tens of seconds delay after the corresponding actuation signal, due to the pumps’ inertia and to the water expulsion from the lines containing a lower boron concentration (e.g., 2000 ppm);
• besides the radioactive products present in the water from the start, during the transient an additional release from the fuel elements can happen if the DNBR goes below the safety limit (e.g., <1.3) (i.e., the release of the radioactive products contained in the gap between pellets and cladding, conservatively assumed equal to 10% of the total fuel rod inventory for volatile products, like noble gases, iodine, and cesium (USNRC Regulatory Guide 1.25, 1972)).

Depending on the particular characteristics of the reactor under consideration (e.g., volume of water in the primary and secondary systems, and in the pressurizer, the scram signals and line isolation signals adopted) the worst transient among the possible ones may vary. In general, the transients starting from zero power are considered the worst ones because the scram intervenes later, given the usual characteristics of the protection systems. Figs. 4.9–4.11 show the trends of some particularly significant quantities for some steam line break accidents. As can be seen, the accident causes a quick depressurization and temperature decrease in the primary system, with consequent significant thermal stresses in the structure. The containment pressure, too, may reach significant levels. The outside doses may be of the order of 1 Sv to the thyroid of an individual for a 2-hour exposure at the edge of the exclusion zone.

FIGURE 4.9 Main steam line break at full power with external electric power supply available: primary pressure as a function of time. [Plot: primary pressure (10⁵ Pa) versus time (s).]

FIGURE 4.10 Main steam line break at full power with external electric power available: core exit temperature. [Plot: exit temperature of primary coolant (K − 273) versus time (s).]

FIGURE 4.11 Main steam line break at full power inside the containment: containment pressure versus time. [Plot: containment pressure (10⁵ Pa) versus time (s).]

4.2.5 EXAMPLE OF A CATEGORY 4 ACCIDENT: SUDDEN EXPULSION OF A CONTROL ROD FROM THE CORE

This accident might happen if one of the control rod drive housings circumferentially breaks and is projected into the containment by the primary system pressure. In this scenario, the control rod drive and the control rod itself would be expelled (in a few hundredths of a second) and the rod would be completely and rapidly expelled from the core. This accident has been included in the DBAs since the early days of the peaceful use of nuclear energy. Relevant protection initially comprised:

• a procedure for the management of the control rods’ location in the core which limited the maximum reactivity connected with a control rod expulsion: these limits were established in such a way that the consequences of the expulsion on the fuel were not destructive (average enthalpy in the hottest point of the most endangered fuel rod <1.17 MJ/kg) (USNRC R.G. 1.77);
• the protection of the containment wall from possible perforation by the missile (control rod housing), usually implemented by a steel shield (centimeters thick) or by a concrete shield, located above the control rod housings complex.

At the start of the 1990s, several cases of through-wall cracks were found in French reactors (Bourgeois et al., 1996). Similar cracks were found in other reactors. These were attributed to stress-assisted corrosion of Inconel 600, the material used for the housings. A systematic replacement of all the pressure vessels’ heads was implemented, with substitution of Inconel 600 housings with Inconel 690 ones. Moreover, the leak detection systems were improved and a device capable of preventing the expulsion of the corresponding rod drive mechanism, in case of a break of the housing, was installed. Additionally, the most dangerous event since TMI occurred at the Davis-Besse power station in February 2002 (see Chapter 20).

In general, it is possible to ensure that the additional reactivity due to a control rod expulsion is of the order of 0.15% (but, in any case, well below 0.6%, which would originate a “prompt criticality”). The accident reactivity excursion is mitigated by the Doppler coefficient and is terminated by the reactor scram. Roughly 10% of the fuel can be damaged (DNBR <1) and the effective whole-body doses outside the plant may reach 10–20 mSv in two hours at the edge of the exclusion area. The releases from the plant are due to the leakages from the containment (assumed to be single containment type with ground release) and to those from the secondary steam dump and the leaks between the primary and secondary systems (some liters per minute). The containment pressure increases because of the release of primary liquid. The release from the secondary system is caused by the opening of the relief and safety valves. The reactor power in the transient may reach 200%–400% of the nominal power (the highest values correspond to zero initial power), obviously for very short times.

The analysis of this accident scenario is performed by suitable computer codes, capable of simulating the multidimensional neutron kinetics and the thermal-hydraulic behavior of the fuel and of the reactor cooling systems.

4.2.6 EXAMPLE OF A CATEGORY 4 ACCIDENT: BREAK OF THE LARGEST PIPE OF THE PRIMARY SYSTEM (LARGE LOCA)

Since the early days of nuclear power generation, this accident has been considered to be the most serious of the DBAs. It remains so to this day as it originates a large part of the specifications of the plant safety systems. Operating experience and probabilistic studies, however, indicate that the largest risk of severe accidents (more serious than the DBAs) comes from other accident sequences (e.g., small breaks). In particular, a break in a small instrumentation line in the vessel bottom is very dangerous: in fact, in this case, the primary system depressurizes rather slowly as the rupture allows liquid water to escape, while a large mass of coolant is lost. The safety injection systems might in some reactors not operate properly as the reactor pressure stays high (preventing the safety injection) while the coolant level in the core decreases, with consequent uncovering of the fuel elements and their overheating.

Very different is the case of a small break in the upper part of the primary system. In this case, in fact, steam exits from the break, the primary pressure tends to decrease rapidly and liquid water is forced to vaporize with consequent rapid cooling and decrease of the pressure. At low pressure, all the safety injection systems may operate, injecting water in the circuit and cooling the core.

In a large LOCA, a very rapid depressurization occurs and the primary circuit loses almost all the water (only a small part of it remains, at low temperature, on the vessel bottom) in 15–20 seconds. In the meantime the reactor shuts down (even if the power could initially increase slightly if the void coefficient is positive) and the safety injection, through the accumulators and then through the high and low pressure pumps, starts. The core is reflooded in some tens of seconds (when the fuel reaches its worst conditions in the transient); then the core cools steadily. The operators then initiate the long-term cooling procedure. The container is pressurized, but usually this is favorable to core reflooding. Therefore the calculation of the transient in the core is performed under conditions of minimum pressurization of the containment (indeed the minimum thinkable intervention of its cooling systems is assumed: e.g., of the spray system).

Table 4.3 shows the sequence of events for a typical accident of this type. Figs. 4.12–4.17 depict the important phenomena of the transient and show the critical parameters. The difficulty of keeping a high mixture level in the core is evident. The presence of a second clad temperature peak is a consequence of this fact (see Table 3.1 in Chapter 3: Safety Systems and Their Functions, for a list of typical external releases in this type of accident).


Table 4.3 Sequence of Events in a Large LOCA

Columns: Event; Time (s); Value

Event column, in the order listed: Break; Peak power; Pressurizer pressure at scram actuation and initiation of safety injection; Scram and safety injection signal; Accumulator discharge starts; Core reflood starts; Maximum secondary pressure; High-pressure safety injection start; Accumulator voiding; Low-pressure safety injection start; Clad temperature peak; Signal of actuation of recirculation from containment bottom.

Time (s) column, in the order listed: 0; 0.2; 10; 11; 15; 30.7; 5.4; 31; 78; 31; 300; 1500; 7000.

Value column, in the order listed: 114%; 10.9 MPa (abs); 4.1 MPa (abs); 8.4 MPa (abs); 1423 K.

FIGURE 4.12 Large LOCA: core power. [Plot: core power (normalized to 1) versus time (s).]

FIGURE 4.13 Large LOCA: containment pressure. [Plot: containment pressure (×10⁵ Pa) versus time (s).]

4.2.7 EXAMPLE OF A CATEGORY 4 ACCIDENT: FUEL HANDLING ACCIDENT

This accident is classified among the most serious of DBAs because, although it concerns only one fuel element, it may happen outside the containment, that is, in the fuel building, which is provided with a dynamic containment system (blowers and filters) that allows a certain amount of external releases. It is assumed that during the handling of a spent fuel element, it falls in the pool on the spent fuel elements rack. The element will be damaged and it is usually assumed that all the gap radioactive products (10% of the total volatile products of all the rods) are released. This assumption, like the others made in Regulatory Guide 1.25, is conservative and it is usually possible to demonstrate that no more than 30% of the rods are damaged. A decontamination factor of 100 is assumed for iodine in the pool water and a factor of 10 and of 1.5, respectively, for inorganic and organic iodine, in an activated carbon filter 5 cm thick. With these assumptions, the 2-hour effective whole-body dose at the edge of the exclusion zone may be of the order of 5 mSv, which is significant.

FIGURE 4.14 Large LOCA: mass of water supplied to core during reflooding. [Plot: mass of water supplied to core (kg) versus time (s).]

4.2.8 AREA ACCIDENTS

Accidents originating inside the plant but which affect the entire plant area are termed area accidents. In particular, these may be fires and internal floods, typically started by breaks in the service water system. The physical separation of redundant sections of plant protection systems is usually one of the fundamental defences against the consequences of these events. Operational experience indicates the possibility of rather peculiar accidents of this kind. For example, the complete loss of external electric supplies caused by a grass fire which was allowed to grow too much in the power station switchyard; the fire triggered the fire protection of the transformers, so electrically isolating the power station from outside. An accurate examination of the risks relevant to each specific plant may reveal all the possible accidents and suggest pertinent prevention/mitigation provisions. For fires, in particular, every regulatory system has issued guide criteria and requirements which, in general, necessitate the implementation of a complete fire protection program. This includes provisions for the separation of redundant safety systems, other prevention measures, antifire equipment, and operating procedures.

FIGURE 4.15 Large LOCA: mixture level in the core during reflood. [Plot: mixture level (m) versus time (s).]

4.3 BEYOND DESIGN BASIS ACCIDENTS

During the long debates on nuclear safety, the need arose to study some accidents which can neither be termed DBAs (because of their low probability) nor severe accidents (since they do not lead to severe core damage). They are dealt with using specific prevention and mitigation measures even if, because of their low probability, the corresponding margins of safety are rather smaller than those adopted for DBAs. The most important among these accidents are:

• transients without scram [anticipated transients without scram (ATWS)]; and
• total loss of external and internal electric power supplies (station blackout).

By analogy, the voluntary accidents of human origin are included here and dealt with in a similar way.

FIGURE 4.16 Large LOCA: heat transfer coefficient in the core (hot spot). [Plot: heat transfer coefficient in the core (1.16 W/m²s K) versus time (s).]

4.3.1 PLANT-ORIGINATED ACCIDENTS

As far as ATWS accidents are concerned, usually a duplicated and diversified fast shutdown system is required; see US Code of Federal Regulations (2006) and the EUR criteria (see the pertinent Appendix). The need to cope with a station blackout has shown the need to foresee the voluntary depressurization of the primary system with water injection by independent means. See the EUR criteria in Appendix 6 for a list of other accidents of this type.

4.3.2 ACCIDENTS DUE TO HUMAN VOLUNTARY ACTIONS

The spectrum of situations considered in the protection framework against these types of accident varies from country to country. Usually, in all cases protection is provided against malevolent intrusion in the plant by the use of access control measures. Other protections adopted are those against aeroplane crash and external impact, and those against pressure waves (see Chapter 17).

FIGURE 4.17 Large LOCA: clad peak temperature. [Plot: clad temperature (K − 273) versus time (s).]

4.4 EXTERNAL ACCIDENTS OF NATURAL ORIGIN

Chapters 15 and 16 discuss accidents resulting from earthquakes and tornadoes. Protection against floods has to be considered in the choice and the improvement of a site: usually, no possible flood water is permitted to reach the level of the station, whose elevation is frequently raised by an embankment. Obviously, the choice of a site includes the study of the possible collapse of nearby dams and of the consequent flood waves. Other possible events are much more specific in nature (oscillations of lakes due to earthquakes or to wind, sand storms, volcanic eruptions, etc.) and must be studied on the merits of the local conditions.


ENDNOTE

1. As discussed, the accident can be summarily studied also using simple calculation methods similar to the one included on this book’s Mendeley website. Given the limitations of the downloadable file PRIMARY SYSTEM (one volume only represents the primary system), only the phases when saturation conditions are present can be studied: this means that, if the initial transient of the pressurizer has to be simulated, up to the moment when saturation conditions are reached in the primary system (at about 600 seconds after the accident initiation), then the pressurizer has to be studied separately from the primary system, while, if the complex of the primary system has to be studied, this can be done only after the first 600 seconds. In Fig. 4.7, the pressure curves (dotted lines) obtained from ps.xls assume steam and homogeneous efflux. A better approximation could be obtained by subdividing the transient into phases, to which one or the other of the assumptions above would be applied, according to the estimated level of the water in the primary system. It is worth repeating, however, that simple codes like ps.xls are only suitable for a first orientation and for overall comparative evaluations. They are not suited for accurate studies of accidents.

The following lists the input data for ps.xls in the steam efflux case:

Ab = 27.9 cm²
As = 0 cm²
DP1 = 2
DP2 = 0.2
DT = 1 second
FL1 = 0
FL2 = 0
GS = 0 kg/s
HA = 49 kcal/kg
KA1 = 711 kcal/s
KA2 = 12 kcal/s
KQD = 1.45
Mp = 298,830 kg
P = 2871.3 MWt
P0 = 94 kg/cm²
PA1 = 40 kg/cm²
PA2 = 15 kg/cm²
QS = 0 kcal/s
TU0 = 600 seconds
TU1GS = 600 seconds
TU2GS = 6000 seconds
TU1QS = 0 seconds
TU2QS = 0 seconds
TUF = 6000 seconds
VA1 = 0 m³
VA2 = 675 m³
Vab = 463.3 m³
VAT1 = 118 m³
VAT2 = 1012 m³
Vp = 463.3 m³

Where the symbols have the following meanings: A1 and A2 are the intermediate pressure (~4 MPa) and low pressure (~1.5–2 MPa) accumulators, respectively; Ab is the area of the break in the primary system; As is the equivalent efflux area of the depressurization line; DP1 and DP2 are the pressure variations in each step, high (from about 0.2 to 0.5 MPa) and low (20–50 kPa), respectively; DT is the time increment in a calculation step; ECCS is the emergency core cooling system; FL1 and FL2 are useful “flags” for calculating efflux from the depressurized line and from the rupture, respectively; GS is the efflux flow rate from the ECCS system; HA is the accumulator and ECCS water enthalpy; KA1 and KA2 are the efflux coefficients from accumulators A1 and A2, respectively; KQD is the decay power multiplier (= 1.05 for ANS curve); Mp is the mass of water in the primary system (liquid and steam); P is the thermal power rating; PA1 and PA2 are the A1 and A2 accumulator pressures, respectively; TU0 is the start time of the transient; TU1GS and TU2GS are the start and shut-off times, respectively, of the ECCS system; TU1QS and TU2QS are the start and end times for heat exchange with steam generators; TUF is the end time of the calculated transient; VA1 and VA2 are the volumes of water in accumulators A1 and A2, respectively; Vab is the primary volume below the assumed rupture; VAT1 and VAT2 are the total volumes of accumulators A1 and A2, respectively; Vp is the primary system volume.

In the ps.xls calculation, the possibility of simulating heat exchange with steam generator water has not been used; indeed, since the depressurization is rather slow and the primary system is always nearly filled up with steam-water mixture, it is believed that the pressure behavior can be simulated using the assumption that all the steam generator water and the primary water will be mixed together. In order to implement this model, the initial mass of water has been assumed equal to that of the primary system (210,000 kg) plus that of the steam generators (80,000 kg). Consequently, the volume of the system has been adjusted on the initial assumption that all the water is in a liquid state. The decay power multiplier KQD has been chosen in such a way as to agree with the power curve used in the safety report (i.e., KQD = 1.45).

REFERENCES

Bourgeois, J., Tanguy, P., Cogné, F., Petit, J., 1996. La Surete Nucleaire en France et dans le Monde. Polytechnica, Paris.

Petrangeli, G., 1967. Factors involved in the evaluation of the maximum credible boron release from the core surfaces of a PWR with chemical shim, Euratom, EUR 3609 e.

US Code of Federal Regulations, 2004. Part 50.46: Acceptance criteria for emergency cooling systems for light water nuclear power reactors, US Government.

US Code of Federal Regulations, 2006. Part 50.62: Requirements for reduction of risk from ATWS; US Government.

USNRC Regulatory Guide 1.25, 1972. Assumptions used for evaluating the potential radiological consequences of a fuel handling accident in the fuel handling and storage facility for boiling and pressurized water reactors, 1972.

FURTHER READING

USNRC Regulatory Guide 1.77, Assumptions used for evaluating a control rod ejection accident for pressurized water reactors, 1974.

CHAPTER 5 SEVERE ACCIDENTS

5.1 EXISTING PLANTS

Severe accidents (Sehgal, 2011) are defined as those which entail at least an initial core damage, in many cases specified as the overcoming of the regulatory fuel limits, such as a temperature of 1473 K (1200 °C) in the fuel claddings. In the calculation of maximum cladding temperatures in core after shutdown, it is usually assumed that the decay heat power is distributed in the core as the fission power. This is not completely true since about one half of the decay heat is given by fission products and heavy particles and the other half by gamma rays. This last fraction of decay heat has, differently from the first part, the possibility of traveling some distance in the core before being absorbed and converted into heat power. This fact results in a calculated fuel cladding peak temperature significantly lower than the value calculated by the above usual assumption (Petrangeli and Sollima, 2008) and may allow a rewarding increase in the reactor power. I have received communication from ANS/Standards that this issue will be dealt with in depth in the forthcoming revision of the Standard ANSI/ANS-19.3.4-2002 (R 2017).

The need to consider severe accidents aside from Design Basis Accidents (DBAs) became apparent after the final edition of the Rasmussen report was issued in 1978, when it demonstrated that core melt could have a probability (of the order of 1 in 20,000 reactor-years) which was higher than that at the time rather implicitly estimated for the then worldwide reactor list (which was roughly 500 units). This probability figure indicated an expected core melt event every 40 years on the average. Since many reactors had at that time been operating for about 20 years, the outlook was not completely reassuring. It has, however, to be considered that the same Rasmussen report envisaged that only one in about 100 core melt events could cause severe health consequences (up to 10 casualties). In any case, the prevailing ideas of nuclear safety were not substantiated by these figures. Therefore responsible people started to think about the best way severe accidents could be prevented, or at least mitigated.

The Three Mile Island (TMI) event reinforced and confirmed this need for progress in nuclear safety. Although none of the Rasmussen report sequences replicated exactly the course of events in TMI, the report sequence TMLB was rather close to what happened there. TMI was certainly a severe accident, even if the degree of devastation suffered by the core was not clear from the start. TMI was a real shock for all in the nuclear industry. Many, dubious that the efforts made for nuclear safety were really needed, were indeed struck by the new evidence: human errors, communication defects among organizations, and insidious design weaknesses. That a core melt accident could happen and had happened was indeed a wake-up call!

Nuclear Safety. DOI: https://doi.org/10.1016/B978-0-12-818326-7.00005-6 © 2020 Elsevier Ltd. All rights reserved.


It is true that the foresighted adoption of Defence in Depth provisions at TMI prevented any casualties. It can be recalled that only 666 GBq (18 Ci) of iodine was released to the environment, with a correspondingly minute virtual dose at the fence of 0.8 mSv. Besides the post-TMI plant improvement programs (prevention), which cost millions of dollars for each plant, in the Western countries investigations were started on what else could reasonably be done to the plants with the goal of stopping the progression of an impending severe accident or of mitigating its consequences. Since then, the studies and the programmed and implemented provisions against severe accidents have been assigned to three consecutive phases of action.

In the first phase, soon after TMI, mitigation measures against the “certain” consequences of a core melt (the slow overpressurization of the containment up to its burst and the attack of the containment bottom by the molten core deposited there after reactor vessel perforation) were implemented. For the protection of the containment against overpressure (caused by burning of hydrogen gas which would definitely be produced), procedures for the more or less filtered venting of it were adopted (filtered venting), as it was considered preferable to release some radioactive gases rather than risk bursting the containment. For the protection of the containment bottom, plant-specific procedures were adopted, generally consisting of additional passive protective means and bottom-flooding procedures. As already mentioned, in this first phase, only the “certain” consequences of a core melt were considered. Theoretically possible but less well known (and, in any case, low probability) phenomena (like steam explosions due to the contact of a molten core with water, of such high intensity as to be able to threaten the integrity of the containment) were left out.
In the second phase, lasting from about 1982 to about 1985, studies of severe accident prevention and mitigation were more systematic. Additional probabilistic studies were performed and mechanistic models, more elaborate than the Rasmussen report ones, were developed (Sehgal, 2011). This work, in particular, indicated which phenomena, besides the above-mentioned “certain” ones, were important for risk reduction. They are briefly listed in the following (which also includes the “certain” ones):

• Slow containment overpressurization.
• Scenarios of core melt with high primary pressure: direct containment heating (DCH—due to the violent expulsion of part of the molten core from the vessel and to its fragmentation in the atmosphere with consequent combustion and heat production) and destructive forces on the vessel (due to the expulsion of molten material from the vessel at high pressure).
• Lack of leak proofing of the containment systems: containment bypass sequences (the V sequences of Rasmussen) and presence of leaks higher than the design values in the containment, either because of defects which existed before the accident (preexisting openings) or because of the actions of the aggressive containment environment (pressure, temperature, aggressive and heat generating aerosols, radiations).
• Destructive reactivity accidents due to accidental expulsion of control rods or to control rod melting before fuel melting during a severe accident.
• Destructive steam explosions either inside or outside the reactor vessel.
• Destructive hydrogen explosions.
• Attack of the containment bottom by molten masses and lack of coolability of core debris.

The studies of this period led to a definition of severe accident protection criteria (see Section 1.2 and Chapter 18: Nuclear Safety Criteria) similar to those already in force in Italy and to those developed in Sweden. In Italy, it was thought possible to provide a defence against severe accidents by accident management provisions and by some reasonable plant modification, up to the point of limiting iodine and caesium releases to 0.1% with a probability higher than 95% in the case of core melt (conditioned probability). The absolute probability of this release would be lower than the product of the core melt probability and 0.05 (= 1 − 0.95). The releases of other elements were defined on the basis of their “propensity” to external release, according to the mechanistic models and the then available data. This period of time is also characterized by some new scientific views on some phenomena of interest, which were somewhat different from those prevailing (e.g., enhanced importance of the release of iodine as a compound with caesium, and the enhanced importance of aerosols) and by some characteristic technical choices (huge filtered venting systems, such as the Swedish FILTRA, see Figs. 5.1 and 5.2, installed on the Bärsebeck reactor).

The third phase of the studies on severe accidents started after Chernobyl. This terrible accident taught the industry that even a small contamination risk, like the one which affected Western Europe as a consequence of the accident, may generate panic in the population and turn public opinion against nuclear energy power generation. Therefore the third phase of the studies on severe accidents is characterized by release restrictions even more stringent than those taken as a reference in the second phase: in practice, many countries, especially European ones, strive for severe accident releases so small that population evacuation and land decontamination measures can be eliminated or reduced to a very low level, at least for health reasons (leaving aside possible needs for psychological well-being of the population). This, in particular, is the position taken by France, by Germany and, at the appropriate time, by Italy. Now, reference levels of 1–10 TBq of caesium should be reached (the second phase reference releases of the above-mentioned studies were 0.1% iodine and caesium, corresponding to about 160 TBq of caesium). Therefore this change of position corresponds to a reduction factor of about 100! In order to comply with this stringent goal, it is understandable that attention has been mainly switched to future reactors which now include substantial design modifications. Moreover, the importance of a “perfectly” leak-proof containment in case of severe accident is now clear. Another tendency consolidated in the third phase is the use, when possible and advantageous, of plant solutions based on “intrinsic” or “passive” safety.

5.2 FUTURE PLANTS: EXTREME AND PRACTICABLE SOLUTIONS

The ability to choose between extreme solutions and simpler, more easily implemented, solutions is hindered by the uncertainty still present in our knowledge of some key phenomena in the field of severe accidents listed in the preceding section. The practical feasibility of the studied solutions must always take account of inherent drawbacks compromising safety itself (in many cases a safety provision adopted with certain situations in mind is detrimental in other conditions) and cost (which, if excessive, could put a plant out of the market). Among the extreme solutions imagined are the following:

• A super-strong pressure containment, passively cooled in order to sustain without failure slow overpressurizations, hydrogen detonations, and overpressurizations from DCH. As an alternative, the containment arrangement described in Chapter 18, Nuclear Safety Criteria (Section 18.6) can be considered. (The plant with a containment not designed for extreme external impacts is surrounded by an “open” cylindrical containment that resists such impacts.)
• A structural cage around the vessel resistant to the burst of the vessel itself (destructive steam explosion, destructive reactivity accident) or to jet force caused by its perforation in conditions of high pressure in the primary system (the energies involved are illustrated in Fig. 5.3).
• A “core catcher” to contain the molten core, as a protection for the bottom of the containment.

FIGURE 5.1 Schematic of the FILTRA system. [Figure labels: from containment; to stack; 40 m.]

FIGURE 5.2 FILTRA on site.

Fig. 5.4 shows one of these extreme approaches studied by the KfK Karlsruhe Nuclear Research Centre. Appendix 15 on Safety Cage shows an example of dimensioning a solution of the “extreme” type, with the objective of listing the orders of magnitude of the dimensions and of the provisions required.

“Practicable” solutions have been the subject of an international study promoted by Italy (Petrangeli et al., 1995; Theofanous and Corradini, 1995). In order to give an idea of the solutions suggested in this study, the following summary is given which relates to one of the two reactors taken as a reference: the AP600 design equipped with a passive pressurized reactor.

A first cornerstone of the defence strategy, already incorporated in the AP600 design, is the voluntary depressurization of the primary system in case of the danger of inadequate core cooling. A feature of this type was proposed and thoroughly studied for the first time at the start of the 1980s for pressurized reactors (see Appendix 10 on Primary Depressurization Systems). The primary depressurization eliminates at the source all the severe accident sequences with a pressurized primary system (i.e., DCH, destructive reaction forces due to perforation of the vessel, etc.). Moreover, in case of malfunction of the high-pressure cooling systems, it allows the cooling of the core by intermediate pressure accumulators and low-pressure systems.

A second cornerstone of the proposed defence strategy is the voluntary flooding of the reactor cavity and the cooling of the molten core inside the vessel. The final proof that this measure is effective for all plant sizes, including the largest (1300 MWe) does not yet exist. The expectations are, however, good at least up to 1000 MWe and studies are underway.

The problem of the high leak-proof level of the containment would be tackled by the reduction of the number and of the size of the penetrations, by the collection of the leaks in closed rooms with discharge to the stack, by continually monitoring for excessive leaks (at least in the containment configuration pertinent to operation conditions) and by the pressurization (or flooding or draining) of the space between the two seals of each penetration after the accident.

FIGURE 5.3 Possible partition of energy associated with a steam explosion in the vessel. [Figure labels: molten core, 2 GJ expl.; 700 MJ kin. energy; energy dissipation: 1–260 MJ (barrel), 2–150 MJ (pipes), 3–70 MJ (upper internals), 4–70 MJ (bolts); total missile mass: 200 t; kinetic energy of missile: 150 MJ.]

FIGURE 5.4 Conceptual scheme of a composite containment for a power water reactor (internal steel shell and external structure in reinforced concrete; from J. Eibl). Courtesy Forschungszentrum, Karlsruhe, Germany. [Figure labels: reinforced concrete (200 cm); double containment, 100 cm; steel shell (38 mm); safety cage; natural convection cooling; core melt cooling device; 65 m; Section A–A.]

The probability of destructive reactivity accidents is considered negligible, but an uncertainty remains for up to 1 hour between the melting of the control rods and the fuel melting in the core. The situation might be more critical for a Boiling Water Reactor (BWR) where the reflooding of the core would be performed by fresh water, not containing any neutron poison.

5.3 SEVERE ACCIDENT MANAGEMENT: THE PRESENT STATE OF STUDIES AND IMPLEMENTATIONS

A Nuclear Energy Agency report (NEA, 1995) contains the summary and conclusions of an international specialist meeting on the implementations of severe accident management, in the framework of an Organisation for Economic Cooperation and Development (OECD) activity lasting many years on the subject of accident management. The document makes clear that, at last, an international consensus exists on intervention measures applicable to water reactors, such as the following: the injection of water in a damaged core, the cooling of the containment and the need to provide reserve systems for the emergency electric power supply. The troubles in reaching this agreement demonstrate the degree of difficulty in the technical problems of the severe accidents: every intervention can, here more than in other cases, result in a counter-productive action (e.g., the water on the core provides the necessary cooling but may enhance the metal–water reaction; containment cooling will condense the steam and may thereby de-inert the already present hydrogen). The degree of knowledge is not yet complete in this area, for example, the cooling mechanisms of the “core on the floor” are not yet known to the desired degree. However, the uncertainties are not such as to prevent definite action in the field of accident management which leans essentially on the optimization of the accident management procedures (IAEA, SSG-54).

5.4 DATA ON SEVERE ACCIDENTS

Table 5.1 shows some data which can be useful in performing order of magnitude evaluations on phenomena connected with severe accidents. The transfer of scientific knowledge on phenomena into actions and procedures is a difficult process (see the above quoted case of the pouring of water on a degraded core): research still plays an important part in the implementation of accident management. Moreover, additional work is needed in the field of severe accident management under low power or shutdown conditions.

5.5 DESCRIPTIONS OF SOME TYPICAL ACCIDENT SEQUENCES

The following describes some typical severe accident sequences for a PWR. The nomenclature, the choice of the critical sequences, and the descriptions made by the US Nuclear Industry Degraded Core Rule Making (IDCOR) program (IDCOR, 1984) are adhered to in line with a general illustration of the trend of the phenomena. As far as the quoted numerical figures are concerned, other studies may differ in some degree. The plant considered by IDCOR is ZION, a typical PWR. Table 5.2 gives a summary of the events with the most significant external releases, and the consequences.

5.5.1 LOSS OF STATION ELECTRIC POWER SUPPLY (TE = TRANSIENT + LOSS OF ELECTRICAL SUPPLY)

This sequence is caused by a loss of all the external electric supplies of the power station with subsequent loss of all the sources of alternate emergency electric power. Scram follows, then the coast-down of the pumps starts and the loss of the auxiliary feedwater to the steam generators takes place. Under these conditions, no core cooling system is available, except the passive pressure accumulators. The containment engineered safeguards are not available, either. This sequence could be considered similar to that at TMI, although here the lack of some essential safeguards is due to the loss of electric power and not to an erroneous diagnosis of the situation by the operators.

Table 5.1 Severe Accident Data (Indicative Figures)

| Quantity | Value |
|---|---|
| Production of hydrogen per kilogram of zirconium | 44.4 g |
| Zircaloy in a 600 MWe PWR reactor | 19,000 kg |
| Structural steel in the core | 29,000 kg |
| Hydrogen combustion heat | 121 MJ/kg (57.8 kcal/mole) |
| Heat developed in the metal–water reaction | Zr: 6.7 MJ/kg; Fe: 0.4 MJ/kg |
| Penetration velocity of a molten core in the containment floor | Siliceous concrete: 0.0001 m/s (40 cm/h); limestone concrete: 0.00005 m/s (20 cm/h) |
| Gas generated by the attack of floor by a molten core | Siliceous concrete: 0.07 kg_H2O/kg_calc; limestone concrete: 0.26 kg_CO2/kg_calc + 0.065 kg_H2O/kg_calc |
| Limit power for coolability of a molten core on the floor | 0.02 m2/MWt (MWt of the core at full power) |
| Total mass of molten fuel and structural materials (corium) in a ~1000 MWe PWR | 110 t (incl. 61 t UO2 + 19 t Zr + 29 t stainless steel) |
| Maximum theoretical energy of a steam explosion | 1 MJ/kg corium |
| Theoretical total energy | 110,000 MJ |
| Mass of molten core which may reasonably react with water | 10% |
| Assumed mechanical efficiency of the steam explosion | 2%–15% (probable value 4%–5%) |
| Assumed maximum pressure (for steam explosion) in the vessel cavity | ~10 MPa (~100 bar) |
| Exit velocity of a “corium” jet from a hole in the bottom of the vessel for an internal pressure of 15 MPa (150 bar) | 60 m/s |
| Minimum primary pressure for which DCH is possible | ~2 MPa (20 bar) |
| Maximum thermal energy released in a very serious reactivity accident (AP600) | 80,000 MJ |
| Maximum mechanical energy released in a very serious reactivity accident (AP600) | 80,000 MJ × 10% fragmented fuel × 3% (efficiency) = 240 MJ |
| Pressure generated in a containment (AP600) by detonation of H2 at 13% without steam starting from 150 kPa (1.5 bar) | 2.9 MPa (29 bar) (duration 13 ms) |
| Bursting pressure of a containment in quasistatic conditions | 2–4 pd (pd = design pressure) |
| Removal coefficient for released iodine and caesium in the ground after penetration of the containment floor (collapse mode ε of the Rasmussen report) | ~100 |

Table 5.2 Events and Consequences of Some Significant Sequences (Sequences With the Most Significant External Releases)

| | TE = Transient + Loss of Electric Power | SE = Small LOCA + Loss of Electric Power | V = Interfacing Systems LOCA |
|---|---|---|---|
| Probability for reactor-year | 2E−7 | 6E−6 | 1E−7 |
| Uncovering of the top of the core (h) | 2.3 | 2.2 | 20 |
| Start of melting (h) | 3.1 | 3 | 23 |
| Vessel break (h) | 4 | 3.8 | 26 |
| Containment break due to overpressure (h) | 32 | 32 | |
| Start of radioactive products release (h) | 32 | 32 | 24 |
| Release fractions of radioactive products: Xe–Kr | 1 | 1 | 1 |
| I–Br | 2E−3 | 2E−3 | 8E−5 |
| Cs–Rb | 2E−3 | 2E−3 | 8E−5 |
| Te–Sb | 2E−5 | 2E−5 | 8E−5 |
| Sr–Ba | <1E−5 | <1E−5 | 5E−5 |
| Ru–Mo | <1E−5 | <1E−5 | <1E−5 |
| External consequences: prompt casualties | 0 | 0 | 0 |
| Immediate physical damage | 0 | 0 | 0 |
| Late tumors index (fractional increase of cases beyond normal occurrence within 80 km from the plant and within 30 years from the accident) | 1E−4 | 1E−4 | 2E−5 |
| External costs (10^6 US$) | 700 | 70 | 60 |
| Whole body dose (man Sv) | 8E3 | 8E3 | 9E2 |

LOCA, Loss of Coolant Accident.

From a thermohydraulic point of view, the steam generators eliminate heat at the start, but afterwards their water reserve finishes. The primary pressure increases because of decay heat up to the point where the pressurizer relief valves (PORV) open. The primary system loses water through the PORV up to the point where the core starts to uncover. After that, the additional heat produced by the metal–water reaction increases the steam production rate. When a significant part of the core is molten, its support plate fails and the “corium” enters the lower plenum of the vessel. The possibility of a steam explosion is negligible. It is then assumed that the vessel fails at a weld of one of the lower head penetrations and that, therefore, the corium is released at high pressure, together with hydrogen and water, into the reactor cavity. The molten core migrates, through the instrumentation tunnel, on the floor of the lower compartment of the containment. The residual vessel water flows (including the water supplied by the passive accumulators) in the same space. The corium continues to flow in the cavity because the core continues to melt. Here, too, the probability of a steam explosion is considered negligible. It is estimated that the water in the cavity completely vaporizes in about 9 hours, that the corium again reaches the concrete melting temperature after about 1 hour and that at this point the erosive attack of the bottom starts. Hydrogen is produced by the interaction of corium with the concrete and it partially burns until the temperature is reached where a global combustion initiated by the corium takes place. Hydrogen and the other noncondensing gases generated by the concrete–molten core reaction slowly pressurize the containment which is assumed to burst (at a pressure of about 2.9 times the design value) 32 hours after the start of the accident.

As far as the behavior of the radioactive products of the core is concerned, almost all the volatile ones are released in the upper plenum before the vessel rupture. The remainder is deposited in the cooling circuits and in the steam generators. After the vessel bursts, a small part of the radioactive products enters the cavity and is swept away in the containment compartments where it is deposited on the various horizontal surfaces and adheres on the vertical ones due to condensation of steam. The material deposited in the upper plenum and in the circuits heats the structures up, vaporizes again, and is deposited in the high parts of the circuits and in the vessel down-comer, where it is effectively trapped, dissipating the generated heat through the thermal insulation toward the containment. At the moment of the containment failure, vapors escape from the primary system toward the containment, because of the depressurization, and hence toward the environment.

The external consequences are not disastrous. No quick casualties are envisaged and late developing cancers are few (with reference to the natural occurrences): about 0.5% of the natural occurrence in a radius of 80 km from the plant. In this evaluation a reasonable implementation of the existing emergency plan is assumed.

As far as possible effects of operator actions are concerned, if electric power is recovered before the core is uncovered, cooling is reestablished and the accident is terminated without damage, or with only modest damage, to the core. The operator also has to open the PORV in order to decrease the pressure in the primary system and to allow the use of the low-pressure injection pumps for cooling the core. If the power is recovered after vessel break, the containment spray system will flood the cavity and consequently bring the destructive processes of the accident to an end.

5.5.2 LOSS OF ELECTRIC POWER WITH LOSS OF COOLANT ACCIDENT (LOCA) FROM THE PUMP SEALS (SE = SMALL LOCA + LOSS OF ELECTRIC POWER)

The assumption here is that, as a consequence of the total loss of electric power and with a delay of about 45 minutes, the pumps’ seals are damaged because of the loss of the cooling system. This sequence of events and the consequences are very similar to the preceding scenario (Section 5.5.1). In this case no safety valve opening takes place because the pressure is kept low by the efflux through the pumps’ seals.

5.5.3 INTERFACING SYSTEMS LOCA (V)

This sequence is caused by the break of the two double-disk valves between the primary system and the residual heat removal (RHR) system. The release of high-pressure water in the low-pressure pipe causes the seals in the RHR pumps to break, discharging water into the pump room (auxiliary building). The following systems are assumed to be operational: the auxiliary feedwater system, the relief valves of the steam generators and one train of the high-pressure injection system. The accumulators are available, as well as the containment cooling system. It is assumed that the operator manually blocks the reactor pumps at the start of the emergency core cooling system (ECCS). The start-up of ECCS ensures core cooling until, at 6 hours into the accident, the water tank (RWST) for the fuel-handling pools empties. The core remains covered for 20 hours because of the reflux refrigeration in the steam generators and the operation of the auxiliary feedwater. A large amount of steam is released in the auxiliary building during this period. After 20 hours the core starts to uncover and overheats, zircaloy is oxidized and subsequently the fuel starts to melt. Steam is continuously released in the auxiliary building, the core drops down in the vessel lower plenum and the vessel itself is perforated at about 26 hours. The discharge of corium into the cavity causes a quick attack of the concrete in the absence of water. Gases are evolved and released in the auxiliary building through the primary system. During discharge of gases and vapors in the auxiliary system, a simultaneous transport of radioactive products takes place; these products finally deposit on interior surfaces because of the continuous condensation of steam. It is estimated that the percentages released to the outside are rather small and the external consequences are negligible. No short-term casualties result and only an increase of a fraction per ten thousand of the natural occurrence of tumors in the surrounding zone is estimated.

Procedures have, moreover, been studied to further mitigate the consequences of the accident by the intervention of operators. The first is based on keeping the RHR pumps submerged by flooding their room by the use of fire-fighting hoses routed through the stairs. In this way the wash down of fission products is increased and their release is decreased. The second technique, even more effective, is based on preserving core cooling through

• the RWST tank;
• the boric acid mixer;
• the fuel pool;
• portable pipes and hoses;
• a jury-rigged sump pump to take water from the bottom of the RHR pumps’ room and make it available again for injection in the reactor by the ECCS system.

5.5.4 LARGE LOCA WITH FAILURE OF THE RECIRCULATION (ALFC)

This scenario assumes a break in the cold leg of the primary circuit with operation of the ECCS in the injection phase (although it could also fail in the recirculation phase). It is assumed that the auxiliary feedwater of the steam generators operates correctly, as well as the fan coolers of the containment. Additionally, it is assumed that one train of the containment spray system operates in the ECCS injection phase. After the break, scram occurs, pumps slow down progressively, and the auxiliary feedwater starts. The ECCS operates until the moment the recirculation mode is switched from the containment bottom (after 30 minutes), which does not succeed. The core remains without refrigeration except for the effect of the water present in it which is sufficient for 50 minutes. The metal–water reaction starts after 1.1 hours and about 450 kg (49% of the claddings have reacted) of hydrogen are produced in the vessel. Core melt starts after 1.7 hours and the penetration of the vessel by corium intervenes after approximately 2.3 hours. Afterwards, the corium, the remaining water and the hydrogen are released in the cavity [presumably two hydrogen deflagrations occur which increase temperature and pressure in the containment up to 650°C and 150 kPa (1.5 bar), respectively, for a short time]. The pressure in the containment increases in an initial period [up to 230 kPa (2.3 bar) at 3.5 hours] and is then controlled again by the fan coolers. The reactor cavity remains flooded and the molten core is cooled, so the concrete is not massively attacked by the corium and the production of gases, which would tend to repressurize the containment, is avoided. The containment building remains intact and no unforeseen releases of fission products occur.

5.5.5 SMALL LOCA WITH FAILURE OF THE RECIRCULATION

This scenario assumes that a break occurs in the cold leg of the reactor recirculation system. The thermohydraulic behavior is similar to the preceding scenario but with an expanded time scale: switch to recirculation mode after 6.5 hours, fuel top uncovered after 7.2 hours, start of rapid metal–water reaction after 8 hours. Roughly 600 kg of hydrogen are produced (65% of the claddings, that is more than in the preceding case due to the presence of steam water in the core for a longer time). After 12 hours, the fuel starts to melt and the vessel is perforated after 13.8 hours. Here, too, a generalized combustion of hydrogen takes place, but the containment is not damaged and the releases are small.

5.6 “SOURCE TERMS” FOR SEVERE ACCIDENTS

In 1962, the US Atomic Energy Commission (at the time the regulatory body on the peaceful uses of nuclear energy) published a technical information document, TID-14844 (Di Nunno et al., 1962), in which a release (“source term”) within the containment was defined for a light water reactor, corresponding to a typical accident with core melt, to be used for the verification of the compliance with the site acceptance criteria from the radiological point of view contained in the rule 10 CFR 100 (see Section 1.2). It is worth noting that the “source term” envisaged the immediate release into the containment of

• 100% of the core inventory of noble gases;
• 50% of the core inventory of iodine isotopes (of which 50% is assumed to be immediately deposited on various surfaces of the containment so that the iodine available for external release through the containment leaks is equal to 25% of the total);
• 1% of the remaining “solid” fission products, which, however, were always neglected by the standards and in the subsequent practice (e.g., in NRC Regulatory Guides 1.3 and 1.4, 1.183, 1.195 for the calculation of external consequences).

Iodine, moreover, was assumed to be mainly in elemental form (I2, 91%), for 5% in particulate form (particles or aerosols) and for 4% in the form of organic iodide (methyl iodide and similar compounds). It is surprising to consider that these simple rules have dominated a large part of the nuclear safety technology for more than 20 years. They had important consequences for the plants, whether through the amount of the releases, the assumption of practically instantaneous release from the core, or their composition and chemical–physical form. The engineered safety features, for example, have been optimized for the removal of elemental and organic iodine, while the closure time of the isolation valves has been established on the basis of the immediate release from the core. The Technical Information Document 14844 (TID) releases, as they were then named, have been used for the verification of the resistance to radiations of equipment inside the containment, as well as for the evaluation of control room habitability after an accident and for the design of liquid and gas sampling systems.

After publication of the Rasmussen report (1975) and the TMI accident, the validity of the “old and glorious” TID was questioned, much research on the subject was carried out and, in 1992, after years of debate in all the scientific and regulatory centers all over the world, an NRC report was published (USNRC, 1992a) containing a new proposal of “source term,” which should replace the TID. The new proposed releases for a PWR are shown in Table 5.3, expressed as a fraction of core inventory. The releases for a BWR are slightly different. The new proposal derives from the consideration of the sequences studied in USNRC (1990) and USNRC (1992b), and intends to represent an average of meaningful cases. The releases due to interaction of the molten core with concrete (late out of vessel releases) are those deriving from the assumption of an absence of water above the molten layer. If the case where a water layer is present is of interest, then the release will be lower due to the removal effect of the water.

Table 5.3 New Source Terms

| | Gap | Prompt Releases in the Vessel | Releases Outside the Vessel | Late, in Vessel, Releases |
|---|---|---|---|---|
| Duration (h) | 0.5 | 1.3 | 2 | 10 |
| Noble gases | 0.05 | 0.95 | 0 | 0 |
| Iodine | 0.05 | 0.35 | 0.29 | 0.07 |
| Caesium | 0.05 | 0.25 | 0.39 | 0.06 |
| Tellurium | 0 | 0.15 | 0.29 | 0.025 |
| Strontium | 0 | 0.03 | 0.12 | 0 |
| Barium | 0 | 0.04 | 0.10 | 0 |
| Ruthenium | 0 | 0.008 | 0.004 | 0 |
| Cerium | 0 | 0.01 | 0.02 | 0 |
| Lanthanum | 0 | 0.002 | 0.015 | 0 |

As far as the chemical–physical form of iodine is concerned, the following suggestions are given:

• at least 95% in the form of caesium iodide (CsI, aerosol);
• 5% in the form of I or of HI with at least 1% in each one of the two forms;
• the iodine dissolves in the containment water as I⁻ and may subsequently evolve as elemental iodine if the water pH is low (also as a consequence of radiolysis). In this case organic forms of iodine can be formed (to be particularly feared as they are difficult to remove by filters and by other systems). In the case where a pH control is envisaged for the containment water with the goal of keeping it above 7, then it is possible to assume that not more than 1% of dissolved iodine is freed from the water and can produce organic iodine.

Moreover, the other isotopes released, besides noble gases and iodine, are assumed to be in particulate form. The report on the new source terms (USNRC, 1992a) also gives guidance on the removal factors by filters, containment spray systems and water pools. Typical values for these factors are

• Removal by carbon filters: 90%–99% for elemental iodine and 30%–99% for organic iodides.
• Decrease of the radioactivity in suspension in a containment by a factor of about 100 as a result of a spray system in the first half an hour (subsequently the removal is much slower and depends on the water pH), under the condition that all the volume of the containment can be considered covered by the spray.
• Removal by a factor between 10 and 100 as a result of the passage of the effluents through the pool water of a BWR.

It is worth repeating that the “source term” has the purpose of replacing, using the modern research data now available, the releases given in the TID-14844 report in their specific applications, essentially of US interest. The new source term represents a reasonable average reference for severe accidents with extensive core melt. Obviously, for each specific case of interest, that is for every accidental sequence which has to be studied in depth, the calculation codes used to determine the new source term (SCDAP-RELAP and MELCOR) are capable of adequately supplying the required specific answer. It has to be expected, however, that the new source terms will be extensively applied, in particular for order of magnitude evaluations, to those scenarios of main interest in this book.
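An order-of-magnitude comparison of the two source terms discussed in this section, as an added example that is not from the book: it builds the time-dependent release into the containment from Table 5.3 and sets it against the instantaneous TID-14844 release. The phase start times (releases outside the vessel and late in-vessel releases both starting when the prompt in-vessel phase ends), the constant release rate within each phase, and the caesium inventory back-calculated from the "0.1% corresponds to about 160 TBq" figure quoted earlier in this chapter are assumptions of the example.

```python
"""Added example: TID-14844 versus the Table 5.3 source term (PWR)."""

# Table 5.3: fraction of core inventory released into the containment in each
# phase, ordered gap / prompt in-vessel / outside the vessel / late in-vessel.
TABLE_5_3 = {
    "noble gases": (0.05, 0.95, 0.0, 0.0),
    "iodine":      (0.05, 0.35, 0.29, 0.07),
    "caesium":     (0.05, 0.25, 0.39, 0.06),
    "tellurium":   (0.0, 0.15, 0.29, 0.025),
    "strontium":   (0.0, 0.03, 0.12, 0.0),
    "barium":      (0.0, 0.04, 0.10, 0.0),
    "ruthenium":   (0.0, 0.008, 0.004, 0.0),
    "cerium":      (0.0, 0.01, 0.02, 0.0),
    "lanthanum":   (0.0, 0.002, 0.015, 0.0),
}
DURATION_H = (0.5, 1.3, 2.0, 10.0)  # phase durations from Table 5.3

# ASSUMPTION (not stated on the page): gap and prompt in-vessel phases are
# sequential; the last two phases both start when the prompt phase ends.
START_H = (0.0, 0.5, 0.5 + 1.3, 0.5 + 1.3)
END_OF_RELEASE_H = START_H[3] + DURATION_H[3]

# TID-14844 as quoted in Section 5.6: everything is released at t = 0.
TID_IODINE_RELEASE = 0.50     # fraction of core iodine released
TID_IODINE_PLATEOUT = 0.50    # share of that deposited immediately
TID_IODINE_FORMS = {"elemental I2": 0.91, "particulate": 0.05, "organic": 0.04}
NEW_IODINE_FORMS = {"CsI aerosol": 0.95, "I + HI": 0.05}  # bounding split

# ASSUMPTION: inventory derived from "0.1% ... about 160 TBq of caesium".
CAESIUM_INVENTORY_TBQ = 160.0 / 0.001


def released_fraction(group, t_h):
    """Cumulative fraction of core inventory in the containment at t_h hours,
    assuming a constant release rate inside each phase (assumption)."""
    total = 0.0
    for frac, start, dur in zip(TABLE_5_3[group], START_H, DURATION_H):
        elapsed = min(max(t_h - start, 0.0), dur)
        total += frac * elapsed / dur
    return total


def tid_airborne_iodine():
    """Iodine available for leakage under TID-14844 (25% of the inventory)."""
    return TID_IODINE_RELEASE * (1.0 - TID_IODINE_PLATEOUT)


def split_by_form(total_fraction, forms):
    """Partition a released fraction among chemical-physical forms."""
    return {name: total_fraction * share for name, share in forms.items()}


def caesium_in_containment_tbq(t_h):
    """Caesium activity released into the containment by time t_h."""
    return released_fraction("caesium", t_h) * CAESIUM_INVENTORY_TBQ


def required_reduction_factor(target_tbq, t_h=END_OF_RELEASE_H):
    """Overall retention (containment, filters, sprays) needed to bring the
    external caesium release down to target_tbq (the 1-10 TBq reference)."""
    return caesium_in_containment_tbq(t_h) / target_tbq


if __name__ == "__main__":
    print("t (h)  iodine new   iodine TID   caesium (TBq)")
    for t in (0.0, 0.5, 1.8, 3.8, END_OF_RELEASE_H):
        print(f"{t:5.1f}  {released_fraction('iodine', t):10.3f}"
              f"   {tid_airborne_iodine():10.3f}"
              f"   {caesium_in_containment_tbq(t):12.0f}")
    total_i = released_fraction("iodine", END_OF_RELEASE_H)
    print("New forms:", split_by_form(total_i, NEW_IODINE_FORMS))
    print("TID forms:", split_by_form(tid_airborne_iodine(), TID_IODINE_FORMS))
    for target in (10.0, 1.0):
        print(f"Reduction factor for {target:g} TBq:",
              round(required_reduction_factor(target)))
```

The timeline shows why the isolation-valve closure times derived from the TID are conservative on timing (only 5% of the iodine is in the containment after the first half hour) while the late integrated release is larger than the 25% the TID leaves airborne.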

REFERENCES

Di Nunno, J., Baker, R.E.D., Anderson, F.D., Waterfield, R.L., 1962. Calculation of Distance Factors for Power and Test Reactor Sites. USAEC, TID-14844.
IAEA, 2019. SSG-54, Accident Management Programmes for Nuclear Power Plants.
IDCOR, 1984. Nuclear Power Plant Response to Severe Accidents. Technology for Energy Corp., Knoxville, TN.
NEA, 1995. Summary and Conclusions. Report NEA/CSNI/R(95)16: Specialist Meeting on Severe Accident Management Implementation. Niantic CT, 12–14 June, Nuclear Energy Agency.
Petrangeli, G., Sollima, C., 2008. Gamma decay heat distribution in core: a known issue revisited. Sci. Technol. Nucl. Ins. 2008, Article ID 796268.
Petrangeli, G., Zaffiro, C., Arru, L., 1995. Design of containment systems against severe accidents. Nuclear Europe Worldscan 15 (5/6), May/June.
Sehgal, B.R., 2011. Nuclear Safety in Light Water Reactors. Elsevier.
Theofanous, T.G., Corradini, M.L., 1995. The containment of severe accidents in the advanced passive light water reactors. ANPA March.
USNRC, 1990. Severe Accident Risks: An Assessment for Five US Nuclear Power Plants. NUREG-1150.
USNRC, 1992a. Accident Source Terms for Light Water Nuclear Power Plants. NUREG-1465.
USNRC, 1992b. Estimates of Radionuclide Release Characteristics into Containment Under Severe Accidents. NUREG/CR-5747.


FURTHER READING

USNRC Regulatory Guide, 1974a. 1.3 Assumptions Used for Evaluating the Potential Radiological Consequences of a Loss of Coolant Accident for Boiling Water Reactors.
USNRC Regulatory Guide, 1974b. 1.4 Assumptions Used for Evaluating the Potential Radiological Consequences of a Loss of Coolant Accident for Pressurized Water Reactors.
USNRC Regulatory Guide, 2000. 1.183 Alternative Radiological Source Terms for Evaluating Design Basis Accidents at Nuclear Power Reactors.
USNRC Regulatory Guide, 2003. 1.195 Methods and Assumptions for Evaluating Radiological Consequences of Design Basis Accidents at Light-Water Nuclear Power Reactors.

CHAPTER 6 THE DISPERSION OF RADIOACTIVITY RELEASES

6.1 THE MOST INTERESTING RELEASES FOR SAFETY EVALUATIONS

This chapter deals with some simple and quick methods for the evaluation of the dispersion in the environment of gaseous releases (gases, volatile products, aerosols, and particulates). Chapter 7, Health Consequences of Releases, describes some methods for evaluating the health consequences of releases. There are three steps in the evaluation of the consequences of accidents:

1. Evaluation of the releases (the source term; amount, chemical–physical form, trend with time).
2. Evaluation of the dispersion of releases in the environment.
3. Evaluation of the health consequences (see Chapter 7: Health Consequences of Releases).

The gaseous releases dealt with here are the most relevant ones for the evaluation of the immediate accident consequences and for the preparation of short-term emergency plans. Solid and liquid releases are less important for a nuclear power station because the radioactive products released to the environment are mainly gaseous and have high velocity (which may cause adverse consequences outside the plant). However, liquid releases have to be taken into account under some circumstances. The situation, then, is very different from many nonnuclear process plants where the prevailing accidental release from the point of view of the consequences may frequently be the release of flammable or toxic liquids.

The radioactive isotopes, which could in theory be released during an accident from a nuclear power station, are listed in Table 2.1. In practice, however, as recalled in Chapter 2, Inventory and Localization of Radioactive Products in the Plant, for order of magnitude evaluations and in order to only evaluate the scale of the accident consequences, it is sufficient to evaluate the following effects:

• direct radiation dose from noble gases (xenon-133, krypton-85) contained in the plume released;
• inhalation dose from iodine-131;
• radiation dose due to ground-shine from cesium-137 deposited on the ground (this effect is generally important only over long periods, i.e., weeks or months).

In some cases, the safety reports used for licensing evaluate only the releases of the above-listed isotopes, even if this practice does not satisfy many specialists. Ultimately, it is totally unsatisfactory when the consequences of releases evaluated in this manner are relatively close to the limits fixed for them in the design criteria. Nuclear Safety. DOI: https://doi.org/10.1016/B978-0-12-818326-7.00006-8 © 2020 Elsevier Ltd. All rights reserved.


It is necessary to consider plutonium and tritium only for specific plants and accidents. Some physical-chemical properties of the listed isotopes are particularly important for studying the consequences of accidents, and are briefly discussed here:

• The half-life, short or long, of the isotopes: Xenon-133, very abundant among the fission products, has a half-life of roughly five days and, therefore, it is important immediately after an accident. Krypton-85, on the other hand, has a half-life of about 11 years and, therefore, the defence against it does not consist in waiting for its decay. However, it tends to disperse and to dilute in the atmosphere without depositing out on the ground and, therefore, if released to the outside of a plant, it soon becomes innocuous. Even if it remains trapped in the containment after an accident, it is possible to get rid of it by venting it to the outside in favorable meteorological conditions and in a controlled way.¹ Cesium-137, too, has a long half-life (about 30 years) but, in addition, tends to deposit on the ground with its compounds. It is, therefore, the cause of prolonged irradiation of people from the ground. Moreover, the measurements performed on the ground after the Chernobyl accident have demonstrated that, even after many years, the deposited cesium remains concentrated in the first centimeters of soil without penetrating deeply and without dispersing, in contrast with what might be expected.
• Higher or lower volatility of the nuclide or of its more probable compounds: From this point of view, xenon, krypton, iodine, cesium, and tritium must be considered volatile, in contrast with the other nuclides. Strontium has an intermediate position, approaching that of a nonvolatile element.
• The higher or lower tendency to be removed and retained by the impact against walls and by rain (natural or artificial): Iodine, except for its organic compounds which tend to be formed in a very modest proportion (from 0.01% to 1% according to the surrounding conditions), must also be considered easily removable even if in some conditions it may, subsequently, reenter the atmosphere in suspension. Cesium, too, is removed rather easily.

In case of accident, the releases outside the plant would probably occur by slow infiltration through the leakage paths of the containment system, generally through the leak paths of the personnel and equipment airlocks, or through the leak paths of the electrical or mechanical penetrations of the containment. These leakages would generally be routed to a high (80–100 m) chimney and hence released to the outside. Part of the leaks might, however, bypass the emergency ventilation systems and be directly released to the outside at ground level. In both cases, the dispersion in the environment occurs by diffusion activated by the existing wind and by transport due to the wind itself.

In particular cases, the releases might happen in an explosive way and be projected, therefore, to a great height. This happened in the Chernobyl accident. In this case, the dispersion in the environment would occur under the influence of the high altitude air currents and by diffusion (to distances up to several tens of kilometers from the site) with mechanisms a little different from those governing the releases near the ground (or from a chimney).²


6.2 DISPERSION OF RELEASES: PHENOMENA

In general terms, gaseous releases may give rise to dense (heavy) clouds (i.e., heavier than air) or to light clouds. Chlorine and ammonia, for example, give rise to heavy clouds. The dispersion of a light cloud in the environment occurs by diffusion, generally in a turbulent regime. On the other hand, the dispersion of a heavy cloud occurs first by fall and by gravitational spread (in a similar manner as water in a bucket placed on the ground would disperse if the bucket suddenly disappeared). Subsequently, at a certain distance from the source, the heavy cloud is also dispersed by diffusion.

In the case of the release of radioactive substances from nuclear plants, light clouds are always formed: only the substances released as particulates or as aerosols show a gravitational motion of deposition toward the ground which is simultaneous to the dispersion by diffusion.

The fact that the releases happen at ground level or at the mouth of a chimney has a large influence on their dispersion pattern. As can be seen from Fig. 6.1A, during a ground release all the zone of ground downwind from the release point is exposed to the contamination of the products transported by the cloud. However, during release from an elevated chimney the ground is not contaminated up to a distance D from the release point, and people who stay within this distance are effectively protected by being in its “shadow” (Fig. 6.1B). Moreover, at distance D, at ground level, the contaminant concentration is lower than in the ground release case for two reasons. First, the release plume has diffused in all directions (at a distance D from the plant, the concentration of contaminants at the centerline of the plume is lower than in the ground release case by a factor of two according to the diffusion theory). Second, at distance D the ground is affected by the outside border of the plume (where the concentration, by definition of “plume border,” is equal to 10% of the value at the center of the plume itself), while in the ground release case, at distance D, the centerline concentration is present.³

The following parameters have an overwhelming influence on the atmospheric dispersion:

• the wind speed;
• the vertical thermal gradient (i.e., the change of the temperature with height).

The effect of the wind speed on the air turbulence and on its dispersion capabilities is self-evident. The importance of the vertical thermal gradient can be understood by the following points:

• If a small volume of air is ideally displaced because of turbulence from position 1 upwards to position 2 (Fig. 6.2) without heat exchange with the outside (a valid assumption for quick movements due to turbulence), then its pressure, in order to be in equilibrium with the new external environment, must decrease (at low elevations atmospheric pressure decreases by about 9 mmHg every 100 m increase in elevation). (In the example in the figure, the spherical volume of air is displaced by 100 m upward so that a substantial pressure variation occurs.) As the displacement has taken place without thermal exchanges, that is in an adiabatic way, the temperature T2 (kelvin) will be given by the law valid for adiabatic transformations [Eq. (6.1)]:

$$T_2 = T_1 \left(\frac{P_2}{P_1}\right)^{\frac{k-1}{k}} \qquad (6.1)$$

where k is the ratio of specific heat at constant pressure to specific heat at constant volume (for air = 1.4).
• If the air temperature at position 2 is higher than the final one of the adiabatic transformation, T2, then the small air volume displaced will be more dense and heavier than the surrounding air and will tend to return to its starting position by gravity (stability). In the opposite case, it will tend to rise even more under the effect of buoyancy (instability).
• The same reasoning is valid if a downward displacement is assumed.

FIGURE 6.1 Diffusion plume for (A) ground and (B) elevated release from a chimney. D = Protected distance.

The vertical thermal gradient of air is adiabatic if it corresponds to an adiabatic transformation, it is superadiabatic if it is algebraically lower than the adiabatic one and it is underadiabatic if it is algebraically higher than the adiabatic one (Fig. 6.3). For a superadiabatic gradient, the temperature decreases with increasing height more than for an adiabatic transformation. The opposite is true for an underadiabatic gradient.

FIGURE 6.2 Adiabatic expansion of an air volume. (Position 1: 0 m, pressure = 760 mmHg; Position 2: 100 m, pressure = 751 mmHg.)

FIGURE 6.3 Identification of various distributions of temperature with height. (Curves: adiabatic, underadiabatic, superadiabatic, inversion; axes: T, h.)

Therefore a superadiabatic situation (Fig. 6.4) is favorable to the instability of the turbulent movements of the atmosphere and therefore it is favorable to an effective dispersion of contaminants. On the other hand, an underadiabatic situation is stable and unfavorable to dispersion (Fig. 6.5). The peculiar underadiabatic situations where the temperature increases with increasing height are thermal inversions (Fig. 6.6). Generally, they occur on clear nights when the earth more easily loses its heat by radiation toward the sky and therefore the lower atmosphere layers also cool down significantly, while the higher layers remain relatively warm. On the following morning, after some hours of insolation, the ground heats up again and the inversion tends to disappear. The inversion condition is favored by light winds (wind speed less than about 2 m/s).

Another very peculiar condition is fumigation (see Fig. 6.7). It can occur in the first hours of the morning, after a clear night with inversion, when the soil starts to heat up and the inversion rises from ground level up to an elevation H. If the diffusion below the inversion elevation is very good (e.g., in the presence of a breeze), then, always below the inversion layer, the release concentration tends to be constant along the height. This is important because the effect of the presence of the chimney (the “umbrella” effect) is reduced or eliminated. In general, the fumigation conditions do not last more than a few hours.

The diffusion characteristics near a plant at a certain moment can be judged by knowing the air temperature as a function of height, together with other factors which are discussed below. The local meteorology of the site of a nuclear plant is the subject of attentive and long studies with the aim of forecasting environment contamination and getting guidance on the most opportune moments to discharge gaseous waste into the atmosphere. A meteorological tower, roughly 100 m high, is a characteristic feature on the site of an important power plant.

The above section has given basic information on the meteorology of atmospheric diffusion. The following section gives some simple techniques for evaluating the concentration of contaminants at a specified distance from the release.

FIGURE 6.4 The case of superadiabatic thermal gradient (good dispersion).

FIGURE 6.5 The case of underadiabatic thermal gradient (small dispersion).

FIGURE 6.6 The case of superadiabatic thermal gradient with overhead inversion (good dispersion only below the inversion layer).

FIGURE 6.7 The limit case of a thermal inversion (fumigation conditions). (Labels: adiabatic gradient, Category F, Category B, elevation H; axes: T, h.)

6.3 RELEASE DISPERSION: SIMPLE EVALUATION TECHNIQUES

“Cloud concentration” (χ seconds per cubic meter) is the measure of air contamination at a certain position for health protection evaluations. Sometimes, the symbol χ/Q is used for the same quantity, where Q is the activity released (Bq). Cloud concentration is inversely proportional to wind speed (sometimes it is given for a wind velocity equal to unity, i.e., 1 m/s).

• Case 1 (instantaneous release): The radioactivity inhaled by an exposed person during the passage of the contaminated cloud is

$$I = R \times Q \times \chi \ \text{Bq} \qquad (6.2)$$

where R is the respiration rate of the exposed person (3.4 × 10⁻⁴ m³/s for an adult), Q is the activity released (Bq) and χ is the cloud concentration (s/m³).
• Case 2 (continuous release): The radioactivity inhaled by an exposed person during the passage of the contaminated cloud is

$$I = R \times \frac{Q}{t} \times \chi \ \text{Bq/s} \qquad (6.3)$$

where R is the respiration rate of the exposed person (3.4 × 10⁻⁴ m³/s for an adult), Q/t is the activity released by a continuous source (Bq/s), and χ is the cloud concentration (s/m³).

In the Gaussian theory of diffusion (the most commonly used), χ is a function of wind speed (inverse proportionality), the values of the standard deviation of the Gaussian distribution, the height of release, and the position of a point in space with reference to the release point. The relevant formulae and diagrams, valid within several tens of kilometers from the release point, are given in Section 6.4. For simplified evaluations that usefully support quick decisions, they are not strictly necessary. For now it is sufficient to know that the formulae and diagrams applied to a specific condition are, in current practice, connected with six categories of meteorological diffusion (the Pasquill categories, after the name of the specialist who proposed them).⁴ The categories, and the meteorological conditions in which each of them is applicable, are shown in Table 6.1.

Table 6.1 Relationship Between Turbulence Types (Categories) and Weather Conditions

A—Extremely unstable conditions
B—Moderately unstable conditions
C—Slightly unstable conditions
D—Neutral conditions (applicable to heavy overcast conditions, day or night)
E—Slightly stable conditions
F—Moderately stable conditions

                    Daytime Insolation               Night-time Conditions (Cloud Cover[a])
Wind Speed (m/s)    Strong    Moderate    Light      Thin overcast or >4/8    <3/8
<2                  A         A–B         B          —                        —
2                   A–B       B           C          E                        F
4                   B         B–C         C          D                        E
6                   C         C–D         D          D                        D
>6                  C         D           D          D                        D

[a] The degree of cloudiness is defined as the fraction of sky covered by clouds above the local apparent horizon.


Although condition F with a wind speed of 2 m/s is shown in the table only as a night-time condition, in reality it is currently used as a condition applicable to both day and night in conservative evaluations. For rule-of-thumb, quick and conservative evaluations, a ground release in condition F with a wind speed of 2 m/s is assumed, with

• χ = 3 × 10⁻⁴ s/m³ at a distance of 1000 m from the release; and
• χ_d = χ × (1000/d)^1.52 s/m³ at other distances d (m) (i.e., variation of the cloud concentration with distance on the basis of an inverse proportionality to the ratio of the distances with an exponent of 1.52).

If the release occurs from an elevated chimney (about 80–100 m high), χ is assumed to be ten times lower than the value given for the first kilometers from the release. If less favorable meteorological situations are to be evaluated (as an example of “best estimate” calculations), a D condition with a wind speed of 5 m/s is frequently assumed, with a corresponding χ at 1000 m of 10⁻⁵ s/m³.

The concentration of the material deposited on the ground by a cloud generated by an instantaneous release is obtained from the concentration in air multiplied by a deposition velocity v, usually conservatively assumed equal to 0.01 m/s. We define the concentration on the ground

$$C_t = \chi \times Q \times v \ \text{Bq m}^{-2} \qquad (6.4)$$

where χ is the cloud concentration (s/m³), Q is the activity released (Bq), and v is the deposition velocity, usually assumed equal to 0.01 m/s.⁵

6.4 FORMULAE AND DIAGRAMS FOR THE EVALUATION OF ATMOSPHERIC DISPERSION

The value of χ at ground level is given, in the absence of precipitations and within a maximum distance of 100 km from the release point, by the following equation of the “generalized Gaussian plume”:

$$\chi = \frac{Q}{\pi \sigma_y \sigma_z u} \, e^{-\left(\frac{y^2}{2\sigma_y^2} + \frac{h^2}{2\sigma_z^2}\right)} \qquad (6.5)$$

where χ is in Bq s m⁻³ for a release Q (Bq) for an instantaneous source, and is in Bq m⁻³ for a release rate Q (Bq/s) for a continuous source, u is the average wind speed (m/s), h is the height of the release point (m), y is the distance from the plume axis in the transverse direction (m), and σy and σz (m) are the Pasquill–Gifford coefficients of atmospheric diffusion, given as a function of x, the downwind distance.

The values of σy and σz are given, for the three Pasquill categories B, D, and F considered as the most representative, in Figs. 6.8–6.10. The distance from the point of release is indicated by x (m). It has to be noted, in order to avoid confusion, that, in the trendline formulae written on top of each graph, x is the abscissa, that is log x, and y is the ordinate, that is log σy or log σz, according to the figure considered. This is due to the symbols used by the automatic interpolation program, which always names the abscissa x and the ordinate y. An example will further clarify this point: looking at the upper graph of Fig. 6.8, which gives log σy as a function of log x, where log means as usual the logarithm in base 10, for 10,000 m (log x = 4), a value of about 3 can be read on the line graph for log σy, which means σy = 1000. Similarly, the trendline formula gives:

y = log σy = 0.0027(log x)³ − 0.0585(log x)² + 1.2136(log x) − 1.0106
  = (0.0027 × 4³) − (0.0585 × 4²) + (1.2136 × 4) − 1.0106 = 3.08.

FIGURE 6.8 Diffusion coefficients for category B. (A) B, log sigma y (m) versus log x (m); trendline: y = 0.0027x³ − 0.0585x² + 1.2136x − 1.0106, R² = 1. (B) B, log sigma z (m) versus log x (m); trendline: y = 0.9238x² − 3.5634x + 4.4731, R² = 1.

FIGURE 6.9 Diffusion coefficients for category D. (A) D, log sigma y (m) versus log x (m); trendline: y = 0.0148x³ − 0.1752x² + 1.5541x − 1.6231, R² = 1. (B) D, log sigma z (m) versus log x (m); trendline: y = 0.0049x³ − 0.1354x² + 1.4082x − 1.6325, R² = 1.

Ground concentrations are given in Figs. 6.11–6.13 for the three categories B, D, and F considered the most representative and for three values of release height (10, 30, and 100 m).
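The calculation described in this section, as an added example (it is not the book's own program from the download files): the Python code below evaluates Eq. (6.5) with σy and σz taken from the trendline formulae printed on Figs. 6.8–6.10, together with the rule-of-thumb χ of Section 6.3 and Eqs. (6.2) and (6.4). The function names, the 100 m to 100 km validity window and the distance scan used to locate the peak ground concentration under a chimney are assumptions of this example.

```python
import math

# Trendline coefficients as printed on Figs. 6.8-6.10, highest power first.
# Abscissa: log10(x in m); ordinate: log10(sigma in m).
SIGMA_Y = {
    "B": (0.0027, -0.0585, 1.2136, -1.0106),
    "D": (0.0148, -0.1752, 1.5541, -1.6231),
    "F": (0.0044, -0.0713, 1.2271, -1.6022),
}
SIGMA_Z = {
    "B": (0.0, 0.9238, -3.5634, 4.4731),   # quadratic fit on the page
    "D": (0.0049, -0.1354, 1.4082, -1.6325),
    "F": (0.0011, -0.144, 1.5033, -2.0967),
}

# Assumed validity window (not stated as such on the page): the distance
# axis of Fig. 6.11 starts at 100 m and Eq. (6.5) is given for up to 100 km.
X_MIN, X_MAX = 100.0, 100_000.0

R_ADULT = 3.4e-4     # adult respiration rate, m3/s (Section 6.3)
V_DEPOSITION = 0.01  # deposition velocity, m/s (Section 6.3)


def _poly(coeffs, t):
    """Evaluate a polynomial (highest power first) with Horner's rule."""
    value = 0.0
    for c in coeffs:
        value = value * t + c
    return value


def sigmas(category, x):
    """Return (sigma_y, sigma_z) in metres at downwind distance x (m)."""
    if category not in SIGMA_Y:
        raise ValueError("category must be 'B', 'D' or 'F'")
    if not X_MIN <= x <= X_MAX:
        raise ValueError("x outside the assumed 100 m to 100 km window")
    t = math.log10(x)
    return 10.0 ** _poly(SIGMA_Y[category], t), 10.0 ** _poly(SIGMA_Z[category], t)


def chi_ground(category, x, u, h=0.0, y=0.0, q=1.0):
    """Eq. (6.5): ground-level chi for release height h (m), offset y (m)."""
    if u <= 0.0:
        raise ValueError("wind speed must be positive")
    sy, sz = sigmas(category, x)
    exponent = y * y / (2.0 * sy * sy) + h * h / (2.0 * sz * sz)
    return q / (math.pi * sy * sz * u) * math.exp(-exponent)


def chi_rule_of_thumb(d):
    """Section 6.3 quick estimate (ground release, category F, 2 m/s), s/m3."""
    if d <= 0.0:
        raise ValueError("distance must be positive")
    return 3e-4 * (1000.0 / d) ** 1.52


def inhaled_activity(chi, q, r=R_ADULT):
    """Eq. (6.2): activity inhaled (Bq) for an instantaneous release q (Bq)."""
    return r * q * chi


def ground_deposit(chi, q, v=V_DEPOSITION):
    """Eq. (6.4): activity deposited on the ground (Bq/m2)."""
    return chi * q * v


def peak_ground_concentration(category, u, h, points=600):
    """Scan log-spaced distances; return (x, chi) of the centerline maximum."""
    best_x, best_chi = X_MIN, -1.0
    for i in range(points):
        x = min(X_MIN * (X_MAX / X_MIN) ** (i / (points - 1)), X_MAX)
        c = chi_ground(category, x, u, h=h)
        if c > best_chi:
            best_x, best_chi = x, c
    return best_x, best_chi


if __name__ == "__main__":
    print("F, ground, 2 m/s, 1000 m:", chi_ground("F", 1000.0, 2.0))
    print("rule of thumb at 1000 m :", chi_rule_of_thumb(1000.0))
    print("D, h=100 m, 1 m/s, peak :", peak_ground_concentration("D", 1.0, 100.0))
```

For category F at 2 m/s and 1000 m the trendline-based value lands close to the 3 × 10⁻⁴ s/m³ used in the rule of thumb, and for a 100 m release in category D the ground-level maximum falls a few kilometers downwind.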

FIGURE 6.10 Diffusion coefficients for category F. (A) F, log sigma y (m) versus log x (m); trendline: y = 0.0044x³ − 0.0713x² + 1.2271x − 1.6022, R² = 1. (B) F, log sigma z (m) versus log x (m); trendline: y = 0.0011x³ − 0.144x² + 1.5033x − 2.0967, R² = 1.

FIGURE 6.11 Ground concentrations for height of release of 10 m. (Axes: concentrations (per m2) versus distances (m); curves for Category B, Category D, and Category F.)

FIGURE 6.12 Ground concentrations for height of release of 30 m.

FIGURE 6.13 Ground concentrations for height of release of 100 m.

A simple program for calculating the concentrations is in the enclosed download files. Further data can be found in Slade (1968).

Under fumigation conditions, the usual assumption of a concentration constant with height below the impervious inversion layer leads to Eq. (6.6):

$$\chi_f = \frac{Q}{(2\pi)^{1/2} \sigma_y \sigma_z u H} \, e^{-\frac{y^2}{2\sigma_y^2}} \qquad (6.6)$$

where H is the height of the base of the inversion layer (m) (see Fig. 6.7) and the other symbols have the same meaning as before.⁶

In the case where a release occurs from a building or near it, the formulae for a point release are too conservative at a short distance. Indeed, the turbulent wake of the building ensures an initial dilution of the release. One way to take this effect into account consists in using the point release formulae but with an imaginary backward displacement of the source. Fig. 6.14 shows this procedure. The presence of a building may reduce the beneficial effect of an adjacent chimney at short distances, reducing the already mentioned “umbrella” effect. The influence of the building can be considered completely absent only if the height of the chimney is equal to at least 2–2.5 times that of the building; otherwise the effect of the chimney will be reduced or possibly eliminated by the turbulence generated by the building.

In the case when the release occurs from a chimney and the effluent is warmer than the external air and/or it is released to the environment with a significant initial vertical velocity, the buoyancy forces and the kinetic energy will make the releases behave as if they were released from a higher chimney (thermal and kinetic elevation of the plume). There are many studies and evaluation methods that take these effects into account (Slade, 1968). Here, as an example, is the Stümke formula (Eq. 6.7) for the rise of the plume, Δh:

$$\Delta h = \frac{1.5\,w\,d}{u} + \frac{65\,d^{3/2}}{u}\left(\frac{\Delta T}{T_s}\right)^{1/4} \qquad (6.7)$$

where d is the diameter of the chimney outlet (m), w is the exit speed at the chimney mouth (m/s), u is the wind speed (m/s), ΔT and Ts are the temperature difference with reference to the environment and the external temperature, respectively (kelvin).

FIGURE 6.14 Effect of a building on a plume. (Labels: real release point; point of imaginary backward displaced release; backing distance.)

6.5 CALCULATION OF ATMOSPHERIC DISPERSION BY COMPUTER FLUID DYNAMICS CODES

Concerning possible improvements in methods with respect to what is explained above, a study has recently been published (Petrangeli, 2011) which is a test of applicability of Computer Fluid Dynamics (CFD) codes to a nuclear plant chimney. Six cases were studied and a comparison is made with common methods.

A comparison with field test data was made. The tests were done at the Casaccia Nuclear Research Center in 1974 (Cagnetti, 1975). The aim of the tests was to measure the ground contamination in the vicinity of a group of buildings and up to a distance of 850 m downwind. The plan of the site is illustrated in Fig. 6.15, which shows the three buildings (A, B, and C). The height of the buildings is also indicated, together with the location and height of the 1-m diameter stack from where the tracer contaminant (uranine aerosol) was released. Besides sampling points near the buildings themselves, two sampling lines were located at 450 and 850 m downwind from the stack. The prevailing wind conditions during the tests were a sea breeze coming from the coastline (20–30 km west, wind velocity equal to some meters per second, Category F of the Pasquill Scale). These two sampling lines are not included in Fig. 6.15 because of their distance from the site; they are, however, perpendicular to line L shown in the figure. Only one of the four experiments performed was well centered on the sampling network described: the data from this experiment have been used here for comparison with calculation; the wind velocity and direction shown in Fig. 6.15 are those of this experiment.

The calculation model used is described in Petrangeli (2011). The mass flow rate of “smoke” from the stack is 0.046 kg/s; the air flow velocity from the stack is 0.5 m/s; flow exiting from the stack is 0.1 kg/kg. The volumetric “smoke” concentration at the stack exit is, then, 0.12 kg/m³. The volumetric concentration of “smoke” along the line L and up to the two sampling lines at 450 m (x = 328 m) and at 850 m (x = 556 m) resulting from the calculation is shown in Fig. 6.16. The two test results at 450 m and at 850 m distance from the release point are also shown (6.6e−8 and 2e−8 kg/m³, respectively). The ratio between measured and calculated values is in the range between 1.5 and 2, which indicates a very good agreement.

The study shows that CFD codes are adequate even in the presence of complicated building arrangements. The effect of the presence of a chimney on the ground level concentration of emissions near the plant is to significantly decrease, as mentioned above, the concentrations (in practical cases of interest, by a factor of 5–10), while the effect of the presence of nearby plant buildings is to partly eliminate this benefit because of the building wake. The author of this paper believes that the practical methods currently used for the evaluation of ground concentrations in these cases deserve some improvement. One line of development suggested here is the use of CFD codes. The author believes that presently available code packages in this field are sufficiently accurate.

FIGURE 6.15 Buildings location in the test field. (Labels: buildings A (h = 6 m), B (h = 16 m), and C (h = 16 m); stack (h = 14 m from ground); line L; axes X (m) and Z (m).)

FIGURE 6.16 Result of computer fluid dynamics calculation line and two measurement points. (Axes: smoke volumetric concentration (kg/m³) versus x (m); measurement points at 6.6e−8 kg/m³ and 2e−8 kg/m³.)
The main conclusions of this exercise could be the following:

• The use of CFD codes seems suitable for atmospheric dispersion calculations of interest to the nuclear plant designer and safety analyst; in particular, for design studies aimed at the definition of nuclear plant and stack arrangements, the results of this exercise seem to indicate that the methods used here are completely suitable for the comparison of various solutions.
• The use of CFD codes may avoid wrong decisions, like the elimination of a stack in the design of a nuclear plant; excessive and detrimental overconservatism can also be avoided. In the test case and calculation described above, the contaminant concentration calculated at ground level with ordinary methods (Fig. 6.1) would be about 100 times higher than the measured (and CFD calculated) values, which is not unusual as discussed above.
• When adequate guidance is provided, as the reference paper attempts to do, the CFD calculation methods are rather robust and simple to perform.

ENDNOTES

1. This happened after the TMI accident, when about 3700 TBq (10⁵ Ci) of ⁸⁵Kr were trapped in the containment. After an exhaustive safety analysis and under the authorization of the US regulatory body, the NRC, it was voluntarily released to the outside about one year after the accident.

2. As already mentioned in Section 1.2, it has often been written that the contamination caused by Chernobyl at great distances was solely due to the violent initial upward projection of the releases. In reality, a ground release too, at distances of several tens of kilometers, reaches, by diffusion, a height of several kilometers and, therefore, the exclusive effect of the initial upward momentum on the dispersion of contamination at great distances is not to be considered self-evident. Certainly, an influence at short distances has been present. It is therefore necessary to believe that a large release, even at ground level, may cause extensive contamination at long distance, as is also demonstrated by the case of the contamination generated by the atmospheric leaks (without violent projection) of radioactivity during defective underground tests of nuclear weapons. Another example might be the path of the chlorinated compounds as a danger for the stratospheric ozone layer. Finally, unfortunately, a non-RBMK reactor design could, in theory, give rise to extensive contamination. For example, even without considering the catastrophic burst of a light water reactor vessel, a severe accident in one of these reactors with the subsequent explosion of the containment could give rise to consequences similar to those of Chernobyl. This was the case of the Fukushima accident in 2011 (Fukushima, 2018).

3. Using methods which will later be explained, it can be shown that a 100-m high chimney, in typical meteorological dispersion conditions, affords very good protection of the land up to a few kilometers from the plant and that at this distance the concentration is decreased by a factor of about 10 (sometimes higher than that) with reference to the case without a chimney!

4. Frank Pasquill proposed his scheme in 1958 in a written note which he did not consider worth publishing. Subsequently his method was acknowledged to be so useful that it was universally adopted.

5. Those surprised by the excessive simplicity of these evaluations must be, in a certain sense, reassured. In evaluating meteorological dispersion it is much more important to take into account all the dominating factors than to perform extremely precise evaluations using conceptually defective schemes. For example, it is fundamental, in the dispersion evaluations, to consider the variation of wind direction and speed with time and distance, the effect of rain of various types, and the extent and effect of local topography (presence of settlements on hills or in valleys, and so on). In international comparative exercises performed (“benchmarks”), the maximum difference between the results of different groups of evaluators and the difference between anticipated evaluations and measures has been, unfortunately, equal to several orders of magnitude.

6. Example calculation of order of magnitude. The purpose here is to get an idea of the importance of neglecting the fumigation effect in a situation such as that in Fig. 6.7, where the diffusion conditions below the inversion layer correspond to a Pasquill category D. Eq. (6.6), for wind speed, u, and source, Q, equal to 1, and for h = H = 100 m, gives, at a typical distance of 1500 m:
χ = 5 × 10⁻⁶ s/m³
However, the use of the fumigation formula gives:
χ = 3.3 × 10⁻⁵ s/m³
It can be concluded that the effect of the fumigation condition increases by a factor of 10 the ground concentration, nullifying the beneficial effect of the chimney.

REFERENCES

Cagnetti, P., 1975. Downwind concentrations of an airborne tracer released in the neighbourhood of a building. Atmos. Environ. 9, 739. Pergamon Press.
Fukushima, 2018. Daiichi Nuclear Disaster, from Wikipedia.
Petrangeli, G., 2011. Location and sizing of a plant stack: design study using CFD. Nucl. Eng. Des. 241, 2248–2256.
Slade, D.H. (Ed.), 1968. Meteorology and Atomic Energy. United States Atomic Energy Commission, USAEC, Division of Technical Information, Oak Ridge, TN.

CHAPTER 7

HEALTH CONSEQUENCES OF RELEASES

7.1 THE PRINCIPLES OF HEALTH PROTECTION AND SAFETY

The principles of radiation protection and safety as summarized by the IAEA (INSAG 12) and based on ICRP (2007) are:

• A practice which entails or that could entail exposure to radiation should only be adopted if it yields sufficient benefit to the exposed individuals or to society to outweigh the radiation detriment it causes or could cause (justification principle).
• Individual doses due to the combination of exposures from all relevant practices should not exceed specified dose limits (limitation principle).
• Radiation sources and installations should be provided with the best available protection and safety measures under the prevailing circumstances, so that the magnitudes and likelihood of exposures and the number of individuals exposed be as low as reasonably achievable, economic and social factors being taken into account, and the doses they deliver and the risks they entail be constrained [optimization principle or as low as reasonably achievable (ALARA)].
• Radiation exposures that are not part of a practice should be reduced by intervention when this is justified, and the intervention measures should be optimized.
• The legal person authorized to engage in a practice involving a source of radiation should bear the primary responsibility for protection and safety.
• A safety culture should be inculcated that governs the attitudes and behavior in relation to protection and safety of all the individuals and organizations dealing with sources of radiation.
• In depth defensive measures should be incorporated into the design and operating procedures for radiation sources to compensate for potential failures in protection and safety measures.
• Protection and safety should be ensured by sound management and good engineering, quality assurance, training and qualification of personnel, comprehensive safety assessments, and attention to lessons learned from experience and research.

Nuclear Safety. DOI: https://doi.org/10.1016/B978-0-12-818326-7.00007-X © 2020 Elsevier Ltd. All rights reserved.

7.2 SOME QUANTITIES, TERMS, AND UNITS OF MEASURE OF HEALTH PHYSICS

Absorbed dose: The average energy imparted by ionizing radiation to the unit mass of matter. Unit of measure: gray (Gy) = 1 J/kg.


Dose: This term has two meanings:

• a measure of the quantity of radiation present in a radiation field or given by this field: notion expressed by the word “exposure”;
• a measure of the radiation received or absorbed by a target.

Effective dose: The summation of the tissue equivalent doses, each multiplied by the appropriate tissue weighting factor.

Equivalent dose: The dose absorbed by a tissue or organ, multiplied by the pertinent radiation type weighting factor. Unit of measure: sievert (Sv) = 1 J/kg (sometimes, the previous unit, the rem = 1/100 Sv, is still used).

Genetic effects: The effects on genetic material of somatic or germ cells, used in an imprecise way as a synonym of “hereditary effects.”

Hereditary effects: The effects which manifest themselves in descendants of the exposed individual.

Nonstochastic (deterministic) effects: The effects for which generally a threshold level of dose exists above which the severity of the effect is greater for a higher dose.

Radiation weighting factor: A multiplication factor for the absorbed dose which accounts for the relative effectiveness of the various types of radiation in inducing health effects (see Table 7.1).

Radioactivity: The radioactivity of a sample is the number of disintegrations per second. Unit of measure: becquerel (Bq) = disintegrations second⁻¹ [sometimes, the previous unit, the curie (Ci) = 37 GBq, is still used (1 TBq, a frequently used unit, is thus equal to about 27 Ci)].

Somatic effects: The effects that manifest themselves in the exposed individual.

Stochastic effects: The radiation effects, generally occurring without a threshold level of dose, whose probability is proportional to the dose and whose severity is independent of the dose.

Tissue weighting factors: Factors which account for the different sensitivity of organs and tissues to the induction of stochastic effects of radiation (see Table 7.2).

Table 7.1 Radiation Weighting Factors.

| Type and Energy Range of Radiation | Radiation Weighting Factor |
|---|---|
| Photons | 1 |
| Electrons and muons | 1 |
| Neutrons <10 keV | 5 |
| Neutrons 10–100 keV | 10 |
| Neutrons 100 keV–2 MeV | 20 |
| Neutrons 2–20 MeV | 10 |
| Neutrons >20 MeV | 5 |
| Protons (except recoil protons) >20 MeV | 5 |
| α-Particles, fissile fragments, heavy nuclei | 20 |


Table 7.2 Tissue Weighting Factors.

| Tissue or Organ | Weighting Factor |
|---|---|
| Gonads | 0.2 |
| Bone marrow (red) | 0.12 |
| Colon | 0.12 |
| Lung | 0.12 |
| Stomach | 0.12 |
| Bladder | 0.05 |
| Breast | 0.05 |
| Liver | 0.05 |
| Oesophagus | 0.05 |
| Thyroid | 0.05 |
| Skin | 0.01 |
| Bone surface | 0.01 |
| Remainder | 0.05 |

7.3 TYPES OF EFFECTS OF RADIATION DOSES AND LIMITS

So far as the deterministic effects are concerned, the following brief and imprecise facts should be remembered:

• The lethal dose at 50% probability (LD50) is equal to about 3–5 Gy, in the absence of good medical assistance.
• Impairment of vision may happen between 1 and 10 Gy, according to the type of radiation (high or low linear energy transfer).
• Permanent sterility may occur between 2.5 and 6 Gy.

For the stochastic effects in the population, the following, again brief, reference data should be noted:

• Death risk for low doses = 5 × 10⁻²/Sv.
• Risk of serious effects in descendants = 0.5–1.3 × 10⁻²/Sv.

As far as the limits adopted in many countries by law are concerned, we have:

• for workers: 20 mSv per solar year (effective dose);
• for the population: 10 μSv/year for each practice.

These limits hold for normal operation of the plants and not for accidents. Indeed, no other limits exist for accidents except those fixed by the local regulatory body, case by case, or for classes of plants and of sources. For example, for a nuclear power station, the most recent trend in Italy was to prevent the reference values for short-term evacuation of the population (taken as equal to 1 rem, which is the lowest value named in foreign and international guidelines) from being exceeded in case of a severe accident. Moreover, it is usual to define a design limit for the collective dose of workers: the present value in many countries is of the order of 1 Sv person/year.


7.4 EVALUATION OF THE HEALTH CONSEQUENCES OF RELEASES

As elsewhere in this book, here only simple methods and orders of magnitude are listed which can be useful for quick dose evaluations for preliminary decisions: more precise methods are described in the references and in the abundant literature in the field.

7.4.1 EVALUATION OF INHALATION DOSES FROM RADIOACTIVE IODINE

The following is a simple formula that can be used for a quick evaluation. It is most easily remembered if the old units of measurement are used (curie, rem, etc.).¹

$$D = 10 \times \chi \times R$$

where D is the effective dose for adults (rem) (for children a multiplication factor ranging from 5 to 10, according to age, has to be used), χ is the cloud concentration (s/m³) (see also Chapter 6: The Dispersion of Radioactivity Releases), and R is the number of curies of iodine-131 released.² The dose calculated for all the iodine isotopes (not just for iodine-131) could result in a dose of the order of double that calculated for iodine-131 only. The dose to the thyroid is equal to about 20 times the one here calculated.

7.4.2 EVALUATION OF DOSES DUE TO SUBMERSION IN A RADIOACTIVE CLOUD

In some cases the term “submersion doses” may not be appropriate because what is generally meant with this expression are the doses of direct radiation from a cloud of radioactive substances traveling in the vicinity. Here xenon-133 (important for accidents to reactors or to gaseous waste decay tanks) and tritium (e.g., ³H, important for fusion machines) are considered. The doses are roughly:

For xenon-133

$$D = \frac{\chi \times R}{300}$$

which can give lower dose values than other models [this has been taken from Commission of European Communities (CEC) documents]. In order to take into account the finite dimensions of the cloud, the calculated doses should be multiplied by a factor (<1) which, for ground release and for F category, ranges from 0.1 at 1 km to 0.7 at 100 km.

For tritium (skin irradiation, inhalation):

$$D = 0.03 \times \chi \times R$$

1 Relaxation moment! Concerning the use of obsolete units of measure, the subtle truth contained in a popular joke comes to mind. It concerns a professor, very popular with his students, who, answering a question about the reason why he taught so many incorrect notions in his lessons, replied, “This way they understand better!”

2 It is worth recalling from Chapter 6, The Dispersion of Radioactivity Releases, that χ can conservatively be assumed to equal 10⁻⁴–10⁻³ s/m³ (Pasquill category F with a wind speed of 2 m/s) at 1 km and variable for other distances as the inverse of the ratio of the distances raised to the power of 1.5–2.
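The rules of thumb of Sections 7.4.1 and 7.4.2 can be chained with the distance scaling of χ given in Note 2. The Python sketch below is an added example, not part of the book; the function names, dictionary keys and parameter names are assumptions, and applying the thyroid and all-iodine multipliers after the age factor is an interpretation made here.

```python
"""Quick-look cloud doses from the rules of thumb in Sections 7.4.1 and 7.4.2.

Added example, not from the book. Units follow the text:
chi in s/m^3, release R in curies, dose D in rem.
"""

# Coefficient k in D = k * chi * R, as given in the text.
CLOUD_DOSE_COEFF = {
    "I-131": 10.0,           # inhalation, effective dose for adults
    "Xe-133": 1.0 / 300.0,   # direct radiation from the passing cloud
    "H-3": 0.03,             # tritium: skin irradiation and inhalation
}


def chi_at(distance_km, chi_1km=1e-3, exponent=1.5):
    """Scale chi from its value at 1 km (Note 2).

    chi_1km:  1e-4 to 1e-3 s/m^3 (Pasquill category F, wind speed 2 m/s).
    exponent: 1.5 to 2; chi varies as (distance / 1 km) ** -exponent.
    """
    if distance_km <= 0:
        raise ValueError("distance must be positive")
    if not 1.5 <= exponent <= 2.0:
        raise ValueError("Note 2 gives an exponent between 1.5 and 2")
    return chi_1km * distance_km ** -exponent


def cloud_dose_rem(nuclide, chi, curies, finite_cloud_factor=1.0):
    """Return D = k * chi * R in rem.

    finite_cloud_factor (< 1) is the xenon-133 correction for the finite
    size of the cloud: 0.1 at 1 km to 0.7 at 100 km (ground release,
    category F). It is rejected for the other two pathways.
    """
    if nuclide not in CLOUD_DOSE_COEFF:
        raise ValueError(f"no rule of thumb for {nuclide!r}")
    if not 0.0 < finite_cloud_factor <= 1.0:
        raise ValueError("finite_cloud_factor must be in (0, 1]")
    if finite_cloud_factor != 1.0 and nuclide != "Xe-133":
        raise ValueError("the finite-cloud factor is given for Xe-133 only")
    return CLOUD_DOSE_COEFF[nuclide] * chi * curies * finite_cloud_factor


def iodine_summary(chi, curies_i131, age_factor=1.0):
    """Iodine figures of Section 7.4.1, all in rem.

    age_factor: 1 for adults, 5 to 10 for children according to age.
    """
    effective = cloud_dose_rem("I-131", chi, curies_i131) * age_factor
    return {
        "effective_i131_rem": effective,
        "effective_all_iodines_rem": 2.0 * effective,  # "of the order of double"
        "thyroid_rem": 20.0 * effective,               # "about 20 times"
    }


if __name__ == "__main__":
    # Constructed case: 1000 Ci of iodine-131, receptor at 4 km,
    # conservative chi of 1e-3 s/m^3 at 1 km, exponent 1.5.
    chi = chi_at(4.0)
    for name, rem in iodine_summary(chi, 1000.0).items():
        print(f"{name}: {rem:.2f} rem ({rem * 10.0:.1f} mSv)")
```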


Table 7.3 Ground-shine Dose (Caesium-137).

| First Year | Second Year | 0–50 Years |
|---|---|---|
| 1.2 mSv (120 mrem) | 800 μSv (80 mrem) | 16 mSv (1600 mrem) |

7.4.3 EVALUATION OF THE DOSES OF RADIATION FROM CAESIUM-137 DEPOSITED ON THE GROUND (“GROUND-SHINE” DOSE)

The figures of interest for any practical case can be extrapolated from the data shown in Table 7.3, which gives the dose at various times after the deposition of 1 kBq/m². For contamination deriving from an accident to a reactor, the radiation doses from the ground due to caesium-137 are generally more important than the contribution of other isotopes.

7.4.4 EVALUATION OF THE DOSE DUE TO DEPOSITION OF PLUTONIUM ON THE GROUND

A deposition of plutonium might happen as the result of an accident to a space vehicle (²³⁸Pu) (see Chapter 26, Nuclear Facilities on Satellites) or because of a very violent accident to a nuclear reactor (²³⁹Pu and ²⁴⁰Pu). Plutonium isotopes are highly radiotoxic but plutonium is highly insoluble and in general the highest risk originates from the inhalation of very fine dusts (~5 μm). The conversion factor for the inhalation dose to adult is, for plutonium-238, in average conditions, 4.6 × 10⁻⁵ Sv/Bq.AR29 Similar figures apply to plutonium-239 and plutonium-240. The mechanisms by which the plutonium might be inhaled are to be evaluated case by case. The specific activity of plutonium-238 is 6.44 × 10⁵ Bq/μg and 2300 Bq/μg for plutonium-239.

7.4.5 INDICATIVE EVALUATION OF LONG DISTANCE DOSES FOR VERY SERIOUS ACCIDENTS TO NUCLEAR REACTORS

Fig. 7.1 gives a first impression of possible effective committed doses. It shows data from the Chernobyl, Windscale, and Three Mile Island accidents (collected by G. Santarossa), together with a subjective evaluation of the effects of a maximum severe accident “reasonably” conceivable for a present and future reactor.

7.4.6 DIRECT RADIATION DOSES

It is often useful to have an idea of the possible radiation fields caused by a point source. The approximate formula to remember is the following (see Note 1):

$$R_{hm} = 0.6 \times C \times E$$

where Rhm is rems per hour at 1 m distance in air, C is the source curies, and E is the energy of the emitted radiation (MeV). Fig. 7.2 can also be of help.³

3 As an example, one curie of cobalt-60, which emits γ-radiation at a total of 2.5 MeV, delivers about 1.5 rem/h at the distance of 1 m.


FIGURE 7.1 Long range doses from accidents. [Plot of dose (mSv) against range (km).]

FIGURE 7.2 Activity dose relationship. [Diagram labels: 1 Ci, 1 MeV, 1 m, 0.6 rem/h.]


FIGURE 7.3 Thicknesses of materials for reduction of 10 in γ-ray intensity. [Values shown: air 1000 m; water 34 cm; concrete 16.5 cm; glass (Ce or Pb) 5–15 cm; steel 5 cm; lead 3 cm.]


Remember that α-rays are stopped by the thickness of a simple sheet of paper, while β-rays can penetrate several centimeters into human body tissue. γ-rays or neutrons can penetrate much deeper into matter. Fig. 7.3 shows the thickness of various materials able to reduce the intensity of γ-rays by a factor of 10. As can be seen, there is a certain inverse proportionality to the material density.
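The point-source rule of Section 7.4.6 and the factor-of-10 thicknesses of Fig. 7.3 combine into a quick shielding estimate. The Python sketch below is an added example, not part of the book; the function names are assumptions, and the inverse-square scaling with distance is an assumption added here (ideal point source, no scattering), since the text gives only the value at 1 m.

```python
"""Point-source gamma dose rate and shielding, after Section 7.4.6 and Fig. 7.3.

Added example, not from the book.
"""
import math

# Thickness (cm) that reduces gamma-ray intensity by a factor of 10 (Fig. 7.3).
# Glass (Ce or Pb) appears in the figure only as a 5-15 cm range and air is
# handled through the distance term, so both are left out of this table.
TENTH_VALUE_CM = {
    "water": 34.0,
    "concrete": 16.5,
    "steel": 5.0,
    "lead": 3.0,
}


def dose_rate_rem_per_h(curies, energy_mev, distance_m=1.0, shield=None):
    """Dose rate in rem/h from a point source.

    At 1 m this is the rule Rhm = 0.6 * C * E. For other distances an
    inverse-square law is assumed. `shield` maps a material name to its
    thickness in cm; each tenth-value thickness divides the rate by 10.
    """
    if curies < 0 or energy_mev < 0:
        raise ValueError("activity and energy must be non-negative")
    if distance_m <= 0:
        raise ValueError("distance must be positive")
    rate = 0.6 * curies * energy_mev / distance_m ** 2
    for material, thickness_cm in (shield or {}).items():
        if material not in TENTH_VALUE_CM:
            raise ValueError(f"no Fig. 7.3 value for {material!r}")
        if thickness_cm < 0:
            raise ValueError("thickness must be non-negative")
        rate *= 10.0 ** (-thickness_cm / TENTH_VALUE_CM[material])
    return rate


def shield_thickness_cm(material, unshielded_rate, target_rate):
    """Thickness of `material` needed to bring a dose rate down to a target."""
    if unshielded_rate <= 0 or target_rate <= 0:
        raise ValueError("dose rates must be positive")
    if target_rate >= unshielded_rate:
        return 0.0  # already at or below the target
    return TENTH_VALUE_CM[material] * math.log10(unshielded_rate / target_rate)


if __name__ == "__main__":
    # The cobalt-60 case of Note 3: 1 Ci, 2.5 MeV in total.
    bare = dose_rate_rem_per_h(1.0, 2.5)
    print(f"bare source at 1 m: {bare:.2f} rem/h")
    print(f"behind 3 cm of lead: "
          f"{dose_rate_rem_per_h(1.0, 2.5, shield={'lead': 3.0}):.2f} rem/h")
    print(f"concrete for a factor of 100: "
          f"{shield_thickness_cm('concrete', bare, bare / 100.0):.1f} cm")
```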

REFERENCES

ICRP, 2007. Recommendations of the International Commission on Radiological Protection. ICRP Publication 103, Pergamon Press.
INSAG-12, 1999. Basic Safety Principles for Nuclear Power Plants.

CHAPTER 8 THE GENERAL APPROACH TO THE SAFETY OF THE PLANT SITE COMPLEX

8.1 INTRODUCTION

This chapter assumes the point of view of an expert who wishes to evaluate the safety of a modern plant at a specific site and firstly decides to perform checks on those key aspects where it is most likely to find areas that can be improved. The content lists and discusses some of these aspects. It is impossible to be exhaustive in the most general terms as many fundamental aspects are connected with the specific features of each single case, for example, the compliance between plant characteristics and assumptions made in the study of accidents. In any case, if the evaluation of a case under scrutiny shows that any aspect among those listed in the following has been omitted or not adequately dealt with, then this fact should be noted and corrected.

8.2 THE DEFINITION OF THE SAFETY OBJECTIVES OF A PLANT ON A SITE

This section discusses some aspects of the approach to safety which pertains to a plant site complex. In the following, some important issues about the approach to safety will be considered.

8.2.1 THE OBJECTIVES AND LIMITS OF RELEASE/DOSE

The limits of release and of dose to the population should be defined for normal operation, operational transients, design basis accidents, and more serious accidents, including severe accidents. Usually this aspect of the basic approach to safety assumes the form of one or more tables where the following data are collected:

• The classes of situations considered in the design of the plant and in the control of site factors (normal operation, anticipated transients, severe accidents, etc.), with an indication of the order of magnitude of the probabilities of the pertinent initiating events or of the accidental sequences (defined as sequence of events originated by the initiating event and by further equipment malfunctions or operating errors). Sometimes (see, e.g., the EUR criteria in Appendix 6) a list of all the representative sequences is also given.
• The corresponding limits and objectives of release and/or of doses to the critical group of the population, with indication of the emergency actions considered in the demonstration of the compliance with objectives and limits.

Nuclear Safety. DOI: https://doi.org/10.1016/B978-0-12-818326-7.00008-1 © 2020 Elsevier Ltd. All rights reserved.


In particular, the approach to the consideration of beyond design accidents, among which the severe ones, should be especially coherent and complete. The beyond design accidents considered should be clearly identified and the method by which they are prevented and/or mitigated should be explained; for example, it should be clarified if the defence from possible events caused by a molten core outside the “vessel” is based on the containment of the molten core within the vessel itself (flooding of the cavity and cooling of the vessel from outside) or on the refrigeration of the molten core on the floor of the containment. The experimental and theoretical basis of the demonstration of the adequacy of the solutions chosen should be clearly identified.

Another typical aspect, which sometimes is not well clarified, concerns the type and extent (in space and time) of the emergency measures which are acceptable in case of the most serious accidents considered and in view of the compliance with the radiological limits and objectives chosen. The foreseen emergency plan is, indeed, a powerful additional safety measure (the fifth level of the Defence in Depth concept) but may also be seen as an indication that the plant per se is not sufficiently safe. For these reasons, a present trend consists in designing plants which do not need stringent emergency plans (e.g., there is a trend toward excluding the evacuation of the population, except from a zone within a few kilometers from the plant). In the extreme, the objective that the most severe accident considered has externally significant consequences completely confined within the plant fence could be adopted.

Obviously (but practical experience indicates that it is useful to remind ourselves), where the safety criteria also include an indicative limit of the maximum probability of a “large release of radioactivity” (e.g., no large release with a probability higher than 10⁻⁶ per year), the amount and the characteristics of the released radioactivity for which the release starts to be defined as “large,” must be clearly defined.

8.3 SOME PLANT CHARACTERISTICS FOR THE PREVENTION AND MITIGATION OF ACCIDENTS

Among the factors for accident prevention and mitigation, it is useful to check:

• the presence of a negative reactivity coefficient for power increase in every operating condition (and preferably also the presence of a negative moderator temperature reactivity coefficient);
• the abundance of core cooling water (e.g., in the pressurizer and in the steam generators) because the availability of a large amount of water makes transients slower and allows the operators to better intervene;
• the presence of a fast depressurization function for the primary system (efflux opening of the order of 10 cm in equivalent diameter or higher for a reactor of 1000 MWe);
• the existence of a robust accident management system, with procedures and equipment that are complete and up to date;
• that the reactor pressure vessel has dimensions and other characteristics sufficient to keep the fast fluence, and the embrittlement, at low level during its life (construction such to minimize the presence of welds and segregations in the highly irradiated zone);
• that there is a solid and controlled technical basis for the possible application of the “leak before break” concept to the primary pipings (including adequate leak detection methods);


• the presence of emergency electric power supply sources, including portable ones, but different from the traditional emergency sources, both by type of machine and by type of fuel;
• that, where a microprocessor-based reactor protection system is used, the presence of a backup system of traditional type or of other means to ensure protection against malfunctions, including those involving the software, is assured;
• the specification of a realistic maximum leakage rate from the containment (“realistic” means a leakage rate which is really obtainable in practice for a period of time of more than one year, indicatively), and the use, in the safety analyses, of conservative figures for the same quantity (possibly much higher than the specified ones).

This last precaution is suggested in order to cope, without too many difficulties, with possible situations where the result of integral or local leakage tests should not satisfy the specified leakage limits. Indeed, it is usual that a degradation in leakage rate, between two tests made at a distance in time of one year or more, takes place. In this situation, an accident will likely find a containment leakage rate that is larger than the specifications figure.

8.4 RADIATION PROTECTION CHARACTERISTICS

It is recommended to pay attention to the following points, in addition to complying with the limits and objectives mentioned in Section 8.2.1:

• The presence in the design of an objective figure for collective occupational doses per year of plant operation (today this figure could be of the order of 1 Sievert person per year or less).
• The presence of a plant design policy that includes a review of the design details and of the layout of equipment and structures in view of the minimization of occupational doses (room for maintenance, radiation shields, and provisions for “robotized” inspections, etc.). A written guide should also be available for these reviews.
• The presence of a policy for the minimization of the solid, liquid, and gaseous waste.
• The consideration, in the design, of the simplification and optimization of the plant decommissioning from a radiological point of view.

8.5 SITE CHARACTERISTICS

Given that the foregoing criteria are met, it is good practice for a nuclear plant site to have certain characteristics objectively favorable to its installation, both in normal operating conditions and in a hypothetical emergency. In particular, the following characteristics are noted:

• The absence of danger of natural destructive phenomena, such as a strong seismicity (e.g., historical earthquakes higher than degree IX on the MCS scale), a danger of surface faulting on the site or of tsunami, a danger of destructive flood waves due to the collapse of dams upstream, etc. In particular, it is advisable that the plant should be immune from the danger of submersion due to floods because of objective situations such as its being located on a hill or embankment more elevated than the surrounding countryside. In this way the demonstration of safety does not depend on frequently uncertain evaluations of the maximum flood level of rivers or the like; this is valid also for other natural hazards different from flood, given the intrinsic difficulty in forecasting the gravity of natural events in general. Possible excessive conservatism in the design parameters can thus be avoided.
• Favorable population distribution. Some national criteria specify limits for the distribution of population around the site, obtained by assuming a reference radioactive release from the plant and the limitation of doses outside. A minimum distance from population centers is also usually specified, which increases with increasing population in the center itself (in general, in Europe, it should be necessary to stay a few kilometers apart from centers with some thousands of inhabitants and at least 10 km from centers with tens of thousands of inhabitants).
• Guaranteed characteristics of accessibility by roads, besides demographic characteristics, in order to have a favorable situation in case of external emergency and of need to evacuate people.

Other essential characteristics of a site are not listed here because they essentially bear on productivity issues, even if they may have an influence on safety too. For example, land average slope (the slope of the surroundings should be compatible with the transportation of huge components) or the availability of abundant quantities of water for the normal cooling of the plant besides the availability of smaller amounts of water for shutdown or emergency conditions.

CHAPTER 9 DEFENCE IN DEPTH

Nuclear Safety. DOI: https://doi.org/10.1016/B978-0-12-818326-7.00009-3 © 2020 Elsevier Ltd. All rights reserved.

9.1 DEFINITION, OBJECTIVES, LEVELS, AND BARRIERS

As already discussed in Section 1.2, the Defence in Depth (DID) concept in nuclear safety consists in providing multiple independent protections against the occurrence of accidents and their progression, in such a way that, should one of them fail, at least another is present whose failure is independent from the operation of the first. It has to be said, however, that the object of independent barriers in totality is only an objective, and it is not always possible in reality in every conceivable accident sequence. The definition of DID has to be understood as a general defence principle, to be implemented to the maximum technically feasible degree.

DID is implemented through design and operation provisions in a way to provide a “graded” protection against a vast variety of transients, abnormal events and accidents, including the malfunction of components, human errors in the plant, and events initiated outside it (INSAG 10, INSAG 12, TECDOC 986).

The decision to create DID in the plants was taken at the start of nuclear energy development which indicates a remarkable farsightedness, as subsequent history has demonstrated that it has been the best defence against the uncertainties of the technology and the mistakes initially made (see, e.g., the Three Mile Island accident). Obviously, in the first period of nuclear energy, many protests were made against this “waste of resources” which consisted in the construction of costly barriers (e.g., the containment) without, according to some, “a real need” for them.

Accordingly, in the most recent documents (IAEA; TECDOC 986), the DID is based on four principal barriers against the external release of radioactive products (fuel matrix, fuel cladding, reactor cooling circuit pressure boundary, and containment system), and on five defence levels in order to best use these barriers (illustrated in Table 9.1).

Table 9.1 Defence in Depth Levels.

| Defence Level | Objective | Essential Means |
|---|---|---|
| Level 1 | Prevention of abnormal operation and of malfunctions | Conservative design and high quality of construction and of operation |
| Level 2 | Control of abnormal operation and detection of malfunctions | Control, limitation, and protection systems, and other surveillance characteristics |
| Level 3 | Control of accidents included in the design basis | Engineered safety systems and accident procedures |
| Level 4 | Control of the severe accident conditions of the plant, including the prevention of accident progression and mitigation of consequences | Additional measures and accident management |
| Level 5 | Mitigation of the radiological consequences of significant releases of radioactive products | External site emergency plan |

The actual implementation of DID needs the support of some base requirements which apply to all of the five quoted levels. These requirements descend from the technical principles of nuclear safety which lead to the specific measures (IAEA; TECDOC 986; IAEA INSAG 12):

• The adoption of proven engineering solutions.
• The classification and qualification of structures and components.
• Adequate quality assurance measures, proportionate to the safety classification of structures, systems, and components.
• A high quality of engineering applied to all aspects of the design, construction, and operation.
• A safety analysis, including its verification.
• The provision against common cause faults, such as diversity, physical separation, and barriers for internal and external events.
• Good practices of operation and maintenance, including the provisions for the use of the lessons learned from past experience.
• A safety culture and attention to human factors.
• The provisions to ensure the documented adequacy of the operation organization and the independent role of the regulatory control bodies.

As can be observed, practically all the issues of nuclear safety can be viewed as an implementation of DID.

9.2 ADDITIONAL CONSIDERATIONS ON THE LEVELS OF DEFENCE IN DEPTH

Among the provisions necessary to ensure the good implementation of defence Level 1, the following ones can be listed:

• A clear definition of normal and abnormal operating conditions.
• Adequate margins in the design of systems and of components, including those concerning their robustness and strength in accident conditions, in particular, in order to minimize the need to resort to measures of Levels 2 and 3.
• Intrinsic plant safety characteristics, such as nuclear and thermal hydraulic stability and thermal inertia of the cooling system.
• Design provisions intended to give operators enough time to respond to events and to ensure an adequate man–machine interface, including operator-supporting means intended to facilitate their task.
• Attentive choice of materials and use of adequate fabrication processes of proven technology, together with the extensive use of tests.
• Exhaustive training of the personnel devoted to operation, maintenance, engineering, and management, chosen by appropriate selection, ensuring behavior fully compliant with a solid safety culture.
• Adequate operation instructions and reliable control of the state of the plant and of its operating conditions.
• The recording, evaluating, and use of operating experience.
• Complete preventive maintenance, with priority established on the basis of safety importance and reliability requirements of systems.

Moreover, Level 1 offers the initial protection basis against important external or internal hazards (e.g., earthquakes, fires, floods), even if some additional protection may be necessary at higher defence levels.

The following design principles are followed in order to ensure a high reliability level of the engineered safety features (Level 3):

• Redundancy.
• Prevention of common mode failures due to internal and external events through spatial or physical separation and structural protections.
• Prevention of common mode failures due to design, fabrication, construction, commissioning, maintenance, or other human interventions, through diversity or functional redundancy.
• Automation to reduce vulnerability to human errors, at least in the initial phase of an abnormal event or of an accident.
• Overall architecture that facilitates periodical tests in order to give demonstration of the availability and of the performance of systems.
• Qualification of system, structures, and components for the specific environmental conditions which may result from accidents or from external events.
• Reliability: the auxiliary and support systems are designed, built, commissioned, and operated in conformity with the degree of reliability required by engineered safety features.

Essential objectives of accident management (Level 4), which includes both preventive and protective measures, are:

• monitoring of the principal characteristics of the plant state;
• controlling the core subcriticality;
• restoring the core cooling and preserving the longtime cooling;
• protecting the containment integrity (including its leak-proof characteristics) ensuring the removal of heat and preventing loads and dangerous effects on containment and on all the points of possible localized leakage in case of serious damage of the core or of further deterioration of the accident;
• regaining the control of the plant to avoid further damage.

Accident management is strictly connected with the best use of human factors of safety: essential components for the safety of a plant. In Chapter 18, Nuclear Safety Criteria, the possibility of defining a “sixth level” of DID is mentioned as a consequence of low probability yet possible events like the Fukushima inundation/accident and in order to avoid that such accidents happen again in future.


To satisfy this hypothetical “sixth level” of DID one of the following provisions should be taken:

• Design the plant to withstand the maximum possible level of the accident type considered (e.g., for a destructive earthquake, design of the plant against a Magnitude 8.5-9 event, which is considered the maximum possible worldwide or against the corresponding maximum possible event in scarcely seismic locations, usually chosen for nuclear plants);
• Find “precursor signs” of an impending DID sixth-level event (e.g., sometimes this is possible for landslides);
• Establish a warning system which can detect the already started natural and nonnatural phenomenon (e.g., tsunami, earthquake, suspect aircraft flights) and give some time (typical is a few minutes to 30 minutes) to put the plant in safe conditions (if possible, given its design features).

REFERENCES

IAEA, 1996. Defence in Depth in Nuclear Safety. INSAG N.10.
IAEA, 1999. Basic Safety Principles for Nuclear Power Plants. INSAG N.12.
IAEA TECDOC No. 986, 1997. Implementation of Defence in Depth for Next Generation Light Water Reactors.

CHAPTER 10 QUALITY ASSURANCE

10.1 GENERAL REMARKS AND REQUIREMENTS Quality assurance (QA) is an essential aspect of good management. A definition of QA in the nuclear energy arena is the following All the planned and systematic actions necessary to provide adequate confidence that an item or service will satisfy given requirements for quality. (IAEA, 1988)

QA is implemented through the definition and the realization of a quality assurance program (QAP). The QAP is an integral part of the plant design and shall provide for a disciplined approach to all activities affecting quality, including verification that each task has been satisfactorily performed and that necessary corrective actions have been implemented. It shall also provide the production of documentary evidence to demonstrate that the required quality has been achieved (Technical Meeting IAEA, 2018). The establishment and the implementation of a QAP for a nuclear plant are essential. However, it shall always be recognized that the basic responsibility for achieving quality in performing a particular task (e.g., in design, in manufacturing, in commissioning, in operation) rests with those assigned the task and not with those seeking to ensure by means of verification that it has been achieved. In the general legal framework for the regulation of nuclear power plants of each country, the requirement that an effective, overall QAP be established, should be present. The organization having overall responsibility for a nuclear power plant shall also be responsible for the establishment and implementation of the overall QAP for that plant. This organization may delegate to other organizations the work of establishing and implementing all, or a part, of the program but shall retain responsibility for the effectiveness of the overall program. 
The following aspects must be included in a QAP: procedures, necessary instructions, and drawings; periodical reviews by management; organization; responsibility, authority, and communication; organizational interfaces; staffing and training; document control; document preparation, review and approval; document release and distribution; document change control; design control; design interface control; design verifications; design changes; procurement control; supplier evaluation and selection; control of purchased items and services; identification and control of materials, parts and components; handling, storage, and shipping; maintenance; process control; inspection and test control; program of inspection; test program; calibration and control of measuring and test equipment; indication of inspection, test and operating status; nonconformance control; nonconformance review and disposition; corrective actions; records; preparation of QA records; collection, storage, and preservation of QA records; audits; and scheduling of audits.

Nuclear Safety. DOI: https://doi.org/10.1016/B978-0-12-818326-7.00010-X © 2020 Elsevier Ltd. All rights reserved.

10.2 ASPECTS TO BE UNDERLINED

The QA activities are fundamental in order to attain safety in a plant. Over the years, the QA method has been demonstrated in many sectors of production and service activities as the most effective and efficient means to obtain the desired quality. In many production sectors it has replaced the method of product control, substituting it with the control of the process which originates the product itself. Product controls are included in the more general QA methods.

QA is a rather costly activity (a component can cost much more if a stringent QA requirement is specified), therefore every QA requirement must be accurately weighed against its real need: the approach must always be “graded” and proportionate. In some cases, defective application of the method has been known to produce more “paper” than quality, and this must, by all means, be avoided.

Governmental organizations control safety reviews of the QAP and conduct audits on its implementation: this is an important aspect of the control and supervision activity.

REFERENCES

IAEA, 1988. Code on the Safety of Nuclear Power Plants: Quality Assurance. International Atomic Energy Agency, Vienna, IAEA Safety Series N.50-C-QA (Rev.1).

Technical Meeting IAEA, 2018. Quality Assurance and Quality Control Activities in Nuclear Power Plants: Lessons Learned and Good Practices, 12–15 November.

FURTHER READING

IAEA, 2001. Quality Assurance for Safety in Nuclear Power Plants and other Nuclear Installations: Code and Safety Guides Q1–Q14.

CHAPTER 11

SAFETY ANALYSIS

11.1 INTRODUCTION

The objective of a safety analysis is to help define and to confirm, through adequate analysis tools, the safety basis for the parts of the plant which are important for safety and to ensure that the general design of the plant is capable of complying with the dose limits in force and with the radioactive releases specified for any plant conditions (IAEA, 2010). Safety analyses, which are a part of the safety evaluations used in the licensing procedure of the plant, should proceed in parallel with the design, with interactions between the two activities. They must be kept up to date during the life of the plant in order to account for the progress of knowledge and in case of plant or site modifications.

Nuclear Safety. DOI: https://doi.org/10.1016/B978-0-12-818326-7.00011-1 © 2020 Elsevier Ltd. All rights reserved.

11.2 DETERMINISTIC SAFETY ANALYSIS

The deterministic approach studies the behavior of the plant in operational states and under specific accident conditions originally identified on the basis of evaluations of prudent engineering or for compliance with the chosen criteria. Today, probabilistic techniques are sometimes used to aid decisions concerning the deterministic approach. For example, if a new candidate appears (e.g., from research or operating experience) for inclusion in the list of design basis accidents (DBAs), the decision on inclusion or not can be aided by a probabilistic comparison with other situations already inserted in the DBA list.

Usually the deterministic analyses are performed using conservative assumptions on input data, intermediate parameters for the analyses, and on the behavior of plant systems (single failure, etc.). Consequently, the behavior of the plant as evaluated could be rather different from the most likely one, even if in a sense beneficial to safety (conservative analyses or “licensing basis”). The deterministic analyses have been used for a longer time and, therefore, they are based on a well-consolidated basis, at least for the rare events included among the DBAs.

Severe accidents are now also part of the deterministic analyses. However, because of their very low probability, the conservative assumptions used for DBAs are not used. A “best estimate” treatment of the phenomena is preferred in this case.

Safety analysis should consider normal operation, operational occurrences, and accidents. The aim of a safety analysis for normal operation should be to assess that normal operation of the plant can be carried out safely. Therefore, it has to confirm that radiological doses to workers and members of the public and planned releases of radioactive materials from the plant are within acceptable limits. All the conditions met during normal operation, without external or internal disturbances, should be considered. These include start-up, normal power operation and power changes, various shutdown modes (hot, cold, refueling, etc.), and handling and storage of fresh and irradiated fuel. Both the limits in force and the ALARA principle (Chapter 7: Health Consequences of Releases) should be complied with. In particular, reduction to the minimum reasonable amount of the radioactive gaseous and solid releases to the environment, and of the waste produced by the plant, should be pursued. In some cases a balance should be made between doses to the population and doses to workers, as some operating decisions may increase the former and decrease the latter, or vice versa. A typical example is the frequency of replacement of effluent filtering packs, as replacement usually means higher doses to personnel and lower doses to the public.

Anticipated operational occurrences are off-normal events, usually plant transients, which can be coped with by the plant protection systems and normal plant systems but which could have the potential to damage the reactor if some additional malfunction should happen. Their typical frequency of occurrence may be more than $10^{-2}$ per year. Some of the anticipated occurrences [postulated initiating events (PIEs)] are due to the increase of reactor heat removal (as might occur for an inadvertent opening of a steam relief valve, malfunctions in control systems, etc.). Some are due to the decrease of reactor heat removal (such as for feedwater pumps tripping, loss of condenser vacuum, and control systems malfunctions). Some are due to a decrease in reactor coolant system flow rate, as in the case of a trip of one or more coolant pumps. Some are connected with reactivity and power distribution anomalies, such as for an inadvertent control rod withdrawal or unwanted boron dilution due to a malfunction of the volume control system for a PWR.
Events entailing the increase or decrease of the reactor coolant inventory may also happen, due to malfunctions of the volume control system or small leaks. Finally, releases of radioactive substances from components may occur.

DBAs have a lower frequency of occurrence than operational transients, typically in the range $10^{-2}$–$10^{-5}$ ($10^{-6}$), and are not expected to occur during the lifetime of the plant. They are, however, considered in the design of the plant safety systems for emergencies. There are also some groups of PIEs that are traditionally included among DBAs which may have lower frequencies (as could be for the largest pipe guillotine break for plants built to modern standards).

All the PIEs considered as initiators of anticipated operational occurrences should also be considered as potential initiators of DBAs. The groups of PIEs considered for DBAs are the same as those listed above for anticipated occurrences: the severity of the specific events considered, though, is here higher. Typically, DBA initiators include steam line breaks, feedwater line breaks, pump shaft break or seizure, control rod ejection due to breakage of the rod thimble housing, boron dilution due to the start-up of an idle loop, inadvertent operation of the emergency core cooling system, small and large loss of coolant accidents, break of a radioactive gas holdup tank, and fuel damage during handling.

Radiological limits are established for the various categories of operational occurrences and accidents. Lower limits are used for more frequent transients and higher limits for rarer events (see, e.g., the EUR criteria in Appendix 6).

As the number of PIEs is usually large, the natural tendency is to group them and to study only the one that causes the most serious consequences (bounding case). It may be that one accident is the worst for one consequence and another one is worse for another consequence (e.g., peak reactor pressure or peak fuel clad temperature). In this case, both have to be studied.

The safety analysis should demonstrate that the plant can be safely shut down and maintained in that condition, that the residual heat can be removed from the core at any time after the accident, and that radioactive releases are minimized and below acceptable limits.

Here, it must be underlined that the time span covered by the analytical studies of the various accidents must be long enough to allow the plant to reach a long-term stable shutdown and cooled core state. A tendency exists, in order to save precious computer time or to avoid the numerical difficulties of long calculations, to stop the analytical studies at the intervention of the first plant protection or safety system or shortly later. This inadequate behavior may also have been responsible for preventing the possible peculiar primary system situation that occurred during the TMI accident (pressurizer full of water mixture and core essentially dry) from being public knowledge in the reactor safety profession before the accident. Indeed, this plant situation could have been predicted by thermal-hydraulic codes if the transient time studied had been long enough.

The analytical studies of accidents can be performed either by a conservative approach or by a best estimate approach. In the first case, conservative assumptions are adopted for initial and boundary conditions and for the various elements of the evaluation (correlations, parameters, equipment availability, etc.). Apart from its obvious advantages (for safety), this approach frequently leads to a completely unrealistic description of the real accident sequence, with a distorted timing of the events and the masking of interesting phenomena (also see Chapter 27: Erroneous Beliefs About Nuclear Safety). Because of these shortcomings and the current maturity of best estimate codes, they should be used in a safety analysis in combination with a reasonably conservative selection of input data and a sufficient evaluation of the uncertainties of the results (USNRC R.G. 1.157). This approach is accepted by regulatory bodies.
It may also be acceptable to use a combination of a best estimate code and realistic assumptions on initial and boundary conditions. The safety analysis should be performed within a QA system. The following assumptions should be made in a conservative approach:

• The initiating event occurs at an unfavorable time as regards initial reactor conditions (e.g., power level, residual heat level, reactivity and reactivity coefficients conditions, system temperatures, pressures, and coolant inventory).
• The operation of control systems should not form part of the analysis, unless their intervention may aggravate the accident. Only protection systems should be considered.
• All nonsafety-grade components should be disregarded, except when there is the possibility that they could aggravate the transient.
• A single failure criterion should be adopted (the worst single failure should be assumed to occur in the group of safety systems which have to intervene during the accident). For redundant systems it is often assumed that the minimum number of trains start and run. In some cases, the requirement exists that, if n systems are necessary for a specific function, (n + 2) systems should be provided because one is considered unavailable for maintenance and the other is assumed to fail (e.g., as is the practice in Germany). For the European pressurized reactor the redundancy rule is even more stringent (4 × 100% capacity).
• Safety systems should be assumed to operate at their minimum performance level (with action intervening at the worst end of the possible band).
• Equipment that cannot be considered fully and demonstrably operable should be disregarded.
• Actions of the plant staff should be considered only if there is ample time available, if ample and written information is available for diagnosis or for identification of guiding symptoms, and if sufficient training has taken place. Plant staff actions are assumed to occur no sooner than 10 minutes after the start of the event.

Acceptance criteria should be clearly defined (see Section 8.2.1). An accident may generate more than one unwanted consequence (e.g., excessive system pressure and excessive clad temperatures) and this situation may require different sets of conservative assumptions for the analysis of safety for each possible consequence studied.

Severe accidents are also studied using a deterministic approach, with less conservative assumptions than DBAs due to their low probability of occurrence. Probabilistic methods are, however, used for the identification of those accidents which should be considered in a safety analysis.

11.3 PROBABILISTIC SAFETY ANALYSIS

Although in many countries it is not compulsory to perform a probabilistic safety analysis (PSA), it has become common practice for new plants and for existing ones. Moreover, international requirements include that safety analysis reports include a summary of the PSA study of the plant. A PSA is a complete and well-structured method for identifying accident scenarios and obtaining numerical risk estimates.

The question of whether PSAs, or probabilistic risk assessments, can be used to demonstrate compliance with numerical safety criteria has been debated at length. It is now believed that their use is not advisable because of the uncertainties in methods, in data and, therefore, in their results. Moreover (see Section 18.6.2), the results of probability analyses risk being misinterpreted (if the probability of an event is very low, many people instinctively think that the event may only happen very far from now in future time). However, all those who have experience of the probabilistic method are convinced, at least, of the following positive aspects of it:

• It forces the analyst to examine the complete set of possible sequences of events which may happen on a plant, without excluding any of them beforehand (as is done in the deterministic method). Therefore the risk of forgetting in the analysis some important sequence or situation is lower.
• It affords a general vision of the plant from the safety point of view, highlighting specific weak points and, therefore, in particular during the design phase, allowing a well-balanced plant to be conceived.
• The method gives an idea of the global risk and, notwithstanding its possible imprecision, is useful for comparative considerations between different plants and, therefore, it contributes to the creation of a homogeneous reactor overview from the point of view of risk.

It is common for a PSA to detect weak points of the plant where the normal design process had not been able to reveal weaknesses. This, in particular, happens for support systems of primary safety systems, for example, the space cooling systems for rooms where the safety injection pumps are located. The present trend for the support of plant safety decisions, including those concerning operation, involves both safety analyses: the deterministic and the probabilistic.


Probabilistic analyses may be of level 1, 2, or 3 (IAEA, 1992, 1995, 1996), depending on whether they examine the events up to core damage, up to the evaluation of radioactivity releases from the plant, or up to the external radiological consequences.

A less general consensus exists on the inclusion of external events (e.g., earthquakes) in the probabilistic analyses. Indeed the degree of uncertainty in the identification of events of this type at very low probability levels is high. For the choice of design earthquakes, since the early days of the peaceful uses of nuclear energy, the USCFR 100 Appendix A (see Ref. USNRC, 2017) specified that the maximum possible event, taking into account the historical and geologic data, be chosen (deterministic approach). This approach is still widely adopted. In any case, for a probabilistic approach to the design external events, if this approach is the preferred one, the use of methods and of procedures internationally agreed upon is strengthening (USNRC, 1983; Fullwood, 1999), which decreases the uncertainties present in a specific methodological choice.

For the probabilistic treatment of a seismic event the following steps are necessary:

• Determine a “seismic hazard” curve for the site which establishes a relationship, for example, between the maximum ground acceleration and the corresponding expected frequency [on a worldwide basis, the Gutenberg correlation between magnitude ($M$) and annual frequency ($f$) can be included: $\ln f = 4.13 - 0.844\,M$].
• Perform the dynamic analysis of the plant.
• Determine the fracture probability of structures and components. This is rather conventionally undertaken using fragility curves which relate the conditional probability of fracture with the maximum acceleration of the component/structure. The simplification introduced by the fragility curves consists in the fact that they are supposed to depend on three parameters only: a median rupture acceleration, $\hat{A}$, and two logarithmic standard deviations (log-normal distribution), $\beta_{AR}$ and $\beta_{AU}$, related to the intrinsic variability of the component behavior and to the variability of $\hat{A}$, respectively. The fragility curves are based on the (few) results of tests and on good engineering judgement.

A very important factor in safety management and safety analysis is the recognition of the importance of the human intervention in the related activities. Human errors should be avoided by the establishment of clear interfaces between man and machine, and by the preparation of operating and emergency procedures and of maintenance rules and guidelines. Beneficial human intervention, even in extremely degraded situations, should be implemented by adequate training, procedures, and simulation studies and practices.

Moreover, one of the most difficult aspects of the probabilistic analyses lies in the probabilistic treatment of human behavior, that is, of the operator actions which may have a decisive influence on the development of the accidental sequence under study. Usually, for the sake of conservatism, focus is placed on the probability of operator error (omission, commission, and, more difficult to analyze, diagnosis errors). In the real world, however, the role of operators in an accident sequence is not limited to committing or not committing mistakes in the implementation of operational procedures. In fact, as many events indicate (the Browns Ferry 1975 accident is typical, see Chapter 20: Operating Experience), the operators may react to an unexpected situation with creative and resolving interventions. For the present moment, however, except for specific cases, only the possibility that the operator makes mistakes in the implementation of emergency procedures is taken into account, even in the field of the management of severe accidents. Table 11.1 and Figs. 11.1 and 11.2 give an idea of the probabilities used for these analyses (Petrangeli and Zaffiro, 1985).

Table 11.1 Nonrecovery Probabilities

| Recovery time of the component (min): in the control room | Recovery time of the component (min): elsewhere on the component | Nonrecovery probability for a component |
|---|---|---|
| <5 | <15 | 1.00 |
| 5–10 | 15–20 | 0.25 |
| 10–20 | 20–30 | 0.10 |
| 20–30 | 30–40 | 0.05 |
| 30–60 | 40–70 | 0.03 |
| >60 | >70 | 0.01 |

The probabilistic analysis of a plant is usually performed by the construction of event trees, for any single group of similar initiating events, and of fault trees, for any single system or component whose fault probability is important for the study of the various accident sequences.

11.3.1 EVENT TREES

Event trees are branched graphs which, starting from the initiating event considered, show (in their most common use) the various possible sequences of plant situations (with corresponding estimated probability) consequent to the good operation or malfunction of safety systems designed to stop the accident or to mitigate its consequences. An event tree, therefore, gives the picture of the various final plant situations, each one with the pertinent overall probability. Fig. 11.3 shows a simplified event tree for the Transient plus Feedwater plus Electric Power (TMLB) sequence of a PWR according to the Rasmussen report (loss of all the external power supplies for at least 3 hours and of auxiliary feedwater due to loss of the diesel generators and of the turbine-driven pump) (see Endnote 1).

[FIGURE 11.1 Probability of operator error as a function of the time available for the operation. Axes: error probability (1 to $10^{-5}$) versus time available (1 to 1000 min).]

[FIGURE 11.2 Nonrepair probability of a component as a function of the time available. Axes: nonrepair probability (%) versus time available (min); curves for off-site power and for plant systems.]

[FIGURE 11.3 Event tree (sequence TMLB). Headings: T, transient (0.2/year); M, B, lack of recovery of electric power supplies in 3 h (Yes: $1 \times 10^{-1}$); L, failure of the auxiliary feed-water (Yes: $1.5 \times 10^{-4}$); core condition (OK, OK, MELT); probability per year (MELT: $3 \times 10^{-6}$).]

11.3.2 FAULT TREES

The fault trees, unlike the event trees, proceed backward from the final event (i.e., the fault of the component or system) to the various causes which may have originated it, with the corresponding probabilities. Fig. 11.4 shows a fault tree for the simple system shown in Fig. 11.5 and for the fault “insufficient flow from V3.” (Some fault tree symbols are shown in Fig. 11.6.)

In order to calculate the fault probability of the component under study on the basis of its fault tree, it is possible to proceed directly, combining the various probabilities of the events represented in the tree. This method, however, except for rather simple cases, can be rather tiresome and does not highlight the most important factors. The method more generally used, instead, is based on the use of Boolean algebra (the algebra of binary systems: 1s and 0s) and on the fact that a correspondence exists between its results, when applied to a fault tree, and the results of the direct probabilistic analysis mentioned above. The advantage of applying Boolean algebra resides in the fact that it quite naturally leads algebraically to the maximum simplification of the fault tree. The correspondences in Fig. 11.7 are defined between the Boolean and the probabilistic logical environments.

The sample fault tree of Fig. 11.4 is simplified as follows using Boolean algebra:

Fundamental relationships

$$
\begin{aligned}
A1 &= A + B + B1 \\
B1 &= C1 \cdot C2 \\
C1 &= C + B + D1 \\
D1 &= F + G + B \\
C2 &= D + B + D1
\end{aligned}
$$

[Here the $+$ (Boolean OR) symbol represents the union symbol $\cup$, and the $\cdot$ symbol (Boolean AND) represents the intersection symbol $\cap$.]

These relationships can be developed and dealt with according to the rules of Boolean algebra, which are similar yet not identical to those of ordinary algebra. Some of these rules and properties are listed in Table 11.2 [it must be remembered that the $+$ (OR) symbol and the $\cdot$ (AND) symbol mean “union” and “intersection,” respectively]. So applying these laws to the fundamental relationships of our example, we get

[FIGURE 11.4 A fault tree for the system shown in Fig. 11.5. Events: A1, insufficient flow in V3 (top event); A, V3 doesn’t open; B, lack of CS signal; B1, insufficient flow to V3; C1, insufficient flow from V1; C2, insufficient flow from V2; C, V1 doesn’t open; D, V2 doesn’t open; D1, insufficient flow from the pump; F, pump doesn’t start; G, pump stops.]

[FIGURE 11.5 A simple system. Components shown: control system (CS), pump P, valves V1, V2, and V3.]

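$$
\begin{aligned}
C1 &= C + B + F + G + B \\
C2 &= D + B + F + G + B \\
B1 &= C \cdot D + C \cdot B + C \cdot F + C \cdot G + C \cdot B \\
   &\quad + B \cdot D + B \cdot B + B \cdot F + B \cdot G + B \cdot B \\
   &\quad + F \cdot D + F \cdot B + F \cdot F + F \cdot G + F \cdot B \\
   &\quad + G \cdot D + G \cdot B + G \cdot F + G \cdot G + G \cdot B \\
   &\quad + B \cdot D + B \cdot B + B \cdot F + B \cdot G + B \cdot B
\end{aligned}
$$

But $A1 = A + B + B1$ and $(X \cdot X) = X$, so

$$
\begin{aligned}
A1 &= A + B + C \cdot D + C \cdot B + C \cdot F + C \cdot G + C \cdot B \\
   &\quad + B \cdot D + B + B \cdot F + B \cdot G + B \\
   &\quad + F \cdot D + F \cdot B + F + F \cdot G + F \cdot B \\
   &\quad + G \cdot D + G \cdot B + G \cdot F + G + G \cdot B \\
   &\quad + B \cdot D + B + B \cdot F + B \cdot G + B
\end{aligned}
$$

Reducing these equations, using $(X + X) = X$, gives

$$
A1 = A + B + C \cdot D + C \cdot B + C \cdot F + C \cdot G + B \cdot D + B \cdot F + B \cdot G + F \cdot D + F + F \cdot G + G \cdot D + G
$$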

Legend of symbols used in fault trees:

• Intermediate event: fault which happens for one or more preceding causes acting through logic gates.
• OR: output fault happens if at least one of the input events happens.
• AND: output fault happens if all the input events happen.
• Primary fault.
• Event not developed in fault tree (insufficient consequences or basic information).
• Transfer ‘from’ or ‘to’: it is used to connect parts of the tree developed elsewhere with the tree under study.

FIGURE 11.6 Symbols used in fault trees.

Boolean UNION = A + B; Probability = P(A) + P(B) − P(A) · P(B)

Boolean INTERSECTION = A · B; Probability = P(A) · P(B)

FIGURE 11.7 Correspondence between Boolean and probabilistic logical environments.

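Table 11.2 Basic Rules of Boolean Algebra

| Properties | Expressions |
|---|---|
| Commutative | $A + B = B + A$; $A \cdot B = B \cdot A$ |
| Associative | $A + (B + C) = (A + B) + C$; $A \cdot (B \cdot C) = (A \cdot B) \cdot C$ |
| Distributive | $A \cdot (B + C) = A \cdot B + A \cdot C$; $A + (B \cdot C) = (A + B) \cdot (A + C)$ |
| Unity | $A + 1 = 1$; $A \cdot 1 = A$ |
| Absorption | $A \cdot (A + B) = A$; $A + (A \cdot B) = A$; $A \cdot A = A$; $A + A = A$ |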

Rearranging

$$
A1 = A + B + C \cdot B + B \cdot D + B \cdot F + B \cdot G + C \cdot D + F + C \cdot F + F \cdot D + F \cdot G + G + G \cdot D + C \cdot G
$$

and using $X + (X \cdot Y) = X$ repeatedly, gives

$$
A1 = A + B + F + G + C \cdot D
$$

The final result allows the easy calculation of the probability of A1 and shows, moreover, the minimal paths (“minimum cut sets,” that is the minimum number of components involved) which may lead to the final event (the “top” event) Al. They are A, B, F, G, and (CD). The calculation of the final probability is particularly easy if the single events are rare, that is, with low probability values. In this case it is generally allowable to neglect in the probabilistic calculation products of events in front of the single events themselves (the result, then, in the case of the probability calculation in presence of various independent originating events and singularly sufficient, is conservative). The calculation and the reduction of fault trees may be done by specific calculation codes (e.g., see Fullwood, 1999). One of the more delicate aspects in setting up fault trees is the method chosen to take into account the “common cause failures” (CCFs) (CEC, 1987). This aspect of the vulnerability of systems is particularly important for systems provided with a high level of redundancy. In this case, the presence of some CCFs may drastically reduce the probability of correct operation of the system upon demand. This effect is so feared that frequently the safety criteria specify a minimum value of the failure probability of a nondiversified system (i.e., a system not made up of systems diverse in operating principle, materials, and so on). Figures for these “cut-off” probabilities are usually of the order of 10251023 per demand (USNRC, 1983). Various methods exist to account for CCFs in an analysis. One among these, at the level of safety system, consists in introducing, in the logic model representing the system, a basic fictitious event that represents the CCF of the

11.3 PROBABILISTIC SAFETY ANALYSIS

133

Table 11.3 Failure Rates Component

Value

Break of very small pipe (up to about 30 L/s)

3E2/year (B) 2E2/year (P) 3E3/year (B) 1E3/year (P) 3E4/year (B) 1E3/year (P) 1E4/year (B) 5E4/year (P) 5E3/year 5E3/year 0.1/year 4.8/year (B, FW) 0.56/year (B, etc.) 6.85/year (P) 1.56/year (B) 1.41/year (P) 1.4E1/year (B) 0 (P)

Break of small pipe (up to about 80 mm diameter) Break of intermediate pipe (up to about 160 mm) Break of large pipe Transient for loss of d.c. bus Transient for loss of a.c. Transient for loss of outside lines Transients not caused by the loss of the electric power generation system

Transients caused by loss of electric power generation system Spurious opening of relief valve Solenoid valves: • failure to operate • plugging • unavailability for test and maintenance Hydraulic operated valves: • failure to operate • plugging • unavailability for test and maintenance Explosive operated valves: • failure to operate • plugging • unavailability for test and maintenance Manual valves: • plugging • unavailability for test and maintenance Nonreturn valves: • failure to open • failure to close Motor-operated relief or safety valves: • failure to open • failure to reclose Electric motor pumps:

1E3/d demand 4E5/d 2E4/d 1E3/d 4E5/d 2E4/d 3E3/d 4E5/d 2E4/d 4E5/d 2E4/d 1E4/d 1E3/d 0.1/d 3E2/d (Continued)

134

CHAPTER 11 SAFETY ANALYSIS

Table 11.3 Failure Rates Continued Component

Value

• failure to start • failure to operate • unavailability for test and maintenance Turbine-driven pumps: • failure to start • failure to operate • unavailability for test and maintenance Diesel engine pumps: • failure to start • failure to operate • unavailability for test and maintenance Heat exchanger: • plugging • break (leaks) Emergency diesel generator: • failure to start • failure to operate • unavailability for test and maintenance Malfunction of external power supply (not an initiating event) Malfunction of various components: • batteries • buses • battery chargers • inverters Unavailability for test and maintenance: • batteries • buses • battery chargers • inverters Battery depletion time

3E3/d 3E5/h 2E3/d 3E3/d 5E3/h 1E2/d 1E3/d 8E4/h 1E2/d 5.7E6/h 3E6/h 3E2/d 2E3/h 6E3/d 2E4/d 4E4/d 9E5/d 4E4/d 4E2/d 1E3/d 6E5/d 3E4/d 1E3/d 57 h

The letters B and P indicate values applicable to BWRs and to PWRs. BWR, Boiling Water Reactor; FW, Feedwater system.

system. Another method, called the “β-factor” method, supposes that the failure rate of a component is the sum of an individual term and of a common term (λ = λi + λc, with λc/λ = β). Typical values of β are 0.2 for identical redundant components, 0.02 for partial diversity (diverse “hardware” or “software”), and 0.002 for complete functional diversity of the redundant elements (Smith, 1997). It is necessary to add here that considerable freedom exists in the proportion in which event trees and fault trees can be used in a specific probabilistic analysis. Indeed, “large” event trees and “small” fault trees can be chosen (or vice versa), with all the intermediate grades. Here, reference has been made to the most common approach, which uses event trees up to the primary safety systems, and fault trees for the determination of the failure probabilities of the primary systems, also on the basis of the failure probabilities of their support systems.
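The β-factor split described above can be tried numerically. The following is an added example, not taken from the book: it uses the three typical β values quoted from Smith (1997), a constructed per-demand failure probability for one train, and the assumption that the common term fails every redundant train at once.

```python
# Added example: beta-factor common-cause model for n redundant trains.
# The beta values are the typical ones quoted in the text (Smith, 1997);
# Q_TRAIN is a constructed sample value, not a figure from Table 11.3.

BETA_BY_DIVERSITY = {
    "identical redundant components": 0.2,
    "partial diversity": 0.02,
    "complete functional diversity": 0.002,
}
Q_TRAIN = 1e-3  # constructed: failure probability per demand of one train


def split_rate(total, beta):
    """Split a total rate into (individual, common) with common/total = beta."""
    return (1.0 - beta) * total, beta * total


def system_failure_probability(q, beta, n):
    """Probability that all n trains fail on demand.

    Assumption of this example: the common term fails every train at once,
    so the system fails through n independent failures or one common event.
    """
    q_ind, q_cc = split_rate(q, beta)
    return q_ind ** n + q_cc


def common_cause_share(q, beta, n):
    """Fraction of the system failure probability owed to the common term."""
    _, q_cc = split_rate(q, beta)
    return q_cc / system_failure_probability(q, beta, n)


def penalty_vs_independent(q, beta, n):
    """How many times worse the system is than the naive q**n estimate."""
    return system_failure_probability(q, beta, n) / q ** n


if __name__ == "__main__":
    for label, beta in BETA_BY_DIVERSITY.items():
        for n in (2, 3):
            p = system_failure_probability(Q_TRAIN, beta, n)
            share = common_cause_share(Q_TRAIN, beta, n)
            print(f"{label:32s} n={n}  P(system)={p:.3e}  "
                  f"common-cause share={share:.1%}")
```

With identical components, adding a third train leaves the system failure probability almost unchanged, because the common term βQ sets a floor that redundancy alone cannot lower.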

11.3.3 FAILURE RATES

One of the fundamental steps in carrying out a probabilistic analysis is choosing the failure rates of components. In principle, plant-specific figures should be used, that is, figures obtained from the operating experience of the plant itself. When this is not possible, data from similar plants should be used or, in the extreme case, applicable generic data. Table 11.3 lists some data (average values) used in the study NUREG 1150 (NUREG, 1987). Other sources of failure data are described in Fullwood (1999), Taylor (1994), Smith (1997), and Science Direct (2006), as well as many other sources.

ENDNOTE

1. T is the transient of main feedwater loss due to loss of electric power supply. M, B indicate the lack of recovery of the outside lines and the nonoperation of the station diesels for at least 3 hours (in the Rasmussen report, the probability of nonrecovery of the outside lines in 1 hour is assumed equal to 2 × 10⁻¹ and the probability, to be combined with the preceding one, of nonrecovery for the other 2 hours of the same lines, is assumed equal to 5 × 10⁻¹). L indicates the malfunction of the auxiliary feedwater system and therefore also of the turbine-driven pump.

REFERENCES

CEC, 1987. Common Cause Failures Reliability Benchmark Exercise. EUR 11054-EN.
Fullwood, R.R., 1999. Probabilistic Safety Assessment in the Chemical and Nuclear Industries. Butterworth-Heinemann.
IAEA, 1992. Procedures for Conducting Probabilistic Safety Assessments of Nuclear Power Plants (Level 1). Safety series 50-P-4.
IAEA, 1995. Procedures for Conducting Probabilistic Safety Assessments of Nuclear Power Plants (Level 2). Safety series 50-P-8.
IAEA, 1996. Procedures for Conducting Probabilistic Safety Assessments of Nuclear Power Plants (Level 3). Safety series 50-P-12.
IAEA, 2010. SS-G2 Deterministic Safety Analysis for Nuclear Power Plants.
NUREG, 1987. Reactor Risk Reference Document. NUREG 1150.
Petrangeli, G., Zaffiro, C., 1985. Regulatory Implications of Source Term Studies. IAEA-SM-281/53.
Science Direct Topics, 2006. Failure rate data—an overview. <https://www.sciencedirect.com/topics/.../failure-rate-data>.
Smith, D.J., 1997. Reliability, Maintainability and Risk. Butterworth-Heinemann.
Taylor, J.R., 1994. Risk Analysis for Process Plant, Pipelines and Transport. E. & F.N. Spon.
USNRC, 1983. NUREG CR 2300. PRA Procedures Guide: A Guide to the Performance of Probabilistic Risk Assessments for Nuclear Power Plants: Chapters 1–8.
USNRC, 1989. R.G. 1.157 Best-estimate Calculations of Emergency Core Cooling System Performance.
USNRC, 2017. 10CFR 100 Appendix A, Seismic and Geologic siting criteria for Nuclear Power Plants.

CHAPTER 12 SAFETY ANALYSIS REVIEW

12.1 INTRODUCTION

A safety review is undertaken by the design, construction and operation organizations, and the control bodies. As all the regulatory documents repeat, and as also explained by those who have long been involved in this activity (Bourgeois et al., 1996), it is essential that this control function is independent, competent, and credible. I will use some experience accumulated over several decades of involvement in safety reviews to add here some further, more detailed considerations on the subject, with some examples.

12.2 THE REFERENCE POINTS

In the early days of nuclear energy, in particular in a country without previous experience (for example, in military applications), it was very difficult for a safety reviewer to obtain data and information on which a review could be based. The available criteria were scarce, the data on already built plants were in some cases difficult to obtain, and the research was at an initial stage. Today, data and information are much more abundant. These include

• The international criteria and guides (e.g., IAEA), which offer useful indications, even if necessarily of a general nature (see Chapter 18: Nuclear Safety Criteria).
• Compilations of national regulations, such as the technical positions, the “Regulatory Guides” and the “Standard Review Plan” used in the United States, which are easily available (see Appendix 14).
• The proceedings of debates within international and community organizations, such as the International Atomic Energy Agency (IAEA), the Organisation for Economic Cooperation and Development (OECD) Nuclear Energy Agency [Committee for the Safety of Nuclear Installations (CSNI), Committee for Nuclear Regulatory Activities (CNRA), Committee for Radiation Protection and Public Health (CRPPH), Health Protection, Committee for Waste Management (CWM), and the European Union groups].
• The results of research in the international field and the proceedings of many conferences on any part of nuclear safety technology.

However, there is no “decision machine” available, either in the form of technical guides or handbooks, and experts are frequently compelled to take subjective technical decisions and to accept the related responsibility. In fact, the practical cases are always so specific that they cannot be covered by an “all-embracing” handbook. Moreover, even if such a tool existed, in the case of a judicial trial, compliance with the handbook could frequently be considered only an extenuation of the possible guilt of the technical expert. “Historical” examples exist of technical specialists who have been sentenced in a case of a pressure vessel explosion, although in due course they had verified its compliance with the technical standards in force. In case of accident, in fact, the technical expert must demonstrate the application of all the means suggested by the “status of the technical knowledge.” Only completely new phenomena escape this criterion.

Nuclear Safety. DOI: https://doi.org/10.1016/B978-0-12-818326-7.00012-3 © 2020 Elsevier Ltd. All rights reserved.

12.3 FORESEEING POSSIBLE ISSUES FOR DISCUSSION

Four of the most respected experts among those responsible for nuclear safety in Europe have written that the principal qualities of the safety controller are the following (Bourgeois et al., 1996):

• independence
• competence
• credibility
• modesty (which they call “the mother of safety”).

My experience suggests that a very productive quality, but the most difficult to develop, is to be able to foresee, so far as possible, the problems which will come up in discussions with the designer or the future operator of the plant. Following the wise words of the above-quoted four experts:

We have to start from the idea that our counterparts, whatever their responsibility level may be, never primarily intend to put safety in danger. An industrialist who builds a dangerous factory has not the objective of causing an accident. A technician who is going to set a safety valve has not the objective to make it inoperable. Instead, both of them frequently have in their mind a dominant concern which obscures the others: for the first one it may be to produce at low cost in order to conquer larger market shares, for the second, it may be to get rid as soon as possible of a boring task. The function of the safety expert is to make them understand that the neglect of safety may put everything in danger and that it is certainly more effective for them to take care of safety at the correct moment, rather than to awake too late and have to pay for the consequences. Then, the role of the expert is to help people in charge. . .

In order for this action of persuasion and of assistance to be effective in practical cases, it must be initiated, as far as possible, ahead of time. Frequently the plant designs arrive at the safety reviewer’s table when the design phase has been declared practically finished and when many components have already been ordered, that is, when the finished activities represent such a firm precedent that they cannot practically be reopened for discussion, unless large penalties and stresses within the owner organization are accepted. In these conditions it has to be hoped that the design can be considered acceptable by the reviewer too, otherwise every objection mentioned would hit a wall of resistance, which might not have existed if the review had taken place at the proper time.

It is therefore essential that the reviewer is involved at the initial phases of the design process before any action is taken. At this stage it may be difficult for the reviewer to express a judgement for lack of data, but he or she can give expert comment, possibly conditional on subsequent verifications. From experience, the reviewer can possibly see future problems and give advice. Finally, the good safety controller must have the courage to take responsibility, and always sensibly balance the designer/operator requirements against the safety requirements without hindering the design process unnecessarily.

As implemented in some national regulations, this “ahead of time” intervention should be encouraged and explicitly facilitated by a set of rules on safety controls. However, adherence to this policy should not be taken for granted and it is often opposed by some control experts, worried by an excess of responsibility, and by some managers. In this connection, before the TMI accident (see Section 1.2), there were two erroneous attitudes within the nuclear industry, both held in order to “defend itself” from the control bodies: the first one was to “flood them with paper,” that is, to overburden them with documents; and the second was to “give them the minimum possible amount of information.” But these were past times and things have changed somewhat.

12.4 CONTROL IS NOT DISRESPECTFUL

Sometimes, in performing the design review, it is possible to get the idea that some remarks may be offensive, and so they are sometimes deleted: this is a mistake, as shown in the following example.

In the 1960s and 1970s an experimental pressurized water reactor was built whose reactivity control for fuel burn-up was not performed by “chemical shim” (i.e., by changing the concentration of boric acid in the cooling water), but by “spectral shift.” In practice, the cooling water was composed of a mixture of light water and heavy water, in varying proportions during the life of the core: at the start the content of heavy water was higher, and it decreased with increasing fuel burn-up. At the start of the life, the addition of light water to the primary circuit caused a reactivity increase, as expected. Therefore all the systems were conceived in such a way as to avoid an unwanted light water injection. However, there was a flaw in the design which was not discovered until a safety review by a group of European experts found it. The safety injection system, in fact, was designed to inject a solution of strongly borated light water so that, at any time during the life of the core, the negative effect of the injected boron on the core reactivity would take precedence over the positive one due to the injection of light water. A check made during the above-mentioned review showed that, on the contrary, for a period of time at the start of core life, the actuation of the safety injection system would have caused a net increase of reactivity, infringing one of the fundamental system specifications. Although the design team had doubts about the credibility of this finding, the error proved to be real and the safety review committee was thanked for its contribution to perfecting the design.

12.5 CLARIFICATION IS NOT DISRESPECTFUL

The solution to any problem found by the controller must be illustrated to the necessary degree of detail, with the maximum confidence in the competence of the recipient, but without neglecting any detail and without assuming that “the designer has certainly thought of that.” A lack of completeness may be costly to all concerned. In this connection, here is a long technical digression, which is useful to think about.

Many years ago, two pressurized water reactors were built with the lower support plate of the core subdivided into two plates, about 3 m apart in the vertical direction and connected by an external row of round rods in traction [tie rods (TR)] and by internal guide tubes for the control rod followers (cruciform) containing fuel rods, as illustrated in Fig. 12.1. The core was supported by the upper plate and, through the followers in compression, by the lower plate and, finally, by the TRs in tension. The cooling water coming from the downcomer at the periphery of the core made a turn toward the interior in the TR zone, then went up along the guide tubes before finally entering the core.

FIGURE 12.1 Core support arrangement. [Figure labels: core, tie rods, plates, followers.]

During the safety review of the design, the control body highlighted the fact that, in this configuration, a transversal and longitudinal current of water flowing around the TRs could cause their vibration; the von Karman vortex wake due to the transversal flow was of particular concern. (It is known that this phenomenon is responsible for the vibration of many chimneys, and, sometimes, in order to break the above-mentioned vortices, they are fitted with an external helical foil along much of their length.) The control body had made a quick check of the natural frequency of the TR and of the probable vortex frequency:

$$f = \frac{0.207\,u}{d} \qquad (12.1)$$

where f is frequency, u is water velocity, and d is the round rod diameter, and showed that resonance between forcing frequency and natural rod frequency could exist. The forcing frequency is practically independent of the Reynolds number, and therefore of the type of fluid, in the range of Reynolds numbers of interest. On the basis of this first investigation, the designer was requested to give information on the possibility of vibrations of the rods and on significant fatigue stresses. After some months the designer answered with the report which is summarized in the following. The report is long but has been almost fully reproduced here because it gives a good engineering insight. (The original report references have been removed, although their citations have been retained to show that proper checks were made, and the original imperial units have also been kept.)

12.6 DESIGNER REPORT

12.6.1 INTRODUCTION

The core support structure consists of a core plate, upon which the fuel assemblies rest, a casting located approximately 120 in. below the core plate, control rod shroud tubes and TR which join the core plate to the casting. This structure is located in the bottom of the reactor pressure vessel. The reactor coolant (water) flows downward around the outside of the core and reverses direction in the bottom portion of the reactor vessel to flow up through the core. Thus the core support structure is in a region of flow direction change and a complex flow pattern exists. The TRs are located around the circumference of the core support structure and are subjected to fluid flow of varying direction and velocity.

The possibility of the TRs vibrating in the complex flow pattern has been the subject of considerable analysis and study as the reactor design developed. This study and analysis divided naturally into two parts, one which considered the hydrodynamic aspects of possible TR oscillations and one which determined the vibration deflections and stresses of the TRs under the influence of the possible exciting forces. The following paragraphs describe the results of these analyses and studies.

12.6.2 CONCLUSIONS

The primary conclusion is that in the unlikely event that the TRs vibrate in resonance with maximum possible excitation the stresses and deflections in the TRs will be sufficiently small that there is no possibility of fatigue failure. In the actual case, the TRs are not expected to be in resonance with the exciting force because the maximum local cross flow velocity will probably be less than 7 ft./s. Furthermore, at high Reynolds numbers, there are experimental indications that the exciting forces will be aperiodic and that the combination of parallel and cross flow will decrease the stability of the flow which leads to the formation of a regular periodic vortex sheet.

12.6.3 HYDRODYNAMIC ASPECTS

12.6.3.1 Flow Distribution in Lower Plenum

The velocity distributions normal and parallel to the TRs, respectively, were obtained from potential flow analog studies of a two-dimensional model of the lower plenum. A wake of highly turbulent, but essentially stagnant fluid, was assumed to exist, protruding downwards into the plenum from the lower edge of the core barrel. The extent of the wake was adjusted to give consistency with the experimentally observed flow nonuniformity at the lower core plate. A maximum cross flow velocity of 7 ft./s occurs just above the middle of the TR. Below this point, the velocity decreases to less than 0.5 ft./s at one-third of the distance between the casting and the core plate. The velocity parallel to the rod decreases from 12 ft./s at a position two-thirds of the distance between the casting and core plate to less than 1 ft./s at the mid-point of the TRs.

The maximum cross flow velocity will probably be less than 7 ft./s because some of the net flow will cross through the wake.

12.6.3.2 Transverse Force in Cross Flow

The transverse force due to vortex formation (von Karman) in flow normal to the rod is assumed to be periodic with a frequency calculated for a Reynolds number (Re) greater than 10³ assuming a constant Strouhal number of 0.21. Although Rouse indicates that alternating side thrust exists for Re as high as 10⁶, there is evidence that for 10³ < Re < 10⁵ the flow in the wake behind the cylinder is periodic, while for Re > 10⁵ it is not periodic. For a cross flow of 7 ft./s, the Reynolds number is 4.7 × 10⁵.

The magnitude of the transverse periodic force is assumed identical to the drag force on a cylinder in steady flow. For a velocity less than 8 ft./s, the maximum drag force is Fmax = 1.43 lb/ft. The actual transverse force (lift) is expected to be less than this value. Experimental values for Re = 735 are CL = 0.45 compared to CD = 1.09. The same ratio applied to Re = 10⁵ gives Fmax = 0.6 lb/ft. It seems reasonable to expect that the ratio CL/CD measured at Re = 735 will not change unfavorably as Re increases. As the frequency of the vortex shedding increases, their size becomes smaller rendering the asymmetrical pressure distribution which is associated with a single vortex effective over a smaller area. Also, the combined parallel and normal flow is believed to decrease the stability for the formation of a regular periodic vortex sheet.

12.6.4 EFFECTIVE MASS OF OSCILLATING SYSTEM

The effective mass of the vibrating rod is calculated by adding the virtual mass of fluid to that of the rod. For steady flow normal to a cylinder:

$$m_{\mathrm{eff}} = m_{\mathrm{rod}}\left(1 + \frac{\rho_{\mathrm{fluid}}}{\rho_{\mathrm{rod}}}\right) = 1.098\, m_{\mathrm{rod}} \qquad (12.2)$$

12.6.5 EVALUATION OF FLUID DAMPING

The damping of the vibration due to fluid friction is calculated from the drag on a cylinder in steady motion with the mean velocity um = 4δf, where δ is the deflection and f is the frequency of vibration. The ratio of damping to critical damping becomes

$$\frac{C}{C_c} = \frac{2 C_D}{\pi^2}\left(\frac{1}{1 + \dfrac{\rho_{\mathrm{rod}}}{\rho_{\mathrm{fluid}}}}\right)\frac{\delta}{D}, \qquad (12.3)$$

where CD is the drag coefficient. The damping thus increases with deflection. For CD ≈ 1, C/Cc ≈ 0.02 δ/D.

12.6.6 VIBRATION ANALYSIS

The response of the TRs to the effects of the fluid flow was determined using analyses which are conservative in nature. The natural frequency of the TR is a function of the rod diameter and length and the tension in the rod. During assembly of the core support structure, the TRs are placed in tension by tightening the nuts at their lower ends. The torque on the nuts is specified so that the natural frequency of the rods will be approximately 19 cps in air and with no loading due to core weight. The relationship between this natural frequency and the torque on the TR nuts was determined experimentally on the actual structure during initial fit up at the shop. Following installation of the core support structure in the reactor the TRs will be immersed in water which will cause the natural frequency of the rods to drop by approximately 5%. However, installation of the core will increase the tension in the TRs and the natural frequency of the TRs will increase approximately 8%, more than offsetting the effect of the water.

12.6.6.1 Cross Flow

In determining the effect of the cross flow, the maximum possible velocity of 7 ft./s was used to determine the maximum von Karman vortex frequency of 17.5 cps. The cross flow velocity distribution was taken as shown in Fig. 12.2 which is, of course, an approximation of the actual case.

FIGURE 12.2 Cross flow quantities. [Two plots against distance from top of tie rod (in.): cross flow velocity (ft./s) and cross flow drag force (lb./ft).]

The exciting force distribution was taken similar to the velocity distribution and, for each velocity, the exciting force was taken as the drag on the rod due to the cross flow. In the case of the 7 ft./s velocity, the drag was determined for a flow velocity of 5 ft./s because the velocity drag curve has a local peak at this velocity. The cross flow drag distribution is also shown in Fig. 12.2.

Each TR was considered to be a series of six lumped masses connected by springs. The tension in the rod was included and the ends of the rods were considered to be clamped. This multidegree of freedom system was excited by alternating forces imposed on two of the lumped masses to simulate the assumed loading shown in Fig. 12.2. No damping was assumed and the amplitude of vibration was determined for each of the lumped masses for the first mode of vibration. The amplitude of vibration and the bending moment along the rod are shown in Fig. 12.3. It is seen that the maximum amplitude of vibration is 0.0153 in. and the maximum bending moment is 39.5 in. lb. The corresponding maximum alternating stress is 403 psi. The static deflection of the TR due to the forces shown in Fig. 12.2 was calculated to be approximately 0.007 in. Thus, the amplification, or resonance, factor was found to be 2.18. In comparing this factor with that, which would be expected from a single degree of freedom system with no damping (amplification factor equals 6.5), it was found that the effect of the tension in the rod served to reduce the amplification factor by 2.98.

The analysis described above was for the case of the TR natural frequency being slightly greater than the exciting frequency (19 vs 17.5 cps). Although it is felt that the exciting frequency used will be the maximum possible and that the natural frequency used is close to the actual, the case of the natural frequency being in resonance with the exciting frequency was also considered.

At resonance, the amplitude of vibration will, of course, become infinite unless damping exists in the system. Damping will certainly exist in the TR system although it will be small. The principal source of damping will stem from internal damping in the TR material. For stainless steel, this will amount to at least 1% of critical damping. The water will also provide a small amount of damping which will depend upon the amplitude of the TR vibration. This damping will be approximately 0.2%. Damping will also stem from very small motions in the top and bottom TR threaded joints. For a single degree of freedom system at resonance, the amplification factor is approximately 45 for damping equal to 1.2% of critical. Reducing this in proportion to the reduction determined above, to account for tension in the rod, the amplification factor was found to be approximately 15.1. The maximum deflection was then determined to be 0.106 in. and the alternating stress was found to be 2780 psi.

12.6.6.2 Parallel Flow

The vibration of the TRs due to parallel flow was analyzed based upon a method described by Burgreen et al. The flow velocity was taken as 12 ft./s, the maximum parallel flow velocity, and the hydraulic diameter was taken as 24 in. The maximum deflection was found to be 0.074 in. and the maximum alternating stress was 1950 psi.

FIGURE 12.3 Vibration data. [Two plots against distance from top of tie rod (in.): deflection (in. × 1000) and bending moment (in. lb).]

12.6.6.3 Fatigue Analysis

A fatigue analysis was made to determine whether the TRs will fail due to fatigue in the unlikely event that the rod vibrates in resonance with the von Karman vortex frequency. The modified Goodman diagram was used in this analysis. It was assumed that the stresses and deflections due to the cross and parallel flow vibrations are additive. The maximum deflection becomes, then, 0.180 in. and the maximum alternating stress becomes 4730 psi. The tensile stress in the TRs, with the TR nuts torqued as specified and with the core installed, is approximately 4870 psi. This stress is the mean stress in the TRs.

FIGURE 12.4 Modified Goodman diagram (for stainless steel at 600°F). [Axes: alternating stress (PSI × 10−3) against mean stress (PSI × 10−3); marked on the diagram: Sae, Sb, Su, the SAFE region, and point 1.]

The modified Goodman diagram is shown in Fig. 12.4. The values for Su, Sb, and Sae are given for AISI 304 stainless steel at 600°F. The maximum alternating stress and mean stress values given above determine the location of point (1) in Fig. 12.4. This point is well within the “safe” region of the diagram which indicates that the TRs can be allowed to vibrate at resonance without failure.

The report concluded with the references cited in the text.

12.7 DISCUSSION

The report was read and commented on by the reviewers: not all the doubts were dissipated, but it was thought possible to discontinue any further action on this issue, as the designer (a very experienced one) had demonstrated with his report that he had seriously considered the issue raised. It was decided at this point to trust the designer completely. During the preoperational tests of the reactor no vibration measurements were performed on the reactor internals as, at that time, the problem of fatigue failures of the internals inside the vessel had not yet become the serious safety problem which it became in subsequent years. Today, no newly designed reactor is allowed to start operation without having gone through a complete test routine demonstrating the absence of dangerous vibrations in the vessel internals.

After a short operation time, severe failures happened in the vessel internals, among which was the break of the above-mentioned TRs, which might well have been the cause of other damage. The reactor was stopped for about two years for tests and modifications to the internal complex: the TRs, in particular, were removed and replaced with other duly reinforced internals.

Naturally, the above-summarized short report was read and studied again in order to discover possible defects and erroneous evaluations which would justify the breaks. The defect that the reviewers immediately found, once the real mechanical drawings of the complex were available (which were not enclosed in the above report), was that the writer of the report, in evaluating the peak stresses for the evaluation of the fatigue strength in the rods, did not take into account the stress intensification factor in the notch represented by the upper and lower threads of the rods, which were not protected by stress attenuation grooves or by other provisions. The stress intensification factor might range from 2 to 4, and is therefore completely capable of reversing the result of the initial evaluations.

Another doubt, which unfortunately remained unresolved, concerned the advisability of basing the demonstration of sufficient strength on the presence of traction in the rods, due to the torque imposed on the lower nuts. Indeed, if this confidence could be justified in the case of an isolated rod, the case of many rods in parallel is much more uncertain; in the absence of a strain-gauge measurement on all the rods, it might well be that the subsequent torquing of nuts could totally or partially eliminate the traction in the previously tightened rods. It is in fact necessary to consider the uncertainty connected in part with chance factors like the amount of friction and in part with the conditions of imperfect cleanliness of the threads and of the nuts.

At least in this case, if the reviewers had been more determined in their in-depth study of the design evaluations, perhaps significant industrial damage could have been avoided, notwithstanding the fact that the breaks did not impair the ability to shut down the reactor using the control rods.

In any case, the reason why such a mistake, in many respects incredible, happened was never discovered or reported: perhaps it consisted in an erroneous assignment of tasks (the hydrodynamic analyst was perhaps put in charge of the fatigue verifications too without adequate supervision) or in an erroneous mindset in the treatment of the answers to the questions of the control body (e.g., believing that the design had to be necessarily correct and that the answer to the control body had the only purpose of convincing it, as if the requests for clarification were not also a contribution to the verification of the design!). It is not easy to draw precise and general lessons from facts like this one: it is, however, advisable that the narration of these experiences be freely circulated in order to try to avoid future mistakes of this kind.¹
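The chain of figures in the designer report, and the effect of the omitted thread factor, can be re-traced numerically. The following is an added example, not part of the book or of the designer report: it uses the report's quoted values, checks them against Eq. (12.1) and the textbook one-degree-of-freedom amplification formulas, and then applies the stress intensification factor of 2 to 4 to the alternating stress only (an assumption). The rod diameter is inferred from Eq. (12.1), and the endurance and ultimate limits in the straight-line Goodman check are constructed placeholders, not the AISI 304 values of Fig. 12.4.

```python
"""Added example: re-trace the tie-rod figures quoted in the designer report
(12.6) and apply the thread stress intensification factor raised in 12.7."""

STROUHAL = 0.207             # coefficient of Eq. (12.1): f = 0.207 u / d

# Figures quoted in the report (imperial units, as on the page)
U_CROSS = 7.0                # ft/s, maximum cross flow velocity
F_VORTEX = 17.5              # cps, maximum von Karman vortex frequency
F_NATURAL = 19.0             # cps, tie-rod natural frequency
STATIC_DEFLECTION = 0.007    # in., static deflection under the drag load
OFF_RES_AMPLITUDE = 0.0153   # in., amplitude with 19 vs 17.5 cps
OFF_RES_STRESS = 403.0       # psi, alternating stress with 19 vs 17.5 cps
SDOF_UNDAMPED = 6.5          # report's one-degree-of-freedom factor, no damping
SDOF_RESONANT = 45.0         # report's factor at resonance, 1.2% damping
CROSS_RES_STRESS = 2780.0    # psi, cross flow at resonance
PARALLEL_STRESS = 1950.0     # psi, parallel flow
MEAN_STRESS = 4870.0         # psi, mean tensile stress in the rods
NOTCH_FACTORS = (2.0, 4.0)   # range of the stress intensification factor (12.7)

# Constructed placeholders, NOT the AISI 304 values of Fig. 12.4
S_ENDURANCE = 20000.0        # psi, assumed endurance limit
S_ULTIMATE = 50000.0         # psi, assumed ultimate strength


def vortex_frequency(u_ft_s, d_ft):
    """Eq. (12.1): vortex shedding frequency in cps."""
    return STROUHAL * u_ft_s / d_ft


def implied_rod_diameter_in(u_ft_s=U_CROSS, f_cps=F_VORTEX):
    """Rod diameter (in.) implied by Eq. (12.1); inferred, not on the page."""
    return 12.0 * STROUHAL * u_ft_s / f_cps


def undamped_amplification(f_exciting, f_natural):
    """Dynamic magnification of an undamped one-degree-of-freedom system."""
    ratio_sq = (f_exciting / f_natural) ** 2
    return 1.0 / abs(1.0 - ratio_sq)


def resonant_amplification(damping_ratio):
    """Magnification at resonance for light damping: 1 / (2 zeta)."""
    return 1.0 / (2.0 * damping_ratio)


def resonant_case():
    """Scale the off-resonance results to resonance the way the report does."""
    off_res_factor = OFF_RES_AMPLITUDE / STATIC_DEFLECTION    # report: 2.18
    tension_reduction = SDOF_UNDAMPED / off_res_factor        # report: 2.98
    res_factor = SDOF_RESONANT / tension_reduction            # report: 15.1
    return {
        "off_res_factor": off_res_factor,
        "tension_reduction": tension_reduction,
        "res_factor": res_factor,
        "deflection_in": STATIC_DEFLECTION * res_factor,             # report: 0.106
        "stress_psi": OFF_RES_STRESS * res_factor / off_res_factor,  # report: 2780
    }


def combined_alternating_stress():
    """Cross and parallel flow stresses taken as additive (report: 4730 psi)."""
    return CROSS_RES_STRESS + PARALLEL_STRESS


def notched_alternating_stress(k_notch):
    """Alternating stress at the thread root; factor on the alternating part only."""
    return k_notch * combined_alternating_stress()


def goodman_utilisation(s_alt, s_mean, s_end=S_ENDURANCE, s_ult=S_ULTIMATE):
    """Straight-line Goodman check: values above 1.0 are outside the safe region."""
    return s_alt / s_end + s_mean / s_ult


def critical_notch_factor(s_end=S_ENDURANCE, s_ult=S_ULTIMATE):
    """Notch factor at which the rod reaches the Goodman line."""
    return s_end * (1.0 - MEAN_STRESS / s_ult) / combined_alternating_stress()


if __name__ == "__main__":
    print(f"implied rod diameter: {implied_rod_diameter_in():.3f} in.")
    print(f"undamped factor, 17.5 vs 19 cps: "
          f"{undamped_amplification(F_VORTEX, F_NATURAL):.2f}")
    print(f"1/(2 zeta) at 1.2% damping: {resonant_amplification(0.012):.1f}")
    for name, value in resonant_case().items():
        print(f"{name}: {value:.4g}")
    for k in (1.0, *NOTCH_FACTORS):
        s_alt = notched_alternating_stress(k)
        util = goodman_utilisation(s_alt, MEAN_STRESS)
        print(f"K = {k:.0f}: alternating {s_alt:.0f} psi, utilisation {util:.2f}")
    print(f"critical notch factor: {critical_notch_factor():.2f}")
```

The conclusion at the upper end of the range depends on the placeholder limits; with the material values of Fig. 12.4 substituted for them, the same functions give the margin the reviewers would have needed to see.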

ENDNOTE

1. And perhaps, you will meet this situation too. At the time when the technology of pressurized reactors had not yet been stabilized, a safety reviewer noticed that in a PWR no isolation valve had been placed in the steam generator outlet steam lines; in this situation, if a rupture of a steam line inside the containment occurs, the water inventory of all the steam generators would be discharged in the containment (together with the inventory of primary water, according to a usual conservative assumption). In the end, after long discussions, the owner of the plant accepted the need to install the big isolation valves, which caused delays and significant extra expense (the plant construction was almost complete). The young reviewer was summoned by his “boss” in order to receive the news of the owner’s decision and to hear also the following (semiserious) remark: “. . . however, don’t find these defects anymore!” [Reportedly, elsewhere and in a different context, the same concept was probably expressed by the sentence: “Don’t turn over new rocks” (Ford, 1982, p. 198).] All this is understandable, if not condonable. However, it is necessary to remember that it is better to resolve plant deficiencies earlier rather than later. After many years of heated discussions with designers, it is easy to hear sentences like this one: “You made us suffer a great deal, but you were right.”

REFERENCES

Bourgeois, J., Tanguy, P., Cogné, F., Petit, J., 1996. La sûreté nucléaire en France et dans le monde. Polytechnica, Paris.
Ford, D., 1982. The Cult of the Atom. Simon and Schuster, New York.

CHAPTER 13 CLASSIFICATION OF PLANT COMPONENTS

A general agreement exists that classification of systems, structures, and components of a plant from the point of view of safety and from the point of view of resistance to external actions (earthquake, and so on) is necessary to make decisions on the following (IAEA, SS-G2, 2010):

• Adequate design, construction, and operation provisions for each class.
• System characteristics, such as redundancy, emergency power supply, qualification for environmental conditions.
• Systems to be considered available or not in the deterministic analysis of the postulated initiating events (EUR, Chapter 18: Nuclear Safety Criteria).
• Gradation of the QA measures, to be proportioned to the importance of the safety component but also to the characteristics of the component such as its complexity and degree of technological innovation.

In general, the following classifications should be defined:

• Classification on the basis of the safety function, with reference to the requirements above.
• Classification for pressure components, on the basis of the mechanical complexity and the pressure level.
• Classification for the resistance to earthquakes, with reference to the need that the components continue to be undamaged or functional during and after an earthquake of a certain severity, taking into account the aftershocks and therefore the possible incremental damage.
• Classification of the instrumentation and control systems, on the basis of their safety function, which may be different from that of other system types because of the existence of classification schemes specific to their field and commonly used.
• Classification for QA requirements.

The various national approaches to the classification systems strongly differ from each other and in every practical case the choice of the classification criteria and the assignment of the various components to the classes identified need a certain degree of reflection and judgment. The subject of classification is made very delicate by the fact that the pertinent choices have a strong economic relevance. Moreover, it is not always possible to correlate the different classes with levels of reliability or unavailability upon demand in the probabilistic safety evaluations, because of the lack of sufficient experimental data. The probabilistic safety analyses should confirm that the structures, systems, and components, which ensure that the risk connected to the plant is low, be classified at the appropriate level.

It is necessary to stress the adequacy of the isolation and separation systems adopted for different systems having a possibility of mutual interaction and assigned to different classes. The malfunction of a system or component should not cause the malfunction of another system or component assigned to a superior class. If this possibility exists, the affected system or component should also be classified in the superior class.

Nuclear Safety. DOI: https://doi.org/10.1016/B978-0-12-818326-7.00013-5 © 2020 Elsevier Ltd. All rights reserved.

Some examples of adopted classification systems may be found in IAEA (2014), the IAEA Guide on classification (IAEA, 2010), and in EUR (Chapter 18: Nuclear Safety Criteria), the EUR criteria, an extract of which, also including the classification system, is included as Appendix 6. Some examples of system classifications are given in the following paragraphs, as an illustration. These examples comply with the above-listed principles and may be found in IAEA (2014) and EUR (Appendix 6).

• The system of vessels, pipes, and pressure components which form the primary cooling system of a PWR (reactor vessel obviously included) is in Class 1, the highest one, as the failure (break) of the system constitutes a serious LOCA.
• The core emergency cooling system is placed in Class 2, as its failure does not cause directly and necessarily an accident.
• The compressed air system which supports the emergency cooling systems is in Class 3 as it is considered a normal, not highly stressed system.
• The station fire fighting system is not placed in a safety class (or it is in Class 4) as it is considered that the specific industrial standards in force already offer sufficient guarantee by themselves if needed.

These examples make clear the degree of subjectivity in the classification choices and therefore the importance of giving classification adequate attention.

REFERENCES

IAEA, 2010. SS-G2 Deterministic Safety Analysis for Nuclear Power Plants.
IAEA, 2014. Safety Classification of Structures, Systems and Components in Nuclear Power Plants. Specific Safety Guide. IAEA Safety Standards Series No. SSG-30.

CHAPTER 14 NOTES ON SOME PLANT COMPONENTS

14.1 REACTOR PRESSURE VESSEL

14.1.1 PROBLEMS HIGHLIGHTED BY OPERATING EXPERIENCE

During the past 60 years (roughly) of peaceful use of nuclear energy, no case of a nuclear reactor pressure vessel rupture has occurred. This hypothetical event is neither included in the design basis accidents nor, according to the most recent trends, among the severe accidents to be reasonably considered. This is not, as it will be discussed more extensively later, the only possible choice: it, however, has been considered acceptable and practicable. It is also necessary to remember that the burst of a nuclear vessel, without previous mitigation measures, would easily result in an accident of the severity of the Chernobyl one. Every effort, therefore, is made by technical experts involved to prevent a break by design, construction, and operation provisions.

In order to meet this goal, however, extraordinary efforts and means are necessary. Indeed, even though there is good design experience for ordinary industrial vessels built and operated at the best quality level, the resulting failure rate is unacceptable for the best nuclear vessels, where the risk is kept at minimum level. It must be remembered that the frequency of catastrophic ruptures in Class 1 industrial, nonnuclear, pressure vessels ranges between $10^{-4}$ and $10^{-3}$ per year. The total service time of nuclear pressure vessels for civil and military uses is now somewhat higher than 10,000 reactor-years.

Other additional facts must be considered in the operating experience of nuclear pressure vessels. An example was the case of a nuclear reactor steam generator which was built 20 years ago according to the rules then in force. It worried some nuclear experts because of what they thought could have happened. The case is described in Chapter 20, Operating Experience, but here it is recalled that, during a normal inspection of the plant, a patch of damp was discovered on the exterior of the thermal insulation of the vessel.
A subsequent in-depth inspection revealed the presence of a circumferential crack along a weld which extended for most of the circumference and had an average depth of roughly 70% of the wall thickness. The rupture of a steam generator in a nuclear plant would probably cause a lower environmental contamination than the rupture of the reactor pressure vessel, but in any case this is a disruptive accident, not considered among the design basis ones or among those taken as a reference for additional protective measures for severe accidents. In passing, the cause was attributed to impurities in the welds and therefore to fabrication defects.

Another case of supposedly serious danger happened when, because of the stringent need for electric power production, a Russian-design reactor built in Bulgaria was restarted after a stoppage, notwithstanding the contrary opinion of a group of European experts. This case, too, is described in Chapter 20, Operating Experience. The plant had been shut down because excessive embrittlement of the vessel was feared due to the neutron fluence absorbed in service. During the stoppage, according to some experts, the vessel had at least to be submitted to further inspections and possibly annealed in order to eliminate part of the neutron embrittlement. It was, instead, following the advice of other experts, started up again and operated for several months until, once the winter electricity demand peak had passed, it was stopped again in order to perform the needed operations. It has to be said, however, that in retrospect, following tests on material samples, the initial estimates proved to be too pessimistic.

Nuclear Safety. DOI: https://doi.org/10.1016/B978-0-12-818326-7.00014-7 © 2020 Elsevier Ltd. All rights reserved.

Another example is the corrosion damage caused by boric acid of the vessel upper head of the US reactor at Davis Besse in 2002. A cavity as deep as the carbon steel wall and with similar dimensions in plan was produced, leaving the stainless steel internal liner as the only barrier against the massive efflux of primary fluid (see Chapter 20: Operating Experience).

More recently (Belgium, France), a number of cases happened where cracks were found in the base metal of the pressure vessel wall (segregation of carbon compounds) also with an orientation perpendicular to the vessel wall surface. This subject is currently under investigation and the subject of recommendations (WENRA, 2018).

Although the dangers of the above example never materialized, the behavior of the reactor pressure vessel during the Three Mile Island (TMI) accident is exceptional. It withstood the outpouring of about 20 tons of molten core on its bottom, in conditions of highly deteriorated internal cooling. To the technical experts this behavior indicated the presence of a powerful and up to then neglected barrier in the Defence in Depth, which is now utilized in a planned way as a potential asset.

A number of relatively small mishaps have, however, occurred to vessels: cracks in the control rod drives thimbles in PWRs (Figs. 14.1 and 14.2); damage to the internal liner due to erosion by broken metal pieces (almost everything has been found in reactor vessels and in steam generators during periodical inspections, including hammers, files, shoes, and pieces of wooden planks, etc.!); small cracks at the junction between the internal liner and base metal due to the liner deposition process; defective materials; excessive neutron embrittlement; deposition of large amounts of boric acid (hundreds of kilograms, see Chapter 20: Operating Experience) between the control rod drive thimbles and their thermal insulation; leaks of liquid through junctions; and so on.

14.1.2 RUPTURE PROBABILITY OF NONNUCLEAR VESSELS

Rupture statistics for nonnuclear vessels are not applicable to nuclear vessels as they differ in many ways, for instance, they differ in wall thickness (for most cases), service life, conditions of use, in-service inspections, improvements in steel making technology, control of trace elements, stringent heat treatment specifications, and rigorous QA practices. It is, however, useful to consider the data collected on the ruptures in conventional vessels in order to keep in perspective the importance of the additional precautions adopted for nuclear vessels.

Table 14.1 shows a summary of some available statistics for both destructive events and nondestructive breaks; the latter include all the cases of fractures discovered in time or which could become destructive and all those minor fractures, probably not potentially destructive, that required intervention because of their size. The principal causes of the reported fractures are fatigue (mechanical, thermal, or corrosion assisted) associated with preexisting fabrication defects, generally corresponding to structural discontinuities such as appendages, penetrations, etc.

FIGURE 14.1 The most relevant areas of a vessel from a structural point of view.

A statistical treatment of the data summarized in Table 14.1 leads to the conclusion that, at 99% confidence, a potentially destructive event may happen, in nonnuclear Class 1 vessels, with a probability of $10^{-3}$–$10^{-4}$ per year.
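The 95% confidence limits printed in Table 14.1 can be checked with a one-sided upper bound on a Poisson event rate. The sketch below is an added example, not taken from the book: it assumes the events follow a Poisson process (the page does not say which method produced the table), and the function names are chosen here. It uses only the event counts and vessel-years of the table rows listed in the code.

```python
import math

def poisson_cdf(k, lam):
    """P(X <= k) for X ~ Poisson(lam). Terms are formed in log space so that
    a large mean does not underflow exp(-lam)."""
    log_lam = math.log(lam)
    return sum(math.exp(i * log_lam - lam - math.lgamma(i + 1))
               for i in range(k + 1))

def upper_limit_events(k, confidence=0.95):
    """One-sided upper confidence limit on the Poisson mean after observing
    k events: the mean for which seeing k or fewer events has probability
    1 - confidence."""
    alpha = 1.0 - confidence
    if k == 0:
        return -math.log(alpha)          # closed form: exp(-mean) = alpha
    lo = float(k)                        # CDF(k; k) > 0.5 > alpha
    hi = k + 10.0 * math.sqrt(k) + 10.0  # far in the upper tail, CDF < alpha
    for _ in range(100):                 # bisection on the decreasing CDF
        mid = 0.5 * (lo + hi)
        if poisson_cdf(k, mid) > alpha:
            lo = mid
        else:
            hi = mid
    return 0.5 * (lo + hi)

def rate_upper_limit(events, vessel_years, confidence=0.95):
    """Upper limit on the event rate per vessel-year."""
    return upper_limit_events(events, confidence) / vessel_years

# (events, vessel-years, limit printed in Table 14.1). Rows whose printed
# limit this formula does not reproduce (for example 5 destructive events in
# 3.1e5 vessel-years, printed as 3.2e-5) are left out.
TABLE_ROWS = [
    (65, 3.1e5, 2.6e-4),   # nondestructive events
    (30, 6.7e4, 6e-4),
    (10, 1e4, 1.7e-3),
    (27, 6e4, 6e-4),
    (0, 6.7e4, 4.5e-5),    # destructive events, none observed
    (0, 1e4, 3e-4),
    (0, 2.2e4, 1.4e-4),
    (0, 6e4, 5e-5),
    (0, 7.2e5, 4.2e-6),
]

def compare_with_table(rows=TABLE_ROWS):
    """Return (events, vessel_years, printed, computed, relative deviation)."""
    out = []
    for events, vessel_years, printed in rows:
        computed = rate_upper_limit(events, vessel_years)
        out.append((events, vessel_years, printed, computed,
                    abs(computed - printed) / printed))
    return out

if __name__ == "__main__":
    for events, vy, printed, computed, dev in compare_with_table():
        print(f"{events:4d} events in {vy:9.3g} vessel-years: "
              f"printed {printed:.2g}, computed {computed:.3g} ({dev:.1%})")
```

With no events observed the bound reduces to −ln(0.05)/ΣY×V, about 3 divided by the accumulated vessel-years, which is why the zero-event rows of the table still carry a nonzero limit.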

14.1.3 FAILURE PROBABILITY OF NUCLEAR VESSELS

14.1.3.1 Normal Conditions, Transients, and Design Accidents

Given the absence of statistics for occurred events, the only way to estimate the failure probability of nuclear vessels is analytically, on the basis of the probabilistic distribution of the involved parameters and of the available fracture mechanics models. The relevant parameters include: toughness of the material, the number of cracks initially present in the component, the probability that they are detected during the preoperational and in-service tests, the fatigue crack growth rate, etc. The result of these probabilistic evaluations is useful to verify the safety level of the vessel, to highlight areas on which research effort is still needed, and to estimate the safety improvement due to further provisions such as an increase in the in-service inspections, changes in design, material, and operating conditions, etc.

FIGURE 14.2 Types of junction between control rod thimbles and vessel body. [Two panels, (A) and (B); scale bar 10 mm.]

The following describes the method and the results of the most accurate work on this subject: the Marshall Report (UKAEA, 1982). The probability of a catastrophic rupture is determined by the probability associated to: presence of cracks in the original component; detection of them during the preoperational and in-service inspections; growth of cracks in service; toughness of the material measured by the critical stress intensity factor (see Appendix 7 on Fracture Mechanics); stresses from normal operation; transients; and accidents.

Concerning the original presence of cracks, it has to be said that their generation mechanisms are not all well understood. Generally they occur in welds. Concerning their shape, obviously the field of the various possibilities is infinite and, therefore, for quantitative evaluations, it is necessary to apply simple conservative assumptions. Usually it is assumed that the cracks are semielliptical and superficial, with a depth $a$. The length $2c$ of the crack is assumed as a fixed multiplier of its depth (typically $a/2c = 1/6$).


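Table 14.1 Data on Ruptures of Conventional Vessels

| Source | Number of vessels | Σ (years × vessels, Y × V) | Nondestructive events: number of events | Nondestructive events: observed data (Ev/ΣY × V) | Nondestructive events: confidence limit 95% | Destructive events: number of events | Destructive events: confidence limit 95% |
|---|---|---|---|---|---|---|---|
| UK Smith & Warwick | 20,000 | $3.1 \times 10^{5}$ | 65 | $2 \times 10^{-4}$ | $2.6 \times 10^{-4}$ | 5 | $3.2 \times 10^{-5}$ |
| IRSTUV | 7000 | $6.7 \times 10^{4}$ | 30 | $4.4 \times 10^{-4}$ | $6 \times 10^{-4}$ | 0 | $4.5 \times 10^{-5}$ |
| German study group | $1.1 \times 10^{6}$ | $1.9 \times 10^{6}$ | 7435 | $4 \times 10^{-4}$ | — | 40 | $8.8 \times 10^{-6}$ |
| EEITVA | 1033 | $1 \times 10^{4}$ | 10 | $1 \times 10^{-3}$ | $1.7 \times 10^{-3}$ | 0 | $3 \times 10^{-4}$ |
| EEI Boiler Drum and PV data | 5000 | $2.2 \times 10^{4}$ | 1 | $4 \times 10^{-5}$ | $2 \times 10^{-4}$ | 0 | $1.4 \times 10^{-4}$ |
| UK steam drum sample | 3000 | $6 \times 10^{4}$ | 27 | $4.5 \times 10^{-4}$ | $6 \times 10^{-4}$ | 0 | $5 \times 10^{-5}$ |
| NBBPVI (7378) | 536,000 | $3 \times 10^{6}$ | 1043 | $3.2 \times 10^{-4}$ | | 115 | $3.5 \times 10^{-5}$ |
| ABMA | 68,000 | $7.2 \times 10^{5}$ | | | | 0 | $4.2 \times 10^{-6}$ |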

The initial distribution of cracks is given as

$$N_o(a) = A(a)\,B(a) \qquad (14.1)$$

where $A(a)$ [n/(mm × m³)] is the distribution function of the fabrication cracks of length ranging from $a$ to $(a + da)$ and $B(a)$ is their probability of nondetection in the preservice inspection. The current estimates of the total of cracks present after fabrication range from 0.4 to 40 cracks per cubic meter of weld: a figure of about 4 is, however, certainly conservative even in the light of most recent data. The uncertainty is therefore of one order of magnitude.

As far as $B(a)$ is concerned, in the light of the results of the PISC research program sponsored by the OECD, Fig. 14.3 gives the best estimate values of the detection probabilities ($= 1 - B(a)$) using the ASME XI procedure (PISC). As an example, for a 20-mm deep crack, its detection probability is roughly 25%. Usually the assumption is made that the same nondetection probabilities hold for the in-service inspections too.

The critical stress intensity factor, $K_{IC}$, has, in the light of the many available tests, a unimodal Gaussian distribution. The variation of this parameter with time has to be considered (e.g., as an effect of neutron irradiation). The crack growth rate is given by

$$\frac{da}{dN} = C\,(\Delta K_I)^n \qquad (14.2)$$

where $N$ indicates the number of stress cycles of amplitude $\Delta K_I$ at the crack tip, $n$ has values ranging from 3 to 4, and $C$ has a lognormal distribution for each steel.

FIGURE 14.3 Detection probability of a crack of given depth. [Axes: detection probability (0 to 1) versus crack depth Δz (mm), up to 100 mm.]

The probabilities of transients and accidents are obtained from operating experience and from current estimates for probabilistic analyses, respectively. The overall evaluations of rupture probability may be performed in a rigorous, yet onerous, way by Monte Carlo methods, or, especially for sensitivity evaluations, by simplified methods. Figs. 14.4 and 14.5 show the global results of these evaluations for normal and transient conditions and for serious accident conditions, respectively. The interest here is the sum of the two contributions. The data shown in the figures do not include the consideration of in-service inspections. These figures have been obtained for a surface semielliptical crack with $a/2c = 1/6$; if, with the same distribution of depth, all the cracks had been considered infinitely long, the final probabilities would have been 10 times higher.

The sensitivity to the mean value and to the distribution of $K_{IC}$ is lower than would be thought: less than one order of magnitude for the variation from 230 to 150 MN m$^{-3/2}$. The sensitivity of the results to the crack growth rate is strong: the growth rates assumed for the results shown in Figs. 14.4 and 14.5 are intended to represent the growth rates in wet conditions and probably, on the basis of the most recent data, they are too high and could have generated excessive failure probability figures by a factor of up to 100. The contribution to the failure probability of the vessel is principally due to the nozzle area and to the vessel bottom as well as to the middle zone corresponding to the core position. If the in-service inspection program had been considered, significant reductions in the calculated failure probability would have been obtained (up to two orders of magnitude), depending on the inspection intervals and extension as well as on the value of $B(a)$ considered applicable to the same inspections.

FIGURE 14.4 Failure probability for nuclear vessels in normal or transient conditions. [Axes: failure probability per vessel year (1.00E−10 to 1.00E−06) versus time (years, 0 to 40); curves: high estimate, low estimate.]

FIGURE 14.5 Failure probability for nuclear vessels in serious accidents. [Axes: failure probability per vessel year (1.00E−10 to 1.00E+00) versus time (years, 0 to 50); curves: high estimate, low estimate.]

The above-described procedure can also be applied to nonnuclear vessels and a comparison can be made with the statistics of the cracks detected in them: in this way a correspondence will be obtained as, for nonnuclear vessels, the breaks detected decrease with the service life while these procedures lead to an increase in the failure probability with time. This apparent discrepancy can be explained by the fact that in-service inspections are not considered for nuclear vessels.
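The ingredients of this section (Eq. 14.1 for the cracks that escape the preservice inspection, Eq. 14.2 for their growth, a Gaussian $K_{IC}$ for the failure check) can be combined in a small Monte Carlo loop. The sketch below is an added illustration, not the Marshall Report model: apart from a/2c = 1/6, n = 3, the two $K_{IC}$ means and the 25% detection probability at 20 mm, every input (depth distribution, stresses, cycles, the textbook shape-factor approximation) is a constructed assumption chosen so that failures appear in a small sample, so the output is not a vessel failure probability.

```python
import math
import random

# Values stated on the page
A_OVER_2C = 1.0 / 6.0     # semielliptical surface crack, a/2c = 1/6
PARIS_N = 3.0             # exponent n of Eq. (14.2); the page gives 3 to 4
KIC_HIGH, KIC_LOW = 230.0, 150.0   # mean K_IC, MN m^-3/2 (= MPa sqrt(m))

# Constructed inputs (assumptions, not vessel data)
MEAN_DEPTH = 0.006        # m, mean of an exponential fabrication depth A(a)
C_MEDIAN = 7e-12          # m/cycle per (MPa sqrt(m))^n, median of lognormal C
C_SIGMA_LN = 0.5          # log-standard deviation of C
KIC_SD = 15.0             # MPa sqrt(m), standard deviation of K_IC
DELTA_SIGMA = 200.0       # MPa, stress range of every cycle
SIGMA_MAX = 300.0         # MPa, peak stress at which fracture is checked
CYCLES_PER_YEAR = 500
WALL = 0.2                # m, wall thickness

def shape_factor(a_over_2c):
    """beta in K_I = beta * sigma * sqrt(a) for a surface crack, using the
    common approximation K_I = 1.12 sigma sqrt(pi a / Q) with
    Q = 1 + 1.464 (a/c)^1.65. Pass None for an infinitely long crack (Q = 1)."""
    q = 1.0 if a_over_2c is None else 1.0 + 1.464 * (2.0 * a_over_2c) ** 1.65
    return 1.12 * math.sqrt(math.pi / q)

def detection_probability(a):
    """1 - B(a): constructed curve through the single point quoted on the
    page (about 25% for a 20-mm deep crack)."""
    return 1.0 - 0.75 ** ((a / 0.020) ** 2)

def depth_after(a0, cycles, c, beta, n=PARIS_N):
    """Closed-form integral of Eq. (14.2), valid for n > 2, with
    delta K_I = beta * DELTA_SIGMA * sqrt(a)."""
    e = 1.0 - n / 2.0                         # negative for n > 2
    rhs = a0 ** e + e * c * (beta * DELTA_SIGMA) ** n * cycles
    return math.inf if rhs <= 0.0 else rhs ** (1.0 / e)

def failure_fraction(years, kic_mean, a_over_2c=A_OVER_2C,
                     samples=20000, seed=1):
    """Fraction of fabrication cracks that escape the preservice inspection
    and become critical within `years`."""
    rng = random.Random(seed)
    beta = shape_factor(a_over_2c)
    cycles = CYCLES_PER_YEAR * years
    failures = 0
    for _ in range(samples):
        # Same four draws in the same order for every parameter set, so
        # that different runs are compared on common random numbers.
        a0 = rng.expovariate(1.0 / MEAN_DEPTH)
        u = rng.random()
        c = C_MEDIAN * math.exp(C_SIGMA_LN * rng.gauss(0.0, 1.0))
        kic = kic_mean + KIC_SD * rng.gauss(0.0, 1.0)
        if u < detection_probability(a0):
            continue                          # detected: removed by B(a)
        a = depth_after(a0, cycles, c, beta)
        if a >= WALL or beta * SIGMA_MAX * math.sqrt(a) >= kic:
            failures += 1
    return failures / samples

if __name__ == "__main__":
    for kic in (KIC_HIGH, KIC_LOW):
        for years in (10, 40):
            print(f"K_IC mean {kic:5.0f}, {years:2d} years: "
                  f"{failure_fraction(years, kic):.4f}")
    print("infinitely long cracks, 40 years:",
          failure_fraction(40, KIC_LOW, a_over_2c=None))
```

Multiplying the returned fraction by the number of cracks expected in the welds (the page quotes about 4 per cubic meter as conservative) gives the expected number of critical cracks for the assumed inputs.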

14.1.3.2 Severe Accident Conditions

It is practically impossible to perform a probabilistic treatment of the vessel failure in severe accidents, that is where there is major damage and core melt, because of a lack of sufficient data on the phenomena and on their probabilities. In the following, both experience data (from the TMI accident) and deterministic considerations justified by the existing knowledge are shown. At least a picture of the important factors for the decrease in the vessel damage probability and indications on the still necessary research will be obtained. In particular, the importance of the prevention of severe accidents will be clearly demonstrated.

14.1.4 VESSEL MATERIAL EMBRITTLEMENT DUE TO NEUTRON IRRADIATION

This is one of the major safety concerns for the pressure vessel of PWR reactors and, therefore, for the safety of the reactors themselves. For boiling water reactors this problem is smaller because of the lower neutron flux on the vessel walls, which is a typical characteristic of this type of plant, principally due to dimensional factors (the design pressure of BWRs is roughly one half of that of PWRs and the core is larger due to the presence of voids). For PWRs, the integrated fast neutron flux of interest (>0.5 MeV) expected at end-of-life is almost always a multiple of $10^{19}$ neutrons/cm², while for BWRs it is a multiple of $10^{18}$ neutrons/cm².

It is known that the neutron irradiation causes, in the carbon steels used for vessels, an increase in the transition temperature between the brittle and the ductile behavior of the steel [reference temperature for nonductility transition ($RT_{NDT}$)]. This temperature is typically −10°C at start-of-life and, with increasing irradiation, may increase by many tens of degrees in the course of years. It is obvious that below the transition temperature a crack that reaches a super-critical size may propagate and cause the brittle and catastrophic rupture of the vessel and, moreover, the stresses for which a crack becomes critical are lower.

As the vessel must not break, the importance of the control of the embrittlement of the material during the plant life can be easily understood. One of the fundamental safety assumptions of water reactors, in fact, is that the break of the vessel is made impossible by design, construction, and operation provisions. It must be remembered that an explosion of the vessel might break all the four barriers against the external releases of radioactive products at the same time (see Chapter 9: Defence in Depth). Other vessels located in the containment, such as the pressurizer and the steam generators, might also potentially damage various barriers at the same time, but this probability is intrinsically lower than that of the reactor vessel as they are more distant from the core (it can be lowered by provisions concerning the strength of the structures and because they are not exposed to neutron damage and can more easily be inspected during service).

The embrittlement of the vessel material is mainly due to the fast flux integrated during the service life [the “fluence” (neutrons per square centimeter)], the amount of impurities (Cu, P, and Ni in particular) and the irradiation temperature. The fast flux which may generate the maximum damage is >0.1 MeV although in practice >0.5 MeV (Russia and Eastern Europe) or >1 MeV (according to the practice in other countries) are used for the lower uncertainty in its measurement. It is now believed (EUR, 1996a, 1996b, 1997) that, in future, importance should be given to other parameters too such as the initial microstructure (initial transition temperature), the interstitial elements (carbon, nitrogen), and the synergy between the various impurities present. In fact, the large dispersion in the results of measurements of transition temperature on irradiated materials indicates that not all the relevant parameters have been detected and controlled.

Sometimes, low importance is erroneously given to the irradiation temperature, as usually reference is made to PWR vessels which are operated essentially at the same (high) temperature. For different cases, however, the fact that the embrittlement effect is much stronger at lower temperatures must be taken into account [e.g., for a typical steel and for a fluence of $1 \times 10^{19}$ n cm$^{-2}$, the increment of $RT_{NDT}$ is 50°C for an irradiation temperature of 315°C and 161°C for an irradiation temperature of 232°C (EUR, 1996a)]. The practical consequence of this fact is that structural parts need also to be controlled, which, although exposed to a lower neutron flux than that on the vessel wall in the active core region, are however irradiated at lower temperatures (e.g., external supports of the vessel).

The problem of the vessel embrittlement is the subject of great attention both during the design and during operation. In the design phase, usually, the embrittlement during the service life is forecast by the use of empirical formulae (EUR, 1996a) based on specimens irradiated in test reactors or on the result of surveillance programs of the irradiation effect in power reactors. For the various evaluations of fracture mechanics, empirical values of $K_{IC}$ and of $K_{Ia}$ for the material of interest are used, as a function of $(T - RT_{NDT})$.

Various design provisions for the reduction of the integrated flux at end of life exist, among which the following can be quoted: neutron shields around the core, the equivalent use of dummy elements at the core periphery or refueling cycles which minimize fast neutron leakages (“low leakage fuel cycles”). No general agreement among designers exists on the maximum end-of-life fluence which can be accepted: some designers specify up to $6 \times 10^{19}$ n/cm² at end of life, while other practices (Germany, Italy) specify a limit of $1 \times 10^{19}$ n/cm².

Obviously, if the real embrittlement during the life were excessive, costly provisions should be adopted. The most drastic one is the one applied to various East Europe reactors, that is, the in-place annealing of the vessel at temperatures of the order of 470°C for several (e.g., seven) days, which restores the desired toughness characteristics of the material. Another provision adopted is the heating up of the emergency injection water for systems which are initiated first when needed (e.g., heating the pressure accumulator water to 60°C–80°C).

As already said, the uncertainties in forecasting embrittlement are still high. It is necessary to recommend a cautious attitude to designers and the adoption of an end-of-life fluence as close as possible to $1 \times 10^{19}$ n/cm². It must be added that certain situations which favor the loss of toughness with passing time are not easily measured during operation. For example, even if the maximum Ni content in base metal and welds is specified to <1%, it cannot be avoided that the Ni percentage in the vessel material adjacent to the stainless steel liner reaches values up to 4%–5%.

As far as provisions affecting both the design and the operation are concerned, the most relevant one is the experimental program for the measurement of neutron embrittlement. This program should offer a good indication of the state of the material in the areas of interest (base metal, welds, heat-affected zones) well ahead of time; the specimens, that is, must be located where the neutron flux is somewhat higher than on the material of interest in the vessel. Other recommendations are listed in Section 14.1.8.

14.1.5 PRESSURIZED THERMAL SHOCK

The pressurized thermal shock (PTS) problem has been for a long time under scrutiny by the safety specialists. In practice, in case of accident (e.g., a LOCA), a quick refrigeration of the primary water (and therefore of the vessel wall) takes place, either because of the depressurization after the accident or because of the emergency cold water injection. Under these conditions, the presence of cracks in some areas of the vessel (e.g., near the inlet nozzles of the vessel itself), combined with inadequate ductility of the material, might create critical situations from the structural point of view (unstable crack propagation). The study of this phenomenon has entailed the in-depth examination of thermal-hydraulic aspects (vortices in the vessel and the mixing of injected water with existing water) and of aspects of fracture mechanics (crack instability, “warm prestressing” effects, etc.). This issue was addressed in the United States with the emission of a specific rule (Fed Reg, 1983, Development 2013, PTS Transient 2018) which requires an accurate analysis of the situation and improvement provisions (reduction of the neutron flux, and so on) in cases where it is envisaged to exceed, during the plant life, a specific value of the reference temperature ($RT_{PTS}$) in the material, defined by the rule itself.

14.1.6 THE REACTOR PRESSURE VESSEL OF THREE MILE ISLAND 2

It took 10 years to understand the conditions in the damaged TMI core through a considerable international investment. The research program, TMI Vessel Investigation Program (VIP), lasted five years and cost $9 m, with contributions from 10 countries besides the United States.

A first conclusion on the condition of the vessel concerned the presence of a hot, almost circular, zone of about 1 m in diameter where the maximum temperature had reached 1373 K (1100°C) on the inside surface; outside this zone the temperatures were lower than 1000 K (727°C) (transition from the ferritic structure to the austenitic one). Cracks and cavities were found in the stainless steel liner of the bottom head, 0.5-cm thick, around three instrumentation nozzles; however, the cracks have only slightly penetrated in the underlying 14 cm of base metal. The cracks have been attributed to the differential thermal expansion between liner and base metal during the vessel cooling which generated tension in the liner.

The nozzles in the bottom had been damaged; some of them were intact and some had been completely melted and removed. The distribution of the damaged and undamaged nozzles indicated the presence of a debris bed on the bottom which had protected them and the vessel bottom from the molten mass. It can be also concluded, although without absolute certainty, that the hot zone was due to a thinner layer of this debris (bed or crust). Evaluations about the possibility that the hot zone was due to the impact of molten jets proved negative. The hot zone was due to the permanence for at least 30 minutes of a strong heat source (molten fuel mass) bringing the wall to 1373 K (1100°C): the molten jets may have lasted only 2 minutes.


Concerning the rupture modes of the vessel (which was one of the issues in the VIP program), it has been possible to exclude a rupture in the instrumentation tubes: the formation of crusts and the favorable situation of thermal dispersion prevent the creation of holes corresponding with the instrumentation tubes. It has not been possible to determine the margins against a global rupture of the vessel, and it has been only possible to conclude that the hot zone alone could not constitute a critical situation from this point of view: it would also have been necessary for a large surrounding zone of the vessel wall to be at higher temperatures. On the contrary, outside the hot zone the temperature stayed well below 1000 K (727°C) and gradually reached the saturation temperature of the water in the external and higher wet zones.

A very important factor in determining the possible interaction between molten masses and the vessel bottom is that the cooling of the molten mass was also due to convection from the upper part of the vessel and from conduction toward the vessel wall in the lower part. It is thought that water had infiltrated between the crust and the metal wall or via cracks in the crust and had caused the further cooling necessary to explain the relatively small dimensions of the hot zone.

The results of the VIP program confirm the importance of proper severe accident management, as the presence of a small amount of water may be decisive. Also the availability of a voluntary depressurization of the primary system is essential, which removes the possibility of many possible scenarios of vessel rupture. The program also confirmed the need to actively continue studies and research on the external cooling of the pressure vessel in case of severe accident.

14.1.7 GENERAL PERSPECTIVE ON THE EFFECT OF SEVERE ACCIDENTS ON THE PRESSURE VESSEL

Besides the phenomena already described with reference to the TMI accident, the possible interactions between a molten core and the pressure vessel concern the interactions with the water present on the bottom and the possibility of a steam explosion (which did not occur at TMI). The experimental data available and analytical methods are not yet capable of giving a conclusive demonstration of the nondestructive character of a steam explosion within a pressure vessel, but all the evaluations indicate that this phenomenon is not possible. The thermal energy potentially contained in 1 kg of molten core is equal to 1 MJ and therefore the maximum potential accident, taking into account the weight of the core (close to 100 t), could release an enormous amount of energy. Various factors, however, exist which can be relied on for a substantial reduction of the severity of a realistic event. First of all, the amount of molten material which could be involved in an explosive event before being cooled (12 s) is limited by the mass flow rate of the possible pouring from the core. If it is supposed that, as in TMI, the melt falls into the water through the lateral core bypass, then the flow area is of the order of 0.01 m² and the flow rate is <1 t/s. If the fall occurs through the fuel elements the estimated flow area is about 0.1 m², with a velocity of the order of 5 m/s and a flow rate of about 5 t/s. Other factors that emerged from the experimental tests are:

• Jets of 100 mm diameter may penetrate the water layer and reach the bottom. The penetration length increases with the decrease in the jet diameter; below a certain diameter, however, the atomization regime is entered with a decrease in the penetration distance but with a higher explosion potential.
• The dimensions of the particles resulting from the dispersion are 2–10 mm (4 mm is indicated by the calculation codes in the premixing phase).
• Experiments using a mixture containing molten UO2 have rarely shown a steam explosion.
• Explosions become gradually less likely when the pressure increases beyond a few 100 kPa.
• A low melt superheating leads to a lower danger of explosion.
• The formation of steam in the first period of the melt–water contact tends to decrease the explosion probability (“water depletion phenomenon”).
• Even if an explosion happens, it will not involve all the mass and the conversion from thermal to mechanical energy can be low for the following reasons:
  • Not all the debris will be so finely subdivided to release heat in the necessary time scale.
  • The molten particles tend to be blanketed by steam when the mixture expands and to exchange less energy with water.
  • The dishomogeneity in the steam content of the mixture leads to dissipation of the shock wave traveling from high pressure to low pressure zones.
  • The mixture may not be “well pressed” so if a large quantity of steam has been generated in the premixing phase and a steam chimney exists above, then the energy of a wave can rapidly decay.

The following rough estimates can be made on the danger of serious damage to the vessel for a steam explosion. It is supposed that not more than 2% of the molten mass participates in the explosion and that the mechanical efficiency is 15% (a rather high figure) so an explosion energy of about 400 MJ is obtained. On the other hand, estimates of the energy necessary to push the vessel head off (if hit by a mass of water coming from below) indicate a figure of 900 MJ for PWRs and 500–800 MJ for BWRs without taking into account the energy necessary to deform the reactor internal structures, which by itself is of the order of 1 GJ. Furthermore, if the calculation model includes the internal vessel structures as well, then the energy necessary to pull the head off turns out to be lower because the impact load is distributed on a circumference and not on its whole surface area. It has to be noted that these evaluations assume the complete integrity of the bolts connecting vessel head and body which otherwise could represent a weak point of the structural complex. Operating experience does not indicate cases of significant deterioration of this bolted joint, given the design, fabrication, and periodical control precautions applied to this part of the vessel. For the break of the vessel bottom, energies of the order of 1 GJ are also calculated, even if this issue is the subject of some discussion. The problem of the cooling of debris on the vessel bottom is also actively studied. The TMI accident shows that the probability that the molten core remains contained in the vessel is rather high, even if water is introduced in the vessel in a discontinuous way. It is estimated that in a large LOCA a discrete amount of water remains in the reactor vessel, typically up to the level of the lower core support plate. This is equivalent to the possibility of cooling one half of the molten core in a PWR and even more in a BWR.
If it is supposed that all the core collects on the bottom as debris, it would be necessary to dissipate about 2 MW/m² of heat, which is possible at high pressure but not at low pressure because the “dryout” flux would need to be overcome.


The probability that the principal structures, including the vessel bottom, remain intact during the relocation of the fuel is high even if the debris is not significantly cooled: this is borne out by the evidence from TMI. One of the worst scenarios that can be thought of is that of a molten pool with a separation of phases: an oxidic one containing UO2 and a metallic lighter one. In this case, the metallic phase floats on the oxidic one and may transmit to the vessel wall an elevated thermal flux (various megawatts per square meter) which may cause its rupture if an oxide crust is not present on it. It is not known if such a configuration is a realistic one. All these phenomena have been the object of research, including the RASPLAV program, which was also strongly supported by Russia (Expert Seminar, 2000). A defence strategy includes the voluntary flooding of the reactor cavity (already mentioned) (AP600, AP 1000 reactors).

14.1.8 RECOMMENDATIONS FOR THE PREVENTION OF HYPOTHETICAL ACCIDENTS GENERATED BY THE PRESSURE VESSEL

As the integrity of the reactor pressure vessel is an essential safety requirement, it is useful to summarize the fundamental recommendations for the certain prevention of accidents. These recommendations concern the materials, the design, the fabrication, the inspection, and the operation of the vessel.

14.1.8.1 Materials

• Mechanical properties: safety analysis, fabrication to minimize defects, adequate codes (ASME and similar), control bodies requirements, additional requirements of the system designer.
• Discarding top part of ingots during metallurgical work (high carbon segregations, WENRA, 2018).
• Best quality obtainable by technology: toughness, no deterioration in service, weldability. That is: limits on alloy elements even more stringent than usual specifications (e.g., ASME) (C < 0.15%–0.25% for weldability and low transition temperature); low level of impurities taking into account possible synergistic effects.
• Analysis and mechanical tests; in-service surveillance for irradiation effects; fracture toughness tests (12.5 mm compact tension specimens or thicker) for quality control of components and qualification of welding procedures; low temperature irradiation effects on external vessel supports.
• Fracture toughness specimens: every area of possible reduction of toughness due to fabrication.
• Modification of specifications: adequate investigation; adequate experience; weldability trials; toughness; resistance to neutron irradiation; strain aging and thermal embrittlement.
• Weld procedure qualification tests for submerged arc welding of the main vessel shell and cladding: destructive tests; metallographic techniques to check that heat-affected zone (HAZ) reheat cracks are absent.
• The following data are necessary for any material: transition temperature; initial temperature of upper shelf; toughness at start of upper shelf and at operating temperature.
• Procedure for the evaluation of defects found in service, to be agreed upon before start of service:
  • actual crack configuration;
  • replacement of actual defect with a formal defect which may be assessed using fracture mechanics;
  • evaluation of defect using appropriate methods and sensitivity analysis to assess margins;
  • request of continuation of service justified also with reference to crack dimensions forecast for the next in-service inspection.
• Assessment of the absence of danger of stress-assisted corrosion for the water chemistry and flow rate conditions applicable.

14.1.8.2 Design

• Utility check of the adequacy of design transients.
• Vessel fracture by overpressurization at low temperature: system provisions.
• Limitation of severity of overcooling transients; ECCS water temperature, prevention of repressurization at low temperature.
• Attentive review of capacity and reliability of safety valves also for fluid conditions during an accident (water slugs, etc.).
• Verification of 2-D stress analyses by some 3-D analyses (inclined penetrations, bottom heads, etc.).
• 3-D analysis for inlet and outlet nozzles:
  • attention to LOCA;
  • cold inlet and hot outlet;
  • effect of external support blocks;
  • effect of accident blow down forces;
  • local temperature variations and heat transfer coefficients.
• Independent control of stress analyses.
• Checks on the anticipated crack growth rate.
• Assurance that the upper shelf material properties apply under all conditions of high stresses during a LOCA.
• Stress analyses also in the range of small and intermediate breaks (50–150 mm diameter).

An extreme defence (not yet adopted) against the damage caused by vessel failure is the incorporation in the design of a vessel explosion retention cage (see Appendix 15).

14.1.8.3 Fabrication and Inspection

• Weld procedure qualification; exact simulation of geometries, thicknesses, constraints, physical obstacles for the welder and attention to the welder’s position.
• Multilayer submerged arc strip cladding: temperature control, postweld heat treatment in order to eliminate hydrogen (undercladding cracks).
• Qualification of weld procedures: control that welds and HAZ have properties at least equivalent to the base material (fracture toughness at the start of upper shelf and at operation temperature).
• Discarding top (and even bottom) parts of ingots during metallurgical work.
• Delta ferrite levels currently monitored during cladding operations.
• All HAZ in the low-alloy ferritic steel heat treated after welding.
• Records of positions of repairs to welds and base metal and mechanical properties (toughness included).
• Nondestructive examinations of plates, forgings, and other parts before and after cladding deposition, before and after fabrication, after hydraulic tests.
• Record of all the results of tests and important fabrication events to be taken (also video records of manual examinations and of oscilloscope traces).
• Vetting by customer and licensing authority to ensure that the components are inspected satisfactorily.
• Surveillance by customer and licensing authority at all the fabrication phases.
• Qualification of ultrasonic operators on adequate equipment.
• Acceptability and rejection levels established before fabrication begins.
• Inspection procedures: take into account limitations in ultrasonic methods; multiple methods for examinations after hydraulic test in view of future developments.
• Demonstration of the capability of the ultrasonic techniques to detect and size defects in geometries of interest.
• Take into account cladding in calibration systems for ultrasonic inspection.
• Ensure that defects in non-“inspectable” areas are not dangerous.
• Adequate QA is essential.
• External design, fabrication, and inspection verifications do not relieve the fabricator of responsibility.

14.1.8.4 Operation

• Record of occurred transients.
• Same preservice automatic inspection systems applied in-service except for technology advances.
• Frequency of in-service inspections based on absence of degradation due to crack growth.
• Preservation of all examination and inspection records.

14.2 PIPING

14.2.1 EVOLUTION OF THE REGULATORY POSITIONS

The assumption of a guillotine break of the largest system pipe was adopted by water reactor safety practice right from the very beginning. The safety analyses initially included only the thermal-hydraulic consequences of the break, that is, the containment pressurization and the coolant loss from the core. Subsequently, for the sake of consistency, the mechanical consequences of the break were considered too. These were “pipe whip” (i.e., the possible damage caused to components near the broken pipe by the pipe itself being transformed into a whip by the hydraulic reaction forces of the exiting fluid), the impact of the fluid jet on adjacent surfaces, and the loads due to decompression waves propagating inside the broken system with the consequent generation of loads, even asymmetrical ones, on internal components such as the pressure vessel internals and the core itself.


This logical completion of the safety analyses highlighted some negative consequences of having adopted the extreme assumption of the complete rupture of the largest pipe. In particular, for the protection of components from the pipe whip, many cumbersome plastic deformation restraints had to be designed and installed on the pipe runs, in order to prevent the excessive displacement of the pipes themselves. The space occupied by these restraints resulted in a further reduction of the already small space around components and made it more difficult and more costly in terms of the absorbed doses to operators undertaking periodic inspections. Obviously, the issue also generated strong economic burdens due to the restraints themselves and to the increased heat losses from the piping caused by the presence of the restraints. This situation prompted studies on the conditions under which the sudden break of large pipes was really possible and originated the “Leak Before Break” principle. It was also demonstrated that under certain conditions, it was possible to rely on the fact that the cracks present in the pipes and close to becoming “critical” (i.e., in danger of catastrophic propagation) cause fluid leaks which could be detected by industrial means (see Section 2.3) before reaching a critical length. Today this principle is generally accepted and is usually applied with the following exceptions:

• to small pipes (with diameters of 10 cm or less);
• to steam pipes;
• to pipes liable to steam/water hammer;
• to some cases (each experience individually evaluated) of pipes particularly subject to degradation by fatigue or corrosion.

The exceptions apply in the first two cases because of the difficulty of detecting the leaks, and in the last two cases because of the possibility of rupture without previous significant leak. The assumption of complete and instantaneous rupture of the largest pipe continues to be preserved for the evaluation of consequences concerning pressurization and reduction of the cooling capability. This practice also gives protection from partial ruptures of large components, such as large valves, pumps (flange detachment, already happened, IAEA 1997) and vessels (in particular, inspection and maintenance flanged openings). For these components (in particular bolted flanges) the “Leak Before Break” situation is not warranted nor the possibility to detect crack propagation by other means like acoustic emission.

14.2.2 PROBLEMS INDICATED BY EXPERIENCE

14.2.2.1 Cracks in Primary System (see USNRC, 1997a)

It is necessary to repeat here that no case of dangerous cracks or ruptures in large primary pipes (Class 1 ASME) has happened in >15,000 reactor-years of operating experience. As far as breaks in small pipes (i.e., of diameter <5 cm) are concerned, the operating experience (USNRCOAEOD, 1998) indicates a probability of 0.01 breaks per reactor-year, to be compared with the figures adopted in Probabilistic Safety Analyses which range between 0.001 and 0.01 breaks per reactor-year.


The incidences of cracks in small pipes are associated with the following phenomena:

• Thermal fatigue, caused also by defective closure of isolation valves and by consequent seepage of a fluid at different temperatures within the pipes. A well-studied case was that which occurred at the Oconee power station in the United States in 1997 where a leak greater than 41 min21 developed from a fluid make-up and high pressure injection into a primary pipe, because of a loose “thermal sleeve” which did not any longer adequately protect the junction between the small and the large pipe from cyclic temperature variations. The leak was revealed and therefore this is a case of “leak before break” even for a small pipe (a case excluded, as already mentioned, by the conservative assumptions usually adopted). The repair consisted in the installation of a thermal sleeve of a more adequate design.
• Mechanical vibration fatigue, occurring in small pipes and in “socket welds” (Fig. 14.6). In this type of weld, inevitably some stress concentration points are caused due to unwanted but real notches, which are particularly prone to initiate and propagate fatigue cracks. The presence of pressure pulses due to pumps or due to “cavitation” phenomena with rapid evaporation (“flashing”) tends to enhance this tendency. Some real-life cases are:
  • Cracks in suction or discharge lines (10 cm) of a charging positive displacement pump in the Diablo Canyon 1 power station (1990), due either to excessive acceleration of the suction and to defective operation of the pressure peak damping chambers or bellows in the discharge side.
  • Cracks due to “cavitation” on the letdown line from the primary system due to intermittent operation of a regenerative heat exchanger (McGuire, 1988).
• Cracks due to stress-assisted corrosion (ISCC). Many events of this type have happened in BWRs due to their more uncontrollable water chemistry (excessive oxygen content). However, in PWRs, too, some tens of events have happened (e.g., in the Fort Calhoun power station in 1990, the phenomenon was due to oxygen accumulation in a control rod thimble pipe).
• Cracks due to the malfunction of compression fittings. These fittings are often used on small pipes (maximum 2.5 cm diameter) and especially in instrumentation pipes. (In 1991, at Oconee, a rupture happened with leaks of up to 300 L/min.)

FIGURE 14.6 Typical crack in a fillet weld. [Figure labels: equivalent notches and stress concentration points; weld; crack initiated at toe.]

14.2.2.2 Leaks and Breaks in the Secondary Circuit

Unlike in the primary system, both breaks of small pipes and of large pipes have happened in the secondary system of PWRs (USNRC, 1997b). Numerous cracks have occurred at the inlet of feedwater pipes in the steam generator. A phenomenon responsible for these cracks (tens of cases) has been thermal fatigue due to the start-up of the nonpreheated auxiliary feedwater, during the plant start-up or hot shutdown. Also connected with the auxiliary feedwater, cases of water hammer in the steam generator have happened, due to the stoppage for some time of the feedwater and to the subsequent restart of it (>30 events). In all these cases the solution has been found in a different design of the mechanical details (thermal sleeves, water hammer relief valves, etc.). However, the most catastrophic cases to have happened are two cases caused by a break of a main feedwater pipe with corrosion accelerated by water flow. These happened in the Trojan power station in 1985 (368 mm pipe) and in the Surry 2 power station in 1986 (460 mm elbow). In both cases, ferritic steel with low chromium content was involved, with low oxygen water which favors the formation of magnetite (Fe3O4), which is not very hard and more easily attacked by the formation of soluble ferrous ions in an unfavorable water pH (<8.5 or >11). In the case of Surry 2, four casualties were caused by the explosion. The subsequent modifications included the use of steel with 2.5% chromium, the set up of a regular control of the pH and an intensification of periodic inspections.

14.2.3 LEAK DETECTION IN WATER REACTORS

14.2.3.1 Requirements

An example of the requirements for detection systems is the one represented by the NRC Regulatory Guide 1.45 (2016) which is also adopted in many other countries. The principal requirements of the guide are summarized in the following. First of all it is required that identified leaks and nonidentified leaks must be distinguished. For the latter, the admissible limit is 3.8 L/min (1 USgal/min). Then, at least three separated detection systems must be available; two systems out of the three have to be chosen among the following ones: sump-level measurement, flow rates measurement, and radioactivity level in air. Each system must comply with the sensitivity limit of 3.8 L/min in 1 hour. These systems must be designed to resist earthquakes and their instrumentation must be located in the control room.
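The following added example (not from the book or from Regulatory Guide 1.45) shows how the sump-level channel can separate identified from nonidentified leakage and meet the 3.8 L/min in 1 hour sensitivity. Only those two figures come from the text; the sump readings, the 5-minute sampling, the 20-minute regression window and the level-measurement error are constructed assumptions.

```python
"""Added example: nonidentified-leak alarm from containment sump readings.

Only the 3.8 L/min limit and the 1-hour response come from the text; the
sump data, sampling interval, window and noise are constructed assumptions.
"""

LIMIT_L_PER_MIN = 3.8   # admissible nonidentified leakage quoted in the text
RESPONSE_MIN = 60       # a 3.8 L/min leak must be seen within 1 hour
SAMPLE_MIN = 5          # assumed interval between sump readings
WINDOW_MIN = 20         # assumed averaging window for the rate estimate


def slope_l_per_min(samples):
    """Least-squares slope of (minute, litres) pairs, in L/min."""
    n = len(samples)
    mean_t = sum(t for t, _ in samples) / n
    mean_v = sum(v for _, v in samples) / n
    num = sum((t - mean_t) * (v - mean_v) for t, v in samples)
    den = sum((t - mean_t) ** 2 for t, _ in samples)
    return num / den


def first_alarm(readings, identified_l_per_min, window_min=WINDOW_MIN):
    """Return (minute, nonidentified rate) for the first full window whose
    nonidentified inflow reaches the limit, or None if it never does."""
    for i, (t_end, _) in enumerate(readings):
        window = [r for r in readings[: i + 1] if r[0] >= t_end - window_min]
        if window[-1][0] - window[0][0] < window_min:
            continue  # wait until a full window of data is available
        # Total inflow minus the known (identified) leakage is what counts.
        unidentified = slope_l_per_min(window) - identified_l_per_min
        if unidentified >= LIMIT_L_PER_MIN:
            return t_end, unidentified
    return None


def constructed_readings(leak_l_per_min, onset_min, duration_min=120,
                         identified_l_per_min=1.0):
    """Constructed sump inventory: a known identified inflow, a leak that
    starts at onset_min, and a bounded +/-2 L level-measurement error."""
    readings = []
    for i, t in enumerate(range(0, duration_min + 1, SAMPLE_MIN)):
        error = ((i * 7) % 5) - 2.0   # deterministic, cycles through -2..+2 L
        volume = 500.0 + identified_l_per_min * t
        volume += leak_l_per_min * max(0, t - onset_min) + error
        readings.append((t, volume))
    return readings


if __name__ == "__main__":
    for leak in (6.0, 2.0):
        alarm = first_alarm(constructed_readings(leak, onset_min=30), 1.0)
        print(f"leak {leak} L/min from t=30 min ->", alarm)
```

A longer window suppresses level-measurement error but delays the alarm, so it has to stay well inside the 1-hour response time.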


14.2.3.2 Systems Currently Used

The most commonly used systems are the following ones, with their corresponding sensitivities:

• Monitoring of radioactive particulates in air, by which a 0.38 L/min (0.1 USgal/min) leak can be detected in <10 minutes.
• Monitoring of radioactive gases: 7.6 L/min (2 USgal/min) in 40 minutes.
• Monitoring of the condensate in the containment air coolers: 3.8 L/min (1 USgal/min) in 1 hour.
• Sump level and corresponding purging flow rate: 3.8 L/min (1 USgal/min) in 10–20 minutes, except for the effect of absorption of the leaks in pipe insulation layers or the effect of wrong slopes of some floor in the containment.
• Estimate of the primary water inventory: sensitivity <3.8 L/min (1 USgal/min) in 1 hour.
• Humidity sensors in the form of ribbons located on pipes: methods prone to many malfunctions and bypass paths.
• Temperature sensors on the relief lines: in the TMI accident they did not operate well, but the reason was the bad operating practice.
• Visual inspection: it is always very effective, even if its sensitivity is variable and cannot be generalized.

Other more advanced systems are also available. The principal ones in this category are the following:

• Sensors based on detection of the ¹³N isotope. It was initially adopted at the Bugey power station in France, where the problem of cracks in the control rod housings had indicated the need of a high sensitivity system. It is now installed in 25 French power stations; its sensitivity is 0.0038 L/min (0.001 USgal/min) in 1 hour.
• Systems based on acoustic emissions. About 150 sensors are necessary for the pipes of the primary system at an average distance of 1 m from each other. They are installed in various plants in the United States.
• Local humidity monitoring. This is a proprietary system used at the Bohunice power station in Slovakia. The operation principle is based on the presence of a porous tube along the whole extent of the pipe to be examined. Dry air is periodically pumped through the tube and monitored at its arrival point. The presence of humidity indicates a leak and the arrival time of the humidity can be correlated with the distance to the leak. The sensitivity is roughly 0.095 L/min (0.025 USgal/min) and the precision in the estimate of the distance is about 1%.

14.2.4 RESEARCH PROGRAMS ON PIPING

The most complete research program on structural (i.e., nonchemical) aspects of piping integrity, both in normal operation conditions and during accidents, has been the International Piping Integrity Research Group (IPIRG) program undertaken between 1986 and 1992 at the Battelle Memorial Institute, Columbus (Ohio). In two phases, with a large international participation, the overall cost of the program was about US$25 million. The program was undertaken using large size pipes. Seismic excitation was also simulated. The principal conclusions of the program were:

• The calculations used to evaluate dynamic stresses are usually conservative (by a factor of up to 5) because of the conservatism in the evaluation of damping and of plasticity in pipes.
• The secondary stresses are important and may behave as primary stresses in cases of low plasticity.
• The residual stresses are important factors of fatigue crack growth and of evaluations of “leak before break.” They are less important for the evaluation of failure danger.
• The time history of a dynamic load is important if a plasticity effect exists.
• Generally the calculations of fracture mechanics model the pipe as not constrained. The effect of real constraints reduces the losses of fluid from a crack and reduces the loads on the crack itself. These effects are opposed to each other and do not have a big effect on large pipes. For small pipes, however, they may lead to overestimates by factors close to 10 of the maximum failure load.
• Dynamic and thermal aging phenomena may embrittle both ferritic and austenitic steels.
• The presence of sulfur in austenitic steels (even below the limits specified by ASME and ASTM standards) may cause a brittle behavior of the material.
• Experimental data on elbows and T-shaped joints are still scarce.
• The limits for fabrication cracks by ASME are not always conservative.
• The IPIRG program gives data on the crack growth rate for an unstable crack which is important for the consequent dynamic effects (opening times of up to 50 ms have been measured).

The Battelle Institute and NRC have collected all the data and the results on the pipe stability in a series of five CD-ROMs entitled Pipe Fracture Encyclopedia, US Nuclear Regulatory Commission, Washington DC, 20555.

14.3 VALVES

14.3.1 GENERAL REMARKS

This book is obviously concerned with nuclear power plants; however, except for the aspects concerning the presence of radioactivity, the indications coming from operating experience are similar both for nuclear plants and for fossil-fueled plants. Therefore the indications and the suggestions from the latter are applicable to the nuclear power industry. There are many hundreds of important safety valves installed in a nuclear plant. Although they are components common to all process plants, the peculiar needs concerning perfect leak proofing, big sizes, quickness of action, and high reliability demanded by nuclear plants make this component a particularly difficult one to build and maintain in compliance with regulations. As an example, the leak-proof specifications of some valves for nuclear plants were considered by many manufacturers, at the start of this industry, “beyond the possibility of human technology.” Obviously, system provisions do exist which may alleviate the task of the valves, such as redundancy and diversity incorporated in the design; however, even if these are considered, a valve remains one of the most critical components in a plant.


14.3.2 RELEVANT DATA FROM OPERATING EXPERIENCE

In September 1977, a PWR at the Davis Besse power station in the United States was operating at low power (263 MWt, roughly 9% of nominal power) and with a very low content of fission products in the core when almost all the steam generators’ feedwater was lost due to a series of electrical and mechanical malfunctions. Even though one of the two steam-driven auxiliary pumps intervened (the other one did not succeed in reaching nominal conditions because its speed regulator had seized), a transient increase in primary temperature and pressure started and the electromatic pressurizer valve opened as designed. However, instead of letting the pressure decrease down to 15.5 MPa before reclosing, it performed nine opening-closing cycles around its operation value (15.7 MPa) and finally stuck in the open position. Coolant was then continuously lost to the condensation tank and the pressurizer level increased (water entrained toward the pressurizer because of the presence of an opening in its upper part and because of other thermodynamic reasons). The operator, at 1 min 47 s from the start of the accident (T = 1:47), shut down the reactor but the pressure limit for actuation of emergency coolant injection was, however, reached (T = 2:51). The condensation tank filled up and its rupture disc blew off at T = 6, releasing >40 m³ of water into the containment. At T = 6:14, the operators stopped the high-pressure injection pumps, saturation pressure was reached in the primary with the production of steam (T = 8), the level indicator of the pressurizer went off scale and one recirculation pump in each branch of the primary cooling was stopped in order to decrease the heat supplied to the system. At T = 16, the operators manually took control of the feedwater pump which had not automatically reached the nominal operation speed. 
Subsequently (T 5 21) they became aware that the electromatic valve had remained open and they closed the corresponding block valve on the same line, so terminating the loss of coolant. The system was then brought to cold shutdown conditions in a regular way. The causes of the stuck open electromatic valve had been the lack of a confirmation relay in its closure control circuit, the wrong setting in the stroke of its pilot valve and too small tolerances between its stem and the corresponding guide. The behavior of the operators was judged correct and timely. No core damage or radioactivity releases outside the containment took place. Also the containment atmosphere remained clean other than for contaminated dust found on the floor in various zones of the containment affected by the water and steam spill from the condensation tank. Almost two years afterwards, another plant of the same type had a very similar accident except for the fact that the operators, for a combination of management mistakes and of unfavorable circumstances, realized that the electromatic valve had remained stuck open only after 2 hours and 22 minutes. At this time they closed the block valve on the line so terminating the loss of coolant. It was, however, too late and the plant was already doomed. The core was already damaged, the operators were no longer in an optimal psychological condition and the situation continued to deteriorate until it was put under control again after 16 hours from the start of the accident. This was the TMI 2 accident which was responsible for a complete change of mindset in all those concerned with nuclear plant safety, in particular on the side of designers and of operators.


Luckily, the external radioactivity releases were negligible by virtue of the Defence in Depth incorporated since the start of peaceful nuclear energy in Western plants and in particular by the presence of the containment. As we know, the core was completely destroyed. Again at Davis Besse, on June 9, 1985, a complete loss of normal and auxiliary feedwater occurred. During that event, some motor-operated valves provided with torque limiters in the auxiliary feedwater line could not be reopened after having been inadvertently closed. It was determined afterwards that the bypass circuit of the torque switch had not been set to stay closed for a time sufficient to allow the opening of the valve in conditions of high differential pressure. In addition to this opening failure, the failed closure of the motor-operated valves also became a problem after a valve in the auxiliary feedwater system in the US Catawba 2 plant did not succeed in closing completely against an elevated differential pressure (March 14, 1988). The reactor was shut down and no consequences ensued except for the overfilling of a steam generator. It was determined that the cause had been an underestimate of the friction coefficient between discs and seats of the valve by the valve fabricator. In unit 3 of another US plant, at Millstone, on February 17, 1989, the safety injection system was erroneously actuated with the reactor shutdown and depressurized. A motor-operated valve opened but its electrical operator did not succeed in closing it (it was closed manually later) against the forces caused by the full flow in the line. It was later determined that the torque limiter had erroneously been actuated, although its setting was the prescribed one. The method for the determination of the intervention level of the torque limiter had been demonstrated to be inadequate. 
Another type of inadequacy demonstrated by operating experience, this time concerning the inservice seismic qualification tests of components, happened in June 1993 at the Cooper plant in Nebraska. During performance tests of torque limiters used in valves of the suppression chamber ventilation and in the RHR system, it was discovered that in cases of strong dynamic shaking (as could happen in a large or intermediate LOCA), a decoupling mechanism between a valve and a motor could be accidentally opened. In this situation, the affected valves could not have been actuated until the dynamic load had decreased in intensity, so delaying, for possibly a considerable time (up to 15 minutes), the actuation time. The amount of data made available by the various systems for the collection and distribution of operating experience in the nuclear field [Nuclear Plant Reliability Data System (NPRDS) and Licensee Event Reports (LER), in the United States (NRC), and Incident Reporting System (IRS), IAEA, on a worldwide basis] is impressive. It is sufficient to consider that the events collected by the LER system for the motor-operated valves are about 100 per year. From the evidence obtained, compendiums have been prepared that include recommendations and requirements as summarized in Section 14.3.4 and taken from MPR (1976), USNRC (1989) and supplements, from USNRC Generic Letter Supplement 3 (1990), and from Farnan (2016).

14.3.3 THE MOST COMMONLY USED TYPES OF VALVE

Some frequently used valves are listed below. A description of each of them can be found in specialized publications and handbooks.

• simple (globe) valve
• gate valve
• cock valve
• butterfly valve
• nonreturn valve
• stop-check valve
• electromatic valve
• pneumatic valve
• motor-operated valve
• safety valve
• pilot-operated valve.

14.3.4 TYPES OF VALVE: CRITICAL AREAS, DESIGN, AND OPERATION

An annex to NRC Generic Letter 89-10 (USNRC 1989 and Supplement 3 1990) lists the most common deficiencies of motor valves. Many of them apply to air-operated valves and nonreturn valves too, and are as follows:

• incorrect torque switch bypass settings
• incorrect torque switch settings
• unbalanced torque switch
• spring pack gap or incorrect spring pack preload
• incorrect stem packing tightness
• excessive inertia
• loose or tight stem-nut locknut
• incorrect limit switch settings
• stem wear
• bent or broken stem
• worn or broken gears
• grease problems (hardening, migration into spring pack, lack of grease, excessive grease, contamination, nonspecified grease)
• motor insulation or rotor degradation
• incorrect wire size or degraded wiring
• disc/seat binding (includes thermal binding)
• water in internal parts or deterioration due to this
• undersized motor (for degraded voltage conditions or other conditions)
• incorrect valve position indication
• maladjustment or failure of handwheel declutch mechanism
• relay problems (incorrect relays, dirt in relays, deteriorated relays, wrongly wired relays)
• incorrect thermal overload switch settings
• worn or broken bearings
• broken or cracked limit switch and torque switch components
• missing or modified torque switch limiter plate
• improperly sized actuators
• hydraulic lockup
• incorrect metallic materials for gears, keys, bolts, shafts, etc.
• degraded voltage (within design basis)
• defective motor control logic
• excessive seating or back-seating force application
• incorrect reassembly or adjustment after maintenance and/or testing
• unauthorized modifications or adjustments
• torque switch or limit switch binding.

Specific malfunctions of nonreturn valves are:

• leaks through the seals of the disc rotation pin
• blocking of the disc in a closed or open position due to breaks of parts, debris, binding of mechanical pieces
• inadequate leak proofing in closed position for deposited debris or damage to sealing surfaces.

Specific malfunctions of pneumatic valves are:

• the possibility of erroneous regulation of the pilot valve
• the loss of confirmation relays in closed position
• blockage of the actuation piston.

The most common deficiencies and recommendations are described in the PB-261 Report sponsored by EPRI (MPR, 1976). It is based on operating experience openly available but also on interviews with plant personnel. Here is a summary:

14.3.4.1 Compatibility of the Motor Operator With the Valve and Associated Control Circuits

The problems may concern: oversized motors, damage to valves, difficulties with the torque switches, failures of motors, and spurious stop of motors for overload. The symptoms of these events may be: damages to valves (such as stem deformation, fissured discs, seats, fissured body, or yoke), lack of operation of the valve, burned out motors. As far as the oversizing of motors is concerned, the following considerations can be made. First of all the high-speed valves are more susceptible (rotation velocity higher than 50–60 turns per minute). The torque for which the torque switch stops the high-speed valves is much lower than the torque applied to the stem before its arrest (inertia). Typical values measured in specific tests are, respectively, 13 and 230 kgm. The reasons for which a motor may be oversized are various:

• The oversizing may be deliberate in order to cope with situations of low voltage (typically 80%): cases with an oversize of a factor 1.4 or higher have occurred.
• The motors are available with fixed power levels.
• The friction coefficients in the stem taken as a reference for the choice of a motor are generally higher than 0.2, while in reality they will be much lower.
• Many valves are sized to operate with the maximum pressure on one side and with atmospheric pressure on the other, and this causes motor oversizing in many operating circumstances.
• In some cases, two redundant torque switches have been installed (the less reliable part in a torque limiter) operated by the same shaft, and in order to provide the space for the second switch a larger motor has been adopted.

When the power supply voltage is higher than the nominal one, the motor results in being oversized even if it is not. A voltage increase of 5%–10% causes increases in the maximum torque by 10%–20% in a.c. motors.


As far as the remedies are concerned, an extreme option obviously exists of sizing the stem and the other parts of the valve for the maximum torque which the motor can deliver in the absence of a limiter, taking into account the nonnominal voltage, friction lower than the design one, etc. This remedy (stall torque design) is not in general practicable because of its high cost. A more reasonable way is the good practice of more frequent contacts between valve manufacturer and motor manufacturer. The highest responsibility for these contacts is carried by the valve manufacturer as it has the responsibility of ordering the motor. In practice, the valve manufacturer will determine the maximum torque a valve can accept in closure and communicate this to the motor manufacturer, who will suggest a suitable motor, a suitable torque limiter and settings, taking into account the various voltages and frictions possible. An improvement, but not a solution, consists in using, in the valve or operator design, a Belleville spring pack to damp the impact of the closure component against its seat. In determining the force necessary to actuate the valve in design conditions (e.g., against the forces due to a LOCA flow rate in the pipe), it must be taken into account that many analytical methods used are unreliable and that the best demonstration is offered by a field test or prototyping in conditions equivalent to the design ones (tests at reduced pressure are hard to extrapolate). It has to be remembered, also, that any valve which is not blocked (either locked or provided with a control room actuator with a key stored elsewhere) must be considered prone to erroneous positioning and so must be capable of being repositioned, taking into account the opposing forces in the wrong position. Cases of motor undersizing are much less frequent and rather easier to solve.
As far as the difficulties with the thermal overload motor switch are concerned, it has to be remembered that these mechanisms are generally based on a bimetallic foil, although different types exist (e.g., the more expensive “quick trip” type). The thermal behavior of the motor is different from that of the bimetallic device and, in particular, a switch regulated for continuous duty motors does not behave as well for discontinuous duty motors such as those used for valves. For this reason, the interruption time–current curve of the latter must be lower than that of the former (∼80%). As already mentioned, however, it is difficult to satisfy the two specifications generally imposed by the plant operator:

• Stop in <15 seconds for locked rotor situations.
• Stop at nominal current in >20 minutes (for a foreseen operation time of 15 minutes).

The risk, which can be shown from the characteristic curves of overload switches, is that they intervene too soon in the operating cycle, so preventing the operation of the valve. For this reason NRC states in RG 1-106AR383 that the thermal protections should be bypassed in case of accident or regulated in a way which simultaneously takes into account all the most unfavorable circumstances (which is, as already said, very difficult to implement). The practical answer adopted in the industry has been to completely eliminate all the thermal protections or to bypass them in all the cases where an accident could happen (safety-related conditions). As a consequence, cases of burnt-out motors have occurred.

14.3.4.2 Seals on the Stem (Seal Packs, Bellows, etc.)

Excessive leaks from the seals on the stem of a certain number of valves have also caused unscheduled plant stoppage. It is usually sufficient to increase the compression of the seal pack to solve the problem, if the sealing material is not too old or damaged with loss of resilience. In a nuclear plant, however, there is always the problem of access to inside the containment, which cannot be too frequent. One solution, using bellows and diaphragms, is not often adopted because breakages of these components have happened. Symptoms of an excessive leak have been:

• visible water or steam leaks, especially on steam lines, feedwater lines and drain lines;
• formation of visible boric acid crystals on the stem of PWRs;
• broken bellows in the spray valves of pressurizers;
• increase in humidity and in radioactivity in the containment;
• low pressure alarms due to gas leaks in compressed nitrogen and air systems;
• loss of radioactive fluid in the collection systems of liquid or gaseous waste;
• spontaneous change of position of valves for pressure loss in pneumatic valve control circuits.

The problem of the leaks along the stems of valves is usually accepted as normal in conventional and nuclear plants. The situation is kept under control until a suitable time to intervene or when the leaks become unacceptable. Then, generally, the packing follower is adjusted (increasing or decreasing pressure on the packing material) or the packing is replaced. Frequently, temporary drainage lines are installed in order to keep leaks off nearby components. It has been shown that the position of a valve installation has an influence on the frequency of cases of leaks (vertical and horizontal stem valves installed in the same system and with similar operating conditions show different behavior). The horizontally mounted valves are more likely to leak, although the manufacturers usually give assurances that the valves can be mounted in any desired position. In some cases, a modification of a horizontally mounted valve has been successfully implemented. This consists of installing a mechanical support on the stem close to the seal package in order to prevent excessive deformations of the stem itself. It is common to see valves mounted vertically but with the actuator in the lower position. Here, as can be predicted, the leaks moved along the stem and damaged both the stem thread and the valve actuator. Plant operators have found inventive solutions, on a case-by-case basis. For example, a double sealing package with intermediate drainage has been tried on pressurizer spray valves, without much success, and a solution with a bellows and a reserve sealing pack with intermediate drainage has also been attempted with limited success due to frequent breaks in the bellows. For the leaks from the penetrations of check valve disc pins, the obvious remedy has been to weld a cap around the penetration. The following situations have caused recurrent problems that required long maintenance times and excessive radiological exposure to personnel:

• Limited space available for the maintenance of the valve (including one case of a shipment of valves whose sealing packs could not be replaced without completely dismantling the actuator).
• The presence of spacers in the seal package which cannot be removed without exposing them to the liquid counter-pressure (leaks of radioactive liquids) and the absence, in the same spacers, of holes for their removal.

Valve seals, if based on gaskets, will always leak a little. The surface finish of the stem is 8–12 rms, but the finish of the packing cavity is also important. Sealing packs age and are frequently replaced (especially if used on steam lines). The correct choice of the degree of tightening of the pack, which should take into account the opposing needs of ensuring the absence of leaks and of keeping friction forces at a reasonable level, is necessary. As far as bellows are concerned, they may have a useful life of thousands of cycles before showing fatigue cracks. If the displacement of the stem is large, a problem of frequent ruptures of the bellows may exist unless it is very long (control of the unit deformation of the material). The deformable diaphragm behavior may differ greatly even within the same production batch. Diaphragm and bellows are usually available for small valves, up to 2 in., except for very low service temperatures (up to 8 in.). Plug and butterfly valves do not have any axial stem displacement and use various types of sealing O-rings, if the temperature is lower than 200°C. These types of valves have other limitations such as a susceptibility to develop leak paths and to undergo blockage. An industry practice deficiency when preparing orders is that a maximum acceptable leakage along the stem is not specified. The nuclear industry has inherited this practice from the fossil fuel power station industry, where the accessibility and maintainability problems are considerably less severe.

14.3.4.3 Body to Bonnet Gasket Joints

The problem of leaks in gasket joints is common, especially in steam lines, both for conventional and for nuclear plants. It rarely entails shutting down the plant for necessary maintenance. Some temporary solutions adopted by various plants are:

• collecting leaks by temporary provisions and their discharge to collection points on the floor;
• application of temporary external sealants on the leaking part;
• sealing weld on the joint, where allowed by its geometry;
• replacing the gasket and application of a higher tightening force with bolts or studs of stronger material properties;
• changing gasket thickness from thicker to thinner or vice versa and reassembling the joint.

The uncertainties highlighted by the variety of solutions adopted demonstrate the lack of a universally recognized method for the design of these joints which also satisfies the need for limiting the stresses in the flange and bolts, and the leak proofing requirements. The various standards are quoted in Section 14.3.5. Until the arrival of uniform guidance, an advisable solution, apart from the use of valves without the joint in question (“bonnetless” valves) or the systematic use of a sealing weld, is to adopt the value of the gasket tightening force suggested by the manufacturer, under the condition that it complies with the ASME (Section VIII) code for the stresses in the bolted joint. If this is not the case, the tightening force should be decreased until the specifications of the ASME code are met.

14.3.4.4 Fluid Tightness Across the Valve Seats

A certain amount of leakage from the valves is routine. The problem is aggravated in nuclear plants because, in many cases, a total and quick closure of the line is required. This means that the opening–closing cycle method for improving leak proofing, adopted on conventional plants, is not allowed on nuclear plants: good leak proofing obtained by this method is frequently considered to be bad practice.


The general opinion of the operators is that the degree of leak proofing specified for nuclear plants is very difficult to obtain. Moreover, in certain plants, like BWRs, and with reference to the leak proofing test of the steam isolation valves, the test time of the valves and their possible maintenance operations control the downtime of the plant during the periodic refueling stops. In fact, the conditions necessary for the leak proofing tests are not compatible with the refueling operations and therefore the test time of the isolation valves in the steam lines (roughly two days, except for the need for some maintenance) has to be added to the time necessary for the refueling. Moreover, certain data necessary for maintenance are considered by the manufacturers as proprietary and are not shown on the drawings and on the specifications of the valve. A typical example is the difference between the angle of the valve disc or plug and that of their seats. Apparently, however, an art of valve maintenance exists which overrides the lack of systematic information. As far as the leak proofing specification is concerned, reference is usually made to the ANSI N.278.1 Standard (ANSI, 1975), which gives the following definitions:

• Low leakage: when the manufacturer test has to demonstrate a leakage lower than 2 cm³ of water per hour and per inch of nominal diameter.
• Nominal leakage: if the same quantity is 10 cm³ per hour and per inch.

While, therefore, the design/test leakage is defined with reference to water, the nuclear requirement makes reference to the fluid treated. If it is not water, as for many large ventilation and steam valves, the nontrivial problem of the correlation between losses of water and losses of gas/vapor arises. The following facts are instructive in this connection:

• A large (20 in.) isolation valve of a steam line for a BWR is the component involved.
• The shop test made by the manufacturer using air with a 50 psi differential pressure indicated zero leakage.
• After installation on the plant the same valve indicated under the same test conditions a leakage of 200–400 cm³/min.
• Subsequently the test was repeated with water using a differential pressure of 200 and of 1250 psi, complying in both cases, and by an ample margin, with the limit of 2 cm³/h and per inch of diameter.

The development of standards with the support of research is necessary in this field.

14.3.4.5 Misuse of Valves for the Intended Service

In the following, some cases of operation difficulties are described which can be attributed to the erroneous choice of the type of valve. The first case is that of the use of rigid disc gate valves with temperature variations higher than 150°C. It is indeed proven that such a valve, if closed in hot conditions during a cool-down transient with ΔT higher than the indicated value, without cycling in open–closed position during the cooldown, will remain stuck closed and will not open again in cold conditions. It is advised not to use such a valve with thermal excursions higher than 95 K or, more conservatively, higher than 65 K. Alternative solutions exist, understandably more costly, such as the use of “flexible disc” valves and parallel faces disc valves.

The second case is the use of nonreturn valves for applications requiring very good leak proofing. The valves on the feedwater lines and those on gas/vapor systems (inerting, air purging, etc.) are examples of valves with high maintenance needs. Moreover, once reconditioned, generally they start leaking again after a few actuation cycles. In the plant experience, even cases of valves on welded lines are recorded where maintenance could not be performed because a relative displacement of the two parts of the valve along the welded pipe axis was required (e.g., nonreturn valves with a diagonal bolted joint on the valve body). Many maintenance specialists even consider the use of gate valves with an angled seat (tapered wedge, usually at 15 degrees with respect to the stem axis) in welded pipes to be bad practice. In fact the maintenance of the seats requires the exact positioning of the resurfacing machine which is practically impossible in situ, away from the machine shop at the appropriate bench. The only solution to avoid these situations is a design verification system aimed at ascertaining that the valve orders contain all the specifications necessary to avoid the same problems. Some areas where a verification is necessary are:

• The orientation of the valve with respect to the vertical direction.
• Physical accessibility and space available for the dismantling and in situ repairs.
• Presence of adequate attachment points, on the valve and possibly on the structures for lifting heavy parts without damaging machined surfaces.

14.3.5 VALVE STANDARDS

Some standards frequently used in the nuclear field are:

• API 601 Metallic Gaskets for Piping, 3rd ed. 1972–7th ed. 1988, Replaced by ASME B16.20
• DIN TECHNICAL RULE VDI 2200 Tight flange connections—selection, calculation, design, and assembly of bolted flange Connections, Edition 2007-06
• MIL-G-21032D NOT 2 Gasket, Metallic Asbestos, Spiral Wound (S/S By MIL-G-24716 Or Ansi-B16.20)
• ASME B16. Fittings and Valves Package, 2015–2019
• Boiler and Pressure Vessel Code 2017 Complete Set BPVC-complete CODE - 2017
• Section VIII-Rules for Construction of Pressure Vessels
• USNRC RG 1.73 (January 1974) “Qualification tests of electric valve operators installed inside the containment of nuclear power plants.”
• ASTM F1574-03a(2017) Standard Test Method for Compressive Strength at elevated temperatures
• ANSI N.278.1 Standard (ANSI, 1975) “Self-operated and power-operated safety-related valves,” Functional specification standard, ASME.
• USNRC RG 1.96 (Rev.1, June 1976) “Design of main steam isolation valve leakage control systems for boiling water reactor nuclear power plants.”
• USNRC RG 1.106 (Rev. 2 2012) “Thermal overload protection for electric motors on motor-operated valves.”


14.4 CONTAINMENT SYSTEMS

The following deals only with containment leaks that might be expected in an accident. The reader is asked to consult the US Reactor Containment Handbook (ORNL 1965), EUR report 12251 [Safety Features of Operating Light Water Reactors of Western Design, Gavrilas M. et al., EUR 1989, reissued 2018] and Thompson and Beckerley (1970) for other aspects of containment. There is a tendency in the design phase to specify for the containers a figure for the maximum admissible leakage rate which is close to that which is technically obtainable in ideal conditions, that is after having performed complete maintenance to all the important sealing parts (valves, seals for the personnel and equipment air locks, etc.). Consequently, the values chosen for PWR containments are typically 0.1%–0.2% per day and for BWRs 1% per day, referred to the mass contained at design pressure. The difference between the two cases has to be attributed to the presence of much larger isolation components in the BWRs and to the lower dimensions of the corresponding containments (for this reason, the same leak in kilograms per day, that is the same equivalent hole in the containment, is equivalent to a larger percentage of the air content in the containment). In the course of plant operation, however, even if at the start the leak rate was the specified one or lower, a certain deterioration in the containment leak rate takes place and then in case of accident, the leak rate would probably be higher than that measured in the last leakage test. After an accident, some leakage deterioration may also happen due to pressure, temperature, and radiation. It is, therefore, very interesting to estimate a leak rate suitable for use in safety analyses, leaving unchanged the figure inserted in the technical specifications for the maximum leak rate to be demonstrated through periodical tests.
Obviously, each containment is a particular case and the best way to establish a realistic yet conservative value of the leak rate for safety analyses would be to observe the behavior of the containment with time and the amount of the leakages measured both in the “as found” conditions (i.e., before having performed maintenance to the sealing parts) and in the “as left” conditions (i.e., after maintenance). Unfortunately, however, at the time of the design and of the initial safety analyses this experience is not available and, therefore, reasonable preventive estimates have to be made, which should be confirmed during the operation. It must be noted that containments show very different behaviors: cases have happened where, only one week after a leak test and maintenance, the leak rate of some valves has become large again and not within the technical specification limit. These cases happen when a systematic and permanent cause of deterioration of the leak proofing exists, for example, the presence of paint on the internal surface of the ventilation conduits with a tendency to flake and therefore to deteriorate the leak proofing of the isolation valves. In other cases, a strict observance of the technical specification limits is reported both in “as found” and in “as left” conditions for long periods of operation of the plant. Some years ago, in-depth studies (OECD 1990; USNRC 1985, 1988) were performed on the deterioration probability of the leak proofing in real containment systems. The picture that emerged is not very reassuring; for example, the results of the USNRC (1988) study indicate the situation given in Table 14.2.


Table 14.2 Measured Containment Leaks (USNRC 1988)

| Leak Measured Relative to the Specifications | BWRs | PWRs |
|---|---|---|
| From 1 to 10 times | 0.10 | 0.31 |
| From 10 to 100 times | 0.04 | 0.08 |
| Higher than 100 | 0.01 | 0.07 |

BWR, Boiling water reactor; PWR, pressurized water reactor.

This means, for example, by summing the three values in each of the last two columns of the table, that the probability of exceeding the specification values in case of accident is 15% for BWRs and 46% for PWRs. Data like these are the origin of the practical rule, in a probabilistic accident study, of multiplying the specification value by 10 in correspondence with a 10% probability and by 100 for a 1% probability. From Table 14.2, for example, for PWRs, the following empirical law can be derived for the probability P (%) as a function of the multiplication factor x of the specification value of the leakage:

$$P = \frac{1}{0.545255\,x - 0.00419\,x^{2} + 1.632846} \qquad (14.3)$$

For example, for an increase of at least 10 times with reference to the specification value (x = 10), the formula gives a probability of 15%, in agreement with the data in Table 14.1 (sum of the last two values in the second column). In some cases the designer assumes in the safety analyses the specification value of the leakage rate to be increased by a certain factor chosen by good judgment. If the leakage rate is 0.2%, in the safety analyses a value of 1% is sometimes used. This is a matter of opinion; however, it is certainly better than directly using the specification value without the support of previous applicable experience. It is surprising that this issue does not receive much attention in the field of safety studies. Probably, this is due to the fact that a limited exceedance (even 10 times the specification value) has a small effect on the result of the risk analyses (usually dominated by very unlikely but very catastrophic accident sequences, involving a large break in the containment). This issue has been dealt with here because, for the plants now under construction and for future ones, the tendency is to restrict the important consequences of severe accidents to within a small distance from the plant, possibly also avoiding the need to evacuate the population. From this perspective, the real leakage of the containment system becomes very important, in conditions where the containment is not severely damaged. At the same time, great importance has to be attached to the accident management provisions, intended to reduce excessive leakages from some components. Two provisions adopted in various plants are:

• the pressurization of the space between the two isolation valves on a line after an accident;
• the flooding of the same space with water in cases where a gas is present instead (a leakage reduction factor of the order of at least 30 is so obtained).


In the systems with double containment with filtering of the effluents from the annulus between the two containments, a small pipe with a manually actuated valve can also be provided, which connects the space between the two isolation valves on a line with the leakage filtration system, if it is convenient to do so.
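The empirical law of Eq. (14.3) can be checked against the PWR column of Table 14.2 and probed for its range of validity. The Python sketch below is an added example, not taken from the book; the function names are illustrative assumptions, and P is returned as a fraction (0.15 means 15%).

```python
import math

# Table 14.2 (USNRC 1988): fraction of measured containment leak rates in each
# band, the band being a multiple of the technical-specification leak rate.
TABLE_14_2 = {
    "BWR": {(1, 10): 0.10, (10, 100): 0.04, (100, math.inf): 0.01},
    "PWR": {(1, 10): 0.31, (10, 100): 0.08, (100, math.inf): 0.07},
}

# Coefficients of Eq. (14.3), given in the text for PWRs only.
A, B, C = 0.545255, 0.00419, 1.632846


def exceedance_from_table(reactor, x):
    """Probability that the leak is at least x times the specification,
    obtained by summing every band whose lower edge is >= x."""
    return sum(p for (lo, _hi), p in TABLE_14_2[reactor].items() if lo >= x)


def p_formula(x):
    """Eq. (14.3): P = 1 / (A*x - B*x**2 + C), as a fraction."""
    denom = A * x - B * x * x + C
    if denom <= 0:
        raise ValueError(f"Eq. (14.3) is meaningless at x={x}: denominator <= 0")
    return 1.0 / denom


def turning_point():
    """x where the denominator peaks. Beyond it P rises again, which an
    exceedance probability cannot do, so the fit is unusable there."""
    return A / (2 * B)


def pole():
    """Positive root of the denominator, where Eq. (14.3) diverges."""
    return (A + math.sqrt(A * A + 4 * B * C)) / (2 * B)


def factor_for_probability(p):
    """Multiplication factor x with P(x) = p, on the monotonic branch only.
    Solves B*x^2 - A*x + (1/p - C) = 0 and keeps the smaller root."""
    disc = A * A - 4 * B * (1.0 / p - C)
    if disc < 0:
        raise ValueError("probability is below the minimum the fit can reach")
    x = (A - math.sqrt(disc)) / (2 * B)
    if x < 1:
        raise ValueError("probability is above the fitted value at x = 1")
    return x


def fit_residuals():
    """Difference between Eq. (14.3) and the PWR table at the band edges."""
    return {x: p_formula(x) - exceedance_from_table("PWR", x)
            for x in (1, 10, 100)}


if __name__ == "__main__":
    for x, r in fit_residuals().items():
        print(f"x={x:>3}: table={exceedance_from_table('PWR', x):.2f} "
              f"formula={p_formula(x):.4f} residual={r:+.5f}")
    print(f"fit is monotonic only up to x = {turning_point():.1f}")
    print(f"fit diverges at x = {pole():.1f}")
    print(f"x for P = 15%: {factor_for_probability(0.15):.2f}")
```

The fit reproduces the three PWR table values (46%, 15%, 7%) but cannot return probabilities below about 5% and diverges near x = 133, so it should only be used for interpolation inside the tabulated range.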

REFERENCES

ANSI, 1975. Self-operated and Power-operated Safety-related Valves, Functional Specification Standard. N.278.1, ASME.
EUR, 1989. Practices and Rules Applied for the Design of Large Dry PWR Containments within EC Countries. Report EUR 12251 EN, European Commission.
EUR, 1996a. A Review of Formulas for Predicting Irradiation Embrittlement of Reactor Vessel Materials. AMES Report N. 6, EUR 16455 EN, European Commission DG XI/C/2.
EUR, 1996b. Dosimetry and Neutron Transport Methods for Reactor Pressure Vessels. AMES Report N. 8, EUR 16470 EN, European Commission DG XI/C/2.
EUR, 1997. A Comparison of Western and Eastern Nuclear Reactor Pressure Vessel Steels. AMES Report N. 10, EUR 17327 EN, European Commission DG XI/C/2.
Expert Seminar, 2000. Reviews Results of the NEA RASPLAV Project. NEA Press Communiqué, NEA/COM (2000)15, 2000.
Farnan, M.F., 2016. Motor-Operated Valve Regulatory Activities, Component Performance, NDE & Testing Branch Division of Engineering Office of Nuclear Reactor Regulation U.S. Nuclear Regulatory Commission MOV Users’ Group January.
Fed Reg, 1983. Fracture Toughness Requirements for Protection Against Thermal Shock Events. USA Code of Federal Regulations, 10/50.61.
Generic Letter 89-10, Supplement 3, 1990. Consideration of the Results of NRC-Sponsored Tests of Motor-Operated Valves.
IAEA-ebp-wwer-07, 1997. Vwer-1000 Steam Generator Integrity.
Kirk, M., 2013. Development of the alternate pressurized thermal shock rule (10 CFR 50.61a) in the United States. Nucl. Eng. Technol. 45 (3), June, 277–294.
MPR, 1976. Assessment of Industry Valve Problems. PB-261 474, Ass., Inc, Wash. DC for EPRI; Nov. 76.
McGuire (McGuire Nuclear Plant), 1988. A Safety Injection/Reactor Trip Occurred Due to a Design Deficiency of the Main Turbine Controls – Followed by Various Equipment Malfunctions. LER (Licensee Event Reports) 369-87-017-01.
Mukin, R., Clifford, I., Ferroukhi, H., Niffenegger, M., 2018. Pressurized Thermal Shock (PTS) Transient Scenarios Screening Analysis With TRACE. Conference paper, July.
OECD, 1990. Inadequate Isolation of Containment Openings and Penetrations. CSNI Report N. 179, OECD/NEA.
ORNL, 1965. In: Cottrell, Wm.B., Savolainen, A.W. (Eds.), US Reactor Containment Technology (2 vols), ORNL-NSIC-5, A Compilation of Current Practice in Analysis, Design, Construction, Test and Operation. Oak Ridge National Laboratory, Oak Ridge, Tenn. USA.
Thompson, T.J., Beckerley, J.G., 1970. The Technology of Nuclear Reactor Safety, Volume 2 (Reactor Materials and Engineering). The MIT Press, Cambridge, MA.
UKAEA, 1982. An Assessment of the Integrity of PWR Pressure Vessels. Marshall, W. (Chairman), LWR Study Group Report, United Kingdom Atomic Energy Authority.
USNRC, 1985. Reliability Analysis of Containment Isolation Systems. NUREG/CR-4220.
USNRC, 1988. Technical Findings and Regulatory Analysis for Generic Safety Issue II.E.4.3, “Containment Integrity Check”. NUREG 1273.
USNRC, 1989. Safety-Related Motor-Operated Valve Testing and Surveillance. USNRC Gen. Letter No. 89-10, June 28.
USNRC, 1990. Action Plans for Motor-operated Valves and Check Valves. NUREG 1352, June.
USNRC, 1997a. Assessment of Pressurized Water Reactor Primary System Leaks. NUREG/CR-6582, INEEL/EXT-97-01068.
USNRC, 1997b. Review of Industry Efforts to Manage Pressurized Water Reactor Feedwater Nozzle, Piping and Feedring Cracking and Wall Thinning. NUREG/CR-6456, INEEL-96/0089, AEOD/E97-01.
USNRC, 2012. Regulatory Guide 1.106 Thermal Overload Protection for Electric Motors on Motor-operated Valves.
USNRC, 2016. Regulatory Guide 1.45 Guidance on Monitoring and Responding to Reactor Coolant System Leakage.
USNRC-OAEOD, 1998. Rates of Initiating Events at US Nuclear Power Plants: 1987–1995. NUREG/CR-5750, INEEL/EXT-98-00401.
WENRA, 2018. Recommendation in Connection With Macro-segregation Anomalies Found in French Reactors.

CHAPTER 15 EARTHQUAKE RESISTANCE

15.1 GENERAL ASPECTS, CRITERIA, AND STARTING DATA

Seismology and seismic engineering have progressed enormously in recent years. In particular, seismic engineering has rapidly developed since the 1950s (USAEC, 1963; Petrangeli, 1987; Livolant et al., 1979; IAEA, 1992, 2003, 2010; Roesset, 1995; Gurpinar, 1997). As will be seen, the progress in these fields is still in full swing and much of what is written here should be read with this in mind.

With the aim of encouraging research, the organizers of the World Conference of Seismic Engineering in Madrid (1992) distributed an interesting booklet on earthquakes (Gallardo, 1756) (Fig. 15.1), published by Don Isidoro Ortiz Gallardo of Villaroel, a Professor at the Salamanca University in 1756 (during the Enlightenment period) a year after the disastrous Lisbon earthquake, which was felt throughout the Iberian peninsula and in a large part of Europe. Here are some excerpts from Gallardo’s book:

. . . it can be said, generally, that the origin of earthquakes is the underground fire, which being pushed by the wind through some of the mentioned crossings, streets, and fissures enters one or several of the underground caverns where Nature works on producing sulfurs, saltpetre, coal, ammonium, salt, and other similar materials which are very inflammable and combustible. In that way, the lighted fire is so intense that it converts almost instantaneously the saltpetre materials into wind and this latter, unable to bear any oppression, looking for an exit, boils and hits itself against the cavern walls, where it is occluded, until it breaks them; the others enter and so and so; in this way, it runs a long way into the earth and, finally, bursts up, usually there where it finds the lesser strength. So, on the surface beneath which it runs, it produces the quake and the shaking we perceive, while the various effects we admire and cry for are felt there where it is bursting with horrible noise and destruction.

That the phenomenon could follow that path can be inferred from our knowledge of the mechanisms of besieging towns; because, as soon the narrow room of the mine where barrels or powderbags are deposited is closed and the fuse is lighted, the saltpetre parts of which it is composed are transformed into wind which, unable to bear such a narrow jail tries to get out and, shaking the neighbouring land, it destroys the bastions, towers or walls that limited its freedom.

Nuclear Safety. DOI: https://doi.org/10.1016/B978-0-12-818326-7.00015-9 © 2020 Elsevier Ltd. All rights reserved.


FIGURE 15.1 A 250-year-old text on earthquakes. Reproduced from Lecciones, Terremotos, with permission from Colegio de Ingenieros de Caminos, Canales y Puertos, Madrid.


Philosophers have produced rare and even ridiculous divisions and subdivisions of earthquakes, but the most regular and known are those called Quake, Pulse and Inclination; and all these divisions, about which it would be possible to fill several pages, are reduced to the fact that either the soil moves laterally or horizontally as a paralytic, and then is called Quake; or it raises and sinks at steps, imitating in some way the heart beats that we feel in our Arteries, and then it is called Pulse. Or while one part of the site raises, the other sinks, with which the buildings, boulders and mountains tilt and vibrate, and it is called Inclination.

Having dutifully reminded ourselves that research is still underway, it is necessary to say that knowledge does exist which allows us, on the basis of experience, to protect ourselves from the consequences of possible earthquakes. Structures and components behave well in earthquakes if simple design and verification rules are followed. This is true in particular for industrial plants, whose component parts are already normally specified to resist pressures, vibrations of mechanical origin, lateral expansion forces, and strong weights. However, potentially weak points also exist, which past earthquakes highlighted. It is necessary to remember that a wide and balanced mindset is required when approaching seismic engineering problems. The scientific and technological progress has been, in fact, very strong in the modeling of some aspects, while in other sectors it is still necessary to revert to methods which, although conservative, are strongly empirical. This is true both for the correct modeling of the reference ground motion and for the study of the response of structures and of components. An example of the first type of study is the structural analysis in the nonlinear field of complex constructions. An example of the second is soil liquefaction analyses. It is not necessary and sometimes not even correct to apply refined methods only in a part of the logical sequence of analyses (for instance, when performing very refined structural analyses after a very approximate and rough determination of the reference ground motion). As, obviously, it is not useful to use extremely refined analyses in one part of the problem and rough methods in another part of the same problem, it is necessary to choose, for each evaluation, which precision level to use for the whole analysis in order to obtain an optimal overall use of resources. 
It has to be remembered, in order to give an economic measure of the importance of this problem of equilibrium, that the complete analysis of a plant may require a total engineering time which ranges from some thousands to some hundreds of thousands of man-hours (corresponding to a very high cost) according to the degree of refinement of the analyses and tests adopted (Stevenson, 1995). Currently, besides methods of seismic qualification based on refined analyses and extensive tests, auxiliary verification methods (based on experience data which make extensive use of seismic inspections, on checklists based on past experience, and on simplified analyses and tests) are gaining ground in practice and in the degree of acceptance by governmental control bodies. These methods based on experience are obviously less costly, but still offer reliable results, even if rather conservative. They are, therefore, very suitable for a first iteration in a verification to be performed in a short time on an already built plant. An in-depth analysis or experimental test could possibly follow, especially on the most critical aspects highlighted by the first iteration. In cases where the maximum rational rigor in the decisions taken in this rather uncertain field is necessary, the probabilistic method is the one generally adopted. This is one of the areas where the progress in the last 10 years has been strong concerning the probabilistic characterization of the reference seismic motion, and concerning the probabilistic treatment of the strength and functionality of structures and components (fragility curves) (Gurpinar, 1997; IAEA, 1993).


As far as the applicability of seismic standards valid for general construction to nuclear and process plants is concerned (Eurocode, Italian seismic Norms, 2018), the following considerations must be taken into account.

First, phenomena not taken into consideration by the standards can happen and, therefore, the need arises to indicate acceptable verification methods which are logically compatible with the spirit of the standards themselves. A typical case concerns the phenomenon of liquid oscillations in tanks caused by earthquakes and of the possible consequent effects (in particular, for large atmospheric tanks, the impact of the liquid against the roof and consequent damage, the increase in the overturning moment on the tank and possible damage of anchors and elastic-plastic instability of the vertical wall) (Fig. 15.2).

Second, the objectives themselves and the logic of the standards in force do not cover all the protection needs of an industrial plant. In fact the legislator aims to reach two objectives:

• The avoidance of any form of damage to structures in case of an earthquake with a return time roughly equal to the normal life of a building (e.g., 100 years).
• The avoidance of the collapse of the structure, even when damaged, in the case of the most violent earthquake expected on the site.

However, for an industrial plant either nuclear or one at risk of a serious accident, the protection objectives could be expressed as follows:

• To ensure the continued operation of the plant should there be an earthquake with a return time equal to its normal life, possibly after an inspection and after a few simple repairs to damaged components.
• To avoid a serious accident in the case of the most violent earthquake expected on the site.

FIGURE 15.2 Weak points of an atmospheric tank in an earthquake.


As can be seen, the two points of view are different and, while the current standard considers damage and collapse, there is also the need to protect a plant’s functionality and prevent accidents. These concepts imply, in particular, the prevention of significant leaks of noxious gases and liquids, the absence of reactions and of uncontrolled and destructive phenomena and the functionality of the safety equipment (shutdown, cooling, containment, and control). Consequently, the standards in force make ample use of the problematic concept of ductility of a structure, which is, instead, only partially applicable in the case of plants. The ductility of a structure is the ratio between the maximum displacement of one of its representative points at the moment of collapse (ultimate displacement), $X_u$, and the maximum displacement of the same point at the attainment of yielding conditions in the material, $X_s$, always for the same loading scheme and for growing loads:

$$\mu = \frac{X_u}{X_s} \tag{15.1}$$

It can also be assumed, on the basis of calculation and test results, that the displacement of a representative point of a structure can be calculated with a perfectly elastic scheme ($X_e$) even if the structure deforms plastically:

$$X_e = X_u \tag{15.2}$$

Taking into account the fact that the ductility which can be assigned to a structure reaches in many cases values of 3–4 and higher, it can be easily demonstrated that, for simple structures, the limiting requirement of the maximum elastic stresses in the case of a reference earthquake of the order of 0.1 g (seismicity degree 12 or seismic Class I for Italian standards, corresponding to a return time of roughly 150 years) offers protection from collapse for earthquakes with a maximum ground acceleration at least of the order of 0.3 (return time of roughly 500 years or more) (Castellani et al., 2000). Considerations of this type are applicable only to industrial plant structures that are to be protected from collapse, that is, to parts of the plant.

For all other structures and components, criteria and guidelines more suitable to the real needs of protection from accidents are necessary. These criteria and guidelines must, on one side, comply with the logical approach of the standards in force and adjust them to the specific needs of the plants and, on the other, take into account those phenomena which the standards do not consider but are still important.

This chapter gives some considerations, mainly general, which are useful for a correct approach to the problem, and discusses some phenomena and problems of particular relevance. A more complete and detailed treatment of any single issue may be found in the given references.

15.2 REFERENCE GROUND MOTION

The seismic motion of a point in the ground is complex, and motion along all six degrees of freedom takes place (the three translation ones and the three rotation ones; Fig. 15.3). Prof. Gallardo de Salamanca (quoted above) reduced them to three principal ones: that is, one of horizontal oscillation, one of vertical oscillation, and one of rotation around a horizontal axis. In reality the horizontal oscillation and the rotation each count twice if they are applied to any direction in the horizontal plane.

FIGURE 15.3 The six real degrees of freedom and the three degrees generally used.

Today we reduce the seismic reference motions to those which experience has indicated are generally prevailing in practice: a horizontal oscillatory translation (in the various possible directions) and a vertical one. Even with this simplification, the problem of defining the seismic ground motion as an input datum in the seismic analysis of the plant is far from trivial: here too some conventionally accepted and usually conservative assumptions are necessary (Castellani et al., 2000; Roesset, 1995).


According to what we know today (which supersedes the “explosive” model described by Gallardo), an earthquake is usually started by the sudden relative sliding of contiguous zones of the Earth’s crust along fracture surfaces (faults), due to the internal state of stress of the ground itself. The accumulated elastic energy is then liberated in the surrounding medium producing compression and shear seismic waves which also become surface ones near the free surface of the ground. Even if today it is possible to try to determine the surface ground motion on the basis of assumptions on the original fault sliding event, this is not usually the starting point for the definition of the reference seismic motion in plant analysis.

The reference motion is generally (with an enormous simplification) characterized by a maximum peak ground acceleration in the horizontal direction and by a design or verification spectrum derived from a large number of strong earthquakes which have been adequately recorded and analyzed. The maximum vertical acceleration, then, is assumed equal to a fraction (50%–70%) of the horizontal one. These data are sufficient to perform a modal analysis of the structure but not, obviously, a space-time analysis, for which a reference ground accelerogram is necessary.

The response spectrum of a specific earthquake is a diagram of the response (acceleration, velocity, and maximum displacement) to the seismic motion of a simple elastic oscillator, characterized by a natural frequency of oscillation and by a damping value. A design or verification spectrum is an average of various spectra of many past earthquakes considered representative of the site of interest. The acceleration design spectrum has obviously, in correspondence with zero period, the value of the maximum ground acceleration chosen as a reference. In fact, this value is the response of a perfectly rigid object resting on the ground. Fig. 15.4 shows a design spectrum that is often used for nuclear plants (for a damping equal to 5% of the critical one) and a typical design spectrum of the Italian standards (Italian Seismic Norms, 2018, based on Eurocodes), both normalized to the maximum ground acceleration of 1 g. It must be noted that the Italian standard spectrum does not present a decrease at high frequencies. This is frequently done in order to take into account the increase in the natural period of vibration due to a plastic behavior of the structure, in the cases where this plastic behavior is allowed but the seismic response calculations are made using linear models.

This simplified characterization of the reference seismic motion does not explicitly specify two other fundamental characteristics: its duration and its frequency content. For this reason, in cases where the analysis of the structure and of the components is very complete, in addition to the couple “maximum ground acceleration-response spectrum,” one or more accelerograms consistent with the same spectrum are specified. The reference spectrum must take into account specific properties of the foundation soil (e.g., very compressible soils have a low shear wave velocity).

The design spectra are, as already explained, principally derived from accelerometric records of real earthquakes, obtained by instruments located at a point on the ground. These records, however, do not take into account that the transmission of the ground motion to a structure is different to the transmission of the same motion to an accelerometer. In fact, a structure is very different in size and inertial properties to those of an accelerometer. This kind of problem is called “soil-structure interaction.” Neglecting it, as is done in some civil-use standards, leads in general to conservative evaluations which, in the case of massive structures extended in plan and with a high rigidity, can be exceedingly conservative.
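The response-spectrum definition given above, worked as an added Python example (not taken from the book): a unit-mass elastic oscillator is integrated with the Newmark average-acceleration scheme over a constructed accelerogram, and the stiff end of the spectrum is seen to return the peak ground acceleration. The accelerogram, the time step, the frequency list and all function names are assumptions made for illustration.

```python
import math

G = 9.81  # m/s^2, converts accelerations in g to SI for the displacement output


def make_accelerogram(pga_g=0.3, f0_hz=2.0, duration_s=10.0, dt=0.001):
    """Constructed ground motion (not a real record): a 2 Hz sine under a
    sin^2 envelope, in units of g, sampled every dt seconds."""
    n = int(round(duration_s / dt)) + 1
    return [pga_g * math.sin(math.pi * i * dt / duration_s) ** 2
            * math.sin(2.0 * math.pi * f0_hz * i * dt) for i in range(n)]


def sdof_peak_response(ag, dt, freq_hz, damping=0.05):
    """Peak response of a simple elastic oscillator resting on the ground.

    Solves u'' + 2*z*w*u' + w^2*u = -ag(t), with u the displacement relative
    to the ground, using the Newmark average-acceleration scheme.
    Returns (Sd in m, Sa in g): peak relative displacement and peak absolute
    acceleration.
    """
    w = 2.0 * math.pi * freq_hz
    k, c = w * w, 2.0 * damping * w              # unit mass
    k_hat = k + 2.0 * c / dt + 4.0 / (dt * dt)   # effective stiffness
    u = v = 0.0
    a = -ag[0]                                   # equilibrium at t = 0
    sd = sa = 0.0
    for ag_next in ag[1:]:
        rhs = (-ag_next + 4.0 * u / (dt * dt) + 4.0 * v / dt + a
               + c * (2.0 * u / dt + v))
        u_new = rhs / k_hat
        v_new = 2.0 * (u_new - u) / dt - v
        a = -ag_next - c * v_new - k * u_new     # relative acceleration
        u, v = u_new, v_new
        sd = max(sd, abs(u))
        sa = max(sa, abs(a + ag_next))           # absolute = relative + ground
    return sd * G, sa


def response_spectrum(ag, dt, freqs_hz, damping=0.05):
    """Rows of (frequency Hz, Sd m, pseudo-velocity m/s, Sa g)."""
    rows = []
    for f in freqs_hz:
        sd, sa = sdof_peak_response(ag, dt, f, damping)
        rows.append((f, sd, 2.0 * math.pi * f * sd, sa))
    return rows


if __name__ == "__main__":
    dt = 0.001
    ag = make_accelerogram(dt=dt)
    pga = max(abs(x) for x in ag)
    print(f"PGA = {pga:.3f} g, damping 5% of critical")
    for f, sd, psv, sa in response_spectrum(ag, dt, [0.2, 0.5, 1, 2, 5, 10, 20, 50]):
        print(f"{f:5.1f} Hz  Sd={sd:8.4f} m  PSv={psv:7.3f} m/s  "
              f"Sa={sa:6.3f} g  Sa/PGA={sa / pga:5.2f}")
```

Replacing `make_accelerogram` with a recorded time history (same units and time step) gives the spectrum of that specific earthquake.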
FIGURE 15.4 (A) The design spectrum for nuclear plants and (B) a spectrum of general (Italian) seismic standards (Eurocode). [Both panels: acceleration A (g) versus frequency F (1/s).]

The soil-structure interaction is usually subdivided into two types or parts, each one corresponding to different phenomena: a “kinematic” interaction and an “inertial” interaction. The kinematic interaction derives from the fact that the seismic motion, at the contact between foundation soil and structure, must comply with the border geometric conditions imposed by the continuity with the structure itself (e.g., the type of “rigid body displacements” in correspondence with a foundation plate). A particular effect of the consideration of the kinematic interaction is to take into account that, for large foundation plates (plan dimensions of many tens of meters), the length of the seismic wave in the ground may be of the same order of magnitude as the plan dimensions of the plate (especially for not very compact soils with low shear wave velocity), so that the motion transmitted to the plate by the ground will not be the one which could be recorded by a point accelerometer, and will be lower, as it corresponds to an average of the ground motions in various points of the same seismic wave.

The inertial soil-structure interaction, instead, takes into account the fact that in the transmission of motion from the ground to the structure, the inertia of the structure itself makes it behave elastically (and not rigidly) coupled to the ground and, therefore, with a mechanical coupling which can be modeled, in a modal response analysis, by elastic constants and damping coefficients (either mechanical or “radiation” damping or material damping, see section on soil-structure interaction on p. 173) in all the degrees of freedom of interest (Castellani et al., 2000).


A still more complex problem arises when the response spectra available are not deemed directly applicable to the case under examination, for example, when they are representative of rock while the soil of interest is made of compressible alluvial deposits. If these situations are to be taken into account, it is necessary to make complex calculations of seismic motion transmission in the ground in order to closely represent the real situation (convolution or deconvolution of the seismic motion of the ground), which frequently use artificial earthquakes corresponding to the desired characteristics (Roesset, 1995).

The above illustrates the potential complexity in defining the seismic ground motion for a structural verification. Fortunately, these complex analyses are not usually necessary in practical cases and have only to be considered to validate simpler practices or as evaluation tools for cases which, sometimes because of the conservatism of the analyses used, are classified in a first iteration as critical.

A good conservative compromise in the specification of a seismic motion for a structural analysis consists in specifying a reference spectrum (which to some degree takes into account the possibly very peculiar characteristics of the ground of interest) and a maximum ground acceleration and in subsequently applying the so-defined earthquake directly at the base of the structure or, with greater realism, as a set of springs and dampers on which the structure is supposed to rest (a suitable way to simulate the inertial soil-structure interaction) (Fig. 15.5). Simple formulae for the determination of equivalent springs and dampers for soil-structure interaction can be found in seismic engineering textbooks (Castellani et al., 2000; Roesset, 1980). Some examples are also included in the section on soil-structure interaction on page 173.

FIGURE 15.5 Modeling of the inertial soil-structure interaction by springs and dampers. [Sketch labels: structure; model with springs Kx, Kz, Kϕ and dampers Cx, Cz.]

The definition of maximum ground acceleration and of reference spectrum can be made on the basis of the national standards for conventional buildings (Italian seismic Norms 1996), on the basis of the more recent concepts incorporated in the European standards under preparation (Eurocode, 2002; Italian, 1996) and on the basis of guidelines prepared for similar cases in other countries or under the sponsorship of international organizations (Kanagawa, 1994; IAEA, 1985 and 1999; Seed et al., 1983).

In nuclear reactors and in other important industrial installations, the following methods are usually applied (Serva, 2001). First of all it is necessary to compile a specific and complete database to construct a seismotectonic model of the area, from which the potential earthquakes which could hit the site might be identified. The database must include geological and seismological information. In general four scales of investigation are adopted with increasing detail going toward the site: a regional scale (within 100–300 km), a close regional one, one near the site and the last on the site itself.

The principal aim of the regional studies is to supply the knowledge of the tectonic picture and of its general geodynamical features and to identify and characterize the seismogenic aspects which may have importance for the seismic hazard on the site. The principal aim of the close regional studies is to characterize the most important seismogenic structures for the assessment of the seismic hazard. The investigations near the site, as already mentioned, are intended to define in greater detail the neotectonic history of the faults with the special aim of defining the possibility of surface faulting on the site (capability of the faults) and of identifying the sources of potential instabilities.
The investigations on the site itself should concentrate on the definition of the physical properties of the foundation materials and on the determination of their stability and of their response in case of seismic motion.

Usually two levels of reference earthquakes are looked for: SL1 (the lower) and SL2 (the higher) (IAEA, 2010). In some countries SL2 is characterized by a probability not greater than $10^{-4}$ a year and SL1 by a probability roughly 100 times higher. SL1 and SL2 can be identified by a deterministic or by a probabilistic method. For SL2, the deterministic method (introduced for the first time by the USCFR 100 App. A, see References) implies:

• the reduction of the seismo-tectonic model defined by the four scales of investigation to a set of seismogenic structures;
• the identification of the maximum potential earthquake to be associated with each seismogenic structure;
• the performance of the following evaluations:
  • The assumption should be made that, for each seismogenic structure, the maximum potential earthquake happens at the point of the structure which is closer to the site, taking into account the physical dimension of the source. When the site is located within the borders of a seismogenic structure the maximum potential earthquake must be assumed exactly below the site. In this case particular care should be placed in assessing that the structure is not capable (to produce faulting on the site).
  • An appropriate relationship of attenuation with distance should be used in order to determine the level of ground motion that each one of these earthquakes would generate on the site, considering the local characteristics of the site itself.


The probabilistic technique entails the following steps:

1. Refining the seismo-tectonic model in terms of type of source (e.g., volume, area, or point source), of geometry and of depth.
2. For each source, identifying the following parameters (uncertainties included):
   a. the magnitude-frequency or intensity-frequency relationships;
   b. the maximum magnitude (or cut-off magnitude, that is the one which cannot be physically overcome) or maximum intensity;
   c. the relationship of attenuation with distance.
3. Choosing the appropriate stochastic models (e.g., Poisson, Markov, etc.).
4. Evaluating the best estimate hazard curve, with appropriate confidence intervals.
5. Using for the design or the verifications, those values of the ground motion which correspond to the probabilities chosen as a reference criterion.

The characteristics of the reference motions for the SL1 and SL2 designs include response spectra for a sufficient number of damping values and space-time histories (variation of ground acceleration with time) compatible with the spectra. Various methods have been used to choose the response spectra, among which the most used ones are those of the Standard Response Spectrum (e.g., that of USNRC Regulatory Guide 1.60, Rev.2, 2014, Fig. 15.6) and that of the Site Response Spectrum. When defining the damping values, it is necessary to remember their dependence on the level of stress/deformation of the materials (e.g., as in the USNRC Regulatory Guide 1.61, Table 15.1).

The space-time histories are, in general, deemed necessary (except for the use of approximate methods described later) for the evaluation of the response of plant components, for the evaluation of the nonlinear structural behavior (rarely needed) and for certain evaluations of soil-structure interaction. They should also represent the duration of the shaking, which is frequently correlated with the length of the origin fault and with the velocity of propagation of its rupture.
Another input datum is the ratio between maximum vertical and horizontal acceleration of the ground. In the absence of data recorded on the site, this ratio can be decided by good judgment (e.g., 2/3). The records of past earthquakes indicate that this ratio varies between 1/2 and 1, with maximum values for close earthquakes (i.e., a focus at short distance from the record point), and that it also varies with the lithological characteristics of the site and with other factors.

In some countries, exclusion criteria for nuclear sites are used. For example, in Italy the criterion of historical earthquakes is macroseismic intensity higher than IX MSK (frequently corresponding to a maximum ground acceleration of about 0.25 g). In many countries the criterion of danger of surface faulting on the site is used as an exclusion criterion. In this connection it is surprising that some regulations accept faulting under a nuclear site, especially where the evaluation of a fissure forming underground appears extremely problematic and uncertain. However, experts maintain that a design resisting surface faulting can be made, but it is not good practice and probably must be limited with completely reassuring margins. For existing plants, difficult and complex studies may be warranted together with the implementation of costly structural reinforcements, if closure is to be prevented.

Up to now the macroseismic scale (MSK) has been discussed, but whichever intensity scale is used, it indicates, at each level, the amount of observed damage the earthquake will cause.

FIGURE 15.6 Design spectrum taken from USNRC Regulatory Guide 1.60, Rev.2, 2014. [Plot of velocity (in/s) versus frequency (Hz), with displacement (inch) and acceleration (g) scales, for damping values of 0.5%, 2%, 5%, and 10%.]

Table 15.1 Damping as a Percentage of the Critical One (USNRC Regulatory Guide 1.61)

| Structure or Component | Stresses Below Yield Point (SL1) | Stresses at Yield Point or Higher (SL2) |
|---|---|---|
| Large components and systems with large pipes (diameter 30 cm or higher) | 3 | 4 |
| Welded steel structures | 2 | 4 |
| Bolted steel structures | 3–5 | 7 |
| Pretensioned concrete | 3 | 5 |
| Reinforced concrete | 4 | 7 |


Table 15.2 The Mercalli Intensity Scale

| Degree | Denomination of the Earthquake | Effects |
|---|---|---|
| IV | Moderate | Not perceived in the open. A few perceive it inside houses. |
| V | Rather strong | Perceived by many in the streets. Chandeliers oscillate. |
| VII | Very strong | Tiles and chimneys fall. |
| VIII | Ruinous | About one quarter of the houses severely damaged and partially collapsed. |
| IX | Destructive | Destruction of about one half of the buildings. |
| X | Completely destructive | About three-quarters of the buildings collapse. Folds and cracks in the ground and in the streets. |
| XII | Highly catastrophic | No human construction resists. Destruction of the landscape. |

Typical Ground Acceleration (three values given in the table): 0.03 g, 0.25 g, 0.7 g

Table 15.2 shows the main characteristics of the Italian Mercalli intensity scale, together with the typical maximum ground accelerations.

The magnitude scales (the best known is the Richter scale) intend to indicate, instead, the severity of the event itself, independently from the distance at which it is observed or recorded. The degrees of the Richter scale are correlated to the response of a certain type of seismograph located at a certain distance from the epicenter and, therefore, they depend on a conventional definition. They can be correlated, however, with the overall energy involved in the seismic event (i.e., by the sliding of the originating fault).

In the seismological literature the correlations between intensity and maximum ground acceleration and between magnitude, distance from the focus (or from the epicenter) and maximum horizontal ground acceleration are abundant. One of them is reproduced here (Ambrayses, 1988) for the maximum acceleration (average of the measured values) obtained from European and Middle-Eastern data.

$$\log_{10} a = -1.48 + 0.266\,M - 0.922 \log_{10}\left(r^2 + 12.25\right)^{0.5} + 0.117\,S_A + 0.124\,S_S \tag{15.3}$$

where $a$ is the maximum horizontal acceleration in g, $M$ is the Richter magnitude (for $M > 6.2$ the momentum-magnitude, $M_w$, should be rather higher, e.g., $M_w = 7.8$ for $M = 7$), $r$ is the epicentral distance (km), $S_A$ and $S_S$ are parameters dependent on the nature of soil on site (= 0 for bedrock sites, indicatively with shear wave velocity $V_s > 750$ m/s; for well-compacted materials with $V_s = 360$–$750$ m/s, $S_A = 1$ and $S_S = 0$; for average or low-compacted alluvial sites with $V_s = 180$–$360$ m/s, $S_A = 0$ and $S_S = 1$).

An example determination of the reference earthquake SL2 on a site follows. It is assumed that the seismological and tectonic investigations have shown the following elements of interest (Fig. 15.7):


FIGURE 15.7 Sample case for determination of reference earthquake. [Diagram labels: faults, F, T1, T2, SITE, L = 20 km]

• A line of active faulting AB, 100 km long, with a maximum historical earthquake T1 of magnitude 6.
• A maximum historical earthquake T2 of magnitude 5 which cannot be associated to any seismogenic structure of the region.

First of all, on the basis of the length of the fault AB and considering the existing correlations between length of fault and maximum expected magnitude, the earthquake T1 is associated with a magnitude of 7.3 instead of 6. This earthquake is then displaced at the point closest to the site along the faulting line and subsequently attenuated for the 20 km distance. The resulting maximum acceleration is equal to 0.8 g. The earthquake T2 which cannot be associated to structures is supposed to occur under the site, giving rise to a maximum acceleration of 0.22 g. The earthquake SL2 will therefore have a maximum acceleration of 0.8 g. An empirical table (Table 15.3) is chosen to correlate the maximum active fault length with the maximum expected magnitude. It must be remembered that the determination of reference earthquakes can be in error. Indeed, cases have happened where the historical data of past earthquakes and geological data are inadequate: a situation which should be corrected by further studies and research. Moreover, at least in principle, cases may exist where the future behavior of the Earth’s crust in the place of interest has not been announced yet by previous historical events and cannot be foreseen by the observation of already evident tectonic characteristics, either on the surface or below the surface. It is, therefore, compulsory that a cautious attitude is taken and alternative sites are considered. However, the prevailing experience indicates that, generally, today’s seismic events have already been “written” in the history or in the geology of the site.


Table 15.3 Correlation Between Fault Length and Maximum Magnitude of Earthquake

| Length of Fault (km) | Maximum Magnitude |
|---|---|
| 10 | 6 |
| 20 | 6.5 |
| 100 | 7.3 |
| 200 | 7.8 |

In cases where it is impossible to accurately analyze a site and, instead, it is possible to counterbalance this lack of accurate analysis by overdimensioning of structures and components, it is possible to define design earthquakes by simpler methods (IAEA, 1985 and 1999; Petrangeli et al., 1998).

15.3 STRUCTURAL VERIFICATIONS

15.3.1 FOUNDATION SOIL RESISTANCE

The first concern in the seismic verification of a plant is that the foundation soil of the buildings and other components does not collapse in an earthquake. With the help of a geologist, the possibility of surface faulting must be ruled out, that is, the sliding along the causative fault of an assumed earthquake cannot directly or indirectly affect the plant. Generally, this means verifying that the plant is not sited on active faults which are capable of sliding. (Attempts have also been made to set up design rules in the presence of surface faulting. Some operating nuclear plants, in any case, are located on active faults.) The second and very important verification, for plants resting on saturated sandy soils, that is with a relatively shallow water table, is to ensure that the foundation soil cannot be affected by the very insidious phenomenon of soil liquefaction (IAEA, 1985 and 1999; Seed et al., 1983, 1985; Seed and deAlba, 1986; Robertson and Campanella, 1985). When it happens, the shear strength of the soil becomes zero, as in a liquid, and sliding of the foundation soils of buildings and other characteristic phenomena may happen. A typical scenario of many earthquakes (in particular, the 1964 Niigata earthquake in Japan) is that whole buildings effectively “lie down” because the soil resistance disappears. In the Niigata earthquake, according to eyewitnesses, many inhabitants exited overturned buildings by walking on their façades, which had reached an almost horizontal position. Some buildings were recovered by simply rotating them upright again and consolidating the soil beneath. In order to understand this phenomenon, it has to be remembered that the soil shear strength can be represented by

$$\tau = c + (\sigma - \sigma_0)\tan\phi \tag{15.4}$$

where τ is the shear strength of the soil, c is the cohesion (practically zero for sandy soils), σ is the total pressure of the soil, σ0 is the interstitial water pressure, and ϕ is the friction coefficient of the soil.


When the interstitial water pressure grows with a constant total pressure in the same location, the soil shear strength decreases. Moreover, tests and experience show that in rather loose sands, when the load increases the sand density increases too and, therefore, the interstitial water of a saturated sand tends to be expelled. This tendency is opposed by other actions such as surface tension (capillarity) and, therefore, the interstitial pressure of the water tends to increase, with a consequent decrease in the shear strength [see Eq. (15.4)]. This effect, in the repeated loading cycles caused by an earthquake, tends to increase to a point where the shear strength of the soil is practically zero and liquefaction takes place. In general, the liquefaction danger exists down to a depth of 20 m, for cases where the water table is located within 10 m from the ground surface. At a depth of >20 m liquefaction is rare. Moreover, this phenomenon happens in general for medium-fine sands (D60 between 0.02 and 0.2 mm) with a low relative density (lower than 60%) and a low value of the standard penetrometer strength [American Society for Testing of Materials (ASTM)]. The evaluation of the liquefaction hazard is made comparing the maximum shear generated in the soil by the earthquake with the experimental results of the maximum shear stress which the same soil can withstand without undergoing liquefaction. It is not usually necessary to have recourse to sophisticated calculation methods, at least as a first approximation: empirical or semiempirical methods, however, do exist (IAEA, 1985 and 1999; Robertson and Campanella, 1985) which allow the presence of this danger to be verified on the basis of the maximum ground acceleration of the reference earthquake, of the water table depth, of the grain size distribution of the sand, and of the value of the standard penetrometer test.
It is also to be remembered that, generally, these methods indicate the cases where the consequences of the liquefaction are acceptable and those where remedial actions are required (change of site, soil compaction, interventions on the water table). The various study and evaluation means of this phenomenon can be summarized in various levels of importance, but they are not exclusive to one another:

• Historical investigations: Information on the effects caused at the site by past earthquakes (equivalent to the reference earthquake), the evaluation of which relates to the liquefaction phenomenon.
• Empirical correlations: The susceptibility of soils to liquefaction depends on their characteristics (grain size distribution, density, age, etc.) and on the presence of water (depth of the aquifer).
• Onsite investigations: Correlation between liquefaction phenomena observed and soil properties measured in the field. Measurement methods of the resistance to liquefaction using cone penetration (CPT) and standard penetration (SPT) tests have been developed.
• Laboratory investigations: Comparison between results of cyclical tests (cyclical triaxial) with stresses calculated by numerical methods which simulate the propagation of the seismic waves in the medium. Drawbacks: Difficulty of sampling. Advantages: Gives an estimate when correlations are not available.

As indicated, for first approximation evaluations, the assessment of the susceptibility to liquefaction can be omitted when the saturated soil is located >20 m below the surface. Moreover, as the liquefaction is a threshold phenomenon, the analysis can be omitted when, for a sufficiently long return time, the vibratory ground motion at the surface has a peak acceleration <0.15 g.


In general the liquefaction potential can be evaluated by one of the methods which use field test data (CPT, SPT), such as those proposed by Seed and deAlba (1986), Seed et al. (1983, 1985), and Robertson and Campanella (1985). For the complete description of the analysis method, reference should be made to the specialized literature. Complementing these empirical methods, analytical methods can be used which better describe the real phenomenon of the dissipation of the interstitial pressure in the soil pores. As already mentioned, a verification of the absence of a liquefaction hazard during an earthquake in a region of saturated sands is essential. Various methods used for this verification are listed in Petrangeli et al. (1998). There follows a widely adopted, simplified method for assessing the liquefaction danger. The method first of all calculates the shear stress generated by the earthquake in the ground and then the shear stress bearable by the saturated soil. The comparison between the two quantities indicates whether a soil liquefaction danger exists or not. The shear stress generated by the earthquake is given by:

$$\frac{\tau_d}{\sigma'_0} = \frac{a_g}{g}\,\gamma_n\,\gamma_d\,\frac{\sigma_0}{\sigma'_0} \tag{15.5}$$

where ag is the horizontal design acceleration, g is the acceleration due to gravity, σ0 is the total vertical soil pressure, σ′0 is the effective vertical soil pressure (i.e., σ0 minus the water pressure), γd is a stress reduction factor equal to (1 − 0.015 z), z is the depth of the considered element in meters, γn is a reduction factor equal to 0.1(M − 1), and M is the magnitude of the design earthquake. The reduction factor, γn, accounts for the variation of the number of effective stress cycles with the variation of the earthquake magnitude. To calculate the resistance of the soil to liquefaction a “normalized” value of the SPT number of blows per foot, Na, which takes into account the percentage of fine sands (diameters <0.074 mm) and of the lithostatic pressure, is calculated by the following formula:

$$N_a = \frac{1.7N}{\sigma'_0 + 0.7} + \Delta N_f \tag{15.6}$$

where N is the real value of the SPT and ΔNf has the values shown in Table 15.4, with a linear variation between the points. The resistance to liquefaction τ1/σ′0 is found from Table 15.5. The ratio between resistance to liquefaction and stress caused by the earthquake gives the safety factor against liquefaction.

Table 15.4 Values of ΔNf for Fine Sands

| Percentage of Fine Sand | ΔNf |
|---|---|
| 5 | 0 |
| 15 | 5.5 |
| 60 | 10 |
| 100 | 10 |


Table 15.5 Resistance to Liquefaction

| Na | τ1/σ′0 |
|---|---|
| 10 | 0.12 |
| 20 | 0.18 |
| 30 | 0.4 |
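The simplified method of Eqs. (15.5) and (15.6) with Tables 15.4 and 15.5, carried through for one soil layer as an added worked example in Python (not part of the book). Assumptions of this example: σ′0 in Eq. (15.6) is taken in kgf/cm², Table 15.5 is interpolated linearly, values beyond the table ends are handled as commented in the code, and the sample layer is constructed.

```python
"""Simplified liquefaction check: Eqs. (15.5), (15.6), Tables 15.4 and 15.5."""

KGF_CM2_IN_KPA = 98.0665  # ASSUMPTION: sigma'_0 in Eq. (15.6) is in kgf/cm^2
WATER_UNIT_WEIGHT = 9.81  # kN/m^3

TABLE_15_4 = [(5.0, 0.0), (15.0, 5.5), (60.0, 10.0), (100.0, 10.0)]  # % fines -> dNf
TABLE_15_5 = [(10.0, 0.12), (20.0, 0.18), (30.0, 0.4)]               # Na -> tau_1/sigma'_0


def interpolate(table, x):
    """Linear interpolation between table points; x must lie inside the table."""
    if not table[0][0] <= x <= table[-1][0]:
        raise ValueError(f"{x} is outside the tabulated range")
    for (x0, y0), (x1, y1) in zip(table, table[1:]):
        if x <= x1:
            return y0 + (y1 - y0) * (x - x0) / (x1 - x0)


def needs_analysis(depth_m, ag_over_g):
    """Screening stated in the text: omit below 20 m depth or under 0.15 g."""
    return depth_m <= 20.0 and ag_over_g >= 0.15


def seismic_stress_ratio(ag_over_g, magnitude, depth_m, sigma0, sigma0_eff):
    """Eq. (15.5): tau_d / sigma'_0 generated by the design earthquake."""
    gamma_d = 1.0 - 0.015 * depth_m      # stress reduction with depth
    gamma_n = 0.1 * (magnitude - 1.0)    # effective number of stress cycles
    return ag_over_g * gamma_n * gamma_d * sigma0 / sigma0_eff


def normalized_spt(n_blows, sigma0_eff_kpa, fines_percent):
    """Eq. (15.6): Na = 1.7 N / (sigma'_0 + 0.7) + dNf."""
    # ASSUMPTION: below the first table point (5 % fines) no correction applies.
    d_nf = 0.0 if fines_percent < 5.0 else interpolate(TABLE_15_4, fines_percent)
    return 1.7 * n_blows / (sigma0_eff_kpa / KGF_CM2_IN_KPA + 0.7) + d_nf


def liquefaction_resistance(na):
    """Table 15.5 lookup; linear interpolation is an assumption of this example."""
    # ASSUMPTION: above Na = 30 the last tabulated value is kept (conservative).
    # Below Na = 10 the table gives no value, so interpolate() raises ValueError.
    return interpolate(TABLE_15_5, min(na, 30.0))


def safety_factor(layer, ag_over_g, magnitude):
    """Resistance to liquefaction divided by the earthquake-induced stress ratio."""
    z = layer["depth_m"]
    sigma0 = layer["unit_weight"] * z                                 # total, kPa
    pore = WATER_UNIT_WEIGHT * max(0.0, z - layer["water_table_m"])   # water, kPa
    sigma0_eff = sigma0 - pore
    demand = seismic_stress_ratio(ag_over_g, magnitude, z, sigma0, sigma0_eff)
    na = normalized_spt(layer["spt_n"], sigma0_eff, layer["fines_percent"])
    return liquefaction_resistance(na) / demand


# Constructed sample layer (illustrative values, not from the book).
SAMPLE_LAYER = {"depth_m": 6.0, "water_table_m": 2.0, "unit_weight": 18.0,
                "spt_n": 12, "fines_percent": 10.0}

if __name__ == "__main__":
    ag, mag = 0.25, 7.0
    if needs_analysis(SAMPLE_LAYER["depth_m"], ag):
        sf = safety_factor(SAMPLE_LAYER, ag, mag)
        verdict = "liquefaction danger" if sf < 1.0 else "no liquefaction danger"
        print(f"safety factor = {sf:.2f} ({verdict})")
    else:
        print("analysis can be omitted (depth > 20 m or peak acceleration < 0.15 g)")
```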

For constructions of minor importance, the occurrence of a certain percentage of liquefaction can be tolerated. IAEA (1985 and 1999) gives further guidance on this. Verification of the soil strength should not, however, neglect the foundation soil bearing capacity for higher loads caused by an earthquake, the resistance of slopes, soil support walls or of other works of interest for safety, also considering potentially induced indirect effects, such as flood waves in streams due to the failure of dams (Hansen, 1970; Meyerhof, 1951; Janbu, 1957; Morgenstern and Price, 1965; Sarma, 1975, 1981; Espinoza et al., 1994). Geological and geotechnical investigations should be carried out to

• get a geotechnical characterization of the site;
• quantify the geotechnical parameters to be used in the verifications of the foundation soils;
• detect the possibility of instability problems, such as liquefaction, surface ruptures, and collapses in case of a reference seismic event.

The amount, the extent, and the type of the geotechnical investigations to be performed must be tailored to the relevance of the structures (seismic classification). They should allow an evaluation of the stability of the soils on which the structures are founded and will consider a meaningful amount of ground in relationship with the local geological features and with the dimension of the foundation structures. For example, in case of nonrocky soils, a layer of the dimensions of the foundations should be studied. In order to define the dynamic characteristics of the foundation soils, in relation to the choice of an elastic site-compatible spectrum, it is advisable to evaluate the profile of the shear wave velocity. This profile should be determined onsite by “down-hole” geophysical tests. As an alternative, it can be defined with the aid of empirical correlations with the site penetration resistance (SPT, CPT) or with other geotechnical properties. For a more complete definition of the dynamical characteristics, it might be necessary to define shear wave velocity values compatible with the deformations induced in the ground by the passage of seismic waves. In general it is permissible to integrate the in situ data with data obtained in areas having similar geological characteristics.

15.3.1.1 Soil Bearing Capacity (Soil Stability)

Soil bearing capacity is the capability of the foundation soils to bear the dynamic loads transmitted by the structure during an earthquake. Generally, direct testing of foundations can be performed using pseudostatic methods, that is, calculating the bearing capacity for eccentric and inclined loads, in order to take into account the inclination of the applied force (resulting from the weight and the seismic action). Effectively, it assumes, therefore, a rigid-plastic soil behavior model in limiting conditions along the points of the potential sliding surface.


The limit bearing capacity of the foundation soil, Qlim, can be calculated by the empirical formulation proposed by various authors, such as Hansen (1970) and Meyerhof (1951), who correlate Qlim with the soil resistance characteristics and with the dimensions of the foundation structure. The capacity of the foundation soils to bear the dynamic loads transmitted by the structure is verified when the ratio between the load acting on the foundation and Qlim is higher or equal to 1 but which includes a safety margin (e.g., 1.2). The testing of the stability of slopes has to be examined in two different situations:

• The instability involves all or part of the foundation footprint (plant on embankment).
• The instability may happen at some distance from the structure but this can be affected by the mass of unstable soil (plant downhill of a slope or of an embankment).

The evaluation of the seismic response of a slope may be performed by different analysis methods in relationship with the level of complexity of the problem. The simplest approach is the pseudostatic method, and at the other extreme is complete nonlinear finite element modeling (FEM). The choice of the method depends on various factors:

• morphologic and stratigraphic conditions with particular reference to preexisting sliding surfaces;
• physical-mechanical properties of soils;
• intensity of the seismic excitation;
• risk level associated with potential instabilities.

In accordance with what is normally requested by the standards, the slope stability may usually be evaluated using the pseudostatic approach. This approach is useful, in particular, in cases where a differentiated structure is evident between a stronger (and more rigid) volume and a preferential sliding layer. The model of the soil behavior is that of the rigid-plastic type, characterized by zero deformation until the stress state reaches rupture conditions (limit state conditions, assuming that in the foundation soil the limit shear stress is reached along the points of potential sliding surface). The action of the earthquake on the potential sliding mass is represented by an equivalent static force, generally horizontal but possibly also vertical, proportional to the mass itself. The value of the static force can be assumed to be equal to the product of the sliding mass and 50% of the maximum ground acceleration (ag), in conformity with that recommended by Eurocode 8 (2002). The safety coefficient represents the factor by which it is necessary to reduce the shear resistance along the sliding surface in order to satisfy the equilibrium conditions of the mass under examination. A value of 1.3 can be assumed. For purely rotational rupture mechanisms the safety coefficient coincides with the ratio between the stabilizing moment of the shear forces along the sliding surface and the moment of the external forces. For the calculation itself, several methods are available. These are explained in the specialized literature, such as the proposals by Janbu (1957), Morgenstern and Price (1965), Sarma (1975, 1981), and Espinoza et al. (1994). When necessary, the slope stability can be evaluated by numerical methods (FEM nonlinear models) which better approximate the complexity of the phenomenon. In order to design new soil support works near the plant, their function after a seismic event also needs to be known.
Permanent displacement, sliding, or overturning of these structures should be avoided and can be accepted only if they are compatible with the functional requirements of the plant. The stability of these works should be evaluated taking into account

• the nonlinear soil behavior during the interaction with the construction;
• the inertial effect associated with soil masses and support structure mass and with all other loads which may enter in the interaction process;
• the hydrodynamic effects due to the presence of water in the soil or on the free surface of the structure;
• the compatibility of the deformations of the soil, of the structure, and of possible anchor tendons.

For indicative evaluations, the stability of the works can be evaluated by the simplified limit state method. In particular it has to be assumed that the soil behind the works is in the active limit equilibrium condition while the soil located in front of the foot of the works is in the passive limit condition. For the calculation of the total pressure imposed by the soil on the support works, the Mononobe-Okabe formulation can be used (Castellani et al., 2000).

15.3.1.2 Mononobe-Okabe Method

This method applies the Coulomb method to calculating the forces on supporting walls and the stability of slopes in the case of the presence of a horizontal and vertical seismic excitation. In essence, the static forces are accompanied, on the soil wedge which is supposed to detach at the moment of failure (of the wall or of the slope), by a horizontal force and a vertical one of seismic origin, khW and kvW, respectively, where W is the weight of the soil wedge. For an indefinite support wall, the soil is assumed to have a horizontal surface and be composed of noncohesive and dry material. It is assumed that there is no friction between the soil and wall surface and that the earthquake acts in the horizontal direction only. In collapse conditions the situation is described by Eqs. (15.7)–(15.9) and shown in Fig. 15.8.

$$T = N\tan\phi \tag{15.7}$$

Imposing the equilibrium conditions and the condition that the rupture, α, results in a maximum force S,

$$S = \frac{1}{2}\gamma H^2\,\frac{\cos^2(\phi - \theta)}{\cos^2\theta\left[1 + \sqrt{\dfrac{\sin\phi\,\sin(\phi - \theta)}{\cos\theta}}\right]^2} \tag{15.8}$$

where γ is the specific weight of the soil.

$$\theta = \tan^{-1} k_h \tag{15.9}$$

FIGURE 15.8 Soil supporting walls. [Diagram labels: H, W, khW, S, T, N, α, ϕ]

Similarly, the other possible cases are calculated (with various soil inclinations, presence of friction on the wall, presence of vertical seismic acceleration) and the stability of slopes without support walls (assuming trial circular rupture surfaces).

15.3.2 RESISTANCE OF STRUCTURES

The overall characteristics which make a structure particularly resistant to an earthquake are its symmetry in the distribution of masses and rigidities, its compactness, possibly its low height, the good connection between horizontal and vertical elements, the connection between isolated foundation elements, the uniformity and competency of the foundation soil, the provisions against impact between adjacent structures, and the absence of negative effects of nonstructural elements (filling walls, etc.) (Livolant et al., 1979). The absence of P-δ effects (i.e., the strong increase in the loading characteristics, e.g., moments, because of the deformation of the structure) is also to be considered. In the case of simple structures it is possible to use equivalent static methods to those suggested by national standards; in general, however, in many cases a dynamic analysis (also mentioned in the national standards), possibly a simplified one (Kanagawa, 1994), is advisable. The dynamic methods used are a modal analysis with a spectrum as an input and a space-time history analysis which needs one or more accelerograms for inputs. Analyses of the first type are the most common ones; the second type is used in particular cases or for the accurate study of the response of a plant component placed at a specific place in a structure. The seismic engineering texts (e.g., Castellani et al., 2000) and the many electronic computer programs now available (SAP, MARC, ADYNA, ANSYS, etc.) are a reliable basis for these analyses, but considerable computer power may be needed, with associated high costs, where a plastic analysis of complex structures has to be performed.
Similarly, the inclusion of ductility factors, where allowed and made in a conservative way, has to be done with care and attention: in particular it is necessary to distinguish between ductility of a structure point (section) and the complex of the structure, to avoid an excessively conservative outcome and to highlight the possible onset of self-amplification of the cycle load-deformation phenomena (P-δ effects), already mentioned above. The following section details some elements of dynamic analysis which are useful for indicative evaluations.

15.3.2.1 One Degree of Freedom Systems

The equation of free motion for the simple oscillator shown in Fig. 15.9 is

$$m\ddot{v}(t) + c\dot{v}(t) + kv(t) = 0 \tag{15.10}$$

with solution:

$$v = e^{-\xi\omega t}\left(A\sin\omega_D t + B\cos\omega_D t\right) \tag{15.11}$$

with

$$\omega_D = \omega\left(1 - \xi^2\right)^{0.5} \tag{15.12}$$

$$\omega = \sqrt{\frac{K}{M}} \tag{15.13}$$

and

$$T = 2\pi\sqrt{\frac{M}{K}} \tag{15.14}$$

FIGURE 15.9 Simple oscillator. [Diagram labels: m, c, k, v]

where ω is the natural pulsation of the system in radians per second, 2πf = 2π/T, ξ is the damping factor, which is a fraction of the critical one 2mω (i.e., the damping for which the oscillator, if displaced from its equilibrium position, returns to it without oscillations), and ωD is the natural pulsation of the damped system (in practice equal to ω). The response of a simple oscillator to a sinusoidal oscillation of pulsation ωf is a sinusoidal motion with a pulsation equal to the forcing one and with an amplification factor of amplitude M, which is equal to the values shown by Eqs. (15.15) and (15.16), and Fig. 15.10:

$$M = \left[\left(1 - \frac{\omega_f^2}{\omega^2}\right)^2 + \left(2\xi\frac{\omega_f}{\omega}\right)^2\right]^{-0.5} \tag{15.15}$$

which, at resonance, is equivalent to

$$M_{\omega_f = \omega} = \frac{1}{2\xi} \tag{15.16}$$

FIGURE 15.10 Response of a simple oscillator to a sinusoidal excitation. [Plot: M versus ωf/ω, with curves for ξ = 0.01, ξ = 0.1, ξ = 0.2, and ξ = 0.4]

The response of a simple oscillator to a seismic event is given by the value of the spectral response (Fig. 15.6) if the earthquake is defined by its spectrum. Instead, when the earthquake is defined by the space-time history of the ground acceleration, its response can be calculated by the Duhamel integral:

$$v(t) = -\frac{1}{\omega}\int_0^t e^{-\xi\omega(t-\tau)}\,\ddot{v}_g(\tau)\sin\omega(t-\tau)\,d\tau \tag{15.17}$$

where v indicates the displacement of the oscillator with reference to its base and v̈g(τ) is the ground acceleration as a function of the time τ. The maximum value of v during the earthquake is the spectral displacement Sd, while the maximum velocity (with reference to the base) and the maximum absolute acceleration may, with good approximation, be given by Eqs. (15.18) and (15.19).

$$S_v = \omega S_d \tag{15.18}$$

and

$$S_a = \omega^2 S_d \tag{15.19}$$

Fig. 15.11 shows the acceleration record of the horizontal motion of the five most destructive seconds of one of the earthquakes with its epicenter in the area of Loma Prieta (California) in 1989 (record M65D000.010 of USNRC (2001)). The maximum acceleration of the record is 0.56 g. Fig. 15.12 is the same record applying the Duhamel Integral with the Microsoft Excel macro integraleduhamel.xls (prepared by the author and enclosed as the download file, DUHAMEL on the book’s Mendeley website). The Duhamel Integral has been calculated for 20 simple oscillator frequencies ranging from 0.1 to 20 Hz. Fig. 15.13 is the result of the double derivation by finite differences of the data on which Fig. 15.12 is based and of the identification of the maximum acceleration of spectral response for each frequency examined. Fig. 15.14 shows the calculated value of spectral acceleration, ω²Sd, for each frequency. It can be seen that Figs. 15.13 and 15.14 agree fairly well, except at extreme frequencies where the various effects of instrumentation characteristics and calculation approximations introduce large discrepancies.
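The Duhamel integral of Eq. (15.17) and the spectral values of Eqs. (15.18) and (15.19), evaluated numerically as an added example in Python (this is not the author's Excel macro). The accelerogram is a constructed decaying 2 Hz sinusoid, not the Loma Prieta record, and the trapezoidal rule and the function names are choices of this example.

```python
import math


def duhamel_displacement(accel, dt, freq_hz, xi):
    """Relative displacement history v(t) of Eq. (15.17), by the trapezoidal rule.

    accel: ground acceleration samples in m/s^2, spaced dt seconds apart.
    """
    w = 2.0 * math.pi * freq_hz
    history = []
    for k in range(len(accel)):
        total = 0.0
        for j in range(k + 1):
            lag = (k - j) * dt                                # t - tau
            term = math.exp(-xi * w * lag) * accel[j] * math.sin(w * lag)
            total += term if 0 < j < k else 0.5 * term        # end points count half
        history.append(-total * dt / w)
    return history


def spectral_values(accel, dt, freq_hz, xi):
    """Return (Sd, Sv, Sa): Sd = max |v|, Sv = w Sd (15.18), Sa = w^2 Sd (15.19)."""
    w = 2.0 * math.pi * freq_hz
    sd = max(abs(v) for v in duhamel_displacement(accel, dt, freq_hz, xi))
    return sd, w * sd, w * w * sd


def response_spectrum(accel, dt, freqs_hz, xi):
    """One (frequency, Sd, Sv, Sa) tuple per oscillator frequency."""
    return [(f, *spectral_values(accel, dt, f, xi)) for f in freqs_hz]


def constructed_record(duration=5.0, dt=0.01, peak_g=0.3, f_hz=2.0):
    """Constructed accelerogram (not a real record): decaying sinusoid in m/s^2."""
    n = int(round(duration / dt)) + 1
    accel = [peak_g * 9.81 * math.exp(-0.5 * k * dt)
             * math.sin(2.0 * math.pi * f_hz * k * dt) for k in range(n)]
    return accel, dt


if __name__ == "__main__":
    record, step = constructed_record()
    print("f (Hz)   Sd (m)    Sv (m/s)  Sa (m/s^2)")
    for f, sd, sv, sa in response_spectrum(record, step, [0.5, 1, 2, 5, 10], xi=0.05):
        print(f"{f:6.1f}  {sd:8.4f}  {sv:8.3f}  {sa:8.2f}")
```

For an undamped oscillator under a constant ground acceleration a0 the integral has the closed form v(t) = −(a0/ω²)(1 − cos ωt), which gives a quick check of the numerical routine.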

FIGURE 15.11 Acceleration record (horizontal), Loma Prieta (1989). [Plot: ground acceleration (fraction of g) versus time]

FIGURE 15.12 The Duhamel integral of Fig. 15.11. [Plot: displacement (m) versus frequency (Hz)]

FIGURE 15.13 Maximum spectral acceleration of the earthquake represented in Fig. 15.11. [Plot: derived acceleration (m s−2) versus frequency (Hz)]

FIGURE 15.14 Approximate spectral acceleration of the earthquake represented by Fig. 15.11. [Plot: acceleration (m s−2) versus frequency (Hz)]

15.3.2.2 Multidegree of Freedom Systems

Consider a system modeled by N masses, N springs, and N dampers. Its forced oscillations under the action of the N external forces, Pi(t), will be governed by N linear equations of the type shown in Eq. (15.20):

$$\begin{cases} m_1\ddot{v}_1 + c_1\dot{v}_1 + k_{11}v_1 + k_{12}v_2 + \cdots + k_{1N}v_N = P_1(t) \\ m_2\ddot{v}_2 + c_2\dot{v}_2 + k_{21}v_1 + k_{22}v_2 + \cdots + k_{2N}v_N = P_2(t) \\ \quad\ldots \\ m_N\ddot{v}_N + c_N\dot{v}_N + k_{N1}v_1 + k_{N2}v_2 + \cdots + k_{NN}v_N = P_N(t) \end{cases} \tag{15.20}$$

where kij are the influence coefficients of the stiffnesses and, therefore, represent the force on the node i deriving from a unit displacement of the node j, with the other nodes fully restrained. It will be realized that Eq. (15.20) lends itself to matrix notation. The extended notation is used here for sake of more general transparency. Eq. (15.20), for the simpler case of an undamped system, becomes:

$$[A]\{\ddot{v}\} + [C]\{v\} = \{P\} \tag{15.21}$$

where A and C are mass and stiffness matrices, respectively, both symmetrical and positive definite. The terms containing the stiffnesses are, in general, automatically calculated by the usual calculation programs or they can be evaluated by Castigliano’s theorem, according to which, given the potential elastic energy, E, as a function of vi,

$$F_i = \frac{\partial E}{\partial v_i} \tag{15.22}$$

where Fi are the stiffness terms of the ith equation. For simple systems, as in that of a multifloor building, the influence coefficients of the stiffnesses are directly calculated from the stiffnesses of the various floors. A framed multifloor building whose girders can be considered rigid in comparison with the columns (Fig. 15.15) is particularly simple. Here, the reaction forces on a floor are different from zero only for the unit displacement of the immediately adjacent floors (i.e., the coefficients kij with i and j different for more than one unit are equal to zero).

FIGURE 15.15 Building with rigid girders. [Diagram labels: floors 1 to 5; k53 = 0, k43 = K, k33 = H = −2 K, k23 = K]

The first step for the solution of Eq. (15.20) is the solution of the associated system of homogeneous equations, in the case of zero damping:

$$\begin{cases} m_1\ddot{v}_1 + k_{11}v_1 + k_{12}v_2 + \cdots + k_{1N}v_N = 0 \\ m_2\ddot{v}_2 + k_{21}v_1 + k_{22}v_2 + \cdots + k_{2N}v_N = 0 \\ \quad\ldots \\ m_N\ddot{v}_N + k_{N1}v_1 + k_{N2}v_2 + \cdots + k_{NN}v_N = 0 \end{cases} \tag{15.23}$$

Assuming

$$v_i = V_i\sin\omega t \tag{15.24}$$

and

$$\{v\} = \varphi\sin(\omega t) \tag{15.25}$$

Eq. (15.23) has nonidentically zero solutions only for N values of the pulsation ω (eigenvalues), obtainable by substituting Eq. (15.24) in Eq. (15.23) and calculating the N roots of the associated determinant:

$$\begin{vmatrix} -\omega^2 m_1 + k_{11} & k_{12} & \cdots & k_{1N} \\ \cdots & \cdots & \cdots & \cdots \\ \cdots & \cdots & \cdots & \cdots \\ k_{N1} & \cdots & \cdots & -\omega^2 m_N + k_{NN} \end{vmatrix} \tag{15.26}$$

$$\left\| [C] - \omega^2 [A] \right\| = 0 \tag{15.27}$$

In correspondence with each eigenvalue, ωi, Eq. (15.23) can be solved to obtain N solutions, V1, V2, …, VN, but for a multiplying constant (as for any set of N homogeneous equations with N unknowns). Each set Vi identifies a vibration mode of the structure defined by

$$\Phi_{1,n},\ \Phi_{2,n},\ \ldots,\ \Phi_{N,n} = n\text{th mode} \tag{15.28}$$

The modes satisfy the orthogonality relationships:

$$\sum_{i=1}^{N} M_i\,\Phi_{in}\,\Phi_{im} = 0, \qquad m \neq n \tag{15.29}$$

and

$$\sum_{j=1}^{N}\left(\sum_{i=1}^{N} k_{j,i}\,\Phi_{in}\right)\Phi_{jm} = 0, \qquad m \neq n \tag{15.30}$$

Physically, the orthogonality relationships express the fact that the inertia forces or the elastic forces of each mode do not globally make work for the displacements of another mode. The solutions of the general equation [Eq. (15.20)] may be found by imposing the displacement of each node as a linear combination of the displacements of the node according to the N modes [Yn(t) is said to be the generalized coordinate of the mode n]

$$v_i(t) = \sum_{n=1}^{N} \Phi_{in}\,Y_n(t) \tag{15.31}$$

$$[X] = \begin{bmatrix} \varphi_1^{(1)} & \varphi_1^{(2)} & \cdots & \varphi_1^{(n)} \\ \vdots & \vdots & & \vdots \\ \cdots & \cdots & \cdots & \varphi_n^{(n)} \end{bmatrix} \tag{15.32}$$

$$\{v\} = [X]\{Y\} \tag{15.33}$$

Substituting Eq. (15.31) into Eq. (15.20), and making use of the orthogonality relationships a set of N decoupled equations is obtained [in reality only if the displacement matrix satisfies certain conditions (Castellani et al., 2000)]

$$\ddot{Y}_n + 2\xi_n\omega_n\dot{Y}_n + \omega_n^2 Y_n = \frac{P_n(t)}{M_n} \tag{15.34}$$

where

$$\omega_n^2 = \frac{K_n}{M_n} \tag{15.35}$$

$$M_n = \sum m_i\,\Phi_{in}^2 \quad \text{(generalized mass of mode } n\text{)} \tag{15.36}$$

$$K_n = \sum_i \Phi_{in}\sum_j k_{i,j}\,\Phi_{jn} \quad \text{(generalized stiffness of mode } n\text{)} \tag{15.37}$$

and

$$P_n(t) = \sum \Phi_{in}\,P_i(t) \quad \text{(generalized force of mode } n\text{)} \tag{15.38}$$

In the case of seismic excitation, this is,

$$P_i(t) = -m_i\,\ddot{v}_g(t) \tag{15.39}$$

where v̈g(t) is the ground acceleration. Therefore

$$P_n(t) = -\ddot{v}_g(t)\sum m_i\,\Phi_{in} \tag{15.40}$$

(if the excitation is in one direction only the summation in Eq. (15.40) includes only the terms relevant to that direction) and Eq. (15.34) becomes

$$\ddot{Y}_n + 2\xi_n\omega_n\dot{Y}_n + \omega_n^2 Y_n = -\ddot{v}_g(t)\,\frac{\sum m_i\,\Phi_{in}}{\sum m_i\,\Phi_{in}^2} \tag{15.41}$$

The Pn terms (= Σ mi Φin / Σ mi Φin²) are the coefficients or factors of modal participation, which physically represent the measure of the work done by a base excitation of the structure on the mode n and, therefore, a measure of how much the base acceleration is capable of putting the structure in vibration according to the same mode. In order to judge whether the number of modes considered in an analysis is sufficient, a criterion exists based precisely on the modal participation coefficients. The sum of their squared values normalized to Mn, for each direction of excitation, is equal to the total mass of the system, M. The criterion states that, for each direction of excitation, the sum of the masses which participate in the jth mode given by

$$M_j = \frac{\left(\sum_i m_i\,\Phi_{ij}\right)^2}{\sum_i m_i\,\Phi_{ij}^2} = P_j^2\,M_j \tag{15.42}$$

must be equal to at least 90% of the total mass of the system M = Σmi. It must, therefore, be true that ΣjMj > 0.9 M for each vibration direction. Comparing Eq. (15.41) with the analogous Equation [Eq. (15.10)] for a one degree of freedom system, a perfect correspondence of the terms can be observed and, therefore, Eq. (15.41) will have the same form of solution, that is,

$$Y_n(t) = -\frac{\sum_{i=1}^{N} m_i\,\varphi_{i,n}}{\sum_{i=1}^{N} m_i\,\varphi_{i,n}^2}\,\frac{1}{\omega_n}\int_0^t e^{-\xi\omega_n(t-\tau)}\,\ddot{v}_g(\tau)\sin\omega_n(t-\tau)\,d\tau \tag{15.43}$$

The maximum values of the generalized coordinates of mode $n$ and of their derivatives during the earthquake can be obtained by the response spectra of the earthquake for one degree of freedom systems, that is,

$$Y_{n,max} = \frac{\sum_{i=1}^{N} m_i\varphi_{i,n}}{\sum_{i=1}^{N} m_i\varphi_{i,n}^2}\,S_d \tag{15.44}$$

$$\ddot{Y}_{n,max} = \omega_n^2\,Y_{n,max} \tag{15.45}$$

The maximum values of the displacements and of the forces of the node $i$ will be

$$v_{i,n,max} = \varphi_{i,n}Y_{n,max} = \varphi_{i,n}\,\frac{\sum_{i=1}^{N} m_i\varphi_{i,n}}{\sum_{i=1}^{N} m_i\varphi_{i,n}^2}\,S_d \tag{15.46}$$

$$F_{i,n,max} = m_i\ddot{v}_{i,n,max} = m_i\omega_n^2\,v_{i,n,max} \tag{15.47}$$

In order to obtain the values of displacements, forces and so on, resulting from the contribution of all the vibration modes and to be used in the verification calculations, generally the quadratic mean of the values corresponding to the various modes is used (or other combination methods). For example, in order to obtain $v_i$:

$$v_i = \left(\sum_N v_{i,n}^2\right)^{0.5} \tag{15.48}$$

In this way a good estimate of the required quantities is obtained, as has been extensively verified, except when natural frequencies are very close to each other. A complete guide for the combination of modal values can be obtained from the NRC Standard Review Plan and from a specific USNRC Regulatory Guide 1.92.
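The modal quantities of Eqs. (15.36) and (15.42) and the spectrum combination of Eqs. (15.44), (15.46), and (15.48) can be followed on a small lumped-mass model. The Python sketch below is an added example, not taken from the book: the storey masses and stiffnesses are constructed values, the eigenmodes are found with a Jacobi routine chosen here for self-containment, and the response spectrum `flat_spectrum` (constant pseudo-acceleration) is an assumption.

```python
import math

def shear_building_stiffness(k_storey):
    """Stiffness matrix of stacked storeys; k_storey[0] ties floor 0 to the ground."""
    n = len(k_storey)
    k = [[0.0] * n for _ in range(n)]
    for i, ki in enumerate(k_storey):
        k[i][i] += ki
        if i > 0:
            k[i - 1][i - 1] += ki
            k[i - 1][i] -= ki
            k[i][i - 1] -= ki
    return k

def jacobi_eigen(a, tol=1e-24, max_sweeps=100):
    """Eigenvalues and eigenvectors (columns of v) of a symmetric matrix, cyclic Jacobi."""
    n = len(a)
    a = [row[:] for row in a]
    v = [[float(i == j) for j in range(n)] for i in range(n)]
    for _ in range(max_sweeps):
        off = sum(a[i][j] ** 2 for i in range(n) for j in range(n) if i != j)
        if off <= tol * sum(a[i][i] ** 2 for i in range(n)):
            break
        for p in range(n - 1):
            for q in range(p + 1, n):
                if a[p][q] == 0.0:
                    continue
                # Angle that zeroes a[p][q], folded into [-pi/4, pi/4]
                theta = 0.5 * math.atan2(2.0 * a[p][q], a[q][q] - a[p][p])
                if theta > math.pi / 4:
                    theta -= math.pi / 2
                elif theta < -math.pi / 4:
                    theta += math.pi / 2
                c, s = math.cos(theta), math.sin(theta)
                for k in range(n):  # rotate columns p, q of a and of v
                    a[k][p], a[k][q] = c * a[k][p] - s * a[k][q], s * a[k][p] + c * a[k][q]
                    v[k][p], v[k][q] = c * v[k][p] - s * v[k][q], s * v[k][p] + c * v[k][q]
                for k in range(n):  # rotate rows p, q of a
                    a[p][k], a[q][k] = c * a[p][k] - s * a[q][k], s * a[p][k] + c * a[q][k]
    return [a[i][i] for i in range(n)], v

def modal_analysis(masses, k_matrix):
    """Modes sorted by frequency, with participation factor and participating mass."""
    n = len(masses)
    r = [1.0 / math.sqrt(m) for m in masses]
    # Symmetric form M^-1/2 K M^-1/2, valid for a diagonal (lumped) mass matrix
    a = [[k_matrix[i][j] * r[i] * r[j] for j in range(n)] for i in range(n)]
    lam, v = jacobi_eigen(a)
    modes = []
    for j in sorted(range(n), key=lambda idx: lam[idx]):
        phi = [v[i][j] * r[i] for i in range(n)]              # physical mode shape
        num = sum(m * p for m, p in zip(masses, phi))         # sum of m_i * phi_in
        m_gen = sum(m * p * p for m, p in zip(masses, phi))   # Eq. (15.36)
        modes.append({"omega": math.sqrt(lam[j]), "phi": phi,
                      "P": num / m_gen,                       # participation factor
                      "mass": num * num / m_gen})             # Eq. (15.42)
    return modes

def modes_needed(modes, total_mass, fraction=0.9):
    """Smallest number of lowest modes whose participating mass reaches the fraction."""
    acc = 0.0
    for count, mode in enumerate(modes, 1):
        acc += mode["mass"]
        if acc >= fraction * total_mass:
            return count
    return None

def flat_spectrum(sa):
    """Assumed spectrum: constant pseudo-acceleration sa, so S_d = sa / omega^2."""
    return lambda omega: sa / omega ** 2

def srss_displacements(modes, sd, n_modes):
    """Peak nodal displacements: Eqs. (15.44) and (15.46) per mode, combined by Eq. (15.48)."""
    total = [0.0] * len(modes[0]["phi"])
    for mode in modes[:n_modes]:
        y_max = mode["P"] * sd(mode["omega"])                 # Eq. (15.44)
        for i, p in enumerate(mode["phi"]):
            total[i] += (p * y_max) ** 2                      # Eq. (15.46), squared
    return [math.sqrt(t) for t in total]

if __name__ == "__main__":
    masses = [200e3, 200e3, 100e3]                                # kg, constructed
    stiffness = shear_building_stiffness([300e6, 200e6, 100e6])   # N/m, constructed
    modes = modal_analysis(masses, stiffness)
    total = sum(masses)
    for n, mode in enumerate(modes, 1):
        print(f"mode {n}: T = {2 * math.pi / mode['omega']:.3f} s, "
              f"participating mass = {100 * mode['mass'] / total:.1f}%")
    keep = modes_needed(modes, total)
    print("modes needed for 90% of the mass:", keep)
    print("SRSS displacements (m):",
          srss_displacements(modes, flat_spectrum(0.3 * 9.81), keep))
```

The participating masses of all modes always add up to the total mass, which is what makes the 90% criterion a measure of how much of the structure the retained modes represent.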


The above methods are based on the modal analysis and, therefore, on the previous determination of frequencies and vibration modes and on the subsequent calculation of the response of the various modes to a space–time history (time history of the ground acceleration) or to a design spectrum. These methods are the most used and are valid in the majority of cases. Some peculiar situations (such as the presence of marked nonlinearities) require a direct integration of the equations of motion, generally performed step-by-step.

15.3.2.3 Continuous Systems

Continuous systems can be considered systems with an infinite number of degrees of freedom. Their response to an earthquake can be found by the direct study of the relevant partial differential equations of the motion or by the reduction to a system with a finite number of degrees of freedom (discretization of the masses and modeling by concentrated masses and springs). In practice, the “generalized coordinates system” is, for simplicity, extensively used to obtain an approximate solution, which is nevertheless sufficiently precise for practical uses (i.e., for the first or the first few modes of vibration). Consider a structure which can be modeled as a slender cantilever built in the ground with an arbitrary distribution of the linear mass $m(x)$ and with flexural rigidity $EI(x)$ (Fig. 15.16).

FIGURE 15.16 An example of a continuous system. [Figure labels: y(t); v(t) = p(x) y(t); −v″g(t).]

If the virtual work theorem is applied, equating the work of the inertia forces to the elastic work for the virtual displacement $dv = p(x)\,dy$, then Eq. (15.49) is obtained:

$$\ddot{y}\,M + y\,K = -\ddot{v}_g\,L \tag{15.49}$$

where

$M$ is the generalized mass $\left[= \int_0^L m(x)\,p(x)^2\,dx\right]$,
$K$ is the generalized stiffness $\left[= \int_0^L EI(x)\left(\partial^2 p/\partial x^2\right)^2 dx\right]$, and
$L$ is the modal participation factor $\left[= \int_0^L m(x)\,p(x)\,dx\right]$.

If generalized damping is included, then Eq. (15.49) can be rearranged and rewritten as

$$M\ddot{y} + C\dot{y} + Ky = -\ddot{v}_g(t)\,L \tag{15.50}$$

or

$$\ddot{y} + 2\xi\omega\dot{y} + \omega^2 y = \frac{-\ddot{v}_g(t)\,L}{M} \tag{15.51}$$

where $\xi = C/2M\omega$ is the fraction of the critical damping of the system, and

$$\omega = \left(\frac{K}{M}\right)^{0.5} \tag{15.52}$$

is the eigenfrequency associated to the $p(x)$ mode. It is evident that these equations have the same form as the equation of motion of a simple oscillator, with the generalized coordinate $y$ substituted for $x$ in the simple system. It is, therefore, evident that, once the estimate of $p(x)$ has been made (even a tentative shape generally gives good results without the need of iterations), the coefficients of the equation can be calculated and the solution can be obtained by the methods valid for one degree of freedom systems (i.e., the Duhamel integral, response spectrum, etc.). If a spectrum is used, for example, the maximum value of $y$ during an earthquake is given by

$$y_{max} = \frac{S_d(\omega, \xi)\,L}{M} \tag{15.53}$$

where Sd is the spectral displacement which is a function of ω and ξ, as well as the earthquake under consideration. Usually, a method based on a tentative deformed shape is used to study the first mode, but methods exist for higher modes (Biggs, 1964).

15.3.2.4 Tanks

Tanks of liquid, especially of light construction (atmospheric tanks), are subject to peculiar phenomena during an earthquake, all of them related to the formation of internal waves and to their interaction with the walls and with the roof of the tank. Experience indicates the possibility of damage at the roof–wall joint (buckling and breaks), of damage to the base of the lateral wall (“elephant foot” buckling), of damage to the anchor components between the tank and its foundation (if existing), and of damage to internal components.

When testing a tank it is, first of all, necessary to determine the liquid motion and the forces exerted by it on the tank. This phenomenon has been particularly studied in Japan, where experimental tanks have been studied to determine their response in cases of real earthquakes. A simple analysis method is described in ASCE (1986). According to this method, the liquid mass is subdivided into two parts: a lower part which can be considered rigidly connected with the tank and an upper part which oscillates relative to it. The method supplies the formulae for the calculation of forces and of oscillation heights on the basis of the reference spectrum of the earthquake. The walls of the tank can be considered rigid in a first approximation, even if methods exist to take into account the effect of the flexibility of the walls on the result (Veletsos, 1974; Kana, 1978; Adams, 1992). The flexibility of the walls is important especially when evaluating the forces caused by the lower part of the liquid.

Should atmospheric tanks be rigidly connected to their bases? The alternative solution is not to anchor the tank and to shape its bottom as a cone in order to ensure lateral retention; pipes and cables connected to the tank should obviously be provided with ample flexibility. In the Alaskan earthquake in 1964 unanchored tanks were moved 1.5 m. The choice between one or the other solution is a matter of debate, even if the prevailing opinion is for anchored tanks with attachment zones and anchors generously sized and fitted to the main structure.

Tank walls are thick (typically 20 mm) if the design pressure is high (nonatmospheric tanks), and, therefore, the rigidity of the shell is significant. The deformable parts of a pressure tank subject to seismic excitation are, instead, the supporting truss structure (or the support saddles) and the contained liquid, thereby causing the whole structure to behave like a double pendulum. The first pendulum (of inverted type, that is, with its mass above and its spring below) has its mass essentially formed by the shell and by that part of the contained liquid (located in the lower part) which follows the tank in its oscillation. The second pendulum, linked to the first one in the upper part, has its mass formed by that part of the liquid (located in the upper part) which oscillates in an autonomous way relative to the shell. The recall forces for the two pendulums are, respectively, the elastic recall force of the support structure and the gravity force.
In practical cases the natural period of the first pendulum is much lower than the natural period of the second (e.g., 0.5 vs 5 s). The two pendulums are, therefore, decoupled. As a consequence, because the first pendulum is the one which directly receives the ground vibration and the second receives the vibration of the first one, the first pendulum will tend to oscillate with a period close to its natural one without being significantly influenced by the second one. These qualitative analyses are confirmed by dynamic analysis calculation methods (USAEC, 1963; ASCE, 1986). To verify that the natural period of oscillation of the liquid is significantly different from the one of the structure, the data in Table 15.6 are useful (for cylindrical vertical and spherical tanks). In practice, neglecting the liquid oscillation is, for pressure tanks, generally conservative. In fact, considering all the liquid as a part of the structure leads to increasing the mass participating in the prevailing vibration (the one of the first pendulum) and, therefore, increases the corresponding horizontal seismic forces. Therefore these tanks are very different from atmospheric pressure tanks (generally cylindrical with a vertical axis) used for oil products and for other liquid products.

Table 15.6 Natural Period of Liquid in Tanks

| Depth filled | 30%, cylinder | 30%, sphere | 50%, cylinder | 50%, sphere | 80%, cylinder | 80%, sphere |
|---|---|---|---|---|---|---|
| D = 5 m | 2.5 s | 3.0 s | 2.3 s | 2.5 s | 2.2 s | 2.1 s |
| D = 10 m | 3.5 s | 4.0 s | 3.3 s | 3.5 s | 3.5 s | 3.0 s |
| D = 20 m | 5.0 s | 5.5 s | 4.5 s | 5.0 s | 4.8 s | 4.4 s |
| D = 30 m | 6.2 s | 7.0 s | 5.2 s | 6.2 s | 5.8 s | 5.3 s |


15.3.2.5 Resistance and Functionality of Mechanical, Electrical, and Electronic Components

Sometimes it is impractical to model, in the seismic analysis of a plant, all the components located at different heights. A complete model (plant structures plus components) is, however, rather easy to analyze by modern computer codes (e.g., ANSYS). The need arises to define methods of identifying a seismic excitation (spectrum or accelerogram) by which resistance and functionality of the essential components can be verified. In reality, recently the problem has been simplified by the development of dynamic analysis computer programs, which make the modeling of structure–component complexes easier.

The anchorage of components, especially with cantilevered parts (actuators of valves, and so on), sufficient slack and flexibility in the mechanical and electrical connections (pipes and cables), and sufficient gaps between components and between components and structures are the principal design and installation characteristics to be examined. Specific consideration is deserved by electromechanical relays, which in the past have given unpleasant surprises (chatter during earthquakes and consequent malfunctions of the connected equipment). In these cases, it is necessary to consult an expert specialist or in any case to have the result of shake-table tests for the various relay types of interest. These tests may in some cases be already available from manufacturers or suppliers.

A sound empirical attitude does not, however, solve all the problems and it is, in general, necessary to have recourse to specific analyses. Methods of modeling the components together with the structure, if practicable for a reasonable number of components, are available. Otherwise, the method of defining the “floor” response spectra at various heights of the structure can be used, for example, Biggs (1972) and Roesset (1995), for which various publications suggest indications and conservative practical rules which protect against the possibility of mistakes (USNRC, 1988). The following gives some simple methods for a first look at practical cases.

The components located on a floor of a structure and which cannot be considered rigidly connected to it can be subject, during an earthquake, to accelerations considerably higher than those of the floor itself. This fact appears evident if it is considered that resonance can occur between structure frequencies and component frequencies. In this case the amplification ratio of these accelerations can be approximated (in the case of sinusoidal motion) by $M = 1/(2\xi)$, where $\xi$ is the fraction of the critical damping of the component. For a metallic component with $\xi = 0.02$, $M$ will be equal to 25, corresponding to an acceleration of the component 25 times that of the floor in resonance conditions. In reality, the floor acceleration is generally composed of various modes, only one of which will be in resonance with the component. However, amplification factors of the order of 10 are not infrequent.

Another method, already mentioned above, is to roughly estimate the acceleration of components, in cases where a modal analysis of the structure is available, by evaluating the response of the component to the various modes of the structure considered as stationary sinusoidal vibrations and subsequently to calculate the square root average of the responses (or other meaningful combination). This method, too, can be highly conservative. As already mentioned, the floor response spectra can be used (and this is the most common method).
These spectra are defined as the response spectra of the seismic motion at the floor and can usually be obtained by modal analysis or by direct integration of the equations of motion of the structure, always on the basis of a reference time history of the ground motion. These analyses are usually long and complex.

FIGURE 15.17 Schematic of a structure–component complex. [Figure labels: e; s.]

In order to avoid an analysis by using the more precise techniques, a simplified and general procedure can be used which gives, according to the author (Biggs, 1972), usually conservative but reasonable results. It is assumed that a modal analysis of both the structure (s) and the component (e) has been performed and, therefore, that the eigenmodes $[v_e]$ and $[v_s]$ and the corresponding periods $T_e$ and $T_s$ are known. In a qualitative way, considering the mode $n$ for the structure and the mode $m$ for the component, we imagine the structure–component complex as a set of two coupled simple linear oscillators (Fig. 15.17).

It can be seen that if the structure s is much more rigid than the component e, then the motion is transmitted almost rigidly to the component and it is similar to that of the ground. Moreover, if the structure (or the soil–structure complex) is more flexible than e, the motion of e is essentially due to that of s. (It has to be noted that the lowest periods of the soil–structure complex can also be rather high (of the order of 1 second) precisely because of the soil–structure interaction, while, in general, the pipes and the components can be made very rigid in order to stay away from the prevailing periods of the earthquake.) Therefore

• if $T_{e,m} > aT_{s,n}$, the influence of the soil prevails;
• if $T_{e,m} < aT_{s,n}$, the influence of the structure prevails.

The coefficient $a$ is chosen to be 1.25 on the basis of comparisons with the time histories method. Having considered all the meaningful modes, $N$, of the structure and all the meaningful modes, $M$, of the component:

$$A_{e,m,n} = A_{s,n}\left(\frac{A_{e,m}}{A_{s,m}}\right), \quad \text{if } T_{e,m} < 1.25\,T_{s,n} \tag{15.54}$$

where $A_{s,n} = A_{0,n}P_{s,n}v_{s,n}$, in which $A_{0,n}$ is $S_d$, the spectral amplitude of the mode considered, $P_{s,n}$ is the relevant modal participation factor, and $v_{s,n}$ is the relative displacement of the mode in correspondence of the component ($A_{s,n}$ is, therefore, known on the basis of the modal analysis of the structure).

$$A'_{e,m,n} = A_{s,mg}\left(\frac{A_{e,m}}{A_{e,m,G}}\right), \quad \text{if } T_{e,m} > 1.25\,T_{s,n} \tag{15.55}$$

where $A_{e,m,G}$ is the maximum component acceleration for mode $m$, supposing that it is directly placed on the ground and that, therefore, it is known on the basis of a specific modal analysis, required by the application of this method.

The ratios $(A_{e,m}/A_{s,m})$ and $(A_{e,m}/A_{e,m,G})$ are given by empirical diagrams, summarized in Tables 15.7 and 15.8, as a function of the ratio of the periods $(T_{e,m}/T_{s,n})$ and of the damping ratios of the structure and the component. The acceleration of the component in mode $m$ is, then, given by

$$A_{e,m} = \left(\sum^{n'} A_{e,m,n}^2\right)^{0.5} + \frac{\sum^{n_v} P_{s,n}v_{s,n}A'_{e,m,n}}{\sum^{n} P_{s,n}v_{s,n}} \tag{15.56}$$

where $n$ is the number of significant modes of s, $n'$ is the number of modes from Eq. (15.54), and $n_v$ is the number of modes from Eq. (15.55).

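Table 15.7 Values of $A_{e,m}/A_{s,m}$ for $\xi_s = 0.05$ and for Various Values of $\xi_e$

| $T_e/T_{s,n}$ | $\xi_e = 0.05$ | $\xi_e = 0.02$ | $\xi_e = 0.01$ |
|---|---|---|---|
| 0.3 | 1.1 | 1.2 | 1.3 |
| 0.5 | 1.5 | 1.6 | 1.7 |
| 0.8 | 3.2 | 4.0 | 4.5 |
| 1.0 | 5.3 | 8.4 | 11.0 |
| 1.2 | 3.3 | 4.4 | 5.5 |
| 1.5 | 2.4 | 2.8 | 3.5 |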

Table 15.8 Values of $A_{e,m}/A_{e,m,G}$ for $\xi_s = 0.05$

| $T_e/T_{s,n}$ | $\xi_s = 0.05$ |
|---|---|
| 1.1 | 5.0 |
| 1.3 | 3.5 |
| 1.5 | 2.8 |
| 1.7 | 2.3 |
| 2.0 | 1.7 |
| 2.5 | 1.3 |


The resulting quantities of interest for all the modes of the component will then be combined by the root mean square or by other algorithms. The authors of this method have conservatively approximated the diagrams/tables and have based these diagrams on three past earthquakes having different characteristics from each other (El Centro in 1940, Taft in 1952 and Parkfield).

When modeling a structure it has to be decided if part of it can be considered a “component” and can be decoupled from the main structure (and, therefore, treated by the preceding methods). Some decoupling criteria follow. Where $R_m$ is the ratio of the mass of the part and the mass of the affected floor of the building and $R_f$ is the ratio of the fundamental frequency of the part and the dominating frequency of the floor motion, then:

• if $R_m < 0.01$, it is possible to decouple for each $R_f$;
• if $0.01 < R_m < 0.1$, it is possible to decouple if $0.8 > R_f > 1.25$ (that is, $R_f$ below 0.8 or above 1.25);
• if $R_m > 0.1$, it is not possible to decouple the component.

A more complete treatment of these guide criteria can be found in the NRC Standard Review Plan and in the connected Regulatory Guides.

15.3.2.6 Soil–Structure Interaction

This issue has been already treated in general terms in Section 15.3.1 on foundation soil. Here some practical data and some formulae are given which are relevant to modeling the ground (inertial interaction) by equivalent masses, springs, and dampers. The coupling between structure and ground must generally be considered elastic and, for dynamic modeling, it is necessary to evaluate the following elements:

• the equivalent springs of the ground (Fig. 15.5);
• the damping of the ground.

The following quantities should also be evaluated:

• soil masses and inertias associated with a structure when vibrating, which in a first approximation (especially for large structures) may be neglected when compared with the masses and inertias of the structure itself.

The importance of considering the soil in the dynamic analysis varies according to the types of soil and of structure. As can be imagined, for example, a deformable structure founded on solid rock and solidly anchored to it can be considered fully constrained in the ground and, therefore, the influence of the elastic soil–structure coupling can be disregarded. However, this is not the case for a rigid structure on relatively elastic ground (e.g., sand or clay), which will usually require the dynamic analysis of the elastic soil–structure coupling to be taken into consideration. If this is not done, a much more unfavorable structure response will be obtained than in reality (indeed, the elastic coupling of the rigid structure with a soft soil filters the largest part of the high frequencies of the earthquake, whose effect on the rigid structure can be particularly strong). A criterion used to verify whether the effect of the soil is important is given in the next equation

$$T_0 < \frac{3}{V_s}\left(\frac{m_0}{\rho d}\right)^{0.5} \tag{15.57}$$

where $T_0$ is the fundamental period of the structure, $d$ is the maximum dimension of the basis in the direction of the earthquake, $m_0$ is the mass of the structure, $\rho$ is the density of the soil, and $V_s$ is the velocity of the shear waves in soil.

For the evaluation of the effect of soil, the simplest assumption is to model the soil by a series of equivalent springs whose constants are determined either on the basis of analyses of the behavior of a rigid solid on an indefinite elastic half-space or by a finite element evaluation of the stiffness characteristics of the soil–structure couple. The first system uses the following formulae for a circular base structure (Petrangeli et al., 1998):

• elastic constant of an equivalent horizontal spring

$$K_x = \frac{8GR}{(2-\nu)}\left(1+\frac{R}{2H}\right)\left(1+\frac{2E}{3R}\right)\left(1+\frac{5E}{4R}\right) \tag{15.58}$$

• elastic constant of the equivalent rotational spring (rocking motion)

$$K_r = \frac{8GR^3}{(2-\nu)}\left(1+\frac{R}{6H}\right)\left(1+\frac{2E}{R}\right)\left(1+\frac{7E}{10R}\right) \tag{15.59}$$

where $G$ is the shear modulus of the soil, $\nu$ is the Poisson modulus of the soil, $R$ is the radius of the foundation basis, $E$ is the foundation depth relative to the soil surface, and $H$ is the depth of the soil relative to the rigid basis of the rock (in the case of rigid soil the terms $E/R$ and $R/H$ must be put equal to zero). Analogous formulae are available for other movement directions (vertical oscillation, torsion) and for rectangular base structures (Petrangeli et al., 1998).

In any case, the shear modulus of elasticity of the soil $G$ must be known. This is not easily determined and, among other things, depends on the type of soil, on the confinement pressure of the soil in the zone of it which acts as a spring for the structure, and on the order of magnitude of the soil deformations during an earthquake, also relative to the zone interacting with the structure. In general, $G$ is expressed as a product of a quantity $G_0$ (which is the modulus for low strains) and a factor $F$ which takes into account the effect of the actual expected strain. It has to be remembered that in a strong earthquake the strains/stresses are significant.

The value of $G_0$ can be determined by measuring the speed of artificially generated shear waves on the site, by laboratory measurements on soil specimens, or by empirical correlations. Among the experimental methods, the one considered most reliable is based on the measurement of the shear wave velocity. The value of $G$ is connected to this velocity by the relationship:

$$V_s = \left(\frac{G}{\rho}\right)^{0.5} \tag{15.60}$$

Among the frequently used empirical correlations is the following, which is valid for sands:

$$G_0 = \frac{1200\,(3-e)^2\,\sigma_0^{0.5}}{1+e} \tag{15.61}$$

where $\sigma_0$ is the average of the effective principal stresses in static conditions and $e$ is the void fraction of the soil. Complete treatments of the correlations and of the empirical curves valid for sands and for clays can be found in the specialized literature (Seed and Idriss, 1970). Typical values of the reduction factors to account for large deformations are listed in Table 15.9.

The damping of the soil is composed of two terms (in the model of springs and equivalent dampers): the first is the internal damping, which is connected with the energy loss in the cyclic deformation of the soil and depends on the type of soil and on its deformation level (some values are listed in Table 15.10); the second is called radiation damping and accounts for the energy delivered by the vibrating structure to the ground. The latter term has nothing to do with the energy loss for soil deformation (internal damping) and is representative of an effect which would, in any case, be present in a perfectly elastic material, that is, without the nonlinearity (hysteresis) which is responsible for the internal damping. The value of the radiation damping, as for the equivalent soil springs, can be obtained by formulae like the following:

• Radiation damping constant for horizontal oscillations

$$C_x = 0.57\,K_x R\left(\frac{\rho}{G}\right)^{0.5} \tag{15.62}$$

• Radiation damping constant for rotational oscillations

$$C_r = \frac{0.3}{(1+B_r)}\,K_r R\left(\frac{\rho}{G}\right)^{0.5} \tag{15.63}$$

where

$$B_r = \frac{3(1-\nu)I_0}{8\rho R^5} \tag{15.64}$$

Table 15.9 Values of the Ratio Between G at a Certain Value of the Shear Deformation and G at $10^{-4}$% Shear Deformation

| Shear Deformation | Factor for Sands | Factor for Clays |
|---|---|---|
| $10^{-3}$ | 0.95 | 0.80 |
| $10^{-2}$ | 0.75 | 0.40 |
| $10^{-1}$ | 0.30 | 0.15 |

Table 15.10 Values of the Internal Damping for Various Values of the Shear Deformation

| Shear Deformation | Damping for Sands | Damping for Clays |
|---|---|---|
| $10^{-3}$ | 1.8% | 3% |
| $10^{-2}$ | 5.5% | 5% |
| $10^{-1}$ | 16.0% | 8% |


and $I_0$ is the inertia moment of the structure relative to the rotation axis passing through its base. The other symbols have the meaning defined above for the spring constants. The formulae require the Poisson modulus of the soil, which can be assumed equal to 0.35 for unsaturated soils and 0.5 for saturated ones. Some values of the internal soil damping are given by Table 15.10.

The values of damping used for soils are the sum of the internal damping and of the radiation damping. (It is suggested that high values are used carefully because the assumptions on which the analytical evaluations are based could lead to large errors.) Sometimes, for the sake of conservatism, a condition is artificially imposed that the damping, for each vibration mode of the soil–structure system, does not exceed a certain percentage of the critical damping (e.g., 10%). It has to be considered, in these evaluations, that the overall modal damping values should be weighted with the vibration energies relevant to the various parts of the soil–structure system.

It must also be remembered that an uncertainty exists in the calculated values of the soil properties used in the seismic response calculations. Usually for each property a conservative value (with reference to the calculated quantity, for example, maximum displacements or maximum stresses in the structure) is used. For example, as far as $G$ is concerned, evaluations are often used with values equal to two and a half times the best estimate value.

The calculation methods described here have been somewhat simple; it has, however, to be considered that, when a more accurate evaluation is warranted, finite element methods exist which are capable of modeling the behavior of the soil–structure system.
The use of these programs has been proven essential when the economic burden due to the use of simpler and more conservative methods (e.g., those based on equivalent masses and springs) is not considered acceptable or when special effects have to be calculated, such as the mutual interaction between adjacent buildings. However, it is often required that the functionality of an active component is guaranteed during and/or after an earthquake. This guarantee cannot always be given by analytical means (e.g., for almost all the electric and electronic components). In these cases, vibration tests of suitable prototypes have to be performed. These tests are standardized (e.g., see USNRC, 1988). These standards require that a component is placed on a vibrating table and that it is submitted to a higher vibratory load than that characterized by the floor response spectrum. In some cases, if necessary, the component is even verified for operation during the test. The components are tested together with their support structure to avoid a further uncertainty in the calculation of the dynamic load at the level where they are located. The excitation must include all three axes, unless symmetry conditions exist. Large items (such as a large turbine), or if the functionality is ensured by the sole integrity of the component, can gain qualification by analysis. It is possible to combine experimental tests and analyses. The analysis has to demonstrate that the relative displacements of the structural elements which form the particular piece of equipment, are not such to prevent their movement. In the case of tanks and reservoirs, it is necessary to check both the structure and the liquid, taking into account the sloshing too, especially if the spill of a possibly noxious liquid is possible.

15.3.2.7 Bridge Cranes

The biggest danger from a bridge crane during an earthquake is its derailment and its fall. For this reason, it is useful to ensure that the extremities of the bridge crane have welded steel sheet restraints (or equivalent structures) which are able to prevent derailment (see Fig. 15.18). A simple calculation shows that for a crane weighing 50 t (the weight of a crane is usually equal to its lifting capacity), and supposing that the lateral stops must resist a horizontal inertia force corresponding to 0.2 g with 0.5 m of lever arm, two welded steel sheet pieces 40 mm thick are sufficient. For the calculation of other stresses, the bridge crane model can be simplified as a distributed mass beam resting on its extremities with an additional mass at the center, submitted to a vertical oscillation complying with the floor response spectrum.

FIGURE 15.18 Bridge crane. [Figure label: welded steel sheet.]

15.3.2.8 Buried Structures and Caverns

The effect of the earthquake on buried structures, such as pipes and conduits, is either faulting or soil instabilities, slides and liquefaction, or vibrations caused by the transit of the seismic waves. Here only the actions due to the vibratory motion are considered, as it is supposed that the other above-mentioned phenomena can be excluded. Two loads and, therefore, two rupture modes are considered: the one due directly to the deformation of the soil and the one due to differential displacement of buildings in which pipes or conduits are located.

As far as the load due to the soil deformation is concerned, a simplified analysis is acceptable based on the assumption that the structure deforms as the soil. The stresses can be subdivided according to the type of waves: longitudinal compression waves (P-waves), shear waves (S-waves), and surface waves (Rayleigh and Love waves). It is assumed that the axial deformation is connected with the P-waves and the flexural one with the S-waves and surface waves. In this case, the axial deformations, for example, can be calculated with expressions of the type

$$\varepsilon_{max} = \frac{V_{max}}{C} \tag{15.65}$$

where $\varepsilon_{max}$ is the maximum axial deformation of the structure, $V_{max}$ is the maximum velocity of the soil particles, and $C$ is the velocity of the waves in the ground. The velocity of the soil particles can be obtained from the reference seismic motion and the velocity $C$ from the soil characteristics (cautiously, it is necessary to consider the shear wave velocity, $C = V_s$). The flexural deformation can be calculated by a similar expression:

$$c_{max} = \frac{d^2y}{dx^2} = \frac{a_{max}}{C^2} \tag{15.66}$$

where $c_{max}$ is the maximum curvature and $a_{max}$ is the maximum soil acceleration.

For the load due to differential motion of buildings, a static equivalent analysis is sufficient. When lines, pipes, conduits, and so on connect two buildings, the assumption has to be made that the two buildings move out of phase. In order to calculate the axial stress of a buried line connected to a building, it is assumed that it is subject to friction forces along its surface. The stress is calculated using Eq. (15.67):

$$\sigma_a = \sqrt{\frac{2EF\Delta x}{A}} \tag{15.67}$$

where $E$ is the modulus of elasticity of the line, $F$ is the friction force for unit length between soil and line ($= C\gamma Hf$), $C$ is the circumference, $\gamma$ is the specific weight of the soil, $H$ is the depth at which the line is placed, $f$ is the friction coefficient, $\Delta x$ is the displacement of the building in the longitudinal direction, and $A$ is the resisting cross-section of the line. The stresses in the terminal zone of the line, at the contact with the building, due to flexure and shear can be calculated by modeling a beam on an elastic foundation.

To verify the stability of storage or plant in a cavern, the following real-life data must be considered (Shah and Chu, 1974; Berardi et al., 1977; Capozza and Berardi, 1977; Bender, 1982).

• The accelerations of the soil, either horizontal or vertical, are lower in a deep cavern (tens to hundreds of meters below grade) than at the surface; the measured ratio is of the order of 0.3–0.5. In order to evaluate the seismic input data at depth on the basis of those used on the surface, methods of numerical modeling of the propagation of the vibratory motion in soils can be used.
• The prevailing frequencies of the seismic motion are higher at depth: the more rigid components are more exposed to high values of amplification.
• The calculations performed in practical cases show that the earthquake stresses in the rock are essentially concentrated near the cavern walls, in a zone of some meters normally affected by the deep anchorages used for the consolidation of the cavern walls. Bender (1982) gives advice on the calculation.
• The vibration mode of a cavern is mainly compression–traction rather than of shear deformations (the opposite happens near the soil surface).
• It has been demonstrated by studies that in a competent rock of average quality, caverns up to 30 × 60 m in plan and 50 m high can be safely built.

In conclusion, it can be said that usually an earthquake is not a prevailing load in caverns, except for the case where weakness lines and joints are present in the rock, which deserve a specific study in the field of rock mechanics.

15.3.2.9 Towers and Chimneys

Towers and chimneys are among the most vulnerable structures in seismic excitation because of their slenderness. They can be tested according to Eurocode 8, part 3: Towers, masts and chimneys (2003). Support stays are often used to reinforce them against earthquake effects.


15.3.2.10 Seismic Isolation

In the last few years some innovative antiseismic techniques have been developed which are capable of improving the protection of structures, industrial plants, and their components. They are based on the drastic reduction of the seismic forces acting on the structure by the application, at its base, of very flexible supports (e.g., rubber isolators). These systems filter the seismic energy transmitted by the ground, drastically reducing the stresses. The deformations are concentrated in the isolators, while the building moves almost like a rigid body at low frequency, thus reducing stresses and differential displacements of the contained objects. The guidelines in EUROCODE (2018) and Gurpinar (1977) can be used for these structures.

Other systems for the reduction of the seismic effect on the structures can be used. These operate by connecting different parts of the structure, for example, by braces, to energy dissipators which are capable of absorbing an enormous amount of energy during an earthquake and, therefore, increasing the damping of the system. They can also be combined with isolators at the base. All these systems, in principle, can be applied to existing constructions.

15.3.2.11 Seismic Review by Inspection

15.3.2.11.1 Potential Uses and Objectives

This method of seismic qualification consists of an in-depth inspection of the plant in order to identify the evident constructive details which do not satisfy the need of seismic resistance without loss of functionality or of integrity. The objective of the inspection is, in general, to guarantee that the plant does not exhibit evident weak points in case of an earthquake with reference to the need to avoid the risk of accidents or of loss or prolonged outage of the plant. The inspection is performed by a group of experts which includes experts on the effects of earthquakes on structures and on components, experts on the aspects of functionality and of safety of the plant, and geologists.

The seismic inspections are made either as a completion of the seismic analyses of the plant or as the first step of an iterative examination of existing plants not designed according to the most recent standards and knowledge. A seismic inspection is compulsory in the licensing process of nuclear plants in Canada (Duff, 1984) and is performed elsewhere as a good practice and a first step of a seismic review. Damage produced by strong earthquakes on industrial plants has indicated that many weak points could have been detected and corrected, even with a moderate economic investment, by an adequate inspection. The experience shows that about 75% of the weak points are due to mistakes of construction and of installation.

15.3.2.11.2 Sequence of Actions and Methods

A knowledge of possible deterioration processes going on in a plant and of its safety aspects, together with that of the seismic criteria adopted in the design, is an essential basis for an effective inspection. A series of information meetings and of real inspections on the plant is, then, the most effective sequential approach. A list of weak points on similar plants resulting from past earthquakes and from analyses should also be available and discussed. A typical sequence of actions is

1. Selection of the reference earthquake.
2. Definition of the vibratory ground motion.
3. Selection of the evaluation group. The group should comprise experts in the field of seismic engineering assisted by experts on the plant operation and design. The number of experts in the group depends on the complexity of the installation but they must cover mechanical, electrical, structural, and chemical engineering, with experience in the seismic design of structures, systems, and components of the plants. Somebody with geologic-geotechnical competence should also be available.
4. Gathering and analysis of the design drawings and documents. This activity is frequently difficult because of the incomplete availability of documents. It is, therefore, sometimes necessary to reconstruct layout or other information by inspection.
5. Plant investigations for
   a. identification of critical structures, systems, and components with onsite verification of the initial choice of essential items;
   b. field tests by simplified methods (snap-back tests, impact tests, etc.) having the objective of verifying the natural frequencies, the damping and the quality of restraints;
   c. verification of the absence of space interaction of systems;
   d. collecting data for subsequent analyses;
   e. identification of the ameliorating provisions.
6. Possible simplified dynamic analysis to determine:
   a. the seismic load of components;
   b. the differential displacement they can tolerate;
   c. the level of forces on supports.

It is of no surprise that experts, during their inspections, also use elementary in situ testing methods. In fact, experience indicates that simple methods give an idea of natural frequencies, of the maximum vibration amplitude under moderate excitation, of the damping, of possible impact areas of components, of the lack or weakness of hangers or of anchorage, and of the possible amplification of the motion of a component on connected secondary components. Systems with high frequencies (rigid), high damping, and low vibration amplitudes are usually considered well designed and built. To this end, portable excitation and vibration analysis devices are used. In case of doubt, evidently, more elaborate analyses or tests have to be used. The general attitude of the inspection group will be that of the “good sailor” who ensures that any object on board a ship is securely fastened before confronting rough seas.

15.3.2.11.3 Typical Weak Points and Ameliorating Provisions

Table 15.11 lists a series of typical weak points, the resulting effect of an earthquake and the solutions typically adopted in case of existing plants or where more radical actions cannot be taken.

Table 15.11 Typical Weak Points and Solutions

| Component | Effect | Solution |
|---|---|---|
| Structures on slopes or in proximity of slopes | Risk of slide | Consolidate the slopes, improve the hydraulic regime of the rain water (guard channels, etc.) |
| Foundation soil composed of saturated sands and with uniform grain size | Liquefaction danger | Consolidate the soil, lower the water table; for new plants, displace the structure laterally or lower the foundation |
| Plants in proximity of other works (dams, other plants, etc.) which can be damaged by the earthquake | Domino effect | Mitigate the risk acting on the other works or on the protection of critical parts of the plant |
| Discontinuous foundations (e.g., footings) with nonconnected elements | Relative movements of the foundation elements and collapse | Link the foundation elements to each other |
| Concrete block or masonry partition walls | Risk of collapse for insufficient lateral restraint | Reconstruct or reinforce the walls; support them by adhering cemented wire nets; dowel to floor or tie into steel work |
| Horizontal parts not laterally anchored to the vertical structures (floor slabs resting on rubber supports, floors anchored to structures without floor continuous beams) | Loss of support and collapse | Add anchors or other types of connection |
| Elevated and slender structures (chimneys, antennas, towers) | Collapse for excessive deformability or P-δ effect (increase in the flexural moment due to the weight and to the lateral deformation of the structure) | Add stays, support struts, or other means of lateral anchorage |
| Instrument stands and equipment platforms | Insufficient lateral restraint | Add cross bracing; brace back to wall if tall; anchor well to resist earthquake forces and overturning moments |
| Cable trays (stacked trapeze type and cantilevered) | Excessive flexibility, insufficient anchorage against lateral movements, lack of protection from falling objects | Add bracing; tie back to walls at suitable intervals and 90-degree turns, add protective covers, including fire protection; lockweld joints |
| Drilled-in expansion anchors instead of cast-in | Pull out in case of earthquakes | Qualify by testing. Cast-in anchors recommended. High strength anchor bolts preferred (preloaded). Redundant anchors desirable. Avoid grouted-in anchors. Through wall anchors are best |
| Pipe hangers | Insufficient lateral strength; threaded couplings might untighten during earthquakes | Add lateral restraints or dampers; replace rigid braces with oscillating tie rods and suitable lateral displacement limiters |
| Atmospheric tanks for liquids | Risk of excessive oscillation of the liquid with possibility of: impact of the liquid on the roof and pull-out of ground anchors or rupture of the roof and spill of liquid, collapse by buckling of the lateral walls due to flexure moment on the complex of the tank (elephant foot shaped deformations), etc. | Test tanks for the possible damaging effects, reinforce the anchors to the ground and the restraints of the roof, add internal diaphragms in order to limit liquid oscillations |
| Supports for tanks and components on columns | Columns not braced, single anchors for each leg | Add bracing. Double up anchors, with suitable spacing. Tie back to wall where bracing is insufficient or tank is too tall |
| Vibration dampers | Insufficient, not protected against damage | Add dampers, add protection sleeves |
| Tall, overhung valves, and valve operators | Excessive deformations in case of earthquakes | Add lateral restraints or motion-limiting stops, as necessary, to limit earthquake induced stresses |
| Overhead ductwork | Collapse on components essential to the protection of the process or to safety | Strengthen (lock) duct joints. Add end restraints, use adequate supports, use backup supports |
| Cantilevered small valves, gauges, fittings, etc. | Risk of pull-out | Restrain valves or use short connections to avoid snapping off during an earthquake |
| Small branch pipe or tubing connections | High amplification, risk of rupture | Motion limits, good anchorage, proper flexibility to allow for differential movement in an earthquake |
| Long, vertical pipes supported at top and bottom only | Excessive horizontal flexibility | Use lateral restraints at suitable intervals, to avoid horizontal earthquake effects |
| Linear components (pipes or electrical connections) anchored to nonconnected adjacent structures and buildings | Danger of break of pipes or cables due to differential motion of buildings/structures | Ensure deformability and slack to the linear components in order to absorb without rupturing the relative displacements of the anchors |
| Overhead lighting (tubular fluorescent and mercury-vapor bulbs) | Could fall on or impact on safety equipment | Use lateral restraints. Close chain hooks. Protective covers must be well fastened |
| Electrical equipment cabinets, consoles, racks, and centers | Too weak, glass doors, inadequate anchorage, insufficient hinges and locks, upper closure panels not protected from the fall of objects | Use stiff frames, strong hinges/latches (two or more), well anchored, tie cabinets together across the top, reinforce tops against falling objects |
| Field run tubing, small piping and electrical conduits, small valves and fittings | Excessive flexibility, not systematically anchored to walls, insufficient separation between different groups of redundant components | Route carefully or protect well to avoid impact interaction with larger pipes, ducts, etc. during an earthquake. Use adequate clamps and supports |
| Local overhead coolers, heaters, intercoms, etc. | Risk of fall on critical components, excessive instability | Strong supports, use lateral bracing, especially where flexibly supported, add backup supports where consequences of falling in an earthquake are serious |
| Water, fuel, or lubricant lines and storage tanks | Risk of rupture and of consequent flooding and fire | Adequate support bracing, use protective curbs and proper drainage, sprinklers, halon or other fire protection features to mitigate effects of an earthquake |
| High-pressure gas storage bottles | Risk of fall and of rupture of valves with consequent missile-effect | Secure bottles to storage racks at top and bottom |
| Gaps between adjacent buildings | Impact between buildings | Ensure enough gap space or use damping spacers |
| Components critical for safety or process close to noncritical components | Risk of collapse of ordinary components or structures on critical ones | Increase the separation distance, protect critical components by cages or other devices, improve anchors of ordinary components, add redundant critical components well apart from the existing ones |
| Storage batteries | Batteries could fall down | Reinforce battery racks and anchor them, restrain batteries to racks, place batteries close to floor |
| Cranes, hoists, jibs, moving bridges, or working platforms | The load could impact laterally or fall down on critical components | Make design provisions for tethering or clamping hoists/cranes in a safe position when out of service. Lower loads onto safe areas when hoisting/handling operations are over |
| Bridge cranes | Risk of derailment | Add welded steel sheet stops to prevent derailment |
| Ladders, handrails, guard rails, stairways, etc. | Could fall down together with critical components attached to them | Secure and lock handrails, ladders, etc.; mount equipment on separate earthquake supports |
| Instrument air reservoirs | Risk of loss of compressed air for critical equipment | Properly support supply side check valves. Improve anchorage |
| Building wall penetrations | Risk of damage of pipes/cables due to the movement of the building | Use adequate clearance around penetrations, sealed with flexible, fireproof “boots” on the inside, weld penetrations to embedments on the inside and use soft bedding, on the outside, with flexible terminations or bellows |
| Electrical equipment connections | Risk of rupture due to movement of components/buildings | Add short length of armored, sheathed cable at all connection points, looped to avoid tension during an earthquake. Bottom connections recommended (less concern for relative movements in earthquake) |
| Porcelain insulators in open air switchyards | Risk of rupture | Avoid fragile insulators in critical electric systems |
| “Bucholtz” buoy protections in electric transformers against internal short circuits | Oscillation of liquid may trigger the protection and disconnect transformer | Use other types of protection or antisloshing internal diaphragms |
| False or suspended ceilings, loose furniture | Risk of displacement, fall, and damage | Secure ceilings and furniture close to sensitive equipment. Add curbs and railings around critical control consoles to prevent impact from furniture moving in an earthquake |

REFERENCES

Adams, N.J.I., 1992. Seismic design rules for flat bottom cylindrical liquid storage tanks. Int. J. Pres. Ves. Pip. 49, 61–95.
Ambraseys, N.N., 1988. Engineering seismology. Earthq. Eng. Struc. Dynam. 17, 1–105.
ASCE, 1986. Seismic Analysis of Safety-related Nuclear Structures and Commentary on Standards for Seismic Analysis of Safety-related Nuclear Structures. ASCE Standard ASCE 4-86, New York.
Bender, H.F., 1982. Underground Siting of Nuclear Power Plants. E. Schweizerbart’sche Verlagsbuchhandlung (Naegele u. Obermiller), Stuttgart.
Berardi, R., Capozza, F., Zonetti, L., 1977. Analisi di accelerogrammi registrati su roccia in superficie e in sotterraneo nel corso del periodo sismico del 1976 in Friuli. Rassegna Tecnica dei problemi dell’energia elettrica, 133.
Biggs, J.M., 1964. Introduction to Structural Dynamics. McGraw-Hill.
Biggs, J.M., 1972. Seismic response spectra for equipment design in nuclear power plants. First International Conference on Structural Mechanics in Reactor Technology, vol. 5, Berlin, Germany, Sept.
Capozza, F., Berardi, R., 1977. Stato delle conoscenze sull’effetto dei terremoti nelle cavità sotterranee. Rassegna tec. dei problemi dell’energia elettrica, 132.
Castellani, et al., 2000. Costruzioni in zona sismica. Hoepli, Milan.
Duff, C.G., 1984. Seismic Qualification of Nuclear Power Plants by Inspection. Eighth World Conference of Earthquake Engineering, San Francisco.
Espinoza, R.D., Bourdeau, P.L., Muhunthan, B., 1994. Unified formulation for analysis of slopes with general slip surface. J. Soil Mech. Found. Div. 120 (5), 1185–1204. ASCE.
Eurocode, 2002. Design Provision for Earthquake Resistance of Structures. Eurocode 8, European Standard EN 1998.
Gallardo, D.I.O., 1756. Lecciones entretenidas, y curiosas, physico-astrologico-metheorologicas, sobre la generacion, causas y senales de los terremotos. Madrid.
Gurpinar, A., 1997. A review of seismic safety considerations in the life cycle of critical facilities. J. Earthq. Eng. 1 (1).
Hansen, J.B., 1970. A Revised and Extended Formula for Bearing Capacity. Bulletin No. 28, Danish Geotechnical Institute, Copenhagen, Denmark, 5–11.
IAEA, 1985 and 1999. Earthquake Resistant Design of Nuclear Facilities with Limited Radioactive Inventory. TECDOC-348, IAEA, Vienna.
IAEA, 1992. Seismic Design and Qualification for Nuclear Power Plants. IAEA Safety Series N.50-SG-D15, Vienna.
IAEA, 1993. Probabilistic Safety Assessment for Seismic Events. TECDOC-724, Vienna.
IAEA, 2003. Seismic Design and Qualification for Nuclear Power Plants. IAEA NS-G-1.6.
IAEA, 2010. Seismic Hazards in Site Evaluation for Nuclear Installations. IAEA SS-G-9.
Italian Seismic Norms, 2018. D.M. 17/01/2018 “Aggiornamento delle Norme Tecniche per le Costruzioni”.
Janbu, N., 1957. Earth pressure and bearing capacity calculations by generalized procedure of slices. Proceeding of the 4th International Conference on Soil Mechanics and Foundation Engineering, 2, pp. 207–212.
Kana, D.D., 1978. Seismic response of flexible cylindrical liquid storage tanks. Nucl. Eng. Des. 52, 185–199.
Kanagawa, 1994. Manual for Evaluating the Earthquake Resistance of High-pressure Gas Facilities. Industrial Safety Dept., Environment Division, Kanagawa Prefecture, Jan.
Livolant, M., Petrangeli, G., Shibata, H., Idriss, I.M., Stevenson, J.D., 1979. Seismic Analysis and Testing of Nuclear Power Plants. IAEA Safety Series N.50-SG-S2, Vienna.
Meyerhof, G.G., 1951. The ultimate bearing capacity of foundations. Geotechnique 2, 301–332.
Morgenstern, N.R., Price, V.E., 1965. The analysis of the stability of general slip surfaces. Geotechnique 15 (1), 79–93.
Petrangeli, G., 1987. Impact of Seismicity on the Design of Nuclear Power Plants. Proceedings of the International Seminar on the State of the Art in Safety Analysis and Licensing of Nuclear Power Plants, Varna, Bulgaria.
Petrangeli, G. et al., 1998. Proposta di linee guida per la verifica sismica di impianti a rischio di incidente rilevante. Comitato Termotecnico Italiano, Sottocomitato 7: Gruppo ‘Tecnologie di Sicurezza’, Esistenti, Bozza del 7 Luglio.
Robertson, P., Campanella, R., 1985. Liquefaction of sands using CPT. J. Geotechn. Eng. Div. 111 (GT3), 384–403. ASCE.
Roesset, J.M., 1980. The use of simple models in soil–structure interaction. Civil Engineering and Nuclear Power, II, Geotechnical Topics, ASCE.
Roesset, J.M., 1995. Seismic design of nuclear power plants: Where are we now? Proceedings of SMIRT 13 Post Conference Seminar 16, Seismic Evaluation of Existing Nuclear Facilities, Iguazu, Argentina.
Sarma, S.K., 1975. Seismic stability of earth dam embankments. Geotechnique 25 (4).
Sarma, S.K., 1981. Seismic displacement analysis of earth dams. J. Soil Mech. Found. Div. 105 (GT12), 1735–1739. ASCE.
Seed, H., deAlba, P., 1986. Use of SPT and CPT tests for evaluating the liquefaction resistance of sands. Proceeding of In Situ ‘86. Virginia Tech., Blacksburg, VA, pp. 281–302, Geotechnical Special Publication, 6 ASCE.
Seed, H., Idriss, I., 1970. Soil Moduli and Damping Factors for Dynamic Response Analysis. Report EERC 70. College of Engineering, University of California, Berkeley.
Seed, H., Idriss, I., Arango, I., 1983. Evaluation of liquefaction potential using field performance data. J. Geotechn. Eng. 109 (3), 458–482. ASCE.
Seed, H., Tokimatsu, K., Harder, L., Chung, R., Arango, I., 1985. Influence of SPT procedure in soil liquefaction resistance evaluation. J. Geotechn. Eng. 112 (12), 1425–1445. ASCE.
Serva, L., 2001. Siting of High Risk Industrial Facilities: The Role of Natural Phenomena Such As Earthquakes. ESREL, Torino.
Shah, H.H., Chu, S.L., 1974. Seismic analysis of underground structural elements. J. Power Div. 100 (PO1), ASCE.
Stevenson, J.D., 1995. US experience in seismic reevaluation and verification programs. Proceedings of the SMIRT 13 Post Conference Seminar 16, Iguazu, Argentina.
USAEC, 1963. Nuclear Reactors and Earthquakes. TID-7024, Aug. 1963.
USCFR, Rev., 2017a. App. A to Part 100, Seismic and Geologic Siting Criteria for Nuclear Power Plants.
USNRC, 1988. Seismic Qualification of Equipment in Operating Nuclear Power Plants. Unresolved Safety Issue A-46, NUREG-1030.
USNRC, 2001. Technical Basis for Revision of Regulatory Guidance on Design Ground Motions: Hazard And Risk Consistent Ground Motion Spectra Guidelines. NUREG/CR-6728, October.
Veletsos, A.S., 1974. Seismic effects in flexible liquid storage tanks. Proceedings of the 5th World Conference on Earthquake Engineering, Rome.

FURTHER READING

USCFR, Rev., 2017b. Appendix S to Part 50—Earthquake Engineering Criteria for Nuclear Power Plants.

CHAPTER 16 TORNADO RESISTANCE

16.1 THE PHYSICAL PHENOMENON

A tornado is generated, according to the current interpretation of the observations made, when a “warm air bubble” formed in contact with the ground for various reasons and kept there by the presence of a thermal inversion layer, finds a way (e.g., because of the discontinuity of the inversion layer) to start its ascension in the atmosphere under the action of the buoyancy force due to the surrounding colder air mass. This rapid ascension of the air column, in the presence of strong translation winds at a certain elevation, is transformed into an upward translation motion and a rotation around its axis. This phenomenon is similar to the generation of a vortex in the vertical motion of a water mass, which can be easily observed. As in the water vortices, the rotation is generally counterclockwise in our hemisphere, for the action of the rotation of earth (Coriolis force). The ascension of the warm column is aided by the simultaneous condensation of the steam contained and by the consequent release of the corresponding condensation heat. This process originates at a height of 10–15 km and is characterized by cumulonimbus clouds.

The rotational speed may range between some meters per second to >100 m/s. The tornado also moves horizontally and its translational speed is usually rather low (up to a few tens of meters per second), which generally allows people who see it arriving to run away in time. The tornado is part of the same family as tropical hurricanes, but its size is much smaller. The dimension of the vortex is of 10–100 m, while the central vortex of a hurricane may be 100–1000 times higher. The physical effects of the passage of a tornado are

• a very strong wind which may fell trees and knock down buildings, and transport heavy objects significant distances (debris, but also vehicles and animals);
• a rapid transient decrease in atmospheric pressure which may cause the explosion of closed buildings.

The physical scheme of a tornado includes a central vortex which rotates as a solid cylinder around its axis, surrounded by an atmosphere in which the tangential horizontal speed varies with the inverse power of the distance from the center of the vortex. In the vertical direction, the pressure and velocities vary only slightly. Fig. 16.1 shows these kinetic characteristics. The translational speed of the vortex also needs to be taken into account when calculating the effect of a tornado on buildings.

Nuclear Safety. DOI: https://doi.org/10.1016/B978-0-12-818326-7.00016-0 © 2020 Elsevier Ltd. All rights reserved.

FIGURE 16.1 Schematic of tornado vortex of radius R, and the velocity and pressure distributions due to rotation. [Figure not reproduced; curves labeled v and P plotted against radius, with R marked.]

The formulae of interest, modeled as described above, are

• Distribution of the rotation speed

$$V = K r \quad (0 < r < R_v), \qquad K = \frac{V_v}{R_v} \tag{16.1}$$

$$V r^{\lambda} = c \quad (r > R_v), \qquad c = V_v R_v \tag{16.2}$$

where λ varies between infinity (at the initial instant of the formation of the vortex) and 1 when the rotation has fully propagated toward the outside.

• Distribution of the pressure due to the vorticity

$$\frac{dp}{dr} = \rho\,\frac{V^2(r)}{r} \tag{16.3}$$

with obvious meaning of the symbols.

From the above:

$$\Delta p(r) = \rho V_v^2 \left[ 1 - 0.5 \left( \frac{r}{R_v} \right)^2 \right] \quad (-R_v < r < R_v) \tag{16.4}$$

$$\Delta p(r) = 0.5\,\rho V_v^2 \left( \frac{R_v}{r} \right)^2 \quad (-R_v > r > R_v) \tag{16.5}$$

where ρ ≈ 1.29/9.8 = 0.13 kg s²/m⁴.

16.2 SCALE OF SEVERITY OF THE PHENOMENON

The scale now used is the gravity enhanced scale proposed by Prof. T. Fujita (Chicago) (Table 16.1) (Enhanced Fujita Scale, 2004).

Table 16.1 Enhanced Fujita Scale for Tornadoes

| Rating | Wind speed | Damage |
|---|---|---|
| EF0 | | Minor damage. Peels surface off some roofs; some damage to gutters or siding; branches broken off trees; shallow-rooted trees pushed over. Confirmed tornadoes with no reported damage (i.e., those that remain in open fields) are always rated EF0 |
| EF1 | Winds from 138 to 177 km/h | Moderate damage. Roofs severely stripped; mobile homes overturned or badly damaged; loss of exterior doors; windows and other glass broken. Tree branches are broken off, roofs are ripped away, vehicles are significantly displaced, light trailers can be overturned |
| EF2 | Winds from 178 to 217 km/h | Considerable damage. Roofs torn off from well-constructed houses; foundations of frame homes shifted; mobile homes completely destroyed; large trees snapped or uprooted; light-object missiles generated; cars lifted off ground |
| EF3 | Winds from 218 to 266 km/h | Severe damage. Entire stories of well-constructed houses destroyed; severe damage to large buildings such as shopping malls; trains overturned; trees debarked; heavy cars lifted off the ground and thrown; structures with weak foundations are badly damaged |
| EF4 | Winds from 267 to 322 km/h | Devastating damage. Well-constructed and whole frame houses completely leveled; some frame homes may be swept away; cars and other large objects thrown and small missiles generated |
| EF5 | Winds from >322 km/h | Incredible damage. Strong-framed, well-built houses leveled off foundations and swept away; steel-reinforced concrete structures are critically damaged; tall buildings collapse or have severe structural deformations; cars, trucks, and trains can be thrown approximately 1 mile (1.6 km) |

Table 16.2 Tornado Design Figures Adopted in Italy

| Parameter | Design value |
|---|---|
| Translation velocity | 24 m/s |
| Maximum rotation velocity | 73.5 m/s |
| Maximum resulting velocity | 97.5 m/s |
| Maximum theoretical pressure | 600 kg/m² |
| Maximum depression | 700 kg/m² |
| Missile 1: Automobile of 1000 kg | Impact velocity = 1/6 × rotational velocity (12.5 m/s), impact elevation = 7 m, impact area = 2.1 m² |
| Missile 2: Steel pipe Ø = 80 mm, length = 3 m, weight = 35 kg | Impact velocity = 1/3 × rotational velocity (= 24.5 m/s), impact of the pipe end perpendicularly to the surface, any impact elevation |
| Missile 3: Wooden plank 0.1 × 0.3 × 3.6 m, weight = 50 kg | Impact velocity equal to the rotational velocity (73.5 m/s), any impact elevation, impact area 3.6 × 0.3 m |

16.3 DESIGN INPUT DATA

On the basis of a thorough search of past events, the design values for nuclear reactors in Italy were chosen as shown in Table 16.2. The reference tornado in Italy is taken to be EF5 on the Fujita scale. In the United States two sets of values are used for this event (Bechtel Co, 1973) (USNRC R.G. 1.76. Rev.1). The strongest one (in the central-eastern part of the country, notoriously subject to this phenomenon) has a maximum velocity of 371 km/h and therefore also belongs to the EF5 on the Fujita scale. The design of nuclear plants is not significantly influenced by a design event tornado of intensity 5, except for the need to provide the secondary containment or similar buildings with pressure equalizing automatic panels (or with other provisions) in order to cope with the negative pressure caused by the event (e.g., the Caorso power station in Italy). Design verifications for a tornado usually entail the following:

• Testing for positive and negative pressures on the exterior walls of buildings taking into account the various shape coefficients (Bechtel Co., 1973) which are customary for the design against strong winds.
• Analysis of positive–negative pressure gradients created inside buildings and the verification of the internal structures by appropriate computer codes which take into account the possible time variation of the positive–negative pressures present, caused by the movement of the vortex.
• Analysis of resistance to missiles by using the penetration formulae usually used for impacts (see Chapter 17: Resistance to External Impact).
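The vortex formulae of Section 16.1 can be checked numerically against the design figures of Table 16.2. The following Python sketch is an added example, not code from the book: it integrates Eq. (16.3) to confirm Eqs. (16.4) and (16.5), and estimates the time variation of the depression seen by a wall as the vortex translates past it. The core radius of 50 m is an assumption (the text gives only a 10–100 m range), as is λ = 1.

```python
"""Tornado vortex model of Eqs. (16.1)-(16.5), evaluated with Table 16.2 figures."""
import math

RHO = 0.13       # air density in technical units, kgf s^2/m^4 (value quoted with Eq. 16.5)
V_ROT = 73.5     # maximum rotation velocity V_v, m/s (Table 16.2)
V_TRANS = 24.0   # translation velocity, m/s (Table 16.2)
R_CORE = 50.0    # ASSUMPTION: core radius R_v in m; the text only gives 10-100 m


def tangential_speed(r, v_v=V_ROT, r_v=R_CORE):
    """Eq. 16.1 inside the core; Eq. 16.2 with lambda = 1 (assumed) outside it."""
    r = abs(r)
    return v_v * r / r_v if r <= r_v else v_v * r_v / r


def pressure_drop(r, v_v=V_ROT, r_v=R_CORE, rho=RHO):
    """Closed-form depression below ambient, kgf/m^2 (Eqs. 16.4 and 16.5)."""
    x = abs(r) / r_v
    if x <= 1.0:
        return rho * v_v ** 2 * (1.0 - 0.5 * x * x)
    return 0.5 * rho * v_v ** 2 / (x * x)


def pressure_drop_numeric(r, r_far=100.0 * R_CORE, steps=20000):
    """Midpoint-rule integral of Eq. 16.3, dp/dr = rho V^2 / r, from r out to r_far.

    The small contribution beyond r_far is neglected.
    """
    r = abs(r)
    h = (r_far - r) / steps
    total = 0.0
    for i in range(steps):
        rm = r + (i + 0.5) * h
        total += RHO * tangential_speed(rm) ** 2 / rm * h
    return total


def max_dynamic_pressure(rho=RHO):
    """0.5 rho V^2 at the maximum resulting velocity (rotation plus translation)."""
    return 0.5 * rho * (V_ROT + V_TRANS) ** 2


def passage_history(offset=0.0, dt=0.01, half_span=20.0):
    """Depression seen by a fixed wall while the vortex axis translates past it.

    offset is the closest distance (m) between the axis track and the wall.
    Returns a list of (time_s, depression_kgf_m2) samples centred on closest approach.
    """
    n = int(round(half_span / dt))
    history = []
    for i in range(-n, n + 1):
        t = i * dt
        r = math.hypot(V_TRANS * t, offset)
        history.append((t, pressure_drop(r)))
    return history


def peak_rate(history):
    """Largest rate of change of the depression in the history, kgf/m^2 per second."""
    return max(abs(b[1] - a[1]) / (b[0] - a[0]) for a, b in zip(history, history[1:]))


if __name__ == "__main__":
    print(f"Depression on the axis   : {pressure_drop(0.0):7.1f} kgf/m^2 (Table 16.2: 700)")
    print(f"Depression at core edge  : {pressure_drop(R_CORE):7.1f} kgf/m^2")
    print(f"Max dynamic pressure     : {max_dynamic_pressure():7.1f} kgf/m^2 (Table 16.2: 600)")
    print(f"Numeric check of Eq. 16.3: {pressure_drop_numeric(0.0):7.1f} kgf/m^2")
    for off in (0.0, R_CORE, 2 * R_CORE):
        hist = passage_history(off)
        peak = max(dp for _, dp in hist)
        print(f"offset {off:5.0f} m: peak {peak:6.1f} kgf/m^2, "
              f"max rate {peak_rate(hist):6.1f} kgf/m^2/s")
```

The peak depression does not depend on the assumed core radius, but the rate of change scales as 1/R_v, so a smaller core gives a faster pressure transient for the same design velocities.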

REFERENCES

Bechtel Co., 1973. Tornado and Extreme Wind Design Criteria for Nuclear Power Plants. BC-TOP-3, Bechtel Power Co.
Enhanced Fujita Scale, 2004. Wind Science and Engineering Center. Texas, Lubbock.
USNRC, 2007. Regulatory Guide 1.76 Rev.1 March 2007, Design-Basis Tornado and Tornado Missiles for Nuclear Power Plants.

CHAPTER 17 RESISTANCE TO EXTERNAL IMPACT

17.1 INTRODUCTION

This chapter considers the external impact of crashing aircraft, sabotage, and the effect of an explosive pressure wave. The external impact is considered with reference to engineering defence measures: aircraft impact can otherwise be prevented, with variable degrees of effectiveness, by provisions such as modifying flight corridors or protecting the nuclear power plant with special forces, etc.

17.2 AIRCRAFT CRASH IMPACT

The first type of strong external impact due to human activities considered for nuclear plants was that of a crashing aircraft. This kind of load started to be included among the usual design conditions, together with the pressure wave, in the 1960s and 1970s in Germany as a result of several accidents primarily involving the Lockheed F-104 Starfighter. However, for conservatism, the reference aircraft chosen was the McDonnell-Douglas F-4 Phantom. The same approach was then followed by other countries such as Belgium, Switzerland, and Italy. Subsequently, it became clear that, in some countries, nuclear plants should also be protected against external acts of sabotage, involving aircraft, but also against launched explosive charges. It was then discovered that the protection against aircraft impact of the type described above also gave protection against many plausible similar events, at least from the structural point of view.

17.2.1 EFFECTS OF AN AIRCRAFT IMPACT

Usually the effects of an aircraft impact (or similar) on a plant are assumed to be:

• a dynamic load at the point of impact, causing static stresses and vibration of structures and components;
• a localized load at the point of impact with possible penetration of the impacted wall and generation of fragments on the opposite face of the structure (spalling);
• fire due to the fuel transported by the aircraft;
• temporary incapacitation of the operating personnel.

Nuclear Safety. DOI: https://doi.org/10.1016/B978-0-12-818326-7.00017-2 © 2020 Elsevier Ltd. All rights reserved.

FIGURE 17.1 Load time diagram for Phantom F-4. [Axes: load (1000 kg) versus time (ms).]

17.2.2 OVERALL LOAD ON A STRUCTURE

The overall dynamic load on structures has been evaluated by tests and analytical evaluations. The corresponding load time diagram is shown in Fig. 17.1 for a Phantom F-4. The velocity of impact (assumed normal to the impacted surface) is 215 m/s. The equivalent diameter of the loading area is 2.60 m. The two-step shape of the load curve is due to the presence of two phases: initial impact of the body and subsequent impact of the engines (more rigid).

In the Italian criteria (see Appendix 1), it is supposed that the reference impact happened at 45 degrees relative to the normal of the surface and that this event was equivalent to a normal impact with velocity equal to ≈150 m/s. The estimated load curve is shown in Fig. 17.2. In practice (with reference to Fig. 17.2), the second impact of the engines is eliminated. The impact area is assumed, as in the first case, equal to 7 m². These assumptions are not accepted by all the experts because they do not take account of the fact that the engines, in the first phase of the impact, may break off the aircraft body and proceed toward the target as autonomous missiles, without the energy absorbing effect of the body itself.

FIGURE 17.2 Example of another load time diagram. [Axes: load (1000 kg) versus time (ms).]

In order to perform an indicative evaluation of the load which could correspond to other types of aircraft and to other impact speeds, the following simple concepts are suggested:

• $G_1$ and $G_2$ are the weights of the two aircraft and $V_1$ and $V_2$ their impact velocities, respectively. It is assumed that $G = G_1/G_2$ and $V = V_1/V_2$.
• The ratio, $L$, between the linear dimensions, $l$, and the product of the area of part of the aircraft times the square of its velocity, will vary with the weight of the aircraft as this quantity is proportional to the lift which must equal the weight (it is supposed that this is true in conditions of impact also). The following is obtained: $L^2 V^2 = G$ and therefore $L = G^{0.5}/V$.
• The flexural moment on the body will vary according to the product of the weights for the lengths and therefore according to the ratio $G \cdot G^{0.5}/V$.
• The design mechanical stresses will be the same, so from $\sigma = My/(t k l^3)$, the thickness, $t$, of the body varies with the ratio $T = GV/G^{0.5}$.
• The impact force will presumably vary as $\sigma_{cr} L T$, that is, as the product between the buckling stress of a cylinder times the area of the resistant cross-section; as $\sigma_{cr}$ in a cylinder varies as $T/L$, the impact forces, $F_i$, will vary as $T^2$, that is, as $GV^2$:

$$F_i = G V^2 \qquad (17.1)$$
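The scaling argument of Section 17.2.2 carried through step by step, as an added worked derivation that is not part of the original text. All symbols are the page's ratios between the two aircraft; reading $M$ as the bending moment, and $y$ and $l$ as lengths that scale with the linear dimension $L$, is an assumption about the page's notation.

$$
\begin{aligned}
L^2 V^2 = G \;&\Rightarrow\; L = \frac{G^{0.5}}{V} \\
M \propto G\,L \;&\Rightarrow\; M = \frac{G^{1.5}}{V} \\
\sigma = \frac{M y}{t k l^3} = \text{const},\quad y \propto L,\; l \propto L \;&\Rightarrow\; T = \frac{M L}{L^3} = \frac{M}{L^2} = \frac{G^{1.5}}{V}\cdot\frac{V^2}{G} = G^{0.5} V = \frac{GV}{G^{0.5}} \\
\sigma_{cr} \propto \frac{T}{L} \;&\Rightarrow\; F_i \propto \sigma_{cr} L T = T^2 = G V^2
\end{aligned}
$$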

The preceding relationships agree with the data for the Phantom F-4 within 10% compared with those of a completely different aircraft, the Learjet of roughly 10 t studied in report CEA-IPSN (1977), for various impact velocities. The influence of velocity too, according to these last data, is well represented by the above-discussed formulae. Table 17.1 shows the weights and wing spans of several aircraft. The simple laws described above, when applied to a Boeing 747 with an impact velocity of about 200 m/s, would generate a peak force of about 17 times the one associated with a Phantom F-4. Even taking into account the larger impact area, it is, therefore, difficult to protect a plant against this impact (unless it is located in a cavern or sufficiently underground). The protection against a Phantom F-4 hitting at a velocity of 215 m/s requires a minimum reinforced concrete thickness of 1.8 m and, at 150 m/s, a minimum thickness of 1.2 m is needed. These thicknesses also take into account the penetration strength. CEA-IPSN (1977) gives the result of studies for the evaluation of oblique impact loads, that is, impacts not normal to the surface. It may be interesting to know that the two Boeing 767s which hit the World Trade Center in New York on September 11, 2001, had estimated velocities of 686 and 859 km/h, respectively.

Table 17.1 Data for Various Aircraft

| Aircraft | Full Load Weight (t) | Engine Weight (kg) | Wing Span (m) |
|---|---|---|---|
| Learjet 23 | About 10 | 2 × 191 | About 13 |
| Boeing 707-320 | About 150 | 4 × 1825 | 44 |
| Boeing 757-200 | 116 | 2 × 2853 | 38 |
| Airbus A300 | 132 | 2 × 5100 | 45 |
| Boeing 747-200C | 350 | 4 × 4100 | 60 |
| Boeing 767 | 180 | 2 × 5100 | 52 |
| Phantom F-4E | 20 | 2 × 1740 | 12 |
| Airbus A330-200 | 230 | 2 × 5100 | 60 |
| Boeing 737-600 | 56 | 2 × 2600 | 34 |


17.2.3 VIBRATION OF STRUCTURES AND COMPONENTS

The dynamic load dealt with in the preceding section has to be considered as a quasistatic load imposed on the structure as a whole but also as the cause of vibration of the components located inside. It is estimated that the acceleration due to an aircraft impact at the foundation level may reach and exceed the values typical of a design earthquake in a moderately seismic area. The response spectrum of the aircraft impact pulse is rather “hard,” that is, dominated by high frequencies. For this reason, the components subjected to the highest loads are the most rigid ones, especially if the plant is located on rigid foundation soil (rock). In some designs, the external structures of the plant are mechanically decoupled from the internal ones on which the plant components are fixed. In this way the vibration transmitted to the components is reduced. The decoupling, obviously, is obtained by inserting joints and gaps in the structures. Fig. 17.3 shows qualitatively the relative position of the response spectra of the seismic excitation, of the deflagration of an explosive cloud and of an aircraft impact.

17.2.4 LOCAL PERFORATION OF STRUCTURES

Parts of an impacting aircraft, especially the engines, cause local effects such as perforation and missile generation in the rear side of an impacted wall. Many formulae exist for the evaluation of these effects, not all of them applicable in the range of parameters of interest here (CEA-IPSN, 1977; Riera, 1982, 1989).

FIGURE 17.3 Structural response spectra for various phenomena. [Axes: acceleration (arbitrary scale) versus frequency (Hz); curves: earthquake spectrum, aircraft impact spectrum, explosive cloud deflagration spectrum.]

x5

1:5 G 4 V3 ft0:5 D1:8


(17.2)

where $x$ is the penetration depth (cm), $f_t$ is the compression resistance of the concrete (kg/cm²), $V$ is the impact velocity (m/s), $G$ is the impacting weight (kg), and $D$ is the effective diameter of the impacting body (aircraft or engine) (cm). This formula is valid for impact velocities ranging from 150 to 300 m/s and has been verified by experimental tests. The protection against “spalling” is obtained by empirically increasing the thickness calculated by the formula by 25%. An increase in thickness up to 1.8 m guarantees an absence of damage due to the simultaneous explosion of the normal weapons carried by a fighter aircraft (missiles), but not of the possibly carried bombs (which is justified on a probabilistic basis if the bombs are not triggered to explode). This thickness also offers protection against other types of impacts such as an oblique one due to the separation of an engine and that of a missile due to the explosion of a nuclear plant turbine (for which in general 80 cm are sufficient). The depth of penetration in the soil (of interest for buried lines and tunnels) can be evaluated according to

$$x_0 = \frac{\chi G V}{D^2} \qquad (17.3)$$

where $x_0$ is the penetration depth (m), $D$ is the diameter of the missile (m), $\chi$ is a constant dependent on the type of soil ($59 \times 10^{-6}$ for sandy soil), $G$ is the weight of the missile (kg), and $V$ is the vertical component of the velocity (m/s). For a Phantom F-4, a depth of about 6 m is obtained, which corresponds to the effect of a bomb of about 100 kg of explosive.

17.2.5 THE EFFECT OF A FIRE

It is assumed that the impacting aircraft has up to 10 t of aviation fuel on board, so the potential damage if a fire breaks out is significant and, therefore, the design of the structure and of the surrounding spaces must be such as to eliminate this danger. A measure commonly adopted is to encircle the buildings with deep trenches filled with gravel. These have the function of collecting the spilt fuel and of preventing its ignition in the open air. Obviously, the resistance of the external structures to the impact stops fuel from entering the building.

17.2.6 TEMPORARY INCAPACITY OF THE OPERATING PERSONNEL

It is believed that the operating personnel would be so shocked by the impact that they would be unable to operate the plant for hours afterwards. For this reason, every plant protected from external impacts as described in this chapter is also provided with an emergency system which can automatically operate for many hours and which is able to guarantee the safety of the plant. This system is also a protection against the effects of an explosive wave hitting the plant from outside and the possible use of toxic gases. Obviously, the whole system, provided with an adequate redundancy, is also protected against the external impact.


17.3 PRESSURE WAVE

The design pressure wave is supposed to be due to the release of explosive gases, either accidental or malicious. Generally, the following assumptions are made:

• The cloud’s size includes all of the station buildings.
• The wave has the characteristics of the deflagration, not of the detonation. It is thought, in fact, that a detonation can only happen close to the release point and, therefore, the plant is protected by the normal safety distances (see Figs. 17.4 and 17.5; obviously this concept does not apply to voluntary events).

FIGURE 17.4 Example of safety distances used. [Axes: possible explosive weight (kg) versus safety distance (m).]

FIGURE 17.5 Example of pressure wave adopted for the design. [Axes: overpressure (10⁵ Pa) versus time (s).]

17.4 OTHER IMPACTS

As mentioned above, the missile due to plant turbine case burst is covered by the design basis for the aircraft impact. This event is also made unlikely by the radial placement of the turbine axis with reference to the important plant buildings. However, even if a “high (parabola-shaped) trajectory” missile is considered, which is not influenced by the power station “layout,” the necessary reinforced concrete thickness (about 80 cm) is lower than that required for the aircraft impact. The turbine missile can be several tonnes and travel with a speed of the order of 100 m/s (Zwicky, 1957). Possible attacks with penetrating grenades (Rocket Propelled Grenades, bazooka) must be analyzed on a case-by-case basis:

• Location of the redundant components in positions well apart from each other and not simultaneously in sight from a single virtual aiming point.
• Location of the essential components far from the external building walls.
• The use of multiple protection barriers.


In deciding about protection, it must be remembered that these projectiles may perforate several meters of reinforced concrete. The elements of protection against a malicious action such as the use of an explosive vehicle are the subject of USNRC (2013) adopted in the United States. In it, in particular, various types of barriers are examined with an indication of the maximum impact kinetic energy they can withstand. The reference kinetic energy for the design against a vehicle impact is not available. Under the assumption, however, that its order of magnitude is 500,000 ft·lb, it would correspond to a 6-t truck at the speed of 60 km/h. Besides the protection afforded by barriers, sometimes the reinforcement of structures exposed to a possible explosive blast is considered. It is useful to remember in this connection that the time history of the pressure difference with reference to the preexisting one, generated by an explosive wave at a point a certain distance from the blast, is of the type shown in Fig. 17.6. The curve shown in Fig. 17.6 occurs in the free field without obstructions or obstacles. If the explosive wave meets an indefinite and rigid wall perpendicular to the propagation direction, then the maximum pressure on the wall (reflected peak pressure) will be composed of the sum of the

FIGURE 22.1 Indicative consequences of a 1-Mt explosion. [Horizontal axis: distance (km).]

• the generation of fire storms with high velocity winds (> 100 km/h up to several kilometers distant) generated by direct heating and by fires caused by the radiation. It should be remembered that large fire storms were caused during the intense conventional bombing of German cities during the Second World War even though substantially lower overall energy was released.
• Initial fallout is the deposition on the ground of the radioactive particles generated in the explosion during the first 24 hours after the event. The particles which are deposited later are smaller (order of magnitude of 1 µm) and reach the ground sometimes a year later. Here, too, the lethality limit has been assumed to be 10 Gy accumulated within seven days of exposure in the contaminated zone. The total radioactivity generated is equal to about 3000 times the one contained in a 1000 MWe reactor at equilibrium (but, for iodine-131, it is about equal and after 24 hours the total radioactivity decreases, at least, by 2000 times). A fraction of this radioactivity, highly dependent on the explosion height (ranging from 10% for elevated explosions to 70% for surface ones), originates the initial fallout. However, this value of the ratio of total radioactivity released by a bomb and the total radioactivity contained in a reactor at equilibrium does not apply to the various isotopes or different decay times, for example, the above-quoted ratio of 3000 becomes 1 for iodine-131 and even 1/10 for cesium-137, which is responsible for 40% of the long time “fallout” doses of the bombs exploded in the atmosphere (Glasstone and Dolan, 1977). As a further example, the cesium-137 released by the Chernobyl accident was equal to about 500 times the cesium-137 released by the Hiroshima bomb (Glasstone and Dolan, 1977). These differences are due to the fact that the isotope composition of the resulting radioactive products is different for an explosion and for a reactor core at equilibrium (i.e., after a practically infinite time of operation).
• Finally, a phenomenon which may indirectly entail casualties is the electromagnetic pulse (EMP). An atomic explosion causes highly variable ionization currents and the consequent electromagnetic fields generate electric currents in conducting objects. Serious faults and malfunctions of control and operation systems are likely: the ubiquitous microprocessor-based systems are particularly sensitive to EMP effects.

The next section briefly discusses these phenomena. Only relatively low altitude air explosions are dealt with (underwater and high-elevation explosions are not discussed, underground explosions are discussed in Section 22.8).

22.4 INITIAL NUCLEAR RADIATION

The dose resulting from the initial nuclear radiation depends in a complex way on the explosion power and on distance, and on the density variations of air due to the blast (the “hydrodynamic” increment due to the rarefaction of air behind the shock wave at high explosion energies). Tables 22.1 and 22.2 detail three values of gamma and neutron doses, respectively, and distance (in air from the explosion center) for three typical explosion energies. Other values can be interpolated or extrapolated. The uncertainty is equal to a factor of two in both ways.

Protection from the initial radiation is obtained by shielding layers. For gamma rays, every material is useful, but preferably those with a high atomic weight. For neutrons, the shielding is more complex as they must be slowed down first (light elements are effective for this) and then absorbed. Moreover, as the interaction of neutrons with matter generates gamma radiation, the latter must also be shielded by heavy elements. Table 22.3 lists some (indicative) data of an experimental and/or analytical origin concerning the transmission factor of various structures for the two types of radiation.

Table 22.1 Gamma Doses

| Explosion energy | 1 Gy (see Chapter 7) | 10 Gy | 100 Gy |
|---|---|---|---|
| 100 kt | 2400 m | 1700 m | 1200 m |
| 1000 kt | 3200 m | 2700 m | 2000 m |
| 10,000 kt | 5000 m | 4200 m | 3400 m |

Table 22.2 Neutron Doses

| Explosion energy | 1 Gy | 10 Gy | 100 Gy |
|---|---|---|---|
| 100 kt | 2000 m | 1600 m | 1100 m |
| 1000 kt | 2500 m | 2000 m | 2500 m |
| 10,000 kt | 3000 m | 2500 m | 2000 m |

Table 22.3 Approximate Dose Transmission Factors Through Various Structures

| Structure | Gamma Rays | Neutrons |
|---|---|---|
| 1 m soil | 0.003 | 0.005 |
| Dwellings (high floors) | 0.8 | 0.9 |
| Dwellings (low floors) | 0.5 | 0.5 |
| Concrete shelter (25 cm walls) | 0.15 | 0.4 |
| Concrete shelter (60 cm walls) | 0.01 | 0.15 |

22.5 SHOCK WAVE

The intensity of the shock wave generated by an explosion depends on the height of the explosion and distance from the explosion. However, for objects on the ground and for explosions within a few kilometers, the peak pressure generated is shown in Fig. 22.2 for the equivalent energy of 1 kt. For other energies a scaling law can be used:

$$D = D_1 \times W^{1/3} \qquad (22.1)$$

where $D_1$ is the distance where a pressure for 1 kt occurs and $W$ is the equivalent energy of the explosion considered. Eq. (22.1) is valid only for surface explosions and impact points; otherwise, other correction coefficients should be used.

FIGURE 22.2 Peak pressure for a 1-kt explosion. [Axes: pressure (10⁵ Pa) versus distance (m).]

The pressure acting on a structure hit by the wave is not equal to the above-mentioned peak pressure unless the structure is hit sideways, that is, when the structure wall considered is parallel to the direction of propagation of the wave. In any other case, the maximum dynamic pressure on the wall is higher than the peak one by a factor of 2 to 4 (theoretically, 8) for a wall perpendicular to the wave direction of propagation, due to the reflection of the wave itself. Diagrams exist for the preventive evaluation of the possible damage to various structures, drawn on the basis of experimental and theoretical data. As an example, a reinforced concrete office building, designed to resist an earthquake, can be severely damaged by a 1-Mt explosion up to about 10 km distance.

22.6 INITIAL THERMAL RADIATION

The overall duration of the emission of initial thermal energy varies with energy between values of a fraction of a second for low energies and values of tens of seconds for the higher energies (10 Mt and higher). As already mentioned, it is assumed that about 35% of the energy released is transmitted as initial thermal radiation. The total energy deposited on objects on the ground and for unit surface is, then, approximately proportional to the inverse of the cube of the distance in air. It can be assumed that any combustible material catches fire for a value of this specific energy equal to 40 J/cm² (400 kJ/m²). For an explosion of 1 Mt, about 40 J/cm² at 3000 m in air from the explosion center can be observed. Other values can be obtained by the simple scaling laws above. The “mushrooms” of higher energy explosions tend to have heights equal to their widths, while those of small energy have heights greater than width because of the relative importance of the buoyancy and lateral forces. Fig. 22.3 gives an idea of the dimension and typical form of the “fireball” generated by the explosion.

FIGURE 22.3 Relative dimensions of the radiating surfaces of two different explosions. [Panels: 100 kt and 10 Mt; scale: 40 km.]

FIGURE 22.4 Dose factor for permanence in the contaminated place. [Axes: factor versus initial time (h); curves: factor for 1 h, 1 d and 4 d.]

22.7 INITIAL RADIOACTIVE CONTAMINATION (“FALLOUT”)

The following steps give an indicative estimate of the dose from the fallout of an explosion:

1. Calculation by interpolating the dose intensity at the moment of arrival of the radioactive particulate (reference dose intensity).
2. Calculation of the accumulated dose for the given permanence in the considered position, by multiplying the initial dose intensity by a factor given by diagrams like Fig. 22.4, as a function of the arrival time of the contamination (dependent on the wind velocity and on the distance).


This method does not take into account the shielding effect of the ground roughness, nor the dimensions of the initial radioactive cloud. These effects, given the largely indicative character of these estimates, are to be considered as secondary. Rain or snow are much more important than these effects on the distribution of the contamination by causing a washout of the radioactive cloud and a “patchy” distribution of the unit dose.

22.8 UNDERGROUND NUCLEAR TESTS

22.8.1 HISTORICAL DATA ON NUCLEAR WEAPONS TESTS

Testing has been a fundamental factor in the design of nuclear weapons. Therefore up to now six countries have performed about 1900 tests, of which 518 have been in the atmosphere, underwater, or in space, and the remainder underground (Robbins, 1991). In 1963, the first international treaty against testing nuclear weapons was signed and after that, only France (atmospheric and underwater tests until 1974) and China (until 1980) continued. After 1980, all the tests have been underground. One of the positive results of the G7 Group, enlarged to include the new Russia, is that a total stop of the nuclear tests has been agreed upon.

22.8.2 THE POSSIBLE EFFECTS OF AN UNDERGROUND NUCLEAR EXPLOSION

Underground nuclear explosions are usually performed at a depth of hundreds of meters in order to avoid any consequences, radioactivity releases in particular, on the surface. The known effects of an underground explosion are the melting of rocks near the bomb and their fracturing for an extended surrounding volume. Events certain to occur are the seismic waves produced by the explosion and the ensuing surface disturbances in lakes and lagoons. The radioactive products (with a long half life and at a few hours from the time of the blast) released in the rock cavities have the following order of magnitude:

• strontium-90: about 3500 TBq per megaton;
• cesium-137: about 5500 TBq per megaton;
• plutonium-239: about 5 TBq per test (corresponding to about 2.5 kg Pu).

Activation products, which are generated by the intense neutron flux, also have to be considered. In contrast to atmospheric explosions, a small amount of carbon-14 is generated by activation of nitrogen-14 and a small amount of tritium. If salt water is present, the isotope sodium-24 is produced by activation of sodium-23. In the ground, silicon, aluminium, and manganese are also activated, which have short half lives and rapidly decay. Besides these known effects, some accidental ones may also occur such as in the experimental test at Baneberry, Nevada, in 1970 (10 kt at 270 m depth). A release of the majority of the explosion products and debris occurred which was pushed to a height of 3 km. After that event the Americans adopted more efficient containment measures. Another feared effect is the later penetration of water into the fractured rocks down to the blast cavity: it is thought that highly radioactive thermal springs could be created with a release of radioactivity at the surface.


In underground tests performed below a water body, as in the case of the tests at the Mururoa Atoll, underwater rock slides may create anomalous waves and tsunamis. An event of this kind really happened at Mururoa (July 25, 1975) when an underwater slide of about 10⁶ m³ of coral rock was created leaving a cavity of about 140 m in diameter, accompanied by the generation of a tsunami which caused damage and injured people in the Tuamotu archipelago. Unfortunately, the event could have been foreseen, as the operators did not succeed in taking the weapon down to the planned 800 m underground: it got stuck at 400 m but the test was performed anyway.

22.8.3 THE POSSIBLE RADIOLOGICAL EFFECTS OF THE UNDERGROUND TESTS

Given the order of magnitude of the source of the most meaningful isotopes (strontium-90, cesium-137, and plutonium-239), the calculation of external releases is based on an estimate of the percentage of radioactivity released in the atmosphere. A criterion that has been used for estimating the possible damage consists in assuming that the external release is in the interval of 1% to 10% of the generated radioactivity. The consequences, then, can be evaluated by the usual methods used for the calculation of radioactivity concentration as a function of distance downwind and the estimate of the health effects of direct exposure, of inhalation, and of ingestion. The evaluations of the assumed accidental releases that happened during the underground tests indicate an average external release of about 40 TBq per test. The Baneberry case is probably unique in its severity. A release of 40 TBq of cesium and strontium is, however, serious (when compared to the maximum acceptable releases from future European reactors, even in a severe accident, which might be expected of the order of terabecquerels of iodine-131, corresponding to fractions of terabecquerels of cesium-137).

REFERENCES

Becket, B., 1983. Weapons of Tomorrow. Plenum Press.

Glasstone, S., Dolan, P.J., 1977. The Effects of Nuclear Weapons. USDOD and ERDA.

Robbins, A., 1991. Radioactive Heaven and Earth. The Apex Press, New York.

Van Vliet, P., 1992. Armi Nucleari. Fratelli Melita editori, La Spezia.

CHAPTER 23 RADIOACTIVE WASTE

23.1 TYPES AND INDICATIVE AMOUNTS OF RADIOACTIVE WASTE

Radioactive waste is generated by the following activities:

• medical uses (radiodiagnostics and radiotherapy) and industrial uses without nuclear reactors (radiography of mechanical components, irradiation of goods for disinfection/sterilization/conservation);
• operation and decommissioning of nuclear plants.

The waste is mainly classified according to its radioactivity level and to its decay time. These two characteristics principally influence the choice of the best method for waste treatment and its storage/disposal. A classification internationally used is shown in Table 23.1, together with the suggested management method (IAEA, 2009).

In order to get an idea of the quantity of radioactive waste produced by the various activities, it is useful to consider that in a country like Italy the medical and industrial waste (not including nuclear reactor waste) is as much as 1500 m³ per year. The LILW-SL waste produced per year by a 1000 MWe reactor is similar. The fuel discharged by a similar reactor is approximately 30 t in the nonconditioned state.

As far as the low-activity and medium-activity waste are concerned, when disposal at sea was abandoned following the international agreement for the protection of the sea, a disposal system based on burial in trenches, adopted in the United States after the Second World War (simple near surface facility), has been gradually replaced by ever more elaborate methods based on the acknowledgment of the importance of introducing redundancy in the safety systems. This approach substantially aims at designing the storage with the concept of entrusting safety to various natural and artificial components, each one representing a barrier to the diffusion of radionuclides into the biosphere.

Various types of repositories have been conceived and implemented over the years (Cumo et al., 2002). In the near surface type, based on various engineered barriers [engineered near surface facility (ENSF)], the disposal structures can be positioned above or below ground. The repositories at Dukovany in the Czech Republic, at l’Aube in France and at El Cabril in Spain are above ground. The repositories at Drigg in the United Kingdom and at Rokkasho in Japan are below ground. Deep repositories offer an alternative. Waste is often stored 100 m deep in caverns (mined cavity), or using abandoned mines and galleries, or in deep geological repositories.

Nuclear Safety. DOI: https://doi.org/10.1016/B978-0-12-818326-7.00023-8 © 2020 Elsevier Ltd. All rights reserved.


Table 23.1 Classification and Management of Waste

| Category | Characteristics | Suggested Management |
|---|---|---|
| Exempt waste | No required provision for radiation protection. Effective dose to individuals of the order of 10 µSv or less in a year. | Disposal in conventional landfills or recycled. |
| Very short lived waste | Very short lived waste (half-lives of 100 days or less) with activity concentrations above the clearance level. | Storage for decay. |
| Very low-level waste | Waste with activity concentration levels in the region of, or slightly above, the levels specified for the clearance of material from regulatory control (operation or decommissioning of nuclear plants). | Engineered surface landfill type facilities. |
| Low-level waste | Waste that is suitable for surface or near surface disposal. Wide range of activity concentrations. | Conditioning and disposal in an engineered surface site or in near surface disposal facility (30 m depth, typical). |
| Intermediate level waste | Waste that contains long lived radionuclides in quantities that need a greater degree of containment and isolation from the biosphere than is provided by near surface disposal. | Disposal in a facility at a depth of between a few tens and a few hundreds of meters. |
| High-level waste | Waste that contains large concentration of both short and long lived radionuclides, compared to ILW, and needing a greater degree of containment and isolation from the accessible environment for long-term safety. Typical levels of activity concentrations in the range 10⁴ to 10⁶ TBq/m³. Spent fuel, conditioned waste from reprocessing. | Usually deep geological disposal with engineered barriers is indicated. Heat dissipation is important. |

The SFR repositories at Forsmark (Sweden) and at Olkiluoto and Loviisa in Finland belong to the first type, the repositories at Richard in the Czech Republic, and at Morsleben and Konrad in Germany, belong to the second type, the repository at Wellenberg in Switzerland belongs to the third type. Table 23.2 lists the safety features of some repositories. At the scientific level, generally the solution considered more appropriate for the final disposal of high-level waste is the placement of it in adequate deep geological repositories. However, no solutions of this type have been implemented yet, except for the Waste Isolation Pilot Plant (WIPP) in 1999, located in New Mexico (United States). Many (but not the majority) of experts believe, on the contrary, that the best storage for this waste is in a clay bank at an intermediate depth (e.g. 50 m). Indeed, deep repositories are exposed to the risk of flooding (Asse salt mine in Germany) and a repository in clay at the indicated depth allows also for resistance of the containing casks to fault movement due to the good plasticity of the clay material at limited depths. The reasons for the postponement of a decision of this type are essentially the following: •

Recently produced radioactive waste releases large quantities of heat. As the decay of radioactivity or thermal power is very high in the first decades, it is convenient to store this waste for this time period in alternative facilities in order to subsequently simplify the management of the storage facility.

23.1 TYPES AND INDICATIVE AMOUNTS OF RADIOACTIVE WASTE

289

Table 23.2 Safety Features of Some Repositories (Indicative)

Country | Facility (Type of Storage) | Safety and Radiation Protection Requirements
Finland | VLJ Olkiluoto (deep cavern); VLJ Loviisa (deep cavern) | Dose limit for critical group <0.1 mSv/year. Dose limit in accident conditions <5 mSv.
France | L’Aube (surface) | Dose limit for postclosure period is 0.25 mSv/year for the public for the reference scenario; for the operation period limits are 20 and 1 mSv/year for operators and public, respectively.
Germany | Morsleben (deep geologic); Konrad (deep geologic) | Dose limit for public 0.3 mSv/year.
United Kingdom | Drigg (surface) | In the safety analysis a risk objective of 10^-6/year is adopted.
Spain | El Cabril (surface) | Radiological risk imposed by safety authority <10^-6/year or equivalent dose of 0.1 mSv/year.
Sweden | SFR Forsmark (deep cavern) | Individual doses to critical group <0.1 mSv/year.
Switzerland | Wellenberg (deep) | Dose limit <0.1 mSv/year.
United States | Barnewell (South Carolina); Richland, Hanford (Washington); Cline (Utah); LANL (New Mexico); RWMC INEL (Idaho); Oak Ridge (Tennessee) (surface) | Safety evaluations must ensure doses <0.25 mSv/year for individuals of the population; in case of nonvoluntary intrusion after the release of the site (foreseen after 100 years of institutional control) the limits are 1.0 mSv/year for continuous exposure and 5.0 mSv for acute exposure.
Japan | Rokkasho (surface) | The dose values imposed are 1 mSv/year (300 years) and for the subsequent period of uncontrolled release of the site 0.01 mSv/year.

• The spent fuel could become an energy resource in the future.
• The time needed to qualify a site and install a final repository at depth is very long, so an intermediate solution of some decades has to be implemented in any case.
• Reversible options allow the possibility of taking advantage of research. The deep repository solution seems to many to be an irreversible concept.
• Doubts exist about the capability of science to ensure adequate safety levels in the required time span (hundreds of thousands of years).

The trend emerging from various international experiences is to keep many alternatives open. Prevailing opinion can be summarized in the following way:



• It is necessary to make choices which are not only scientifically and technically correct but also based on a democratic process.
• A decision has in any case to be taken. Abstaining from any decision is a decision in itself.
• Temporary storage is not a final solution; it is a way of buying some time. This remark should not necessarily be seen in a critical sense. This position may be justified and correct if it is deemed that the uncertainties are too large to allow a well-pondered decision. If it is so, it is necessary to clearly and publicly affirm that at the moment only an intermediate solution can be pursued and implemented, and to indicate guidelines and research efforts for the definition of a final solution.
• The ability to retrieve the waste influences the decision on the type of final repository. If it is proposed to implement a final repository in the framework of a design which allows waste recovery, then the design has to demonstrate that retrievability does not detract from safety, otherwise it cannot be accepted.
• The concept of interim experimental and research plants which may possibly evolve into final repositories is another solution.

23.2 PRINCIPLES

The general principles that have to be adhered to by the relevant legislation have been recognized internationally and the “Joint Convention on the Safety of Spent Fuel Management and on the Safety of Radioactive Waste Management” treaty has been signed by many countries. In summary, these principles are

1. Protecting human health.
2. Protecting the environment.
3. Protecting the transboundary territories.
4. Protecting the future generations.
5. Not imposing inappropriate burdens on future generations.
6. Availability of adequate national legislation and regulations.
7. Ensuring the control and the minimization of the production of radioactive waste.
8. Ensuring an integrated management of the radioactive waste.
9. Guaranteeing safety of the waste management plants for their full life.


CHAPTER 24 FUSION SAFETY

Among the various possible nuclear fusion processes, the most promising one for energy production is between the hydrogen isotopes of deuterium (D) and tritium (T).

$$\mathrm{D} + \mathrm{T} = {}^{4}\mathrm{He} + \text{neutron} + \text{energy}\ (17.6\ \text{MeV}) \tag{24.1}$$

The neutron generated has an energy of 14.06 MeV. In order to obtain the fusion of two nuclei, it is necessary to provide them with the energy required to overcome the repulsion forces between the nuclei. This energy corresponds to temperatures of 108 C millions, where the gases are in a fully ionized state (plasma) (ENEA/DISP, 1986). Some think that fusion may also happen in “cold” conditions if certain peculiar situations are created. In the following, reference will be made, however, to experimental machines and to reactor designs based on hot fusion.

The research programs on controlled nuclear fusion currently underway in the world aim at demonstrating the scientific feasibility of its use for the generation of electric energy. The Joint European Torus (JET), which represents the most advanced experiment on fusion at this time, has produced (November 9, 1991) for the first time fusion energy equivalent to 2 MW for 2 seconds using a D–T (deuterium–tritium) plasma, with 10%–15% tritium. This first experiment with tritium was followed on December 9, 1993 by an experiment with up to 50% tritium at the Plasma Physics Laboratory of Princeton (United States) which produced power of 528 MW with the Tokamak fusion test reactor (TFTR) machine. Subsequently (1997) JET has produced greater than 15 MW in a transient lasting about 2 seconds.

For a demonstration of the scientific and technological feasibility of a fusion reactor, it is, however, necessary to produce a plasma where the fusion reaction lasts for a sufficiently long time (that is, hundreds of seconds). To reach this objective, it will be necessary to design the basic technologies of a reactor: superconducting magnets, shields, walls resistant to high fluxes of heat, atoms, ions, electrons and neutrons, injection and discharge of fuel, recovery of tritium, safety issues, etc. In fact, JET and TFTR, although representing the outcome of many years of research, are still limited to the studies of plasma physics.
Before fusion energy can be used for the generation of electric energy, it will be necessary to develop this technology at the industrial level and demonstrate its economic competitiveness. In the framework of the European Fusion Programme, mainly based on the magnetic confinement Tokamak machines, the complete physical and technological basic demonstration of fusion was approached by the NET conceptual design (Fig. 24.1) at Garching (Munich, Germany), and merged into the ITER design, presently in the phase of construction. ITER (2019) is the result of a 1987 agreement, a joint research enterprise for the design of an experimental fusion reactor, supported by the EU, China, United States, Japan, Switzerland, India, Korea, and Russia.

Nuclear Safety. DOI: https://doi.org/10.1016/B978-0-12-818326-7.00024-X © 2020 Elsevier Ltd. All rights reserved.

FIGURE 24.1 The NET fusion machine: vertical section of the nuclear island of a fusion device (scale in metres). Labeled components: biological shield, inner PF coil, flange zone, inboard blanket, cryostat, outboard blanket, plasma, first wall, outer PF coil, vacuum system, TF coils, shield, divertor, vacuum duct and shield. NET, Next European Torus; PF, poloidal field; TF, toroidal field.

Before getting to this stage, it is firstly necessary to develop and test materials which can withstand a very high neutron flux, with the principal aim not to generate an excessive decay power (DeMarco, 2001). In order to cope with these needs, it has been decided to build a dedicated experimental facility, the International Fusion Materials Irradiation Facility (IFMIF), based on the Li(d, n) reaction. In parallel with the operation of IFMIF, the DEMO design (demonstration reactor) should get to an engineering demonstration and supply all the necessary elements for an economic evaluation of the process.

As far as the future of commercial fusion power reactors is concerned, various studies have been performed or are in progress. On the basis of these, it should then be possible and meaningful to perform a preliminary safety analysis on a plant of this type. The detailed designs for the next machine (i.e., ITER) have, moreover, many features in common with these reactor conceptual studies and confirm their credibility [Safety Tokamak 2012, Safety Fusion (Brunelli, 2012), ITER Updated Safety (Taylor, 2011)].

Among the conceptual fusion reactor studies available, the STARFIRE reactor developed in the United States will be taken here as a reference (Baker, 1981). The STARFIRE reactor study foresees an overall thermal power of the fusion reactions of 4000 MW, with a gross electric output of 1440 MW, of which 1200 MW are the net output, while 240 MW are necessary for the operation of the various plant systems. 2560 MW would be discharged as thermal energy. The resulting net efficiency would therefore seem only slightly lower than that of other energy sources.


Table 24.1 Potential Energies Present in the STARFIRE Fusion Reactor System

System | Energy Form | Quantity (10^3 MJ)
Plasma | Thermal | 0.92
Plasma | Electromagnetic | 2
Magnets: toroidal field | Electromagnetic | 50
Magnets: poloidal field | Electromagnetic | 10
Magnets: ohmic heating | Electromagnetic | 1.1
Aluminum–water reaction | Chemical | Negligible
Beryllium–air reaction | Chemical | 60
Graphite–air reaction | Chemical | 200

Table 24.2 Comparison Between Relevant Energies

Type of energy | Fission 1200 MWe, Type PWR (10^3 MJ) | Fusion 1200 MWe, Type STARFIRE (10^3 MJ)
Coolant energy | 200 | 200
Decay heat power: after 1 min | 15 | 4.5
Decay heat power: after 1 h | 310 | 250
Other energies | Sensible heat of the core: 100 | Sensible heat of the blanket: Plasma: 3 Magnets: 61

For an evaluation of accidents it is important to define the amounts of energies involved (Table 24.1). Table 24.2 compares the relevant energies of the STARFIRE plant and a light water fission reactor of the same power. It can be readily seen that the energies involved are of the same order of magnitude for the two types of plant.

The radiation protection problems which emerge during the operation of a fusion prototype reactor, either in normal or in accident conditions, are essentially connected with the presence of tritium, with the generation of neutrons with energies of 2.45 and 14.1 MeV (derived from the D–D and D–T reactions) and with the delayed radiation (and related thermal decay power) due to the activation of the structures of the machine.

Tritium decays with a half life of 12.33 years, emitting beta radiation with an average energy of 5.7 keV and a maximum energy of 18 keV. The exposure paths are either by inhalation and ingestion or through the skin. The biological half life of tritium, either ingested or inhaled, is 10 days. Because of the easy absorption of water by the body, it is more dangerous in the form of tritiated water than as elemental tritium (conservatively, a factor of 25,000 is considered in safety analyses, even if recent studies tend to divide this factor by two).


Table 24.3 Comparison of Inventories of Meaningful Radioactive Products for 1200 MWe Reactors

Radioactive products | Fusion (GBq) | Fission (GBq)
Tritium | 3.7 × 10^9 | 2.5 × 10^6
Material activation | 2.6 × 10^11 | 0.3 × 10^8; 2.6 × 10^8; Total: 2.9 × 10^8
Fission products | Absent | Xe + Kr: 1.4 × 10^10; I: 2.2 × 10^10; Cs: 7.4 × 10^8; Sr: 1.8 × 10^8; Te: 3.7 × 10^9; Pu: 1.8 × 10^8; Other: . . .
Total (order of magnitude) | 10^10–10^11 | 10^10–10^11

Tritium, from a physical–chemical point of view, is a very mobile element and in particular it penetrates through metals. Where accumulation of it can be foreseen, it is immobilized by absorption on suitable solid materials. The radioactivity induced by neutrons of 14 MeV is concentrated on the structural materials of the reactor components exposed to the plasma (first wall and blanket). As far as the environmental impact is concerned, the long-lived radionuclides are decisive (half life longer than one year). This activity is characterized by a low mobility. The release paths to the environment are

• erosion or corrosion by the primary coolant and substitution of parts of the reactor;
• melting and volatilization of part of the material in accident conditions;

Table 24.3 compares the radioactivity present in a fusion and in a fission reactor.

Beryllium is used as a liner for the first wall, and this has a high risk of explosion. It is highly reactive with air, water and carbon dioxide, releasing high amounts of energy. Finally, it has to be stressed that this element is extremely toxic: if inhaled it causes lung illnesses and, in contact with the skin, dermatitis and conjunctivitis. A concentration of 2 µg/m³ is the permitted limit for a working exposure of 8 hours. Graphite, used as a neutron reflector at the outside periphery of the blanket, can release large amounts of energy by combustion, if exposed to air at high temperature (see Table 24.1).

The principal safety problems for a fusion reactor, as a consequence of design basis accidents, seem to be

• possible release of tritium;
• possible release of activated material;
• possible release of toxic products (in particular beryllium).


Table 24.4 Accident Releases to the Containment System for a Design LOCA

Release | Fusion plant (GBq) | Fission plant (GBq)
Tritium | 9.2 × 10^6 | 2.5 × 10^6
Activation products | 1.1 × 10^6 | 110
Fission products | Absent | Xe + Kr: 3.7 × 10^7; I: 1.8 × 10^7; Cs: 7.4 × 10^6; Sr: 3.3 × 10^5

It seems that the quantities of radioactivity which can be potentially released are not negligible, even if they are lower by an order of magnitude than the corresponding quantities of fission (Table 24.4). The evaluations in the table have been made as best estimates of important accidents. In any case, however, the lower radiological risk of radioisotopes released by fusion reactors has to be taken into account. At the present state of the study of fusion power reactors it is not, however, possible to have a complete picture of the aspects connected to the safety in normal and accident conditions. The principal uncertainties are connected with the plasma physics, with the choice of the confinement system, with the type of materials used (first wall, blanket, etc.), with the fusion power density, with the type of coolant to be adopted, with the value of involved energies. A complete analysis of the accidents would require the consideration of more severe scenarios, with a probability lower than that of the design basis accidents, but with more serious consequences in terms of release to the outside. At the present state, the safety evaluations performed for fusion reactors are confined to the consideration of degraded scenarios of this type only from the point of view of the comparison between possible design alternatives and of the choice of materials, without arriving at the evaluation of the consequences. It has, however, to be noted that the amounts of involved energies and the inventory of radioactive products justify the idea of more serious accidents than the design basis ones. These accidents must be conveniently evaluated on the basis of a final plant design and of a systematic analysis of the possible accident sequences. An important aspect for the safety of fusion reactors consists in the possibility to decrease in future the decay heat and the radioactive products inventory. 
In fact, the use of materials with reduced or short-lived activation and with low tritium retention, together with a limited operation power density, would minimize the above-mentioned safety problems, bringing the plant toward intrinsic safety conditions (for which no active systems are necessary). The developments of robotics, together with a complete automation of the plants, will bring the occupational dose (radioactive, electromagnetic, and radio-frequency) down to acceptable values during the operation and the maintenance of these plants. On the other hand, other safety problems might arise during the evolution of present experimental plants toward the fusion reactor.


As far as the safety aspects of experimental fusion machines (JET, etc.) in comparison with those of fusion reactors are concerned, it can be considered that they have a tritium inventory at least 100 times lower and an inventory of activation products roughly 1000 times lower. The accident releases which can be originated by these machines are, consequently, lower by orders of magnitude.

REFERENCES

Baker, C.C., 1981. STARFIRE a Commercial Tokamak Power Plant Design - Science Direct.
Brunelli, B., et al., 2012. Safety, Environmental Impact and Economic Prospects of Nuclear Fusion. Springer.
DeMarco, F., 2001. A Look to the Future of Nuclear Fusion. Università di Pisa, Conferenza ‘E. Fermi’, 5–16 October.
ENEA/DISP, 1986. Rapporto sugli aspetti di sicurezza e protezione sanitaria dei reattori a fusione. DOC./DISP/(86) 6, Roma, Dic.
ITER, 2019. The way to new energy. <www.iter.org>.
Taylor, N., et al., 2011. Updated safety analysis of ITER. Fusion Energy Des. 86 (6–8), 619–622.

FURTHER READING

ITER, 1999. Final Design Report, Cost Review and Safety Analysis (FDR). IAEA, Vienna.

CHAPTER 25 SAFETY OF SPECIFIC PLANTS AND OF OTHER ACTIVITIES

25.1 BOILING WATER REACTORS

In comparison with the pressurized water reactor (PWR), the boiling water reactor (BWR; Fig. 25.1) has two principal different characteristics:

• It does not have steam generators and, therefore, a direct communication exists between the reactor and turbine, connected via quick, highly reliable, isolation valves.
• The core is cooled by a steam–water mixture, instead of liquid water.

A series of design and safety consequences are derived from these two characteristics which make the two reactors rather different from each other. Consequently, the different safety aspects are of prevailing interest, for example,

• It is not considered economically convenient to place the turbine with the reactor in a containment building (although in the past, small reactors with this characteristic have been built).
• Isolation of the reactor cooling system from the outside is by means of quick isolation valves. Inherent in this feature are the problems of their reliability in closure and their leakproof characteristics (to the point that some experts say, but without sufficient reason, that BWRs have to be considered substantially “open” toward the outside environment). On the other hand, no problems have been attributed to the steam generators.
• A quick release system of the primary steam–water mixture into a closed tank-condenser is necessary (as the primary liquid, with significant radioactivity, cannot be released to the outside). In case of problems with the turbine-condenser system and, therefore, the unavailability of the condenser, the immediate cooling of the core can be ensured only by such a system. Therefore, in BWRs a (huge) reactor depressurization system [automatic depressurization system (ADS)] has always been incorporated, together with a closed water reservoir for steam condensation.
• As, for the reasons explained above, a large mixing condenser is required which is isolated from the outside environment, it can also be used to condense the steam–water mixture in a primary pipe break accident (LOCA). Hence, the concept of a pressure suppression container has been born. It is composed of a “dry well” (normally dry), which encloses all the primary pipes which might potentially break, and a “wet well” or suppression pool where the mixture which has accidentally escaped in the dry well is routed and where it is condensed by mixing with cold water.
• A rupture of a steam pipe outside the above-mentioned isolation valves must be controlled by their quick closure (typically in 5 seconds). It can easily be seen that in the few seconds necessary for the valves to close, a large quantity of steam–water mixture may be released and that, because of its radioactivity, it may cause the most serious accident from among the design basis ones.
• Finally, because of the cooling effect of the suppression pool water, the container may also have a relatively small volume (e.g., 10,000 m³ instead of the 60,000 m³ of a PWR) and, therefore, the defence against a hydrogen explosion in severe accidents may be obtained by inerting in a nitrogen atmosphere. In practice, the reactor is normally operated with a nitrogen-enriched atmosphere in the container. This poses some additional problems when it is necessary for an operator to enter the container for inspection/maintenance. In this case, it is necessary to de-inert the container (a lengthy operation) or use breathing apparatus (which, for other reasons, is not advisable). Not all BWR containments can be reasonably inerted. The most recent type (Mark III) has a volume of roughly 30,000 m³ and is not inerted.
• The reactor normally contains a steam–water mixture so that any fast increase in pressure produces steam condensation, an increase of the water mass present and, because of the void coefficient (which is negative for safety reasons), an increase in the core reactivity. It is easily seen that in a BWR the ATWS accident (transients with failure to scram) is particularly serious and represents one of the dominant severe accidents in overall risk evaluations.
• An accident caused by the spurious and complete closure of isolation valves on steam lines has also been studied, even though it is highly unlikely, but it can be demonstrated that it is controllable by the ADS system.
• The problem of water chemistry is a little more complex for a BWR because of the larger size of the reactor cooling circuit (which includes the turbine condenser too) and of the practical impossibility of keeping in the water an excess of hydrogen for oxygen suppression, as is done for PWRs. It is thought, however, that satisfactory solutions have been found, after a long series of problems of the appearance of cracks in metallic materials.
• The BWR, because of the lower density of the steam–water mixture in the core compared with a PWR, tends to have, for the same power, a larger vessel than a PWR. However, it has to be remembered that a BWR has an operating pressure equal to about one half that of a PWR. A favorable consequence of this is that the fast fluence on the vessel material is much lower than that of a PWR and, therefore, the neutron embrittlement problem is much smaller.
• The BWR has a free surface between the water and steam mixture in the core. Consequently, if the vessel moves, the water oscillates in the core and this causes local power oscillations due to the interaction with the neutron regime. BWRs, therefore, are not suitable on board ships.

FIGURE 25.1 Advanced boiling water reactor.

Nuclear Safety. DOI: https://doi.org/10.1016/B978-0-12-818326-7.00025-1 © 2020 Elsevier Ltd. All rights reserved.

25.2 PRESSURE TUBE REACTORS

From the onset of the peaceful use of nuclear energy, a line of water power reactors was developed (particularly in Canada) where a single reactor vessel is not used and, instead, the fuel and the cooling water are contained in a series of closely placed tubes. Heavy water (D2O) is used so that natural uranium (i.e., not enriched in the uranium-235 fissile isotope) can be used with an economic advantage. Heavy water has a lower moderating effect than light water (because of the higher atomic weight of deuterium compared with hydrogen) so the water circulating in the pipes (kept within the strict amounts necessary for cooling) is not sufficient for reactor moderation and therefore all the tubes are contained in a closed tank (calandria) full of additional heavy water.

In order to keep the tank at low temperature and pressure, each fuel-containing pressure tube is contained in a second tube (guard or calandria tube) with a gap filled with an inert gas between the two. This arrangement allows the second tube to be made strong enough to withstand the accidental rupture of the first one, so preventing the propagation of the ruptures to other tubes (an important feature from the safety point of view). Unlike the Canadian design, the Chernobyl tube reactor (light water-cooled and graphite-moderated) did not possess a similar safety characteristic and a break in the pressure tube could perhaps (at a low probability level) propagate through various mechanisms to other tubes.

It has to be noted that in the history of nuclear technology, attempts have been made to cool tube reactors by light water. The results have not been positive because of the instability caused by the positive reactivity coefficient for loss of cooling water (a feature similar to the Chernobyl one). Hence, this reactor design has been abandoned. Obviously an attractive aspect of these reactors was the lack of pressurized heavy water and, therefore, the drastic reduction of leaks of precious heavy water from the circuit.


The tube reactors can be refueled during their operation, which is impossible in both PWRs and BWRs of the “vessel” type. To this end, a special refueling machine is used which connects in a leakproof way under pressure with any single tube for the time needed for the replacement of fuel. (This feature makes these reactors suitable for plutonium production, as it is possible to optimally choose the permanence of the fuel inside the reactor.)

In Canada, where “parks” of CANDU tube reactors have been built (up to eight 600 MWe reactors on the same site), “vacuum building” containment has also been used, which consists in building, for each park of reactors, a central empty containment, connected with the containments of any single reactor by a duct provided with a rupture disc or similar device. In the event of a LOCA accident in one of the reactors, the corresponding rupture disc opens and the air–steam mixture under pressure has the whole volume of the vacuum building in which to expand. In this way, the containment of each reactor can be rather small with overall economic advantages.

Some safety advantages are

• Modularity, as the dimensions are independent of the technological limit on vessel dimensions that exists for the other reactors.
• Presence of an easy alternative scram mechanism, consisting in the fast dumping of the calandria moderation heavy water.
• Relatively easily replaceable used tubes.

Significant safety disadvantages are

• Tritium contamination, much more serious than for light water reactors.
• More susceptible to seismic damage.

25.3 GAS REACTORS

The graphite-moderated gas-cooled reactor was the most popular design in the early days of nuclear power generation, especially in the United Kingdom and France. Obviously, the principal initial attractive feature of this design has been the possibility of using natural uranium as a fuel. Subsequently, in order to increase efficiency, a switch was made to enriched fuel with the advanced gas reactor. These reactors have been successfully operated but, after a long debate on their economic aspects, are now being replaced by the more common water reactor.

It should be noted here that gas graphite reactors do not need a pressure resisting containment even according to the best international safety standards. This is due to particular features of these reactors, among which one can quote the low radioactivity content of the cooling fluid, carbon dioxide, and the slow progress of design basis accidents in comparison with the more sensitive behavior of water-cooled reactors.

The high temperature gas reactors, with fuel consisting of microspheres of uranium dioxide coated by additional refractory layers made of carbon (graphite, silicon carbide, pyrolytic carbon), are now considered very interesting by some supporters. A thorium cycle might also be feasible. In particular, the pebble bed modular reactor (PBMR) was deemed for some time to have good prospects (ESKOM, 2001). The PBMR is fed by fuel spheres similar to those of the experimental German AVR reactor which operated for 21 years without faults. Each module will have a thermal power of about 265 MWt and a net electric power of about 116 MWe (overall efficiency of about 43% due to the high maximum temperature of the cycle, 900 °C). The cooling is by helium at a maximum pressure of about 7 MPa which directly operates a gas turbine. The support bearings are of the magnetic type and, therefore, do not have any cooling water in them (which gave serious trouble to previous prototype reactors, e.g., Fort St Vrain). The only water present in the system is that in the secondary side of the two refrigerators for the removal of waste heat of the Brayton cycle adopted. It is, however, always at a lower pressure than the gas circuit and, therefore, it cannot come into contact with the system graphite. The system has many intrinsic safety characteristics:

• The power coefficient is strongly negative.
• The decay heat, even in the absence of emergency cooling, with a depressurized system and without fast shutdown, can be simply eliminated through the reactor vessel, preventing the fuel from reaching damaging temperatures (the AVR reactor demonstrated this with a famous test).
• Even if a pipe ruptures, air cannot enter the system and a graphite oxidation (fire) cannot occur.
• Even if the two inlet and outlet gas pipes in the vessel completely rupture, the air will start to circulate in the reactor after 9 hours, with a release of only one millionth of the core radioactivity per day.
• Even in the case of the worst scenario, the virtual dose at the plant border will amount to that corresponding to one day of natural background and no emergency plan would be needed outside the plant (beyond 400 m from the reactor).

The consortium which was developing the reactor maintained that the cost of the energy produced, for a 10-module power station, is competitive with that of a coal-fired power station. The support for this type of reactor decreased strongly in 2009–2010 (Thomas, 2009), also because of Jülich Center (Germany) studies on the strength of the pebble bed fuel at high temperature and under mechanical erosion. Development of the concept continued in China but no news is available on the future plans. The PBMR would be very interesting from the safety point of view even if the design of the system appears rather complex. The intrinsic safety characteristics declared seem to be feasible, under the condition that the detailed system design is submitted to an attentive safety analysis and tests, and this includes surveillance systems for structures and components. The fuel behavior under feasible operating conditions should, however, be further studied and the problems solved.

25.4 RESEARCH REACTORS

Many types of research reactor exist for physics and materials research, for irradiation, and for isotope production. They are also used now for direct medical use. A very widely used type worldwide is the pool reactor with various types of fuel elements. From the safety point of view, usually these reactors have a small internal energy (no pressure circuit) and the intrinsic characteristic of neutron stability. They generally do not need a pressure container and are located in leakproof buildings with a small design pressure difference from the outside. Relatively high power research reactors do exist (up to 100 MWt) for which the safety issue is more complex.


CHAPTER 25 SAFETY OF SPECIFIC PLANTS AND OF OTHER ACTIVITIES

25.5 SODIUM-COOLED FAST REACTORS

Sodium-cooled fast reactors promise to definitely solve the fuel availability problem as they can convert nonfissile isotopes into fissile ones. Some of these reactors have been successfully operated and some of them have been plagued by many problems. This type of reactor, now included in the Generation IV reactors program, is being developed only by some countries; many countries with a nuclear industry have abandoned them, mainly for safety and for nonproliferation reasons (associated with the need to reprocess fuel and with production of plutonium). From a safety point of view, these reactors have the following advantages:

• Low operating pressure (similar to the hydrostatic pressure of the plant).
• Large thermal inertia.
• Reduced dimensions with the consequent possibility of considering small modular reactors with intrinsic emergency cooling.

They have, however, some problematic aspects:

• The possibility of reaction of the coolant (sodium) with water and air (fire).
• Positive void reactivity coefficient of the reactor, made tolerable by the high thermal inertia of the sodium coolant in the amounts generally used and by the consequent difficulty for the reactor to reach boiling conditions.
• Presence of negative structural effects in the core (deformations, creep, etc.).

25.6 GENERATION III/III+ REACTORS

Many initiatives have been born since the turn of the century in order to develop cheaper and safer reactors (also see Introduction section). The first group of present day proposals is made of Generation III and Generation III+ Reactors. The main objectives of these reactors are (Cognet, 2010):

• Standardized design
• Simpler and more rugged design
• Higher availability and longer operating life (typically 60 years)
• Reduced possibility of core melt accidents
• Minimal effect on the environment
• Higher burnup (reduced fuel and waste)
• Burnable absorbers (extended fuel life)
• Greatest difference from previous reactors: passive and inherent safety features which require no or minimal active controls and operational intervention to avoid accidents in the event of malfunction and rely on gravity, natural convection, or resistance to high temperatures.

Notable examples of these reactors are

• European pressurized reactor (EPR)
• Advanced pressurized reactor 1000 (AP1000) and APR-1400
• Advanced boiling water reactor (ABWR or ESBWR)
• VVER 1000/1200/1300
• Advanced pressurized heavy water reactor (ACR)
• Advanced gas-cooled reactors (GT-MHR)

Two main issues still exist:

• Minimization of long-lived, high-level radioactive waste
• Safe disposal of remaining waste products

Generation IV development tries to solve these issues too.

25.7 GENERATION IV REACTORS

The panorama of research and design efforts is now very rich and recalls the multiple proposals which were put forward in years 1950/60. However, no clear indication of adequate investors for a demonstration reactor has emerged yet. Two concepts will be briefly described here as representative examples (the sodium-cooled fast reactor has been mentioned in Section 25.5):

• the small medium size reactor (SMSR) International Reactor Innovative and Secure (IRIS), which is to all effects a GIV project although it is not part of the Generation IV Consortium mentioned in Introduction section;
• the molten salt fast reactor (MSFR).

25.7.1 SMALL MEDIUM SIZE REACTOR

IRIS was initiated by an international Consortium led by Westinghouse in year 1999 and now it is in the Pre-Application Licensing process with NRC USA (IRIS, 2008). Its reference power is 335 MWe. This choice does not comply with the well-known “economy of scale effect,” which, indeed, has not been validated by recent experiences. Main features are:

• Integral primary circuit
• Higher safety level, many passive features like the shutdown core cooling by a system similar to the one described here in Appendix 10
• Lower unit power (minimass production of certain components)
• Modularized construction
• Reduced waste
• High capacity factor
• Reduced construction time
• Reduced operation and maintenance (O&M) costs and personnel requirements
• Fuel cycle cost (low linear power)

Figs. 25.2 and 25.3 give an idea of the reactor, which is located in a 22-m diameter containment building.


FIGURE 25.2 International, reactor innovative and secure reactor scheme.

FIGURE 25.3 International, reactor innovative and secure reactor section.

25.7.2 MOLTEN SALT FAST REACTOR

The MSFR (www.samofar.eu and Kloosterman J.L. article in Makale) consists of a cylindrical vessel with diameter and height of 2.25 m made of nickel-based alloy filled with a liquid fuel salt under ambient pressure at operating temperature of 750°C. The fuel salt in the primary circuit is pumped around in upward direction through the central core zone and in downward direction through the heat exchangers located circumferentially around the core. In between, a container is located filled with a blanket salt containing thorium-fluoride to increase the breeding gain. A schematic view of the primary circuit is shown in Fig. 25.4.

FIGURE 25.4 Molten salt fast reactor (MSFR) scheme.

The reactor is designed with a fast neutron spectrum, and can be operated in the full range from breeder to burner reactor. This flexibility is facilitated by the fact that the fuel salt composition can easily be adapted during reactor operation without manufacturing of solid fuel elements. During reactor operation a fraction of the salt is continuously diverted to an ex-core salt clean-up unit to extract lanthanides and actinides. The fast neutron spectrum relaxes the requirements for this process considerably (Serp et al., 2014). The salt clean-up process is a unique feature of the MSFR and contains two major steps. First, the gaseous and nonsoluble fission products like the noble metals are removed from the primary circuit by gas bubbling near the pumps. In a second step the uranium, actinides, and some fission products that are strongly bound to the salt can be separated by pyrochemical techniques.

The liquid fuel salt is at ambient pressure. The reactor has good properties of control of excess reactivity (negative reactivity coefficients) and adequate removal of decay heat. The fuel salt in the core is in its most compact and reactive shape and any deformation will lead to a lower reactivity. The fuel salt can freely flow through fail-safe freeze plugs into drain tanks beneath the core to bring the reactor into a deep subcritical configuration with passive decay heat removal systems based on natural circulation. The liquid fuel salt, moreover, offers the opportunity, during reactor operation, to extract fission products from the fuel salt to reduce the decay heat and the parasitic neutron absorption, and to recycle all actinides in the salt until fission.

Problems (presently under study) may arise during operation because of the erosion-corrosion of the tanks and pipes caused by the molten salt at high temperature and under high radiation field. Although nickel-based corrosion-resistant alloys proposed for the various circuits may cost 30 times a stainless steel alloy, it might be convenient, as an extreme provision, to design in the plant an expansion space (initially left empty) for a second reactor to be used, should the need arise, to build a replacement of the original corroded reactor using new parts and recovered parts from the original reactor. Possible leaks from the circuits can be collected using heat traced paths for the leaked and solidified molten salt.

25.8 FUEL PLANTS

The fuel fabrication plants are usually rather free from serious hazards, the only possible problem being an accidental criticality (e.g., Tokaimura accident in 1999). The containment is usually ensured by buildings kept at slight underpressure (of the order of 1 cm of water or less) in comparison with the outside to prevent the exit of an internal contaminated atmosphere due to the suction caused by the wind in some parts of the external surface of the structure. The relevant ventilation system is provided with filters.


Obviously, special plants for research on the fuel exist such as those dealing with plutonium, and these have specific safety problems. Reprocessing plants are required only in a few countries and they show much more serious problems than the fabrication plants because of the very high radioactivity content and the uncertainties in the chemical behavior of the mixtures involved (strongly aggressive for structural materials), including the possibility of explosive phenomena and of accidental criticality. These plants are strongly shielded and are housed in buildings with dynamic leakproofing, maintained by a ventilation system with filters. Various problems of dispersion of radioactivity in the environment, due to the irradiated fuel storage pools, exist. The pools should always be provided with a corrosion-resistant metal liner, with the further possibility of collection and control of the possible leaks, should they happen. A periodical maintenance/repair program should also be implemented. The large fuel enrichment plants, present in very few countries in the world, show problems similar to those of the fabrication plants.

25.9 NUCLEAR SEAWATER DESALINATION PLANTS

Water desalination (generally, seawater desalination) can be performed by various processes, the most common being:

• thermal methods by distillation (e.g., multistage evaporation);
• mechanical methods (e.g., inverse osmosis).

In both cases, the reactor which provides thermal or electric energy may be similar to those used for energy production, except that the power must match the water production rate. Some aspects connected with the desalination process which may be relevant to nuclear safety are:

• In thermal desalination, any possible leaks from the reactor circuit toward the desalinated water produced by the system must be prevented by the correct choice of operating pressures in the various circuits and by the use of an intermediate circuit.
• In some cases, there is a strong need (security, transport costs, etc.) to locate the desalination plant close to consumption centers; therefore, there is a trend toward suburban sites. A safety consequence of this, for example, is the use of small reactors located inside a small container which is resistant to the rupture of the reactor pressure vessel.
• The continuity of supply of the desalinated water can be ensured by using reserve desalinated water storage tanks.

25.10 VVER PLANTS

VVERs (Water, in Russian Vodo; Water; Energetic; Reactor) are PWRs designed in Russia. There are three main types: the Type 230 (oldest, 440 MWe); the Type 213 (440 MWe); and the Type 1000 (the most recent, 1000 MWe). The Type 1000 is very similar to one of the western-designed plants now operating. Types 230 and 213 show rather different characteristics and are less advanced from the safety point of view. In particular, the containment has lower leakproofing than the Type 1000, the reactor protection systems are slower and less advanced, and the reactor vessel is more vulnerable to neutron embrittlement. However, these reactors exhibit a slower dynamical behavior than that of many western reactors, due to the larger water amount in the reactor and to other reasons, so that other less favorable characteristics are compensated. The good operating experience of these reactors supports their good design characteristics.

25.11 SHIP PROPULSION REACTORS

Currently, all the nuclear-propelled ships are military, but at one time experimental, nuclear-powered, merchant ships were built. The most famous of these was the US ship, the NS Savannah, which hosted a small PWR (74 MWt) located in a small volume pressure containment (with a high design pressure). The ship was also provided with a small conventional engine as a reserve to the principal turbine engine. The main safety issue of these reactors was to guarantee the protection of the population during the stay in a harbor. To this end, every hosting port was provided with an emergency plan according to which, in case of accident, the ship would be taken offshore by “always available” tugs. In the many years of operation no event happened that required the activation of such a plan.

25.12 SAFE TRANSPORT OF RADIOACTIVE SUBSTANCES

The transportation of radioactive material, in comparison to other dangerous substances, has the additional risk of irradiation even in normal conditions. In comparison with other nuclear activities, transportation has the following specific characteristics:

• It is performed in the open air, where it is not easy to define protected zones and have them complied with (monitored zone, controlled zone).
• It is usually performed by nonspecialized operators (according to instructions from a radiation protection organization).
• It is performed by ordinary machines (transportation, lifting, and tying means) and by specific machines (containers), to which safety is generally entrusted.

The IAEA has issued fundamental standards (IAEA, 2018), to which the various national standards refer. The IAEA standards include, in particular,

• The classification of the containers;
• The hazard level labels (irradiation);
• The tests for the containers (up to a fall from 9 m height);
• The approval of the shipments for important amounts of radioactive and fissile materials;
• The limitation of the levels of external radiation both in contact with the packages and at 1 m distance.

Table 25.1 Data of Some Isotopes for Evaluation of Accidents: Characteristic Data of Commonly Used Isotopes

Nuclide   Type of particle   T1/2
H-3       β                  12.35 a
C-14      β                  5730 a
Na-22     β                  2.60 a
P-32      β                  14.29 d
S-35      β                  87.44 d
K-42      β                  12.4 h
Co-60     β                  5.27 a
Kr-85     β                  10.72 a
Rb-86     β                  18.7 d
Sr-90     β                  29.12 a
I-131     β                  8.04 d
Cs-134    β                  2.06 a
Cs-137    β                  30.0 a
Ra-226    α                  1620 a
Pu-239    α                  24065 a
Am-241    α                  432.2 a

[Further columns of Table 25.1: α, β and γ/X emission energy E (MeV) and yield (%); γ-specific constant ((mSv·m²)/(TBq·h)); S.E.V. (cm Pb); MAC in water (Bq/mL) and MAC in air (Bq/L), soluble and insoluble.]

Notes: γ-Specific constant (K): D (irradiation dose intensity, mSv/h) = K × C (source activity, TBq)/d² (distance, m); the constant K is used to calculate the irradiation dose intensity given by a certain amount of an isotope at a certain distance. MAC, maximum admissible concentration; S.E.V., Pb halving thickness (cm).


25.13 SAFETY OF RADIOACTIVE SOURCES AND OF RADIATION-GENERATING MACHINES

The sources (IAEA, 2014) in a “sealed” form are used for industrial, medical, and scientific research applications. Possible accidents are

• detachment of the source from its support;
• blockage of the source in the irradiation position;
• abandonment of sources in a public place;
• the effect of earthquakes;
• accidental emission of an X-ray beam.

The accidents with a contamination hazard are caused predominantly by the use of nonsealed sources and of damaged sealed sources, due to

• fire
• explosion
• flooding
• container break
• erroneous handling
• earthquake.

The data needed to evaluate the severity of hypothesized or actual accidents are of the type included in Table 25.1, which covers only some of the isotopes of interest.

REFERENCES

Cognet, G., 2010. Generation 3 nuclear reactors. <www.iaea.org/inis/collection>.
ESKOM, 2001. The pebble bed modular reactor. Nuclear News, September.
IAEA, 2014. Radiation Protection and Safety of Radiation Sources: International Basic Safety Standards. General Safety Requirements Part 3, No. GSR Part 3.
IAEA, 2018. Regulations for the Safe Transport of Radioactive Material, SSR-6 (Rev.1).
IRIS Reactor Development, 2008. D. V. Paramonov, M. D. Carelli (Westinghouse, USA), K. Miller (BNFL, UK), C. V. Lombardi, M. E. Ricotti (POLIMI, Italy), N. E. Todreas (MIT, USA), E. Greenspan (UCB, USA), K. Yamamoto (JAPC, Japan), A. Nagano (MHI, Japan), H. Ninokata (TIT, Japan), J. Robertson (Bechtel, USA), F. Oriolo (Univ. Pisa, Italy). Westinghouse Electric Company, 1344 Beulah Road, Pittsburgh, PA 15235, USA.
<www.samofar.eu> (2019).
Serp, J., Allibert, M., Beneš, O., Delpech, S., Feynberg, O., Ghetta, V., et al., 2014. The molten salt reactor (MSR) in generation IV: overview and perspectives. Prog. Nucl. Energ. 77, 308-319.
Thomas, S., 2009. The demise of the pebble bed modular reactor. <https://thebulletin.org/Nuclearrisk/NuclearEnergy>.


FURTHER READING

ENEA/DISP, 1988. Mezzi e metodi per la gestione delle emergenze nucleari. Rome.
IAEA, 2006. Safety of Radiation Generators and Sealed Radioactive Sources. Safety Guide No. RS-G-1.10.
UNO, 2015. United Nations, Recommendations on the Transport of Dangerous Goods. Model Regulations, ST/SG/AC.10/1/Rev.19, 2 vols, UN, New York and Geneva.

CHAPTER 26 NUCLEAR FACILITIES ON SATELLITES

26.1 TYPES OF PLANT

The most common use is radioisotope-powered thermoelectric generators for the electric loads on board. Power is typically about 1 kWe, subdivided between three or more units. Radioisotope-powered heat generators (2.7 g of plutonium, 1 W) are currently used to guarantee the suitable thermal conditions for the equipment on board during a mission. Generators are usually powered by the heat produced by plutonium-238, which has an optimal thermal power to weight ratio (0.57 W/g). The reason for the use of radioisotopes is that space missions require absolutely reliable sources of electric energy and heat, without any need for maintenance, that are capable of operating for years in severe environmental conditions. For these reasons, radioisotopes are practically the only choice, where bulky solar cells systems are not suitable. Real reactors, for example, the SNAP-10A and subsequent SNAP reactors, were built and used. Other systems were tested only on the ground (Angelo and Buden, 1985). More powerful reactor designs are now under development in both the United States and Russia. The use of these devices is based on more than 50 years of operation experience on space vehicles of various types.

A well-known thermoelectric generator built by the DoE, the general purpose heat source radioisotope thermoelectric generator (GPHS-RTG) (Fig. 26.1), produces 290 W of electric energy with less than 11 kg of plutonium dioxide. Three units are installed on the Cassini vehicle for the exploration of Saturn, launched in 1997 and active for nearly 20 years, corresponding to a total initial activity of 15,000 TBq. Currently, plutonium is used in oxide form which is more robust in accident conditions than the metallic plutonium initially used.

FIGURE 26.1 The satellite general purpose heat source radioisotope thermoelectric generator module. Labeled parts: cooling pipes, gas management, aluminium shell, safety valve, thermal source, supports, flange, insulation, Si-Ge thermocouples.

26.2 POSSIBLE ACCIDENTS AND THEIR CONSEQUENCES

The GPHS thermoelectric generator is designed to withstand a variety of accident events, including an unforeseen reentry to the earth. In particular, the plutonium dioxide is protected by a graphite shield. However, events can be imagined such as the explosion of the vehicle or the impact of the GPHS module on a hard surface (rock), which might cause the release of plutonium, either at stratospheric elevations or on the ground. The probabilities of these events are of the order of 10⁻⁷ to 10⁻⁶ per mission. For a release on the ground, the area significantly contaminated extends for 1-2 km from the impact point so the problems are concentrated in a relatively small area. For a release at high altitude, the consequences are evaluated assuming that the plutonium is released in part as vapor or as breathable particles of a diameter less than 10 µm (ranging from 20% to 70% of the total, according to the reentry angle with reference to the terrestrial vertical direction), in part (4%-7%) as dust of 10-6000 µm diameter and, for the remaining portion, as larger particles. The “footprint” of the particulate on the ground is thought to reach up to 300 km. Part of the finer particulate may fall to ground months or years after the accident and will extend to the whole planet. The maximum individual doses, without emergency actions, are estimated to be of the order of a fraction of 1 Sv. The maximum collective doses are thought to be of the order of 10⁶ Sv-person, distributed over a great part of the world population and therefore with additional consequences very small in comparison with other causes. The extent of land contaminated with greater than 10 kBq/m² is about 5000 km². Other satellites with isotope generators or with a nuclear reactor, designed with lower strength characteristics than the one of the Cassini mission, could originate wider consequences; for example, fragments of the reactor of the satellite Cosmos 954, which fell in Northern Canada in 1978, were found over more than 100,000 km². No health consequences were present because of the low population density.

Nuclear Safety. DOI: https://doi.org/10.1016/B978-0-12-818326-7.00026-3 © 2020 Elsevier Ltd. All rights reserved.

REFERENCE

Angelo, J.A., Buden, D., 1985. Space Nuclear Power. Orbit Book C, Malabar, FL.

FURTHER READING

World Nuclear Association, 2019. Nuclear Reactors for Space.

CHAPTER 27 ERRONEOUS BELIEFS ABOUT NUCLEAR SAFETY

It is worth mentioning and discussing some beliefs prevalent in the field of nuclear safety.

A shutdown plant cannot have an accident!

The opposite is true as the probabilistic safety analyses addressing this problem have concluded that a large part of the risk of a nuclear plant is related to plant situations of shutdown or low power. A plant is shut down for inspection and periodic maintenance, and often safety systems are disabled, the containment opened, and “unusual” operations are performed which decrease the usual defences, so that accidents are possible which could not happen in other conditions.

In a pressurized reactor, a ‘solid system’ has to be avoided by all means!

A “solid system,” in the jargon of PWR operators, is a primary cooling system completely filled with water, that is, without the steam bubble in the pressurizer. In solid system conditions, the pressure resisting structures of the primary system are in effect exposed to undue overstressing as a compressible element in the fluid part of the system is lacking: one can think of an effect of local overheating and consequent thermal expansion of the fluid, or of the start-up of a high head pump connected with the primary system, etc. Operators are warned about the danger of a solid system condition during their training. Experience indicates that sometimes the risks of this operating condition are exaggerated, almost identifying it with a situation of unavoidable accident to the primary structures. It must be remembered that, during the Three Mile Island accident, the operators blocked the operation of the safety injection system which had regularly been automatically started, precisely for the fear of being in a solid system condition (on the basis of the indications of the pressurizer level). It is necessary, in fact, to remember that other protections exist against the overpressurization of the primary system such as safety valves. However, they could be damaged (as they were at Three Mile Island) by a liquid efflux, having been designed for a steam efflux. The fear of damaging them or causing a leak in them after reclosure was, therefore, well founded. What had not perhaps been sufficiently made clear to the operators was that between the two possible evils (the safety valve not perfectly reclosing after opening because of the discharge of liquid, and lack of emergency core cooling), the potentially more serious situation was the second.

Pouring water on an overheated core must be avoided!

Nuclear Safety. DOI: https://doi.org/10.1016/B978-0-12-818326-7.00027-5 © 2020 Elsevier Ltd. All rights reserved.


This “myth” has been dangerously circulated in the field of nuclear safety for years, before being firmly refuted by an international group of experts on accident management (NEA, 1995). Indeed, pouring large amounts of cold water on an overheated, possibly partially molten, core without mature deliberation may in principle cause:

• instantaneous thermal stresses and structural damage;
• production of large quantities of hydrogen by metal-water reactions;
• possible steam explosions.

A core in these conditions must be cooled and the means available in a water reactor is, indeed, cold water. It is up to the judgment of the operator to decide, case by case, the way by which the cooling operation has to be performed (e.g., proceeding by low duration injections and observing the result before continuing, or conveniently graduating the liquid injection flow rate). However, the injection of cold water in an overheated core must always take place, even if it means going through a transient seemingly worse situation. Timely action is beneficial, as this limits the possibility of unforeseen aggravating phenomena.

The actuation of the containment spray must be avoided in a severe accident!

There is some truth in this (possibly) common mistake. The spraying of water, in fact, causes the condensation of the steam in the containment, which may “deinert” the possible hydrogen-oxygen explosive mixture. It can be concluded that in some cases this deinerting has to be avoided. However, in many other cases the spraying of the containment must be performed, for example, if this is a condition for the cooling of the core. This issue must be studied, case by case, during the preparation of the severe accident management program available at all plants. The operators should have all the diagnostic and intervention means needed for taking the correct decision in any situation, including the instrumentation for the difficult measurement of the explosivity within the container.

The containment is a passive system!

Fortunately, this belief is not heard anymore, but, at one time, some people thought that the containment function was predominantly performed by the container shell and that, with an intact containment, a substantial separation of the internal atmosphere from the outside could be relied on. In reality, the containment is a machine which, in order to be able to perform its function, must pass from a state of multiple communication with the outside through the hundreds of mechanical penetrations usually present, to a state of isolation from the outside, by the closure of isolation valves and analogous devices. It must be remembered that the specified maximum design leakage of a containment is equivalent to the presence of a small hole, typically of about 3 mm diameter in the container shell. It is, therefore, vital that all the active isolation devices perfectly close in case of actuation of the containment isolation.

Pipes crack, leak, wear out . . . but they don’t break!

This was one of the “battle cries” of many optimistic engineers (after one of them, an expert nuclear engineer, created it), who had a critical attitude, before Three Mile Island, toward the precautions imposed by the nuclear safety criteria and, in particular, toward the assumption of a break in the largest pipe of the plant and of the consequent need for the provision of a pressure resisting and leak-proof containment. A guillotine break of the largest primary pipe has never happened; however, the corresponding conservative assumptions made from the outset have provided a useful “envelope” for a series of other events (lack of valve reclosure, break of sealing and closure devices of components, detachment of bolted flanges of steam generators inspection ports or of valves and pumps, cracks of various types in many pipes, etc.) which the subsequent experience has demonstrated to be both possible and insidious. Catastrophic breaks of large pipes have happened on the secondary cooling circuit, less protected by the safety standards.

In order to avoid criticality in new fuel storage it is sufficient that it is not completely flooded!

This mistake is not made any more. However, it is worthwhile repeating that the maximum reactivity of fresh fuel storage is generally obtained when the room is full of partial density water, that is for a situation of water sprayed on the fuel, more than for the complete flooding of it.

Performing analyses with conservative assumptions always favors safety!

Why is this apparently correct statement not always true? Because analyses performed with too many conservative assumptions in the end give a completely distorted picture of the real behavior of the system studied. The following consideration of Prof. Norman Rasmussen, coordinator of the famous Reactor Safety Study Wash-1400 (the Rasmussen report), is relevant (OECD, 1994):

“One unexpected event at TMI was the presence of a hydrogen-steam bubble in the primary vessel during the course of the accident. The fact that non-condensable hydrogen might be trapped in the vessel head was, as far as I can remember, never discussed during the RSS. The principal reason for this was that the RSS analysis made the conservative assumption that large amounts of hydrogen could only be generated if a significant fraction of fuel melted. Further, to be conservative, it was assumed this molten fuel would melt through the bottom head of the vessel. Thus, a situation in which large amounts of hydrogen could be trapped in the vessel was never encountered.”

Any analysis should be performed in the most realistic way, using, at any step, the most probable assumptions, except for adding, at the end, for conservatism, a generous safety factor to the result, following the indications of an uncertainty analysis. In this process, it is, moreover, very useful to have the best estimate analysis followed by an analysis of the sensitivity of the result to variation in the assumed parameters.

REFERENCES

NEA, 1995. Summary and Conclusions. Specialist Meeting on Severe Accident Management Implementation, NEA/CSNI/R(95)16, Niantic, CT, 12-14 June.
OECD, 1994. Three Mile Island Reactor Pressure Vessel Investigation Project. Paris.

CHAPTER 28 WHEN CAN WE SAY THAT A PARTICULAR PLANT IS SAFE?

Putting the title of this chapter another way: is it possible to conclude that a nuclear plant is safe and, if it is, what are the conditions which make this conclusion possible? The answer to the first question is: “Yes, it is possible.” The conditions for such a conclusion to be valid are

• The plant has been conceived and built within a legal framework that provides for the regulation of nuclear activities and for the clear assignment of safety responsibilities.

• The plant site has been chosen by a competent organization, following the stringent safety and radiation protection criteria internationally available and in the spirit of trying to have the site problems solved in the most natural way by the choice made, without putting the burden to compensate for possible specific deficiencies on the plant design.

• The decision process has been submitted with a positive result to the examination of an independent control body, competent and accurate, without overcoming the limits of good common sense.

• The plant has been conceived, designed, and built following the best internationally available criteria and standards important for safety and for radiation protection, utilizing a QA program which ensures the correctness of the process, by competent, cautious and accurate organizations, provided with all the technical, management, and financial means necessary to obtain an excellent result.

• The whole process has been submitted to the surveillance of an independent and highly competent technical control body, capable, with the cooperation of the plant builder, and as far as possible, of foreseeing the possible technical licensing problems before it is too late to solve them.

• All the organizations involved in the construction, the control, and the operation of the plant are permeated by a genuine safety culture, which puts safety first in the scale of values the plant must demonstrate to have.

• All the members of the organizations involved have been trained to the best professional standards with continuing professional development schemes.

• The operation is performed in connection with national and international organizations which have the aim of collecting and disseminating operating experience thoroughly and quickly.

• The plant is operated within an industrial system provided with a sufficient reserve of electric power or other commodity produced by the plant, in such a way that, when necessary for sufficient safety reasons, the plant can be stopped and maintained even for a time period of months.

• Working conditions for plant operators are conducive to solving problems. The psychological atmosphere in the plant is marked by alacrity and by serenity at the same time in order to facilitate the adequate examination and solution of the problems and doubts evidenced by the plant operation.

Nuclear Safety. DOI: https://doi.org/10.1016/B978-0-12-818326-7.00028-7 © 2020 Elsevier Ltd. All rights reserved.


CHAPTER 29 THE LIMITS OF NUCLEAR SAFETY: THE RESIDUAL RISK

29.1 RISK IN GENERAL

Some data on the risk levels of interest cannot be omitted from a book on nuclear safety. First of all, apologies are presented to the reader because some of the following sentences may appear disturbing and cynical: on the other hand, the treatment of risk must necessarily mention casualties with the cold attitude which is intrinsic in any statistical/probabilistic treatment, while the idea of death is, for the majority of us, disquieting and problematic, for some even unbearable and for very few serene.

Risk is generally defined as the likelihood that some harm might happen (HSE, 1992). In quantitative evaluations risk is defined as the probability that some negative event happens. So, for example, when it is said that a certain activity entails a death risk of $10^{-4}$ (which may be referred to the entire duration of the activity or to a defined time period which should be specified, e.g., 1 year), it is meant that whoever performs that activity has a probability of dying as a consequence of it equal to 0.0001 in the specified period. In other words, on the average, for every 10,000 people performing that activity, one will die in the reference period.

29.2 RISK CONCEPTS AND EVALUATIONS IN NUCLEAR INSTALLATION SAFETY

29.2.1 TOLERABLE RISK

The concept of tolerable risk for nuclear power stations was introduced for the first time in the report of the Sizewell B public enquiry (HSE, 1988/1992) in the United Kingdom, in which tolerable levels of individual and social risk to workers and public were mentioned. “Tolerability” does not mean acceptability. A risk is defined as “acceptable” when it has to be taken as it is. The concept of tolerable risk can be applied to a risk which can be lived with in view of the accompanying benefits of the activity which causes it. Moreover, the risk has to be kept under review and, if possible, still further reduced. Fig. 29.1 illustrates the idea of tolerable risk in relation to the concept of ALARP (as low as reasonably practicable—the UK expression substantially equivalent to ALARA) (see Chapter 7: Health Consequences of Releases).

FIGURE 29.1 Levels of risk and ALARP (ALARA). Regions shown, from the highest risk to the lowest:

• Unacceptable region: risk cannot be justified except in extraordinary circumstances.

• The ALARP (ALARA) or tolerability region (risk is undertaken only if benefit is desired): tolerable only if risk reduction is impracticable or its cost is grossly disproportionate to the improvement gained; tolerable if cost of reduction would exceed the improvement gained.

• Broadly accepted region (no need of detailed working to demonstrate ALARP (ALARA)): necessary to maintain assurance that risk remains at this level.

The implementation of the Tolerability Principle or Criterion implies the availability of instruments for performing the evaluation of costs and benefits of a certain decision concerning safety measures. A cost-benefit analysis has to be made for decisions concerning the adoption of additional safety measures. As one of the main benefits to be examined is the saving of human lives, it can be understood how conceptually difficult it is to quantify this benefit, as everybody refuses to define a monetary value of the human life. As it is clearly stated in USNRC (2000), no mechanistic “rule book” for cost-benefit analyses involving human life or permanent detriment to a person can be defined. However, since a cost-benefit analysis, in principle, appears the logical way to proceed for delicate decisions, a flexible, pragmatic, and informed attitude should be maintained when performing it.

A useful tool in this exercise has been identified by observing what people are able to accept as a small additional risk of death or other harm to themselves in return for financial and other benefits. From these data, a human life value can be inferred by statistical treatment. This exercise has resulted in minimum statistical values for human life exceeding €1 m (up to several millions) at time of writing. Timing of danger (immediate or deferred danger) and type of danger (dreadfulness of imagined situations) are also important factors in these analyses. Determining the additional cost of safety measures is also difficult, but it is, however, a conceptually simpler task than the evaluation of the benefit of additional safety measures.

Nuclear Safety. DOI: https://doi.org/10.1016/B978-0-12-818326-7.00029-9 © 2020 Elsevier Ltd. All rights reserved.

29.2.2 RISK-INFORMED DECISIONS

Risk-informed regulation by the USNRC has gained momentum in the last few years and has produced remarkable results (USNRC, 2000; USNRC, 2018; USNRC, 2011). The USNRC’s policy for implementing risk-informed regulation was expressed in the 1995 policy statement on the use of probabilistic risk assessment (PRA) methods in nuclear regulatory activities. The policy statement says: the use of PRA technology should be increased in all regulatory matters to the extent supported by the state-of-the-art in PRA methods and data, and in a manner that complements the NRC’s deterministic approach and supports the NRC’s traditional defence-in-depth philosophy.

As adequate protection is presumably provided by existing regulations, the NRC has determined that, for nuclear power plants and fuel cycle facilities, proposed safety improvements beyond adequate protection should be adopted only if they provide “substantial” additional protection and the direct and indirect costs are justified. In the nuclear reactor safety arena, regulatory analysis guidelines and backfitting analysis guidelines have been developed for assessing a “substantial” improvement and calculating the cost-benefit trade-off. In the nuclear materials safety arena, the NRC has directed the staff to develop similar guidelines for fuel cycle facilities.

Risk-informed requirements must maintain reasonable assurance of adequate protection. A challenge in the transition to risk-informed regulation will be to maintain an acceptable level of safety while (1) improving efficiency, effectiveness, and realism in agency decisions, practices, and processes, (2) increasing public confidence in the agency, and (3) reducing unnecessary regulatory burden on licensees.

As risk information is to be used to complement the traditional deterministic approach, risk-informed activities must preserve certain key factors of the deterministic approach. Among these factors are the fundamental safety principles of defence-in-depth, safety margins, the principle of ALARA, radiation protection, and the agency’s safety goals. The NRC has used these principles in its regulatory programs to maintain acceptable risk levels. They ensure that the nuclear industry is safe. In risk-informing its requirements and practices, the NRC must use these principles to complement risk information in ensuring that regulations focus on the issues important to safety and account for uncertainties affecting regulatory decisions. Risk assessment insights will make, in the NRC view, regulatory decisions more effective and efficient and reflect realism.

It has, however, always to be remembered that a low probability of an accident is only a necessary, not a sufficient condition, as in probability estimates the concept of “when” the unwanted event will likely happen is missing (for a more ample treatment of this issue, see Section 18.6 of Appendix 18).

29.3 RESIDUAL RISK: THE CONCEPT OF LOSS-OF-LIFE EXPECTANCY

One way of expressing the death risk connected to a certain activity is to indicate the years or the days of life lost on average [loss-of-life expectancy or years of lost life (YOLL)] by the individuals considered as a consequence of that activity. It is clear how one measure can be converted into the other one. If for a person the additional death risk (due to the exposure to the considered activity) is $10^{-4}$ per year and if the average life in the absence of this activity is 75 years (which corresponds to an average death risk of $1/75 = 0.0133\ \text{year}^{-1}$), then the new average death risk will be $(0.0133 + 0.0001)$, or $0.0134\ \text{year}^{-1}$, equal to $1/74.46$. The life lost on the average for that risk is roughly 0.54 years ($365 \times 0.54 = 197$ days). This calculation is inaccurate because the natural death risk is not uniformly distributed over the life span. In order to account for this, the following approximate formula can be used:

$$\mathrm{LLE} = 1.1 \times 10^{6} \times r \ \text{(days)} \qquad (r < 10^{-3}) \tag{29.1}$$

where $r$ is the risk per year ($= 10^{-4}$ in the preceding example). For the example given, Eq. (29.1) gives an average life reduction of 110 days. If the considered risk refers to the working activity, say between the ages of 20 and 65 years, the value given by the formula must be approximately halved.

No human activity is immune from risk and many activities also entail the certain likelihood of death risk. Nuclear plants are no exception, even if this activity is for the workers of the related plants and for the population near them, less risky than other energy-producing plants and incomparably less risky than many other human activities.

29.4 RISK FROM VARIOUS ENERGY SOURCES

This issue has been studied at length during the years when the nuclear controversy was at its maximum level. Table 29.1 shows the “external” costs, that is, the costs connected with the effects on the environment, of energy generation for various energy systems in the EU. The value of life for statistical uses applicable in the EU has been taken equal to €3.1 m. Consistent values have been assumed for various other health damages. The data are essentially from the EU EXTERNE (Externalities for Energy) program published in recent years and from other recent European sources (e.g., University of Stuttgart, Institute for Energy Economy and for rational uses of Energy). The total costs also include those of global heating (at the low estimate of €2.4 t$^{-1}$ CO2 and high estimate of €16.4 t$^{-1}$ CO2). For nuclear plants the radiological effects have been considered too (1.07 YOLL/TWh) and the energy consumption (8.9 YOLL/TWh) due to the fuel cycle, in the assumption that the needed electric energy is that produced in Germany with the present “mix” of sources. If the assumption had been made that the electric energy for the cycle was of nuclear origin, the YOLL estimate would have been lower by an order of magnitude.


Table 29.1 External Costs of Energy Generation by Various Systems (Emission Costs Corresponding to the 15 Member States of the EU Before April 2004) (Strupczewski, 2001)

| Energy Source | Loss-of-Life Duration (YOLL/TWh) | Health Costs (meuro/kWh) | Total Costs (meuro/kWh) |
| --- | --- | --- | --- |
| German coal | 58.4 | 4.85 | 7.18-20.45 |
| Polish coal | 118 | 9.75 | 12.25-26.95 |
| German lignite | 90.6 | 7.48 | 10.05-25 |
| Russian natural gas | 43.2 | 3.56 | 4.56-10.4 |
| German natural gas | 27 | 2.23 | 3.21-8.95 |
| Biomass (wood) | 26.5 | 2.18 | 2.18 |
| River hydro (500 kW plants) | 7.5 | 0.62 | 0.7-1.19 |
| Wind (1.5 MW) | 8.7 | 0.72 | 0.82-1.41 |
| Solar (polycrystalline cells) | 59.4 | 4.8 | 5.62-10.44 |
| Nuclear plants with reprocessing | 10 | 0.82 | 0.86-1.1 |

29.5 RISK TO VARIOUS HUMAN ACTIVITIES

This issue too has been studied in depth. Fig. 29.2 (Cohen, 1991) gives a measure of the risk in terms of thousands of years of life expectancy lost for various reasons.

FIGURE 29.2 Thousands of days of life expectancy lost for various reasons in the United States. Reproduced and modified from Fig. 32.2 by Cohen, B.L., 1991. Catalogue of risks extended and updated. Health Phys. 61 (3), courtesy Health Physics Society.

[Horizontal bar chart on a logarithmic axis from 0.0001 to 1. Bars, in the order shown: Alcoholic; Poverty; Smoke (M); Poor social connections; Heart disease; Cancer; 20% overweight; Orphaned as child; Motor vehicle accidents; Suicide; Murder; Air pollution; Aids; Spouse smoking; Radon; Pesticides; Radiation worker; Drowning; Drinking water; Fires and burns; Poison; Natural hazards; Bicycle; Electrocution; Hazardous waste; Nuclear power (antinuclears); Milk (½ litre per day); Living close to a nuclear plant; Charcoal broiled steak (2 hectograms per week); Nuclear power (government estimates-average in USA).]

29.6 ARE THE RISK ANALYSES OF NUCLEAR POWER PLANTS CREDIBLE?

Here are some risk data for nuclear power plants:

• The maximum individual death risk for a nuclear power plant in normal operation and for the most exposed individual of the population is of the order of $10^{-7}$ to $10^{-6}$ per year.

• The death risk for accidents and for the most exposed individual of the population is, as a maximum, of the order of $5 \times 10^{-7}$ per year for currently operating plants (unfortunately, an exception must be made for the RBMK plants, Reaktor Bolsoj Moscnosti Kanalnyj in Russian, meaning High Power Channel Reactor, for which the risk is still, even after the modifications made, probably higher). For plants which would be built now, it is possible to believe in a decrease of the risk by one or two orders of magnitude.

• The safety objectives (safety goals) valid in the United States can be concisely expressed in the following way:
  • core melt: $10^{-4}\ \text{year}^{-1}$;
  • prompt death risk near the plant, for accidents: 0.1% of that for normal accidents (i.e., $0.1\% \times 5 \times 10^{-4}\ \text{year}^{-1}$);
  • death risk for the normal plant operation: 0.1% of the death risk for other cancer causes (i.e., about $0.1\% \times 2 \times 10^{-3}\ \text{year}^{-1}$).

• The INSAG (safety advisor body for the IAEA director) suggested values are $10^{-5}\ \text{year}^{-1}$ for the target core melt probability and 10 times less for the risk of a large release from the plant due, for example, to an important damage of the containment (see Chapter 1: Introduction).

As can be seen, both the risk objectives and the risk analyses on existing plants are reassuring, but, it is frequently asked, how reliable are these analyses? How much can the inevitable uncertainties on data and methods influence the results? Is it possible that some accident sequence has been forgotten in performing a probabilistic analysis? All the available information, including the analyses made before the Three Mile Island accident and the sequence of events in the accident itself, indicates that a corrective factor is embedded in the risk probabilities: this corrective factor might be identified in the redundancy of the protections adopted in the plants (defence in depth) and in the vastness of the field of theoretical possibilities of accident explored, by definition, in the probabilistic analyses. In simple words, even if a precise accident sequence has been forgotten in a specific probabilistic analysis, some other sequence would exist among those studied which is similar to it and that has been taken into account. It is for this reason that, even if many correctly hesitate in relying only on probabilistic safety criteria, a general agreement exists on the reliability of the probabilistic risk analyses as a tool for comparing different situations.

29.7 PROLIFERATION AND TERRORISM

These issues are outside the specific scope of this book but have been mentioned throughout in passing. The fight against proliferation is an organization and international control problem, with some important technical aspects, overseen by the IAEA. The possibility of terrorist use of nuclear substances, either of those connected with the energy cycle or of those for industrial and medical uses, is similarly a problem of national and of international control, besides being a matter of careful management of the plant or of the laboratory which uses these substances.

REFERENCES

Cohen, B.L., 1991. Catalogue of risks extended and updated. Health Phys. 61 (3).
HSE, 1988/1992. Report of the Sizewell B Public Inquiry. HMSO, London.
HSE, 1992. The Tolerability of Risk From Nuclear Power Stations. HMSO, London.
Strupczewski, A., 2001. Environmental and Health Impact of Energy Sources. International Conference on E. Fermi and Nuclear Energy, Pisa, Italy, October 2001.
USNRC, 2000. Risk-Informed Regulation Implementation Plan. SECY-00-0213.
USNRC Regulatory Guide 1.174, 2018. An Approach for using Probabilistic Risk Assessment in Risk-informed Decisions on Plant-specific Changes to the Licensing Basis.
USNRC Regulatory Guide 1.177, 2011. An Approach for Plant-specific, Risk-informed Decisionmaking: Technical Specifications.

Additional References

Essential references specifically related to each chapter of this book have been listed at the end of each chapter. However, these addresses for additional references give the reader a wider choice of documents. The references are grouped as follows:

IAEA: International Atomic Energy Agency (www.iaea.org)
OECD: Organization for Economic Cooperation and Development (www.oecd.org/bookshop)
NRC: United States Nuclear Regulatory Commission (www.nrc.gov)
MISC: For references of other sources

IAEA REFERENCES

NUCLEAR SAFETY STANDARDS SERIES

Safety fundamentals

General safety requirements
• Government, legal, and regulatory framework for safety
• Leadership and management for safety
• Radiation protection and safety of radiation sources
• Safety assessment for facilities and activities
• Predisposal management of radioactive waste
• Decommissioning and termination of activities
• Emergency preparedness and response

Specific safety requirements
• Site evaluation for nuclear installations
• Safety of nuclear power plants: Design; Commissioning and operation
• Safety of research reactors
• Safety of nuclear fuel cycle facilities
• Safety of radioactive waste disposal facilities
• Safe transport of radioactive material

Collection of safety guides

Technical documents TECDOCS

INSAG

Accidents

OECD references

USNRC references

Regulatory Guides

NRC regulatory guides are classified into the following divisions:

1. Power reactors
2. Research and test reactors
3. Fuels and materials facilities
4. Environmental and siting
5. Materials and plant protection
6. Products
7. Transportation
8. Occupational health
9. Antitrust and financial review
10. General.

MISC, OTHER REFERENCES

American Nuclear Society, 1984. Source terms. Special committee report.
American Physical Society, 1985. Radionuclide release from severe accident management implementation. Study group report.
ANS, 1983. Nuclear safety criteria for the design of stationary PWR plants. ANSI/ANS 51.1.
Bayliss, C., Langley, K., 2003. Nuclear Decommissioning, Waste Management and Environmental Site Remediation. Elsevier, Oxford.
Beckjord, E.S., 1995. NRC Research: A Ten-Year Vision. USNRC, Washington D.C.
Bourgeois, J., Tanguy, P., Cogné, F., Petit, J., 1996. La sureté nucleaire en France et dans le monde. Polytechnica, Paris.
Broughton, J.M., Kuan, P., Petti, D.A., Tolman, E.L., 1989. A Scenario of the Three Mile Island Unit 2 Accident. Nuclear Technology 87 (1).
Crede, C.E., 1976. Shock and Vibration Concepts in Engineering Design. Prentice-Hall, New York, USA.
CSNI, 1990. Inadequate isolation of containment openings and penetrations. OECD/NEA Report 179.
Cumo, M., Tripputi, I., Spezia, U., 2002. Decommissioning of nuclear plants, Scuola di specializzazione in sicurezza nucleare ed industriale, Università di Roma.
Etherington, H. (Ed.), 1958. Nuclear Engineering Handbook. McGraw-Hill, New York, USA.
Forasassi, G., Guerrini, B., Petrangeli, G., 1997. Comparison of some passive safety concepts in nuclear and process industry systems. Post-SMIRT 14 International Seminar 18 Passive Safety Features in Nuclear Installations, 25-7 August, Pisa.
Ford, D., 1982. The Cult of the Atom. Simon and Schuster, New York.
Gittus, J., 1982. Power degraded core analysis. ND-R-610(S), United Kingdom Atomic Energy Authority.
Glasstone, S., 1963. Nuclear Reactor Engineering. Van Nostrand, New York, USA.
Hampton, W., 2001. Meltdown, A Race Against Nuclear Disaster at Three Mile Island, A Reporter’s Story. Candlewick Press, Cambridge, MA.
Harbison, S., Martin, A., An introduction to radiation protection. ISBN 0412631105.
Institute of Mechanical Engineers, 1988. Assuring it’s safe. ISBN 1860581471.
Ishack, G., 1993. Operating experience with motor-operated valves: extracting the lessons learned from the Incident Reporting System. Report PWG1/OECD/NEA/CSNI.
JGA, 1991. Recommended Practice for LNG Above-Ground Storage. Japanese Gas Association, Tokyo, Japan.
Kletz, T., 1996. Dispelling Chemical Engineering Myths. Taylor & Francis, Oxford, UK.
Lamarsh, J.R., Baratta, A., 2001. Introduction to Nuclear Engineering. Prentice Hall, NJ, USA.
Lees, F.P., 2012. Loss Prevention in the Process Industries, vol. 3. Butterworth-Heinemann, Oxford.
Lewis, E.E., Nuclear Power Reactor Safety. ISBN 0471533351.
Mark’s Mechanical Engineers Handbook. 2006. McGraw-Hill, NY.
Mazuzan, G.T., Walker, J.S., 1984. Controlling the Atom, the Beginning of Nuclear Regulation 1946-1962. University of California Press, Oakland, USA.
Newmark, N.M., 1965. Effects of earthquakes on dams and embankments. Geotechnique 15 (2), 139-159.
OECD, 1996. State of the art report on key fracture mechanics aspects of integrity assessment. OECD/GD (96) 6, NEA/CSNI/R(95)1.
OECD, 2000. Report of the Senior Group on Safety Research. OECD/NEA/CSNI.
Pearson, G.H., 1953. The Design of Valves and Fittings. Pittman and Sons, London.
Petrangeli, G., 1987. Il concetto di rischio e definizione dei rischi. ANIAI, Rome.
Petrangeli, G., Tononi, R., d’Auria, F., Mazzim, M., 1993. The SSN: an emergency system based on intentional coolant depressurization for PWRs. Nucl. Eng. Design 143, 25-54.
Ramsey, C.B., Modarras, M., 1988. Commercial Nuclear Power, Assuring Safety for the Future. John Wiley & Sons, Hoboken, USA.
Ravindra, M.K., 1992. Seismic assessment of chemical facilities under California risk management and prevention program, International conference on Hazard Identification and Risk Analysis. Human Factors and Human Reliability in Process Safety, Orlando, FL, January.
Robbins, A., 1991. Radioactive Heaven and Earth. The Apex Press, New York.
Schweitzer, P.A., 1972. Handbook of Valves. Ind. Press, New York.
Shibata, H., 1975. Anti-earthquake design of industrial facilities. Technocrat, 8 (11), 12 pages.
Skousen, P.L., 2004. Valve Handbook. McGraw-Hill, NY.
Stevenson, et al., 1992. Advances in the analysis and design of concrete structures, metal containment and liner plates for extreme loads. Nucl. Eng. Design 134, 12 pages.
The Great Alaska Earthquake of 1964. 1972. National Academy of Sciences, Washington D.C. USA.
Thompson, J., Beckerley, J.G., 1973. The Technology of Nuclear Reactor Safety. The MIT Press.
USNRC, 1980. Equipment response at the El Centro steamplant during the 15 October 1979 Imperial Valley earthquake, NUREG/CR-1665.
USNRC, 1985. Reliability analysis of containment isolation systems. NUREG CR-4220.
USNRC, 1988. Technical findings and regulatory analysis for generic safety issue II.E.4.3 Containment integrity check. NUREG 1273.
USNRC, 1990. Results of the public workshops. Supplement 1 to generic letter 89-10.
USNRC, 1994. Information on schedule and grouping, and staff responses to additional public questions. Supplement 6 to generic letter 89-10.
USNRC, 1996. Consideration of valve mispositioning in PWRs. Supplement 7 to generic letter 89-10.
Voronin, L.M., et al., 1994. Safety of nuclear power plants (Russian edition, derived from the French book Memento de la sureté nucleaire en exploitation). EDF-EPN-DSN-Paris-ISBN n2-7240-0090-0, September.
Walker, J.S., 1992. Containing the Atom, Nuclear Regulation in a Changing Environment 1963-1971. University of California Press, Oakland, CA, USA.
Walker, J.S., 2000. Permissible Dose, A History of Radiation Protection in the Twentieth Century. University of California Press, Oakland, CA, USA.
Walker, J.S., 2004. Three Mile Island, A Nuclear Crisis in Historical Perspective. University of California Press, Oakland, CA, USA.

APPENDIX 1 THE CHERNOBYL ACCIDENT

A1.1 INTRODUCTION

The circumstances leading to and the severe consequences of the Chernobyl accident deserve to be known and considered even outside the circle of directly interested specialists. It was, indeed, a dramatic event, rich in human, social, and cultural implications. In this connection, another sad event, which long ago entered the annals of big technological disasters, comes to mind: the sinking of the Titanic. The RMS Titanic was a splendid British ocean liner which sank on her maiden voyage on the night of April 14-15, 1912, after a collision with an iceberg in the northern Atlantic. Out of the 2200 passengers on board, 1500 died: many of these because there were too few lifeboats. Subsequently, more stringent safety rules and iceberg warning systems were adopted.

The Chernobyl reactor, like the Titanic, was a technological masterpiece, but both had inherent and serious flaws in their design. Another technologically advanced design that failed disastrously was the NASA Space Shuttle Challenger. Other technological disasters, such as at Bhopal and Seveso, were more related to simple carelessness in design and operation. This appendix gives a brief description of the Chernobyl reactor and illustrates the accident and its principal causes.

A1.2 THE REACTOR

The Chernobyl reactor (Fig. A1.1) is of the RBMK type (an acronym of the Russian words for “Channel High Power Reactor”). Five reactors of this type were built at various sites in the former USSR and the design is found nowhere else in the world. It is a boiling water pressure tube (channel) reactor, cooled by light water and moderated by graphite. [In pressure tube (channel) reactors the nuclear fuel, made from low enriched uranium oxide, is contained in a set of parallel and closely spaced tubes or channels.] In passing, it has to be said that water reactors are numerous in the world, although the majority of these reactors are of the “pressure vessel” type, where all the nuclear fuel is contained in a strong vessel and not in a set of parallel pressure channels.

In the RBMK, the light water coolant is brought to boiling point in the channels. The steam produced is separated from the residual liquid water in dedicated separator tanks located at an elevated position. It is then routed to the turbines mechanically coupled to the electric power generators. In this way, the heat produced by the chain reaction in the reactor is transformed into electric energy. The first generation units were located in a conventional industrial building and the other units, including the one in which the accident happened, were provided with partially reinforced containment.

FIGURE A1.1 Schematic of the Chernobyl plant. [Labels in the drawing: Steam separator; Reactor room; Reinforced concrete structure; Header; Pump; Pressure resisting rooms; Reactor; Suppression water pool; Water; Relief pipes; Safety valves discharge.]

The plant was, in many respects, well designed in its details and had interesting characteristics both economically (it demonstrated a good use of the uranium) and militarily (it could possibly be used for plutonium production). However, it was inadequate from the point of view of the safety concepts adopted when compared with the Western state of the art. The three major defects, still partially present in the design, are: a tendency to instability and to uncontrolled power excursions (a positive power coefficient), a slow scram system which in certain conditions could act as an accelerator instead of a brake on the chain reaction (a positive fast shutdown), and the absence of a real and complete pressure resisting containment. Even before the accident, an English Working Group stated that a reactor of this type would not meet the safety standards of the Western world (Report by Nuclear Power Company Limited, March 1986, UK). In summary, the RBMK design has some economic and strategic advantages, but these are offset by the shortcomings in design which in 1986 destroyed reactor number 4 of the Chernobyl power station.

It is worthwhile describing further the negative safety characteristics of these reactors in order to clarify the technical reasons for the accident, although they were not the only ones, and to see why the very competent designers made their decisions. The design has three principal negative characteristics.

The first one is that the reactor power tends to strongly increase when the cooling water inventory in the reactor decreases: the cooling water is a “neutron poison.” The water inventory decreases when more steam is produced in the reactor. In fact, the steam bubbles produced expel the liquid water from the reactor. This is what happens in a boiling kettle which, if initially overfilled, as boiling starts, causes the water to be spilled out. If this kettle is heated on a gas cooker, the water spilled extinguishes the flame and, if the cooker is provided with an automatic gas supply stop, everything terminates without consequences. But this is not so in a RBMK because, as we have just mentioned, when the production of steam bubbles increases, the nuclear power (the heat produced by the cooker in the example) tends to increase instead of decrease. It can be easily seen that these types of reactors are unstable because an increase in power tends to be enhanced instead of being damped. On the other hand, when the power decreases, the steam production tends to decrease too, more liquid water is present inside the channels and the power tends to decrease still more. In the nuclear jargon, this unfavorable characteristic of RBMKs is called the “positive void (power) coefficient.” Naturally, the designers incorporated in the plant intrinsic characteristics and automatic control systems which counteracted this tendency toward instability in almost all the operation conditions, except, unfortunately, in some specific conditions, such as the one which occurred at Chernobyl.

The second negative characteristic concerns some peculiarities of the emergency fast shutdown system of the reactor. This system is present in all nuclear reactors and causes the entry in the reactor itself of substances capable of arresting the chain reaction in case of danger. In general, these substances are contained in metallic rods which are named “control” or “safety” rods and which can be inserted in or extracted from the reactor. In the case of the RBMK the fast shutdown system was, before the Chernobyl accident, very slow (~20 seconds for the complete insertion of the rods into the core, instead of the usual two seconds). Moreover, rather surprisingly, for those rods which are completely extracted from the reactor, their action, in the initial part of their stroke during their insertion, is not a reduction of the chain reaction but rather an acceleration of the reaction itself. This dangerous characteristic of the reactor is called “positive fast shutdown.”

A third negative characteristic is the absence of a complete pressure containment building around the nuclear part of the plant which would resist the overpressure caused by possible accidents. The majority of the world’s reactors are contained in this manner in order to prevent the release of radioactive substances to the outside even in serious accidents. Fig. A1.1 shows that a large part of the building which contained the Chernobyl reactor was very similar to a light factory shed.


Aggravating these deficiencies was the fact that the metal vessel containing all the nuclear fuel tubes could not withstand more than a very limited number of fractures. Beyond this number the pressure is so strong that the tank literally uncovers causing the break of all the tubes and the expulsion of nuclear fuel. Given these shortcomings it is natural to ask why these design decisions, so unfavorable to safety, were made. Without going into details, the reasons are probably two: first, a desire for maximum economy in fuel consumption and in operation in general, and second, the possibility of using the reactor plutonium production for nuclear weapons. Every decision, therefore, was made with excessive confidence in the perfection of the technology, in the belief that all the accident scenarios had been foreseen and in the operators’ correct behavior.

A1.3 THE EVENT

Unit 4 of the Chernobyl plant was scheduled to be passed to the maintenance crews for a programed revision on the morning of April 26, 1986. Therefore the crews would arrive early and the plant had to be ready so they could do their work. However, before the reactor could be shut down for maintenance it was necessary to perform a programed test of a new safety device that had been installed on the electric generator, starting from a power of about 700 MWt (the normal operating power was 3200 MWt).

The plant management began early and started to reduce power at about 1 a.m. on the night of Friday, April 25. This operation continued until 2 p.m. when the KievEnergo distributor (dispatcher) organization asked the Chernobyl power plant to continue to maintain the reduced power output without further reduction because the electricity demand in the Kiev industrial zone was still very high before the weekend interruption of work. The distributor is the organization which governs in any country or region the electric grid and has the responsibility of balancing demand and supply. The planned reduction of the reactor power was resumed, with the agreement of the distributor, only at about 11 p.m., meaning that nine hours had been lost from the test schedule and consequently less time before the looming deadline of the following morning’s maintenance shutdown. As can be imagined the operators became anxious.

Half an hour into the morning of April 26 another unfortunate event happened. In the manual switchover, during the power descent, of the automatic control of the reactor from one regulator to another (a standard procedure) something happened (for a never clarified reason) which caused the reactor power to drop to only 30 MWt. Was it a malfunction of the controller or an operator error? It has not been possible to ascertain the truth with certainty; however, in my view, simple “bad luck” was heavily involved.

A very low power condition might appear trivial in a normal machine—if the power decreases too much, it is made to rise again by the dedicated controls—but in a nuclear reactor and especially in an RBMK, this is not so. Besides the reluctance of any reactor to increase power after a reduction, due to some isotopes which slow the chain reaction down and which are produced precisely in these transients, in an RBMK at low power the steam production in the channels stops and they fill up with water. As described earlier, the nuclear power level tends to decrease even more (the typical instability of RBMKs).


Hence, almost one hour of frantic attempts to regain power at any cost followed with the goal of getting an adequate power level to complete the test in time. The reactor engineer believed at this point that the test should have been discontinued but continued to make any possible attempt, even infringing safety rules, as he feared being fired. He attempted any possible maneuver, first of all extracting all the reactor control rods (an operation forbidden by the safety rules in force) and succeeded in bringing the reactor to 200 MWt with all the control rods extracted and with the channels almost filled with water. These are the conditions where the RBMK is maximally unstable and the scram is plagued by that tragic defect of accelerating the chain reaction instead of slowing it down at the start of its actuation. It is not clear what happened in the final instant as the reactor “blew up.” Some records shown by the Russians in Vienna in August 1986 during the first conference on the accident show that the control rods started to automatically enter the reactor. This could be an indication of an unstable nuclear transient. What is known is that an operator, at 01 h 23 m 40 s, pushed the scram button which introduced all the control rods into the reactor. High radiation alarms, high pressure alarms, and high pressure signals for fuel channel ruptures triggered, and finally two very strong explosions occurred. Fig. A1.2 shows the trend of the reactor power in the last minutes before the accident. Pushing the scram button had been the final catalyst: its small positive push of the reactor nuclear power had made the whole system unstable due to the low power and to the large quantity of liquid water in the reactor itself. The power strongly increased causing the fuel channels to burst and the lid of the metal tank which contained them to break. 
The reactor was almost destroyed and nuclear fuel and burning fragments were dispersed on the plant yard and projected high in the sky (to about 1 km), causing fires on the roof of the turbine building and elsewhere. The following describes the probable course of the accident in greater detail based on observations and direct inspections, on the available knowledge of the phenomena of severe nuclear accidents, on analytical evaluations subsequently made and on the conclusions prevailing among the experts. It has to be noted, however, that the degree of certainty of the conclusions on the precise accident dynamics is not yet satisfactory, so that other studies and research are needed. Once the scram button was pressed, the reactor power started to increase strongly because of the aforementioned characteristic of “positive scram” and because of the progressive increase in the amount of steam in the reactor (caused by the increase in thermal power) and because of the corresponding decrease in water (the water in this reactor is a neutron poison). In the RBMK, the thermal power is generated by the fission chain reaction inside the uranium fuel contained in the fuel channels where the cooling water flows under boiling conditions. It is easy to understand that increasing the thermal power (heat) generated in the fuel means that more heat needs to be transferred to the cooling water. However, temperature limits exist beyond which the uranium-based fuel, as well as the metal cladding which contains it, start to be damaged. This is what happened at Chernobyl in the first phase of the nuclear power excursion (the self-enhancing power increase phenomenon). The fuel (uranium dioxide) started to melt and to vaporize with a consequent pressure increase and with dispersion of overheated fragments in the cooling boiling water inside the channels. 
This dispersion caused a general pressure increase in the channels themselves, probably of an explosive type (steam explosion), and their bursting. The steam escaped in the reactor tank which, as noted, could resist only the break of a few tubes (channels). The tank uncovered and all the tubes were ripped off with the external projection of fuel and other incandescent materials. This was the first very strong explosion heard by the witnesses. Unfortunately, this was not the end of the story. Under very high temperature conditions of the fuel and of the metallic channel materials, water and steam may react, here too in a self-enhancing way, with the metallic materials generating hydrogen and with the reactor graphite generating carbon monoxide. Hydrogen and carbon monoxide are highly explosive gases and in effect they caused the second explosion.

FIGURE A1.2 Trend of some of the Chernobyl reactor parameters in the last minutes up to the accident.

FIGURE A1.3 Reconstruction of the reactor after the accident and the “sarcophagus.” [Figure labels: sarcophagus, reactor top plate, turbine hall, reactor rubble.]

The consequences of the two explosions were the destruction of the reactor, the projection of incandescent and burning materials outside (the flashes, as of fireworks, quoted by many witnesses) and a fire of all the graphite mass. The reactor, according to the subsequent reconstructions, was reduced to the condition shown in Fig. A1.3 which also illustrates subsequent work carried out in order to isolate the reactor from the environment (the so-called “Sarcophagus”).

So what was the actual cause of the accident? As frequently happens with accidents, this tragedy was caused by more than one error. At the start of the analysis, understandably, there was a tendency to put the greatest blame on the operators, even though their work records were good, but subsequently the serious safety deficiencies of this type of reactor have emerged. The accident was due to design shortcomings which, together with the special requirements then prevailing and with the operators not being prepared to cope with the difficult situation which developed and not being respectful of the safety rules, especially in the stressed conditions in which they operated, generated this catastrophe. Other accompanying causes have been indicated by the post-accident investigations. These have mainly focused on the inadequate general management system and on the insufficient level of “safety culture” in which the design and the operation of the Chernobyl reactor occurred.

FURTHER READING

IAEA, 1986. Vienna, Acts of the Post-accident Review Meeting, August, Vienna.
Medvedev, G., 1990. La vérité sur Tchernobyl. Éditions Albin Michel S.A., Paris.
Spezia, U., 1996. Chernobyl, dieci anni dopo il disastro (Chernobyl, Ten Years after the Disaster). Milo, Vitorchiano, Italy.
Vargo, G.J., 2000. The Chernobyl Accident, a Comprehensive Risk Assessment. Battelle Press, Columbus, Richland, USA.

APPENDIX 2

CALCULATION OF THE ACCIDENT PRESSURE IN A CONTAINMENT

A2.1 INTRODUCTION

An initial release of a steam–water mixture with a high internal energy into the containment takes place in many water reactor accident scenarios. Typically, it is the water of the primary cooling system which causes an initial overpressure and a subsequent pressure transient in the containment itself. The following paragraphs describe some simple methods, with essential data, for calculating the pressure with time in these two phases.

A note concerning the measurement units used in these calculations has to be added. Owing to the long history of the first creation of the related computer program and of its subsequent improvements and tests, the measurement units do not all belong to the International System (SI). They have been left as they were, in order not to lose the benefit, in terms of reliability, of the long testing of the program. The strongest discrepancy from the SI units is that large calories (Cal) are used instead of joules, and bars or kg/cm² instead of pascals.

A2.2 INITIAL OVERPRESSURE

The initial pressurization of the containment is a constant volume phenomenon (the containment volume) and, therefore, in order to calculate the final state parameters (e.g., the pressure), it is necessary to equate the initial and final internal energies of the involved fluids. Here it is assumed that the initial pressurization of the containment is relatively fast, for example, corresponding to the break of an intermediate or large recirculation pipe (an intermediate or large LOCA). Therefore the heat exchanged with objects internal to the containment and between the inside and outside of it can be considered negligible. The initial and final energies of the fluids concerned can be calculated by the following considerations and formulae.

$$\text{Total internal energy} = \text{Air energy} + \text{Water (liquid and steam) energy} \tag{A2.1}$$

$$\text{Air internal energy: } U_a = M_a C_v t \quad \text{(Cal/kg)} \tag{A2.2}$$

where $C_v$ is the specific heat at constant volume of air (0.172 Cal/kg in normal conditions), $M_a$ is the weight of air in the containment (kg) and $t$ is the temperature in °C.


$$\text{Specific internal energy of the water–steam mixture: } U_{H_2O} = M_{H_2O}\left(H_{H_2O} - Jpv\right) \quad \text{(Cal/kg)} \tag{A2.3}$$

where $M_{H_2O}$ is the weight of water–steam (kg), $H_{H_2O}$ is the specific enthalpy of water (a function of the mixture quality and of the pressure) (Cal/kg), $J$ is the inverse of the mechanical equivalent of the calorie [$J = 1/(427$ kg m/Cal$)$], $p$ is pressure (kg/m²), and $v$ is the specific volume (m³/kg).

The quality, $X$, of the mixture, before and after the pressurization of the containment, can be calculated from the specific volumes of the water and steam which are known. The weight of water and steam is equal to the released amount (e.g., that of the primary cooling water), while the initial volume is that of the primary system and the final volume is that of the containment.

$$X = \frac{v - v_1}{v_{fg}} \tag{A2.4}$$

where $v_1$ and $v_{fg}$ are the specific volume of liquid water and the difference between water vapor specific volume and liquid water volume, respectively, and can be obtained from steam diagrams and tables as well as from the approximate formulae (A2.5) and (A2.6) (CNEN, 1976).

$$v_1 = \frac{9.165659\times10^{-4}\,p^3 - 4.159937\times10^{-1}\,p^2 - 35.05628\,p - 120.077}{p^3 - 251.462\,p^2 - 31207.36\,p - 117706.3} \tag{A2.5}$$

and

$$v_{fg} = \frac{-2.309098\times10^{-3}\,p^4 + 4.162979\,p^3 - 857.4263\,p^2 - 14867.06\,p - 3998.127}{p^4 - 381.89\,p^3 - 7810.05\,p^2 - 3776.419\,p + 529.4787} \tag{A2.6}$$

where $p$ is pressure (kg/cm²). The specific enthalpy $H_{H_2O}$ is given by Eq. (A2.7).

$$H_{H_2O} = H_f + X H_{fg} \tag{A2.7}$$

where the enthalpies can also be calculated by the approximate formulae (A2.8) and (A2.9).

$$H_f = \frac{964.3845\,p^3 + 188946.5\,p^2 + 2470981\,p - 1649689}{p^3 + 665.0797\,p^2 + 16075.48\,p + 26716.57} \tag{A2.8}$$

$$H_{fg} = \frac{231973.9\,p^3 - 5.284174\times10^{7}\,p^2 - 1.191874\times10^{9}\,p - 1.575882\times10^{9}}{p^4 + 82.67094\,p^3 - 126285.4\,p^2 + 2315288\,p + 2785184} \tag{A2.9}$$

The initial values of the internal energies can be calculated directly, while the final ones must be obtained by a trial and error procedure, usually drawing a graph (e.g., in Microsoft Excel). It is possible to start with a tentative $t_{final}$ value from where the partial pressure of air is obtained (by the perfect gas law and the initial values) as well as the partial pressure of steam by diagrams, tables, or approximate relationships like that of Eq. (A2.10), which is very good between 99 °C and 374 °C, and fairly good above 65 °C.

$$p = \frac{-4.241304\times10^{-9}\,t^4 + 2.284709\times10^{-6}\,t^3 - 2.952689\times10^{-4}\,t^2 + 2.164816\times10^{-2}\,t - 5.712048\times10^{-1}}{2.066907\times10^{-11}\,t^4 - 3.21231\times10^{-8}\,t^3 + 2.049397\times10^{-5}\,t^2 - 6.895268\times10^{-3}\,t + 1} \tag{A2.10}$$

FIGURE A2.1 Loss of coolant accident pressure in a containment. [Axes: Pr (kg/cm²), T (°C), and V/P (m³/kg); curves labeled 250, 300, 350, and 400 (kcal/kg).]

The final accident pressure can also be calculated by specific diagrams, such as the one shown in Fig. A2.1, where Pr is the relative accident pressure in the containment (kg/cm²), T is the corresponding temperature (°C), and V/P is the ratio between containment volume and weight of water released (m³/kg). The four curves of the final pressure refer to various values of the specific internal energy of the released liquid.

Example: The containment has a free volume of 60,000 m³, into which 250 t of primary water are released, with an average temperature of 300 °C. Initially the pressure in the containment is equal to 1 bar. Therefore V/P = 0.24 m³/kg. The specific enthalpy of the liquid water at 300 °C is equal to about 314 Cal/kg (practically coincident with the specific internal energy). Entering these values into the graph, the relative accident pressure equals about 2.7 kg/cm² and the final containment temperature is about 125 °C.

A2.3 CONTAINMENT PRESSURE VERSUS TIME

The following describes a simple spreadsheet which can be useful for rough evaluations. Where the assumptions on which it is based do not match those of interest (e.g., an absence of spray systems in the containment) the program can be easily modified.


A2.3.1 INTRODUCTORY REMARKS

During the design of the pressure containment building of a water reactor, the calculation of the transient pressure within it as a consequence of a LOCA is very important.

In the first place, the knowledge of the pressure history in the containment, in times subsequent to the rupture, is necessary for the determination of the maximum internal pressure after the accident, which in some cases can be higher than the first initial pressure peak occurring shortly after the break. This, in general, occurs when, for the constructive characteristics of the containment, the dispersion of heat toward the outside is limited. Representative examples of this situation are those containers where an internal liner in reinforced concrete or an external biological shield of the same material which encloses totally or partially the metal container is present (e.g., the Indian Point, Elk River, Connecticut Yankee, Trino Vercellese, and similar plants). In such cases, and in the absence of specific pressure abatement systems, such as cold water spray systems inside the containment, in addition to the first pressure peak in the instants immediately following the rupture, a second pressure peak can occur, higher than the first one, due to the release within the containment of the decay heat of the reactor core and to other possible phenomena, even in the realm of the design basis accidents. The second peak will occur at different times after the accident, according to the particular thermal characteristics of the system.

In the second place, the knowledge of the pressure history in the containment is necessary for the evaluation of the release outside it of radioactive substances from the core through the inevitable leaks of the structure. The amount of this release depends, in fact, on the internal pressure.

A2.3.2 CALCULATION METHOD

The step-by-step procedure described here is for use on a Microsoft Excel, or similar, spreadsheet. For the generic time interval the amounts of heat exchanged with the containment internal atmosphere on the basis of the conditions existing at the start of the same interval are calculated, assuming that in the interval the temperature of the air–water–steam mixture remains constant. Then the balance of these quantities is made and, on the basis of the current heat capacity of the mixture, the variation of its temperature in the time interval and the corresponding final pressure are evaluated. The initial conditions for the subsequent time interval are then calculated.

The method has been developed for simple pressure containment such as that shown in Fig. A2.2 where the heat sources and sinks are solar heat absorbed by the containment (Qs), the heat exchanged with concrete (Qc), the heat exchanged with cold metals (Qmf), the heat exchanged with hot metals (Qmc), core decay heat (Qd), and the heat exchanged by the mixture toward the outside through the containment (Qco). With small and obvious modifications this method can also be adapted to rather different containments, such as double containment.

FIGURE A2.2 Containment scheme. [Heat flows labeled in the figure: Qcs, Qmf, Qc, Qco, Qmc, Qd.]

A2.3.3 HEAT EXCHANGED WITH THE OUTSIDE THROUGH THE METAL CONTAINER

The container considered is painted on its surfaces and the thermal resistance of the metal is negligible compared with the resistance between the metal and the air–steam mixture on one hand and external air or water of the external spray system on the other. With these assumptions and in the case where the external spray is not operating, the formulae giving the amount of heat exchanged in the generic time interval and the metal temperature at the end of the same interval are given in Eqs. (A2.11)–(A2.15).

$$Q_{co} = \Delta\tau\left[C_1\,(T_m - T_e) - \frac{h_1}{h_1 + h_2}\,Q_{cs}\right] + C_2\left(e^{C_3 \Delta\tau} - 1\right)\left(T_{co}(0) - \frac{h_1 T_m + h_2 T_e + \dfrac{Q_{cs}}{S_{co}}}{h_1 + h_2}\right) \tag{A2.11}$$

$$T_{co} = e^{C_3 \Delta\tau}\left(T_{co}(0) - \frac{h_1 T_m + h_2 T_e + \dfrac{Q_{cs}}{S_{co}}}{h_1 + h_2}\right) + \frac{h_1 T_m + h_2 T_e + \dfrac{Q_{cs}}{S_{co}}}{h_1 + h_2} \tag{A2.12}$$

$$C_1 = \frac{h_1 h_2 S_{co}}{h_1 + h_2} \tag{A2.13}$$

$$C_2 = \frac{h_1 S_{co}}{C_3} \tag{A2.14}$$

$$C_3 = \frac{S_{co}\,(h_1 + h_2)}{C_c} \tag{A2.15}$$

where $C_1$ (Cal/min °C), $C_2$ (Cal/°C, kg), and $C_3$ (Cal/min) are three convenient calculation quantities, $C_c$ is the specific heat of the concrete (Cal/kg, °C), $h_1$ is the transmission coefficient between the containment metal and the mixture (resistance of the paint and of the paint–mixture interface) (Cal/m² min °C), $h_2$ is the transmission coefficient between the containment metal and external air (resistance of the paint and of the paint–air interface) (Cal/m² min °C), $S_{co}$ is the containment surface area exposed to external air (m²), $T_{co}$ is the temperature of the containment metal (°C), $T_{co}(0)$ is the container metal temperature at the start of the interval of time (°C), $T_e$ is the temperature of the external air (°C), $T_m$ is the temperature of the air–steam mixture within the containment (°C) and $\Delta\tau$ is the time interval (min).

In the case where an external spray system operates it is possible to neglect the heat capacity of the containment and the heat released to the outside is calculated on the assumption that the spray water is poured from the top of the containment. The heating of the water itself while it flows along the surface is, moreover, taken into account. Thus Eq. (A2.16) follows:

$$Q_{co} = G_{se}\,C\,(T_m - T_{se})\left(1 - e^{-hS_{co}/G_{se}}\right)\Delta\tau \tag{A2.16}$$

where $c$ is the total container metal thermal capacity (Cal/°C), $C$ is the specific heat of the external spray water (Cal/kg, °C), $G_{se}$ is the flow rate of the external spray (kg/min), $h$ is the transmission coefficient between the mixture and the external spray water (Cal/m², min, °C), and $T_{se}$ is the temperature of the external spray water (°C). This equation does not include the solar heat because, if the external spray is operated, this contribution has no influence on the transient.

A2.3.4 HEAT RELEASED BY HOT METALS

The hot metals are the primary and secondary systems and the related hot auxiliary systems inside the containment. These plant parts are all thermally insulated by a liner. The heat exchange is calculated by treating these components as a flat layer of thickness equal to the average value of the thicknesses of all the components themselves, perfectly insulated on one side and lined on the other (toward the mixture) by the usual insulating liner. It is admissible to consider the metal as a capacity without resistance and the liner as a resistance without capacity and, with this scheme, the heat amount and the final temperature are given by Eqs. (A2.17) and (A2.18):

$$Q_{mc} = h_{mc} S_{mc}\,\Delta\tau\,(T_{mc} - T_m) \tag{A2.17}$$

$$T_{mc} = T_{mc}(0) - \frac{h_{mc} S_{mc}\,(T_{mc} - T_m)\,\Delta\tau}{C_{mc}} \tag{A2.18}$$

where $h_{mc}$ is the transmission coefficient between hot metals and the mixture (resistance of the insulating liner and the liner–mixture interface) (Cal/m² min °C), $S_{mc}$ is the hot metal surface area (m²), $C_{mc}$ is the thermal capacity of the hot metals (Cal/°C), $T_{mc}$ is the temperature of the hot metals (°C), and $T_{mc}(0)$ is the temperature of the hot metals at the start of the time interval (°C).

A2.3.5 HEAT EXCHANGED WITH COLD METALS

The cold metals are those metallic components which during operation are at about the ambient temperature of the containment. They are lined, on exposed surfaces, by a layer of paint. The model used here is a simple capacity (metal) and a resistance (paint and paint–mixture interface). Thus Eqs. (A2.19) and (A2.20) follow:

$$Q_{mf} = C_{mf}\,\bigl(T_{mf}(0) - T_m\bigr)\left(e^{\frac{h_{mf} S_{mf}}{C_{mf}}\Delta\tau} - 1\right) \tag{A2.19}$$

$$T_{mf} = T_m + \bigl(T_{mf}(0) - T_m\bigr)\,e^{\frac{h_{mf} S_{mf}}{C_{mf}}\Delta\tau} \tag{A2.20}$$

where $C_{mf}$ is the thermal capacity of the cold metals (Cal/°C), $h_{mf}$ is the transmission coefficient between the metal and the mixture (Cal/m² min °C), $S_{mf}$ is the cold metal surface area (m²), and $T_{mf}$ is the temperature of the cold metals (°C).

A2.3.6 HEAT EXCHANGED WITH CONCRETE LAYERS

The concrete layers have been modeled as plane layers insulated on one side and in contact, on the other side, with the air–steam mixture through a paint layer. The calculation method is that described in Jakob (1962) which uses the finite difference method for the solution of the heat transfer equations. The concrete layers have been grouped in a certain number of groups, each with an average thickness and an exposed surface equal to the sum of the surfaces of the concrete layers included in the group. The heat exchanged with one of the groups of layers during the generic time interval $\Delta\tau$ is given by Eq. (A2.21):

$$Q_c = h_c S_c\,(T_m - T_c)\,\Delta\tau \tag{A2.21}$$

where $h_c$ is the mixture–concrete transmission coefficient (Cal/m² min °C), $S_c$ is the concrete surface area (m²), $T_m$ is the temperature of the mixture (°C) at the start of the interval, and $T_c$ is the temperature of the concrete wall (°C) at the start of the interval. The temperatures, $T'$, of the layers in which the concrete has been subdivided at the end of the time interval are calculated by Eqs. (A2.22)–(A2.24):

$$T'_1 = \frac{2N}{M}\,T_m + \frac{M - 2N - 2}{M}\,T_1 + \frac{2}{M}\,T_2 \tag{A2.22}$$

for the first layer,

$$T'_i = \frac{1}{M}\,T_{i-1} + \frac{M - 2}{M}\,T_i + \frac{1}{M}\,T_{i+1} \tag{A2.23}$$

for the layers between the first and the last, and

$$T'_n = \frac{1}{M}\,T_{n-1} + \frac{M - 1}{M}\,T_n \tag{A2.24}$$

for the last layer. $M$ is an auxiliary calculation nondimensional quantity and is given by Eq. (A2.25):

$$M = \frac{\rho_c C_c\,\Delta x^2}{K_c\,\Delta\tau} \tag{A2.25}$$

where $\rho_c$ is the concrete density (kg/m³), $K_c$ is the concrete heat conduction coefficient (Cal/m, min, °C), and $\Delta x$ is the thickness of the concrete layer (m). $N$ is another auxiliary calculation nondimensional quantity and is given by Eq. (A2.26):

$$N = \frac{h_c\,\Delta x}{K_c} \tag{A2.26}$$

The necessary condition for the convergence of the calculation is the one given by Eq. (A2.27):

$$M > 2N + 2 \tag{A2.27}$$

The choice of the intervals $\Delta x$ and $\Delta\tau$ has been made in a way which abundantly satisfies Eq. (A2.27), that is, $M \approx 2(2N + 2)$.
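The layer update of Eqs. (A2.21)–(A2.27) is sketched below in Python as an added example; it is not code from the book or from the spreadsheet it describes. The concrete properties, surface, layer count and temperatures are constructed values, the mixture temperature is held constant, and the half-cell weight used in the heat balance is an inference from the coefficients of Eq. (A2.22).

```python
# Added example: explicit finite-difference update for one group of concrete
# layers, Eqs. (A2.21)-(A2.27). All numerical data below are constructed.

RHO_C = 2300.0   # concrete density, kg/m3 (assumed)
C_C = 0.21       # concrete specific heat, Cal/(kg C) (assumed)
K_C = 0.02       # concrete conduction coefficient, Cal/(m min C) (assumed)
H_C = 0.5        # mixture-concrete coefficient, Cal/(m2 min C) (assumed)
S_C = 1000.0     # exposed surface of the group, m2 (assumed)
DX = 0.05        # layer thickness, m (assumed)
N_LAYERS = 8     # number of layers in the group (assumed)
T_WALL0 = 30.0   # initial concrete temperature, C (assumed)
T_MIX = 130.0    # mixture temperature, C, held constant here (assumed)


def groups(dtau):
    """Nondimensional M (A2.25) and N (A2.26) for an interval dtau in minutes."""
    m = RHO_C * C_C * DX ** 2 / (K_C * dtau)
    n = H_C * DX / K_C
    return m, n


def converges(dtau):
    """Convergence condition of Eq. (A2.27): M > 2N + 2."""
    m, n = groups(dtau)
    return m > 2.0 * n + 2.0


def recommended_dtau():
    """Interval for which M = 2(2N + 2), the margin quoted in the text."""
    _, n = groups(1.0)
    return RHO_C * C_C * DX ** 2 / (K_C * 2.0 * (2.0 * n + 2.0))


def step(temps, t_mix, dtau):
    """Advance one interval; returns (new temperatures, Qc in Cal).
    temps[0] faces the mixture, temps[-1] is the insulated side."""
    m, n = groups(dtau)
    last = len(temps) - 1
    new = list(temps)
    new[0] = ((2 * n / m) * t_mix + ((m - 2 * n - 2) / m) * temps[0]
              + (2 / m) * temps[1])                                   # A2.22
    for i in range(1, last):
        new[i] = (temps[i - 1] / m + ((m - 2) / m) * temps[i]
                  + temps[i + 1] / m)                                 # A2.23
    new[last] = temps[last - 1] / m + ((m - 1) / m) * temps[last]     # A2.24
    q_c = H_C * S_C * (t_mix - temps[0]) * dtau                       # A2.21
    return new, q_c


def stored_heat(temps):
    """Heat held by the group relative to 0 C (Cal). The first node is
    weighted as a half cell, which is what the A2.22 coefficients imply."""
    weights = [0.5] + [1.0] * (len(temps) - 1)
    return RHO_C * C_C * DX * S_C * sum(w * t for w, t in zip(weights, temps))


def simulate(dtau, steps):
    """Run the update from a uniform wall; returns (temperatures, total Qc)."""
    temps = [T_WALL0] * N_LAYERS
    total_q = 0.0
    for _ in range(steps):
        temps, q_c = step(temps, T_MIX, dtau)
        total_q += q_c
    return temps, total_q


if __name__ == "__main__":
    dt = recommended_dtau()
    temps, q = simulate(dt, 200)
    print("interval (min):", round(dt, 3), "M, N:", groups(dt))
    print("layer temperatures (C):", [round(x, 1) for x in temps])
    print("heat absorbed (Cal):", round(q))
    # An interval that violates Eq. (A2.27) gives a wall hotter than the mixture.
    print("first layer with a 60 min interval:", round(simulate(60.0, 1)[0][0], 1))
```

With an interval satisfying Eq. (A2.27) every new temperature is a weighted average with non-negative weights, so the wall stays between its initial temperature and that of the mixture, and the summed Qc equals the heat stored in the layers.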

A2.3.7 DECAY HEAT

As far as the transfer of the decay heat of the core to the water–steam mixture is concerned, here too the assumptions are made (usual in this type of calculation) of the total and instantaneous transfer of the available energy from the core to the mixture. These assumptions are not likely to be complied with in an accident, especially when it is assumed that the core always remains dry (i.e., no spray or flooding system operates). In reality the heat released is only partially transmitted to the mixture and, moreover, this phenomenon occurs after a delay. The assumption of the total transfer to the mixture of the energy released over time by the core is certainly cautious, while the assumption of an absence of delays in the phenomenon may or may not be cautious according to the aspects of the accident considered. In fact, what can be expected by the assumption of immediate transfer of the heat from the core is a pressure transient characterized at the start by higher values but having a shorter duration. Therefore this assumption is very likely to be conservative for the evaluation of the probability that a second pressure peak higher than the first one in the containment occurs. It will not necessarily be so for the evaluation of prolonged releases of activity from the containment in the absence of pressure abatement systems, for example, spray systems.

The core decay heat is essentially composed of the decay heat of the fission products, the decay heat of the decay chain of uranium-239 and neptunium-239 produced by neutron capture by uranium-238, the decay heat of other actinides, the control rods and the structural materials, and the heat generated by the residual fissions and by neutron capture by the fission products. The heat of the residual fissions is generally very small 100 s after shutdown and can be completely neglected for the study of medium-term and long-term transients. The decay heat of the structural materials can also be neglected. As far as the control rods are concerned, the heat released by them is not completely negligible, but it can probably be ignored if a safety factor for the total decay heat of at least 1.1 is used.

The decay heats of the fission products have been amply studied and the values used here are those suggested by Shure and Dudziak (1961). They are very close to the values of the ANS (1994) and ISO (1992) curves. Some values of the decay heat of the fission products for infinite irradiation according to Shure are shown in Table A2.1.

Table A2.1 Decay Heat (Shure and Dudziak, 1961)

Time After Shutdown (s)    Decay Power as a Percentage of the Thermal Operating Power
10²                        3.3
10³                        1.87
10⁴                        0.97
10⁵                        0.48
10⁶                        0.268
10⁷                        0.121
10⁸                        0.0515

Table A2.2 Decay Heat (ANS, 1994; ISO, 1992)

Time After Shutdown, t (s)    ANS 5.1/94       ISO 10645
1                             6.066 × 10⁻²     6.005 × 10⁻²
10                            4.731 × 10⁻²     4.738 × 10⁻²
10²                           3.193 × 10⁻²     3.220 × 10⁻²
10³                           1.980 × 10⁻²     2.031 × 10⁻²
10⁴                           9.718 × 10⁻³     1.028 × 10⁻²
10⁵                           5.548 × 10⁻³     5.705 × 10⁻³
10⁶                           2.315 × 10⁻³     2.364 × 10⁻³
10⁷                           7.015 × 10⁻⁴     7.461 × 10⁻⁴
10⁸                           1.001 × 10⁻⁴     9.666 × 10⁻⁵

For the time interval 150 , t , 4 3 106 s, which generally covers the time span of interest for this transient, Shure suggests the following approximate analytical expression for the decay heat for an infinite irradiation time, valid with a maximum error of 5%: MðN; tÞ 5 13:01t20:2834

(A2.28)

where M is the percentage of operating power and t is time (s). Table A2.2 lists for various times the total decay power as a fraction of operating power (practically infinite time) according to ANS (1994) and ISO (1992). The decay heat for a finite irradiation time $t_0$, at time t after shutdown, is given by Eq. (A2.29):

$$M(t_0, t) = M(\infty, t) - M(\infty, t + t_0) \tag{A2.29}$$

The decay heat of uranium-239 is an important fraction of the total decay heat. It is directly proportional to the initial conversion ratio of the core. For a conversion ratio equal to 0.5, to an approximation of about 15%, the approximate law [Eq. (A2.30)] holds for the total power within the interval $10^2 < t < 3 \times 10^5$ s after shutdown (i.e., from 100 s to about 3.5 days):

$$P_d = 14.9\, t^{-0.278} \tag{A2.30}$$

where $P_d$ is the percentage of the operating power and t is time (s).


As usual Eq. (A2.30) gives the decay heat for an infinite operation time. The power for a finite operation time is given by Eq. (A2.31):

$$P_d(t_0, t) = P_d(\infty, t) - P_d(\infty, t + t_0) \tag{A2.31}$$

The correction $P_d(\infty, t + t_0)$ is not negligible in this type of problem. The expression of the decay heat to be inserted in the program is determined case by case by Eq. (A2.30) or by its equivalent for conversion ratios different from 0.5, and by Eq. (A2.31), on the basis of the value of the core operation time $t_0$. It is advisable to add a safety factor of the order of 1.15-1.20 in order to take into account the errors due to approximate expressions of the type of Eq. (A2.30), the fact that the control rod decay heat has not been taken into account, and so on.
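The decay-heat laws of this section as a runnable check, added here as a Python example (it is not the book's PRESCONT macro): it compares Eq. (A2.28) with Table A2.1, applies the finite-irradiation correction of Eqs. (A2.29) and (A2.31), and evaluates the QD statement of the listing in Section A2.3.12 for its first step. Assumptions of the example: log-log interpolation in Table A2.1, 1 MW = 860,000 Cal/h (so that 1.2 × 143.33 gives the listing's factor 172), P = 1000 MWt for the first-step check because the input sheet is not reproduced on the page, and all function names.

```python
import math

# Table A2.1 (Shure and Dudziak, 1961): time after shutdown (s) -> fission
# product decay power, % of operating power, infinite irradiation.
TABLE_A2_1 = {1e2: 3.3, 1e3: 1.87, 1e4: 0.97, 1e5: 0.48,
              1e6: 0.268, 1e7: 0.121, 1e8: 0.0515}

# Assumed conversion: 1 kWh = 860 kcal (the book's "Cal" is the kilocalorie).
CAL_PER_MIN_PER_MW = 860_000.0 / 60.0


def shure_infinite(t):
    """Eq. (A2.28): M(inf, t) in % of operating power, 150 < t < 4e6 s."""
    if not 150.0 < t < 4.0e6:
        raise ValueError(f"Eq. (A2.28) is not valid at t = {t:g} s")
    return 13.01 * t ** -0.2834


def total_infinite(t):
    """Eq. (A2.30): Pd(inf, t) in % of operating power, conversion ratio 0.5.

    The text quotes 1e2 < t < 3e5 s for about 15% accuracy. No range check
    is made because the listing applies the law from the first half step.
    """
    return 14.9 * t ** -0.278


def table_infinite(t):
    """M(inf, t) by log-log interpolation in Table A2.1 (assumed rule)."""
    pts = sorted(TABLE_A2_1.items())
    if not pts[0][0] <= t <= pts[-1][0]:
        raise ValueError(f"t = {t:g} s is outside Table A2.1")
    for (t_lo, m_lo), (t_hi, m_hi) in zip(pts, pts[1:]):
        if t <= t_hi:
            slope = math.log(m_hi / m_lo) / math.log(t_hi / t_lo)
            return m_lo * (t / t_lo) ** slope


def finite_irradiation(law, t0, t):
    """Eqs. (A2.29) and (A2.31): law(t0, t) = law(inf, t) - law(inf, t + t0)."""
    return law(t) - law(t + t0)


def shure_errors():
    """Relative error of Eq. (A2.28) at the Table A2.1 points it covers."""
    errors = {}
    for t, tabulated in TABLE_A2_1.items():
        try:
            errors[t] = shure_infinite(t) / tabulated - 1.0
        except ValueError:
            continue  # table point outside the validity interval
    return errors


def step_decay_energy(p_mwt, d_min, t_mid_min, safety=1.2, correction=0.076):
    """Decay energy (Cal) released during one step of d_min minutes.

    Mirrors the QD statement of the PRESCONT listing: Eq. (A2.30) at the
    step midpoint (minutes converted to seconds), minus the constant
    finite-operation term used there (0.076), times the safety factor.
    """
    percent = total_infinite(60.0 * t_mid_min) - correction
    return safety * CAL_PER_MIN_PER_MW / 100.0 * p_mwt * d_min * percent


if __name__ == "__main__":
    for t, err in sorted(shure_errors().items()):
        print(f"t = {t:9.0f} s   Eq. (A2.28) vs Table A2.1: {100 * err:+.2f}%")
    t0 = 15 * 30.44 * 86400.0  # 15 months of operation, in seconds
    m = finite_irradiation(table_infinite, t0, 1.0e4)
    print(f"M(t0, 1e4 s) = {m:.3f}% against {table_infinite(1.0e4):.3f}% "
          "for infinite irradiation")
    print(f"QD, first step = {step_decay_energy(1000.0, 1.0, 0.5):,.0f} Cal")
```

With P = 1000 MWt and D = 1 min the last line agrees with the QD value printed for the first calculation step in Section A2.3.12.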

A2.3.8 HEAT REMOVED BY THE SPRAY SYSTEM INTERNAL TO THE CONTAINMENT

If the mechanical work for the introduction of water into the containment is neglected (a reasonable assumption), the energy absorbed by the sprayed cold water in the interval Δτ will be that necessary to bring the specific internal energy of the water from the value $u_0$ (Cal/kg) pertinent to cold water to the value u pertinent to the steam-water system present in the containment. Thus Eq. (A2.32) follows:

$$Q_{si} = G_{si}\,(u - u_0)\,\Delta\tau \tag{A2.32}$$

where $G_{si}$ is the weight flow rate of the internal spray system (kg/min) and $Q_{si}$ is the heat absorbed by the internal spray (Cal). In order to use Eq. (A2.32) in the program it is necessary to use an analytical expression of the internal energy, u, of the steam-water mixture as a function of the total volume, V (m³), its weight and the partial pressure of the steam or temperature as given in Section A2.2.

A2.3.9 SOLAR HEAT

The solar heat contribution is not negligible in this problem and must, therefore, in general, be included in the calculation. The solar heat impinging on a surface outside the terrestrial atmosphere and normal to the direction of the solar beams, at the average distance from the Earth, is 20 Cal/(m² min) (mean solar constant). This value undergoes a maximum variation of ±3.5% during the year because of the variation of the distance between the Earth and the Sun. In order to evaluate which part of the mean solar constant is absorbed by a surface at ground level it is necessary to evaluate the effects of the inclination of the surface, the latitude, and the Sun's declination, as well as of the transparency of the atmosphere and the surface reflection. In a conservative evaluation and on the basis of data in MARKS (1958), pp. 12-114, the following multiplication factors can be assumed in order to take into account the aforementioned effects at about 43 degrees of latitude North (readers will insert a latitude of their interest here).

For the surface inclination, the latitude, the Sun's inclination, and the distance of the Sun from the Earth:

$$f_1 = 0.4 \times 0.965 = 0.386 \tag{A2.33}$$

where 0.4 is the nondimensional coefficient for the surface inclination and latitude and 0.965 is the nondimensional coefficient for the distance of the Sun from the Earth. For the transparency of the atmosphere:

$$f_2 = 0.6 \tag{A2.34}$$

If the area of the containment surface exposed to the Sun is indicated with $S_{cs}$ (m²) and the conservative assumption of a unit absorption coefficient of the surface is made, it is possible to calculate the heat absorbed in one minute by the containment by Eq. (A2.35):

$$Q_{cs} = 20 \times f_1 \times f_2 \times S_{cs} = 4.63\, S_{cs}\ \text{Cal/min} \tag{A2.35}$$

A2.3.10 THERMAL BALANCE IN THE INTERVAL Δτ

The variation of the internal atmosphere temperature of the containment, $\Delta T_m$, in the time interval Δτ, can be evaluated on the basis of the heat quantities exchanged by it [see Eqs. (A2.11), (A2.16), (A2.17), (A2.19), (A2.21), (A2.31), and (A2.32)] by the expression:

$$\Delta T_m = \frac{\Sigma Q}{W} = \frac{Q_d + Q_{mc} - Q_{co} - Q_{mf} - Q_c - Q_{si}}{W} \tag{A2.36}$$

where $Q_d$ comes from Eq. (A2.31) and W is the thermal capacity of the gas-vapor mixture inside the containment (air, water, steam) and can be expressed with sufficient approximation by Eq. (A2.37):

$$W = C_a + P_{H_2O} + V\left(0.002\, T_m^2 - 0.185\, T_m + 6.05\right)\ \text{Cal/°C} \tag{A2.37}$$

where $C_a$ represents the constant volume thermal capacity of the containment air (Cal/°C), which is assumed to be constant during the transient, $P_{H_2O}$ is the total steam-water weight (kg), which is constant only if the internal spray is not operating, and V is the free volume of the containment (m³). The initial conditions for the subsequent interval will then be calculated by Eqs. (A2.12), (A2.18), (A2.20), (A2.22)-(A2.24).

A2.3.11 CONSIDERATIONS ON THE PERFORMANCE OF THE CALCULATION AND ON THE CHOICE OF THE INPUT DATA

When performing this type of calculation it must be remembered that the transient is very sensitive to relatively small errors in the heat amounts. This is due to the fact that in Eq. (A2.36) the effective heat quantity ΣQ is small in comparison with most of the other terms and, therefore, a relatively small error in one of them introduces a large error in ΣQ and therefore in ΔT. This is particularly true in those cases where spray systems are not operating and during a long transient, that is, in those cases where the variation of temperature and pressure with time is slow. Table A2.3 lists the values of ΣQ and the values of the various heat quantities as a percentage of ΣQ for values of the time after the occurrence of the accident in a case of this type. This situation demands an extremely attentive determination of the input data in the calculation (heat exchange coefficients, area of the surfaces exposed to the atmosphere, and so on) to ensure that the various heat quantities exchanged by the mixture are evaluated in a conservative way. The following looks at some input data for the calculation whose determination is usually uncertain.

Table A2.3 Heat Rates From Various Sources

Time After the Accident    ΣQ (Cal/h)    Qd (%)    Qmc (%)    Qmf (%)    Qc (%)    Qco (%)
30 min                     -2900         2900      31         34         2600      480
2 h                        3380          1680      26         13         1300      300
10 h                       2180          1500      36         11         990       500
1 day                      1730          1500      37         9.5        720       700
3 days                     264           6700      135        7.3        1660      5000

A2.3.11.1 Heat Transfer Coefficients

As far as the heat transfer coefficient between the air-steam mixture in condensation and the various surfaces exposed to it is concerned, various theoretical (Jakob, 1962; McAdams, 1985) and experimental (Kolflat and Chittenden, 1957; Goodwin, 1958; Jubb, 1959; Leardini et al., 1961; Leardini and Cadeddu, 1961; Uchida et al., 1964) studies exist. A value normally accepted for operational water reactors (initial peak overpressure of some bars) is 200 Cal/(m² h °C), at least as long as the pressure stays at high values, that is, as long as the percentage of steam in the containment is significant. In the first instants after the accident the heat transfer coefficient is likely to be higher than the indicated value, by as much as a factor of 10, because of the motion of the air and steam mixture due to the efflux from the reactor pressure boundary.

The influence on the transient of the value given to the heat exchange coefficient between the air-vapor mixture and the walls is limited by the fact that generally the walls are covered by paint layers whose resistance has, on the basis of the current evaluations, a value of the order of that of the mixture-paint resistance. Moreover, this fact demonstrates the importance of carefully evaluating the thermal resistance of the paint layers in addition to that of the transmission coefficient between mixture and paints.

As far as the heat transmission coefficient from the containment outside surface to the atmosphere in the absence of external spray is concerned, it is worthwhile remembering that the contribution of radiation is important. The coefficient values usually range from 5 to 20 Cal/(m² h °C) according to the building layout adopted. If the external spray is supposed to operate, the transmission coefficient between paint and spray water is of the order of 500-5000 Cal/(m² h °C).

A2.3.11.2 Choice of the Length of the Time Step and of the Thickness of the Concrete Layers, ΔX

A series of tests performed in a typical case has shown that a maximum acceptable value of the step Δτ is about one minute. If a step 10 times shorter is used no important differences are noted, while with a step 10 times longer the transient is completely wrong. The choice of the thickness, ΔX, of the concrete layers does not appear as critical as that of Δτ. Indeed, once the necessary stability condition [Eq. (A2.27)] is satisfied with a certain margin, for example putting $M \sim 2(2N + 2)$, the transient is not very sensitive to the value of ΔX, especially after the first hours from the start of the accident. Hence, if only the long-term transient is of interest, the layers in which the concrete is subdivided can also be very thick.

A2.3.12 EXAMPLE CALCULATION

This section describes the sample VBA (Visual Basic for Applications) macro PRESCONT for use with a Microsoft Excel 97 spreadsheet which is available on the Mendeley website (file CONTPRESSURE). A simple containment example is examined without internal or external spray. The decay heat corresponds to a conversion factor of 0.5 [Eq. (A2.30)], an operation time of 15 months and a safety factor of 1.2. Three groups of concrete slabs are considered which can be subdivided for the calculation into a maximum number of 630, 160, and 100 layers. The absolute pressure in the containment before the accident is 1 kg/cm². The input data are:

C6 (Cal/°C): Thermal capacity of cold metals
C10 (Cal/°C): Thermal capacity of metal containment wall
CAP (Cal/°C): Total thermal capacity of air in the containment
CM and CN: Nondimensional constants of the concrete [see Eqs. (A2.25) and (A2.26)]
CMC (Cal/°C): Thermal capacity of hot metals
D (min): Calculation time step
H1 (Cal/m² min °C): Transmission coefficient between mixture and containment metal
H2 (Cal/m² min °C): Transmission coefficient between the containment metal and external air
HC (Cal/m² min °C): Transmission coefficient between mixture and concrete slabs
HMC (Cal/m² min °C): Transmission coefficient between hot metals and the mixture
HMF (Cal/m² min °C): Transmission coefficient between cold metals and mixture
IC: Number of layers in the first group of concrete slabs
ICM: Number of layers in the second group of concrete slabs
ICN: Number of layers in the third group of concrete slabs
P (MWt): Steady thermal power of reactor
PH2O (kg): Weight of water released by the break
QS (Cal/min): Solar thermal power absorbed by the metal surface of the containment
SC (m²): Containment surface area exposed internally to the mixture and externally to air
SCC (m²): Surface area of first group of concrete slabs
SCCM (m²): Surface area of second group of concrete slabs
SCCN (m²): Surface area of third group of concrete slabs
SMC (m²): Hot metal surface area
SMF (m²): Cold metal surface area
T (s): Current time
TA (°C): Containment atmosphere temperature before accident
TE (°C): Temperature of the external air
TF (min): Time after rupture at which transient calculation is terminated
TM (°C): Initial temperature of the containment mixture after efflux
TMC (°C): Hot metals initial temperature
V (m³): Internal free volume of the containment


The results of the first calculation step for this example are:

The containment pressure, PR (kg/cm²) = 1.996362
The heat exchanged with the concrete of the first group, QC (Cal) = 146,666.8
The heat exchanged with the concrete of the second group, QCM (Cal) = 1,925,000
The heat exchanged with the concrete of the third group, QCN (Cal) = 1,925,000
The heat exchanged by the mixture toward the outside through the containment, QCO (Cal) = 1,466,663.8
The decay heat, QD (Cal) = 982,505.35
The heat exchanged by the mixture with hot metals, QMC (Cal) = 66,500
The heat exchanged with the cold metals, QMF (Cal) = 502,030.25
The current time, T (s) = 1
The temperature of the containment metal, TCO (°C) = 32.059002
The temperature of the first layer of the first concrete group, TC1 (°C) = 52.380951
The temperature of the first layer of the second concrete group, TCM(1) (°C) = 52.380951
The temperature of the first layer of the third concrete group, TCN(1) (°C) = 52.380951
The temperature of the mixture, TM1 (°C) = 91.952075
The temperature of the hot metals, TMC (°C) = 298.1
The temperature of the cold metals, TMF (°C) = 50.101512

The program listing follows.

    Sub PRESCONT()
        ' Layer temperatures of the three groups of concrete slabs (TC, TCM, TCN)
        ' and work arrays holding the values for the next step (TCC, TCCM, TCCN)
        Dim TC(630) As Single
        Dim TCC(630) As Single
        Dim TCM(160) As Single
        Dim TCCM(160) As Single
        Dim TCN(100) As Single
        Dim TCCN(100) As Single
        J = 1
        T = 0
        TA = Range("$f$2")
        ' IC, ICM and ICN are read from the sheet only further down. Undeclared
        ' VBA variables start as Empty (0), so on a fresh run these three loops
        ' do not execute and the layer arrays keep their default value of 0.
        For I = 1 To IC
            TC(I) = TA
        Next I
        For I = 1 To ICM
            TCM(I) = TA
        Next I
        For I = 1 To ICN
            TCN(I) = TA
        Next I
        TE = Range("$h$2")
        TCO = (TA + TE) / 2
        TMF = TA
        H1 = Range("$d$5")
        H2 = Range("$f$5")
        SC = Range("$h$5")
        D = Range("$d$4")
        C1 = H1 * H2 * SC * D / (H1 + H2)
        C10 = Range("$b$10")
        C2 = H1 * C10 / (H1 + H2)
        C3 = SC * (H1 + H2) / C10
        H3 = H1 + H2
        CMC = Range("$h$6")
        CM = CMC / D
        CAP = Range("$h$3")
        PH2 = Range("$f$3")
        TM = Range("$d$2")
        V = Range("$d$3")
        ' Initial hot-metal temperature, read once before the time loop so that
        ' the cooling computed in each step carries over to the next one
        TMC = Range("$b$3")
    ProgramStart:
        ' Thermal capacity of the mixture
        W = CAP + PH2 + (0.0022 * TM ^ 2 - 0.185 * TM + 6.05) * V
        ' Heat exchanged toward the outside through the containment metal
        QS = Range("$b$4")
        QCC = C1 * (TM - TE) - H1 * D / H3 * QS
        QCO = QCC + C2 * (TCO - (H1 * TM + H2 * TE + QS / SC) / H3) * (Exp(-C3 * D) - 1)
        ' Heat exchanged with hot metals, cold metals and the three concrete groups
        C4 = Range("$f$6")
        QMC = C4 * (TMC - TM) * D
        C6 = Range("$d$7")
        C7 = Range("$b$8")
        QMF = C6 * (TM - TMF) * (1 - Exp(-C7 * D))
        C8 = Range("$h$8")
        QC = C8 * (TM - TC(1)) * D
        C9 = Range("$d$9")
        QCM = C9 * (TM - TCM(1)) * D
        C11 = Range("$h$9")
        QCN = C11 * (TM - TCN(1)) * D
        ' Decay heat evaluated at the midpoint of the step
        T = T + D / 2
        P = Range("$b$2")
        QD = 172 * P * D * (14.9 * (60 * T) ^ (-0.278) - 0.076)
        ' Thermal balance of the mixture and new temperatures of the metals
        TM1 = TM - (QC + QCM + QCN + QCO + QMF - QMC - QD) / W
        TCCO = (TCO - (H1 * TM + H2 * TE + QS / SC) / H3) * Exp(-C3 * D) + (H1 * TM + H2 * TE + QS / SC) / H3
        C5 = Range("$b$7")
        TMC = TMC - C5 * (TMC - TM) * D
        TMF = TM - (TM - TMF) * Exp(-C7 * D)
        ' Explicit update of the concrete layers, first group
        CN = Range("$f$4")
        CM = Range("$H$4")
        TCC(1) = 2 * CN / CM * TM + (CM - 2 * CN - 2) / CM * TC(1) + 2 / CM * TC(2)
        Id = Range("$d$11")
        For I = 2 To Id
            TCC(I) = TC(I - 1) / CM + (CM - 2) / CM * TC(I) + TC(I + 1) / CM
        Next I
        IC = Range("$f$10")
        TCC(IC) = TC(Id) / CM + (CM - 1) / CM * TC(IC)
        ' Second group
        TCCM(1) = 2 * CN / CM * TM + (CM - 2 * CN - 2) / CM * TCM(1) + 2 / CM * TCM(2)
        Idm = Range("$f$11")
        For I = 2 To Idm
            TCCM(I) = TCM(I - 1) / CM + (CM - 2) / CM * TCM(I) + TCM(I + 1) / CM
        Next I
        ICM = Range("$h$10")
        TCCM(ICM) = TCM(Idm) / CM + (CM - 1) / CM * TCM(ICM)
        ' Third group
        TCCN(1) = 2 * CN / CM * TM + (CM - 2 * CN - 2) / CM * TCN(1) + 2 / CM * TCN(2)
        Idn = Range("$b$12")
        For I = 2 To Idn
            TCCN(I) = TCN(I - 1) / CM + (CM - 2) / CM * TCN(I) + TCN(I + 1) / CM
        Next I
        ICN = Range("$b$11")
        TCCN(ICN) = TCN(Idn) / CM + (CM - 1) / CM * TCN(ICN)
        ' Copy the new layer temperatures back for the next step
        For I = 1 To IC
            TC(I) = TCC(I)
        Next I
        For I = 1 To ICM
            TCM(I) = TCCM(I)
        Next I
        For I = 1 To ICN
            TCN(I) = TCCN(I)
        Next I
        TCO = TCCO
        ' Containment pressure: steam saturation pressure plus air partial pressure
        PA = (TM1 + 273) / (TA + 273)
        PR = 10 ^ (17.457 - 2795 / (TM1 + 273) - 1.6799 * Log(TM1 + 273)) + PA
        T = T + D / 2
        ' Write the results of this step to the sheet (five rows per step)
        Range("b" & (J * 5 + 15)) = T
        Range("d" & (J * 5 + 15)) = TM1
        Range("f" & (J * 5 + 15)) = PR
        Range("h" & (J * 5 + 15)) = QD
        Range("b" & (J * 5 + 16)) = QCO
        Range("d" & (J * 5 + 16)) = TCO
        Range("f" & (J * 5 + 16)) = QMC
        Range("h" & (J * 5 + 16)) = TMC
        Range("b" & (J * 5 + 17)) = QMF
        Range("d" & (J * 5 + 17)) = TMF
        Range("f" & (J * 5 + 17)) = QC
        Range("h" & (J * 5 + 17)) = TC(1)
        Range("b" & (J * 5 + 18)) = QCM
        Range("d" & (J * 5 + 18)) = TCM(1)
        Range("f" & (J * 5 + 18)) = QCN
        Range("h" & (J * 5 + 18)) = TCN(1)
        TM = TM1
        J = J + 1
        If T < Range("$d$10") Then
            GoTo ProgramStart
        End If
    End Sub

If the program crashes for specific cases, it is useful to repeat the calculation using a shorter value of the time step, D. This program can be easily adapted to other cases, for example, by the inclusion of an external and internal spray, activated for a preselected time and duration or by the presence of a second containment.
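The concrete-layer update of the PRESCONT listing and the time-step sensitivity described in Section A2.3.11.2, as an added Python example (not the book's code). It assumes the usual definitions M = ΔX²/(aΔτ) and N = hΔX/k, so that a step 10 times longer divides M by 10, takes M ≥ 2N + 2 as the stability condition, and uses constructed values (20 layers, mixture held at 100 °C, concrete initially at 25 °C); function names are this example's own.

```python
def is_stable(cm, cn):
    """Stability test assumed here: M >= 2N + 2, so that the weight of the
    surface layer's own temperature in the update is not negative."""
    return cm >= 2.0 * cn + 2.0


def rescale_time_step(cm, factor):
    """M after multiplying the time step by `factor` (assumes M ~ 1/step)."""
    return cm / factor


def step_layers(tc, tm, cm, cn):
    """One explicit step for a slab whose first layer faces the mixture.

    Same three formulas as the listing: surface layer, interior layers,
    last layer (no heat flow through the back face).
    """
    n = len(tc)
    new = [0.0] * n
    new[0] = 2 * cn / cm * tm + (cm - 2 * cn - 2) / cm * tc[0] + 2 / cm * tc[1]
    for i in range(1, n - 1):
        new[i] = tc[i - 1] / cm + (cm - 2) / cm * tc[i] + tc[i + 1] / cm
    new[n - 1] = tc[n - 2] / cm + (cm - 1) / cm * tc[n - 1]
    return new


def simulate(cm, cn, steps, layers=20, tm=100.0, t_init=25.0):
    """Run `steps` updates with the mixture held at `tm`.

    Returns (surface-layer temperature at the end, largest |T| seen in
    any layer), the second value exposing a diverging calculation.
    """
    tc = [t_init] * layers
    peak = abs(t_init)
    for _ in range(steps):
        tc = step_layers(tc, tm, cm, cn)
        peak = max(peak, max(abs(x) for x in tc))
    return tc[0], peak


if __name__ == "__main__":
    cn = 1.0
    cm = 2.0 * (2.0 * cn + 2.0)  # margin suggested in the text: M ~ 2(2N + 2)
    # The same physical time is covered by 60, 600 and 6 steps respectively.
    cases = [("reference step", cm, 60),
             ("step 10 times shorter", rescale_time_step(cm, 0.1), 600),
             ("step 10 times longer", rescale_time_step(cm, 10.0), 6)]
    for label, m, steps in cases:
        surface, peak = simulate(m, cn, steps)
        print(f"{label:22s} M = {m:5.1f}  stable = {is_stable(m, cn)!s:5s}  "
              f"surface T = {surface:12.2f} C  max |T| = {peak:12.2f} C")
```

With the longer step the surface layer already overshoots the mixture temperature after the first update and then oscillates with growing amplitude, which is the behaviour a shorter D removes.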

REFERENCES

ANS, 1994. Decay Heat Power in Light Water Reactors. ANSI/ANS-5.1-1994, American Nuclear Society, IL, United States.
CNEN, 1976. Raccolta di formulazioni delle proprietà termodinamiche e del trasporto dell'acqua, Comitato Nazionale per l'Energia Nucleare, SATN-1-76, DISP/CENTR, August 1976.
Goodwin, W.W., 1958. Pressure Build-up in a Container Following a Loss of Coolant Accident. ANS Meeting, June.
ISO, 1992. Nuclear energy - light water reactors: calculation of the decay heat power in nuclear fuels. ISO 10645.
Jakob, M., 1962. Heat Transfer. Wiley, New York.
Jubb, D.H., 1959. Condensation in a reactor containment vessel. Nucl. Eng. December.
Kolflat, A., Chittenden, W.A., 1957. A new approach to the design of containment shells for atomic power plants. 19th Annual American Power Conference.
Leardini, I., Cadeddu, M., 1961. Caverns as nuclear power reactor containers. Energ. Nucl. February.
Leardini, I., Cadeddu, M., Schiavoni, M., 1961. Tests on a cavern for the determination of temperature and pressure transients in a case simulating a major loss of coolant-type reactor accident. Energ. Nucl. February.
MARKS, L.S., 1958. Mark's Mechanical Engineers Handbook. McGraw-Hill.
McAdams, W., 1985. Heat Transmission. R.E. Krieger Pub. Co, USA.
Shure, K., Dudziak, J., 1961. Calculating Energy Released by Fission Products, WAPD-T-1309. Bettis Atomic Power Laboratory, Pittsburgh, PN, United States.
Uchida, H., Oyama, A., Togo, Y., 1964. Evaluation of Post-incident Cooling Systems of Light Water Power Reactors. A/Conf. 28/P/436, Geneva 1964 Conference on Peaceful Uses of Atomic Energy, UNO, Geneva, 1964.

APPENDIX 3 TABLE OF SAFETY CRITERIA

Table A3.1 is intended to serve as a memo for the content of four of the general design criteria for nuclear plants, thought to be rather representative of the overall picture. The first column of the table contains the complete list of the IAEA criteria, which are rather recent and, therefore, complete.


Table A3.1 Safety Criteria

IAEA SSR-2/1 (Rev.1) (2016)
INTRODUCTION
Background (1.1-1.3)
Objective (1.4-1.5)
Scope (1.6-1.8)
Structure (1.9)
APPLYING THE SAFETY PRINCIPLES AND CONCEPTS (2.1-2.5)
Radiation protection in design (2.6-2.7)
Safety in design (2.8-2.11)
The concept of defense-in-depth (2.12-2.14) ("cliff edge")
Maintaining the integrity of design of the plant throughout the lifetime of the plant (2.15-2.18)
MANAGEMENT OF SAFETY IN DESIGN
Requirement 1: Responsibilities in the management of safety in plant design (3.1)
Requirement 2: Management system for plant design (3.2-3.4)
Requirement 3: safety of the plant design throughout the lifetime of the plant (3.5-3.6)
4. PRINCIPAL TECHNICAL REQUIREMENTS
Requirement 4: fundamental safety functions (4.1-4.2)
Requirement 5: Radiation protection in design (4.3-4.4)
Requirement 6: Design for a nuclear power plant (4.5-4.8) ("cliff edge")
Requirement 7: application of defense-in-depth (4.9-4.13A) ("cliff edge")
Requirement 8: Interfaces of safety with security and safeguards
Requirement 9: proven engineering practices (4.14-4.16)
Requirement 10: safety assessment (4.17-4.18)
Requirement 11: provision for construction (4.19)
Requirement 12: features to facilitate radioactive waste management and decommissioning (4.20)
GENERAL PLANT DESIGN
Design basis
Requirement 13: categories of plant states (5.1-5.2)
Requirement 14: design basis for items important to safety (5.3)
Requirement 15: design limits (5.4)
Requirement 16: postulated initiating events (5.5-5.15)
Requirement 17: internal and external hazards (5.15A-5.22) ("cliff edge")
Requirement 18: engineering design rules (5.23)
Requirement 19: design basis accidents (5.24-5.26)
Requirement 20: Design extension conditions (5.27-5.32)
Requirement 21: physical separation and independence of safety systems (5.33)
Requirement 22: safety classification (5.34-5.36)
Requirement 23: reliability of items important to safety (5.37-5.38)
Requirement 24: common cause failures
Requirement 25: single failure criterion (5.39-5.40)
Requirement 26: fail-safe design (5.41)
Requirement: support service systems (5.42-5.43)
Requirement 28: operational limits and conditions for safe operation (5.44)
Design for safe operation over the lifetime of the plant
Requirement 29: calibration, testing, maintenance, repair, replacement, inspection, and monitoring of items important to safety (5.45-5.47)
Requirement 30: qualification of items important to safety (5.48-5.50)
Requirement 31: aging management (5.51-5.52)
Human factors
Requirement 32: design for optimal operator performance (5.53-5.62)

EUR (2016)
2.1.1 GENERAL SAFETY REQUIREMENTS
2.1.1.1 General safety objectives
2.1.1.2 Fundamental safety functions
2.1.1.3 Physical barriers
2.1.1.4 Application of Defense-in-Depth
2.1.2 DESIGN CONDITIONS
2.1.2.1 Plant states
2.1.2.2 Postulated initiating events
2.1.2.3 Design basis accidents
2.1.2.4 Design extension conditions
2.1.2.4.1 Complex sequences
2.1.2.4.2 Severe accidents
2.1.2.4.3 Severe accident in-containment source term quantification
2.1.2.4.3.1 General approach to the in-containment source term
2.1.2.4.3.2 Reference source term
2.1.2.4.3.3 Required applications of RST
2.1.2.4.3.4 PSA evaluation of source term
2.1.2.5 Practical elimination
2.1.2.6 Internal and external hazards
2.1.2.6.1 Consideration of internal hazards
2.1.2.6.2 Identification of external hazards
2.1.2.6.2.1 Identification of external hazards for standard design
2.1.2.6.2.1.1 Accidental aircraft crash
2.1.2.6.2.2 Identification of external hazards for site-specific evaluation
2.1.2.6.3 Screening for site-specific evaluation
2.1.2.6.3.1 Determination of external hazard parameters for site-specific design
2.1.2.6.4 External hazard design rules for standard design and site-specific design
2.1.3 QUANTITATIVE SAFETY OBJECTIVES
2.1.3.1 Overall approach to targets
2.1.3.2 Radiological impact during normal operation and incident conditions
2.1.3.2.1 Radioactive discharge criteria
2.1.3.2.2 Doses to the public during normal operation and anticipated operational occurrences
2.1.3.2.3 Operational staff doses during normal operation and anticipated operational occurrences
2.1.3.3 Safety objectives and offsite release targets for accidents without core melt
2.1.3.4 Safety objectives and offsite release targets for accidents with core melt
2.1.3.5 Probabilistic safety targets
2.1.4 SAFETY ANALYSIS
2.1.4.1 General
2.1.4.2 Deterministic safety analysis
2.1.4.2.1 General
2.1.4.2.2 Rules for deterministic safety analysis
2.1.4.2.3 Deterministic safety analysis methodologies
2.1.4.3 Probabilistic safety analysis
2.1.5 SAFETY CLASSIFICATION
2.1.5.1 Categorization of safety functions and classification of SSCs
2.1.5.1.1 Introduction
2.1.5.1.2 Categories of safety functions
2.1.5.1.2.1 Safety category 1 functions
2.1.5.1.2.2 Safety category 2 functions
2.1.5.1.2.3 Safety category 3 functions
2.1.5.1.3 Design provisions
2.1.5.1.4 Assignment of a safety class to SSCs
2.1.5.1.5 Requirements on SSCs according to safety class
2.1.5.1.6 Classification of SSCs according to the design and construction codes
2.1.5.1.7 Environmental condition resistance levels
2.1.5.1.7.1 Requirements for hazards and environmental conditions resistance
2.1.5.1.7.1.1 Environmental condition resistance level 1
2.1.5.1.7.1.2 Environmental condition resistance level 2
2.1.5.1.7.1.3 Environmental condition resistance level S
2.1.5.1.7.1.4 Environmental condition resistance level N
2.1.6 ENGINEERING DESIGN REQUIREMENTS
2.1.6.1 General
2.1.6.2 Design limits
2.1.6.3 Resilience to failures
2.1.6.3.1 Single failure criteria
2.1.6.3.1.1 Redundancy
2.1.6.3.2 Common cause failures
2.1.6.3.2.1 Independence
2.1.6.3.2.2 Functional isolation
2.1.6.3.2.3 Diversity
2.1.6.4 Reliability of items important to safety
2.1.6.5 Fail-safe design
2.1.6.6 Sharing of SSCs between units
2.1.6.7 Autonomy objectives
2.1.6.7.1 Autonomy objectives in respect of operators and plant personnel
2.1.6.7.1.1 Autonomy objectives in respect of nonpermanent equipment
2.1.6.7.2 Autonomy objectives in respect of ultimate heat sink
2.1.6.7.3 Autonomy objectives in respect of power supply systems
2.1.6.7.4 Compressed air
2.1.6.7.5 Autonomy objectives in respect of MCR
2.1.6.8 Nonpermanent equipment
2.1.6.8.1 Scope
2.1.6.8.2 General
2.1.6.8.3 Onsite nonpermanent equipment
2.1.6.8.4 Offsite nonpermanent equipment
2.1.6.8.5 Connection points for nonpermanent equipment
2.1.6.8.6 Rules for consideration of nonpermanent equipment in the safety analysis
2.1.6.8.7 Role of nonpermanent equipment with regard to plant robustness
2.1.7 DESIGN OF SPECIFIC SYSTEMS E-00
2.1.7.1 Reactor core E-00
2.1.7.1.1 Performance of fuel elements and assemblies E-00
2.1.7.1.1.1 Fuel limits in normal operation E-00
2.1.7.1.1.2 Fuel limits in anticipated operational occurrences E-00
2.1.7.1.1.3 Fuel limits in design basis accidents E-00
2.1.7.1.2 Structural capability of the reactor core E-00
2.1.7.1.3 Control of reactor core E-00
2.1.7.1.4 Reactor shutdown E-00
2.1.7.1.4.1 Anticipated transients without scram (ATWS) E-00
2.1.7.2 Reactor coolant systems E-00
2.1.7.2.1 Design of reactor coolant systems E-00

US General Design Criteria (1971)
I. OVERALL REQUIREMENTS
Criterion 1: Quality standards and records
Criterion 2: Design bases for protection against natural phenomena
Criterion 3: Fire protection
Criterion 4: Environmental and dynamic effects design bases
Criterion 5: Sharing of structures, systems, and components
II. PROTECTION BY MULTIPLE FISSION PRODUCT BARRIERS
Criterion 10: Reactor design
Criterion 11: Reactor inherent protection
Criterion 12: Suppression of reactor power oscillations
Criterion 13: Instrumentation and control
Criterion 14: Reactor coolant pressure boundary
Criterion 15: Reactor coolant system design
Criterion 16: Containment design
Criterion 17: Electric power systems
Criterion 18: Inspection and testing of electric power systems
Criterion 19: Control room
III. PROTECTION AND REACTIVITY CONTROL SYSTEMS
Criterion 20: Protection system functions
Criterion 21: Protection system reliability and testability
Criterion 22: Protection system independence
Criterion 23: Protection system failure modes
Criterion 24: Separation of protection and control systems
Criterion 25: Protection system requirements for reactivity control malfunctions
Criterion 26: Reactivity control system redundancy and capability
Criterion 27: Combined reactivity control system capability
Criterion 28: Reactivity limits
Criterion 29: Protection against anticipated operational occurrences
IV. FLUID SYSTEMS
Criterion 30: Quality of reactor coolant pressure boundary
Criterion 31: Fracture prevention of reactor coolant pressure boundary
Criterion 32: Inspection of reactor coolant pressure boundary
Criterion 33: Reactor coolant makeup
Criterion 34: Residual heat removal
Criterion 35: Emergency core cooling
Criterion 36: Inspection of containment heat removal system
Criterion 37: Testing of emergency cooling system
Criterion 38: Containment heat removal
Criterion 39: Inspection of containment removal system
Criterion 40: Testing of containment heat removal system
Criterion 41: Containment atmosphere cleanup
Criterion 42: Inspection of containment atmosphere cleanup system
Criterion 43: Testing of containment atmosphere cleanup system
Criterion 44: Cooling water

OPB 88/97 (1997)
Main terms and definitions
Main regulations
Basic criteria and principles of ensuring safety
Classification of systems and elements
Safety classes of NPP elements: 1-4
State supervision for ensuring NPP safety
Basic principles in design
General requirements
Priority to passive systems
Core design
Reactor coolant circuit
Control of processes
Protection safety systems
Localizing safety systems
Support safety systems
Nuclear fuel and radioactive waste storage system
Ensuring safety of NPP in operation
Organization of operation and operational documentation
Commissioning
Selection and training of operational personnel
Radiation safety in operation
Emergency planning on protection of personnel and population in case of accidents and accident management
NPP decommissioning

Notes
In general, in IAEA and in EUR much more general safety philosophy is included. GDC goes sometimes into more detail.
Many safety issues are dealt with in chapters of EUR different from 2.1, Safety requirements (e.g., Ch. 2.8.1.1: principal safety functions).
EUR uses the expression "design extension conditions" that corresponds either to "complex sequences" or to "severe accidents".
EUR are very complete and quantitative in defining the various safety and radiation protection objectives.
In IAEA the MANAGEMENT RESPONSIBILITY also includes safety culture.
Research is not mentioned as a support to design choices in IAEA and EUR criteria.
GDC do not mention a safety classification.
EUR allows for considerations of "leak before break" and for "break preclusion".
In IAEA the single failure criterion is formulated in a general and articulate way; in GDC it is specifically inserted in various criteria.
The concept of "fail safe" is inserted in Criterion GDC 23 (protection system).
In GDC no mention is made of possible interaction of systems in general (electric power only is treated).
Design for decommissioning is dealt with in IAEA but not in GDC.
No mention is made of probabilistic approach in GDC.
In IAEA, severe accidents are dealt with as a consideration.
In GDC more detail is included on isolation valve systems.
In IAEA the problem of compartment pressurization is dealt with.
IAEA requires consideration of containment cooling for severe accidents also. GDC does not consider this subject.
In GDC, the auxiliary control room is required even if accomplished in various locations. In IAEA, a supplementary room is preferentially indicated.
IAEA mentions the design for radiation protection. GDC does not extensively deal with the radiometric surveillance within the plant.
In GDC the requirement of the negative power coefficient is included.
In GDC, the requirement of the double external line is included.
EUR includes, differently from other compilations, the generic conditions for the choice of the site.
GDC explicitly considers control rod expulsion.
Recommendation of avoiding "cliff edge" (see Chapter 8: The General Approach to the Safety of the Plant Site Complex) situations is put in evidence for IAEA 2016 Requirements (four times in the whole document, as compared with one time only in previous edition (2000) of the same Requirements: an effect of the Fukushima event) and for EUR Revision E (2017).

Table A3.1 Safety Criteria Continued IAEA SSR-2/1 (Rev.1) (2016)

Other design considerations Requirement 33: safety systems, and safety features for design extension conditions, of units of a multiple unit nuclear power plant (5.63) Requirement 34: systems containing fissile material or radioactive material Requirement 35: nuclear power plants used for cogeneration of heat and power, heat generation or desalination Requirement 36: escape routes from the plant (5.64 5.65) Requirement 37: communication systems at the plant (5.66 5.67) Requirement 38: control of access to the plant (5.68) Requirement 39: prevention of unauthorized access to, or interference with, items important to safety

US General Design Criteria (1971)

EUR (2016)

2.1.7.2.2 Overpressure protection of reactor coolant pressure boundary 2.1.7.2.3 Inventory of the reactor coolant E-00 2.1.7.2.4 Cleanup of reactor coolant E-00 2.1.7.2.5 Removal of residual heat from the reactor core E-00 2.1.7.2.6 Emergency cooling of the reactor core E-00 2.1.7.2.7 Heat transfer to an ultimate heat sink E-00 2.1.7.3 Containment E-00 2.1.7.3.1 Containment system for the reactor E-00 2.1.7.3.2 Control of radioactivity release from the containment E-00 2.1.7.3.2.1 Containment bypass accidents E-00 2.1.7.3.3 Isolation of the containment E-00 2.1.7.3.4 Control of containment conditions E-00 2.1.7.4 Instrumentation and control systems E-00 2.1.7.4.1 Provision of instrumentation E-00 2.1.7.4.2 Control systems E-00 2.1.7.4.3 Protection system E-00 2.1.7.4.4 Reliability and testability of instrumentation and control system E-00 2.1.7.4.5 Separation of protection system and control system E-00 2.1.7.4.6 Main control room E-00 2.1.7.4.7 Emergency control room E-00 2.1.7.4.8 Emergency response facilities on the site E-00 2.1.7.5 Electrical power supply in AOO and accident conditions E-00 2.1.7.6 Supporting systems and auxiliary systems E-00 2.1.7.6.1 Performance of supporting systems and auxiliary systems E-00 2.1.7.6.2 Heat transport systems E-00

Criterion 45: Inspection of cooling water system Criterion 46: Testing of cooling water system V. REACTOR CONTAINMENT Criterion 50: Containment design basis Criterion 51: Fracture prevention of containment pressure boundary Criterion 52: Capability for containment leakage rate testing Criterion 53: Provisions for containment testing and inspection Criterion 54: Systems penetrating containment Criterion 55: Reactor coolant pressure boundary penetrating containment Criterion 56: Primary coolant isolation

OPB 88/97 (1997)

Notes

Requirement 40: prevention of harmful interactions of systems important to safety (5.69–5.70) Requirement 41: interactions between the electrical power grid and the plant Safety analysis Requirement 42: safety analysis of the plant design (5.71–5.76). (“cliff edge”) DESIGN OF SPECIFIC PLANT SYSTEMS. Reactor core and associated features Requirement 43: performance of fuel elements and assemblies (6.1–6.3) Requirement 44: structural capability of the reactor core Requirement 45: control of the reactor core (6.4–6.6) Requirement 46: reactor shutdown (6.7–6.12) 39 Reactor coolant systems Requirement 47: design of reactor coolant systems (6.13–6.16) Requirement 48: overpressure protection of the

2.1.7.6.3 Process sampling systems and postaccident sampling systems E-00 2.1.7.6.4 Compressed air systems E-00 2.1.7.6.5 Air-conditioning and ventilation systems E-00 2.1.7.7 Fuel storage and handling systems E-00 2.1.7.7.1 Total loss of spent fuel cooling function E-00 2.1.7.8 Means of radiation monitoring E-00 2.1.7.9 Treatment of radioactive effluents and radioactive waste E-00 2.1.7.9.1 Systems for treatment and control of waste E-00 2.1.7.9.2 Systems for treatment and control of effluents E-00 2.1.8 OTHER CONSIDERATIONS 2.1.8.1 Long-term safety E-00 2.1.8.1.1 Inspection, online monitoring, testing, and maintenance E-00 2.1.8.1.2 Qualification of items important to safety E-00 2.1.8.1.3 Aging management E-00 2.1.8.2 Human factors E-00 2.1.8.3 Security E-00 2.1.8.3.1 General consideration E-00 2.1.8.3.2 Design of physical protection system E-00 2.1.8.3.3 Intentional aircraft crash E-00 2.1.9 TABLES E-00 2.1.9.1 Table 2: Radiological criteria for radioactive releases in normal operation and AOO per unit E-00 2.1.9.2 Table 3: Frequencies and general acceptance criteria for plant states E-00 2.1.9.3 List of hazards E-00 2.1.9.3.1 List of internal and external hazards for standard design E-00 2.1.9.3.2 List of external hazards for site-specific evaluation E-00

Criterion 57: Closed system isolation valves VI. FUEL AND RADIOACTIVITY CONTROL Criterion 60: Environment Criterion 61: Fuel storage and handling and radioactivity control Criterion 62: Prevention of criticality in fuel storage and handling Criterion 63: Monitoring fuel and waste storage Criterion 64: Monitoring radioactive releases


reactor coolant pressure boundary. Requirement 49: Inventory of reactor coolant Requirement 50: cleanup of reactor coolant (6.17) Requirement 51: Removal of residual heat from the reactor core Requirement 52: emergency cooling of the reactor core (6.18–6.19) Requirement 53: Heat transfer to an ultimate heat sink (6.19A–6.19B) Containment structure and containment system Requirement 54: containment system for the reactor. Requirement 55: control of radioactive releases from the containment (6.20–6.21) Requirement 56: Isolation of the containment (6.22–6.24) Requirement 57: access to the

EUR (2016)

2.1.9.4 List of postulated initiating events for PWRs and BWRs E-00 2.1.10 APPENDICES E-00 2.1.A SOURCE TERM AND RELEASE QUANTIFICATION METHODOLOGY FOR DESIGN EXTENSION E-00 2.1.A.1 In-containment source term data D-02 2.1.A.2 Core inventory C-01 2.1.A.3 Reactor coolant activity E-00 2.1.A.4 Gap release D-08 2.1.A.5 Early in-vessel releases D-02 2.1.A.6 Retention in the RCS C-04 2.1.A.7 Releases from the RCS following vessel failure C-04 2.1.A.8 Long-term releases 2.1.A.9 Ex-vessel releases C-10 2.1.A.10 Chemical species grouping C-10 2.1.A.11 Nonradioactive aerosols C-01 2.1.A.12 Aerosol characterization C-01 2.1.A.13 Chemical form C-04 2.1.A.14 Acceptable codes 2.1.A.15 Containment spray D-01 2.1.A.16 Primary containment leak rate D-01 2.1.A.17 Secondary containment D-10 2.1.A.18 Filtering and releases D-09 2.1.A.19 Secondary containment bypass C-05 2.1.B VERIFICATION PROCESS OF THE EUR ENVIRONMENTAL IMPACT TARGETS E-00 2.1.B.1 Introduction E-00 2.1.B.2 Introduction to the EUR methodology E-00 2.1.B.3 Release targets for accidents without core melt – design basis conditions 3 and 4 E-00 2.1.B.3.1 Table B1: DBC3 and 4 release targets for no or only minor offsite radiological impact beyond 800 m from the reactor E-00


containment (6.25–6.26) Requirement 58: control of containment conditions (6.27–6.30) Instrumentation and control systems. Requirement 59: provision of instrumentation (6.31). Requirement 60: control systems Requirement 61: protection system (6.32–6.33) Requirement 62: Reliability and testability of instrumentation and control systems (6.34–6.36) Requirement 63: Use of computer-based equipment in systems important to safety (6.37) Requirement 64: separation of protection systems and control systems (6.38) Requirement 65: control room (6.39–6.40A) Requirement 66: supplementary control room (6.41) Requirement 67: emergency response facilities on the site (6.42)

2.1.B.3.2 Table B2: DBA release targets for very limited restrictions on foodstuff consumption E-00 2.1.B.4 Release targets for accidents without core melt— complex sequences E-00 2.1.B.4.1 Table B3: Complex sequences release targets E-00 2.1.B.5 Criteria for limited impact for severe Accidents E-00 2.1.B.5.1 Table B4: Criteria for limited impact for no evacuation actions beyond 3 km from the reactor E-00 2.1.B.5.2 Table B5: Criteria for limited impact for no sheltering actions beyond 5 km from the reactor E-00 2.1.B.5.3 Table B6: Criteria for limited impact for no iodine prophylaxis actions beyond 5 km from the reactor E-00 2.1.B.5.4 Table B47: Criteria for limited impact for no long-term actions beyond 800 m from the reactor E-00 2.1.B.5.5 Table B8: Criteria for limited food restrictions


Emergency power supply Requirement 68: design for withstanding the loss of offsite power (6.43–6.45A) Supporting systems and auxiliary systems Requirement 69: performance of supporting systems and auxiliary systems Requirement 70: Heat transport systems (6.46) Requirement 71: process sampling systems and postaccident sampling systems (6.47) Requirement 72: compressed air systems Requirement 73: air conditioning systems and ventilation systems (6.48–6.49) Requirement 74: fire protection systems (6.50–6.54) Requirement 75: lighting systems Requirement 76: overhead lifting equipment (6.55) Other power conversion systems Requirement 77: steam supply system,


feedwater system, and turbine generators (6.56–6.58) Treatment of radioactive effluents and radioactive waste Requirement 78: systems for treatment and control of waste (6.59–6.60) Requirement 79: systems for treatment and control of effluents (6.61–6.63) Fuel handling and storage systems Requirement 80: fuel handling and storage systems (6.64–6.68A) Radiation protection Requirement 81: design for radiation protection (6.69–6.76) Requirement 82: means of radiation monitoring (6.77–6.84) REFERENCES DEFINITIONS CONTRIBUTORS TO DRAFTING AND REVIEW

APPENDIX 4 DOSE CALCULATIONS

A4.1 INTRODUCTION

This appendix gives some examples of dose calculations which have been used during discussions on conceptual designs of various plants. The dose calculations are of a simple type, suitable for indicative evaluations. More elaborate calculations are usually performed in the final phases of the safety analysis, when systems and components purchase specifications have already been defined.

A4.2 VIRTUAL POPULATION DOSE IN A SEVERE ACCIDENT The following sections describe the virtual population dose for a future reactor (an order of magnitude evaluation in the short term, at three days, and in the long term, several years).

A4.2.1 THE REACTOR AND THE RELEASED ISOTOPES

The example is a passive type boiling water reactor of 600 MWe, provided with a double containment and a stack. The quantities of isotopes chosen as guide isotopes in the core (1800 MWt) are, at equilibrium:

| Isotope | Core inventory |
|---|---|
| $^{131}$I | $1.85 \times 10^{18}$ Bq |
| $^{137}$Cs | $148 \times 10^{15}$ Bq |
| $^{133}$Xe | $3.7 \times 10^{18}$ Bq |
| $^{85}$Kr | $12.95 \times 10^{15}$ Bq |

A4.2.2 SOURCE TERM AT THREE DAYS (I, CS, XE)

• The leakage rate assumed for the primary containment (taken into account the probability of leakage rates higher than the specified ones and possible damages to penetrations for severe accidents): 5%–10% per diem.
• The leakage rate assumed for the secondary containment room (systems, collection room, or building): 1%–10% per diem. (For this assumption to be valid extremely unlikely sequences are excluded, such as the rupture of a steam line with degraded core and valve leak proofing degraded.)
• The effective release height (e.g., passive routing of the leaks to a stack, collection of leaks in a leakproof room connected with the stack, leaks routed to a chimney through filters, etc.): 80 m.
• Iodine and cesium equivalent ground releases:

$$\frac{n\%\ \text{of the core inventory}}{w \times x \times y \times z} \tag{A4.1}$$

where $n = 20$, $w = 10$ for plateout and washout, $x$ takes a value in the range 3–6 for leaks from primary containment in three days, $y$ takes a value in the range 3–30 for leaks from the secondary containment in three days, and $z = 10$ (a factor for elevated release). The iodine and cesium equivalent ground release range =

$$\frac{0.2 \times \text{core inventory}}{10 \times 6 \times 30 \times 10}\ \text{to}\ \frac{0.2 \times \text{core inventory}}{10 \times 3 \times 3 \times 10}$$

So for $^{131}$I, the range is $(1.1 \times 10^{-5})(1.85 \times 10^{18})$ to $(2.2 \times 10^{-4})(1.85 \times 10^{18})$ = $20.35 \times 10^{12}$–$40.7 \times 10^{13}$ Bq. (A realistic reference value = $20.35 \times 10^{12}$ Bq.) And for $^{137}$Cs, the range is = $16.28 \times 10^{11}$–$32.56 \times 10^{12}$ Bq. (A realistic reference value = $18.5 \times 10^{11}$ Bq.) For $^{133}$Xe, the equivalent ground release range [Eq. (A4.1)], calculated with $n = 80$, $w = 0$, $x$ = 3–6, $y$ = 3–30 and $z = 5$, is $3.29 \times 10^{15}$–$6.58 \times 10^{16}$ Bq. (A realistic reference value = $1.85 \times 10^{16}$ Bq.)
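Added example, not from the book: Eq. (A4.1) evaluated over the stated ranges of x and y for the three guide isotopes. The function names are this example's own, and reading the text's "w = 0" for xenon as "no plateout or washout credit" (the factor is dropped rather than divided by) is an assumption.

```python
# Added example: equivalent ground release at three days, Eq. (A4.1).
# Inventories are the guide-isotope values listed in A4.2.1.
CORE_INVENTORY_BQ = {"I-131": 1.85e18, "Cs-137": 148e15, "Xe-133": 3.7e18}

X_RANGE = (3, 6)    # primary containment leakage over three days
Y_RANGE = (3, 30)   # secondary containment leakage over three days


def release_fraction(n_percent, x, y, z, w=None):
    """Fraction of the core inventory counted as equivalent ground release.

    w=None or 0 means no plateout/washout credit: the factor is left out of
    the denominator instead of dividing by zero (assumption of this example).
    """
    for name, value in (("x", x), ("y", y), ("z", z)):
        if value <= 0:
            raise ValueError(f"reduction factor {name} must be positive")
    denominator = x * y * z
    if w:
        if w < 0:
            raise ValueError("reduction factor w must not be negative")
        denominator *= w
    return (n_percent / 100.0) / denominator


def release_range_bq(isotope, n_percent, z, w=None):
    """(low, high) release in Bq: largest factors give low, smallest give high."""
    inventory = CORE_INVENTORY_BQ[isotope]
    low = inventory * release_fraction(n_percent, max(X_RANGE), max(Y_RANGE), z, w)
    high = inventory * release_fraction(n_percent, min(X_RANGE), min(Y_RANGE), z, w)
    return low, high


def three_day_source_terms():
    """Parameter sets used in A4.2.2 for iodine, cesium and xenon."""
    return {
        "I-131": release_range_bq("I-131", n_percent=20, z=10, w=10),
        "Cs-137": release_range_bq("Cs-137", n_percent=20, z=10, w=10),
        "Xe-133": release_range_bq("Xe-133", n_percent=80, z=5, w=0),
    }


if __name__ == "__main__":
    for isotope, (low, high) in three_day_source_terms().items():
        print(f"{isotope}: {low:.3g} to {high:.3g} Bq")
```

The unrounded fractions (0.2/18000 and 0.2/900) give values about 1% above the printed ones, which use 1.1 × 10^-5 and 2.2 × 10^-4.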

A4.2.3 DOSE AT THE FENCE AFTER THREE DAYS OF EXPOSURE

$^{131}$I (effective dose for adults by inhalation) = $(\chi/Q) \times \text{dbf} \times \text{grr}$, where $\chi$ (s/m$^3$) is the cloud concentration at 1 km, $Q$ (Bq) is the activity release, dbf (the dose biological factor) = 10 and grr (the ground release range) = $(20.35 \times 10^{12})$–$(40.7 \times 10^{13})$ Bq. Assuming $\chi/Q$ at 1 km distance is $1 \times 10^{-4}$, then the effective iodine-131 dose for adults by inhalation is 5–100 mSv. (A realistic value is 10 mSv.)

$^{133}$Xe (effective dose by cloud irradiation) = $(\chi/Q)(1/\text{dcf}) \times \text{grr}$, where dcf (dose conversion factor) (see Chapter 7: Health Consequences of Releases) = 300 and grr = $(3.29 \times 10^{15})$–$(6.58 \times 10^{16})$ Bq. Assuming $\chi/Q$ is $1 \times 10^{-4}$, then the effective xenon-133 dose by cloud irradiation is 0.3–10 mSv. Calculations for all the noble gases give a dose at the fence after three days of 5–120 mSv (about 10 times the value for $^{133}$Xe). An effective realistic value is 30 mSv.

A4.2.4 GROUND SHINE LONG-TERM DOSE

The integrated dose due to ground shine with absorption in the soil, corresponding to a ground initial concentration of 1 Bq/cm$^2$ of cesium-137 (a contribution by other nuclides exists but is not evaluated here):

| Period | Dose |
|---|---|
| First year | 120 μSv |
| Second year | 80 μSv |
| 0–50 years | 1.6 mSv |


The initial concentration of cesium-137 corresponding to a realistic release of $1.85 \times 10^{12}$ Bq is given by $(1.85 \times 10^{12})$ [Bq released] $\times\ 1 \times 10^{-4}$ [$\chi/Q$, Bq s/m$^3$ at 1 km] $\times\ (1 \times 10^{-2})$ [m/s: deposition velocity] = $2 \times 10^{6}$ Bq/m$^2$. Therefore the ground shine dose from cesium-137 is

| Period | Dose |
|---|---|
| First year | 20 mSv |
| Second year | 15 mSv |
| 0–50 years | 300 mSv |

(After 5 years this dose is 80 mSv.)

A4.3 EXPLORATIVE EVALUATION OF THE RADIOLOGICAL CONSEQUENCES OF A MECHANICAL IMPACT ON A SURFACE STORAGE FACILITY FOR CATEGORY 2 WASTE

A4.3.1 TYPE OF REPOSITORY

It is assumed that the disposal structure is similar to the French one at L’Aube or to the Spanish one in El Cabril. The waste is assumed to comply with the ANPA Technical Guide No. 26 (ANPA, 1985) and is, therefore, conditioned in a concrete matrix with compression strength of at least 500,000 kg m$^{-2}$.

A4.3.2 REFERENCE IMPACT

It is assumed that the reference impact produces, on clear ground, a conical crater having an angle of 90 degrees and a depth of 4 m. Moreover, it is assumed that the cause of the impact is undefined, possibly to be identified with a plane crash, a launched projectile or a blast from an internal or external explosive charge. The 4 m deep crater has been chosen because it can be related to an explosive projectile of medium size (see a discussion at the Hanover Congress on the nuclear underground sites; Bender, 1982). The volume of material expelled from the crater would then be about 70 m$^3$ corresponding to about 140 t. These values can be compared with the effects of mining explosives. The amount of rock (hard limestone rock) demolished in an open air mine is of the order of 7–10 t/kg explosive (Colombo, 1997). The rock in our example corresponds (in ideal conditions) to about 20 kg of explosive, an amount considered to be modest. The effect of an airplane crash, then, may cause, according to the usual assumptions, an impact load of about 10,000 t on a surface area of 7 m$^2$, corresponding to about 150 kg/cm$^2$. This load might cause the fall and the fragmentation of a column of structure, assumed to be 10–15 m high with a volume of about 70 m$^3$ (see Fig. A4.1).

FIGURE A4.1 Fragmentation due to impact (dimension shown in the figure: 10 m)

Table A4.1 Fragmentation of Material

| Average Dimension of Blocks (m) | Layer Volume 1 mm (m$^3$) | Layer Volume 3 mm (m$^3$) |
|---|---|---|
| 0.33 | 1.2 | 3.6 |
| 0.20 | 2.1 | 6.3 |

A4.3.3 FRAGMENTATION AND DISPERSION OF MATERIAL

It is assumed that the material is fragmented into blocks 0.2–0.3 m in diameter and that a layer 1–3 mm thick of each block is pulverized into fragments ranging between 1 μm and 1–3 mm, with a uniform distribution between the two extremes (see Table A4.1). If an intermediate case is chosen (e.g., a volume equal to 2.5 m$^3$), a weight of finely fractured material of 5 t is obtained, corresponding to a fraction of about 3% of the total. This percentage agrees with the values estimated, for example, for the Chernobyl accident (Vargo, 2000). It is possible to make an assumption, also on the basis of accident data, that the coarser part of the powder produced (from 10 μm to 1 mm), with an overall weight approximately equal to the total one (99%), is deposited over a radius of a few kilometers (2 km are assumed) from the release point, with an average concentration

$$c = \frac{5000}{\pi \times 2000^{2}} = 4 \times 10^{-4}\ \text{kg/m}^2 \tag{A4.2}$$

This evaluation is not conservative as the effect of wind is completely disregarded. This effect causes the angular distribution of the particulate to be nonuniform. An estimate of the concentration of the deposited radioactivity can be made with the following assumptions:

• The complex of released radioisotopes is equivalent to an amount of $^{137}$Cs.
• The equivalent value of $^{137}$Cs is equal to the value indicated in ANPA Technical Guide No. 26 (1985) as the limit for conditioned category 2 waste (3700 MBq/kg).

The total radioactivity in the released particulate is, then

$$R = 5{,}000{,}000 \times 3.7 \times 10^{-6} = 20\ \text{TBq} \tag{A4.3}$$

With this assumption, the concentration on the soil is

$$C = 0.4 \times 3.7 \times 10^{6} = 1500\ \text{kBq/m}^2 \tag{A4.4}$$

Table A4.2 Soil Concentrations

| Distance (km) | Soil Concentration (kBq/m$^2$) |
|---|---|
| 2 | 100 |
| 10 | 4 |

The finest particles (1–10 μm), with an overall weight of about 50 kg and a total radioactivity of 0.2 TBq, can be assumed to be dispersed by diffusion and deposition (Pasquill model). Assuming a stability condition F with wind velocity of 2 m/s and a deposition velocity of $10^{-2}$ m/s, the approximate soil concentrations shown in Table A4.2 are obtained. Indeed, the concentration, $C$, for example, at 1 km, is given by

$$C = \frac{\chi}{Q} \times Q \times v_d = 2 \times 10^{-4} \times 0.2 \times 10^{9} \times 0.01 = 400\ \text{kBq/m}^2 \tag{A4.5}$$

and decreases roughly with the 1.5–2 power of the ratio of distances for higher distances (concentrations of 100 and 4 kBq/m$^2$ at 2 and 10 km, respectively, result). The levels of soil contamination calculated may be compared with the cesium-137 contamination in a generic European country after Chernobyl, equal on the average to 10–20 kBq/m$^2$ with peaks up to 100–200 kBq/m$^2$ (Vargo, 2000).

A4.3.3.1 Alternative Source Term

A different approach to the previously considered accident can be pursued, along the following lines:

• To assume an applied force of 5000 t for the reference aircraft impact (as adopted in Italy for power plants), instead of the 10,000 t adopted in the previous evaluation.
• To allow for the dynamic character of the load applied by the impacting aircraft on the concrete. This would imply an increment in the limit load as allowed by the applicable regulations [e.g., American Concrete Institute ACI 349 (ACI, 2001)].
• To evaluate the depth of the fractured material as a consequence of the impact by the penetration formulae adopted for nuclear plant evaluations such as the formula (17.2).
• To add to the aircraft impact a fire of the transported fuel. This could influence the dispersion of the released particulate. In particular, the coarse fraction could be transported and deposited further than the assumed 2 km.


Taking into account the previous assumptions, the volume of fractured material would result in the order of 12 m$^3$ instead of the 70 m$^3$ assumed above. The coarse fraction of the release could be of the order of 860 kg instead of 5 t, whereas the fine fraction would turn out to be equal to 8.6 kg (instead of 50 kg). The uncertainty in the evaluation of the effect of the fire is rather high. Some indications could be obtained from the observation of the behavior of the Chernobyl release (Vargo, 2000). There, the large (>20 μm) particles were deposited within a radius of 5 km from the plant. With these assumptions, the following distribution of released material is obtained:

• Coarse fraction: >20 μm: weight = 860 kg.
• Ground concentration = $1.1 \times 10^{-5}$ kg/m$^2$, corresponding to 41 kBq/m$^2$.
• Fine fraction: weight = 17.2 kg.

This would be dispersed under the influence of the buoyancy effect of the fire. In the case of Chernobyl, the thermal elevation of the plume caused by the fire was of the order of 1000 m (Vargo, 2000) and this figure can be assumed to be valid also for this example. In order to get an idea of the characteristics of a (presumed) fire in a reference plane crash, it is assumed that the full fuel load charge of the aircraft is equal to 10 m$^3$, corresponding roughly to 7 t. This amount of fuel, with a conservative assumption, can be considered to form a square pool with 10-m long sides. The burning velocity of a pool of kerosene of this size is roughly 170 kg/m$^2$/h (Lees, 1996). The fuel would be completely burnt in about 25 min. The flame height would be equal to about twice its width, namely 20 m. The usual thermal-elevation formulae can be used to perform a further evaluation of the height to which the radioactive release will be brought by the flame. The Stümke formula [see Eq. (6.7)] can be used to indicate a plume rise of >1000 m. The uncertainty of this evaluation is, however, high as both the wind velocity field and the atmospheric turbulence have a strong influence on the phenomenon. It has to be noted that the presence of a fuel fire should not significantly increase the amount of radioactive particulate released. Indeed, the duration of the fire is short and the radioactive waste packaging is made of “fire resistant” and “nonflame propagating” materials (ANPA, 1985).

A4.3.4 DOSES

On the assumption that in the vicinity of the plant there is no intake of cesium through the food chain, the doses to the population can be caused by ground shine (on the assumption the population have not been evacuated). The doses at 1 year and at 50 years can be calculated on the basis of the factors shown in Table A4.3, corresponding to a contamination of 1 kBq/m$^2$ (Ferreli and Bologna, 1991).

Table A4.3 Dose Factors

| Time After Accident (Years) | Effective Dose (mSv) |
|---|---|
| 1 | 0.012 |
| 50 | 0.16 |


Table A4.4 Doses

| Time After the Accident (Years) | Effective Dose (mSv) |
|---|---|
| 1 | 18 (5) |
| 50 | 240 (65) |

The inhalation dose gives a negligible contribution. Therefore within a radius of 1 km from the site, multiplying the values in Table A4.3 by 1500 or 400, the doses shown in Table A4.4 are obtained. At 10 km from the plant, with the above-evaluated contamination figures, about 0.05 and 0.65 mSv can be obtained at 1 and at 50 years, respectively.

A4.3.5 CONCLUSIONS Although these evaluations are inevitably subjective and need further reflection, the consideration of a severe impact accident seems opportune, taking into account the long life of a repository (centuries). Technical solutions incorporating a special technological protection from the aircraft crash and from explosive events or solutions in which the disposal structure is located at a depth in the ground of at least 20 m should be considered among the alternatives to be examined. The subsurface solution would offer better protection during the phases of construction and of filling up of the repository.

A4.4 EXPLORATIVE EVALUATION OF THE RADIOLOGICAL CONSEQUENCES OF A MECHANICAL IMPACT ON A TRANSPORT/STORAGE CASK CONTAINING SPENT FUEL

A4.4.1 CHARACTERISTICS OF THE CASK

The cask complies with the international requirements for fuel transportation and, therefore, it resists the fall, punching, and submersion. Moreover, the cask will be designed to protect it from aircraft impact and consequent fire. The cask considered has two independent leakproof lids, each one equipped with metallic seals. It is assumed that the cask contains 50 fuel elements of the type used at the Caorso plant and that the maximum temperature of the cladding is 200°C. The interior of the cask is normally kept at negative pressure and in an inert atmosphere.

A4.4.2 REFERENCE IMPACT

It is assumed that the cause of the impact is undefined, possibly to be identified but assumed to be due to a plane crash, the launch of a projectile or the blast of an internal or external explosive charge. The effect of a plane crash may cause, according to the usual assumptions, a load of about 10,000 t on a surface area of 7 m$^2$, corresponding to about $1.43 \times 10^{6}$ kg/m$^2$.


Notwithstanding the strength characteristics of the cask and its leakproof seals against impact and other conceivable external loads, it is assumed that in the accident considered, both seals are damaged, allowing a certain communication between its internal and the outside atmosphere and a gas flow dependent on the pressure difference between the inside and outside. Immediately after the deterioration of the seals, the external air will flow into the cask because of the internal underpressure. Subsequently, as a consequence of the lowering of external atmospheric pressure, part of the gas contained inside the cask might escape to the outside. If it is assumed that the variation of the atmospheric pressure in one day is 1000 Pa (normal variation), the percentage of the internal atmosphere escaped to the outside will be in the same period of time 10/1000 = 1%. It is assumed here that after one day, steps have been taken to stop the release.

A4.4.3 AMOUNT OF SIGNIFICANT FISSION PRODUCTS IN THE INTERNAL ATMOSPHERE OF THE CASK AND EXTERNAL RELEASE IN ONE DAY

Only cesium-137 and krypton-85 are considered significant. Indeed, the other isotopes (such as xenon and iodine) normally considered in explorative evaluations like this one are either completely decayed 15 years after the removal of the fuel from the reactor, or are not volatile enough to be released at relatively low temperature and through narrow and tortuous leak paths (e.g., imperfections in the metallic seals). In the first place it can be assumed that the amount of the fission products in the gap between the fuel and the cladding is the same as that which was there when the fuel was discharged from the reactor, except for the effects of radioactive decay. Indeed, the phenomenon of diffusion from the fuel to the gap is governed by a diffusion coefficient, $D'_{\mathrm{Cs}}$, which depends on the temperature (in kelvin) according to an Arrhenius type law (ANS, 1984):

$$D'_{\mathrm{Cs}} = 1.22\, e^{(-72300/RT)} \times 100^{(Bu/28000)} \tag{A4.6}$$

where $R$ is the gas constant = 1.987 cal/mol/K (8.3143 J/mol/K), $T$ is the temperature (K), and $Bu$ is the fuel burn-up (MWD/t). The ratio between the diffusion coefficient at the average operating temperature of the fuel (roughly 1300 K) and at the fuel temperature after shutdown and during the storage (some hundreds of kelvin, typically 500 K) is practically infinite. The inventory of radioactive isotopes in the gap is, then, practically equal to that at the discharge from the reactor. Therefore for the Caorso reactor (860 MWe) and on the basis of the data on the content of fission products in a 1000-MWe reactor, the following evaluation can be made. In all the fuel (560 elements), after 15 years decay:

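$$^{85}\text{Kr}:\quad 5.6 \times 10^{7} \times \frac{860}{1000 \times 2^{(15/10.82)}} = 17\,585\,000\ \text{Ci}\ (650\,600\ \text{TBq})$$

$$^{137}\text{Cs}:\quad 4.7 \times 10^{6} \times \frac{860}{1000 \times 2^{(15/30.13)}} = 2\,924\,533\ \text{Ci}\ (108\,208\ \text{TBq})$$

In the gap of 50 elements, assumed equal to 1% of the gap itself:

$$^{85}\text{Kr}:\quad \frac{17\,585\,000}{100} \times \frac{50}{560} = 15\,700\ \text{Ci}\ (580\ \text{TBq})$$

$$^{137}\text{Cs}:\quad \frac{2\,924\,553}{100} \times \frac{50}{560} = 2611\ \text{Ci}\ (97\ \text{TBq})$$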

Assuming, moreover, that five fuel elements leak as a result of the event, corresponding to 10% of the total (therefore equal to 10 times the percentage of fissured rods normally assumed in safety analyses for the normal operation of a reactor), then values available for release are obtained that are equal to one tenth of those indicated above. The external release in one day will be, for the considerations made above on the consequence of the variation of the atmospheric pressure, equal to one hundredth of the available activity values:

$^{85}$Kr: 0.6 TBq
$^{137}$Cs: 0.1 TBq

The release is assumed to be at ground level in cases where no accompanying fuel failure is postulated and at hundreds of meters high in the case where a fire occurs. A fire of short duration (<1 hour), such as one resulting from a plane crash or a manually extinguished fire could have a limited influence on the amount of the release as the thermal time constant of the cask wall (>0.3 m of steel or cast iron) should be higher than the fire duration. In these conditions, the increase in the internal cask pressure caused by the fire could be high enough to change the amount (but not the order of magnitude) of the previously described release assumptions. A simple thermal analysis shows that a conservative estimate of the internal pressure increase caused by the fire in half an hour could be of the order of 3000 Pa (namely a factor of three over the above-described assumptions). In conclusion, the release in a fire could be of the order of three times the one assumed above, in a time frame of <1 hour. The two releases should not be combined.

A4.4.4 EFFECTIVE COMMITTED DOSES

A4.4.4.1 Cesium Doses

The cloud resulting from the release can be considered dispersed by diffusion and deposition (Pasquill model). If a stability condition, F, is assumed with a 2 m/s wind velocity and a deposition velocity of 0.01 m/s, the ground concentrations shown in Table A4.5 (roughly) result. The ground concentration (e.g., at 1 km) is $C = 2 \times 10^{-4} \times 0.1 \times 10^{9} \times 0.01 = 200$ kBq/m$^2$ (see Eq. A4.5) and roughly decreases with the 1.5–2 power of the ratio of distances (resulting in concentrations of 50 and 2 kBq/m$^2$ at 2 and 10 km, respectively).

Table A4.5 Ground Concentrations

| Distance (km) | Soil Concentrations (kBq/m$^2$) |
|---|---|
| 1 | 200 |
| 2 | 50 |
| 10 | 2 |


The levels of ground contamination calculated above can be compared with the contamination levels in a generic European country after Chernobyl, on the average equal to 10–20 kBq/m$^2$ with peaks of 100–200 kBq/m$^2$ (Vargo, 2000). On the assumption that the food chain is controlled after the accident and so the cesium intake is zero, the doses to the population can be due only to ground shine (if the population has not been evacuated). The doses at one year and at 50 years can be calculated on the basis of the factors shown in Table A4.6 corresponding to a contamination of 1 kBq/m$^2$ (Vargo, 2000). The inhalation dose gives a negligible contribution. Therefore within a radius of 1 km from the site, multiplying the figures of the preceding table by 200, the results shown in Table A4.7 are obtained. At 2 km from the site, the doses are shown in Table A4.8. At 10 km, the doses are shown in Table A4.9.

Table A4.6 Unit Doses

| Time After the Accident (Years) | Effective Dose (mSv) |
|---|---|
| 1 | 0.012 |
| 50 | 0.16 |

Table A4.7 Doses at 1 km

| Time After the Accident (Years) | Effective Dose (mSv) |
|---|---|
| 1 | 2.5 |
| 50 | 30 |

Table A4.8 Doses at 2 km

| Time After the Accident (Years) | Effective Dose (mSv) |
|---|---|
| 1 | 0.6 |
| 50 | 8 |

Table A4.9 Doses at 10 km

| Time After the Accident (Years) | Effective Dose (mSv) |
|---|---|
| 1 | 0.025 |
| 50 | 0.3 |
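Added example, not from the book: the cask release chain of A4.4.3 followed through the deposition step of Eq. (A4.5) and the unit doses of Table A4.6; the same deposition step with 0.2 TBq gives the repository values of Table A4.2. Function names and the 100 000 Pa atmospheric pressure are assumptions of this example. Evaluating the decay formula exactly gives whole-core inventories a few percent off the printed ones, while the one-day releases still round to 0.6 and 0.1 TBq.

```python
# Added example: cask release chain (A4.4.3) through deposition (Eq. A4.5)
# to ground-shine doses (A4.4.4.1).
CI_TO_TBQ = 0.037                       # 1 Ci = 3.7e10 Bq

# Inputs quoted in the text
REFERENCE_INVENTORY_CI = {"Kr-85": 5.6e7, "Cs-137": 4.7e6}  # 1000-MWe reactor
HALF_LIFE_YEARS = {"Kr-85": 10.82, "Cs-137": 30.13}
PLANT_POWER_MWE = 860                   # Caorso
DECAY_YEARS = 15
TOTAL_ELEMENTS, CASK_ELEMENTS = 560, 50
GAP_FRACTION = 0.01                     # share of the inventory in the gap
LEAKING_FRACTION = 0.10                 # five of the 50 elements leak
CHI_OVER_Q_1KM = 2e-4                   # s/m3, Pasquill F, 2 m/s wind
DEPOSITION_VELOCITY = 0.01              # m/s
DOSE_FACTOR_MSV = {1: 0.012, 50: 0.16}  # mSv per kBq/m2 (Tables A4.3, A4.6)

# Assumption of this example: the text's "10/1000 = 1%" is a 1000 Pa swing
# against an atmosphere of 100 000 Pa.
ATMOSPHERIC_PRESSURE_PA = 100_000.0


def decayed_inventory_tbq(isotope):
    """Whole-core inventory after DECAY_YEARS, scaled to the plant power."""
    curies = REFERENCE_INVENTORY_CI[isotope] * PLANT_POWER_MWE / 1000.0
    curies /= 2 ** (DECAY_YEARS / HALF_LIFE_YEARS[isotope])
    return curies * CI_TO_TBQ


def one_day_release_tbq(isotope, pressure_swing_pa=1000.0):
    """Activity leaving the cask in one day through the damaged seals."""
    in_cask_gap = (decayed_inventory_tbq(isotope) * GAP_FRACTION
                   * CASK_ELEMENTS / TOTAL_ELEMENTS)
    available = in_cask_gap * LEAKING_FRACTION
    return available * pressure_swing_pa / ATMOSPHERIC_PRESSURE_PA


def ground_concentration_kbq_m2(release_tbq, distance_km, exponent=2.0):
    """Eq. (A4.5) at 1 km, then a power-law fall-off with distance.

    The text gives an exponent of roughly 1.5 to 2; its tables use 2.
    """
    if distance_km < 1:
        raise ValueError("the chi/Q value is quoted for 1 km and beyond")
    at_1km = CHI_OVER_Q_1KM * (release_tbq * 1e9) * DEPOSITION_VELOCITY
    return at_1km / distance_km ** exponent


def ground_shine_table(release_tbq, distances_km=(1, 2, 10), exponent=2.0):
    """{distance_km: (kBq/m2, mSv at 1 year, mSv at 50 years)}."""
    table = {}
    for distance in distances_km:
        conc = ground_concentration_kbq_m2(release_tbq, distance, exponent)
        table[distance] = (conc, DOSE_FACTOR_MSV[1] * conc,
                           DOSE_FACTOR_MSV[50] * conc)
    return table


if __name__ == "__main__":
    for isotope in ("Kr-85", "Cs-137"):
        print(isotope, round(one_day_release_tbq(isotope), 3), "TBq in one day")
    # The text rounds the cesium release to 0.1 TBq before computing doses.
    for distance, row in ground_shine_table(0.1).items():
        print(distance, "km:", [round(value, 3) for value in row])
```

Passing `pressure_swing_pa=3000.0` reproduces the factor of three the text assigns to the fire case, and `exponent=1.5` shows the upper edge of the concentration band at distance.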


A4.4.4.2 Krypton-85 Effective Doses

The krypton-85 doses are due to immersion in a finite dimension cloud. For a diffusion category F and at a distance of 1 km, the conversion coefficient between the effective dose and cloud concentration (Vargo, 2000) is $3.6 \times 10^{-5}$ rem per Ci s/m$^3$ ($2.7 \times 10^{-13}$ Sv per Bq s/m$^3$). Therefore for a cloud concentration of $2 \times 10^{-4} \times 0.6$ TBq s/m$^3$, the following effective dose results: $1 \times 10^{-9}$ Sv, which is practically zero.

A4.4.5 CONCLUSIONS The preceding evaluations, despite the high level of protection already incorporated in the casks, support the need for technological solutions which offer special protection against aircraft crash and against explosive events or solutions such as where the storage structure is located at least 20 m below ground level.

REFERENCES

ACI, 2001. Code Requirements for Nuclear Safety Related Concrete Structures and Commentary. ACI 349, American Concrete Institute, USA.
ANPA, 1985. Gestione dei rifiuti radioattivi. Guida Tecnica 26.
ANS, 1984. Report of the Special Committee on Source Terms. American Nuclear Society, September.
Bender F., Herausgegeber, 1982. Underground Siting of Nuclear Power plants. Hanover Symposium, Stuttgart.
Colombo, G., 1997. Manuale dell’Ingegnere. Nuovo Colombo, L-37 (83a), Ulrico Hoepli Editore, Milano.
Ferreli, A., Bologna, L., 1991. Reattori nucleari: Termine di sorgente e piani di emergenza, Commissione Tecnica.
Vargo, G.J., 2000. The Chernobyl Accident: A Comprehensive Risk Assessment. Battelle Press, Columbus.

APPENDIX 5 SIMPLIFIED THERMAL ANALYSIS OF AN INSUFFICIENTLY REFRIGERATED CORE

A5.1 ANALYSIS OF THE CORE WITHOUT REFRIGERATION

The simple spreadsheet macro dryco.xls (available on the Mendeley website) calculates the distribution of temperatures in a core (in downloadable file DRYCORE) without any refrigeration except for the radiation heat transfer toward the vessel and toward the surrounding concrete cavity. The calculation is a simplified one and is based on that used in the Rasmussen Report (Rasmussen, 1978). As explained at the beginning of Appendix 2, some of the units are not in the SI System, for historical reasons. The core is subdivided into 10 circular rings, as illustrated in Fig. A5.1. The input data are the temperature at the center of the core, the total decay heat, and the dimensions of the core, the vessel, and the external cavity. It is assumed that heat transfer occurs only in the radial direction. In reality, 10%–12% of the heat is dissipated axially (Rasmussen, 1978). The core power peaking factor (radial) is assumed to be 1.5, with a linear distribution as a function of the radius. In normal operation, however, an axial peaking factor of 1.4–1.5 should also be taken into account. The emissivity of the surfaces is set to 0.7. The dimensions of the rods (radius 0.535 cm) and the distance between a ring and the subsequent one (0.357 cm) correspond to the dimensions in a water reactor. For the heat transfer from a layer at temperature T1 to the subsequent one at temperature T2, the principal formula used (Rasmussen, 1978) is

$$Q = 1.35 \times 10^{-7} \times F \times A \times \left[ (T_1/100)^4 - (T_2/100)^4 \right] \ \text{Cal/s} \tag{A5.1}$$

where F, the radiation coefficient = 1/[(1/εr) + (1/εo) − 1] = 0.54 (εr is the emissivity of the radiating surface and εo is the emissivity of the irradiated surface), and A is the area of the radiating surface (m²). A typical problem solved by the spreadsheet macro is the following one: Given the temperature at the core center and the decay power, together with the dimensions of the various parts, the concrete temperature necessary to dissipate the heat produced has to be calculated. The problem, once the input data are added to the spreadsheet, is easily solved by subsequent iterations given the rapidity of the calculation. The formulae for calculating the decay heat are also given as a function of the time elapsed since the shutdown and the operating power.

FIGURE A5.1 Core regions (Region 1 to Region n = 10, vessel, concrete cavity).

Input data
H, the height of the core = 353 cm
Qtot, the total core decay thermal power at time t = 544 Cal/s
qm, the average thermal power for unit volume of core = 2.123 × 10⁻⁵ Cal/s/cm³
R, the core external radius = 152 cm
Rev, the vessel external radius = 200 cm
To, the core center temperature = 2047.15K

Output data
Tcls, the reactor cavity concrete temperature = 133.97893K
Tv, the vessel temperature = 1142.46K

Note on this sample calculation: 0K for 1800 MWt, 150 days decay and central temperature equal to about 2050K (zircaloy melting point).

1. Kqd, the decay power coefficient = 1.05
   Qde1, the decay power at time t = 543.76866 Cal/s
   P, the operating power = 1800 MWt
   t = 12,960,000 s


2. Qde2/P, the ratio between decay and operating power (10–150 s after shutdown) = 0.0039523 (or 1700.3099 Cal/s)
3. Qde3/P, the ratio between decay and operating power (150–4 × 10⁶ s after shutdown) (equivalent to Qde1 for Kqd = 1.05) = 0.001262

The decay power at a certain time and for a certain operating power is given by list items 1, 2, and 3. Item 1 gives the decay power as a function of the time in seconds after the shutdown and the operating power (both to be inserted as inputs to the spreadsheet). The formula also requires a coefficient, Kqd, which represents a multiplication factor for the decay power and which takes the value 1.05 for the decay heat according to the ANS formula (ANS, 1971). Some think that the ANS formula is too conservative, so the spreadsheet allows the decay power to be changed through a Kqd factor chosen by the user. For example, many experts think that the power (ANS − 5%) is more representative of the real situation. This corresponds to a Kqd value of 1. The formula is valid in the range 150 < t < 4 × 10⁶ s. Item 2 gives the ratio between decay power and operating power for 10 < t < 150 s, according to the ANS formula. Item 3 is equivalent to item 1 with Kqd = 1.05 (ANS), the only difference being that it gives the ratio between the powers, as does item 2, but for the long term.

The example shows the case of an 1800 MWt core after 150 days of decay, with the central temperature equal to about the melting point of zircaloy [about 1800°C (≈2100K)]. It can be seen that the concrete temperature necessary to remove the heat is about 130K, which is within an acceptable range (a more precise input decay power, 543.7688817 Cal/s instead of 544 Cal/s, would have given 297K). The same spreadsheet can be used to show that the central region formed by four fuel elements, even after only 30 days of decay, could preserve its integrity (temperature lower than 1500K) if exposed to an environment kept at some hundreds of kelvin (Table A5.1).

Table A5.1 Spreadsheet for Calculations

Qtot (Cal/s) = 544               H (cm) = 353
qm (Cal/s/cm³) = 2.123 × 10⁻⁵    R (cm) = 152
To (K) = 2047.15                 Rev (cm) = 200

n = fuel ring number (106 rings in total); x = radius corresponding to n (cm); A = lateral area in x (cm²); Qx = thermal power produced within radius x (Cal/s); Tn = temperature in x (K)

n      x (cm)     A (cm²)     Qx (Cal/s)    Tn (K)
16     23.367     53744.1     18.737769     2047.15
26     37.637     86565.1     47.745591     2032.8911
36     51.907     119386.1    89.16686      2009.7015
46     66.177     152207.1    142.25443     1976.9607
56     80.447     185028.1    206.26115     1933.5523
66     94.717     217849.1    280.43987     1877.6273
76     108.987    250670.1    364.04346     1806.1204
86     123.257    283491.1    456.32475     1713.6724
96     137.527    316312.1    55.5366       1589.8208
106    151.797    349133.1    663.93187     1409.3021


A5.2 OTHER FORMULAE AND USEFUL DATA FOR THE INDICATIVE STUDY OF THE COOLING OF A CORE AFTER AN ACCIDENT

The data listed here are those given in Rasmussen (1978). In the case where the core is totally submerged by water, in a boiling regime, the heat transfer coefficient, hB, can be assumed to be equal to 1600 Cal/m² h K. On the other hand, when the core is partially submerged, then it will be necessary to determine the level of the water–steam mixture: above this level the heat transfer will take place toward the steam, below this level it will be toward the mixture. The heat transfer coefficient toward steam can be assumed equal to the one given by the Dittus–Boelter formula

$$h = \frac{3.026 \times 10^{-3}\, C_p\, G^{0.8}}{D^{0.2}} \ \text{W/m}^2\text{/K} \tag{A5.2}$$

where Cp is the specific heat of the steam (J/kg/K), G is the steam flow rate (kg/s/m²) and D is the equivalent diameter of the channel (m). The calculation of the mixture level is made by trial and error using Eqs. (A5.3) and (A5.4):

$$M = A_{tot}\, Y \rho_L \left( 1 - \frac{\alpha_T}{2} \right) \ \text{kg} \tag{A5.3}$$

where M is the weight of water in the core (kg), Atot is the total vessel cross-section occupied by the mixture (m²), Y is the level of the mixture above the vessel bottom (m), αT is the void fraction at the top of the mixture (it is assumed that the void fraction varies linearly with height), and ρL is the liquid density (kg/m³).

$$Q_{DK} = \rho_s\, U_T\, \alpha_T\, A_{tot}\, h_{fg} \ \text{W} \tag{A5.4}$$

where QDK is the total decay power in the zone covered by the mixture (W), ρs is the steam density (kg/m³), UT is the steam separation velocity at the top of the mixture (m/s) and hfg is the evaporation enthalpy (J/kg). A constant value of 1.4 m/s for UT can be assumed, but it can be calculated by the Wilson correlation [Eq. (A5.5)]:

$$U_T = 1.05\, (58.76\, D)^{0.244}\, (\alpha_T)^{1.283} \ \text{m/s} \tag{A5.5}$$

where D is the hydraulic diameter (m) of the fuel element channel (or “box”) or the fuel rod. A typical reflood velocity of the core after uncovering is 5 × 10⁻³ m/s. The thermal constant of the fuel rod is equal to about 1 minute. The overall thermal capacity of a core for a pressurized reactor of 900 MWe is equal to about 3.35 × 10⁶ J/K (8000 Cal/°C).
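The trial-and-error determination of the mixture level from Eqs. (A5.3) to (A5.5), as an added Python example (it is not code from the book, the spreadsheet or the Rasmussen Report). It assumes an axially flat decay-power profile over the core height and a cross-section Atot that is constant with height; the geometry, inventory and fluid properties in SAMPLE are constructed values, and all function names are this example's own.

```python
"""Mixture level in a partially uncovered core from Eqs. (A5.3)-(A5.5)."""
from dataclasses import dataclass

WILSON_EXP = 1.283  # exponent of alpha_T in Eq. (A5.5)


@dataclass(frozen=True)
class Vessel:
    water_mass: float    # M, kg
    area: float          # Atot, m2 (taken constant with height: assumption)
    rho_liquid: float    # rho_L, kg/m3
    rho_steam: float     # rho_s, kg/m3
    h_fg: float          # evaporation enthalpy, J/kg
    hyd_diameter: float  # D, m
    decay_power: float   # decay power of the whole core, W
    core_bottom: float   # core bottom elevation above vessel bottom, m (assumption)
    core_height: float   # active core height, m


def wilson_velocity(v, alpha_top):
    """Eq. (A5.5): steam separation velocity UT in m/s."""
    return 1.05 * (58.76 * v.hyd_diameter) ** 0.244 * alpha_top ** WILSON_EXP


def covered_power(v, level):
    """QDK: decay power below the mixture level (flat axial profile assumed)."""
    frac = (level - v.core_bottom) / v.core_height
    return v.decay_power * min(max(frac, 0.0), 1.0)


def void_fraction_top(v, q_dk):
    """Invert Eq. (A5.4) with UT from Eq. (A5.5).

    QDK = rho_s * UT(alpha_T) * alpha_T * Atot * hfg is proportional to
    alpha_T ** (1 + 1.283), so alpha_T follows in closed form.
    """
    q_at_alpha_one = v.rho_steam * wilson_velocity(v, 1.0) * v.area * v.h_fg
    return (q_dk / q_at_alpha_one) ** (1.0 / (1.0 + WILSON_EXP))


def mass_residual(v, level):
    """Eq. (A5.3) as f(Y) = Atot * Y * rho_L * (1 - alpha_T / 2) - M, in kg."""
    alpha = min(void_fraction_top(v, covered_power(v, level)), 1.0)
    return v.area * level * v.rho_liquid * (1.0 - alpha / 2.0) - v.water_mass


def mixture_level(v, tol=1e-6):
    """Return (Y, alpha_T) satisfying Eqs. (A5.3)-(A5.5) for the given inventory.

    The level is bracketed between the collapsed level (alpha_T = 0) and twice
    that value (alpha_T = 1) and then found by bisection, which replaces the
    manual trial and error.
    """
    lo = v.water_mass / (v.area * v.rho_liquid)
    hi = 2.0 * lo
    while hi - lo > tol:
        mid = 0.5 * (lo + hi)
        if mass_residual(v, mid) < 0.0:
            lo = mid
        else:
            hi = mid
    level = 0.5 * (lo + hi)
    alpha = void_fraction_top(v, covered_power(v, level))
    if alpha >= 1.0:
        # The correlation cannot carry the steam produced: model not applicable.
        raise ValueError("void fraction at the top reaches 1; no mixture level")
    return level, alpha


# Constructed sample: properties roughly those of saturated water near 7 MPa.
SAMPLE = Vessel(water_mass=15000.0, area=5.0, rho_liquid=740.0, rho_steam=36.5,
                h_fg=1.505e6, hyd_diameter=0.012, decay_power=20.0e6,
                core_bottom=2.0, core_height=3.53)

if __name__ == "__main__":
    y, a = mixture_level(SAMPLE)
    top = SAMPLE.core_bottom + SAMPLE.core_height
    print(f"mixture level Y = {y:.3f} m, alpha_T = {a:.3f}")
    print(f"uncovered core height = {max(top - y, 0.0):.3f} m")
```

With the constructed sample the collapsed level is about 4.05 m while the swollen mixture level is higher, which is the difference that decides how much of the core is cooled by the mixture and how much only by steam.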

REFERENCES

ANS, 1971. Decay Energy Release Rates Following Shutdown of Uranium Fuelled Thermal Reactors. Subcommittee ANS-5, American Nuclear Society Standards Committee, October.
Rasmussen, 1978. Thermal Analyses. The Rasmussen Report, WASH-1400, v. VIII, App. A.

APPENDIX 6 EUROPEAN REQUIREMENTS REVISION E, 2016

A6.1 GENERAL OVERVIEW

The main purpose of this Appendix is to give an idea of the degree of completeness of the guidance to design and evaluation that these criteria offer. The whole document can be obtained under specific conditions by contacting the EUR website at www.europeanutilityrequirements.org. Only the List of Content is publicly available (see, for Safety Requirements, the table in Appendix 3). The EUR Organization, however, has given permission to insert also in the second edition of this book (present Appendix 6) some concepts and some complete extracts of volume 2, 2.1 (Safety), and 2.4 (Design Basis). Revision E (2016) introduces (EUR Training, 2017) important updates to the guidance reproduced in the first edition of this book (e.g., Rev. E, improved coherence with EURATOM Directives, WENRA Standards, IAEA Standards and Guides SSR 2/1, SSG-30, SSG-3, SSG-4, IEC Standards 61513, 60880, 62138, 61226, update of Pipe Break Preclusion and Leak Before Break concepts). The design of the plant shall consider at least one severe accident sequence with significant core melt, while other severe accident sequences shall be considered for demonstration of compliance with the overall probabilistic safety objective. The containment structure and, in a more general sense, the containment system (with pertinent procedures) are the main defense against external damage, in the short and in the long term, for design extension conditions [see also IAEA Criteria SSR-2/1 (Rev.1)]. Safety features of the plant against design extension conditions shall be, as far as reasonably practicable (AFARP), independent from safety systems [which seems an invitation to designers to use AFARP diverse (e.g., passive) systems and features included in basic design]. It is noted here that Appendixes A and B of Section 2.1 (Safety) of volume 2 (see Appendix 3 for titles) include many numerical requirements.

A6.2 SAMPLE OF NOTABLE CONCEPTS ADOPTED IN REVISION E

• Methodology for release consequences calculation: “The EUR methodology for evaluating compliance with the dose limits is based on the consideration of all significant radionuclides which could be released in an LWR accident (vs. limiting the release to a few representative radioisotopes). Isotopes have been clustered in 9 groups according to the similarity in their release fractions and physical-chemical behavior during the accident, as is typical of severe accident consequence models. To reduce the number of calculations to be performed, doses are estimated for a unit release of a representative radioisotope of each group along with a corresponding release for the other radionuclides in the group that is equal to the release fraction for the representative isotope (i.e., the ratio of the unit release divided by the core inventory of the representative isotope at scram).” The following type of condition has to be complied with for the various cases of dose limits:

$$\sum_{i=1}^{n} R_{ig} \times C_{ig,\mathrm{Target}} + R_{ie} \times C_{ie,\mathrm{Target}} < \text{Dose criterion target}$$





• Break preclusion/leak before break measures may be taken to reduce the requirements to consider the consequential effects of LOCAs. The following provisions are adopted in case this option is chosen:
  • Quality in design (material selection, manufacturing, low stresses, good inspectability);
  • Integrity demonstration (limited crack growth of path-through flaw, safety margins to fracture);
  • Surveillance and monitoring of design bases;
  • In-service inspection; and
  • Adequate leak detection (with margin).

• Practical elimination: “A Accident sequences that have the potential to cause a Large Release or Early Release shall be Practically Eliminated. The relevant safety demonstration requires identifying accident sequences potentially leading to such unacceptable releases and then bringing the appropriate justification that those accident sequences do not need to be considered in the plant design under the Defence-in-Depth concept.
  B Identification of such accident sequences shall be based on deterministic analyses, supported by Engineering judgment, and probabilistic assessment. Accident sequences involving at least the following phenomena shall be demonstrated to be Practically Eliminated:
  • Hydrogen detonation;
  • Large steam explosion;
  • Direct containment heating;
  • Large reactivity insertion (including heterogenous boron dilution in PWRs);
  • Rupture at high pressure of major pressure retaining components e.g. Reactor Pressure Vessel and large components of RCS;
  • Fuel failure in a spent fuel store;
  • Primary Containment over pressurisation;
  • Late containment failure due to base melt through;
  • Severe Accidents challenging the Containment System at all times when loss of confinement is caused by containment bypass (e.g. rupture of a steam generator tube, containment isolation valves are open or an interfacing system LOCA); and
  • Severe Accidents in the shutdown state whilst the containment is open or Severe Accident mitigating measures are out of service.”
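The linear-combination condition given above under "Methodology for release consequences calculation", applied with the Table B1 coefficients, the DBC-3, DBC-4 and Complex Sequences dose criteria and the Table B2 foodstuff targets quoted in Section A6.3 of this appendix. This is an added Python example, not part of the book or of the EUR document; the release figures are constructed sample inputs and the function names are this example's own.

```python
"""Release-target checks using the EUR Rev. E values quoted in Section A6.3."""

# (Cig, Cie) in Sv/TBq for ground-level and elevated releases (Tables B1 and B3).
DOSE_COEFF = {
    "Xe133": (5.0e-9, 9.1e-10),
    "I131": (4.5e-5, 2.8e-6),
    "Cs137": (7.8e-4, 4.9e-5),
}

# Dose criteria in Sv for the linear-combination formula.
DOSE_CRITERION = {"DBC3": 1e-3, "DBC4": 5e-3, "COMPLEX": 10e-3}

# (ground, elevated) release targets in TBq for foodstuff restrictions (Table B2).
FOOD_TARGET = {"I131": (4.4, 73.0), "Cs137": (0.5, 7.9)}


def dose_contributions(releases):
    """Return {group: Rig*Cig + Rie*Cie} in Sv for releases given in TBq."""
    parts = {}
    for group, (ground, elevated) in releases.items():
        if group not in DOSE_COEFF:
            raise KeyError(f"no coefficients quoted for isotope group {group!r}")
        if ground < 0 or elevated < 0:
            raise ValueError("releases must be non-negative")
        c_ground, c_elevated = DOSE_COEFF[group]
        parts[group] = ground * c_ground + elevated * c_elevated
    return parts


def check_dose(releases, condition):
    """Compare the summed dose with the criterion for DBC3, DBC4 or COMPLEX."""
    parts = dose_contributions(releases)
    total = sum(parts.values())
    limit = DOSE_CRITERION[condition]
    return {
        "dose_sv": total,
        "limit_sv": limit,
        "fraction_of_limit": total / limit,
        "dominant_group": max(parts, key=parts.get) if parts else None,
        "ok": total < limit,
    }


def food_target_usage(releases):
    """Table B2 rule: per isotope, add the fraction of the target used on each path."""
    usage = {}
    for isotope, (t_ground, t_elevated) in FOOD_TARGET.items():
        ground, elevated = releases.get(isotope, (0.0, 0.0))
        usage[isotope] = ground / t_ground + elevated / t_elevated
    return usage


def check_dba(releases, condition):
    """Both design basis accident checks: dose criterion and foodstuff targets."""
    dose = check_dose(releases, condition)
    usage = food_target_usage(releases)
    food_ok = all(u < 1.0 for u in usage.values())
    return {"dose": dose, "food_usage": usage, "food_ok": food_ok,
            "ok": dose["ok"] and food_ok}


# Constructed sample releases in TBq, as (ground level, elevated) per group.
SAMPLE_A = {"Xe133": (2000.0, 50000.0), "I131": (1.0, 20.0), "Cs137": (0.1, 2.0)}
SAMPLE_B = {"Xe133": (2000.0, 50000.0), "I131": (1.0, 20.0), "Cs137": (0.3, 4.0)}

if __name__ == "__main__":
    for name, sample in (("A", SAMPLE_A), ("B", SAMPLE_B)):
        result = check_dba(sample, "DBC3")
        print(name, f"{result['dose']['dose_sv']:.3e} Sv",
              {k: f"{100 * u:.0f}%" for k, u in result["food_usage"].items()},
              "ok" if result["ok"] else "target exceeded")
```

Sample B stays below the DBC-3 dose criterion but uses more than 100% of the Cs137 foodstuff target, so the Table B2 check is the binding one for it.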


A6.3 EXTRACTS FROM EUR CRITERIA REVISION E (2016) (PRESSURIZED WATER REACTORS)

(The EUR Criteria Revision E numbering system has been kept as far as reasonable)

“2.1 9.4 List of Postulated Initiating Events for PWRs

Design Basis Category 1: Normal Operations

Steady-state, start-up and shutdown conditions:
• Power operation;
• Start-up;
• Hot standby;
• Hot zero power;
• Hot shutdown;
• Cold shutdown;
• Refuelling shutdown; and
• Operation with an inactive loop, if applicable.

Anticipated operating transients:
• Temperature increase and decrease at a maximum rate of 55 °C per hour;
• Step load increase and decrease (10% load);
• Load increase and decrease at a rate of 5% rated load/minute (between 15 and 100% full power); and
• Limiting conditions allowed by the Technical Specifications.

Design Basis Category 2: AOO
• Inadvertent withdrawal of RCCA (Rod Cluster Control Assembly) bank with reactor subcritical;
• Inadvertent withdrawal of RCCA bank with reactor at power;
• Misalignment of control rod assembly or RCCA bank drop;
• Inadvertent boric acid dilution;
• Partial loss of core coolant flow (loss of one reactor coolant pump);
• Inadvertent closure of main steam isolation valve;
• Total loss of load and/or turbine trip;
• Loss of load and switchover to house load operation;
• Loss of main feed water flow to Steam Generators;
• Malfunction of Steam Generator main feedwater system;
• Total loss of off-site power (<2 hours);
• Excess increase in turbine load;
• Temporary depressurisation of Reactor Coolant System (Temporary depressurization or Reactor Coolant System in the inadvertent actuation of the pressurizer spray);
• Spurious opening of Steam Generator safety valve or other secondary side depressurisation caused by a Single Failure;
• Spurious start-up of safety injection system;
• Spurious reactor trip from power state;
• Malfunction of chemical & volume control system;
• Very small loss of reactor coolant (e.g. small instrument line break);
• Loss of main Heat Sink; and
• Loss of fuel pool cooling system (one train) or of a supporting system in power state.

Design Basis Condition 3: DBC-3
• Loss of reactor coolant (small pipe break);
• Small secondary pipe break;
• Forced reduction in reactor coolant flow;
• Mispositioning of a Fuel Assembly in the core;
• Withdrawal of a single RCCA at power;
• Spurious operation of a pressuriser safety valve;
• Rupture of volume control tank;
• Rupture of gaseous waste hold-up tank;
• Failure of liquid waste effluent tank;
• Steam Generator tube rupture (1 tube), without previous iodine spiking;
• Total loss of off-site power (up to 72 hours);
• Failure of a main controller (if not an anticipated event);
• Category 2 event with delayed scram; and
• Loss of spent fuel pool cooling system (one train) or of a supporting system in refuelling state

Design Basis Condition 4: DBC-4
• MSLB;
• Main feedwater line break;
• Reactor coolant pump seizure (locked rotor);
• Reactor coolant pump shaft break;
• Ejection of any single RCCA;
• Loss of reactor coolant due to intermediate break;
• Loss of reactor coolant up to and including double-ended guillotine failure of largest RCS pipe;
• Fuel handling accident; and
• Steam Generator tube rupture (2 tubes in 1 SG) with previous iodine spiking.

Design Extension Conditions: Complex Sequences
• Anticipated transient without scram (ATWS due to mechanical blocking of rods);
• Anticipated transient without scram (ATWS due to failure of Reactor Protection System (RPS));
• Station Black Out (SBO);
• Total loss of feedwater to the Steam Generators (loss of main feedwater and postulated CCF of emergency feedwater);
• Loss of coolant accident with loss of medium/high head safety injection;
• Uncontrolled boron dilution;
• Total loss of Ultimate Heat Sink during Normal Operations;
• Total loss of cooling chain during Normal Operations (loss of CCWS + ESWS);
• Total loss of spent fuel cooling functions during Normal Operations;


Containment Bypass Accidents (without core melt)
• Main steam line break with consequential steam generator tube ruptures (MSLB + SGTR), and
• Interfacing system LOCAs (outside containment boundary)”

“2.1 1.4 Application of Defence in Depth

The design of the plant shall incorporate Defence-in-Depth. The Defence-in-Depth concept shall be applied to provide required levels of defence (as indicated in Table 1 below) that are aimed at:
• preventing consequences of accidents that could lead to harmful effects on people and the environment;
• ensuring that appropriate measures are taken for the protection of people and the environment; and
• the mitigation of consequences in the event that prevention fails.

Table 1: EUR representation of Defence-in-Depth and associated Plant States, based on WENRA and IAEA approaches

(Columns of the original table: Levels of DiD; Objective; Essential means; Radiological safety objectives (1); EUR radiological targets (2); Plant States; Design conditions. Cells that span several levels in the original are repeated for each level.)

Level 1
  Objective: Prevention of abnormal operation and failures
  Essential means: Conservative design and high quality in construction and operation
  Radiological safety objectives (1): O1
  EUR radiological targets (2): Doses to the public during Normal Operation and Anticipated Operational Occurrences (Section 2.1.3.2.2; Discharge targets given in Table 2)
  Plant States: Operational States, Normal Operation
  Design conditions: DBC-1

Level 2
  Objective: Control of abnormal operation and detection of failures
  Essential means: Control, limiting and protection systems and other surveillance features
  Radiological safety objectives (1): O1
  EUR radiological targets (2): Doses to the public during Normal Operation and Anticipated Operational Occurrences (Section 2.1.3.2.2; Discharge targets given in Table 2)
  Plant States: Operational States, Anticipated Operational Occurrences
  Design conditions: DBC-2

Level 3a
  Objective: Control of Design Basis Accidents
  Essential means: Safety Systems and accident procedures
  Radiological safety objectives (1): O2
  EUR radiological targets (2): Targets for Design Basis Accidents given in Appendix B
  Plant States: Accident Conditions, Design Basis Accidents
  Design conditions: DBC-3, DBC-4

Level 3b
  Objective: Control of Complex Sequences & prevention of core melt
  Essential means: Dedicated Safety Features for DEC to prevent core melt and accident procedures
  Radiological safety objectives (1): O2
  EUR radiological targets (2): Target for Complex Sequences given in Appendix B
  Plant States: Accident Conditions, Design Extension Conditions
  Design conditions: Complex Sequences

Level 4
  Objective: Control of accidents with core melt to limit off-site releases
  Essential means: Dedicated Safety Features for DEC to mitigate core melt and accident management
  Radiological safety objectives (1): O3
  EUR radiological targets (2): CLI target for Severe Accidents given in Appendix B
  Plant States: Accident Conditions, Design Extension Conditions
  Design conditions: Severe Accidents

Level 5
  Objective: Mitigation of radiological consequences of significant releases of radioactive material
  Essential means: On-site and Off-site emergency preparedness and response
  Radiological safety objectives (1): _
  EUR radiological targets (2): _
  Plant States: _
  Design conditions: _

(1) See WENRA RHWG Report Safety of new NPP designs, March 2013, for the explanation of safety objectives O1, O2, O3
(2) EUR Radiological targets are defined in accordance with EUR safety objectives given in section 2.1.3.

The design shall take due account of the fact that the existence of multiple levels of defence is not a basis for continued operation in the absence of one level of defence. All levels of Defence-in-Depth shall be kept available at all times and any relaxation shall be justified for specific modes of operation. The design:
• shall be suitably conservative, and the construction shall be of high quality, so as to provide assurance that the likelihood of failures and deviations from Normal Operation are minimised, that accidents are prevented as far as is practicable and that a small deviation in the main plant parameter does not lead to a Cliff Edge Effect;
• shall provide for the control of plant behaviour by means of Inherent Safety Characteristics and engineered features, such that the likelihood of failures and deviations from Normal Operation requiring actuation of Safety Systems are minimised or excluded by design, to the extent possible;
• shall provide for supplementing the control of the plant by means of automatic actuation of Safety Systems, such that the likelihood of failures and deviations from Normal Operation that exceed the capability of control systems can be controlled with a high level of confidence, and the need for operator actions in the early phase of these failures or deviations from Normal Operation is minimised; and
• shall provide for Structures, systems and components (SSCs) and procedures to control the course of and, as far as practicable, to limit the consequences of failures and deviations from Normal Operation that exceed the capability of Safety Systems.

The essential means involved at different levels of Defence-in-Depth shall be independent as far as reasonably practicable to avoid a failure of one level reducing the effectiveness of other levels. The design shall be such as to ensure, as far as is practicable, that the first, or at most the second, level of Defence-in-Depth is capable of preventing an escalation to Accident Conditions for all failures or deviations from Normal Operation that are likely to occur over the operating lifetime of the plant.”

“2.1 9.2 Table 3 Frequencies and general acceptance criteria for plant states

(Columns of the original table: Design Basis Condition; Frequency of PIE (per year); Acceptance criteria, subdivided into General plant acceptance criteria, Fuel and cladding (3), Primary Containment (5), Spent fuel pool, Off-site radioactive releases.)

Design Basis Condition 1
  Frequency of PIE (per year): f > 1 (1)
  General plant acceptance criteria: Plant parameters within Normal Operation range of Technical Specifications. (2)
  Fuel and cladding (3): Fuel rods should operate well below specified fuel design limits.
  Primary Containment (5): No irreversible deformation allowed. The containment structure shall be leak tight, i.e. the leak rate shall be limited to meet the targets for annual discharge.
  Spent fuel pool: Fuel assemblies shall be covered with coolant with sufficient margin. Coolant temperature kept well below boiling conditions (< 50 °C) Fuel assemblies kept subcritical (keff < 0,95).
  Off-site radioactive releases: Negligible radiological impact beyond the immediate vicinity of the plant. The following targets for annual discharge shall be met.

Design Basis Condition 2
  Frequency of PIE (per year): 1 > f > 10⁻²
  General plant acceptance criteria: No failure of Physical Barriers allowed except minor operational leakage. Process parameters within applicable acceptance criteria. (2) No restrictions on return to Power Operation.
  Fuel and cladding (3): No fuel damage allowed. For PWR: The minimum DNBR shall be such that with 95 % probability, with 95 % confidence, DNB does not occur on any fuel rod surface. Fuel centreline temperatures shall not reach melting point for reactivity events. For BWR: The minimum CPR shall be specified such that at least 99.9 % of the fuel rods will not be subjected to transition boiling.
  Primary Containment (5): Same as for Design Basis Condition 1.
  Spent fuel pool: Same as for Design Basis Condition 1.
  Off-site radioactive releases: Negligible radiological impact beyond the immediate vicinity of the plant. Each AOO shall meet the same targets as for Design Basis Condition 1.

Design Basis Condition 3
  Frequency of PIE (per year): 10⁻² > f > 10⁻⁴
  General plant acceptance criteria: The Postulated Initiating Event shall not result in consequential damage of the RCS or result in the loss of a Safety Function. (2) Shutdown of the plant for inspection may be necessary.
  Fuel and cladding (3): No more than minor fuel damage allowed. Less than 5 % of the fuel rods shall experience DNB or CPR.
  Primary Containment (5): Local deformations may be allowed for some events, but structural integrity shall be maintained. The maximum pressure shall not exceed the design pressure for the containment. The leak rate of the Containment System shall be limited to meet the release targets.
  Spent fuel pool: Fuel assemblies shall be covered with coolant with sufficient margin. No boiling allowed (coolant temperature < 80 °C, local temperatures may be higher) Fuel assemblies kept subcritical (keff < 0,95).
  Off-site radioactive releases: No or only minor radiological impact beyond immediate vicinity of the plant. Release targets according to Appendix B shall be met.

Design Basis Condition 4
  Frequency of PIE (per year): 10⁻⁴ > f > 10⁻⁶
  General plant acceptance criteria: The Postulated Initiating Event shall not result in consequential damage of the RCS or result in the loss of a Safety Function. (2) Plant restart may be impossible.
  Fuel and cladding (3): Only limited fuel damage allowed: Less than 10 % of the fuel rods shall experience DNB or CPR. The core geometry shall be maintained in order not to endanger core coolability. For LOCA: Peak clad temperature shall be less than 1204 °C. Local clad oxidation shall be < 17% of original cladding thickness. For fast reactivity increase accidents (at low power): Radial average peak fuel enthalpy at hot spot shall be < 837 kJ/kg. (4)
  Primary Containment (5): Same as for Design Basis Condition 3.
  Spent fuel pool: Same as for Design Basis Condition 3. If part of DBC4 list, the boiling conditions in SFP may be necessary to considered.
  Off-site radioactive releases: No or only minor radiological impact beyond immediate vicinity of the plant. Release targets according to Appendix B shall be met.

Complex Sequences
  Frequency of PIE (per year): 10⁻⁴ > f > 10⁻⁷
  General plant acceptance criteria: The postulated initiating event (including the additional failures) shall not result in consequential damage of the RCS. (2) Plant restart may be impossible.
  Fuel and cladding (3): Only limited fuel damage allowed. The core geometry shall be maintained in order not to endanger core coolability.
  Primary Containment (5): Local deformations may be allowed for some events, but structural integrity shall be maintained. The leak rate of the Containment System shall be limited to meet the release Targets.
  Spent fuel pool: Fuel assemblies shall be covered with coolant with sufficient margin. Potential boiling situations should be considered. Fuel assemblies kept subcritical.
  Off-site radioactive releases: No or only minor radiological impact beyond immediate vicinity of the plant. Release targets according to Appendix B shall be met.

Severe Accidents
  Frequency of PIE (per year): f < 10⁻⁶
  General plant acceptance criteria: Containment integrity shall be maintained.
  Primary Containment (5): Large permanent deformations are allowed as long as structural integrity and leak tightness are sufficiently maintained to meet the release Targets.
  Spent fuel pool: Accident sequences leading to failure of the fuel in the spent fuel pool shall be Practically Eliminated
  Off-site radioactive releases: Only limited protective measures in area and time shall be needed for the public. The Criteria for Limited Impact shall be met.

(1) Excluding refuelling which can vary according to 12, 18 or 24 month fuel cycle.
(2) The load combinations and acceptance criteria for structures, systems and components, in particular mechanical equipment, will be in accordance with Chapter 2.4 Section 2.4.5.
(3) Detailed requirements on core performance and fuel requirements according to Chapter 2.2 will also be met.
(4) This limit may need to be reduced for high burn-up fuel.
(5) Detailed requirements on load combinations and acceptance criteria according to Chapter 2.9 will also be met, in particular according to Chapter 2.9 Section 2.9.3.1.4.5.3 (PWR) and Chapter 2.9 Section 2.9.3.1.4.5.4 (BWR)”

“2.1 B.3.1 Table B1 - DBC3 and 4 release targets for no or only minor off-site radiological impact beyond 800 m from the reactor

Isotope group    Coefficients (Sv/TBq) for ground level releases Cig    Coefficients (Sv/TBq) for elevated releases Cie
Xe133            5.0 × 10⁻⁹                                              9.1 × 10⁻¹⁰
I131             4.5 × 10⁻⁵                                              2.8 × 10⁻⁶
Cs137            7.8 × 10⁻⁴                                              4.9 × 10⁻⁵

The EUR methodology-specific acceptance dose criteria for the targets are:

• for DBC Category 3:

$$\sum_{i=1}^{n} R_{ig} \times C_{ig,\mathrm{Target}} + R_{ie} \times C_{ie,\mathrm{Target}} < 1 \cdot 10^{-3}\ \text{Sv}$$

• for DBC Category 4:

$$\sum_{i=1}^{n} R_{ig} \times C_{ig,\mathrm{Target}} + R_{ie} \times C_{ie,\mathrm{Target}} < 5 \cdot 10^{-3}\ \text{Sv}$$

2.1 B.3.2 Table B2 DBA release targets for very limited restrictions on foodstuff consumption

For the limitation of areas impacted by food marketing restrictions in DBA, release targets to the atmosphere shall be set. These release targets are more stringent than those given for Severe Accidents to minimise the impacted area. Targets set for ground and elevated releases and for two reference isotopes, I131 and Cs137, are as follows:

Isotope    Target for ground level release TBq    Target for elevated level release TBq
I131       4.4                                    73
Cs137      0.5                                    7.9

If only ground or elevated release occurs, the target shall be checked for each reference isotope and only for the related release path. If both ground level and elevated releases occur, a combination of limit percentages for each isotope shall be assessed. The method consists in estimating, for each isotope and for each release path, the percentage of release with respect to the target. To satisfy the target, the sum of those percentages, for each reference isotope, shall be lower than 100% value. The same targets shall be applied to both Design Basis Condition 3 and Design Basis Condition 4.

2.1 B.4 Release Targets for Accident without core melt Complex Sequences

Respectively as presented in Section 2.1 B.2 for DBA, in the case of Complex Sequences the design target that shall be applied is derived from the following generic safety objective for all accidents without core melt: No or only minor off-site radiological impact

The target of Complex Sequences shall be verified according to a combination methodology similar to the one developed for the first four Criteria for Limited Impact of Severe Accidents:
• the releases from the plant are broken down into 3 reference isotope groups; and
• these releases are combined and compared with one criterion.

The coefficients presented in the Table B3 below are valid insofar no Core Damage occurs during the considered accidents, while evaluated with realistic methodologies. These coefficients shall be applicable to all DBC and Complex Sequences, related to core and RCS.

2.1 B.4.1 Table B3 Complex Sequences release targets

Isotope group    Coefficients (Sv/TBq) for ground level releases Cig    Coefficients (Sv/TBq) for elevated releases Cie
Xe133            5.0 × 10⁻⁹                                              9.1 × 10⁻¹⁰
I131             4.5 × 10⁻⁵                                              2.8 × 10⁻⁶
Cs137            7.8 × 10⁻⁴                                              4.9 × 10⁻⁵


The EUR methodology-specific acceptance dose criteria for the targets are:

• for Complex Sequences:

$$\sum_{i=1}^{n} R_{ig} \times C_{ig,\mathrm{Target}} + R_{ie} \times C_{ie,\mathrm{Target}} < 10 \times 10^{-3}\ \text{Sv}$$

2.1 B.5 Criteria for limited impact for Severe Accidents

The Criteria for Limited Impact are set as acceptance criteria for a number of Severe Accidents and for probabilistic safety assessment studies. The following Sections define the methodology to assess the acceptability of the releases from a specific design vs. the Criteria for Limited Impact. The Criteria for Limited Impact includes five different design targets:

1. no Evacuation Action beyond 3 km;
2. no Sheltering Action beyond 5 km;
3. no Iodine Prophylaxis action beyond 5 km; and
4. no Long Term Action beyond 800 m.
5. limited food restrictions.

Each of the targets (1) to (4) shall be verified independently according to the following methodology:

• the releases from the plant to the atmosphere are broken down into the 9 (Targets (1), (2) and (4)) or 1 (Target (3)) reference isotope group(s); and
• these releases are combined and compared with one criterion according to the following formula:

$$\sum_{i=1}^{n} \left( R_{ig} \times C_{ig,\mathrm{Target}} + R_{ie} \times C_{ie,\mathrm{Target}} \right) < \text{Dose criterion}_{\mathrm{Target}}$$

In the linear combination formula:

• $R_{ig}$ and $R_{ie}$ are the total environmental releases (at ground and elevated level) of the nine reference isotopes during the release period from the Containment System;
• $C_{ig,\mathrm{Target}}$ and $C_{ie,\mathrm{Target}}$ are the coefficients given in Tables B4, B5, B6, B7 below, related to environmental effects of unitary releases;
• Dose criterion Target is the EUR methodology specific criterion which is expressed separately for each target in a form of dose limit [Sv]. For the targets (1), (2) and (4) the dose criterion is expressed in effective dose and for target (3) the dose is equivalent dose for thyroid.

For the fifth target, only 2 reference isotopes are given. Each isotope target shall be considered as an independent criterion.

Releases shall be calculated by the Designer for the RST, as required in Appendix A of Chapter 2.1, and for the PSA release categories, as required in Chapter 2.17. Timing and quantities of the releases of the 9 reference isotopes listed below, as representative of their groups shall be derived.

The coefficients have been determined on the assumption that other isotopes in the same group will be released with the same release fraction and that the core inventories are typical of a PWR with a fuel cycle of about 18 to 24 months. Isotopes in the 9 groups have been considered according to generally accepted criteria.

Coefficients for elevated releases have been determined with reference to releases occurring from a stack of about 100 m height. Higher stacks will reduce the effects at short distances and, therefore, the results will be conservative for the ranges under consideration. If a lower stack is provided, special considerations shall be agreed with the Utilities. The coefficients for ground level releases shall be applied to non-stack releases from a height less than 100 m.

The coefficients and release Targets are determined based on assumption that the release (linear) will last at least 24 hours, if the release will occur more rapidly, special considerations how to adjust the figures presented in Tables B4, B5, B6, B7, B8 shall be agreed with the Utilities.

2.1 B.5.1 Table B4 Criteria for Limited Impact for no Evacuation Action beyond 3 km from the reactor

| Isotope group | Coefficients (Sv/TBq) for ground level releases $C_{ig}$ | Coefficients (Sv/TBq) for elevated releases $C_{ie}$ |
|---|---|---|
| Xe133 | $9.0 \times 10^{-9}$ | $2.1 \times 10^{-9}$ |
| I131 | $4.6 \times 10^{-6}$ | $6.5 \times 10^{-7}$ |
| Cs137 | $1.1 \times 10^{-5}$ | $9.4 \times 10^{-7}$ |
| Te131m | $1.9 \times 10^{-5}$ | $1.8 \times 10^{-6}$ |
| Sr90 | $2.2 \times 10^{-5}$ | $1.8 \times 10^{-6}$ |
| Ru103 | $1.6 \times 10^{-5}$ | $1.2 \times 10^{-6}$ |
| La140 | $1.4 \times 10^{-4}$ | $1.1 \times 10^{-5}$ |
| Ce141 | $6.6 \times 10^{-5}$ | $5.2 \times 10^{-6}$ |
| Ba140 | $1.3 \times 10^{-6}$ | $1.3 \times 10^{-7}$ |

The EUR methodology-specific acceptance dose criterion for the target is:

$$\sum_{i=1}^{n} \left( R_{ig} \times C_{ig,\mathrm{Target}} + R_{ie} \times C_{ie,\mathrm{Target}} \right) < 5 \cdot 10^{-2}\ \mathrm{Sv}$$

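2.1 B.5.2 Criteria for Limited Impact for no Sheltering Action beyond 5 km from the Reactor

| Isotope group | Coefficients (Sv/TBq) for ground level releases $C_{ig}$ | Coefficients (Sv/TBq) for elevated releases $C_{ie}$ |
|---|---|---|
| Xe133 | $4.0 \times 10^{-9}$ | $1.1 \times 10^{-9}$ |
| I131 | $1.6 \times 10^{-6}$ | $3.1 \times 10^{-7}$ |
| Cs137 | $3.7 \times 10^{-6}$ | $4.5 \times 10^{-7}$ |
| Te131m | $6.4 \times 10^{-6}$ | $7.6 \times 10^{-7}$ |
| Sr90 | $8.5 \times 10^{-6}$ | $9.6 \times 10^{-7}$ |
| Ru103 | $5.7 \times 10^{-6}$ | $6.5 \times 10^{-7}$ |
| La140 | $5.0 \times 10^{-5}$ | $5.8 \times 10^{-6}$ |
| Ce141 | $2.4 \times 10^{-5}$ | $2.7 \times 10^{-6}$ |
| Ba140 | $3.2 \times 10^{-7}$ | $4.1 \times 10^{-8}$ |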


The EUR methodology-specific acceptance dose criterion for the target is:

$$\sum_{i=1}^{n} \left( R_{ig} \times C_{ig,\mathrm{Target}} + R_{ie} \times C_{ie,\mathrm{Target}} \right) < 1 \cdot 10^{-2}\ \mathrm{Sv}$$

2.1 B.5.3 Table B6 Criteria for Limited Impact for no Iodine prophylaxis Actions beyond 5 km from the reactor

| Isotope group | Coefficients (Sv/TBq) for ground level releases $C_{ig}$ | Coefficients (Sv/TBq) for elevated releases $C_{ie}$ |
|---|---|---|
| I131 | $3.0 \times 10^{-5}$ | $5.6 \times 10^{-6}$ |

The EUR methodology-specific acceptance dose criterion for the target is:

$$\sum_{i=1}^{n} \left( R_{ig} \times C_{ig,\mathrm{Target}} + R_{ie} \times C_{ie,\mathrm{Target}} \right) < 1 \cdot 10^{-2}\ \mathrm{Sv}$$

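2.1 B.5.4 Table B7 Criteria for Limited Impact for no Long Term Actions beyond 800 m from the reactor

| Isotope group | Coefficients (Sv/TBq) for ground level releases $C_{ig}$ | Coefficients (Sv/TBq) for elevated releases $C_{ie}$ |
|---|---|---|
| Xe133 | 0 | 0 |
| I131 | $1.2 \times 10^{-5}$ | $7.7 \times 10^{-7}$ |
| Cs137 | $7.2 \times 10^{-4}$ | $4.6 \times 10^{-5}$ |
| Te131m | $2.8 \times 10^{-5}$ | $1.7 \times 10^{-6}$ |
| Sr90 | $1.4 \times 10^{-7}$ | $1.5 \times 10^{-8}$ |
| Ru103 | $1.6 \times 10^{-5}$ | $9.8 \times 10^{-7}$ |
| La140 | $4.1 \times 10^{-5}$ | $2.5 \times 10^{-6}$ |
| Ce141 | $6.1 \times 10^{-6}$ | $3.9 \times 10^{-7}$ |
| Ba140 | $1.2 \times 10^{-5}$ | $7.7 \times 10^{-7}$ |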

The EUR methodology-specific acceptance dose criterion for the target is:

$$\sum_{i=1}^{n} \left( R_{ig} \times C_{ig,\mathrm{Target}} + R_{ie} \times C_{ie,\mathrm{Target}} \right) < 1 \cdot 10^{-1}\ \mathrm{Sv}$$

2.1 B.5.5 Table B8 Criteria for Limited Food Restrictions

For each reference isotope, the sum of ground and elevated releases during the entire release time shall be compared with each of the reference values indicated in the following table:

| Isotope | Target (TBq) |
|---|---|
| Cs137 | 2800 |
| Sr90 | 400 |
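The verification described in Section 2.1 B.5, carried through for all five targets, as an added example that is not part of the EUR text or of the book. The coefficients and criteria are transcribed from the tables above (exponents read as negative powers of ten); the release figures are constructed, and the strict "less than" used for the food-restriction comparison is an assumption.

```python
"""Added example: check a release against the EUR Criteria for Limited Impact."""

ISOTOPES = ("Xe133", "I131", "Cs137", "Te131m", "Sr90",
            "Ru103", "La140", "Ce141", "Ba140")


def table(ground, elevated, isotopes=ISOTOPES):
    """Build {isotope: (C_ig, C_ie)} in Sv/TBq from two coefficient columns."""
    return {iso: (g, e) for iso, g, e in zip(isotopes, ground, elevated)}


# Targets (1) to (4): (coefficients, dose criterion in Sv), taken from the four
# coefficient tables of Section 2.1 B.5 in the order they appear on the page.
TARGETS = {
    "no evacuation beyond 3 km": (table(
        (9.0e-9, 4.6e-6, 1.1e-5, 1.9e-5, 2.2e-5, 1.6e-5, 1.4e-4, 6.6e-5, 1.3e-6),
        (2.1e-9, 6.5e-7, 9.4e-7, 1.8e-6, 1.8e-6, 1.2e-6, 1.1e-5, 5.2e-6, 1.3e-7)),
        5e-2),
    "no sheltering beyond 5 km": (table(
        (4.0e-9, 1.6e-6, 3.7e-6, 6.4e-6, 8.5e-6, 5.7e-6, 5.0e-5, 2.4e-5, 3.2e-7),
        (1.1e-9, 3.1e-7, 4.5e-7, 7.6e-7, 9.6e-7, 6.5e-7, 5.8e-6, 2.7e-6, 4.1e-8)),
        1e-2),
    # Single isotope group; the criterion is an equivalent dose to the thyroid.
    "no iodine prophylaxis beyond 5 km": (table(
        (3.0e-5,), (5.6e-6,), isotopes=("I131",)), 1e-2),
    "no long term action beyond 800 m": (table(
        (0.0, 1.2e-5, 7.2e-4, 2.8e-5, 1.4e-7, 1.6e-5, 4.1e-5, 6.1e-6, 1.2e-5),
        (0.0, 7.7e-7, 4.6e-5, 1.7e-6, 1.5e-8, 9.8e-7, 2.5e-6, 3.9e-7, 7.7e-7)),
        1e-1),
}

# Target (5), limited food restrictions: limit on ground + elevated release [TBq].
FOOD_LIMITS_TBQ = {"Cs137": 2800.0, "Sr90": 400.0}


def validate(release):
    """release maps isotope -> (R_ig, R_ie) in TBq; reject anything else."""
    for iso, pair in release.items():
        if iso not in ISOTOPES:
            raise ValueError(f"{iso} is not one of the 9 reference isotopes")
        if len(pair) != 2 or min(pair) < 0:
            raise ValueError(f"{iso}: need two non-negative releases (ground, elevated)")


def weighted_dose(release, coeffs):
    """Sum over the isotope groups of R_ig*C_ig + R_ie*C_ie, in Sv."""
    total = 0.0
    for iso, (c_ground, c_elevated) in coeffs.items():
        r_ground, r_elevated = release.get(iso, (0.0, 0.0))
        total += r_ground * c_ground + r_elevated * c_elevated
    return total


def check_cli(release):
    """Verify each target independently; returns {target: {value, limit, ok}}."""
    validate(release)
    results = {}
    for name, (coeffs, criterion) in TARGETS.items():
        dose = weighted_dose(release, coeffs)
        results[name] = {"value": dose, "limit": criterion, "ok": dose < criterion}
    for iso, limit in FOOD_LIMITS_TBQ.items():
        total = sum(release.get(iso, (0.0, 0.0)))
        # Assumption: "compared with" is taken to mean strictly below the target.
        results[f"food restrictions ({iso})"] = {
            "value": total, "limit": limit, "ok": total < limit}
    return results


def failed_targets(release):
    """Names of the targets the release does not meet, in evaluation order."""
    return [name for name, r in check_cli(release).items() if not r["ok"]]


# Constructed release figures (TBq), for illustration only: (ground, elevated).
SAMPLE_RELEASE = {
    "Xe133": (0.0, 1.0e5),
    "I131": (100.0, 1000.0),
    "Cs137": (10.0, 100.0),
    "Sr90": (1.0, 10.0),
}
# Same release with the ground-level iodine doubled (also constructed).
MORE_IODINE = dict(SAMPLE_RELEASE, I131=(200.0, 1000.0))

if __name__ == "__main__":
    for label, release in (("sample", SAMPLE_RELEASE), ("more iodine", MORE_IODINE)):
        print(label)
        for name, r in check_cli(release).items():
            verdict = "met" if r["ok"] else "NOT met"
            print(f"  {name}: {r['value']:.4g} against {r['limit']:.4g} -> {verdict}")
```

Doubling the ground-level iodine release leaves the evacuation, sheltering and long-term targets satisfied but breaks the iodine prophylaxis target, which is why each target has to be verified on its own.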


(The Criteria for Limited Food Restrictions is defined according to WENRA’s safety objective O3 and its requirement on avoidance of long term restrictions in food consumption after accidents with core melt. The criteria are determined in accordance of WENRA’s Reactor Harmonization Working Groups position and interpretation guidance on that specific objective, which after the targets are defined with European Commission’s maximum allowed concentrations for foodstuffs. The targets and objectives of this criterion differ from those targets which were intended to limit restrictions on the consumption of foodstuff and crops in earlier EUR revisions. It can be noticed that especially for the Cs137 isotope more demanding release limits can most likely be derived from other CLI (Criteria for Limited Impact) targets, than what is set here based on the criteria for limited food restrictions. However, the target for Cs137 derived from WENRA’s safety objective O3 and European Commission’s maximum foodstuff criteria is still positioned here in order to be consistent with the WENRA’s safety objective).”

“2.1 3.2 Radiological impact during Normal Operation and Incident Conditions

The ultimate criteria are for radiation doses to individual members of the public and to population groups living near the site. For design purposes, the requirements for Normal Operation and Anticipated Operational Occurrences are specified in terms of radiological discharges and doses expressed in mSv/y.

2.1 3.2.1 Radioactive discharge criteria

The discharges shall be reduced to levels, which are ALARA. In assessing means of achieving these targets (Table 2), account shall be taken of best current achievements for fuel failure rates, reactor coolant activity levels, Reactor Coolant System (RCS) leak rates, etc. The design shall be assessed realistically against these targets assuming expected plant performance not less than those corresponding to best current operating plant achievements. The annual discharges shall take into account the releases from Anticipated Operational Occurrences to meet the targets set in Table 2.

2.1 3.2.2 Doses to the public during Normal Operation and Anticipated operational occurrences

The target for public exposure during Normal Operation and Anticipated Operational Occurrences shall be 0,3 mSv/year per Site. This target is independent from plant Rated Power. The value of 0,3 mSv/year represents an objective of performance in line with ALARA concept. The methodology used by the designer for assessing the doses to the public in Normal Operation and Anticipated Operational Occurrences shall take into consideration all the possible pathways (ingestion, inhalation, deposit, direct radiation) and be applied to the most sensitive population.”

“2.1 6.3.1 Single Failure criteria

(A Single Failure is a failure that results in the loss of capability of a component to contribute to the fulfilment of the dedicated Safety Function(s) and any consequential failure(s) of components and systems that result from it. The Single Failure Criterion is a criterion (or requirement) applied to a system such that it must be capable of performing its task in the presence of any Single Failure.)

The Single Failure Criterion shall be applied to any system designated to perform actions required for a particular postulated initiating event to ensure that the limits specified in the design basis for Anticipated Operational Occurrences and Design Basis Accidents are not exceeded.


The design shall take due account of the failure of a Passive Component, unless it has been justified in the Single Failure analysis with a high level of confidence that a failure of that component is very unlikely and that its function would remain unaffected by the postulated initiating event. Operator errors shall not be considered as a Single Failure. Automatic provisions shall be provided where prompt and reliable Operator actions would be required in the event of any Internal Hazard or External Hazard.

Spurious action shall be considered to be one mode of failure when applying the Single Failure Criterion. The Designer shall implement specific design provisions to avoid and inhibit spurious actuations of plant automation unless probabilistic arguments can be deployed to show it to be unreasonable. The Designer shall provide an assessment of such provisions (permissives, interlocks, priority Rules among signals, voting logic principles, etc.) implemented in Instrumentation and Control (I&C) and human-machine interface system (HMI(S)) design.

Components may be withdrawn from service for repair, periodic maintenance or testing. During this limited period, the combined frequency of Postulated Initiating Event and loss of Safety Function or the effect on the system’s capability to perform its Safety Function shall be demonstrated to be low enough in order not to consider the Single Failure Criterion.”

“Fundamental Safety Functions

1. control of reactivity;
2. removal of heat from the reactor and from the fuel store; and
3. confinement of radioactive material, shielding against radiation and control of planned radioactive releases, as well as limitation of accidental radioactive releases.”

“2.1 5 SAFETY CLASSIFICATION

2.1 5.1 Categorisation of Safety Functions and Classification of SSCs

Terminology “Items important to safety” mentioned in chapter 2.1 is equivalent to “Safety classified SSCs” defined by the categorisation and classification process outlined below.

The Designer shall define a methodology for the safety categorisation and classification process. The process shall provide a systematic and consistent approach for all the organisations involved in the design process.

2.1 5.1.1 Introduction

The safety categorisation and classification shall be carried out by the Plant Designer on the following basis:

• Definition of all functions required for fulfilling Fundamental Safety Functions for all Plant States during the lifetime of a nuclear power plant;
• Categorisation of functions in accordance with their safety significance;
• Identification of SSCs involved in each function;
• Assignment of each SSC to a Safety Class, according to the highest safety category of the function it has to perform; and
• Definition of a set of engineering design rules and requirements proportional to the safety classification of the SSCs.


If the Designer has developed a different safety classification approach than the one required in the following Section, the Designer shall demonstrate the equivalence of its safety classification system with the EUR safety classification principles. Classification of SSCs shall be based primarily on deterministic methods, complemented, where appropriate, with probabilistic methods and engineering judgement.

2.1 5.1.2 Categories of safety functions

Each Safety Function shall be assigned to one of three safety categories. Safety Functions shall be identified and categorised for all Plant States, including all modes of normal operation, fault scenarios and hazard conditions, during the lifetime of a nuclear power plant. The categorisation of Safety Functions shall take into account the following factors of safety significance:

• The consequences of failure to perform the function;
• The frequency of occurrence of the Postulated Initiating Event for which the function will be called upon; and
• The significance of the contribution of the function in reaching and maintaining either a Controlled State or a Safe State.

According to the above criteria and taking into account the definitions of Plant States the following categories of functions shall be applied. The significance of the contribution of the function in reaching and maintaining either a Controlled State or a Safe State should be informed by the timescale within which the safety function is required to perform as follows:


(a) Cat.2 functions can be credited if it is demonstrated that the consequences of their failure are of “medium severity”
(b) Cat.3 functions can be credited if it is demonstrated that the consequences of their failure are of “medium severity”
(c) Cat.2 if the function is designed to provide a backup of a Cat.1 function; Cat.3 in other cases.

2.1 5.1.2.1 Safety Category 1 Functions

Any function that is required to reach the Controlled State after Design Basis Conditions 2, 3 and 4 and whose failure, when challenged, would result in consequences of “high” severity shall be assigned to Safety Category 1. The severity shall be considered “high” if failure of the function could:

• Lead to a release of radioactive material that exceeds the limits for Design Basis Conditions 4 (or the equivalent limit accepted by the regulatory body); or
• Cause the values of key physical parameters to exceed acceptance criteria for Design Basis Conditions 4.

2.1 5.1.2.2 Safety Category 2 Functions

To Safety Category 2 shall be assigned:

• Any function that is required to reach a Controlled State after a Design Basis Conditions 2, 3 and 4 and whose failure, when challenged, would result in consequences of “medium” severity;
• Any function that is required to reach and maintain for a long time (See 2.1.5.1.2.A1) a Safe State after a Design Basis Conditions 2, 3 and 4 and whose failure, when challenged, would result in consequences of ‘high’ severity; and
• Any function that is designed to provide a backup of a function categorised in Safety Category 1 and that is required either to control Complex Sequences.

The severity shall be considered “medium” if failure of the function could:

• Lead to a release of radioactive material that exceeds limits established for Design Basis Conditions 2, or
• Cause the values of key physical parameters to exceed the design limits for Design Basis Conditions 2.

2.1 5.1.2.3 Safety Category 3 Functions

To Safety Category 3 shall be assigned:

• Any function that is actuated in the event of a Design Basis Condition 2-4 and whose failure, when challenged, would result in consequences of “low” severity;
• Any function that is required to reach and maintain for a long time a Safe State after a Design Basis Conditions 2, 3 and 4 and whose failure, when challenged, would result in consequences of “medium” severity;
• Any function that is required to mitigate the consequences of Complex Sequences, unless already required to be categorised in Safety Category 2, and whose failure, when challenged, would result in consequences of “high” severity;
• Any function that is required to mitigate the consequences of Severe Accidents, to meet the safety objectives for accidents with core melt;
• Any function that is designed to reduce the actuation frequency of the reactor trip or Safety Systems in the event of a deviation from Normal Operation, including those designed to maintain the main plant parameters within the normal range of operation of the plant;
• Any function relating to the monitoring needed to provide plant staff and off-site emergency services with a sufficient set of reliable information in the event of an accident (DBC 3 and 4, also Complex Sequences and Severe Accidents) including monitoring and communication means as part of the emergency response plan (Defence-in-Depth level 5), unless already assigned to a higher category; and
• SSCs for Practical Elimination.

The severity shall be considered “low” if failure of the function could, at worst lead to doses to workers above authorized limits.

2.1 5.1.3 Design Provisions

The Designer shall identify Design Provisions specifically designed for use in Normal Operation and on the reliability of which plant safety is highly dependent. Design provisions shall be directly classified according to the severity of consequences of their failures:

• Safety class 1 - Any SSC whose failure would lead to consequences of “high” severity;
• Safety class 2 - Any SSC whose failure would lead to consequences of “medium” severity;
• Safety class 3 - Any SSC whose failure would lead to consequences of “low” severity.

2.1 5.1.4 Assignment of a Safety Class to SSC (Structures, Systems and Components)

All SSCs important to safety shall be identified and be classified on the basis of their function and their safety significance. The Designer shall assign to each SSC an appropriate Safety Class, according to the highest category of the Safety Function it performs as follows:

• Safety Category 1 function - Safety Class 1 SSCs
• Safety Category 2 function - Safety Class 2 SSCs
• Safety Category 3 function - Safety Class 3 SSCs

Any SSC whose failure could challenge the assumptions made in the hazard analysis should be assigned to Safety Class 3 at the very least.

Each safety classified SSC shall be analysed to define which component or structure shall be classified according to the safety function the component or structure contributes to. This analysis shall also consider if any component or structure of the classified SSC could impact the delivery of a categorised Safety Function; these components or structures shall then be classified accordingly.

Auxiliary SSCs that support a classified SSC shall also have the same classification of the SSC they support. Where the supporting SSC is not required to provide continuous support a lower classification can be justified considering its role in reaching and maintaining the Controlled State or Safe State.

The classification of SSCs shall be an iterative process which is to be reviewed periodically during the design, construction and commissioning phases. The classification of SSCs shall also be reviewed during the lifetime of the plant when any design modification or identification of new PIE or function occurs.

The classification of the SSCs involved in processes related to radioactive materials in Normal Operation, such as fuel handling or management of Radioactive Waste, shall be carried out according to the approach defined for Design Provisions.

2.1 5.1.5 Requirements on SSCs according to Safety Class

Engineering design rules and requirements, based on the relevant national or international codes, standards and proven engineering practices, shall be defined and systematically applied to the design of SSCs. These rules and requirements shall ensure that:

• frequent Postulated Initiating Events yield little or no adverse radiological consequences; and
• extreme events (those having the potential for the greatest consequences) have very low probability of occurrence.

The engineering design rules and requirements shall ensure that the SSCs will be designed, manufactured, constructed, installed, commissioned, operated, tested, inspected and maintained to appropriate quality standards. These engineering design rules and requirements shall be proportionate to the SSC Safety Class to ensure that the appropriate level of quality and reliability is achieved. These rules and requirements shall be justified by the Designer. The design rules and requirements for classified SSCs shall be informed by the level of Defence-in-Depth (See Section 2.1.1.4) they support. Typical design requirements for Classified systems and components are outlined below:

| Design Requirement | Safety Class of system: 1 | 2 | 3 (c) |
|---|---|---|---|
| Single Failure Criterion | Yes | Yes (a) | No (d) |
| Physical & electrical Separation | Yes | Yes (b) | Yes for redundant equipment only |
| Emergency power supply | Yes | Yes | Yes |
| Periodic tests | Yes | Yes | Yes |

a) This requirement is not applied to systems identified to support DEC scenarios and designed as a backup of a safety class 1 system which provides an alternative means to accomplish the same safety function as that performed by the safety class 1 system. The reliability of such system should be adequate to meet the total Core Damage Frequency (CDF) target. However, I&C systems designed as a backup to safety class 1 I&C systems may require the redundancy to be applied to prevent spurious actuation (e.g. for the diverse actuation system).

b) This requirement is only applicable to safety class 2 systems which are:
• required to reach and maintain the Safe State; or
• required in DEC scenarios and identified as a backup of a system assigned in safety class 1.

c) The requirements for safety class 3 systems which are not required to meet the acceptance criteria established for DBAs or DECs but are important to safety shall be determined based on specific functional analysis.

d) Compliance with the single failure criterion is not required in DEC. However, active components may require redundancy to achieve the reliability expected for the function performed by the system (e.g. active components of systems required to preserve the containment integrity in case of a Severe Accident with core melt).

All safety classified design provisions, structures, systems and components (SSCs) shall apply the following design requirements:

• In-Service Inspections/ periodic tests;
• protection against or designed to withstand the identified hazards which the SSCs will be exposed to and during and after which they are required to maintain the categorised safety function;
• the qualification against the harsh ambient conditions which the SSCs will be exposed to and during and after which they are required to maintain their categorised safety functions; and
• quality assurance, proportionate to the classification level.

2.1 5.1.6 Classification of SSCs according to the design and construction codes

The Designer shall assign each Safety Class 1 and 2 structure and piece of equipment (mechanical, electrical, I&C) to an appropriate class of the nuclear design and construction codes to which the item is being designed and constructed.

2.1 5.1.7 Environmental conditions resistance levels

All safety classified SSCs shall be designed, constructed and, where appropriate, qualified to withstand the effects of the hazards and environmental conditions to which the SSCs will be exposed to and during and after which they are required to maintain their categorised Safety Functions.

2.1 5.7.1 Requirements for hazards and environmental conditions resistance

Requirements for hazards and environmental conditions resistance shall be assigned to SSCs in a systematic and consistent manner taking into account their role during and after a hazard and/or DBC 2-4 and DEC, thus their safety significance. All SSCs shall be subject to one of the following levels of requirements:

• Environmental condition resistance level 1;
• Environmental condition resistance level 2;
• Environmental condition resistance level S; and
• Environmental condition resistance level N.

2.1 5.1.7.1.1 Environmental conditions resistance level 1

Environmental Condition Resistance Level 1 shall be applied to:

• All SSCs which are required to remain functionally operable and/or structurally intact in DBC 2-4;
• All SSCs which are required, in case of DBEH conditions, to meet the Safety Objective for accidents without core melt; and
• All SSCs which are required, in case of Complex Sequence which is not initiated by a Rare and Severe External Hazard (RSEH).

Such SSCs shall be either protected from or shall be designed, constructed and qualified with appropriated margins to withstand:

• the effects of the environmental conditions (P, T, ...) for which they are required; and
• the effects of the DBEH to be considered.

The different sublevel of requirements shall be assigned for SSCs:

• that must remain functionally operable;
• that must remain functionally operable and must not operate spuriously in a manner detrimental to safety;
• that must not operate spuriously in a manner detrimental to safety; and
• whose operational failure in any mode is not detrimental to safety, but which must retain its pressure boundary function and/or leaktightness.

2.1 5.7.1.2 Environmental conditions resistance level 2

Environmental Condition Resistance Level 2 shall apply to:

• SSCs required, in case of Severe Accidents or Rare and Severe External Hazards, to meet the safety objective for Accidents with Core melt; and
• SSCs required for Complex Sequences initiated by Rare and Severe External Hazards.

SSCs required in case of Severe Accidents and Complex Sequences initiated by a Rare and Severe External Hazards (RSEH) shall be:

• designed, constructed and qualified with appropriated margins to withstand the effects of the environmental conditions (P, T, ...) for which they are required;
• designed, constructed and qualified with appropriated margins at a DBEH magnitude for hazards to be considered; and
• verified to have sufficient margins to withstand the effects the Rare and Severe External Hazards to be considered.

The different sublevel of requirements shall be assigned to SSC:

• that must remain functionally operable;
• that must remain functionally operable and must not operate spuriously in a manner detrimental to safety;
• that must not operate spuriously in a manner detrimental to safety; and
• whose operational failure in any mode is not detrimental to safety, but which must retain its pressure boundary function and/or leak tightness.

2.1 5.1.7.1.3 Environmental conditions resistance level S

SSCs which themselves are not required to remain operable or structurally intact, but whose failure could prevent SSC assigned to Environmental Condition Resistance Level 1 and Environmental Condition Resistance level 2 from functioning as designed shall be subject to Environmental Condition Resistance Level S. Such SSCs shall be designed, constructed and verified to prevent their failure from impairing the functioning of SSC which are subject to Environmental Condition Resistance Level 1 or Environmental Condition Resistance Level 2.

2.1 5.1.7.1.4 Environmental conditions resistance level N

All SSCs, which are not subject to any of the environmental condition resistance levels described above, shall be subject to Environmental Condition Resistance Level N. Such SSC shall be designed and constructed to operational environmental conditions and level of hazards.”

“2.1 6.8 Non permanent Equipment

2.1 6.8.1 Scope

Non-Permanent Equipment can be considered in the safety analysis of the plant as robustness provision. Non-Permanent Equipment consists of two main categories:

• Off-site Non-Permanent Equipment that are stored outside of the site in a location far enough from the Site so as not to be affected by the initiating events or hazards; and
• On-site Non-Permanent Equipment that are stored in a location surrounded by the site boundary fences.

On-site Non-Permanent Equipment are identified as “light” or “heavy” Non-Permanent Equipment. Light Non-Permanent Equipment are stored in a place as close as possible to their final position, usually in the same building (and if possible in the same room) or in a dedicated bunkerised building. They are usually portable by a single member of the plant personnel or by the required minimum available team. Heavy Non-Permanent Equipment can be stored in another building and/or their weight is such that their transport to the final position requires a large handling device or a large plant personnel team.

2.1 6.8.2 General

In order to assure reliability and availability of the Non-Permanent Equipment, the Site should have sufficient equipment to address all required functions at all Units on site, plus one additional spare, i.e. an N + 1 capability, where N is the number of Units on-site. The Non-Permanent Equipment should be subjected to the start-up test programme to verify the performance conforms to the requirements established by the Designer. The Non-Permanent Equipment shall be maintained, inspected and tested to ensure that they are in satisfactory conditions to fulfil the functions they are expected to perform.”

“2.1 6.8.5 Connection points for Non-Permanent Equipment

Provision should be made in plant design to provide multiple (i.e. N + 1), accessible, simple and redundant connection points for Non-Permanent Equipment identified in Accident Management Procedures.


The Designer shall provide a complete list of all connections points which enables the use of Non-Permanent Equipment in Accident Conditions. The design shall at least have the provisions for Non-Permanent Equipment which enable the use of existing safety equipment to:

• restore the necessary electrical power supply;
• restore the containment cooling; and
• assure SFP cooling and inventory.

Connection points shall be designed to minimise radiation exposure during the connection. The environmental and seismic qualification of connection points shall demonstrate the ability to perform their required function in Accident Conditions, DBEH and applicable RSEH. Connection points shall be maintained, inspected and tested to ensure that they will be operable in Accident Conditions, DBEH and RSEH. Connection points shall be accessible under Accident Conditions and applicable rare and severe natural Hazards given radiation levels and potential impact of debris and solids. The mechanical and electrical interface of connection points shall be standardised and compatible with on-site and off-site Non-Permanent Equipment.”

REFERENCE

EUR Training course, 2017. 10–12 October, Budapest (text of the Course in Internet, Look for: “EUR UTILITY REQUIREMENTS Open Documentation”).

APPENDIX 7 NOTES ON FRACTURE MECHANICS

A7.1 INTRODUCTION

The field of fracture mechanics has progressed a long way since the first study by A.A. Griffith (1893–1963). It is useful to recall the simple yet brilliant logic behind it. Fundamentally Griffith (Ewing and Hill, 1967) understood that as a crack propagated in a stressed material an energy exchange took place. On one hand, the crack propagation required energy for the creation of further fracture surfaces in front of the crack point and, on the other hand, energy was released by the zone of material which was unloaded by the propagation itself. Fig. A7.1 illustrates this phenomenon and the concept of “critical crack length.”

Curve A represents the energy necessary to create rupture surfaces corresponding to a certain crack length L. The curve is substantially a straight line as the area of the rupture surfaces is proportional to the crack length and the rupture energy is proportional to this area. Curve B represents the energy released for the extension of the crack from zero length up to length L. This curve has a parabolic shape as the energy released is proportional to the volume of material unloaded by the propagation (indicated around the crack in the left part of the diagram), which in turn is roughly proportional to the square of the crack length. The third curve represents the difference between released energy and rupture energy for the various lengths of crack; the quantity Lg represents the critical crack length, that is, the value for which the increase of length of the crack releases more energy than is consumed in the creation of new rupture surfaces. In analytical terms, Griffith arrived at the conclusion shown in Eq. (A7.1):

$$L_g = \frac{1}{\pi}\,\frac{\text{Rupture work for unit area}}{\text{Deformation energy for unit volume}} = \frac{2GE}{\pi s^2} \tag{A7.1}$$

where Lg is the crack length (m) (with reference to the geometry depicted in Fig. A7.1), G is the energy needed for a unit increase of the crack surface (J/m²), E is Young’s modulus (N/m²), and s is the tension in the plate (N/m²).


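FIGURE A7.1 Energy balance in crack propagation. [Plot titled “Fracture Mechanics, Griffith (1920)”: energy versus crack length L for a plate under load P; curve A, absorbed energy; curve B, released energy; the critical crack length Lg is marked on the crack-length axis.]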

G has the order of magnitude of 1–2 × 10⁵ J/m² for construction steels and s is usually in the range of 70–150 × 10⁶ N/m², so for a construction steel plate stressed at 150 × 10⁶ N/m², the following result is obtained:

$$L_g = \frac{2 \times (1.5 \times 10^5) \times E}{\pi\,(150 \times 10^6)^2} = 0.91\ \text{m}$$

Among other things, Griffith’s energy formulation gives a logical explanation to the fact that, notwithstanding the very high stresses present at the crack tip, the resistance to its propagation is high for ductile materials.

A7.2 CURRENT PRACTICE

Two of today’s approaches to fracture study are summarized here. The first is based on the use of the stress intensity factor K. The second is based on the J integral. The latter approach is suitable for situations of ductile fracture with strong deformations (ductile materials, low stress triaxiality, and so on).

The approach based on the K factor relies on the possibility of representing the stress field around the crack tip by, precisely, a stress intensity factor K, which in turn depends on the way the crack is driven to propagate, on the mode of application of the load, on the level and variation of the stress in the material far from the crack tip and, finally, on the type of crack (thickness, elliptical, or with constant depth, etc.). The three stress modes usually considered are shown in Fig. A7.2. The various load application modes are shown in Fig. A7.3. The coordinate system generally adopted to describe the stress field around the crack is shown in Fig. A7.4.

FIGURE A7.2 Modes of crack stressing (KI, KII, KIII). [Panels: Mode I, Mode II, Mode III.]

An example of the distribution of stresses around the crack in biaxial geometry is given in Fig. A7.5. The expressions for O(r) in Fig. A7.5 represent distributions of stresses in the zones far removed from the crack tip and dependent on the complete stress state of the structure. Fig. A7.6 shows KI for the case of a longitudinal crack of various depths in a cylinder wall (e.g., in a pipe or the reactor vessel). A variety of already calculated cases exists for the distribution of stresses around a crack tip for various types of cracks and of loading conditions. Guidance on this can be found in specialist texts on fracture mechanics (Anderson, 2013; Milella, 1999, 2013; Miannay, 1997; Wilkowski et al., 1997). Fig. A7.7 shows the material properties KIC and KIA (intensity factors for crack initiation and for crack arrest of a propagating crack), with reference to a typical pressure vessel steel.


FIGURE A7.3 Modes of load application.

FIGURE A7.4 Coordinate system.

The temperature RTndt is the transition temperature between brittle and ductile rupture. It can be determined by tests on specific toughness specimens or it can be correlated (for greater ease) with an energy value absorbed in the common Charpy V test (generally 5.1 × 10⁵ or 8.7 × 10⁵ J/m², corresponding to 30 or 50 ft/lb, respectively). The way in which the various types of data are used is generally the following:

• KI is determined for the crack to be studied.
• KIC is determined for the material corresponding to the conditions at the crack tip. The comparison between this value and KI indicates whether the crack will start to propagate in an unstable way or not.
• If it can be controlled, then the possibility exists that the crack which started to propagate is arrested at a certain point. For this investigation, KI corresponding to various stages of extension of the crack has to be determined again. These values have to be compared with the corresponding KIA. If, for a certain stage of crack propagation, it is found that KI is lower than KIA, then the crack will stop at that point.

FIGURE A7.5 Stresses around the crack tip.
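The initiation and arrest comparison described in the list above, carried through numerically as an added Python example that is not from the book. The toughness curves, the expression K_I = Y·σ·√(πa), the wall thickness and the stress, temperature and RTndt profiles are all constructed assumptions chosen only to exercise the procedure.

```python
import math

# All curves and profiles below are constructed for illustration. The toughness
# curves are shaped like Fig. A7.7 but are not read from it.
K_UPPER_SHELF = 220.0  # MPa*sqrt(m), assumed cap on both toughness curves
WALL = 0.20            # m, constructed wall thickness


def k_ic(delta_t):
    """Initiation toughness KIC versus (T - RTndt) in deg C, in MPa*sqrt(m)."""
    return min(36.5 + 22.8 * math.exp(0.036 * delta_t), K_UPPER_SHELF)


def k_ia(delta_t):
    """Arrest toughness KIA versus (T - RTndt); at or below k_ic everywhere."""
    return min(29.4 + 13.7 * math.exp(0.026 * delta_t), K_UPPER_SHELF)


def k_applied(stress_mpa, depth_m, shape_factor=1.12):
    """Assumed K_I = Y * sigma * sqrt(pi * a); only tensile stress loads the tip."""
    return shape_factor * max(stress_mpa, 0.0) * math.sqrt(math.pi * depth_m)


def assess_crack(a0, wall, stress_at, temp_at, rtndt_at, step=0.005):
    """Apply the KI / KIC / KIA comparison to a surface crack of depth a0 (m).

    stress_at, temp_at and rtndt_at are callables giving the stress (MPa),
    temperature (deg C) and RTndt (deg C) at depth x (m) from the inner surface.
    Returns (verdict, depth, history); history rows are (a, K_I, toughness used).
    """
    def state(a):
        return k_applied(stress_at(a), a), temp_at(a) - rtndt_at(a)

    # Step 1 and 2: K_I of the crack against K_IC at the crack tip conditions.
    k_i, dt = state(a0)
    history = [(a0, k_i, k_ic(dt))]
    if k_i < k_ic(dt):
        return "stable", a0, history

    # Step 3: follow the running crack and compare K_I with K_IA at each stage.
    n = 1
    while a0 + n * step < wall:
        a = a0 + n * step
        k_i, dt = state(a)
        history.append((a, k_i, k_ia(dt)))
        if k_i < k_ia(dt):
            return "arrested", a, history
        n += 1
    return "no arrest", wall, history


def linear(at_inner, at_outer, wall=WALL):
    """Linear through-wall profile from the inner to the outer surface."""
    return lambda x: at_inner + (at_outer - at_inner) * x / wall


# Case A (constructed): cold, embrittled, highly stressed inner surface; the metal
# deeper in the wall is warmer, less embrittled and less stressed.
GRADIENT = dict(
    stress_at=lambda x: 400.0 * (1.0 - x / 0.12),
    temp_at=linear(50.0, 250.0),
    rtndt_at=linear(90.0, 30.0),
)

# Case B (constructed): uniform stress, temperature and embrittlement, so nothing
# improves as the crack extends.
UNIFORM = dict(
    stress_at=lambda x: 300.0,
    temp_at=lambda x: 50.0,
    rtndt_at=lambda x: 90.0,
)

if __name__ == "__main__":
    for name, case, a0 in (("gradient, 20 mm flaw", GRADIENT, 0.02),
                           ("gradient, 2 mm flaw", GRADIENT, 0.002),
                           ("uniform, 20 mm flaw", UNIFORM, 0.02)):
        verdict, depth, history = assess_crack(a0, WALL, **case)
        print(f"{name}: {verdict} at a = {depth * 1000:.0f} mm")
        for a, k_i, k_lim in history:
            print(f"  a = {a * 1000:5.1f} mm  K_I = {k_i:6.1f}  toughness = {k_lim:6.1f}")
```

With the uniform profile K_I only grows with depth while KIA stays constant, so the running crack never meets the arrest condition.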

In the case of a reactor pressure vessel the crack may stop because, with its extension, it reaches zones of the material which are less embrittled than the one from where the crack has started. In other cases the arrest may occur because the material reached during the propagation is less stressed than the initial one. It is useful to remember the existence of the phenomenon of “warm prestress” according to which, in general terms, if a component containing a crack is loaded in warm conditions (i.e., in conditions of good ductility), it is not susceptible to unstable crack propagation for lower load conditions, even if correspondingly the temperature and ductility are lower. This principle, which finds its evident logical basis in the effect of “protective” plasticization at the crack tip, is usually accepted in the following, narrower, formulation: “after an initial preload, no unstable crack propagation will occur if the stress intensity factor is constant or decreasing.”

FIGURE A7.6 KI for a longitudinal crack in the wall of a cylinder.

The J integral method is more widely used especially in cases of strong plasticization of the material during its rupture. This method substantially follows the K factor approach with the difference that the parameter to be evaluated is, now, a special integral operator, called the J integral (Rice, 1968). The integral is defined in Eq. (A7.2) with the symbols indicated in Fig. A7.8:

$$J = \int_{\Gamma} \left( W\,dy - \mathbf{T}\cdot\frac{\partial \mathbf{u}}{\partial x}\,ds \right) \tag{A7.2}$$

where T is the stress vector (kg/m²), u is the displacement (m), and W is the strain energy density (J/m³).


FIGURE A7.7 Critical toughness and arrest toughness of a construction steel as a function of temperature (relative to the transition one). [Plot titled “Critical toughness”: toughness (kg/m^1.5) versus (T − RTndt) (°C); curves KIc and KIa.]

FIGURE A7.8 Definition of the symbols used in the expression of the J integral. [Diagram labels: axes x and y; path element ds with normal n, stress vector T and displacement u; nx = cos θ = dy/ds; ny = sin θ = −dx/ds.]


The integral is calculated along any path Γ which includes the crack tip as indicated in the figure. It is independent of the specific path chosen. The value of J that is critical for the material is measured on special samples. In order to clarify the physical meaning of K and, above all, of J, these quantities can be simply related to each other and to a concept already used by Griffith, that is, the specific potential energy related to the crack area, GR [see Eq. (A7.3)]:

$$G_R = -\frac{\partial U}{\partial A} \tag{A7.3}$$

assuming a small plastic area at the crack tip, and where GR is the specific potential energy related to crack area (J/m²), U is the potential energy (J), and A is the crack area (m²). GR is then the variation of the elastic potential energy of deformation of the material corresponding to the unit variation of the crack area. The following relationships hold:

$$J = G_R \quad \text{for plane problems} \tag{A7.4}$$

$$K_I^2 = G_R \times E \quad \text{for plane stress states} \tag{A7.5}$$

(where E is Young’s modulus)

$$K_I^2 = \frac{G_R \times E}{1 - \nu^2} \quad \text{for plane strain states} \tag{A7.6}$$

(where ν is the Poisson modulus)

REFERENCES

Anderson, T.L., 2013. Fracture Mechanics, third ed. CRC Taylor & Francis.
Ewing, D.J.F., Hill, R.J., 1967. The plastic constraint of V-notched tension bars. J. Mech. Phys. Solids 15, 115.
Miannay, D.P., 1997. Fracture Mechanics. Springer.
Milella, P.P., 1999. Meccanica della frattura. Ansaldo Nucleare, Corso Perrone, 25, Genova.
Milella, P.P., 2013. Fatigue and Corrosion in Metals. Springer.
Rice, J.R., 1968. A path independent integral and the approximate analysis of strain concentration by notches and cracks. J. Appl. Mech. 15, 379–386.
Wilkowski, G.M., et al., 1997. State-of-the-art Report on Piping Fracture Mechanics. NUREG/CR-6540; BMI 2196.

APPENDIX 8 US GENERAL DESIGN CRITERIA

The following text is reproduced from the US (1971) “General Design Criteria (CFR Part 50, App. A).” The criteria document numbering and cross-references have been retained.

| Applicability | Criterion Title | Criterion Number |
|---|---|---|
| I. Overall requirements | Quality standards and records | 1 |
| | Design bases for protection against natural phenomena | 2 |
| | Fire protection | 3 |
| | Environmental and dynamic effects design bases | 4 |
| | Sharing of structures, systems, and components | 5 |
| II. Protection by multiple fission product barriers | Reactor design | 10 |
| | Reactor inherent protection | 11 |
| | Suppression of reactor power oscillations | 12 |
| | Instrumentation and control | 13 |
| | Reactor coolant pressure boundary | 14 |
| | Reactor coolant system design | 15 |
| | Containment design | 16 |
| | Electric power systems | 17 |
| | Inspection and testing of electric power systems | 18 |
| | Control room | 19 |
| III. Protection and reactivity control systems | Protection system functions | 20 |
| | Protection system reliability and testability | 21 |
| | Protection system independence | 22 |
| | Protection system failure modes | 23 |
| | Separation of protection and control systems | 24 |
| | Protection system requirements for reactivity control malfunctions | 25 |
| | Reactivity control system redundancy and capability | 26 |
| | Combined reactivity control systems capability | 27 |
| | Reactivity limits | 28 |
| | Protection against anticipated operational occurrences | 29 |
| IV. Fluid systems | Quality of reactor coolant pressure boundary | 30 |
| | Fracture prevention of reactor coolant pressure boundary | 31 |
| | Inspection of reactor coolant pressure boundary | 32 |
| | Reactor coolant makeup | 33 |
| | Residual heat removal | 34 |
| | Emergency core cooling | 35 |
| | Inspection of containment heat removal system | 36 |
| | Testing of emergency core cooling system | 37 |
| | Containment heat removal | 38 |
| | Inspection of containment heat removal system | 39 |
| | Testing of containment heat removal system | 40 |
| | Containment atmosphere cleanup | 41 |
| | Inspection of containment atmosphere cleanup systems | 42 |
| | Testing of containment atmosphere cleanup systems | 43 |
| | Cooling water | 44 |
| | Inspection of cooling water system | 45 |
| | Testing of cooling water system | 46 |
| V. Reactor containment | Containment design basis | 50 |
| | Fracture prevention of containment pressure boundary | 51 |
| | Capability for containment leakage rate testing | 52 |
| | Provisions for containment testing and inspection | 53 |
| | Systems penetrating containment | 54 |
| | Reactor coolant pressure boundary penetrating containment | 55 |
| | Primary containment isolation | 56 |
| | Closed systems isolation valves | 57 |
| VI. Fuel and radioactivity control | Control of releases of radioactive materials to the environment | 60 |
| | Fuel storage and handling and radioactivity control | 61 |
| | Prevention of criticality in fuel storage and handling | 62 |
| | Monitoring fuel and waste storage | 63 |
| | Monitoring radioactivity releases | 64 |


A8.1 INTRODUCTION

Pursuant to the provisions of §50.34, an application for a construction permit must include the principal design criteria for a proposed facility. The principal design criteria establish the necessary design, fabrication, construction, testing, and performance requirements for structures, systems, and components important to safety; that is, structures, systems, and components which provide reasonable assurance that the facility can be operated without undue risk to the health and safety of the public.

These general design criteria establish minimum requirements for the principal design criteria for water-cooled nuclear power plants similar in design and location to plants for which construction permits have been issued by the Commission. The general design criteria are also considered to be generally applicable to other types of nuclear power units and are intended to provide guidance in establishing the principal design criteria for such other units.

The development of these general design criteria is not yet complete. For example, some of the definitions need further amplification. Also, some of the specific design requirements for structures, systems, and components important to safety have not as yet been suitably defined. Their omission does not relieve any applicant from considering these matters in the design of a specific facility and satisfying the necessary safety requirements. These matters include:

1. Consideration of the need to design against single failures of passive components in fluid systems important to safety (see Definition of Single Failure).
2. Consideration of redundancy and diversity requirements for fluid systems important to safety. A “system” could consist of a number of subsystems each of which is separately capable of performing the specified system safety function. The minimum acceptable redundancy and diversity of subsystems and components within a subsystem, and the required interconnection and independence of the subsystems have not yet been developed or defined (see Criteria 34, 35, 38, 41, and 44).
3. Consideration of the type, size, and orientation of possible breaks in components of the reactor coolant pressure boundary in determining design requirements to suitably protect against postulated loss-of-coolant accidents (see Definition of Loss-of-Coolant Accidents).
4. Consideration of the possibility of systematic, nonrandom, concurrent failures of redundant elements in the design of protection systems and reactivity control systems (see Criteria 22, 24, 26, and 29).

It is expected that the criteria will be augmented and changed from time to time as important new requirements for these and other features are developed.

There will be some water-cooled nuclear power plants for which the general design criteria are not sufficient and for which additional criteria must be identified and satisfied in the interest of public safety. In particular, it is expected that additional or different criteria will be needed to take into account unusual sites and environmental conditions, and for water-cooled nuclear power units of advanced design. Also, there may be water-cooled nuclear power units for which fulfillment of some of the general design criteria may not be necessary or appropriate. For plants such as these, departures from the general design criteria must be identified and justified.


A8.2 DEFINITIONS AND EXPLANATIONS

Nuclear power unit. A nuclear power unit means a nuclear power reactor and associated equipment necessary for electric power generation and includes those structures, systems, and components required to provide reasonable assurance the facility can be operated without undue risk to the health and safety of the public.

Loss-of-coolant accidents. This means those postulated accidents that result from the loss of reactor coolant at a rate in excess of the capability of the reactor coolant makeup system from breaks in the reactor coolant pressure boundary, up to and including a break equivalent in size to the double-ended rupture of the largest pipe of the reactor coolant system.[1]

Single failure. A single failure means an occurrence which results in the loss of capability of a component to perform its intended safety functions. Multiple failures resulting from a single occurrence are considered to be a single failure. Fluid and electric systems are considered to be designed against an assumed single failure if neither (1) a single failure of any active component (assuming passive components function properly) nor (2) a single failure of a passive component (assuming active components function properly), results in a loss of the capability of the system to perform its safety functions.[2]

Anticipated operational occurrences. This means those conditions of normal operation which are expected to occur one or more times during the life of the nuclear power unit and include but are not limited to loss of power to all recirculation pumps, tripping of the turbine generator set, isolation of the main condenser, and loss of all offsite power.

A8.3 CRITERIA

A8.3.1 OVERALL REQUIREMENTS

Criterion 1—Quality standards and records. Structures, systems, and components important to safety shall be designed, fabricated, erected, and tested to quality standards commensurate with the importance of the safety functions to be performed. Where generally recognized codes and standards are used, they shall be identified and evaluated to determine their applicability, adequacy, and sufficiency and shall be supplemented or modified as necessary to assure a quality product in keeping with the required safety function. A quality assurance program shall be established and implemented in order to provide adequate assurance that these structures, systems, and components will satisfactorily perform their safety functions. Appropriate records of the design, fabrication, erection, and testing of structures, systems, and components important to safety shall be maintained by or under the control of the nuclear power unit licensee throughout the life of the unit.

[1] Further details relating to the type, size, and orientation of postulated breaks in specific components of the reactor coolant pressure boundary are under development.

[2] Single failures of passive components in electric systems should be assumed in designing against a single failure. The conditions under which a single failure of a passive component in a fluid system should be considered in designing the system against a single failure are under development.


Criterion 2—Design bases for protection against natural phenomena. Structures, systems, and components important to safety shall be designed to withstand the effects of natural phenomena such as earthquakes, tornadoes, hurricanes, floods, tsunami, and seiches without loss of capability to perform their safety functions. The design bases for these structures, systems, and components shall reflect: (1) appropriate consideration of the most severe of the natural phenomena that have been historically reported for the site and surrounding area, with sufficient margin for the limited accuracy, quantity, and period of time in which the historical data have been accumulated, (2) appropriate combinations of the effects of normal and accident conditions with the effects of the natural phenomena, and (3) the importance of the safety functions to be performed.

Criterion 3—Fire protection. Structures, systems, and components important to safety shall be designed and located to minimize, consistent with other safety requirements, the probability and effect of fires and explosions. Noncombustible and heat-resistant materials shall be used wherever practical throughout the unit, particularly in locations such as the containment and control room. Fire detection and fighting systems of appropriate capacity and capability shall be provided and designed to minimize the adverse effects of fires on structures, systems, and components important to safety. Firefighting systems shall be designed to assure that their rupture or inadvertent operation does not significantly impair the safety capability of these structures, systems, and components.

Criterion 4—Environmental and dynamic effects design bases. Structures, systems, and components important to safety shall be designed to accommodate the effects of and to be compatible with the environmental conditions associated with normal operation, maintenance, testing, and postulated accidents, including loss-of-coolant accidents. These structures, systems, and components shall be appropriately protected against dynamic effects, including the effects of missiles, pipe whipping, and discharging fluids, that may result from equipment failures and from events and conditions outside the nuclear power unit. However, dynamic effects associated with postulated pipe ruptures in nuclear power units may be excluded from the design basis when analyses reviewed and approved by the Commission demonstrate that the probability of fluid system piping rupture is extremely low under conditions consistent with the design basis for the piping.

Criterion 5—Sharing of structures, systems, and components. Structures, systems, and components important to safety shall not be shared among nuclear power units unless it can be shown that such sharing will not significantly impair their ability to perform their safety functions, including, in the event of an accident in one unit, an orderly shutdown and cooldown of the remaining units.

A8.3.2 PROTECTION BY MULTIPLE FISSION PRODUCT BARRIERS

Criterion 10—Reactor design. The reactor core and associated coolant, control, and protection systems shall be designed with appropriate margin to assure that specified acceptable fuel design limits are not exceeded during any condition of normal operation including the effects of anticipated operational occurrences.

Criterion 11—Reactor inherent protection. The reactor core and associated coolant systems shall be designed so that in the power operating range the net effect of the prompt inherent nuclear feedback characteristics tends to compensate for a rapid increase in reactivity.

Criterion 12—Suppression of reactor power oscillations. The reactor core and associated coolant, control, and protection systems shall be designed to assure that power oscillations which can result in conditions exceeding specified acceptable fuel design limits are not possible or can be reliably and readily detected and suppressed.

Criterion 13—Instrumentation and control. Instrumentation shall be provided to monitor variables and systems over their anticipated ranges for normal operation, for anticipated operational occurrences, and for accident conditions as appropriate to assure adequate safety, including those variables and systems that can affect the fission process, the integrity of the reactor core, the reactor coolant pressure boundary, and the containment and its associated systems. Appropriate controls shall be provided to maintain these variables and systems within prescribed operating ranges.

Criterion 14—Reactor coolant pressure boundary. The reactor coolant pressure boundary shall be designed, fabricated, erected, and tested so as to have an extremely low probability of abnormal leakage, of rapidly propagating failure, and of gross rupture.

Criterion 15—Reactor coolant system design. The reactor coolant system and associated auxiliary, control, and protection systems shall be designed with sufficient margin to assure that the design conditions of the reactor coolant pressure boundary are not exceeded during any condition of normal operation including anticipated operational occurrences.

Criterion 16—Containment design. Reactor containment and associated systems shall be provided to establish an essentially leaktight barrier against the uncontrolled release of radioactivity to the environment and to assure that the containment design conditions important to safety are not exceeded for as long as postulated accident conditions require.

Criterion 17—Electric power systems. An onsite electric power system and an offsite electric power system shall be provided to permit functioning of structures, systems, and components important to safety. The safety function for each system (assuming the other system is not functioning) shall be to provide sufficient capacity and capability to assure that (1) specified acceptable fuel design limits and design conditions of the reactor coolant pressure boundary are not exceeded as a result of anticipated operational occurrences and (2) the core is cooled and containment integrity and other vital functions are maintained in the event of postulated accidents. The onsite electric power supplies, including the batteries, and the onsite electric distribution system, shall have sufficient independence, redundancy, and testability to perform their safety functions assuming a single failure. Electric power from the transmission network to the onsite electric distribution system shall be supplied by two physically independent circuits (not necessarily on separate rights of way) designed and located so as to minimize to the extent practical the likelihood of their simultaneous failure under operating and postulated accident and environmental conditions. A switchyard common to both circuits is acceptable. Each of these circuits shall be designed to be available in sufficient time following a loss of all onsite alternating current power supplies and the other offsite electric power circuit, to assure that specified acceptable fuel design limits and design conditions of the reactor coolant pressure boundary are not exceeded. One of these circuits shall be designed to be available within a few seconds following a loss-of-coolant accident to assure that core cooling, containment integrity, and other vital safety functions are maintained. Provisions shall be included to minimize the probability of losing electric power from any of the remaining supplies as a result of, or coincident with, the loss of power generated by the nuclear power unit, the loss of power from the transmission network, or the loss of power from the onsite electric power supplies.


Criterion 18—Inspection and testing of electric power systems. Electric power systems important to safety shall be designed to permit appropriate periodic inspection and testing of important areas and features, such as wiring, insulation, connections, and switchboards, to assess the continuity of the systems and the condition of their components. The systems shall be designed with a capability to test periodically: (1) the operability and functional performance of the components of the systems, such as onsite power sources, relays, switches, and buses, and (2) the operability of the systems as a whole and, under conditions as close to design as practical, the full operation sequence that brings the systems into operation including operation of applicable portions of the protection system, and the transfer of power among the nuclear power unit, the offsite power system, and the onsite power system.

Criterion 19—Control room. A control room shall be provided from which actions can be taken to operate the nuclear power unit safely under normal conditions and to maintain it in a safe condition under accident conditions, including loss-of-coolant accidents. Adequate radiation protection shall be provided to permit access and occupancy of the control room under accident conditions without personnel receiving radiation exposures in excess of 5 rem whole body, or its equivalent to any part of the body, for the duration of the accident. Equipment at appropriate locations outside the control room shall be provided (1) with a design capability for prompt hot shutdown of the reactor, including necessary instrumentation and controls to maintain the unit in a safe condition during hot shutdown, and (2) with a potential capability for subsequent cold shutdown of the reactor through the use of suitable procedures.

Applicants for and holders of construction permits and operating licenses under this part who apply on or after January 10, 1997, applicants for design certifications under part 52 of this chapter who apply on or after January 10, 1997, applicants for and holders of combined licenses under part 52 of this chapter who do not reference a standard design certification, or holders of operating licenses using an alternative source term under §50.67, shall meet the requirements of this criterion, except that with regard to control room access and occupancy, adequate radiation protection shall be provided to ensure that radiation exposures shall not exceed 0.05 Sv (5 rem) total effective dose equivalent as defined in §50.2 for the duration of the accident.

A8.3.3 PROTECTION AND REACTIVITY CONTROL SYSTEMS

Criterion 20—Protection system functions. The protection system shall be designed (1) to initiate automatically the operation of appropriate systems including the reactivity control systems, to assure that specified acceptable fuel design limits are not exceeded as a result of anticipated operational occurrences and (2) to sense accident conditions and to initiate the operation of systems and components important to safety.

Criterion 21—Protection system reliability and testability. The protection system shall be designed for high functional reliability and inservice testability commensurate with the safety functions to be performed. Redundancy and independence designed into the protection system shall be sufficient to assure that (1) no single failure results in loss of the protection function and (2) removal from service of any component or channel does not result in loss of the required minimum redundancy unless the acceptable reliability of operation of the protection system can be otherwise demonstrated. The protection system shall be designed to permit periodic testing of its functioning when the reactor is in operation, including a capability to test channels independently to determine failures and losses of redundancy that may have occurred.

Criterion 22—Protection system independence. The protection system shall be designed to assure that the effects of natural phenomena, and of normal operating, maintenance, testing, and postulated accident conditions on redundant channels do not result in loss of the protection function, or shall be demonstrated to be acceptable on some other defined basis. Design techniques such as functional diversity or diversity in component design and principles of operation, shall be used to the extent practical to prevent loss of the protection function.

Criterion 23—Protection system failure modes. The protection system shall be designed to fail into a safe state or into a state demonstrated to be acceptable on some other defined basis if conditions such as disconnection of the system, loss of energy (e.g., electric power, instrument air), or postulated adverse environments (e.g., extreme heat or cold, fire, pressure, steam, water, and radiation) are experienced.

Criterion 24—Separation of protection and control systems. The protection system shall be separated from control systems to the extent that failure of any single control system component or channel, or failure or removal from service of any single protection system component or channel which is common to the control and protection systems leaves intact a system satisfying all reliability, redundancy, and independence requirements of the protection system. Interconnection of the protection and control systems shall be limited so as to assure that safety is not significantly impaired.

Criterion 25—Protection system requirements for reactivity control malfunctions. The protection system shall be designed to assure that specified acceptable fuel design limits are not exceeded for any single malfunction of the reactivity control systems such as accidental withdrawal (not ejection or dropout) of control rods.

Criterion 26—Reactivity control system redundancy and capability. Two independent reactivity control systems of different design principles shall be provided. One of the systems shall use control rods, preferably including a positive means for inserting the rods, and shall be capable of reliably controlling reactivity changes to assure that under conditions of normal operation, including anticipated operational occurrences, and with appropriate margin for malfunctions such as stuck rods, specified acceptable fuel design limits are not exceeded. The second reactivity control system shall be capable of reliably controlling the rate of reactivity changes resulting from planned, normal power changes (including xenon burnout) to assure acceptable fuel design limits are not exceeded. One of the systems shall be capable of holding the reactor core subcritical under cold conditions.

Criterion 27—Combined reactivity control systems capability. The reactivity control systems shall be designed to have a combined capability, in conjunction with poison addition by the emergency core cooling system, of reliably controlling reactivity changes to assure that under postulated accident conditions and with appropriate margin for stuck rods the capability to cool the core is maintained.

Criterion 28—Reactivity limits. The reactivity control systems shall be designed with appropriate limits on the potential amount and rate of reactivity increase to assure that the effects of postulated reactivity accidents can neither (1) result in damage to the reactor coolant pressure boundary greater than limited local yielding nor (2) sufficiently disturb the core, its support structures or other reactor pressure vessel internals to impair significantly the capability to cool the core. These postulated reactivity accidents shall include consideration of rod ejection (unless prevented by positive means), rod dropout, steam line rupture, changes in reactor coolant temperature and pressure, and cold water addition.

Criterion 29—Protection against anticipated operational occurrences. The protection and reactivity control systems shall be designed to assure an extremely high probability of accomplishing their safety functions in the event of anticipated operational occurrences.

A8.3.4 FLUID SYSTEMS

Criterion 30—Quality of reactor coolant pressure boundary. Components which are part of the reactor coolant pressure boundary shall be designed, fabricated, erected, and tested to the highest quality standards practical. Means shall be provided for detecting and, to the extent practical, identifying the location of the source of reactor coolant leakage.

Criterion 31—Fracture prevention of reactor coolant pressure boundary. The reactor coolant pressure boundary shall be designed with sufficient margin to assure that when stressed under operating, maintenance, testing, and postulated accident conditions (1) the boundary behaves in a nonbrittle manner and (2) the probability of rapidly propagating fracture is minimized. The design shall reflect consideration of service temperatures and other conditions of the boundary material under operating, maintenance, testing, and postulated accident conditions and the uncertainties in determining (1) material properties, (2) the effects of irradiation on material properties, (3) residual, steady state and transient stresses, and (4) size of flaws.

Criterion 32—Inspection of reactor coolant pressure boundary. Components which are part of the reactor coolant pressure boundary shall be designed to permit (1) periodic inspection and testing of important areas and features to assess their structural and leaktight integrity, and (2) an appropriate material surveillance program for the reactor pressure vessel.

Criterion 33—Reactor coolant makeup. A system to supply reactor coolant makeup for protection against small breaks in the reactor coolant pressure boundary shall be provided. The system safety function shall be to assure that specified acceptable fuel design limits are not exceeded as a result of reactor coolant loss due to leakage from the reactor coolant pressure boundary and rupture of small piping or other small components which are part of the boundary. The system shall be designed to assure that for onsite electric power system operation (assuming offsite power is not available) and for offsite electric power system operation (assuming onsite power is not available) the system safety function can be accomplished using the piping, pumps, and valves used to maintain coolant inventory during normal reactor operation.

Criterion 34—Residual heat removal. A system to remove residual heat shall be provided. The system safety function shall be to transfer fission product decay heat and other residual heat from the reactor core at a rate such that specified acceptable fuel design limits and the design conditions of the reactor coolant pressure boundary are not exceeded. Suitable redundancy in components and features, and suitable interconnections, leak detection, and isolation capabilities shall be provided to assure that for onsite electric power system operation (assuming offsite power is not available) and for offsite electric power system operation (assuming onsite power is not available) the system safety function can be accomplished, assuming a single failure.

Criterion 35—Emergency core cooling. A system to provide abundant emergency core cooling shall be provided. The system safety function shall be to transfer heat from the reactor core following any loss of reactor coolant at a rate such that (1) fuel and clad damage that could interfere with continued effective core cooling is prevented and (2) clad metal water reaction is limited to negligible amounts. Suitable redundancy in components and features, and suitable interconnections, leak detection, isolation, and containment capabilities shall be provided to assure that for onsite electric power system operation (assuming offsite power is not available) and for offsite electric power system operation (assuming onsite power is not available) the system safety function can be accomplished, assuming a single failure.

Criterion 36—Inspection of emergency core cooling system. The emergency core cooling system shall be designed to permit appropriate periodic inspection of important components, such as spray rings in the reactor pressure vessel, water injection nozzles, and piping, to assure the integrity and capability of the system.

Criterion 37—Testing of emergency core cooling system. The emergency core cooling system shall be designed to permit appropriate periodic pressure and functional testing to assure (1) the structural and leaktight integrity of its components, (2) the operability and performance of the active components of the system, and (3) the operability of the system as a whole and, under conditions as close to design as practical, the performance of the full operational sequence that brings the system into operation, including operation of applicable portions of the protection system, the transfer between normal and emergency power sources, and the operation of the associated cooling water system.

Criterion 38—Containment heat removal. A system to remove heat from the reactor containment shall be provided. The system safety function shall be to reduce rapidly, consistent with the functioning of other associated systems, the containment pressure and temperature following any loss-of-coolant accident and maintain them at acceptably low levels. Suitable redundancy in components and features, and suitable interconnections, leak detection, isolation, and containment capabilities shall be provided to assure that for onsite electric power system operation (assuming offsite power is not available) and for offsite electric power system operation (assuming onsite power is not available) the system safety function can be accomplished, assuming a single failure.

Criterion 39—Inspection of containment heat removal system. The containment heat removal system shall be designed to permit appropriate periodic inspection of important components, such as the torus, sumps, spray nozzles, and piping to assure the integrity and capability of the system.

Criterion 40—Testing of containment heat removal system. The containment heat removal system shall be designed to permit appropriate periodic pressure and functional testing to assure (1) the structural and leaktight integrity of its components, (2) the operability and performance of the active components of the system, and (3) the operability of the system as a whole, and under conditions as close to the design as practical the performance of the full operational sequence that brings the system into operation, including operation of applicable portions of the protection system, the transfer between normal and emergency power sources, and the operation of the associated cooling water system.

Criterion 41—Containment atmosphere cleanup. Systems to control fission products, hydrogen, oxygen, and other substances which may be released into the reactor containment shall be provided as necessary to reduce, consistent with the functioning of other associated systems, the concentration and quality of fission products released to the environment following postulated accidents, and to control the concentration of hydrogen or oxygen and other substances in the containment atmosphere following postulated accidents to assure that containment integrity is maintained. Each system shall have suitable redundancy in components and features, and suitable interconnections, leak detection, isolation, and containment capabilities to assure that for onsite electric power system operation (assuming offsite power is not available) and for offsite electric power system operation (assuming onsite power is not available) its safety function can be accomplished, assuming a single failure.

Criterion 42—Inspection of containment atmosphere cleanup systems. The containment atmosphere cleanup systems shall be designed to permit appropriate periodic inspection of important components such as filter frames, ducts, and piping to assure the integrity and capability of the systems.

Criterion 43—Testing of containment atmosphere cleanup systems. The containment atmosphere cleanup systems shall be designed to permit appropriate periodic pressure and functional testing to assure (1) the structural and leaktight integrity of its components, (2) the operability and performance of the active components of the systems such as fans, filters, dampers, pumps, and valves, and (3) the operability of the systems as a whole and, under conditions as close to design as practical, the performance of the full operational sequence that brings the systems into operation, including operation of applicable portions of the protection system, the transfer between normal and emergency power sources, and the operation of associated systems.

Criterion 44—Cooling water. A system to transfer heat from structures, systems, and components important to safety, to an ultimate heat sink shall be provided. The system safety function shall be to transfer the combined heat load of these structures, systems, and components under normal operating and accident conditions. Suitable redundancy in components and features, and suitable interconnections, leak detection, and isolation capabilities shall be provided to assure that for onsite electric power system operation (assuming offsite power is not available) and for offsite electric power system operation (assuming onsite power is not available) the system safety function can be accomplished, assuming a single failure.

Criterion 45—Inspection of cooling water system. The cooling water system shall be designed to permit appropriate periodic inspection of important components such as heat exchangers and piping to assure the integrity and capability of the system.

Criterion 46—Testing of cooling water system. The cooling water system shall be designed to permit appropriate periodic pressure and functional testing to assure (1) the structural and leaktight integrity of its components, (2) the operability and the performance of the active components of the system, and (3) the operability of the system as a whole and, under conditions as close to design as practical, the performance of the full operational sequence that brings the system into operation for reactor shutdown and for loss-of-coolant accidents, including operation of applicable portions of the protection system and the transfer between normal and emergency power sources.

A8.3.5 REACTOR CONTAINMENT

Criterion 50—Containment design basis. The reactor containment structure, including access openings, penetrations, and the containment heat removal system shall be designed so that the containment structure and its internal compartments can accommodate, without exceeding the design leakage rate and with sufficient margin, the calculated pressure and temperature conditions resulting from any loss-of-coolant accident. This margin shall reflect consideration of (1) the effects of potential energy sources which have not been included in the determination of the peak conditions, such as energy in steam generators and as required by § 50.44 energy from metal water and other chemical reactions that may result from degradation but not total failure of emergency core cooling functioning, (2) the limited experience and experimental data available for defining accident phenomena and containment responses, and (3) the conservatism of the calculational model and input parameters.

Criterion 51—Fracture prevention of containment pressure boundary. The reactor containment boundary shall be designed with sufficient margin to assure that under operating, maintenance, testing, and postulated accident conditions (1) its ferritic materials behave in a nonbrittle manner and (2) the probability of rapidly propagating fracture is minimized. The design shall reflect consideration of service temperatures and other conditions of the containment boundary material during operation, maintenance, testing, and postulated accident conditions, and the uncertainties in determining (1) material properties; (2) residual, steady state, and transient stresses; and (3) size of flaws.

Criterion 52—Capability for containment leakage rate testing. The reactor containment and other equipment which may be subjected to containment test conditions shall be designed so that periodic integrated leakage rate testing can be conducted at containment design pressure.

Criterion 53—Provisions for containment testing and inspection. The reactor containment shall be designed to permit (1) appropriate periodic inspection of all important areas such as penetrations, (2) an appropriate surveillance program, and (3) periodic testing at containment design pressure of the leaktightness of penetrations which have resilient seals and expansion bellows.

Criterion 54—Piping systems penetrating containment. Piping systems penetrating primary reactor containment shall be provided with leak detection, isolation, and containment capabilities having redundancy, reliability, and performance capabilities which reflect the importance to safety of isolating these piping systems. Such piping systems shall be designed with a capability to test periodically the operability of the isolation valves and associated apparatus and to determine whether valve leakage is within acceptable limits.

Criterion 55—Reactor coolant pressure boundary penetrating containment. Each line that is part of the reactor coolant pressure boundary and that penetrates primary reactor containment shall be provided with containment isolation valves as follows, unless it can be demonstrated that the containment isolation provisions for a specific class of lines such as instrument lines are acceptable on some other defined basis:

1. One locked closed isolation valve inside and one locked closed isolation valve outside containment; or
2. One automatic isolation valve inside and one locked closed isolation valve outside containment; or
3. One locked closed isolation valve inside and one automatic isolation valve outside containment. A simple check valve may not be used as the automatic isolation valve outside containment; or
4. One automatic isolation valve inside and one automatic isolation valve outside containment. A simple check valve may not be used as the automatic isolation valve outside containment.

Isolation valves outside containment shall be located as close to containment as practical and upon loss of actuating power, automatic isolation valves shall be designed to take the position that provides greater safety. Other appropriate requirements to minimize the probability or consequences of an accidental rupture of these lines or of lines connected to them shall be provided as necessary to assure adequate safety. Determination of the appropriateness of these requirements, such as higher quality in design, fabrication, and testing, additional provisions for inservice inspection, protection against more severe natural phenomena, and additional isolation valves and containment, shall include consideration of the population density, use characteristics, and physical characteristics of the site environs.

Criterion 56—Primary containment isolation. Each line that connects directly to the containment atmosphere and penetrates primary reactor containment shall be provided with containment isolation valves as follows, unless it can be demonstrated that the containment isolation provisions for a specific class of lines, such as instrument lines, are acceptable on some other defined basis:

1. One locked closed isolation valve inside and one locked closed isolation valve outside containment; or
2. One automatic isolation valve inside and one locked closed isolation valve outside containment; or
3. One locked closed isolation valve inside and one automatic isolation valve outside containment. A simple check valve may not be used as the automatic isolation valve outside containment; or
4. One automatic isolation valve inside and one automatic isolation valve outside containment. A simple check valve may not be used as the automatic isolation valve outside containment.

Isolation valves outside containment shall be located as close to the containment as practical and upon loss of actuating power, automatic isolation valves shall be designed to take the position that provides greater safety.

Criterion 57—Closed system isolation valves. Each line that penetrates primary reactor containment and is neither part of the reactor coolant pressure boundary nor connected directly to the containment atmosphere shall have at least one containment isolation valve which shall be either automatic, or locked closed, or capable of remote manual operation. This valve shall be outside containment and located as close to the containment as practical. A simple check valve may not be used as the automatic isolation valve.

A8.3.6 FUEL AND RADIOACTIVITY CONTROL

Criterion 60—Control of releases of radioactive materials to the environment. The nuclear power unit design shall include means to control suitably the release of radioactive materials in gaseous and liquid effluents and to handle radioactive solid wastes produced during normal reactor operation, including anticipated operational occurrences. Sufficient holdup capacity shall be provided for retention of gaseous and liquid effluents containing radioactive materials, particularly where unfavorable site environmental conditions can be expected to impose unusual operational limitations upon the release of such effluents to the environment.

Criterion 61—Fuel storage and handling and radioactivity control. The fuel storage and handling, radioactive waste, and other systems which may contain radioactivity shall be designed to assure adequate safety under normal and postulated accident conditions. These systems shall be designed (1) with a capability to permit appropriate periodic inspection and testing of components important to safety, (2) with suitable shielding for radiation protection, (3) with appropriate containment, confinement, and filtering systems, (4) with a residual heat removal capability having reliability and testability that reflects the importance to safety of decay heat and other residual heat removal, and (5) to prevent significant reduction in fuel storage coolant inventory under accident conditions.

Criterion 62—Prevention of criticality in fuel storage and handling. Criticality in the fuel storage and handling system shall be prevented by physical systems or processes, preferably by use of geometrically safe configurations.

Criterion 63—Monitoring fuel and waste storage. Appropriate systems shall be provided in fuel storage and radioactive waste systems and associated handling areas (1) to detect conditions that may result in loss of residual heat removal capability and excessive radiation levels and (2) to initiate appropriate safety actions.

Criterion 64—Monitoring radioactivity releases. Means shall be provided for monitoring the reactor containment atmosphere, spaces containing components for recirculation of loss-of-coolant accident fluids, effluent discharge paths, and the plant environs for radioactivity that may be released from normal operations, including anticipated operational occurrences, and from postulated accidents.

[36 FR 3256, Feb. 20, 1971, as amended at 36 FR 12733, July 7, 1971; 41 FR 6258, Feb. 12, 1976; 43 FR 50163, Oct. 27, 1978; 51 FR 12505, Apr. 11, 1986; 52 FR 41294, Oct. 27, 1987]

APPENDIX 9 IAEA CRITERIA

In general, it is probably correct to say that IAEA Safety Standards offer a very complete list of recommendations and requirements concerning nuclear safety; they also appear to leave ample room for Member States to define more precise and quantitative criteria for their plants. For the sake of brevity, excerpts of the IAEA Criteria are not included here, as they can easily be consulted on the site www.iaea.org, where the document “Safety of Nuclear Power Plant Design, No SSR-2/1 (Rev 1),” containing the Criteria, can be found.


APPENDIX 10 PRIMARY DEPRESSURIZATION SYSTEMS

A10.1 INITIAL STUDIES

The importance of a voluntary primary depressurization system in a pressurized water reactor (PWR) has been stressed many times in this book. It is an absolute requirement in a boiling water reactor (BWR) in order to cope with the loss of the main condenser, because steam release to the outside is excluded on account of the radioactivity content of the reactor water.

A system of this type can have several configurations, but only one type (see Fig. A10.1), the “core rescue system” (CRS), which was studied extensively between 1980 and 1985, is described here. This system was not only a primary depressurization system, as it also included a subsequent passive water injection function in the primary circuit (low pressure and small flow rate) for the long-term refrigeration of the core. The degree to which the CRS was incorporated into plants depended on how far a particular plant design had progressed, ranging from being an integral part of the design from initial conception to being “backfitted.”

The system operation does not exploit gravity, which would be the preferred type; for the borated water injection (accumulators), gravity has been replaced by gas under pressure. In fact, where significant pressures are needed, gravity can only be used on sites having a particular topography, as in the case of the SENA power station located inside a cavern in a hill (Chooz, Belgium).

Fig. A10.1 shows the functional scheme of a CRS where, for clarity, the necessary redundancies of components are not indicated. The principal system parts are (the dimensions refer to a Westinghouse 312 reactor of about 1000 MWe)

• An automatic and manual primary system depressurization line which is connected to the pressurizer top and terminates in a mixture condenser. The line has an equivalent flow area corresponding to a circular opening of 150 mm diameter. It ensures a quick chain reaction shutdown by void formation in the core and a reliable depressurization (which is protected from the effect of partial plugging) down to pressures lower than 1 MPa, even without any other primary water cooling system, in a time of minutes.

• A series of three accumulators containing compressed gas and borated water at low pressure (1.8 MPa, relative), each connected to one of the three cold legs of the primary system. The volume of each accumulator is about 333 m³, 250 m³ of which are occupied by borated water at 2000 ppm boron. These accumulators are normally isolated from the primary system by nonreturn valves only, as for the intermediate pressure (4.2 MPa, relative) accumulators commonly installed in PWRs. The connection lines with the primary system are of small diameter (≈50 mm), sufficient to supply, in case of primary depressurization, a slow and durable injection of borated water (indicative duration in typical cases ≥ 10 hours). Borated water injection performs the double function of maintaining the reactor subcritical in the long term and of refrigerating it by flooding and vaporization (feed and bleed).

• A mixture condenser of the indicative volume of about 1500 m³, of which 500 m³ are initially occupied by borated water at 2000 ppm boron and the rest by nitrogen. The function of this component is the collection of the fluid discharged by the primary system and the confinement of the fission products contained in it, the dissipation of its thermal energy to the outside environment and the formation of an additional reserve of water for the long-term cooling of the core, that is, beyond the 10 hours (by natural or forced circulation, using the low power pumps, according to the elevation where the condenser is placed). The condenser should be a vessel of very simple shape (for ease of inspection), cooled from the outside by a gravity-driven water spray and subsequent submersion. It is connected to the atmosphere of the reactor containment by safety valves and by vacuum breakers. The design pressure is the same as that of the containment. The external spray is actuated by high temperature in the condenser, 343 K (70°C), or manually. The condenser is an easily coolable extension of the containment. It has to be noted that this component could also be omitted, discharging the primary fluid of the depressurization line directly into the containment. The drawback of this solution is, however, the contamination of the containment and the absence of a passive “heat sink.”

FIGURE A10.1 Core rescue system. A, air operated; CP, containment pressure; CW, containment wall; EC, emergency condenser; L, vessel water level; LO, logics; LPA, low pressure accumulators; M, motor operated; N, neutron flux; P, pump; PR, pressurizer; RPV, reactor pressure vessel; S, spray; ST, spray tank; T, temperature; V, emergency condenser vault; VB, vacuum breaker.

Two of the many core danger conditions under which it is necessary to operate the system, that is, to open the depressurization line, are

• The presence of a significant neutron flux together with a fast shutdown actuation signal (the anticipated transient without scram case, that is, a transient with the failure of the scram to operate).

• An excessive temperature of the fluid exiting the core or low water level in the vessel (a situation of dangerous overheating of the core).

Indicatively, the intervention thresholds to be chosen are 613 K (340°C) and a level below 66% of the fuel element height. It is not believed that the value of these thresholds is very critical. To further decrease the spurious actuation probability of the system, it seems prudent to envisage a delay of 50–200 s between attainment of an actuation threshold and opening of the depressurization valves. This allows the operators to intervene in cases of clearly erroneous demand for the intervention of the system and also corresponds to what is done in BWR automatic depressurization systems. It may also be useful to operate the system in other dangerous situations.

It has been proposed to automatically open the depressurization valves in case of very high pressure in the containment (e.g., two-thirds of the design pressure). This provision could be useful in case of small breaks in the primary system: the largest part of the efflux flow rate would, in this way, be diverted to the emergency condenser, stopping the pressure increase in the containment. Other situations where the operation of the CRS might be opportune, according to the specific design characteristics of the plant, are listed in Petrangeli (1985), Milella and Petrangeli (1983) and Petrangeli et al. (1993). The energy required to power the instrumentation and commands can be supplied by a small battery. The actuation energy of the valves may be supplied by small compressed air tanks in the same manner as for the safety-relief valves of many BWRs.
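The actuation conditions, thresholds and delay described above can be written as a small decision routine over a sampled trace. This is an added illustration, not code from the book or from any plant: the 5% "significant flux" level, the 100 s delay, the rule that a demand must persist through the whole delay, and the `operator_inhibit` input are assumptions, and the traces are constructed sample data.

```python
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

# Thresholds quoted in the text.
CORE_EXIT_TEMP_K = 613.0                   # excessive core outlet temperature
VESSEL_LEVEL_FRACTION = 0.66               # level below 66% of fuel element height
CONTAINMENT_PRESSURE_FRACTION = 2.0 / 3.0  # proposed: two-thirds of design pressure

# Assumptions made for this example (not given in the text).
SIGNIFICANT_FLUX_FRACTION = 0.05           # "significant" flux, fraction of nominal
ACTUATION_DELAY_S = 100.0                  # chosen inside the 50-200 s window


@dataclass(frozen=True)
class Sample:
    t: float                               # seconds since start of trace
    core_exit_temp_k: float
    vessel_level_fraction: float           # fraction of fuel element height
    neutron_flux_fraction: float           # fraction of nominal flux
    scram_signal: bool                     # fast shutdown actuation signal present
    containment_pressure_fraction: float   # fraction of design pressure
    operator_inhibit: bool = False         # assumed manual veto during the delay


def demands(s: Sample) -> List[str]:
    """Return the actuation conditions satisfied by one sample."""
    reasons = []
    # ATWS: scram demanded, yet a significant neutron flux is still present.
    if s.scram_signal and s.neutron_flux_fraction >= SIGNIFICANT_FLUX_FRACTION:
        reasons.append("ATWS")
    if s.core_exit_temp_k > CORE_EXIT_TEMP_K:
        reasons.append("HIGH_CORE_EXIT_TEMP")
    if s.vessel_level_fraction < VESSEL_LEVEL_FRACTION:
        reasons.append("LOW_VESSEL_LEVEL")
    if s.containment_pressure_fraction >= CONTAINMENT_PRESSURE_FRACTION:
        reasons.append("HIGH_CONTAINMENT_PRESSURE")
    return reasons


def evaluate(samples: Sequence[Sample],
             delay_s: float = ACTUATION_DELAY_S) -> Tuple[Optional[float], List[str]]:
    """Return (time the depressurization valves open, reasons), or (None, [])."""
    if not 50.0 <= delay_s <= 200.0:
        raise ValueError("delay must lie in the 50-200 s window given in the text")
    armed_at = None
    for s in samples:
        reasons = demands(s)
        if not reasons or s.operator_inhibit:
            # Demand cleared by itself (e.g. flux decayed after a normal scram)
            # or the operator judged it erroneous: restart the delay timer.
            armed_at = None
            continue
        if armed_at is None:
            armed_at = s.t
        if s.t - armed_at >= delay_s:
            return s.t, reasons
    return None, []


def constructed_trace(duration_s: float, step_s: float = 10.0, **overrides) -> List[Sample]:
    """Build a constant-condition trace (constructed sample data, not plant data)."""
    base = dict(core_exit_temp_k=580.0, vessel_level_fraction=1.0,
                neutron_flux_fraction=0.0, scram_signal=False,
                containment_pressure_fraction=0.1)
    base.update(overrides)
    n = int(duration_s / step_s) + 1
    return [Sample(t=i * step_s, **base) for i in range(n)]


if __name__ == "__main__":
    atws = constructed_trace(150, scram_signal=True, neutron_flux_fraction=1.0)
    print("ATWS trace:", evaluate(atws))
    print("Quiet trace:", evaluate(constructed_trace(150)))
```

The delay is what separates a failed scram from a normal one: in both cases the scram signal and full flux coincide in the first sample, but after a successful scram the flux falls below the threshold well inside the delay and the timer resets.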


FIGURE A10.2 Inside NRC article on CRS. Courtesy Platts/McGraw-Hill.


FIGURE A10.3 Annex to an ACRS (United States) letter.


At the time, this system was studied in depth by DISP, ENEA, the University of Pisa, and the ISPRA Research Centre to assess its thermal-hydraulic effectiveness and the reduction of core melt probability that its adoption would have caused. The principal results of these studies are summarized in Petrangeli et al. (1993). The thermal-hydraulic effectiveness of the core cooling, even under extreme conditions, was amply proven. The possible reduction of the core melt probability was estimated to be a factor of at least 10. The probabilistic analysis was submitted to Prof. Rasmussen for review and was approved by him. Other studies that also gave a positive result were made on peculiar effects of the system operation such as the thermomechanical consequences of its spurious actuation on the reactor pressure vessel (Milella and Petrangeli, 1983).

The CRS was not, however, adopted for the reactor then currently being designed in Italy (a Westinghouse 900 MWe plant chosen for the Unified Nuclear Design, PUN). The adoption of the system would have introduced expense and delay which were considered excessive. In any case, its adoption would have introduced an improvement in a plant already considered satisfactory. A system of the CRS type was adopted for a German-designed PWR and, 10 years later, by Westinghouse for its advanced passive safety reactor AP 600.

Figs. A10.2 and A10.3 and Table A10.1 show three documents detailing the studies on the CRS. Fig. A10.2 is reproduced from an article in Inside NRC, where the system was announced.

Table A10.1 Information to CSNI on the CRS.

Present views and trends at DISP (Italy) on light water reactor (LWR) risk reduction (Information notes for CSNI, November 1982.)

1. It is recognized that a public demand and expectation for a LWR risk reduction still exists in Italy as in many other countries.
2. Two ways in principle exist in order to pursue a risk reduction objective:
   a. enhanced core melt prevention
   b. mitigation of core melt consequences
3. Mitigation of consequences is a rather new undertaking and many years of intensive research and development effort are thought to be necessary in order to get a complete enough phenomenological knowledge for soundly based design activities and for significant risk reduction. Considerations like the following ones tend to support this view:
   a. many uncertainties exist on phenomena related to core melt, as pointed out by research and design professionals;
   b. the investment forecast on severe core damage research by national and international organizations is longlasting (e.g., Inside NRC, May 3, 1982; CEC programs);
   c. past experience indicates a progressive widening of the needed research as research work progresses (consider, e.g., the research on ECCS performance after the end-of-1960s’ alarm);
   d. the fact that engineering mitigation features as yet proposed are effective on a part only of the foreseeable containment damage scenarios.
4. Mitigation of core melt consequences does not prevent plant extensive contamination and subsequent occupational health and economic burdens.
5. It is believed that a significant potential of risk reduction still exists in the enhancement of core melt prevention by a more attentive use of proven components; exploitation of this potential is at hand now and should be pursued at least in an interim period of time, while knowledge on core melt mitigation makes sufficient progress.
6. It is believed that the most effective way to affect core melt prevention has to be based on
   a. the recognition that core integrity can be preserved, despite the wide variety of possible plant accident sequences, by two provisions only: core shutdown and core submersion by boiling water;
   b. the adoption of simple, reliable, passive, direct safety systems as those currently accepted for the prevention against other industrial age common dangers (e.g., fire protection means, transportation vehicle emergency arrest, overpressure protection of industrial and family devices).
7. System concepts which satisfy the above-listed criteria have been developed in the last two years and are now undergoing final verification at DISP for use on future PWRs (see Annex for a brief description). It can now be evaluated that their adoption may originate a nuclear plant at least 10 times safer than most of the current designs.
8. Further information on these systems will be offered to interested national and international organizations as soon as the verification work progresses, in order to share knowledge and to seek cooperation.

ANNEX
SSN 1 systems for PWRs: a brief description

1. Main components:
   a. primary system automatic depressurization line through adequately sized relief valve(s)
   b. low-pressure accumulators for borated water injection lasting about 10 hours
   c. spray and submersion cooled direct-contact condenser for heat transmission to the environment
   d. connections for fire-fighting corps mobile pumps and augmented borated water preparation devices for long-term water injection in the primary system (plus additional recirculation means from the direct-contact condenser)
2. Actuating signals:
   a. high core fluid temperature
   b. failed scram (coincidence of significant neutron flux with presence of a scram signal)
   c. (low vessel water level or high high containment pressure to be considered as possible future developments).
3. Functions:
   a. core shutdown (void formation and boron injection) and core cooling (boiling and bleed) by passive and direct means for at least 10 hours in case of any of the dominant core melt sequences of risk studies
   b. core cooling by readily and widely available means in the long term.
4. Possible further developments:
   a. pressurized thermal shock prevention
   b. prevention of radioactivity release from steam generator safety/relief valves
   c. prevention of containment contamination by quench tank overflow
   d. simplification or elimination of high pressure safety injection systems and of other cooling systems against external events
   e. extension of the concept to BWRs
   f. use of further passive components
5. Work in progress and possible future activities:
   a. first conceptual design and PRA on risk reduction have been completed and independently reviewed by Prof. Rasmussen.
   b. thermal-hydraulic refined verifications are in progress

   Future possible actions:
   • further independent PRA
   • completion of thermal-hydraulic refined verifications and feedback on conceptual design
   • implementation design work by utility and industry.

References
• IAEA-Conference, Stockholm Oct.80, Paper CN 39/52
• Report ENEA RT/DISP(82)1

(Continued)

444

APPENDIX 10 PRIMARY DEPRESSURIZATION SYSTEMS

Table A10.1 Information to CSNI on the CRS. Continued 1 Acronym for “Sistema di Salvataggio del Nocciolo,” meaning “core rescue system.” Information to CSNI November 1982 DISP—Italy

Fig. A10.3 contains the information which was given to CSNI in 1982. Table A10.1 is part of the US Advisory Committee for Reactor Safeguards (ACRS) answer to a communication containing the description of the system.

A10.2 DEPRESSURIZATION SYSTEMS FOR MODERN DESIGN REACTORS

The concept of primary depressurization systems for PWRs has become ever more popular with time. All modern plants, including the European pressurized reactor, incorporate an enhanced “feed and bleed” function according to the conceptual lines of the depressurization system. Some designs, like AP 600, also have an enhanced depressurization/injection function with a higher injection flow rate than the above-described CRS, with the aim of allowing coolant injection into the core by gravity and not by nitrogen accumulator pressure. Voluntary primary depressurization has also been considered as the best means to stop possible direct containment heating and to eliminate severe accident sequences with a vessel at high pressure.

REFERENCES

Milella, P., Petrangeli, G., 1983. Thermo-mechanical Effects of a Postulated Spurious Actuation of a Core Rescue System. RT/DISP(83)5, DISP/ENEA.
Petrangeli, G., 1985. More Intrinsically Safe and Simplified Light Water Reactors. RTI DISP (85), DISP/ENEA.
Petrangeli, G., Tononi, R., D’Auria, F., Mazzini, M., 1993. The SSN: an emergency system based on intentional coolant depressurization for PWRs. Nucl. Eng. Des. 143 (1), 25–54.

APPENDIX 11

THERMAL-HYDRAULIC TRANSIENTS OF THE PRIMARY SYSTEM

A11.1 GENERAL REMARKS

This appendix details a simple calculation program that allows the rough evaluation of transients and accidents in the primary system of a pressurized water reactor (PWR). It can, however, be adapted to other types of water reactors. As noted at the beginning of Appendix 2, here also, for historical reasons, some units of measurement are not those of the Standard International System.

The aim of this program is to evaluate the general trend of the parameters that influence the reactor cooling and heat dissipation to the environment in a large number of incident/accident situations. The emphasis has, therefore, been put on the flexibility and speed of the tool more than on its precision and on its degree of detail. Given the limited and specific objective of the program, a (substantially) single volume primary system scheme has been adopted. The file PRIMARYSYSTEM (which can be downloaded from the Mendeley website) shows the simulated components. The reactor pressure vessel and pressurizer are shown as separate components, while in the program they are part of a single calculation volume.

This program has been useful in the preliminary sizing of safety systems during the design phase and in their quick verification during safety reviews. It was first developed (Petrangeli, 1983; Petrangeli et al., 1993) for the study of a new safety system (the CRS described in Appendix 10) based on the voluntary depressurization of the primary system and on the passive injection (by accumulators under pressure) of cooling water. This basic concept has been subsequently applied to various reactor designs.

Calculation tools of this kind are very useful to the designer or to the overall system analyst (even if they leave the true specialists of the branch rather puzzled), as they allow the study of many cases and for transient times as long as are desired. It has been observed, with reference to the Three Mile Island accident, that if the time length of the calculated transients had been prolonged beyond the intervention time of the safety systems, the adopted thermal-hydraulic codes (RELAP and so on) could have shown the danger of getting to a situation where the pressurizer is substantially full of liquid while the reactor vessel is nearly empty. As is known, this situation may cause the operators to erroneously think that all of the primary system is full and therefore make them shut off the safety injection systems. In fact, the calculations performed were stopped precisely at the moment of their intervention. This practice concerning the duration of the calculations was and is motivated by economic reasons. Unfortunately, the program described here would not have been adequate in the Three Mile Island situation as it is too simple (one volume only). The concept, however, that powerful and complex calculation programs must be accompanied by more simply usable tools has a general validity.

A11.2 GENERAL PROGRAM CHARACTERISTICS

Saturation conditions are assumed in the primary system and, therefore, the initial phase of the pressurizer voiding during an accident cannot be simulated. This phase is not of great interest for the prevention of severe core damage, which remains the field of deepest interest in the context for which the program has been written.

The principal analytical instruments are the mass and energy conservation equations. The heat supplied to the primary system is principally the core decay heat, set equal to the one given by the ANS curve minus 5%, according to a suggestion by Tong (1982) intended to originate better approximation evaluations (best estimates) as opposed to very conservative evaluations. This curve can be multiplied by a factor higher than one, foreseen by the program (KQD factor), in order to obtain conservative results, even if less similar to reality (see Table A2.2).

The heat exchanged (in either direction) by the primary system with the steam generators during the accident can be simulated by a term decreasing from a given value at an initial time down to zero at a given subsequent time. This term may simulate, for example, the heat absorbed by the residual water of the secondary side of the steam generators after a stop of the feedwater flow.

The loss of water from the primary system can be simulated by an efflux from a depressurization system and from a hypothetical break in the primary system itself. The efflux can be of a liquid, homogeneous mixture or steam, as chosen by the user. The pressure transients in the accumulators are simulated as isothermal transformations. The water injection by an ECCS system can be simulated.

The simplicity of the program is responsible for the possibility of interrupting a calculation and of easily resuming it using different input data (e.g. if one wants to change the ECCS flow rate from a certain time on).

A11.3 PROGRAM DESCRIPTION

The program is based on a Microsoft Excel 97 spreadsheet which includes some Visual Basic for Applications macros. Macro SP is used for the general control and, when needed, calls the other 14 subroutines.

A11.3.1 MACRO STAMPA DATI

This prints the input data of the case under study. These are entered by the user into cells A2:H11. These cells are subsequently used by the program as a set of service cells, with their content being varied at any program step. Therefore, at the end of the run, the numbers contained in the cells refer to the values corresponding to the last step.

    Sub STAMPA_DATI()
    '
    ' STAMPA_DATI Macro
    ' Macro recorded on 03/11/2001 by Petrangeli Gianni
    '
        ' Print the saved copy of the input data
        Range("A31:H41").Select
        Selection.PrintOut Copies:=1
        Application.CommandBars("Stop Recording").Visible = False
        Range("J16").Select
        Application.Goto Reference:="STAMPA_DATI"
        Application.WindowState = xlMinimized
        Application.WindowState = xlNormal
        Application.Goto Reference:="STAMPA_DATI"
        Range("A27").Select
        ' Save the workbook in the working directory
        ChDir "C:\SP"
        ActiveWorkbook.SaveAs Password:="", _
            FileName:="C:\SP\SP.xls", FileFormat:=xlNormal, _
            WriteResPassword:="", _
            ReadOnlyRecommended:=False, _
            CreateBackup:=False
    End Sub

The reference cells, containing initial data and the service ones for the calculation of each step, are the following:

Program “PS”: Input Data and Last Step Data: 4/11(2)

    Vp (m3) = 463.3       VAT1 (m3) = 118          VA1 (m3) = 0            Mp (kg) = 79519.2974
    Vab (m3) = 463.3      VAT2 (m3) = 1012         VA2 (m3) = 675          P0 (kg/cm2) = 94
                          PA1 (kg/cm2) = 40        PA2 (kg/cm2) = 15       P1 (kg/m2) =
    DP1 (s) = 2           DP2 (s) = 0.2            As (cm2) = 0            Ab (cm2) = 27.9
                          KA1 (kg/cm2 s) = 711     KA2 (kg/cm2 s) = 12     HA (Cal/kg) = 49
    P (MWt) = 2871.3      KQD = 1.45
    GS (kg/s) = 0         TU1GS (s) = 600          TU2GS (s) = 6000
    QS (Cal/s) = 0        TU1QS (s) = 0            TU2QS (s) = 0
    TUO (s) = 600         TUF (s) = 6000
    FL1 = 0               FL2 = 0
    DT (s) =

    TUO (s) = 6114.141    TU1 (s) = 6114,141
    P0 (kg/cm2) = 70      VF (m3/kg) = 0.0013531     x = 0.1525122
                          VFG (m3/kg) = 0.0257476
                          HF (Cal/kg) = 303.48877    HS (Cal/kg) = 661.95934
                          HFG (Cal/kg) = 358.47058   HB (Cal/kg) = 661.95934
                          GUS (kg/s) = 0             GUB (kg/s) = 30.93552
                          GE (kg/s) = 0              GA1 (kg/s) =            GA2 (kg/s) =
                          QS (Cal/s) = 0             -1132.76                DT (s) = 265.96065    -301269.55
    P1 (kg/cm2) = 70      VF1 = 0.0013468            x1 = 0.1682713          Mp1 (kg) = 79519.2974
                          VFG1 = 0.0266207
                          HF1 = 301.0671
                          HFG1 = 361.50553
    TU1 =

Symbols

Ab, area of break in primary system (cm2)
As, equivalent efflux area of the depressurization line (cm2)
A1, A2, accumulators, respectively at intermediate (40 bar) and low (~15–20 bar) pressure
CRS, Core Rescue System
DP1, DP2, variation of the pressure in single step, respectively high (~5 bar) and low (15–20 bar)
DT, time increment in the generic step (s)
ECCS, Emergency Core Cooling System
FL1, FL2, service command ‘flags’ for the calculation of the efflux from CRS system (depressurization) and from break
G, mass flow rate (kg/s or kg/cm/s)
GA1, GA2, efflux flow rate from accumulators A1 and A2, respectively (kg/s)
GE, inlet flow rate in the primary system (accumulators + ECCS) (kg/s)
GS, efflux flow rate of ECCS (kg/s)
GUB, efflux flow rate from assumed break (kg/s)
GUS, efflux from depressurization system (CRS) (kg/s)
HA, enthalpy of the water delivered by accumulators and by ECCS (Cal/kg)
KA1, KA2, efflux coefficients from accumulators A1 and A2, respectively (kg cm2/s)
KQD, decay power multiplier (=1.05 for ANS curve)
Mp, mass of water in the primary system (liquid + steam) (kg)
P, pressure (kg/cm2)
PA1, PA2, A1 and A2 accumulator pressure, respectively (kg/cm2)
VA1, VA2, water volume in accumulators A1 and A2, respectively (m3)
VAT1, VAT2, total volume in accumulators A1 and A2, respectively (m3)
Vab, portion of primary volume below break (m3)
Vp, primary system volume (m3)
x, x1, average steam quality in the primary system at start and end of step
TU1, end time of step (s)
TU1GS, TU2GS, start and stop time, respectively, for ECCS system (s)
TU1QS, TU2QS, start and stop time, respectively, for the steam generator heat release or absorption (s)
TU0, TUF, start and stop time, respectively, of the calculated transient (s)

A11.3.2 MACRO COPIA_DATI

This copies the initial data into cells A31:H41 so that they may be kept until the end of the calculation in order to allow the user to evaluate the results.

    Sub COPIA_DATI()
    '
    ' COPIA_DATI Macro
    ' Macro recorded on 03/11/2001 by Petrangeli Gianni
    '
        ' Copy the input cells to the area kept for the whole run
        Range("A2:H11").Select
        Selection.Copy
        Range("A32").Select
        ActiveSheet.Paste
        ' Section titles written to the sheet ("input data", "results of the steps")
        Range("$a$31") = "DATI DI INGRESSO"
        Range("$a$43") = "RISULTATI DEI PASSI"
    End Sub

A11.3.3 MACRO HF

This evaluates at each step the specific enthalpy of the primary liquid as a function of the initial pressure of the step. The approximate formula, Eq. (A11.1), has been taken from Santarossa et al. (1976) (as have the subsequent properties of the cooling fluid).

$$HF = \frac{964.3845\,p^3 + 188946.5\,p^2 + 2470981\,p + 1649689}{p^3 + 665.0797\,p^2 + 16075.48\,p + 26716.57} \tag{A11.1}$$

where HF is the specific enthalpy of the liquid water (Cal/kg) and p is the primary pressure at the start of the step (kg/cm2). As an example, for a pressure of 70 kg/cm2, Eq. (A11.1) gives a value of 301.1 (Cal/kg) compared with a handbook value of 298 (Cal/kg).

    Sub HF()
    '
    ' HF Macro
    ' Macro recorded on 30/10/2001 by Petrangeli Gianni
    '
        ' Liquid enthalpy (cell D17) from the pressure at the start of the step (cell B15)
        Range("$d$17") = (964.3845 * Range("$b$15") ^ 3 + 188946.5 * Range("$b$15") ^ 2 _
            + 2470981 * Range("$b$15") + 1649689) _
            / (Range("$b$15") ^ 3 + 665.0797 * Range("$b$15") ^ 2 _
            + 16075.48 * Range("$b$15") + 26716.57)
        Range("F18").Select
    End Sub

A11.3.4 MACRO HFG

This evaluates the enthalpy of vaporization at the start of the step with the same units as macro HF using Eq. (A11.2). The signs of the coefficients are those of the macro listed below, which reproduces the numerical example.

$$HFG = \frac{231973.9\,p^3 - (5.284174 \times 10^{7})\,p^2 - (1.191874 \times 10^{9})\,p - (1.575882 \times 10^{9})}{p^4 + 82.67094\,p^3 - 126285.4\,p^2 - 2315288\,p - 2785184} \tag{A11.2}$$

As an example, for a pressure of 70 (kg/cm2), Eq. (A11.2) gives a value of 361.5 (Cal/kg) compared with a handbook value of 357.3 (Cal/kg).

    Sub HFG()
    '
    ' HFG Macro
    ' Macro recorded on 30/10/2001 by Petrangeli Gianni
    '
        ' Enthalpy of vaporization (cell D18) from the pressure at the start of the step (cell B15)
        Range("$d$18") = (231973.9 * Range("$b$15") ^ 3 - 52841740 * Range("$b$15") ^ 2 _
            - 1191874000 * Range("$b$15") - 1575882000) _
            / (Range("$b$15") ^ 4 + 82.67094 * Range("$b$15") ^ 3 _
            - 126285.4 * Range("$b$15") ^ 2 - 2315288 * Range("$b$15") - 2785184)
        Range("H17").Select
    End Sub

A11.3.5 MACRO VF

This evaluates the specific volume of the liquid at the start of the step [Eq. (A11.3)]. The signs of the coefficients are those of the macro listed below, which reproduces the numerical example.

$$VF = \frac{(9.165659 \times 10^{-4})\,p^3 - (4.1599 \times 10^{-1})\,p^2 - 35.05628\,p - 120.077}{p^3 - 251.462\,p^2 - 31207.36\,p - 117706.3} \tag{A11.3}$$

where VF is the specific volume (m3/kg). For 70 (kg/cm2), Eq. (A11.3) gives 0.00135 (m3/kg), which is equal to the table value.

    Sub VF()
        ' Liquid specific volume (cell D15) from the pressure at the start of the step (cell B15)
        Range("$D$15") = (0.0009165659 * Range("$b$15") ^ 3 - 0.4159937 * Range("$b$15") ^ 2 _
            - 35.05628 * Range("$b$15") - 120.077) _
            / (Range("$b$15") ^ 3 - 251.462 * Range("$b$15") ^ 2 _
            - 31207.36 * Range("$b$15") - 117706.3)
    End Sub

A11.3.6 MACRO VFG

This evaluates the differential specific volume of steam–liquid (m3/kg) at the start of the step using Eq. (A11.4). The signs of the coefficients are those of the macro listed below, which reproduces the numerical example.

$$VFG = \frac{(-2.309098 \times 10^{-3})\,p^4 + 4.162979\,p^3 - 857.4263\,p^2 - 14867.06\,p - 3998.127}{p^4 - 381.89\,p^3 - 7810.05\,p^2 - 3776.419\,p + 529.4787} \tag{A11.4}$$

For 70 (kg/cm2), Eq. (A11.4) gives 0.027 (m3/kg) compared with a table value of 0.026 (m3/kg). Four more macros calculate by identical formulae the values of HF1, HFG1, VF1 and VFG1, that is, the thermodynamic properties at the pressure at the end of the step.

    Sub VFG()
    '
    ' VFG Macro
    ' Macro recorded on 30/10/2001 by Petrangeli Gianni
    '
        ' Steam-liquid specific volume difference (cell D16) from the pressure at the start of the step (cell B15)
        Range("$d$16") = (-0.002309098 * Range("$b$15") ^ 4 + 4.162979 * Range("$b$15") ^ 3 _
            - 857.4263 * Range("$b$15") ^ 2 - 14867.06 * Range("$b$15") - 3998.127) _
            / (Range("$b$15") ^ 4 - 381.89 * Range("$b$15") ^ 3 _
            - 7810.05 * Range("$b$15") ^ 2 - 3776.419 * Range("$b$15") + 529.4787)
    End Sub

A11.3.7 MACRO QS

This calculates the heat supplied to the primary system or released by it from/to sources other than the core (typically to the steam generator) using Eq. (A11.5).

$$QS = \left[1 - \frac{TU0 - TU1QS}{TU2QS - TU1QS}\right] \tag{A11.5}$$

where QS is the maximum thermal power exchanged at the instant TU1QS (s), TU1QS and TU2QS are the times (s) of the start and end of the heat exchange, respectively, and TU0 is the initial time of the step (s).

    Sub QS()
        Rem Computes the heat added by sources other than the core, such as the steam generators
        If Range("$d$9") < Range("$b$14") Then
            If Range("$f$9") > Range("$b$14") Then
                ' Linear decrease between TU1QS and TU2QS, scaled by the input value QS (cell B9)
                Range("$d$22") = (1 - ((Range("$b$14") - Range("$d$9")) / (Range("$f$9") - Range("$d$9")))) * Range("$B$9")
            Else
                Range("$d$22") = 0
            End If
        End If
    End Sub

A11.3.8 MACRO GU

This calculates the weight flow rate which exits from the depressurization line and the one which exits through an assumed break. According to the liquid level in the primary calculated by the program, the efflux is liquid or nonliquid. In the latter case, it is of steam or of a homogeneous mixture with quality equal to the average one of the primary system, according to a choice made by the user as an input datum to the calculation: the parameters FL1 and FL2 refer to the depressurization and to the break, respectively, and are set equal to 0 for steam efflux and to 1 for two-phase efflux. The formulae used for the various cases are

$$G = (1.54 \times 10^{-2})\,p \times A \quad \text{(steam)} \tag{A11.6}$$

$$G = p^{1/3} \times A \quad \text{(liquid)} \tag{A11.7}$$

$$G = (p^{1/3} - 0.02 \times X \times HFG) \times A \quad \text{(two phases)} \tag{A11.8}$$

where G is the weight flow rate (kg/s), p is the primary pressure (kg/cm2), A is the efflux area (cm2), X is the average primary steam quality and HFG is the vaporization heat of the water at the primary pressure (Cal/kg).

It is assumed that the opening for the primary depressurization is located on top of the pressurizer (i.e., at the highest point of the system), so liquid efflux will occur only if the program detects a situation where the water volume in the primary system is equal to or higher than the volume of the primary itself.

As far as the break is concerned, its location is defined at the start (among the input data) by the volume of the primary system below it and therefore liquid efflux occurs only if the water volume is higher than this given volume.

    Sub GU()
        ' Depressurization line: liquid efflux only if the liquid volume (VF * Mp) exceeds Vp
        If (Range("d$15") * Range("$h$2")) > Range("b$2") Then
            Range("$d$20") = Range("$b$15") ^ (1 / 3) * Range("$f$5")
            Range("$f$17") = Range("$d$17")
        Else
            If Range("$b$11") = 0 Then
                ' FL1 = 0: steam efflux, HS = HF + HFG
                Range("$d$20") = 0.0154 * Range("$b$15") * Range("$f$5")
                Range("$f$17") = Range("$d$17") + Range("$D$18")
            Else
                ' FL1 = 1: two-phase efflux, HS = HF + x * HFG
                Range("$D$20") = (Range("$b$15") ^ (1 / 3) - 0.02 * Range("$f$15") * Range("$d$18")) * Range("$f$5")
                Range("$f$17") = Range("$d$17") + Range("f$15") * Range("$d$18")
            End If
        End If
        ' Break: liquid efflux only if the liquid volume exceeds the volume below the break (Vab)
        If (Range("$d$15") * Range("$h$2")) > Range("$b$3") Then
            Range("$f$20") = Range("$b$15") ^ (1 / 3) * Range("$h$5")
            Range("$f$18") = Range("$d$17")
        Else
            If Range("$d$11") = 0 Then
                ' FL2 = 0: steam efflux, HB = HF + HFG
                Range("$f$20") = 0.0154 * Range("$b$15") * Range("$h$5")
                Range("$f$18") = Range("$d$17") + Range("$d$18")
            Else
                ' FL2 = 1: two-phase efflux, HB = HF + x * HFG
                Range("f$20") = (Range("$b$15") ^ (1 / 3) - 0.02 * Range("$f$15") * Range("$d$18")) * Range("$h$5")
                Range("$f$18") = Range("$d$17") + Range("f$15") * Range("$d$18")
            End If
        End If
    End Sub

A11.3.9 MACRO GE

This evaluates the liquid flow rate entering the primary system using Eq. (A11.9). It is composed of the efflux of the two series of accumulators (intermediate and low pressure), whose characteristics are specified in the input data, and of the efflux of an injection safety system (ECCS), operating between two given times (TU1GS and TU2GS) for a given flow rate GS.

$$G = K \times \Delta p^{1/2} \tag{A11.9}$$

where G is the weight flow rate (kg/s), K is the efflux coefficient (kg^0.5 cm/s) and Δp is the pressure difference between accumulators and primary system (kg/cm2).

The program sets the efflux from each series of accumulators to zero when their pressure is lower than the primary one and when the water volume in them is zero.

    Sub GE()
        Rem computes the flow rate entering the primary during the step (accumulators 1 and 2 and ECCS)
        ' Start from zero so that no flow is carried over from the previous step
        Range("$d$21") = 0
        Range("$f$21") = 0
        Range("$h$21") = 0
        Rem Here the flow rate leaving accumulators A1 is computed
        If Range("$d$4") > Range("$b$15") Then
            If Range("$f$2") > 0 Then
                Range("$d$21") = (Range("$d$4") - Range("$b$15")) ^ 0.5 * Range("$d$6")
                Range("$f$21") = Range("$D$21")
            Else
                Range("$d$21") = 0
                Range("$f$21") = Range("$D$21")
            End If
        End If
        Rem Here the flow rate leaving accumulators A2 is computed
        If Range("$f$4") > Range("$b$15") Then
            If Range("$f$3") > 0 Then
                Range("$d$21") = Range("$d$21") + (Range("$f$4") - Range("$b$15")) ^ 0.5 * Range("$f$6")
                Range("$h$21") = Range("$d$21") - Range("$f$21")
            Else
                Range("$h$21") = 0
            End If
        End If
        Rem Here the ECCS flow rate GS is added
        If Range("$d$8") < Range("$b$14") Then
            If Range("$b$14") < Range("$f$8") Then
                Range("$d$21") = Range("$d$21") + Range("$b$8")
            End If
        End If
    End Sub

A11.3.10 MACRO DT

This calculates the time, DT, necessary to cover the given pressure interval (DP1 or DP2) and essentially includes the mass and energy conservation equations in a finite differences form:

$$Mp_1\,H_1 - Mp_0\,H_0 - J\,Vp\,(P_1 - P_0) = DT\,(Q + GE\,HE - GU\,HU)$$

$$Mp_1 = Mp_0 + (GE - GU)\,DT$$

where Mp is the primary fluid mass (kg), H is the enthalpy of the primary fluid (Cal/kg), J is the mechanical equivalent of the Calorie, Vp is the primary volume (m3), P is the primary pressure (kg/cm2), Q is the heat supplied to the primary system or released by it (Cal), GE is the entering flow rate (kg/s), GU is the exiting flow rate (kg/s) and 0 and 1 are the indexes for the start and end of the step, respectively. The interval DT for each step is given by Eq. (A11.10).

$$DT = \frac{M_0\left[HF_1 - HF_0 - VF_1\dfrac{HFG_1}{VFG_1} + VF_0\dfrac{HFG_0}{VFG_0}\right] + Vp\left[\dfrac{HFG_1}{VFG_1} - \dfrac{HFG_0}{VFG_0} - 23.4\,(P_1 - P_0)\right]}{\left(239 \times P \times Kqd \times 0.124 \times TU0^{-0.283}\right) + Ge\left[Ha - HF_1 + VF_1\dfrac{HFG_1}{VFG_1}\right] - Gus\left[Hus - HF_1 + VF_1\dfrac{HFG_1}{VFG_1}\right] - Gub\left[Hub - HF_1 + VF_1\dfrac{HFG_1}{VFG_1}\right] + Qs} \tag{A11.10}$$

where Kqd is the coefficient for the decay heat described in Section A11.2, P is the reactor thermal power (MWth) and Gus and Gub are the flow rate going out from the depressurization system and from the break (kg/s), respectively. The other symbols have been defined earlier.

    Sub DT()
        ' Numerator of Eq. (A11.10), stored in H22
        Range("$h$22") = (Range("$h$2") * (Range("$d$25") - Range("$d$17") _
            - Range("$d$23") * (Range("$d$26") / Range("$d$24")) _
            + Range("$d$15") * (Range("$d$18") / Range("$d$16"))) _
            + Range("$b$2") * (Range("$d$26") / Range("$d$24") - Range("$d$18") / Range("$d$16") _
            - 23.4 * (Range("$b$23") - Range("$b$15"))))
        ' Denominator of Eq. (A11.10), stored in E22: decay heat, inlet flow, the two effluxes and QS
        Range("$e$22") = (239 * Range("$b$7") * Range("$d$7") * 0.124 * Range("$b$14") ^ (-0.283) _
            + Range("$d$21") * (Range("$h$6") - Range("$d$25") + Range("$d$23") * (Range("$d$26") / Range("$d$24"))) _
            - Range("$d$20") * (Range("$f$17") - Range("$d$25") + Range("$d$23") * (Range("$d$26") / Range("$d$24"))) _
            - Range("$f$20") * (Range("$f$18") - Range("$d$25") + Range("$d$23") * (Range("$d$26") / Range("$d$24"))) _
            + Range("$d$22"))
        ' DT, stored in G22
        Range("$g$22") = Range("$h$22") / Range("$e$22")
    End Sub

A11.3.11 MACRO PS

This is the general program which connects together all the other subroutines. It initially calls the subroutine Stampa Dati which produces a paper copy of the input data supplied by the user. The subroutine Copia Dati copies these data to the spreadsheet. Subsequently, it chooses the pressure interval between the two given values DP1 and DP2 (usually smaller). At the start, DP1 is chosen, then a series of conditions are inserted in the program which implement the following:

• The shortest step is chosen if the time interval resulting from the calculation of the step is too long to guarantee the required precision, that is, longer than 1000 s (the case for slowly varying pressure). It may happen that even with the shorter step, the time interval is longer than 1000 s and in these conditions, the calculation is repeated using an even shorter DP2.
• A negative pressure step is chosen if the calculated time interval is negative (in the case of an inversion in the pressure trend).

Then the program calculates all the quantities necessary to find DT using the various subroutines and finally it calculates DT. If it is not necessary to repeat the step in order to change the chosen DP, the program writes the results of the step in the spreadsheet and, having put the input data for the subsequent step in cells A2:H6, it runs the following step.

    Sub SP()
        Call COPIA_DATI
        Call STAMPA_DATI
        ' Labels of the service cells
        Range("$a$14") = "TU0[s] = "
        Range("$a$15") = "P0[Kg/cm2] = "
        Range("$c$14") = "TU1[s] = "
        Range("$c$15") = "VF[m3/Kg] = "
        Range("$e$15") = "x = "
        Range("$c$16") = "VFG[m3/Kg] = "
        Range("$c$17") = "HF[KL/Kg] = "
        Range("$e$17") = "HS[Kl/Kg] = "
        Range("$c$18") = "HFG[KL/Kg] = "
        Range("$e$18") = "HB[KL/Kg] = "
        Range("$c$20") = "GUS[Kg/s] = "
        Range("$e$20") = "GUB[Kg/s] = "
        Range("$c$21") = "GE[Kg/s] = "
        Range("$e$21") = "GA1[Kg/s] = "
        Range("$g$21") = "GA2[Kg/s] = "
        Range("$c$22") = "QS[KL/s] = "
        Range("$f$22") = "DT[s] = "
        Range("$a$23") = "P1[Kg/cm2]"
        Range("$c$23") = "VF1 = "
        Range("$e$23") = "x1 = "
        Range("$g$23") = "Mp1[Kg] = "
        Range("$c$24") = "VFG1 = "
        Range("$c$25") = "HF1 = "
        Range("$c$26") = "HFG1 = "
        ' First row of the data for the graphs: time, pressure, mass
        Range("$a$59957") = Range("$b$10")
        Range("$b$59957") = Range("$h$3")
        Range("$c$59957") = Range("$h$2")
        co = 0
        Rem set the initial pressure and the initial time
        Range("$b$14") = Range("$b$10")
        Range("$d$14") = Range("$b$10")
        Range("$b$15") = Range("$h$3")
        Rem the main loop starts
        Do While Range("$b$14") < Range("$d$10")
            Rem compute the final pressure of the step with the long step
            Range("$b$23") = Range("$b$15") - Range("$b$5")
            GoTo Fine_ciclo_a_passo_temporale_lungo
            Rem label used to change the step
    Passo_temporale_breve:
            Range("$b$23") = Range("b$15") - Range("$d$5")
            Rem end of the short time step
    Fine_ciclo_a_passo_temporale_lungo:
            Call VF
            Call VF1
            Call VFG
            Call VFG1
            Call HF
            Call Modulo6.HF1
            Call HFG
            Call HFG1
            Call GU
            Call GE
            Call QS
            Call DT
            ' A negative DT means the pressure trend is inverted: reverse the sign of both steps and repeat
            If Range("$g$22") < 0 Then
                Range("$d$5") = -Range("d$5")
                Range("b$5") = -Range("b$5")
                GoTo Passo_temporale_breve
            Else
            End If
            Rem writes TU1 in d14
            Range("$d$14") = Range("d$14") + Range("$g$22")
            Rem x0
            Range("$f$15") = (Range("$b$2") / Range("$h$2") - Range("$d$15")) / Range("$d$16")
            Rem Mp1 is computed and is also stored as Mp of the next step
            Range("$h$23") = (Range("$d$21") - Range("$d$20") - Range("$f$20")) * Range("$g$22") + Range("$h$2")
            Range("$h$2") = Range("$h$23")
            Rem x1
            Range("$f$23") = (Range("$b$2") / Range("$h$2") - Range("$d$23")) / Range("$d$24")
            Range("h" & ((co + 1) * 12 + 32)) = Range("h2")
            Range("g" & ((co + 1) * 12 + 32)) = "Mp[Kg] = "
            Rem PA1 of the next step is computed and replaces the previous value
            Range("$d$4") = Range("$d$4") * (Range("$d$2") - Range("$f$2")) / (Range("$f$21") / 1000 + (Range("$d$2") - Range("$f$2")))
            Range("d" & ((co + 1) * 12 + 34)) = Range("$d$4")
            Range("c" & ((co + 1) * 12 + 34)) = "PA1[Kg/cm2] = "
            Rem PA2 of the next step is computed and replaces the previous value
            Range("$f$4") = Range("$f$4") * (Range("$d$3") - Range("$f$3")) / (Range("$h$21") / 1000 + (Range("$d$3") - Range("$f$3")))
            Range("f" & ((co + 1) * 12 + 34)) = Range("$f$4")
            Range("$e" & ((co + 1) * 12 + 34)) = "PA2[Kg/cm2] = "
            Rem VA1 is computed and the "full-empty" test is made
            Range("$F$2") = Range("$f$2") - (Range("$f$21") * Range("$g$22")) / 1000
            If Range("$f$2") > 0 Then
                Range("$f$2") = Range("$f$2")
            Else
                Range("$f$2") = 0
            End If
            Range("f" & ((co + 1) * 12 + 32)) = Range("$f$2")
            Range("e" & ((co + 1) * 12 + 32)) = "VA1[m3/Kg] = "
            Rem VA2 is computed and the "full-empty" test is made
            Range("$F$3") = Range("$f$3") - (Range("$h$21") * Range("$g$22")) / 1000
            If Range("$f$3") > 0 Then
                Range("$f$3") = Range("$f$3")
            Else
                Range("$f$3") = 0
            End If
            Rem Writing of the data for the graph
            Range("a" & (59958 + co)) = Range("$d$14")
            Range("b" & (59958 + co)) = Range("$b$23")
            Range("c" & (59958 + co)) = Range("$h$23")
            Rem Writing of the values VA2, P1, DT, TU1, x, x1, GUS, GUB
            Range("f" & ((co + 1) * 12 + 33)) = Range("$f$3")
            Range("e" & ((co + 1) * 12 + 33)) = "VA2[m3/Kg] = "
            Range("h" & ((co + 1) * 12 + 34)) = Range("$b$23")
            Range("g" & ((co + 1) * 12 + 34)) = "P1[Kg/cm2] = "
            Range("f" & ((co + 1) * 12 + 40)) = Range("$g$22")
            Range("e" & ((co + 1) * 12 + 40)) = "DT[s] = "
            Range("h" & ((co + 1) * 12 + 40)) = Range("$d$14")
            Range("g" & ((co + 1) * 12 + 40)) = "TU1 = "
            ' The end-of-step time and pressure become the start values of the next step
            Range("$b$14") = Range("$d$14")
            Range("$b$15") = Range("$b$23")
            Range("e" & ((co + 1) * 12 + 35)) = "x = "
            Range("f" & ((co + 1) * 12 + 35)) = Range("$f$15")
            Range("e" & ((co + 1) * 12 + 36)) = "x1 = "
            Range("f" & ((co + 1) * 12 + 36)) = Range("$f$23")
            Range("c" & ((co + 1) * 12 + 37)) = "GUS[Kg/s] = "
            Range("d" & ((co + 1) * 12 + 37)) = Range("$d$20")
            Range("e" & ((co + 1) * 12 + 37)) = "GUB[Kg/s] = "
            Range("f" & ((co + 1) * 12 + 37)) = Range("$f$20")
            Range("g" & ((co + 1) * 12 + 37)) = "GE[Kg/s]"
            Range("h" & ((co + 1) * 12 + 37)) = Range("$d$21")
            co = co + 1
        Loop
    End Sub
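The step calculation of Eq. (A11.10) and macro DT, rewritten in Python as an added example (it is not the book's spreadsheet code): it recomputes the last step of the sample case printed in A11.3.1 and checks that the resulting DT satisfies the finite-difference energy balance. The start pressure of 72 kg/cm2 (one DP1 above the printed P1), and the start-of-step mass and time, are not printed and are back-calculated here from the printed Mp1, TU1, GUB and DT; all function names are this example's own.

```python
"""One pressure step of the single-volume primary model (Eqs. A11.1 to A11.10)."""

J = 23.4  # Cal per (kg/cm2 x m3), the constant used in macro DT


def _ratio(num, den, p):
    """Evaluate a rational polynomial; coefficients are highest power first."""
    top = bottom = 0.0
    for c in num:
        top = top * p + c
    for c in den:
        bottom = bottom * p + c
    return top / bottom


def hf(p):   # liquid enthalpy, Cal/kg (coefficients of macro HF)
    return _ratio((964.3845, 188946.5, 2470981, 1649689),
                  (1, 665.0797, 16075.48, 26716.57), p)


def hfg(p):  # enthalpy of vaporization, Cal/kg (macro HFG)
    return _ratio((231973.9, -52841740, -1191874000, -1575882000),
                  (1, 82.67094, -126285.4, -2315288, -2785184), p)


def vf(p):   # liquid specific volume, m3/kg (macro VF)
    return _ratio((0.0009165659, -0.4159937, -35.05628, -120.077),
                  (1, -251.462, -31207.36, -117706.3), p)


def vfg(p):  # steam-liquid specific volume difference, m3/kg (macro VFG)
    return _ratio((-0.002309098, 4.162979, -857.4263, -14867.06, -3998.127),
                  (1, -381.89, -7810.05, -3776.419, 529.4787), p)


def decay_heat(power_mwt, kqd, t):
    """Decay heat (Cal/s) at time t (s), as coded in macro DT."""
    return 239 * power_mwt * kqd * 0.124 * t ** -0.283


def quality(vp, mass, p):
    """Average steam quality of the saturated volume vp (m3) holding mass (kg)."""
    return (vp / mass - vf(p)) / vfg(p)


def step(p0, p1, m0, vp, t0, power_mwt, kqd, inflows=(), outflows=(), qs=0.0):
    """Return (DT, M1) for the pressure step p0 -> p1, Eq. (A11.10).

    inflows and outflows are sequences of (flow kg/s, enthalpy Cal/kg) pairs.
    """
    r0 = hfg(p0) / vfg(p0)
    r1 = hfg(p1) / vfg(p1)
    e0 = hf(p0) - vf(p0) * r0
    e1 = hf(p1) - vf(p1) * r1
    num = m0 * (e1 - e0) + vp * (r1 - r0 - J * (p1 - p0))
    den = decay_heat(power_mwt, kqd, t0) + qs
    den += sum(g * (h - e1) for g, h in inflows)
    den -= sum(g * (h - e1) for g, h in outflows)
    dt = num / den
    m1 = m0 + (sum(g for g, _ in inflows) - sum(g for g, _ in outflows)) * dt
    return dt, m1


def balance_residual(p0, p1, m0, m1, vp, dt, heat, inflows=(), outflows=()):
    """Finite-difference energy balance, left side minus right side (Cal)."""
    h0 = hf(p0) + quality(vp, m0, p0) * hfg(p0)
    h1 = hf(p1) + quality(vp, m1, p1) * hfg(p1)
    lhs = m1 * h1 - m0 * h0 - J * vp * (p1 - p0)
    rhs = dt * (heat + sum(g * h for g, h in inflows)
                - sum(g * h for g, h in outflows))
    return lhs - rhs


def sample_last_step():
    """Last step of the sample case printed in A11.3.1 (72 -> 70 kg/cm2)."""
    vp, power, kqd, ab = 463.3, 2871.3, 1.45, 27.9    # printed input data
    p0, p1 = 72.0, 70.0                                # assumed: DP1 = 2 above printed P1
    # Start-of-step mass and time are back-calculated from the printed
    # Mp1, TU1, GUB and DT (assumption of this example).
    m0 = 79519.2974 + 30.93552 * 265.96065
    t0 = 6114.141 - 265.96065
    gub = 0.0154 * p0 * ab                             # steam efflux, Eq. (A11.6)
    out = ((gub, hf(p0) + hfg(p0)),)                   # break discharges steam (FL2 = 0)
    dt, m1 = step(p0, p1, m0, vp, t0, power, kqd, outflows=out)
    resid = balance_residual(p0, p1, m0, m1, vp, dt,
                             decay_heat(power, kqd, t0), outflows=out)
    return dt, m1, quality(vp, m1, p1), resid


if __name__ == "__main__":
    dt, m1, x1, resid = sample_last_step()
    print(f"DT = {dt:.2f} s, Mp1 = {m1:.1f} kg, x1 = {x1:.4f}, residual = {resid:.1e} Cal")
    closed, _ = step(72.0, 70.0, 87746.9, 463.3, 5848.18, 2871.3, 1.45)
    print(f"same pressure drop without efflux: DT = {closed:.1f} s")
```

With the break flow removed, the same 72 to 70 kg/cm2 step returns a negative DT, which is the condition under which macro SP reverses the sign of the pressure step.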

A11.4 USING THE PROGRAM

The program CSPSen.xls is available on the Mendeley website. On running the program the initial page of the spreadsheet is displayed with the cells A1:Al1 filled with the input data of a sample case. The numerical data of the sample case have to be replaced by the data of the case to be studied. The spreadsheet program calls macro SP and the calculation proceeds automatically. Initially the input data are printed and then the results populate the cells. Usually at least 500 steps are necessary for a transient duration of ten hours.

Once the calculation has been performed, it is advised to answer ‘No’ to the question Salvare le modifiche? (‘Save the modifications?’) in order to preserve the sample opening page for future use. The following data are written in the first three columns starting at cell A59995: time, primary pressure and weight of remaining primary fluid. These data can be used to draw two graphs for the pressure and the liquid weight, which are particularly meaningful to evaluate the transient trend. Other graphs and results can be obtained from the result sheet.

It is advised to choose, for the transients with liquid efflux, a DP1 of 5 (kg/cm2) and an initial DP2 of 0.5 (kg/cm2). If the calculated DT is in any case too long (indicatively higher than 1000 s) the calculation should be repeated with a lower DP2, down to 0.3–0.2 (kg/cm2). It is advisable not to leave zeros in the input data and to replace them with very small, mutually consistent, numbers.

A11.5 OTHER FORMULAE FOR THE EXPANDED USE OF THE PROGRAM

The version of the program described here does not foresee the study of anticipated Transients Without Scram or the calculation of the pressure in a water tank where the primary liquid from the depressurization system is discharged. For additional calculations of this type, the following notes and formulae may be useful.

A11.5.1 ANTICIPATED TRANSIENTS WITHOUT SCRAM

For calculations of this type, the evaluation of the shutdown effect of the depressurization is interesting. The depressurization, in fact, causes a loss of primary liquid and a pressure decrease which increase the steam volume in the core (the void content of the core is increased) with consequent introduction of negative reactivity and shutdown of the chain reaction. These evaluations can be done taking into account that results consistent with refined calculations are obtained by assuming that the core shutdown occurs for an average void ratio α in the primary system of 30%. The value of α can be calculated by the following formulae:

$$\alpha = \frac{\gamma X}{1 + X(\gamma - 1)} \tag{A11.11}$$

where

$$\gamma = \frac{1019.2}{P} - 2.28 \tag{A11.12}$$

The values of X (average quality in the primary system) and of P are obtained by the PS program, where the heat supplied to the system must be increased in the first phase of the transient in order to take into account the heat produced by the still active chain reaction. This can be obtained, for example, by artificially increasing the decay heat KQD coefficient.

A11.5.2 PRESSURE IN A DEPRESSURIZATION WATER DISCHARGE TANK

Normally it can be assumed that the energy supply to the tank only increases the liquid water temperature. That is, both the energy for the production of steam in the tank and the enthalpy of the water in the tank in comparison with the enthalpy of the incoming water can be disregarded. In this way the temperature increase in the tank is calculated using Eq. (A11.13).

$$T_1 - T_0 = \frac{\mathrm{DT}\,(\mathrm{GUS} \times \mathrm{HUS} - \mathrm{QE})}{\mathrm{Ma}}, \tag{A11.13}$$

where QE is the heat exchanged with the outside of the tank (Cal) in the time step and Ma is the water mass in the tank (kg). The vapour pressure in the tank can be calculated using the approximate Eq. (A11.14) (or by using the steam tables and saturated steam diagrams). T is the temperature (°C).

$$P_v = \frac{(-4.241304 \times 10^{-9})\,T^4 + (2.284709 \times 10^{-6})\,T^3 - (2.952689 \times 10^{-4})\,T^2 + (2.16481 \times 10^{-2})\,T - 0.5712048}{(2.066907 \times 10^{-11})\,T^4 - (3.211231 \times 10^{-8})\,T^3 + (2.049397 \times 10^{-5})\,T^2 - (6.895268 \times 10^{-3})\,T + 1} \tag{A11.14}$$

This formula has been developed for high pressures and its approximation is considered unacceptable (error higher than 20 per cent) for temperatures lower than 60 °C [corresponding to a vapor pressure of 0.2031 (kg/cm2)]. More data and formulae for thermo-hydraulic calculations in the primary system and in the depressurization systems can be found in (Petrangeli, 1983).
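The following Python sketch is an added example, not part of the book's spreadsheet program: it steps the tank temperature with Eq. (A11.13), evaluates Eq. (A11.14), and refuses to return a vapour pressure below the 60 °C validity limit stated above. GUS and HUS are read here as the discharged mass flow (kg/s) and its specific enthalpy (Cal/kg), QE is used exactly as it appears in Eq. (A11.13), and the sample tank data are constructed; all of these are assumptions.

```python
"""Tank heat-up with Eq. (A11.13) and vapour pressure with Eq. (A11.14)."""

# Coefficients of Eq. (A11.14), highest power of T first (T in deg C, Pv in kg/cm2).
NUM = (-4.241304e-9, 2.284709e-6, -2.952689e-4, 2.16481e-2, -0.5712048)
DEN = (2.066907e-11, -3.211231e-8, 2.049397e-5, -6.895268e-3, 1.0)

T_MIN_VALID = 60.0   # deg C; below this the text calls the fit unacceptable
PV_SAT_60C = 0.2031  # kg/cm2; vapour pressure the text quotes for 60 deg C


def _poly(coeffs, t):
    """Evaluate a polynomial (highest power first) with Horner's rule."""
    acc = 0.0
    for c in coeffs:
        acc = acc * t + c
    return acc


def vapour_pressure_raw(t_c):
    """Eq. (A11.14) with no validity check (used to inspect the fit error)."""
    return _poly(NUM, t_c) / _poly(DEN, t_c)


def vapour_pressure(t_c):
    """Eq. (A11.14), rejected outside the range the text accepts."""
    if t_c < T_MIN_VALID:
        raise ValueError(
            f"Eq. (A11.14) is not acceptable below {T_MIN_VALID} deg C "
            f"(got {t_c}); use steam tables instead"
        )
    return vapour_pressure_raw(t_c)


def temperature_step(t0, dt, gus, hus, qe, ma):
    """Eq. (A11.13): T1 = T0 + DT * (GUS * HUS - QE) / Ma."""
    if ma <= 0 or dt <= 0:
        raise ValueError("Ma and DT must be positive")
    return t0 + dt * (gus * hus - qe) / ma


def tank_transient(t0, dt, gus, hus, qe, ma, steps):
    """Return [(time_s, T_degC, Pv or None)] for a constant discharge.

    Pv is None while the tank is colder than the validity limit, so a
    caller cannot mistake an out-of-range fit value for a real pressure.
    Ma is held constant, as Eq. (A11.13) is written.
    """
    rows, t = [], t0
    for i in range(1, steps + 1):
        t = temperature_step(t, dt, gus, hus, qe, ma)
        pv = vapour_pressure(t) if t >= T_MIN_VALID else None
        rows.append((i * dt, t, pv))
    return rows


if __name__ == "__main__":
    # Constructed sample case: 100 t of water at 30 deg C, 50 kg/s at 300 Cal/kg.
    for time_s, temp, pv in tank_transient(30.0, 10.0, 50.0, 300.0, 0.0, 1.0e5, 40)[9::10]:
        shown = "outside fit range" if pv is None else f"{pv:.4f} kg/cm2"
        print(f"t={time_s:5.0f} s  T={temp:5.1f} C  Pv={shown}")
    err = (PV_SAT_60C - vapour_pressure_raw(60.0)) / PV_SAT_60C
    print(f"fit error at 60 C against the quoted 0.2031 kg/cm2: {err:.1%}")
```

At 100 °C the fit returns the atmospheric value of about 1.033 kg/cm2, while at 60 °C it is already more than 20 per cent below the quoted 0.2031 kg/cm2, which is the limit the text describes.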

REFERENCES

Petrangeli, G., 1983. Transient, One-volume Calculations for a PWR Equipped with a Core Rescue System (SSN). RT/DISP(83)2, ENEA - DISP, Roma, Italy.
Petrangeli, G., Tononi, R., D’Auria, F., Mazzini, M., 1993. The SSN: an emergency system based on intentional coolant depressurization for PWRs. Nucl. Eng. Des. 143, 25-54.
Santarossa, G., et al., 1976. Raccolta di formulazioni delle proprietà termodinamiche e del trasporto dell’acqua. Rapporto interno SATN-1-76, DISP/CENTR Servizio Analisi Termoidraulica e Neutronica, Enea/Disp, Roma, Italy.
Tong, L.S., 1982. Some design issues for future LWRs. Notes for a seminar, January.

APPENDIX 12 THE ATMOSPHERIC DISPERSION OF RELEASES

This appendix describes four simple programs for calculating the atmospheric dispersion of releases on the basis of the formulae of Chapter 6, The Dispersion of Radioactivity Releases. As noted at the beginning of Appendix 2, for historical reasons some of the measurement units do not belong to the SI system.

• Program DR1 is for an instantaneous radioactivity release and calculates the cloud concentration, χ (Ci s/m3), and the ground concentration, Ct (Ci/m2), in a ground position chosen downwind from the release point.
• Program DR2 calculates the cloud concentration, χ (Ci s/m2), for a continuous release.
• Programs DR1FUM and DR2FUM, respectively, perform the same calculations for the fumigation case.

The programs are written in Visual Basic for Applications (VBA) for execution in Microsoft Excel. They can be downloaded from the Mendeley website (Files: DISPERSION1, DISPERSION2, FUMIGATION1, FUMIGATION2).

Program DR1

Sub DR1()  ' Sub line restored; macro name assumed from the program name
    Dim x As Double
    Dim y As Double
    Dim u As Double
    Dim h As Double
    Dim Q As Double
    x = Log(Range("b6")) / Log(10)
    y = Range("b9")
    u = Range("b5")
    h = Range("b7")
    Q = Range("b8")
    If Range("b4") = "B" Then
        lsy = 0.0027 * x ^ 3 - 0.0585 * x ^ 2 + 1.2136 * x - 1.0106
        lsz = 0.9238 * x ^ 2 - 3.5634 * x + 4.4731
        sy = 10 ^ lsy
        sz = 10 ^ lsz
        chi = (Q / (3.1415 * sy * sz * u)) * Exp(-((y ^ 2 / (2 * sy ^ 2)) + (h ^ 2 / (2 * sz ^ 2))))
        Range("b11") = chi
    Else
        If Range("b4") = "D" Then
            lsy = 0.0148 * x ^ 3 - 0.1752 * x ^ 2 + 1.5541 * x - 1.6231
            lsz = 0.0049 * x ^ 3 - 0.135 * x ^ 2 + 1.4082 * x - 1.6325
            sy = 10 ^ lsy
            sz = 10 ^ lsz
            chi = (Q / (3.1415 * sy * sz * u)) * Exp(-((y ^ 2 / (2 * sy ^ 2)) + (h ^ 2 / (2 * sz ^ 2))))
            Range("b11") = chi
        Else
            If Range("b4") = "F" Then
                lsy = 0.0044 * x ^ 3 - 0.0713 * x ^ 2 + 1.2271 * x - 1.6022
                lsz = 0.0011 * x ^ 3 - 0.144 * x ^ 2 + 1.5033 * x - 2.0967
                sy = 10 ^ lsy
                sz = 10 ^ lsz
                chi = (Q / (3.1415 * sy * sz * u)) * Exp(-((y ^ 2 / (2 * sy ^ 2)) + (h ^ 2 / (2 * sz ^ 2))))
                Range("b12") = chi
            End If
        End If
    End If
End Sub

The Microsoft Excel cells for the input data and output results are (examples):

Input data:
Category = D  (Pasquill category B, D, or F)
Wind (m/s) = 1  (average wind speed in x direction)
Distance (m) = 2500  (distance from the point chosen on the ground)
Release height (m) = 100  (height at which release occurs)
Release activity (Ci) = 1  (activity released)
Lateral distance, y (m) = 0  (lateral distance of chosen point from plume axis)
Deposition vel. (m/s) = 0.01  (deposition velocity of particles)

Results:
χ (Ci/sm3) = 8.31155E-06  (cloud concentration at the chosen point)
Ct (Ci/m2) = 8.31155E-08  (ground concentration at the chosen point)

Program DR2

Sub DR2()  ' Sub line restored; macro name assumed from the program name
    Dim x As Double
    Dim y As Double
    Dim u As Double
    Dim h As Double
    Dim Q As Double
    x = Log(Range("b6")) / Log(10)
    y = Range("b9")
    u = Range("b5")
    h = Range("b7")
    Q = Range("b8")
    If Range("b4") = "B" Then
        lsy = 0.0027 * x ^ 3 - 0.0585 * x ^ 2 + 1.2136 * x - 1.0106
        lsz = 0.9238 * x ^ 2 - 3.5634 * x + 4.4731
        sy = 10 ^ lsy
        sz = 10 ^ lsz
        chi = (Q / (3.1415 * sy * sz * u)) * Exp(-((y ^ 2 / (2 * sy ^ 2)) + (h ^ 2 / (2 * sz ^ 2))))
        Range("b11") = chi
    Else
        If Range("b4") = "D" Then
            lsy = 0.0148 * x ^ 3 - 0.1752 * x ^ 2 + 1.5541 * x - 1.6231
            lsz = 0.0049 * x ^ 3 - 0.135 * x ^ 2 + 1.4082 * x - 1.6325
            sy = 10 ^ lsy
            sz = 10 ^ lsz
            chi = (Q / (3.1415 * sy * sz * u)) * Exp(-((y ^ 2 / (2 * sy ^ 2)) + (h ^ 2 / (2 * sz ^ 2))))
            Range("b11") = chi
        Else
            If Range("b4") = "F" Then
                lsy = 0.0044 * x ^ 3 - 0.0713 * x ^ 2 + 1.2271 * x - 1.6022
                lsz = 0.0011 * x ^ 3 - 0.144 * x ^ 2 + 1.5033 * x - 2.0967
                sy = 10 ^ lsy
                sz = 10 ^ lsz
                chi = (Q / (3.1415 * sy * sz * u)) * Exp(-((y ^ 2 / (2 * sy ^ 2)) + (h ^ 2 / (2 * sz ^ 2))))
                Range("b11") = chi
            End If
        End If
    End If
End Sub

The Microsoft Excel cells for the input data and output results are (example):

Input data:
Category = D  (Pasquill category B, D, or F)
Wind (m/s) = 1  (average wind speed in x direction)
Distance (m) = 600  (distance from the point chosen on the ground)
Release height (m) = 30  [height at which release occurs (stack)]
Release activity (Ci/s) = 1  (activity released per second)
Lateral distance, y (m) = 0  (lateral distance of chosen point from plume axis)

Results:
χ (Ci/m3) = 0.000125151  (cloud concentration at the chosen point)


Program DR1FUM

Sub DR1FUM()  ' Sub line restored; macro name assumed from the program name
    Dim x As Double
    Dim y As Double
    Dim u As Double
    Dim hi As Double
    Dim Q As Double
    Dim sy As Double
    x = Log(Range("b6")) / Log(10)
    y = Range("b8")
    u = Range("b5")
    hi = Range("b10")
    Q = Range("b7")
    If Range("b4") = "B" Then
        lsy = 0.0027 * x ^ 3 - 0.0585 * x ^ 2 + 1.2136 * x - 1.0106
        sy = 10 ^ lsy
        chi = (Q / ((2 * 3.1415) ^ 0.5 * sy * hi * u)) * Exp(-((y ^ 2 / (2 * sy ^ 2))))
        Range("b12") = chi
    Else
        If Range("b4") = "D" Then
            lsy = 0.0148 * x ^ 3 - 0.1752 * x ^ 2 + 1.5541 * x - 1.6231
            sy = 10 ^ lsy
            chi = (Q / ((2 * 3.1415) ^ 0.5 * sy * hi * u)) * Exp(-((y ^ 2 / (2 * sy ^ 2))))
            Range("b12") = chi
        Else
            If Range("b4") = "F" Then
                lsy = 0.0044 * x ^ 3 - 0.0713 * x ^ 2 + 1.2271 * x - 1.6022
                sy = 10 ^ lsy
                chi = (Q / ((2 * 3.1415) ^ 0.5 * sy * hi * u)) * Exp(-((y ^ 2 / (2 * sy ^ 2))))
                Range("b12") = chi
            End If
        End If
    End If
End Sub

The Microsoft Excel cells for the input data and output results are (example):

Input data:
Category = F  (Pasquill category B, D, or F for space below inversion height)
Wind (m/s) = 1  (average wind speed in x direction)
Distance (m) = 1500  (distance from the point chosen on the ground)
Release activity (Ci) = 1  (activity released per second)
Lateral distance, y (m) = 0  (lateral distance of chosen point from plume axis)
Deposition vel. (m/s) = 0.01  (deposition velocity of particles)
Inversion height (m) = 100  (inversion height)

Results:
χ (Ci s/m3) = 7.65607E-05  (cloud concentration at the chosen point)
Ct (Ci/m2) = 7.65607E-07  (ground concentration at the chosen point)

Program DR2FUM

Sub DR2FUM()  ' Sub line restored; macro name assumed from the program name
    Dim x As Double
    Dim y As Double
    Dim u As Double
    Dim hi As Double
    Dim Q As Double
    Dim sy As Double
    x = Log(Range("b6")) / Log(10)
    y = Range("b8")
    u = Range("b5")
    hi = Range("b9")
    Q = Range("b7")
    If Range("b4") = "B" Then
        lsy = 0.0027 * x ^ 3 - 0.0585 * x ^ 2 + 1.2136 * x - 1.0106
        sy = 10 ^ lsy
        chi = (Q / ((2 * 3.1415) ^ 0.5 * sy * hi * u)) * Exp(-((y ^ 2 / (2 * sy ^ 2))))
        Range("b11") = chi
    Else
        If Range("b4") = "D" Then
            lsy = 0.0148 * x ^ 3 - 0.1752 * x ^ 2 + 1.5541 * x - 1.6231
            sy = 10 ^ lsy
            chi = (Q / ((2 * 3.1415) ^ 0.5 * sy * hi * u)) * Exp(-((y ^ 2 / (2 * sy ^ 2))))
            Range("b11") = chi
        Else
            If Range("b4") = "F" Then
                lsy = 0.0044 * x ^ 3 - 0.0713 * x ^ 2 + 1.2271 * x - 1.6022
                sy = 10 ^ lsy
                chi = (Q / ((2 * 3.1415) ^ 0.5 * sy * hi * u)) * Exp(-((y ^ 2 / (2 * sy ^ 2))))
                Range("b11") = chi
            End If
        End If
    End If
End Sub


The Microsoft Excel cells for the input data and output results are (example):

Input data:
Category = D  (Pasquill category B, D, or F for space below inversion height)
Wind (m/s) = 1  (average wind speed in x direction)
Distance (m) = 1500  (distance from the point chosen on the ground)
Release activity (Ci/s) = 1  (activity released per second)
Lateral distance, y (m) = 0  (lateral distance of chosen point from plume axis)
Inversion height (m) = 100  (inversion height)

Results:
χ (Ci/m3) = 3.81255E-05  (cloud concentration at the chosen point)
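The four listings share the same fitted dispersion coefficients and, as written, leave the result cell unchanged when the category is not B, D or F, so a stale value can be read as a new result. The Python port below is an added example, not the book's code: it keeps the coefficients and the truncated 3.1415 of the listings, rejects invalid inputs explicitly, and compares its output with the four sample results printed in this appendix. The function names are assumptions, and Ct is taken as χ times the deposition velocity, which is what the printed DR1 and DR1FUM results imply.

```python
import math

PI = 3.1415  # truncated value used in the VBA listings, kept so results match

# log10(sigma) as a cubic in log10(distance in m); coefficients for
# x^3, x^2, x^1, x^0 copied from the listings. Category B sigma_z is a
# quadratic in the listings, so its cubic coefficient is 0.
LOG_SIGMA_Y = {
    "B": (0.0027, -0.0585, 1.2136, -1.0106),
    "D": (0.0148, -0.1752, 1.5541, -1.6231),
    "F": (0.0044, -0.0713, 1.2271, -1.6022),
}
LOG_SIGMA_Z = {
    "B": (0.0, 0.9238, -3.5634, 4.4731),
    "D": (0.0049, -0.135, 1.4082, -1.6325),
    "F": (0.0011, -0.144, 1.5033, -2.0967),
}


def _require(condition, message):
    if not condition:
        raise ValueError(message)


def _category(category):
    """Normalise the Pasquill category and reject anything but B, D, F."""
    key = str(category).strip().upper()
    _require(key in LOG_SIGMA_Y, f"Pasquill category must be B, D or F, got {category!r}")
    return key


def sigma(table, category, distance_m):
    """Dispersion coefficient (m) from the polynomial fit of the listings."""
    _require(distance_m > 0, "distance must be > 0 m (its log10 is taken)")
    x = math.log10(distance_m)
    a3, a2, a1, a0 = table[_category(category)]
    return 10.0 ** (a3 * x**3 + a2 * x**2 + a1 * x + a0)


def plume(category, wind, distance_m, height_m, release, lateral_m=0.0):
    """DR1/DR2 formula: ground-level cloud concentration for a raised release."""
    _require(wind > 0, "wind speed must be > 0 m/s (it is a divisor)")
    _require(height_m >= 0 and release >= 0, "height and release must be >= 0")
    sy = sigma(LOG_SIGMA_Y, category, distance_m)
    sz = sigma(LOG_SIGMA_Z, category, distance_m)
    spread = lateral_m**2 / (2 * sy**2) + height_m**2 / (2 * sz**2)
    return release / (PI * sy * sz * wind) * math.exp(-spread)


def fumigation(category, wind, distance_m, inversion_m, release, lateral_m=0.0):
    """DR1FUM/DR2FUM formula: uniform mixing below the inversion height."""
    _require(wind > 0 and inversion_m > 0, "wind and inversion height must be > 0")
    _require(release >= 0, "release must be >= 0")
    sy = sigma(LOG_SIGMA_Y, category, distance_m)
    spread = lateral_m**2 / (2 * sy**2)
    return release / (math.sqrt(2 * PI) * sy * inversion_m * wind) * math.exp(-spread)


def ground_deposit(chi, deposition_velocity):
    """Ct inferred from the printed samples: chi times deposition velocity."""
    _require(deposition_velocity >= 0, "deposition velocity must be >= 0")
    return chi * deposition_velocity


def check_against_printed_results():
    """Return (program, computed, printed, relative difference) per sample."""
    cases = [
        ("DR1", plume("D", 1, 2500, 100, 1, 0), 8.31155e-06),
        ("DR2", plume("D", 1, 600, 30, 1, 0), 0.000125151),
        ("DR1FUM", fumigation("F", 1, 1500, 100, 1, 0), 7.65607e-05),
        ("DR2FUM", fumigation("D", 1, 1500, 100, 1, 0), 3.81255e-05),
    ]
    return [(name, got, printed, abs(got / printed - 1.0)) for name, got, printed in cases]


if __name__ == "__main__":
    for name, got, printed, rel in check_against_printed_results():
        print(f"{name:7s} computed={got:.6e} printed={printed:.6e} rel.diff={rel:.1e}")
```

Agreement with all four printed results also confirms the operators restored in the listings above.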

APPENDIX 13 REGULATORY FRAMEWORK AND SAFETY DOCUMENTS

A13.1 REGULATORY FRAMEWORK

A legal framework has to be established that provides for the regulation of nuclear activities and for the clear assignment of safety responsibilities. Legislative institutions should produce laws which assign the prime responsibility for safety to the operating organization and establish a regulatory body responsible for a system of licensing, for the regulatory control of nuclear activities and for enforcing the relevant regulations.

It is also very useful, although not done everywhere, for the legislative power of a country to define in general terms the safety level which nuclear installations should achieve in order to give the industrial organizations and the regulatory body general guidance in their activities. For example, the classes of nuclear installations, the orders of magnitude of the amount and the probability of the maximum accident release or consequences should be established at the top of the people’s representation structure, with a balanced view of the risks and benefits to society.

The prime responsibility for the safety of the installation rests with the operating organization. It is responsible for establishing its safety criteria (which should be approved by the regulatory body) and for the compliance of the design, construction, and operation of the installation with them and with relevant safety standards. Procedures and arrangements for the safe control of the installation under all conditions should also be established, together with arrangements for the maintenance of a competent and fully trained staff and for the control of fissile and radioactive materials utilized or generated.

It is the responsibility of the regulatory body to set the detailed safety objectives and standards and to monitor and enforce them. Effective independence of the regulatory body from organizations that promote nuclear activities should be in place in order to ensure the absence of undue pressures from competing interests. An important function of the regulatory body is to communicate to the public any information concerning safety and in particular its regulatory decisions and opinions.

In many cases, the regulatory body is supported by a dedicated technical support organization (TSO) which performs technical analyses and studies. These are used in reviews and in other activities by the regulatory body. The personnel of the two organizations may range from several tens of people to a few thousand people according to the size of the nuclear program and the activities entrusted to the body itself. Usually the regulatory body has access to confirmatory research, which gives it a direct way to obtain the supporting technical information necessary for well-founded regulatory activity. A review of existing regulatory frameworks for various countries is included in OECD (1991).


A13.2 SAFETY DOCUMENTS

The principal documents concerning plant safety vary according to the specific requirements of each country; however, some conceptual generalizations, accepted everywhere, can be made. The following documentation will be briefly discussed:

• The safety report (SR).
• The probabilistic safety evaluation (PRA or PSA).
• The environmental impact assessment (EIA).
• The external emergency plan (EEP).
• The operation manual, including the emergency procedures (EP).
• The operation organization document.
• The preoperational test program.
• The technical specifications (TS) for operation.
• The periodic safety reviews.

Other documents result from inspection activities on plant construction and operation.

A13.2.1 THE SAFETY REPORT

The SR is the principal document for the demonstration that the design and the construction of a nuclear plant on a specific site are such that it can be operated without undue risk to the workers and the public. Here the assumption is made that the SR contains the treatment of both the aspects relevant to the site and those concerning the plant (description and analysis). It must be noted, however, that in various regulatory systems, the two issues are dealt with in separate documents. It is easy to understand that this subdivision shortens the time for site selection and for preparatory work on it; however, the acceptability of a site also depends on the characteristics of the plant to be installed on it. The problem is easily solved for proven plants. In other cases, various parts of the information on the plant safety characteristics must be presented in advance and inserted in the part of the SR devoted to the site. In case of separation and of advanced presentation of the part of the report relevant to the site, it will be in any case necessary to link the approval of the site to the compliance with some reasonably assumed plant characteristics.

The SR is a ‘living’ document which evolves and changes with time. The principal factors of this change are the progression of the detailed design, the design modifications decided during the construction and the operation of the plant and the needs for adjustments due to the progress of safety knowledge. It should also be noted that, for the demonstration of the plant safety, more detailed information concerning both design and analyses than is usually included in the SR is also necessary. The corresponding documents are termed ‘support documents’ (following the IAEA (1979) nomenclature). In some regulatory systems (e.g., in the Italian one) these supporting documents take the form of detailed design reports which have to be submitted, for approval, to the national control body.

Usually, the principal stages of the SR are

• the preliminary SR: to be submitted before the site approval and the plant construction permit; and
• the final SR: to be submitted before fuel loading.


While the preliminary SR describes many plant data at the level of initial solutions and plans, the final SR shows the plant “as built” (in its final form) as a result of the design, validation and modification activities. The content of the SR may, for simplicity, be subdivided in the following five parts:

• Site
• Quality assurance
• Criteria and standards
• Design
• Nuclear safety and radiation protection analysis.

The needs of radiation protection and of containment and mitigation of the effluents must permeate all the content of the SR and therefore are not indicated as separate parts of the SR. It is strongly advised that one or more radiation protection design experts are part of the design organization. In addition to the systems specifically devoted to radiation protection tasks, some design aspects must be the subject of complete evaluation, such as the following: the general and detailed plant layout; the space available for operation, inspection and maintenance tasks; the choice of materials; system specifications and component specifications and location.

Other issues which may be part of the SR or be the subject of separate documents, are

• organization for preoperational tests and operation;
• preoperational test program;
• operational limits, operation conditions and procedures;
• emergency plans;
• decommissioning schemes;
• physical protection.

The objectives of the SR information on the site are

• assessment of the feasibility of a safe plant on the site;
• definition of the site parameters necessary to plant design (external events and so on);
• evaluation of the possible impact of the plant operation on the surrounding population and environment.

These three objectives must be followed keeping in mind both the normal operating conditions and the exceptional and accidental ones. A sample list of the contents of a SR is given in the NRC Regulatory Guide 1.70 Rev3 (USNRC, 1978). What has to be underlined is that, in the light of experience, many unfavorable characteristics of a site cannot be corrected by design provisions. In other words, various site exclusion criteria exist (an example is included in Appendix 16).

A principal section of a SR should be devoted to the description of the quality assurance programs of the plant owner and of its contractors during the design, construction, testing, and operation of the plant. The methods for the implementation of the quality assurance functions should also be described.

The section of the SR devoted to criteria and standards is particularly important. All the standards to be adopted for the plant should be listed, which usually can be divided into three levels of generality: the general criteria (general safety and radiation protection objectives and functional system objectives) and general applicable country laws (health protection limits, fire protection laws, etc.), the guides at the level of system and component (e.g., the NRC Regulatory Guides and the standard review plan) which usually are not compulsory but simply indicate an acceptable way of proceeding, and, finally, the technical standards for components (ASME III Code for Pressure Components, etc.). It is important to note that all the standards (and particularly those concerning components) evolve with time and that, therefore, the specific issue used has to be indicated.

How does one proceed if a standard changes during the design? This problem, typically the result of revisions (every five or ten years) of the safety of operating plants, is usually tackled and solved as follows:

• If the revision is due to formal improvements and no new safety problem is involved as a consequence of the progress in knowledge, then no special analysis or modification is necessary.
• If the revision is intended to solve some new safety problem, then:
  - additional, more precise analyses are performed in order to demonstrate, possibly, that the existing design which followed the old standard is still acceptable in the light of the new knowledge;
  - modifications to operation parameters or rules are introduced, if possible, in order to compensate for the ‘inadequacy’ of the standards adopted for the design;
  - if any other action is inadequate, plant modifications have to be made in order to take account of the new knowledge.

The part of the SR devoted to the description of the design should offer a concise yet complete description of the entire plant. It should allow the reviewers:

• to obtain an overall view of the systems and structures of the plant, as far as their characteristics and integrated functioning are concerned, both in normal and in transient and accident conditions, including the possibility of external, natural and unnatural, events;
• to understand and evaluate the design solutions and the main operational limits adopted to satisfy the reference criteria and the safety and protection standards.

In particular, special problems caused by specific site characteristics should be described and discussed. Similarly, possible plant design aspects should be described which have not yet been satisfactorily solved, together with the possible research and development programs aimed at the identification of a satisfactory solution. A comparison table, moreover, should be supplied showing plant data and corresponding data of other similar recent plants, with the indication of the condition of the other plants (degree of completion and authorization, operational situation, etc.).

In general terms, the objective of safety analysis (SA) is to demonstrate that the plant design and its operating procedures (together with well-trained personnel) ensure a high level of protection of the population and workers in case of malfunctions, human errors or assumed external events. Therefore, the content of the SA is a set of dynamic studies of the most significant transients and accidents, giving an evaluation of their consequences on the plant and on the outside environment. The SA must offer a clear picture of the integrated behavior of the plant in fault conditions. The integrity and the behavior of the barriers between the radioactive substances and the environment are the main concern of the plant response evaluation. The information supplied by the SA, together with the information contained in the balance of the SR, should be sufficient to convince reviewers that the plant design is acceptable from a safety and radiation protection point of view, at the authorization stage to which the SR applies. The SA is usually structured as follows:

• The initiating events (which in general descend from the general design criteria), usually subdivided into a certain number (often four) of operation conditions.
• The acceptance criteria and the design methods, usually contained in the general criteria and in the system component guides.
• The analyses and the conclusions.

On the basis of past experiences (see Appendix 17), it is recommended that particular attention is given to the length in (real) time for which the transients and accidents are calculated. These parameters can be established tentatively beforehand, but they can be defined only after calculation as they can indicate the presence of situations which may confuse the operators. Moreover, in the evaluations, it should be ensured that sufficient time exists to allow for the correct intervention of the operators, up to the attainment of perfectly stabilized plant conditions.

A13.2.2 THE PROBABILISTIC SAFETY ASSESSMENT

The PSA is now a companion of the SR for every new plant. In fact, after some initial doubts, it is now recognized as a valid knowledge and evaluation tool for a plant and also as valid help in the design and operation of it (see Chapter 11: Safety Analysis). It is understood, then, that PSA must be developed in parallel with the design, initially making many working assumptions on the features of the plant as it will be at the end. IAEA requirements demand that a summary of the plant PSA is included in the SR. The PSA, used in this way, can be limited to level 1 or 2, that is, at the first core damage or at the releases from the containment, respectively. A complete risk analysis (PRA), performed, for example, to verify the compliance of the plant with preselected risk objectives, must also include level 3, that is, the probabilistic evaluation of the accident consequences. Further discussion on PSA strong and weak points can be found in Section 18.6, together with some ideas for overcoming the difficulties which a probabilistic analysis cannot, by its nature, resolve.

A13.2.3 THE ENVIRONMENTAL IMPACT ASSESSMENT

The EIA is now compulsory nearly everywhere. It follows official channels that are usually different from those of the safety evaluation and health protection. Many issues, however, of the two processes coincide and it is useful if the two analyses proceed in parallel. The EIA commences with the initial strategic planning of the works. During the development of the two processes (nuclear safety and environmental impact) information exchange should take place between the authorities responsible, for example, by a mutual participation of observers in the commission meetings and in working groups.


A13.2.4 THE EXTERNAL EMERGENCY PLAN

Before fuel loading, an EEP must be operative as a part of the Defense in Depth (see Chapter 9: Defense in Depth). To this end, usually, a dedicated issue of the safety evaluation is prepared, containing the technical basis for the EEP.

A13.2.5 THE OPERATION MANUAL, INCLUDING THE EMERGENCY PROCEDURES

The operation manual, which includes the EP and the internal emergency plan, must be available before any operation with nuclear fuel. It is important that the EP includes, in order to prevent severe accidents, the procedures based on the analysis of the plant states (symptom oriented) as well as the more traditional ones based on the analysis of specific accident sequences (event oriented). In the symptom-based approach, operator actions result from the monitoring of plant symptoms rather than from the identification of the details of the event taking place. For example, the operator responds to the symptom of loss of primary water inventory as opposed to the specific event of a loss of coolant accident. The need for this kind of procedure was indicated by the Three Mile Island accident where the operators were confronted with a confusing situation (see Appendix 17) and were not able to identify in a timely manner the precise event taking place. Subsequently, it was confirmed that it was possible to develop emergency procedures on the basis of the damaging symptoms of the event rather than of the origin of the event and its consequences. The two concepts partly overlap, but by following the symptom-based approach it is not necessary to lose precious time in identifying, by a process of selection and elimination, the event origin and features.

In general, some critical safety functions are identified (attainment of subcriticality, availability of coolant in the core, availability of an efficient containment function) and the operator action is to identify which critical safety function is not available to the desired degree and to try, with the support of the emergency symptom-based procedures, to restore the function itself. The difference between event-based procedures and symptom-based procedures is the possibility of quickly diagnosing the plant accident situation. If this diagnosis can be made, then the event-based procedures are followed. If it cannot, then the symptom-based procedures are used. It is apparent from the preceding sentences that both sets of procedures are intended to be used in any nuclear plant.

The process of developing modern procedures is still ongoing on many plants and it takes a remarkable effort. Some plants decide to have a dedicated procedure development group of experts. Some other plants carry out procedure development with other work groups, such as operations staff or operational experience feedback staff, as a part time responsibility. In any case, a plant procedures group ensures an efficient and effective method for development, distribution and revision of plant procedures, resulting in lower cost and more uniform quality. Close cooperation between the procedures group and the technical departments on a plant is essential.

Symptom-based procedures require the NPP to complete a significant amount of site-specific thermal-hydraulic analyses of bounding scenarios. These analyses ensure that a generic set of operator actions for loss of each critical safety function are sufficient to mitigate the most severe challenge to that critical safety function. Owners groups may share the same package of procedures but the EPs and the supporting thermal-hydraulic analyses are plant specific.

In recent years it has been determined that a potential for external release of radioactive products not only exists while the plant is operating at power but also when it is in a low power or shutdown condition. EPs, therefore, have been expanded in order to cover situations where the reactor cooling system may be depressurized and the vessel head removed. Due to the specific requirements of certain plant configurations that may exist during shutdown, together with the reduced level of automatic protection, many of these procedures are specific to these plant conditions and initiating events and thus are very event specific.

It has also been recognized that the operator needs additional guidance for those conditions beyond the design basis accidents where core damage exists or is imminent. Hence the evolution of severe accident management guidelines (SAMGs). Due to the wide variety of conditions that may exist, these guidelines have been written in a symptom-based format. Symptom-based, event-based, and integrated (a combination of the two) approaches to emergency operating procedures exist.

Verification and validation of procedures are two very important elements in the procedures development work. Verification is defined as the process of determining if a procedure is administratively and technically correct. Validation is the process of evaluating procedures to ensure that they are usable and they will function as intended. These two processes should be performed using a graded approach, that is, devoting more effort where the consequences of some inadequacy are more serious. Administrative procedures such as record keeping verification and validation can be accomplished through a tabletop review. For emergency operating procedures, verification may include checking the technical information against design documents while validation might include the use of mock-ups of the plant and a full-scope control room simulator, as well as direct use of the plant. Checklists are available for verification and validation (IAEA, 1998). It is highly recommended that the plant designer participates in the procedure preparation and review phases.

A13.2.6 OPERATION ORGANIZATION DOCUMENT

The operation organization document describes the functions, responsibilities, and mutual relationships of the plant personnel. The adequacy of its contents directly affects the adequacy of the human element to which the plant is entrusted. Great weight should be placed on this document as its content gives a measure of the attention given to the human factors of safety. The operation organization document should include training and personal/professional development issues.

A13.2.7 THE PREOPERATIONAL TEST PROGRAM

The initial test program concerns a particularly delicate phase in the plant life, in which possible design or construction deficiencies usually come into the open. The test program comprises two phases: nonnuclear (before fuel loading) and nuclear. The tests are often termed “preoperational” and “nuclear,” respectively. In the preoperational tests, components and systems are tested. Integrated tests of several interacting systems are performed too. Therefore, the functional consistency of the systems with the design is verified, as well as the absence of vibrations, normal operation in general, the normal expansion and contraction of systems while they heat up and cool down, etc. It is very desirable that operating personnel directly take part in the preoperational tests, together with the representatives of the contractors, in order to get used to the plant components.

It is not usually considered necessary that the preoperational tests program is explicitly approved by the safety control body; its contents, time schedule, and results are, however, communicated to it in a timely manner. On the other hand, the nuclear tests program must have prior approval because it must fully demonstrate the safety characteristics of the plant and because, while it is being carried out, the risk of accidents involving radioactive products starts. However, not all conceivable tests can be performed, as some of them would be detrimental to systems and components and therefore dangerous in view of the subsequent life of the plant (e.g., the capability of a safety injection system to introduce cold water at full flow in an operating plant will never be tested because the water injected would cause an unacceptable thermal transient on structures and components). In these cases, partial yet demonstrative tests are performed.

As far as the contents of a test program are concerned, specific documents should be consulted (Petrangeli, 1985). Here it is sufficient to say that it is very important that the procedure of any single test includes a clear specification of the acceptance limits of the test, in order to avoid long and costly discussions between the organization responsible for the tests and the safety control body during the performance of the tests themselves. The test period, in fact, is a particularly delicate phase in the life of the plant, both for the intrinsic difficulties of the tuning of the plant and for the huge organization necessary for all the tests and the measures to be performed. The nature of the “final exam” also leads to high psychological tension. Therefore, any unnecessary disturbance or delay must be avoided. It is often convenient to specify three levels of acceptability of each test:

• acceptance;
• acceptance after review by the designer without test program stoppage;
• nonacceptance.

As far as possible, the tests should comply with normal operating procedures. The tests are a good opportunity to test the procedures too, and to amend them if necessary. On the basis of practical experience, at least nine months are necessary for the preoperational tests and at least three months for the nuclear tests. Causes of delay, sometimes trivial, may always intervene, thus extending the time required. Often a great deal of time is lost because of defective pipe support anchorages, pipe vibrations, and fluid leakages from systems and from buildings.

A13.2.8 THE TECHNICAL SPECIFICATIONS FOR OPERATION

The objective of the TS is to define conditions and limits for the operation of the plant, compatible with its safety, and to define the specifications and the programs for periodic surveillance of the various parts of the plant. The operational limits concern plant parameters such as pressures, temperatures, and the minimum availability of systems and components for the various operating modes (full power, cold shutdown, and so on). Particularly important is an initial part of the TS devoted to definitions. An example of a particularly delicate definition is the one concerning the word “operable”: one of the most common within the TS! The TS text, with the aid of the initial definitions, must be clear and unmistakable. In fact the TS are the first support of the plant operators for fundamental decisions, such as the continuation of operation at power in the presence of irregular plant situations. Frequently, little time for discussions and interpretation is available when decisions of this kind have to be taken. The probabilistic plant analysis offers a rational basis for decisions concerning the TS, either for the choice of operating limits or for the intervals between tests and inspections of parts of the plant (periodic surveillance). The TS must be available before fuel loading.

A13.2.9 THE PERIODIC SAFETY REVIEWS

Operating personnel must pay continuous attention to plant safety and conduct periodic reviews in order to improve the plant and its operating procedures as a result of research and of operating experience of similar plants. An operating licence usually requires revision every 10 years. As already mentioned in Section A13.2.1 in connection with criteria and standards, the case may occur that new knowledge or new standards may generate doubts about the consistency of the criteria and about the adequacy of the plant or its procedures. In that section it was noted that the situation has to be primarily assessed to see if the discrepancy is formal or substantial in nature. Even in the latter case, various degrees of action are available, such as a more refined analysis, modifications to limits and operating procedures and, finally, plant improvements.

REFERENCES

IAEA, 1979. Information to be Submitted in Support of Licensing Applications for Nuclear Power Plants. IAEA Safety Series 50-SG-G2, Vienna.
IAEA, 1998. Good Practices with Respect to the Development and Use of Nuclear Power Plant Procedures. TECDOC 1058, IAEA, Vienna.
OECD, 1991. Licensing Systems and Inspection of Nuclear Installations. OECD, Nuclear Energy Agency, Paris.
Petrangeli, G., 1985. Licensing Procedures: Parts I-III. CEE Training Seminar on PWR Safety, Cairo, Nov-Dec.
USNRC, 1978. Standard Format and Content of Safety Analysis Reports for Nuclear Power Plants: LWR Edition. Regulatory Guide 1.70, Rev. 3, November.

APPENDIX 14 USNRC REGULATORY GUIDES AND STANDARD REVIEW PLAN

This Appendix gives an example of a USNRC Regulatory Guide and a chapter of the Standard Review Plan to provide useful reference technical information and data. The numbering system and cross-references of the original documents are retained. All illustrations in the original documents have been removed.

A14.1 EXTRACTS FROM A REGULATORY GUIDE

REGULATORY GUIDE 1.3

Assumptions used for evaluating the potential radiological consequences of a loss of coolant accident for boiling water reactors.

A. INTRODUCTION

Section 50.34 of 10 CFR Part 50 requires that each applicant for a construction permit or operating license provide an analysis and evaluation of the design and performance of structures, systems, and components of the facility with the objective of assessing the risk to public health and safety resulting from operation of the facility. The design basis loss of coolant accident (LOCA) is one of the postulated accidents used to evaluate the adequacy of these structures, systems, and components with respect to the public health and safety. This guide gives acceptable assumptions that may be used in evaluating the radiological consequences of this accident for a boiling water reactor. In some cases, unusual site characteristics, plant design features, or other factors may require different assumptions which will be considered on an individual case basis. The Advisory Committee on Reactor Safeguards has been consulted concerning this guide and has concurred in the regulatory position.

B. DISCUSSION

[. . .] within the guidelines of 10 CFR Part 100. (During the construction permit review, guideline exposures of 20 rem whole body and 150 rem thyroid should be used rather than the values given in §100.11 in order to allow for (a) uncertainties in final design details and meteorology or (b) new data and calculational techniques that might influence the final design of engineered safety features or the dose reduction factors allowed for these features.)

C. REGULATORY POSITION

(1) The assumptions related to the release of radioactive material from the fuel and containment are as follows:
(a) Twenty-five percent of the equilibrium radioactive iodine inventory developed from maximum full power operation of the core should be assumed to be immediately available for leakage from the primary reactor containment. Ninety-one percent of this 25 percent is to be assumed to be in the form of elemental iodine, 5 percent of this 25 percent in the form of particulate iodine, and 4 percent of this 25 percent in the form of organic iodides.
(b) One hundred percent of the equilibrium radioactive noble gas inventory developed from maximum full power operation of the core should be assumed to be immediately available for leakage from the reactor containment.
(c) The effects of radiological decay during holdup in the containment or other buildings should be taken into account.
(d) The reduction in the amount of radioactive material available for leakage to the environment by containment sprays, recirculating filter systems, or other engineered safety features may be taken into account, but the amount of reduction in concentration of radioactive materials should be evaluated on an individual case basis.
(e) The primary containment should be assumed to leak at the leak rate incorporated or to be incorporated in the technical specifications for the duration of the accident. The leakage should be assumed to pass directly to the emergency exhaust system without mixing in the surrounding reactor building atmosphere and should then be assumed to be released as an elevated plume for those facilities with stacks.
(f) No credit should be given for retention of iodine in the suppression pool.

(2) Acceptable assumptions for atmospheric diffusion and dose conversion are:
(a) Elevated releases should be considered to be at the height equal to no more than the actual stack height. Certain site dependent conditions may exist, such as surrounding elevated topography or nearby structures which will have the effect of reducing the actual stack height. The degree of stack height reduction should be evaluated on an individual case basis.
Also, special meteorological and geographical conditions may exist which can contribute to greater ground level concentrations in the immediate neighborhood of a stack. For example, fumigation should always be assumed to occur; however, the length of time that a fumigation condition exists is strongly dependent on geographical and seasonal factors and should be evaluated on a case-by-case basis. [. . .]
(b) No correction should be made for depletion of the effluent plume of radioactive iodine due to deposition on the ground, or for the radiological decay of iodine in transit.
(c) For the first 8 hours, the breathing rate of persons offsite should be assumed to be $3.47 \times 10^{-4}$ cubic meters per second. From 8 to 24 hours following the accident, the breathing rate should be assumed to be $1.75 \times 10^{-4}$ cubic meters per second. After that until the end of the accident, the rate should be assumed to be $2.32 \times 10^{-4}$ cubic meters per second. (These values were developed from the average daily breathing rate [$2 \times 10^{7}$ cm$^3$ day$^{-1}$] assumed in the report of ICRP, Committee II-1959.)
(d) The iodine dose conversion factors are given in ICRP publication 2, Report of Committee II, “Permissible Dose for Internal Radiation,” 1959.
(e) External whole body dose should be calculated using “Infinite Cloud” assumptions, i.e., the dimensions of the cloud are assumed to be large compared to the distance that the gamma rays and beta particles travel. “Such a cloud would be considered an infinite cloud for a receptor at the center because any additional [gamma and] beta emitting material beyond the cloud dimensions would not alter the flux of (gamma rays and) beta particles to the receptor” (Meteorology and Atomic Energy, Section 7.4.1.1; editorial additions made so that gamma and beta emitting material could be considered). Under these conditions the rate of energy absorption per unit volume is equal to the rate of energy released per unit volume. For an infinite uniform cloud containing $\chi$ curies of beta radioactivity per cubic meter, the beta dose in air at the cloud center is:

$${}_{\beta}D'_{\infty} = 0.457\,\bar{E}_{\beta}\,\chi \qquad \text{(A14.1)}$$

The surface body dose rate from beta emitters in the infinite cloud can be approximated as being one-half this amount. From a semi-infinite cloud, the gamma dose rate in air is given by a formula equal to Eq. (A14.1) with the coefficient 0.457 changed to 0.507; here also, for a semi-infinite cloud, the coefficient is one half.

Where:
${}_{\beta}D'_{\infty}$ = beta dose rate from an infinite cloud (rad/sec);
$\bar{E}$ = average gamma or beta energy per disintegration (MeV/dis);
$\chi$ = concentration of beta or gamma emitting isotope in the cloud (curie/m$^3$)

(f) The following specific assumptions are acceptable with respect to the radioactive cloud dose calculations:
(1) The dose at any distance from the reactor should be calculated based on the maximum concentration in the plume at that distance taking into account specific meteorological, topographical, and other characteristics which may affect the maximum plume concentration. These site related characteristics must be evaluated on an individual case basis. In the case of beta radiation, the receptor is assumed to be exposed to an infinite cloud at the maximum ground level concentration at that distance from the reactor. In the case of gamma radiation, the receptor is assumed to be exposed to only one-half the cloud owing to the presence of the ground. The maximum cloud concentration always should be assumed to be at ground level.
(2) The appropriate average beta and gamma energies emitted per disintegration, as given in the Table of Isotopes, Sixth Edition, by C.M. Lederer, J.M. Hollander, I. Perlman; University of California, Berkeley; Lawrence Radiation Laboratory; should be used.
(g) For BWRs with stacks the atmospheric diffusion model should be as follows:
(1) The basic equation for atmospheric diffusion from an elevated release is:

$$\chi/Q = \frac{\exp\left(-h^{2}/2\sigma_z^{2}\right)}{\pi u \sigma_y \sigma_z} \qquad \text{(A14.2)}$$

Where. . .
(2) For time periods of greater than 8 hours the plume from an elevated release should be assumed to meander and spread uniformly over a 22.5° sector. The resultant equation is Eq. (A14.2) multiplied by $2.032\pi\sigma_y/u$.
(3) The atmospheric diffusion model for an elevated release as a function of the distance from the reactor, is based on the information in Table A14.1.
(h) For BWRs without stacks the atmospheric diffusion model should be as follows:
(1) The 0-8 hour ground level release concentrations may be reduced by a factor ranging from one to a maximum of three (see Figure. . .) for additional dispersion produced by the turbulent wake of the reactor building in calculating potential exposures.

Table A14.1

| Time Following Accident | Atmospheric Conditions |
|---|---|
| 0-8 hours | See Figure. . . Envelope of Pasquill diffusion categories based on Figure. . ., Meteorology and Atomic Energy-1968, assuming various stack heights; windspeed 1 meter/sec; uniform direction. |
| 8-24 hours | See Figure. . . Envelope of Pasquill diffusion categories; windspeed 1 meter/sec; variable direction within a 22.5° sector. |
| 1-4 days | See Figure. . . Envelope of Pasquill diffusion categories with the following relationship used to represent maximum plume concentrations as a function of distance: Atmospheric Condition Case 1: 40% Pasquill A, 60% Pasquill C; Atmospheric Condition Case 2: 50% Pasquill C, 50% Pasquill D; Atmospheric Condition Case 3: 33.3% Pasquill C, 33.3% Pasquill D, 33.3% Pasquill E; Atmospheric Condition Case 4: 33.3% Pasquill D, 33.3% Pasquill E, 33.3% Pasquill F; Atmospheric Condition Case 5: 50% Pasquill D, 50% Pasquill F; windspeed variable (Pasquill Types A, B, E, and F, windspeed 2 meter/sec; Pasquill Types C and D, windspeed 3 meter/sec); variable direction within a 22.5° sector. |
| 4-30 days | See Figure. . . Same diffusion relations as given above; windspeed variable dependent on Pasquill Type used; wind direction 33.3% frequency in a 22.5° sector. |

The volumetric building wake correction factor, as defined in section 3-3-5-2 of Meteorology and Atomic Energy 1968, should be used only in the 0-8 hour period; it is used with a shape factor of 1/2 and the minimum cross-sectional area of the reactor building only.
(2) The basic equation for atmospheric diffusion from a ground level point source is:

$$\chi/Q = \frac{1}{\pi \sigma_y \sigma_z} \qquad \text{(A14.3)}$$

Where. . .
(3) For time periods of greater than 8 hours the plume should be assumed to meander and spread uniformly over a 22.5° sector. The resultant equation is Eq. (A14.3) multiplied by $2.032\pi\sigma_y/u$.
(4) The atmospheric diffusion model for ground level releases is based on the information in Table A14.2.
(5) . . .

D. IMPLEMENTATION

The purpose of the revision (indicated . . .

Table A14.2

| Time Following Accident | Atmospheric Conditions |
|---|---|
| 0-8 hours | Pasquill Type F, windspeed 1 meter/sec, uniform direction |
| 8-24 hours | Pasquill Type F, windspeed 1 meter/sec, variable direction within a 22.5° sector |
| 1-4 days | (a) 40% Pasquill Type D, windspeed 3 meter/sec; (b) 60% Pasquill Type F, windspeed 2 meter/sec; (c) wind direction variable within a 22.5° sector |
| 4-30 days | (a) 33.3% Pasquill Type C, windspeed 3 meter/sec; (b) 33.3% Pasquill Type D, windspeed 3 meter/sec; (c) 33.3% Pasquill Type F, windspeed 2 meter/sec; (d) wind direction 33.3% frequency in a 22.5° sector |
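The assumptions of Regulatory Position C can be chained numerically for the first 8 hours: iodine source term, containment leakage with decay during holdup, dispersion by Eq. (A14.2), and the offsite breathing rate. This is an added example, not part of the Regulatory Guide or of the book; it assumes the usual Gaussian plume meanings for the symbols the extract leaves undefined (h release height in m, u windspeed in m/s, σy and σz dispersion coefficients in m), treats the available iodine as I-131 only, and all input values are constructed.

```python
import math

# Regulatory position C(1)(a): share of the equilibrium core iodine inventory
# assumed immediately available for leakage, and its chemical forms.
IODINE_AVAILABLE = 0.25
IODINE_FORMS = {"elemental": 0.91, "particulate": 0.05, "organic": 0.04}

# Regulatory position C(2)(c): offsite breathing rate (m^3/s) per window (hours).
BREATHING_RATES = [
    (0.0, 8.0, 3.47e-4),
    (8.0, 24.0, 1.75e-4),
    (24.0, math.inf, 2.32e-4),
]

# Physical half-life of I-131 in seconds (a constant, not taken from the page).
I131_HALF_LIFE_S = 8.02 * 86400.0


def iodine_source_term(core_inventory_ci):
    """Curies of iodine available for leakage, split by chemical form."""
    available = IODINE_AVAILABLE * core_inventory_ci
    return {form: share * available for form, share in IODINE_FORMS.items()}


def chi_over_q_elevated(h, u, sigma_y, sigma_z):
    """Eq. (A14.2): chi/Q in s/m^3 for an elevated release (h = 0 is ground level)."""
    return math.exp(-h ** 2 / (2.0 * sigma_z ** 2)) / (math.pi * u * sigma_y * sigma_z)


def breathing_rate(t_hours):
    """Breathing rate (m^3/s) that applies at t_hours after the accident."""
    for start, end, rate in BREATHING_RATES:
        if start <= t_hours < end:
            return rate
    raise ValueError("time after the accident must be non-negative")


def released_activity(available_ci, leak_per_day, t0_h, t1_h, half_life_s):
    """Curies leaked from the containment between t0_h and t1_h.

    The containment leaks at a constant fraction per day, the technical
    specification leak rate of C(1)(e). The airborne inventory is reduced by
    that leakage and by radiological decay during holdup, C(1)(c).
    """
    leak = leak_per_day / 86400.0          # 1/s
    decay = math.log(2.0) / half_life_s    # 1/s
    k = leak + decay
    t0, t1 = t0_h * 3600.0, t1_h * 3600.0
    return available_ci * leak / k * (math.exp(-k * t0) - math.exp(-k * t1))


def inhaled_activity_0_8h(core_inventory_ci, leak_per_day, h, u, sigma_y, sigma_z):
    """Curies of iodine inhaled at the receptor during the first 8 hours.

    No plume depletion and no decay in transit are credited, C(2)(b).
    """
    available = sum(iodine_source_term(core_inventory_ci).values())
    released = released_activity(available, leak_per_day, 0.0, 8.0, I131_HALF_LIFE_S)
    return released * chi_over_q_elevated(h, u, sigma_y, sigma_z) * breathing_rate(0.0)


if __name__ == "__main__":
    # Constructed inputs: 1e6 Ci iodine inventory, 0.5 %/day leak rate,
    # 50 m stack, 1 m/s wind, sigma_y = 30 m, sigma_z = 15 m at the receptor.
    for form, curies in iodine_source_term(1.0e6).items():
        print(f"{form:12s} {curies:10.0f} Ci available for leakage")
    dose_input = inhaled_activity_0_8h(1.0e6, 0.005, 50.0, 1.0, 30.0, 15.0)
    print(f"inhaled in 0-8 h: {dose_input:.3e} Ci")
```

Multiplying the inhaled activity by the iodine dose conversion factors of C(2)(d) gives the thyroid dose; those factors are not reproduced in the extract, so the example stops at the inhaled activity.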

A14.2 LIST OF CONTENTS AND EXTRACTS FROM A SAMPLE CHAPTER OF THE STANDARD REVIEW PLAN

SRP 1: List of contents

NUREG-0800
Standard Review Plan for the Review of Safety Analysis Reports for Nuclear Power Plants
LWR Edition
Draft Report for Comment

INTRODUCTION

SRP NO.

CHAPTER 1 INTRODUCTION AND GENERAL DESCRIPTION OF PLANT
1.8 Interfaces for Standard Designs

CHAPTER 2 SITE CHARACTERISTICS
2.1.1 Site Location and Description
2.1.2 Exclusion Area Authority and Control
2.1.3 Population Distribution
2.2.1-2.2.2 Identification of Potential Hazards in Site Vicinity
2.2.3 Evaluation of Potential Accidents
2.3.1 Regional Climatology
2.3.2 Local Meteorology
2.3.3 Onsite Meteorological Measurements Programs
2.3.4 Short-term Dispersion Estimates for Accidental Atmospheric Releases
2.3.5 Long-Term Diffusion Estimates
2.3.6 Site Parameter Envelope [Future]
2.4.1 Hydrologic Description
2.4.2 Floods
2.4.3 Probable Maximum Flood (PMF) on Streams and Rivers
2.4.4 Potential Dam Failures
2.4.5 Probable Maximum Surge and Seiche Flooding
2.4.6 Probable Maximum Tsunami Flooding
2.4.7 Ice Effects
2.4.8 Cooling Water Canals and Reservoirs
2.4.9 Channel Diversions
2.4.10 Flooding Protection Requirements
2.4.11 Cooling Water Supply
2.4.12 Groundwater
2.4.13 Accidental Releases of Liquid Effluents in Ground and Surface Waters
2.4.14 Technical Specifications and Emergency Operation Requirements
2.5.1 Basic Geologic and Seismic Information [Future]
2.5.2 Vibratory Ground Motion [Future]
2.5.3 Surface Faulting [Future]
2.5.4 Stability of Subsurface Materials and Foundations
2.5.5 Stability of Slopes

CHAPTER 3 DESIGN OF STRUCTURES, COMPONENTS, EQUIPMENT, AND SYSTEMS
3.2.1 Seismic Classification
3.2.2 System Quality Group Classification
3.3.1 Wind Loadings
3.3.2 Tornado Loadings
3.4.1 Flood Protection
3.4.2 Analysis Procedures
3.5.1.1 Internally Generated Missiles (Outside Containment)
3.5.1.2 Internally Generated Missiles (Inside Containment)
3.5.1.3 Turbine Missiles
3.5.1.4 Missiles Generated by Natural Phenomena
3.5.1.5 Site Proximity Missiles (Except Aircraft)
3.5.1.6 Aircraft Hazards
3.5.2 Structures, Systems, and Components to be Protected from Externally Generated Missiles
3.5.3 Barrier Design Procedures
3.6.1 Plant Design for Protection Against Postulated Piping Failures in Fluid Systems Outside Containment
3.6.2 Determination of Rupture Locations and Dynamic Effects Associated with the Postulated Rupture of Piping
3.7.1 Seismic Design Parameters
3.7.2 Seismic System Analysis
3.7.3 Seismic Subsystem Analysis
3.7.4 Seismic Instrumentation
3.8.1 Concrete Containment
3.8.2 Steel Containment
3.8.3 Concrete and Steel Internal Structures of Steel or Concrete Containments
3.8.4 Other Seismic Category I Structures
3.8.5 Foundations
3.9.1 Special Topics for Mechanical Components
3.9.2 Dynamic Testing and Analysis of Systems, Components, and Equipment
3.9.3 ASME Code Class 1, 2, and 3 Components, Component Supports, and Core Support Structures
3.9.4 Control Rod Drive Systems
3.9.5 Reactor Pressure Vessel Internals
3.9.6 Inservice Testing of Pumps and Valves
3.10 Seismic and Dynamic Qualification of Mechanical and Electrical Equipment
3.11 Environmental Qualification of Mechanical and Electrical Equipment
3.12 Interfacing System Loss of Coolant Accident (ISLOCA) - Design Review for Systems Interfacing with the Reactor Coolant System [Future]
3.13 Threaded Fasteners

CHAPTER 4 REACTOR
4.2 Fuel System Design
4.3 Nuclear Design
4.4 Thermal and Hydraulic Design
4.5.1 Control Rod Drive Structural Materials
4.5.2 Reactor Internal and Core Support Materials
4.6 Functional Design of Control Rod Drive System

CHAPTER 5 REACTOR COOLANT SYSTEM AND CONNECTED SYSTEMS
5.2.1.1 Compliance with the Codes and Standards Rule, 10 CFR 50.55a
5.2.1.2 Applicable Code Cases
5.2.2 Overpressure Protection
5.2.3 Reactor Coolant Pressure Boundary Materials
5.2.4 Reactor Coolant Pressure Boundary Inservice Inspection and Testing
5.2.5 Reactor Coolant Pressure Boundary Leakage Detection
5.3.1 Reactor Vessel Materials
5.3.2 Pressure-Temperature Limits and Pressurized Thermal Shock
5.3.3 Reactor Vessel Integrity
5.4 Components and Subsystem Design
5.4.1.1 Pump Flywheel Integrity (PWR)
5.4.2.1 Steam Generator Materials
5.4.2.2 Steam Generator Tube Inservice Inspection
5.4.6 Reactor Core Isolation Cooling System (BWR)
5.4.7 Residual Heat Removal (RHR) System
5.4.8 Reactor Water Cleanup System (BWR)
5.4.11 Pressurizer Relief Tank
5.4.12 Reactor Coolant System High Point Vents

CHAPTER 6 ENGINEERED SAFETY FEATURES
6.1.1 Engineered Safety Features Materials
6.1.2 Protective Coating Systems (Paints) - Organic Materials
6.2.1 Containment Functional Design
6.2.1.1.A PWR Dry Containments, Including Subatmospheric Containments
6.2.1.1.B Ice Condenser Containments
6.2.1.1.C Pressure-Suppression Type BWR Containments
6.2.1.2 Subcompartment Analysis
6.2.1.3 Mass and Energy Release Analysis for Postulated Loss-of-Coolant
6.2.1.4 Mass and Energy Release Analysis for Postulated Secondary System Pipe Ruptures
6.2.1.5 Minimum Containment Pressure Analysis for Emergency Core Cooling System Performance Capability Studies
6.2.2 Containment Heat Removal Systems
6.2.3 Secondary Containment Functional Design
6.2.4 Containment Isolation System
6.2.5 Combustible Gas Control in Containment
6.2.6 Containment Leakage Testing
6.2.7 Fracture Prevention of Containment Pressure Boundary
6.3 Emergency Core Cooling System
6.4 Control Room Habitability System
6.5.1 ESF Atmosphere Cleanup Systems
6.5.2 Containment Spray as a Fission Product Cleanup System
6.5.3 Fission Product Control Systems and Structures
6.5.4 Ice Condenser as a Fission Product Cleanup System
6.5.5 Pressure Suppression Pool as a Fission Product Cleanup System
6.6 Inservice Inspection of Class 2 and 3 Components
6.7 Main Steam Isolation Valve Leakage Control System (BWR)
6.8 Reactor Coolant Depressurization Systems (PWR) [Future]

CHAPTER 7 INSTRUMENTATION AND CONTROLS [Future]

CHAPTER 8 ELECTRIC POWER
8.1 Electric Power - Introduction
8.2 Offsite Power System
8.3.1 AC Power Systems (Onsite)
8.3.2 DC Power Systems (Onsite)
8.4 Station Blackout [Future]
8-A Branch Technical Positions (PSB)
8-B General Agenda, Station Site Visits

CHAPTER 9 AUXILIARY SYSTEMS
9.1.1 New Fuel Storage
9.1.2 Spent Fuel Storage
9.1.3 Spent Fuel Pool Cooling and Cleanup System
9.1.4 Light Load Handling System (Related to Refueling)
9.1.5 Overhead Heavy Load Handling Systems
9.2.1 Station Service Water System
9.2.2 Reactor Auxiliary Cooling Water Systems
9.2.3 Demineralized Water Makeup System
9.2.4 Potable and Sanitary Water Systems
9.2.5 Ultimate Heat Sink
9.2.6 Condensate Storage Facilities
9.3.1 Compressed Air System
9.3.2 Process and Post-accident Sampling Systems
9.3.3 Equipment and Floor Drainage System
9.3.4 Chemical and Volume Control System (PWR) (Including Boron Recovery System)
9.3.5 Standby Liquid Control System (BWR)
9.4.1 Control Room Area Ventilation System
9.4.2 Spent Fuel Pool Area Ventilation System
9.4.3 Auxiliary and Radwaste Area Ventilation System
9.4.4 Turbine Area Ventilation System
9.4.5 Engineered Safety Feature Ventilation System
9.5.1 Fire Protection Program
9.5.2 Communications Systems
9.5.3 Lighting Systems
9.5.4 Emergency Diesel Engine Fuel Oil Storage and Transfer System
9.5.5 Emergency Diesel Engine Cooling Water System
9.5.6 Emergency Diesel Engine Starting System
9.5.7 Emergency Diesel Engine Lubrication System
9.5.8 Emergency Diesel Engine Combustion Air Intake and Exhaust

CHAPTER 10 STEAM AND POWER CONVERSION SYSTEM
10.2 Turbine Generator
10.2.3 Turbine Rotor Integrity
10.3 Main Steam Supply System
10.3.6 Steam and Feedwater System Materials
10.4.1 Main Condensers
10.4.2 Main Condenser Evacuation System
10.4.3 Turbine Gland Sealing System
10.4.4 Turbine Bypass System
10.4.5 Circulating Water System
10.4.6 Condensate Cleanup System
10.4.7 Condensate and Feedwater System
10.4.8 Steam Generator Blowdown System (PWR)
10.4.9 Auxiliary Feedwater System (PWR)

CHAPTER 11 RADIOACTIVE WASTE MANAGEMENT
11.1 Source Terms
11.2 Liquid Waste Management Systems
11.3 Gaseous Waste Management Systems
11.4 Solid Waste Management Systems
11.5 Process and Effluent Radiological Monitoring Instrumentation and Sampling Systems

CHAPTER 12 RADIATION PROTECTION
12.1 Assuring that Occupational Radiation Exposures Are As Low As Is Reasonably Achievable
12.2 Radiation Sources
12.3-12.4 Radiation Protection Design Features
12.5 Operational Radiation Protection Program

CHAPTER 13 CONDUCT OF OPERATIONS
13.1.1 Management and Technical Support Organization
13.1.2-13.1.3 Operating Organization
13.2.1 Reactor Operator Training
13.2.2 Training For Non-Licensed Plant Staff
13.3 Emergency Planning
13.4 Operational Review
13.5.1.1 Administrative Procedures - General
13.5.1.2 Administrative Procedures - Initial Test Program
13.5.2.1 Operating and Emergency Operating Procedures
13.5.2.2 Maintenance and Other Operating Procedures
13.6 Physical Security

CHAPTER 14 INITIAL TEST PROGRAM AND ITAAC-DESIGN CERTIFICATION
14.2 Initial Plant Test Program - Final Safety Analysis Report
14.3 Inspections, Tests, Analyses, and Acceptance Criteria - Design Certification
14.3.1 Site Parameters (Tier 1)
14.3.2 Structural and Systems Engineering (Tier 1)
14.3.3 Piping Systems and Components (Tier 1)
14.3.4 Reactor Systems (Tier 1)
14.3.5 Instrumentation and Controls (Tier 1)
14.3.6 Electrical Systems (Tier 1)
14.3.7 Plant Systems (Tier 1)
14.3.8 Radiation Protection and Emergency Preparedness (Tier 1)
14.3.9 Human Factors Engineering (Tier 1)
14.3.10 Initial Test Program and D-RAP (Tier 1)
14.3.11 Containment Systems and Severe Accidents (Tier 1)

CHAPTER 15 ACCIDENT ANALYSIS
15.0 Accident Analysis - Introduction
15.1.1-15.1.4 Decrease in Feedwater Temperature, Increase in Feedwater Flow, Increase in Steam Flow, and Inadvertent Opening of a Steam Generator Relief or Safety Valve
15.1.5 Steam System Piping Failures Inside and Outside of Containment (PWR)
15.1.5.A Radiological Consequences of Main Steam Line Failures Outside Containment of a PWR
15.2.1-15.2.5 Loss of External Load; Turbine Trip; Loss of Condenser Vacuum; Closure of Main Steam Isolation Valve (BWR); and Steam Pressure Regulator Failure (Closed)
15.2.6 Loss of Nonemergency AC Power to the Station Auxiliaries
15.2.7 Loss of Normal Feedwater Flow
15.2.8 Feedwater System Pipe Breaks Inside and Outside Containment
15.3.1-15.3.2 Loss of Forced Reactor Coolant Flow Including Trip of Pump Motor and Flow Controller Malfunctions
15.3.3-15.3.4 Reactor Coolant Pump Rotor Seizure and Reactor Coolant Pump Shaft Break
15.4.1 Uncontrolled Control Rod Assembly Withdrawal from a Subcritical or Low Power Startup Condition
15.4.2 Uncontrolled Control Rod Assembly Withdrawal at Power
15.4.3 Control Rod Misoperation (System Malfunction or Operator)
15.4.4-15.4.5 Startup of an Inactive Loop or Recirculation Loop at an Incorrect Temperature, and Flow Controller Malfunction Causing an Increase in BWR Core Flow Rate
15.4.6 Chemical and Volume Control System Malfunction that Results in a Decrease in Boron Concentration in the Reactor Coolant (PWR)
15.4.7 Inadvertent Loading and Operation of a Fuel Assembly in an Improper Position
15.4.8 Spectrum of Rod Ejection Accidents (PWR)
15.4.8.A Radiological Consequences of a Control Rod Ejection Accident (PWR)
15.4.9 Spectrum of Rod Drop Accidents (BWR)
15.4.9.A Radiological Consequences of Control Rod Drop Accident (BWR)
15.5.1-15.5.2 Inadvertent Operation of ECCS and Chemical and Volume Control System Malfunction that Increases Reactor Coolant Inventory
15.6.1 Inadvertent Opening of a PWR Pressurizer Pressure Relief Valve or a BWR Pressure Relief Valve
15.6.2 Radiological Consequences of the Failure of Small Lines Carrying Primary Coolant Outside Containment
15.6.3 Radiological Consequences of Steam Generator Tube Failure
15.6.4 Radiological Consequences of Main Steam Line Failure Outside Containment (BWR)
15.6.5 Loss-of-Coolant Accidents Resulting From Spectrum of Postulated Piping Breaks Within the Reactor Coolant Pressure Boundary
15.6.5.A Radiological Consequences of a Design Basis Loss-of-Coolant Accident Including Containment Leakage Contribution
15.6.5.B Radiological Consequences of a Design Basis Loss-of-Coolant Accident: Leakage From Engineered Safety Feature Components Outside Containment
15.6.5.D Radiological Consequences of a Design Basis Loss-of-Coolant Accident: Leakage From Main Steam Isolation Valve Leakage Control System (BWR)
15.7.3 Postulated Radioactive Releases Due to Liquid-Containing Tank Failures
15.7.4 Radiological Consequences of Fuel Handling Accidents
15.7.5 Spent Fuel Cask Drop Accidents
15.8 Anticipated Transients Without Scram [Future]

CHAPTER 16 TECHNICAL SPECIFICATIONS
16.0 Technical Specifications

CHAPTER 17 QUALITY ASSURANCE
17.1 Quality Assurance During the Design and Construction Phases
17.2 Quality Assurance During the Operations Phase
17.3 Quality Assurance Program Description
17.4 Reliability Assurance Program

CHAPTER 18 HUMAN FACTORS ENGINEERING
18.0 Human Factors Engineering

CHAPTER 19 SEVERE ACCIDENTS
19.1 Probabilistic Risk Assessment [Future]
19.2 Severe Accident Containment Performance [Future]

APPENDIX I INTEGRATED IMPACTS
APPENDIX II POTENTIAL IMPACTS

A14.3 SAMPLE CHAPTER

The following is a sample chapter from Section 6.5.2 “Containment Spray as a Fission Product Cleanup System.”

6.5.2 CONTAINMENT SPRAY AS A FISSION PRODUCT CLEANUP SYSTEM

REVIEW RESPONSIBILITIES
Primary - Materials and Chemical Engineering Branch (EMCB)
Secondary - Plant Systems Branch (SPLB); Emergency Preparedness and Radiation Protection Branch (PERB)

I. AREAS OF REVIEW. . .
(1) Fission Product Removal Requirement for Containment Spray. . .
(2) Design Bases. . .
(3) System Design
The information on the design of the spray system, including any subsystems and supporting systems, is reviewed to familiarize the reviewer with the design and operation of the system. The information includes:
(a) The description of the basic design concept; the systems, subsystems, and support systems required to carry out the fission product scrubbing function of the system; and the components and instrumentation employed in these systems.
(b) The process and instrumentation diagrams.
(c) Layout drawings (plans, elevations, isometrics) of the spray distribution headers.
(d) Plan views and elevations of the containment building layout.
(4) Testing and Inspections. . .
(5) Technical Specifications. . .


II. ACCEPTANCE CRITERIA. . .
The acceptance criteria for the fission product cleanup function of the containment spray system are based on meeting the relevant requirements of the following regulations:
A. General Design Criterion 41 (Reference. . .) as it relates to containment atmosphere cleanup systems being designed to control fission product releases to the reactor containment following postulated accidents.
B. Specific criteria necessary to meet the relevant requirements of General Design Criteria 41, 42, and 43 include:
(1) Design Requirements for Fission Product Removal
The containment spray system should be designed in accordance with the requirements of ANSI/ANS 56.5 (Reference. . .), except that requirements for any spray additive or other pH control system in this reference need not be followed.
(a) System Operation
The containment spray system should be designed to be initiated automatically by an appropriate accident signal and to be transferred automatically from the injection mode to the recirculation mode to ensure continuous operation until the design objectives of the system have been achieved. In all cases, the operating period should not be less than two hours. Additives to the spray solution may be initiated manually or automatically, or may be stored in the containment sump to be dissolved during the spray injection period.
(b) Coverage of Containment Building Volume
In order to ensure full spray coverage of the containment building volume, the following should be observed:
(1) The spray nozzles should be located as high in the containment building as practicable to maximize the spray drop fall distance.
(2) The layout of the spray nozzles and distribution headers should be such that the cross-sectional area of the containment building covered by the spray is as large as practicable and that a nearly homogeneous distribution of spray in the containment building space is produced. Unsprayed regions in the upper containment building and, in particular, an unsprayed annulus adjacent to the containment building liner should be avoided wherever possible.
(3) In designing the layout of the spray nozzle positions and orientations, the effect of the post-accident atmosphere should be considered, including the effects of post-accident conditions that result in the maximum possible density of the containment atmosphere.
(c) Promotion of Containment Building Atmosphere Mixing
Because the effectiveness of the containment spray system depends on a well-mixed containment atmosphere, all design features enhancing post-accident mixing should be considered.
(d) Spray Nozzles
The nozzles used in the containment spray system should be of a design that minimizes the possibility of clogging while producing drop sizes effective for iodine absorption. The nozzles should not have internal moving parts such as swirl vanes, turbulence promoters, etc. They should not have orifices or internal restrictions which would narrow the flow passage to less than 0.64 cm (0.25 inch) in diameter.


(e) Spray Solution
The partition of iodine between liquid and gas phases is enhanced by the alkalinity of the solution. The spray system should be designed so that the spray solution is within material compatibility constraints. Iodine scrubbing credit is given for spray solutions whose chemistry, including any additives, has been demonstrated to be effective for iodine absorption and retention under post-accident conditions.
(f) Containment Sump Solution Mixing
The containment sump should be designed to permit mixing of emergency core cooling system (ECCS) and spray solutions. Drains to the engineered safety features sump should be provided for all regions of the containment which would collect a significant quantity of the spray solution. Alternatively, allowance should be made for “dead” volumes in the determination of the pH of the sump solution and the quantities of additives injected.
(g) Containment Sump and Recirculation Spray Solutions
The pH of the aqueous solution collected in the containment sump after completion of injection of containment spray and ECCS water, and all additives for reactivity control, fission product removal, or other purposes, should be maintained at a level sufficiently high to provide assurance that significant long-term iodine re-evolution does not occur. Long-term iodine retention is calculated on the basis of the expected long-term partition coefficient. Long-term iodine retention may be assumed only when the equilibrium sump solution pH, after mixing and dilution with the primary coolant and ECCS injection, is above 7 (Reference. . .). This pH value should be achieved by the onset of the spray recirculation mode.
(h) Storage of Additives. . .
(i) Single Failure. . .
(2) Testing. . .
(3) Technical Specifications. . .

III. REVIEW PROCEDURES. . .
C. Fission Product Cleanup Models.
The reviewer estimates the area of the interior surfaces of the containment building which could be washed by the spray system, the volume flow rate of the system (assuming single failure), the average drop fall height and the mass-mean diameter of the spray drops, from inspection of the information in the SAR. The effectiveness of a containment spray system may be estimated by considering the chemical and physical processes that could occur during an accident in which the system operates. Models containing such considerations are reviewed on case-by-case bases. NUREG/CR-5966 (Reference. . .) provides a method for review of containment spray models and evaluating the effectiveness of the spray design in the removal of fission products from the containment atmosphere. This model is used in conjunction with the fission product release assumptions in NUREG-1465. In the absence of detailed models, the following simplifications may be used:
Experimental results (References. . .) and computer simulations of the chemical kinetics involved (Reference. . .) show that an important factor determining the effectiveness of sprays against elemental iodine vapor is the concentration of iodine in the spray solution. Experiments with fresh sprays having no dissolved iodine were observed to be quite effective in the scrubbing of elemental iodine even at a pH as low as 5 (References. . .). However, solutions having dissolved iodine, such as the sump solutions that recirculate after an accident, may revolatilize iodine if the solutions are acidic (References. . .). Chemical additives in the spray solution have no significant effect upon aerosol particle removal because this removal process is largely mechanical in nature.
(1) Elemental iodine removal during spraying of fresh solution
During injection, the removal of elemental iodine by wall deposition may be estimated by λw = Kw A/V. (Note: this is the fraction of iodine removed by the spray in one second, order of magnitude = 3 × 10⁻³.) Here, λw is the first-order removal coefficient by wall deposition, A is the wetted surface area, V is the containment building net free volume, and Kw is a mass-transfer coefficient. All available experimental data are conservatively enveloped if Kw is taken to be 4.9 meters per hour (Reference. . .).
During injection, the effectiveness of the spray against elemental iodine vapor is chiefly determined by the rate at which fresh solution surface area is introduced into the containment building atmosphere. The rate of solution surface created per unit gas volume in the containment atmosphere may be estimated as (6F/VD), where F is the volume flow rate of the spray pump, V is the containment building net free volume, and D is the mass-mean diameter of the spray drops. The first-order removal coefficient by spray, λs, may be taken to be λs = 6 Kg T F/(V D), where Kg is the gas-phase mass-transfer coefficient, and T is the time of fall of the drops, which may be estimated by the ratio of the average fall height to the terminal velocity of the mass-mean drop (Reference. . .). The above expression represents a first-order approximation if a well-mixed droplet model is used for the spray efficiency. The expression is valid for λs values equal to or greater than ten per hour. λs is to be limited to 20 per hour to prevent extrapolation beyond the existing data for boric acid solutions with a pH of 5 (References. . .). For λs values less than ten per hour, analyses using a more sophisticated expression are recommended.
(2) Elemental iodine removal during recirculation of sump solution
The sump solution at the end of injection is assumed to contain fission products washed from the reactor core as well as those removed from the containment atmosphere. The radiation absorbed by the sump solution, if the solution is acidic, would generate hydrogen peroxide (Reference. . .) in sufficient amount to react with both iodide and iodate ions and raise the possibility of elemental iodine re-evolution (Reference. . .). For sump solutions having pH values less than 7, molecular iodine vapor should be conservatively assumed to evolve into the containment atmosphere (Reference. . .). Information on the partition coefficients for molecular iodine can be found in References. . . The equilibrium partitioning of iodine between the sump liquid and the containment atmosphere is examined for the extreme additive concentrations determined in Section III.1.a.(2), in combination with the range of temperatures possible in the containment atmosphere and the sump solution. The reviewer should consider all known sources and sinks of acids and bases (e.g. alkaline earth and alkali metal oxides, nitric acid generated by radiolysis of nitrogen and water, alkaline salts or lye additives) in a post-accident containment environment. The minimum iodine partition coefficient determined


for these conditions forms the basis of the ultimate iodine decontamination factor in the staff’s analysis described in subsection III.4.d.
(3) Organic iodides
It is conservative to assume that organic iodides are not removed by either spray or wall deposition. Radiolytic destruction of iodomethane may be modeled, but such a model must also consider radiolytic production (Reference. . .). Engineered safety features designed to remove organic iodides are reviewed on a case-by-case basis.
(4) Particulates
The first-order removal coefficient, λp, for particulates may be estimated by λp = 3 h F E/(2 V D), where h is the fall height of the spray drops, V is the containment building net free volume, F is the spray flow, and (E/D) is the ratio of a dimensionless collection efficiency E to the average spray drop diameter D. Since the removal of particulate material depends markedly upon the relative sizes of the particles and the spray drops, it is convenient to combine parameters that cannot be known (Reference. . .). It is conservative to assume (E/D) to be 10 per meter initially (i.e. 1% efficiency for spray drops of one millimeter in diameter), changing abruptly to one per meter after the aerosol mass has been depleted by a factor of 50 (i.e. 98% of the suspended mass is ten times more readily removed than the remaining 2%).
D. The iodine decontamination factor, DF, is defined as the maximum iodine concentration in the containment atmosphere divided by the concentration of iodine in the containment atmosphere at some time after decontamination. DF for the containment atmosphere achieved by the containment spray system is determined from the following equation (Reference. . .): DF = 1 + Vs H/Vc, where H is the effective iodine partition coefficient, Vs is the volume of liquid in containment sump and sump overflow, and Vc is the containment building net free volume. The maximum decontamination factor is 200 for elemental iodine. The effectiveness of the spray in removing elemental iodine shall be presumed to end at that time, post-LOCA, when the maximum elemental iodine DF is reached. Because the removal mechanisms for organic iodides and particulate iodines are significantly different from and slower than that for elemental iodine, there is no need to limit the DF for organic iodides and particulate iodines.
For standard design certification reviews under 10 CFR Part 52, the procedures above should be followed, as modified by the procedures in SRP Section 14-3 (proposed), to verify that the design set forth in the standard safety analysis report, including inspections, tests, analysis, and acceptance criteria (ITAAC), site interface requirements and combined license action items, meet the acceptance criteria given in subsection II. SRP Section 14-3 (proposed) contains procedures for the review of certified design material (CDM) for the standard design, including the site parameters, interface criteria, and ITAAC.

IV. EVALUATION FINDINGS. . .
V. IMPLEMENTATION. . .
The following guidance is provided to applicants and licensees about the staff’s plans for using this SRP section. . .
VI. REFERENCES. . .
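The simplified removal model of items C and D above, carried through numerically as an added Python example (it is not part of the book or of the SRP text). The plant values in worked_case() are constructed for illustration, and adding λs and λw into a single elemental-iodine removal rate during injection is an assumption of this example.

```python
import math

KW_M_PER_H = 4.9          # wall mass-transfer coefficient Kw given in the text
LAMBDA_S_FLOOR = 10.0     # 1/h: below this the simple lambda_s expression is not valid
LAMBDA_S_CAP = 20.0       # 1/h: limit against extrapolation beyond the pH 5 data
DF_MAX_ELEMENTAL = 200.0  # maximum decontamination factor for elemental iodine
E_OVER_D_INITIAL = 10.0   # 1/m until the aerosol mass is depleted by a factor of 50
E_OVER_D_LATE = 1.0       # 1/m afterwards
DEPLETION_SWITCH = 50.0


def lambda_wall(wetted_area_m2, free_volume_m3):
    """lambda_w = Kw A / V, in 1/h."""
    return KW_M_PER_H * wetted_area_m2 / free_volume_m3


def lambda_spray(kg_m_per_h, fall_time_h, flow_m3_per_h, free_volume_m3, drop_diameter_m):
    """lambda_s = 6 Kg T F / (V D), in 1/h, with the validity floor and the cap."""
    raw = 6.0 * kg_m_per_h * fall_time_h * flow_m3_per_h / (free_volume_m3 * drop_diameter_m)
    if raw < LAMBDA_S_FLOOR:
        raise ValueError(f"lambda_s = {raw:.2f}/h is below {LAMBDA_S_FLOOR}/h; "
                         "a more sophisticated expression is recommended")
    return min(raw, LAMBDA_S_CAP)


def lambda_particulate(fall_height_m, flow_m3_per_h, free_volume_m3, e_over_d_per_m):
    """lambda_p = 3 h F (E/D) / (2 V), in 1/h."""
    return 3.0 * fall_height_m * flow_m3_per_h * e_over_d_per_m / (2.0 * free_volume_m3)


def elemental_df_limit(sump_volume_m3, partition_coefficient, free_volume_m3):
    """DF = 1 + Vs H / Vc, capped at 200 for elemental iodine."""
    df = 1.0 + sump_volume_m3 * partition_coefficient / free_volume_m3
    return min(df, DF_MAX_ELEMENTAL)


def elemental_cutoff_time_h(lam_per_h, df_limit):
    """Time at which first-order removal reaches the DF limit and credit ends."""
    return math.log(df_limit) / lam_per_h


def elemental_fraction(t_h, lam_per_h, df_limit):
    """Airborne elemental iodine fraction; no further credit once 1/DF is reached."""
    return max(math.exp(-lam_per_h * t_h), 1.0 / df_limit)


def particulate_fraction(t_h, fall_height_m, flow_m3_per_h, free_volume_m3):
    """Airborne particulate fraction with E/D dropping from 10/m to 1/m
    once the suspended mass has been depleted by a factor of 50."""
    lam_fast = lambda_particulate(fall_height_m, flow_m3_per_h, free_volume_m3, E_OVER_D_INITIAL)
    lam_slow = lambda_particulate(fall_height_m, flow_m3_per_h, free_volume_m3, E_OVER_D_LATE)
    t_switch = math.log(DEPLETION_SWITCH) / lam_fast
    if t_h <= t_switch:
        return math.exp(-lam_fast * t_h)
    return math.exp(-lam_slow * (t_h - t_switch)) / DEPLETION_SWITCH


def worked_case():
    """Constructed plant values (assumptions, not data from the book)."""
    volume, wetted_area = 50_000.0, 10_000.0      # m3, m2
    flow, drop_diameter = 600.0, 1.0e-3           # m3/h (one train), m
    fall_height, fall_time = 30.0, 7.5 / 3600.0   # m, h (30 m at 4 m/s)
    kg = 108.0                                    # m/h, assumed gas-phase coefficient
    sump_volume, partition = 2_000.0, 5_000.0     # m3, dimensionless H

    lam_w = lambda_wall(wetted_area, volume)
    lam_s = lambda_spray(kg, fall_time, flow, volume, drop_diameter)
    df_limit = elemental_df_limit(sump_volume, partition, volume)
    lam_elemental = lam_s + lam_w                 # assumption: coefficients add
    return {
        "lambda_w": lam_w,
        "lambda_s": lam_s,
        "df_limit": df_limit,
        "t_cutoff_h": elemental_cutoff_time_h(lam_elemental, df_limit),
        "elemental_fraction_2h": elemental_fraction(2.0, lam_elemental, df_limit),
        "particulate_fraction_2h": particulate_fraction(2.0, fall_height, flow, volume),
    }


if __name__ == "__main__":
    for name, value in worked_case().items():
        print(f"{name}: {value:.5g}")
```

With these inputs the elemental-iodine credit ends after about 0.31 h, well inside the two-hour minimum operating period, while the particulate fraction is still falling at the slower late-phase rate.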

APPENDIX 15 SAFETY CAGE

A15.1 GENERAL REMARKS

This appendix considers one of the more “extreme” solutions against severe accidents (see Chapter 5: Severe Accidents) which consists of a steel-reinforced concrete cage built around a pressurized water reactor vessel with the purpose of absorbing, by plastic deformation, the energy released by a steam explosion (internal or external to the vessel) and which causes its rupture and the violent projection of its pieces into the surrounding space. A possible conceptual scheme is presented with the verification calculations. (The calculations and drawings are due to Dr. Eng Giuseppe Pino.) The results of some experimental tests at a reduced scale performed several years ago on safety cages similar to the one described are presented.

A15.2 AVAILABLE ENERGY

This evaluation is undertaken for an AP600 reactor. The mass of the molten core is about 110 t (61 t of UO2, 18.8 t of Zr, 29.2 t of stainless steel). The initial temperature of the corium ranges between 2000 K and 2500 K and the final temperature, after quenching in water, is about 400 K. On the basis of the specific heat and of the fusion heat, the specific thermal energy is about 1 MJ/kg and therefore the total energy amounts to about 110,000 MJ.

A15.3 MECHANICAL ENERGY WHICH CAN BE RELEASED

The conversion of thermal energy into mechanical energy in this phenomenon has a low efficiency, ranging from 2% to 15% with a likely value close to 4%–5%. Therefore the mechanical energy produced by the reaction for all the 110 t of corium will range between 2200 MJ and 16,500 MJ, with a likely value of about 5000 MJ. Considering various assumptions on the fall of corium in water within the vessel, it can be concluded that only 2% of the entire mass takes part in the explosion. Therefore, for steam explosions within the vessel, the value of the energy released may range from 45 to 330 MJ.


For hypothetical explosions occurring outside the vessel, a rough first evaluation can be made. If the assumption is made of a corium release from penetrations in the vessel bottom head, the mass which could take part in the explosion is the one which could leave the vessel, at the existing internal pressure, in the typical delay time for the triggering of such explosions (about 1–2 s). For a hole of 100 mm of equivalent diameter, the mass concerned is of the order of 7400 kg, which can originate 330 MJ of mechanical energy, given the efficiency levels discussed above. Even in the case of an abrupt failure of the vessel bottom head with the release of all the molten core, phenomena exist which prevent all the fallen mass from taking part in the explosion. It is estimated that not more than 10% of it can be involved, with a release of mechanical energy of the order of 1650 MJ. These values of available energy are comparable to, but lower than, those taken into consideration by the Karlsruhe Research Center (KFK) and quoted in the figures given in Chapter 5, Severe Accidents (the reactor in that example is different from the one considered here and some of the estimates concerning the conversion of thermal to mechanical energy are rather different). Both evaluations, however, have their validity.

A15.4 OVERALL SIZING OF A STRUCTURAL CAGE AROUND THE PRESSURE VESSEL

The overall sizing of a structural cage around the vessel is illustrated here. The aim of the cage is to absorb the impact of internally originated missiles having an energy corresponding to a steam explosion, to a pressure failure of the vessel and to a destructive reactivity excursion. The worst case is discussed, corresponding to a steam explosion with a mechanical energy of 1650 MJ. The structural scheme chosen is shown in Fig. A15.1. An upper box-like structure with a hemispherical shape, located above the vessel, is made from a number of webs with a section of 0.03 × 1 m, positioned along the meridian lines, and of two curved shells at their inside and outside lines having, respectively, a thickness of 20 and 30 mm. The meridian webs are connected to an annular beam, also of a box-like construction, connected by tendons located on its median circumference with the reinforced concrete structure of the reactor building. In a first-trial sizing, 476 tendons were considered, with a diameter of approximately 76.2 mm (equal to 3 inches), ungrouted for the largest part of their length, about 24 m, and grouted in the reinforced concrete structure in their terminal anchorage zone. The weight of the upper hemispherical structure is about 150 t.

A15.4.1 VERIFICATION OF THE TENDONS

It is assumed that all the mechanical energy available is transferred to the “missile” (the entire vessel), neglecting the deformation and rupture energy of the pipes. It is also assumed that this energy is totally absorbed by the plastic deformation of the tendons, up to an admissible ductility limit of 0.5(εu/εe), according to the suggestions of the ASCE (ASCE, 1997), where εu and εe are the specific elongation at rupture and the specific elongation at elastic limit, respectively.

FIGURE A15.1 Scheme of structural cage for containment of the effects of a steam explosion. (Labels in the figure: upper steel shell; webs; lower steel shell; annular box-like beam for anchorage of tendons; mobile wall; ungrouted steel bars Φ 3", L = 24 m; annular tunnel; connections of tendons to anchorages; tendon anchorages.)

The material chosen is a special T1 steel with the following characteristics: σu = 7 × 10⁷ kg/m² and εu ≥ 16%. The admissible ductility is μ = 0.5(0.16/0.002) = 40.

The overall yield force which the tendons have to exert is Ry = E/[xe(μ − 1/2)], where E is the absorbed energy (kg m) and xe, the elastic deformation of the tendons, is 0.002 × 24 = 0.048 m.

Ry = 165 × 10³/[0.048(40 − 1/2)] = 87,025 t

The overall tendon cross-section required is Aa = 87,025,000/(7 × 10⁷) = 1.2432 m², corresponding to 354 × 76.2 mm bars, which is fewer than the first-trial bars. The verification has therefore had a positive result and some resistance margin exists. It can be verified with similar calculations that the upper hemispherical structure is equally adequate, as well as the lateral structure of the reactor cavity (suitably reinforced by additional steel bars, within the limits of practical feasibility).

A15.5 EXPERIMENTAL TESTS ON STEEL CAGES FOR THE CONTAINMENT OF VESSEL EXPLOSIONS

Some tests were performed in Italy at the end of the 1960s to verify the calculations and effectiveness of the scheme. The case studied was a little different from that caused by a steam explosion in that the rupture of a pressurized vessel was induced by the instantaneous creation of a supercritical crack and the surrounding cage had to prevent the separation of vessel fragments in order to limit damage to nearby components and structures. The mechanism of loading the cage and the way in which the containment was obtained were, however, identical to those of the case examined here. Fig. A15.2 shows the lateral view (from which it can be understood why the test team called it salama) and a longitudinal section of the vessel and cage. The latter comprised seven rings connected by four longitudinal bars. Some spacer blocks were attached to the rings in order to simulate a full-scale structural scheme, where the vessel should have a rather free space around it to be filled by the thermal insulation. The crack was suddenly generated by the firing of a small copper tile externally lined by a plastic explosive, placed along the trace of the crack to be generated. The explosion of the plastic projected molten copper onto the vessel, converging at the centreline of the small tile and causing a sharp cut in the vessel steel. CO2 bottles at 1–2 MPa were used as the pressure vessel. Both longitudinal (linear axial crack) and circumferential (arc of circle crack) breaks were simulated. The behavior of the cage (rings and bars) was as anticipated assuming a uniform load on the blocks and on the bars (according to the crack position) and a perfectly elastic–plastic behavior of the material. For the longitudinal cracks, for example, the cage rings were plastically deformed into almost perfect hexagons.

FIGURE A15.2 Lateral view and cross-section of the test vessel and cage. (Labels in the figure: cage rings; copper tile and plastic explosive; vessel; blocks.)

REFERENCE ASCE 40265, 1997. Design of blast resistant buildings in petrochemical facilities, USA.

APPENDIX 16 CRITERIA FOR THE SITE CHART (ITALY)

A16.1 POPULATION AND LAND USE

The exclusion criteria adopted are the following:
1. A population factor weighted over circular rings lower than 20,000 with a weight given by Table A16.1 (or by an equivalent bilogarithmic graph).
2. A population factor weighted on the most unfavorable 22°30′ sector from the origin up to 50 km, lower than 6500 (with the weight given by r^−1.5, where r is the distance in kilometers).
3. A distance of at least 10 km from population centers with many hundreds of thousands of inhabitants.
4. A distance of at least 20 km from population centers with many hundreds of thousands of inhabitants.
5. The availability, around the center of the site, of a circular area of the diameter of about 1 km which can be put under the direct control of the utility.

The criteria on the population distribution and on its weight are connected with the assumption of an accidental release of 3.7 × 10¹³ Bq of iodine-131 and of the other associated nuclides, with a maximum effective dose to the individual (adult) equal to 0.01 Sv and with a thyroid maximum dose of a few tens of millisieverts. The criteria concerning population centers are connected with the possibility to proceed, in case of very serious accident, to the evacuation of population centers.

Table A16.1 Population Factor

Distance (km)    Factor
1                1
2                0.66
5                0.25
10               0.07
15               0.03
20               0.001


A16.2 GEOLOGY, SEISMOLOGY AND SOIL MECHANICS

1. Areas are excluded which have shown tectonic and volcanic activity in recent geological times (upper Pleistocene).
2. Areas are excluded where historical data indicate earthquakes of intensity X or higher on the Mercalli–Cancani–Sieberg scale. Historical data may be completed by seismotectonic studies in order to determine whether the areas without such historical earthquakes are in any case susceptible to originate them in the future and should therefore be excluded.
3. Specific sites have to be excluded where in case of earthquake the following occurrences may happen: maximum ground acceleration incompatible with proven features of the design; unacceptable karstic phenomena; surface faulting; liquefaction beyond the design capabilities. (It is observed that this criterion excludes particular sites having the possibility of movement of surface faults.)

A16.3 ENGINEERING REQUIREMENTS

1. Availability of condenser water (see Table A16.2).
2. Ground slopes less than 5%–10% on the site.
3. Distance from communication lines less than 10 km with elevation differences lower than 100 m.

A16.4 EXTREME EVENTS FROM HUMAN ACTIVITIES

The following criteria have been temporarily adopted (waiting for design solutions):
1. For military airports, a distance of at least 15 km from the runways and at least 8 km from the airport area.
2. For civil airports, a minimum distance of at least 8 km from the airport area (for airports with small tourism airplanes only, having small dimensions and velocities, about 250 km/h, the distance is halved).
3. A distance of at least 8 km from important firing ranges and from areas with nonremovable military restrictions.
4. Distances from potentially dangerous industrial installations and from communication lines also for the transport of dangerous substances, to be studied case-by-case.

Table A16.2 Condenser Water

Flowing water: About 50 m³/s for each 1000 MWe unit at less than 3 km distance
Wet towers: About 1.5 m³/s per unit of 1000 MWe with evaporation of one half and restitution of the remaining amount (minimum flow of the water body of 12 m³/s for at least 355 days per year to comply with water heating limits)
Dry towers: No requirement


A16.5 EXTREME NATURAL EVENTS

Areas subject to extreme natural phenomena (floods, snow slides and so on) have to be excluded if absolutely safe design provisions cannot be adopted. For floods, in particular, it should be possible to place the plant at an elevation of objective safety (natural or artificial). Particular attention should be given to
• relatively narrow valleys, dominated by lakes, water reservoirs or dams;
• areas which could be subject, in case of earthquake, to landslides, snow slides, and avalanches;
• coastal areas subject to tidal waves.

APPENDIX 17 THE THREE MILE ISLAND ACCIDENT

A17.1 SUMMARY DESCRIPTION OF THE THREE MILE ISLAND NO. 2 PLANT

Three Mile Island (TMI) on the Susquehanna River is located about 16 km SE of Harrisburg, PA, United States. It is a flat island with a surface of several square kilometers. Some years ago it was chosen as the site for a nuclear power station with two units named TMI-1 and TMI-2. Each unit has its own reactor and turbine-generator group for the conversion of steam into electric energy. The two units could supply 1700 MW to the grid, sufficient for the needs of 300,000 families (based on the average consumption of a US family). The power station was the joint property of the Pennsylvania Electric Company, the Jersey Central Power & Light Company, and the Metropolitan Edison Company. The three companies were part of a “holding,” the General Public Utilities Corporation. Operational responsibility was vested in Metropolitan Edison. The nuclear part of the plant (i.e., the reactor and its auxiliary systems—the “nuclear island”) had been supplied by the Babcock & Wilcox company. The architect engineer, Burns & Roe, had built the remainder of the plant. The plant, equipped with a pressurized water reactor, is represented in a simplified way in Fig. A17.1. The vessel (1) contains the reactor core (2) in which the control rods can be inserted from above (3). The cooling system is formed by two circuits (in the figure only one is represented), each one provided with two recirculation pumps (4) and with one steam generator (5). The steam produced in the secondary side of the generator is routed to the turbine (6) and converted to water again in the condenser. The condensate returns to the steam generators through the normal feedwater pumps (7). The water is also passed through a filtration and purification device which has the objective of maintaining a high degree of purity and therefore of avoiding corrosion of the mechanical components (steam generators, turbine, piping, etc.).
In addition to the normal feedwater system, an auxiliary system exists with three pumps which start automatically in case of need. The transformation of water into steam in the secondary side of the steam generators takes heat and therefore cools the water which circulates in the primary system of the same generators. The two water flows, the primary and the secondary one, are in opposite sides of the metal wall of small

FIGURE A17.1 Simplified schematic of the TMI-2 plant.

pipes located in each steam generator. Through this wall the warmer fluid, primary water, transmits heat to the colder fluid, that is the secondary water, and converts it into steam. The primary water, which therefore leaves the generator at a lower temperature than the initial one, is recirculated by pumps (4) through the reactor core and removes the heat produced by the nuclear chain reaction. Once the warmed primary water leaves the core, it reenters into the steam generators, so starting again its cooling–heating cycle, transporting the heat of nuclear origin and producing the steam which operates the turbine. The stability of the pressure of the primary system is assured by the pressurizer (8). This is a vertical vessel whose volume is normally 60% filled with water and 40% by steam. The lower part of it (filled with water) is connected by a surge line with one of the two primary cooling circuits: electrical heaters are immersed in the water. The upper part (filled with steam) can be sprayed by cold water. The introduction of cold water by the sprays or the switching on of heaters takes care of the control of the pressure. In fact, when cold water is sprayed, the pressure decreases, and when the heaters are switched on, the opposite happens. When the reactor pressure exceeds a certain value, the relief valve (9) is automatically actuated. This valve is located on the upper part of the pressurizer and discharges steam in a discharge collecting tank (10), partly filled with cold water and provided with an emergency rupture disc (11), which avoids its excessive pressurization. When the pressure within the tank reaches the intervention level of the rupture disc, it breaks off discharging the excess fluid into the containment building (12). The relief valve is preceded by a block valve.
If the relief valve remains stuck open, with consequent excessive loss of steam, the block valve can be closed from the control room, so preventing steam efflux from the pressurizer. The liquids collected on the bottom of the containment building are transferred by a sump pump (13) in the radioactive discharges tank (14) located in the auxiliary building (15). This building is provided with a filtered ventilation system.


The reactor is assisted by the following emergency core cooling systems:

• A high-pressure injection (HPI) system with three pumps for the injection of borated water in the reactor. In emergency operation, which is automatically activated by low pressure of the primary system or by high pressure in the containment building, two pumps activate. Analyses show that only one pump is necessary to prevent core damage in case of small breaks in the cooling system.
• A flooding system is provided with two systems containing pressurized borated water, which automatically inject water when the pressure goes below a preset value. This system has the objective of protecting the core in cases of intermediate and large breaks in the primary cooling system.
• A low-pressure injection system provided with two pumps which inject borated water in the reactor. The system is automatically operated by the same types of signal as the high-pressure system. This system ensures the cooling of the core in cases of large breaks, while in cases of small breaks it operates after the operation of the high-pressure system, when the primary pressure has reached a sufficiently low level. Analyses show that only one pump is necessary to guarantee cooling.

The primary circuit and the steam generators are located inside the containment building in prestressed concrete, with a steel liner to assure it is leak-proof. The atmosphere of the building can be refrigerated by fan cooler groups. Recombiners are provided for the treatment of hydrogen (which is possibly released within the building in an accident). Moreover, a containment atmosphere spray system exists aimed at reducing the temperature, and consequently the pressure, which could be created in the building itself as a consequence of primary coolant loss.

A17.2 THE ACCIDENT

On the night of March 27–28, 1979 the TMI-1 unit was stopped as the refuelling operations were being completed. In fact, about every year and a half, the water power stations are stopped in order to replace the more exhausted fuel elements with new ones. The second unit, TMI-2, was operating normally at 97% full power. TMI-2 had started its commercial operation phase only a few months earlier, at the end of 1978, after having passed the commissioning tests. Operation personnel were working on the purification plant of the water extracted from the condenser (which receives and condenses the steam released by the turbine). The operations in progress on that equipment consisted in the replacement of the filtering material (resins), normally performed by removal with compressed air, washing in water, and subsequent replacement. Possibly, during the operation of resin removal, the washing water accidentally penetrated the compressed air circuit because of a leaking valve. The presence of water in the compressed air system, which is also used for the operation of the big valves on the feedwater pipes, caused the quick closure of these valves and the complete interruption of the secondary water to steam generators.


The TMI accident started 36 seconds after 4 a.m. TMI-2 had already met problems with the feedwater purification system 18 months before the accident. During this time, however, no effective measures were taken to guarantee the needed safety of operation of this equipment. It must be noted here that the event described, a sudden and total lack of normal feedwater to steam generators, is considered in the safety analyses of power stations, among the relatively frequent ones and therefore plants are protected against them. As we will see, only a fatal combination of erroneous evaluations by the personnel with a general plant situation characterized by a substantially careless plant management and with the malfunction of another plant component, allowed the events (probable and normally without damaging consequences) to escalate into one of the worst nuclear accidents ever to happen. The interruption of feedwater to steam generators causes a decrease of their water level and within a few minutes, for this type of PWR plant, their complete voiding, when all the residual water has been transformed into steam. For this reason an automatic protection system stops the turbine when the water level in the steam generators decreases to a trigger level. This occurred correctly at TMI-2, two seconds from the start of the accident. When the secondary side of a generator dries off, as at TMI-2, the primary water no longer cools down further and therefore returns to the core inlet as warm as it had left it. Passing through the core, it heats up further and increases to ever higher temperatures. In these conditions, it is dangerous to allow the primary temperature to grow beyond certain limits, so it is necessary to stop the nuclear chain reaction, thus substantially reducing the amount of heat produced by the core. The fast shutdown of the TMI-2 reactor, in the conditions described, occurs in the following way. 
The increase of primary water temperature causes the expansion of the water itself which can expand in the pressurizer, which, as it has been said, is connected to the primary circuit by a pipe and is only partially filled with water: the other part of it is full of steam, as in a pressure cooker (see Fig. A17.2). The flow of water into the pressurizer compresses the steam contained in it and increases its pressure. When the pressure has reached a preset value, the chain reaction is arrested by an automatic shutdown system which causes the control rods to fall into the core. This occurred correctly in TMI-2, eight seconds after the start of the accident. In the meantime another event had happened. It too was normal and foreseen: the opening of the relief valve located on the top of the pressurizer. This had a similar effect to opening the valve on a pressure cooker lid. The combination of opening the relief valve with the arrest of the chain reaction (as if the valve on the pressure cooker was opened and the burner shut off) causes a quick decrease of the primary system pressure. However, the automatic control system of the relief valve is designed in such a way that it causes its reclosure when the pressure again reaches sufficiently low values. This lower pressure was reached in TMI-2, 13 seconds after the start of the accident, but unfortunately, something malfunctioned and the valve did not automatically reclose. The relief line stayed open for 2 hours and 20 minutes, transforming a relatively normal event of feedwater interruption into a much more serious accident of loss of coolant from the primary circuit. This malfunction was the only mechanical fault of the events that brought the accident to its serious final consequences. The other events were human evaluation errors and the poor maintenance conditions of the plant.


FIGURE A17.2 Pressurizer.


Two systems had been provided to cope with this mechanical failure. The first system signaled to the operators in the control room the “open” status of the valve and, therefore, the lack of its reclosure. It consisted of an instrument, readable in the control room, which measured the temperature in the pipe connecting the relief valve to the steam condensation tank. When the valve was open, hot steam flowed into the pipe and the temperature indicated by the instrument was high. When the valve was closed, the pipe did not contain hot steam and the indicated temperature was low. Additionally, a light on the control console indicated if the valve had received the opening electric command. This indication was, however, indirect and unsafe: in fact, the valve may receive the “close” command and, at the same time, be still open because of a mechanical fault, for example, because of a seizure of parts in its mechanism. Also, it is possible for a blown bulb to go undetected, thereby giving an incorrect status reading. Both systems were provided so that an operator, on seeing the primary pressure decrease in an abnormal way, could check if this fact depended on a stuck open relief valve. At TMI-2, 13 seconds after the start of the accident, the valve position indicator signaled that the closure command had been given. A second system was provided to compensate for the effects of a mechanical fault of the relief valve. This consisted, very simply, of a block valve located on the same pipe as the relief valve. An operator, correctly diagnosing the failure of the relief valve to close by reading the temperature in the pipe, may stop the steam leak by closing this second valve. Hence the name of block valve. At TMI-2, even with these provisions, the carelessness with which, apparently, the plant was managed before the accident prevented the four men who happened to have to cope with it alone in the first crucial phases of it from taking the correct actions.
During one of the postaccident inquiries (Kemeny, 1979), the shift superintendent for TMI-1 and TMI-2 explained that the temperature in the pipe was high even before the accident because of leaks in the relief valve: “I have seen, consulting the recordings after the accident, about 198°F. But I remember previous cases . . . slightly higher than 200 [. . .] knowing that the relief valve had opened, I expected that the temperature in the pipe had stayed high and that some time had been necessary for the pipe to cool down below 200°.” However, the records show that the temperature reached 285°F. Moreover, one of the emergency procedures of the plant says that a temperature of 200°F indicates that the relief valve is open. Another procedure requires the closure of the block valve when the temperature exceeds 130°F. All this indicated that the plant was operated in the usual way even in the presence of evident leakages from the relief valve, contrary to any good practice and in violation of the procedures. This operational malpractice is not general in nuclear plants. In particular, an inquiry performed on some power stations after the TMI-2 accident has confirmed that in similar cases of valves affected by significant leaks, the plant has been stopped and the leak eliminated. The delayed closure of the block valve at TMI-2 prevented the operators from distinguishing an accident situation (relief valve stuck open) from a situation of careless operation (relief valve with continuous leaks). As we have seen, once the chain reaction arrest did intervene because of high pressure, the heat generated by the core substantially decreases but does not completely cease. In fact, the radioactive products of the fission reaction of the uranium nucleus and those generated by other secondary phenomena continue to emit radiation which, once absorbed by the surrounding materials, is transformed into heat.
This heat, the core “decay heat,” immediately after the arrest equals 7% of the power of the preceding operation. It decreases to 1% after about 2 hours.


The decay heat must be removed from the primary circuit by a cooling system, otherwise the primary water and the reactor core will overheat. In the case of normal feedwater loss to steam generators, an auxiliary feedwater system automatically intervenes which, in a similar way to the main system, supplies water to the secondary side of the steam generators and performs, by steam production, the primary system cooling. Fourteen seconds after the start of the accident at TMI-2 an operator observed that the auxiliary feedwater pumps had automatically started as expected. However, he did not notice the two lights on the control panel indicating that two valves, one on each of the two auxiliary feedwater pipes, were shut and that the water could not reach the generators and so provide cooling. Eight minutes after the start of the accident, however, somebody noticed that the water had not arrived at the generators and another operator opened the two closed valves. This delay in the arrival of the auxiliary feedwater to the generators did not greatly affect the accident, but it did distract the operators. The reason why the two valves were closed is not known exactly. According to the technical specifications for operation they had to be in the open position. Two minutes after the start of the accident, because of the continuous loss of steam from the stuck open relief valve and the consequent decrease in the pressure of the primary circuit, the two powerful pumps on the high-pressure emergency injection system started up, as anticipated, on a “too low” pressure signal (indicative of the presence of a steam or water leak from the primary system). They started to automatically introduce water into the primary circuit. The HPI system is a part of the ECCS, principally aimed at the protection of the core integrity in case of primary loss of coolant accident (LOCA). 
These systems are capable of keeping the core submerged in water and therefore cooled even if the largest primary pipe suddenly broke. In fact we have seen that the decay heat of the shutdown core, that is, after the chain reaction ceases, must in any case be removed and, in case of a break in a large pipe, it is not possible to rely on the heat removal capability of the steam generators. As the core is under water, its excessive overheating is prevented. In fact the water heats up and is transformed into steam, so cooling the core. It then escapes from the rupture toward the containment building while new water is introduced into the primary circuit by the ECCS system in order to always keep the core submerged. The HPI system at TMI-2 correctly came into operation because the system was undergoing a LOCA because of the “stuck open” relief valve. But at the time, the operators did not know that yet. They had neither diagnosed a LOCA nor its cause, because the control room pressurizer water level instrumentation indicated a level that was higher than normal. What was happening was an extremely insidious but not yet well-known phenomenon. In a system of pipes and vessels, fluids tend to move from high-pressure zones toward low-pressure ones. At TMI-2, the lower pressure zone was closer to the opening toward the outside (relief valve open), that is the pressurizer. For this reason, while steam went out of the pressurizer top toward the outside, at the same time the content of the remaining part of the primary system flowed toward the inside of the pressurizer. Without entering into the details of the complex fluid-dynamic phenomena involved, it can be said that that flow succeeded in keeping the water level in the pressurizer high while the primary system was losing its precious content of water. This phenomenon is in some respects similar, even if not for the same reasons, to the one which happens when a gassed soft drink bottle is opened. 
The gas is suddenly released entraining to the outside part of the liquid. This does not happen because the bottle is too full of liquid, but because the violently outgoing gas entrains it in part.


The operators, concentrating their attention on the fact that the level in the pressurizer was higher than normal, were erroneously convinced that the primary system was full of water and that therefore the core was safe. They, unfortunately, made, at this point and later in the course of the accident, some fatal maneuvers, all consistent, however, with this erroneous conviction of theirs. One of the operators, about two and a half minutes after the start of the HPI pumps, stopped one of them and reduced the water flow rate of the other to a minimum. Subsequently a controlled spillage of the primary water was started. During the subsequent inquiries, he said: “The rapidly growing pressurizer level at the start of the accident made me believe that the HPI was excessive and that soon we would have the primary system completely full of water.” The control room instrumentation indicated a loss of coolant accident in progress. The indication of high temperature in the relief valve pipe has already been discussed. Additionally, the continuous decrease of the primary system pressure, even after the HPI intervention, was a clear indication that the system was losing water. Why did the operators not correctly interpret the signals? They simply trusted the high pressurizer level indications. A technical superintendent at TMI-2 who arrived on the plant at 03:45, subsequently said: “I had the perception that we were in a very unusual situation, since I had never seen the pressurizer level increase and stay at a high value and, at the same time, the pressure staying low. They [the pressure and the level] had always behaved in the same way.” As a consequence of the described evaluation errors the primary circuit continued to lose water for hours and in addition the automatic core cooling system, correctly activated, could not perform its function of fuel integrity protection.
It is now known that if the block valve had been closed after one and a half or two hours or if the operation of the HPI only had not been arrested, even without the closure of the valve, the TMI accident would have been no more than a modest nuisance of operation. For completeness of information it has to be added that the possibility of an accident of the type of TMI-2 had been foreseen by some experts. If these foresights had been confirmed by in-depth theoretical studies and possibly by experimental tests, their results, duly made known to interested people, would have enabled the TMI-2 operators to correctly diagnose the fault and react correctly. In September 1977, for example, an event similar to the TMI-2 had happened at the Davis-Besse Station, United States. Luckily the reactor was operating only at 9% of normal power and therefore the decay heat was small. Moreover, the block valve was closed 20 minutes after the start of the event. No reactor damage therefore occurred. In any case, an engineer of Babcock & Wilcox, the designer of this plant too, warned, in an internal memorandum written before the TMI-2 accident, that if the event had happened on a plant operating at full power, probably the core would have been uncovered with the possibility of fuel damage. An engineer of the Tennessee Valley Authority had described, in a draft technical report, the possibility of the phenomenon of increasing water level in the pressurizer with simultaneous decreasing pressure. Not enough time was available, unfortunately, for these studies to proceed beyond the stage of initial draft and to become part of the nuclear science before the TMI-2 accident. As the incident at TMI-2 progressed, the indications that severe core damage was occurring became ever clearer. One hour after the start of the accident, at 05:00, the four primary water recirculation pumps started to strongly vibrate and had to be shut down.
The vibration was indicative of the presence of steam in the circuit and therefore of a scarcity of water.
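The cross-check that the instruments described above made possible can be written down as a few rules; this is an added illustration, not taken from the book or from any plant procedure. The 130°F and 200°F thresholds are the ones quoted in the text, while the field names, rule names and sample readings are constructed for the example.

```python
from dataclasses import dataclass

# Thresholds quoted in the text from the plant procedures (degrees Fahrenheit).
BLOCK_VALVE_CLOSE_F = 130.0  # above this, a procedure requires closing the block valve
RELIEF_OPEN_F = 200.0        # an emergency procedure reads this as "relief valve open"

# Rule names (hypothetical) whose firing contradicts a "system is full" reading of the level.
CONTRADICTS_LEVEL = {
    "command-position-mismatch",
    "level-pressure-divergence",
    "pressure-falling-despite-hpi",
}


@dataclass(frozen=True)
class Reading:
    """One snapshot of control-room indications (field names are hypothetical)."""
    t_s: int               # seconds since the start of the event
    close_commanded: bool  # panel light: the command sent to the valve, not its position
    tailpipe_f: float      # temperature in the pipe downstream of the relief valve
    pressure_mpa: float    # primary system pressure
    pzr_level_pct: float   # pressurizer water level
    hpi_running: bool      # high-pressure injection in operation


def assess(prev, cur):
    """Compare two consecutive readings and return the names of the rules that fire."""
    findings = []
    # Judge against the procedural limit, not against a habitual "leaky valve" baseline.
    if cur.tailpipe_f > BLOCK_VALVE_CLOSE_F:
        findings.append("close-block-valve")
    # The light reports the command; the pipe temperature is independent evidence of flow.
    if cur.close_commanded and cur.tailpipe_f >= RELIEF_OPEN_F:
        findings.append("command-position-mismatch")
    pressure_falling = cur.pressure_mpa < prev.pressure_mpa
    # Level and pressure normally move together; opposite trends mean level is misleading.
    if pressure_falling and cur.pzr_level_pct > prev.pzr_level_pct:
        findings.append("level-pressure-divergence")
    # Pressure still dropping while injection has been running: inventory is being lost.
    if pressure_falling and prev.hpi_running and cur.hpi_running:
        findings.append("pressure-falling-despite-hpi")
    return findings


def level_reading_contradicted(findings):
    """True when any independent indication contradicts a high pressurizer level."""
    return any(name in CONTRADICTS_LEVEL for name in findings)


def review(readings):
    """Assess each reading against its predecessor (the first one against itself)."""
    results = {}
    prev = readings[0]
    for cur in readings:
        results[cur.t_s] = assess(prev, cur)
        prev = cur
    return results


# Constructed sample data. The times follow the narrative (closure commanded at 13 s,
# HPI start at 2 min, HPI throttled about 2.5 min later) and 198/285 F are the
# temperatures mentioned in the text; every other value is invented for illustration.
SAMPLE = [
    Reading(0, True, 198.0, 15.0, 60.0, False),
    Reading(13, True, 240.0, 14.0, 62.0, False),
    Reading(120, True, 270.0, 11.0, 70.0, True),
    Reading(270, True, 285.0, 10.0, 85.0, True),
]

if __name__ == "__main__":
    for t_s, findings in review(SAMPLE).items():
        print(t_s, findings, "level contradicted:", level_reading_contradicted(findings))
```

Even the pre-accident reading trips the block-valve rule, which is the point made above about operating with a leaking relief valve.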


At 06:00, alarms indicated high radiation in the containment. This was an indication of a release of radioactive products from a core that had been damaged. At 07:00, radiation levels throughout the plant increased, prompting the operators to declare a state of internal emergency. This action is taken when an event threatens “an uncontrolled release of radioactivity outside the plant.” At 07:24, the station superintendent, worried by the high radiation levels in the primary containment, declared a general emergency, that is, “an accident capable of causing serious radiological consequences to the health and safety of the population.” In spite of everything, the station personnel continued to believe that the reactor core was covered by water, but at the same time, by some unknown phenomenon, that it had been damaged. The station superintendent would later say: “. . . I don’t think that in my mind I was really convinced that the core had remained completely uncovered or uncovered in a substantial measure at that time (eight o’clock in the morning).” For several hours, the operators did not understand the real condition of the core. Various strategies were tried during that time in order to terminate an unknown, but indicated, core damage situation. It is not possible to give now the rationale for any single maneuver performed but certainly the erroneous conviction that the primary system was full of water stayed for many hours in the minds of the operators. About 16 hours after the start of the accident, maneuvers were performed which gave clear indication that the control of core cooling had been regained: the block valve was definitively closed, the HPI was started up and one of the recirculation pumps of the primary circuit was started up with one steam generator operating.
Soon afterwards the decreasing trend of all the primary circuit temperatures, the correct value of the pressure and the good operating conditions of the pumps clearly indicated that the core cooling was again under control. What had happened in the meantime within the reactor core? During the first 16 hours of the accident the core had, on several occasions and for long periods, dried (even if not completely) and therefore was without adequate cooling (Figs. A17.3 and A17.4). It can be calculated that some parts of the core reached temperatures in excess of 3100 K. The many safety tests performed over the years indicate the occurrence of two dangerous phenomena when the core temperature exceeds 1500 K. The first one consists in the fact that the small tubes (claddings) containing the core uranium, made of a zirconium alloy, show a vigorous chemical reaction with water or steam at these temperatures to generate hydrogen. The hydrogen, in the presence of oxygen or air, may lead to potentially destructive explosions. The second is caused either by nuclear overheating or by the metal (zirconium)-water reaction. It consists of the mechanical damage of the fuel claddings and of the fuel itself, up to its melting, with the consequent liberation of the accumulated radioactive fission products. The nuclear fission (splitting) reaction of the nucleus of the uranium atom leads to the disappearance of the atom itself and to its transformation into two or more lighter, generally radioactive, atoms. These fission products accumulate in the fuel and their release is prevented by the presence of the cladding. Fig. 3.6 shows the damaged areas of the core as now known from the available information (OECD, 1994).

FIGURE A17.3 Pressure history and periods when the core was uncovered.

FIGURE A17.4 Pressure history and significant events in the first hours. [Axes: system pressure (MPa) against time (min).]

It can be calculated that about 50% of the zirconium present in the TMI-2 core reacted with water to produce hydrogen and that practically all the volatile fission products were released by the core into the primary circuit and hence, through the stuck open relief valve, into the containment building. Forty-five percent (62 t) of the fuel melted and about 20 t migrated from their original position and collected on the vessel bottom head. The formation of hydrogen in the core also occurs by the radiolytic decomposition of water molecules, made of hydrogen and of oxygen. This phenomenon generates a mixture of hydrogen and oxygen gas. The considerable production of hydrogen during the TMI-2 accident gave the operators further difficulties: no severe consequence, however, ensued. First, hydrogen collected, because of its low density, in the highest part of the vessel and other primary circuit components, forming large bubbles which impaired the good circulation of water in the circuit itself. The phenomenon, an air-lock, which occurs in a domestic central heating system when air collects in the pipes, is familiar to many: the radiator stays cold because the water cannot circulate through it. Second, for many subsequent days there was concern about the possibility that radiolytic hydrogen and oxygen could detonate within the vessel and damage it. In reality, the first calculations were too conservative and did not account for other phenomena which in effect prevented the accumulation of oxygen in a measure sufficient to give rise to a detonation. In conclusion, it was probably an unfounded fear. A real explosion, on the other hand, happened in the containment building where the hydrogen that had escaped through the relief valve mixed with the air oxygen causing an explosion about 10 hours after the start of the accident without, however, damaging either the containment or other essential equipment. The sudden pressure rise caused by the explosion was recorded by the instruments and was equal to about 0.2 MPa. In addition to the possible effects of hydrogen, the other danger to the plant was the perforation of the vessel by the molten material (about 20 t) which collected on its bottom.
With the aim of understanding how the vessel resisted the high temperatures and stresses imposed on it by contact with the corium, an international research program, the Vessel Investigation Project (VIP), was launched by the OECD. The VIP results are described in OECD (1994). One of the principal conclusions is that, although the vessel wall locally reached temperatures high enough to possibly make it fail, this failure did not happen because the vessel was relatively cooler around the hot zone. In reality, there was always some water on the vessel bottom throughout the accident and it is thought that this water succeeded in penetrating the solidified corium cracks and the gaps between the corium and vessel, thereby refrigerating the largest part of the vessel. The indication given by the accident that a molten core may be confined inside the pressure vessel has not been forgotten by nuclear safety specialists and now this fact is relied upon in various designs (see Chapter 5: Severe Accidents).

A17.3 THE CONSEQUENCES OF THE ACCIDENT ON THE OUTSIDE ENVIRONMENT

The commission nominated by President Carter to investigate the accident, the “Kemeny Commission” after the name of its chairman, effectively detected responsibilities and deficiencies, and listed the damages caused by the accident. However, its final report, published at the end of October 1979 (Kemeny, 1979), contained the following statement: “We conclude that the most serious health effect of the accident was severe mental stress, which was short lived. The highest levels of distress were found among those living within 5 miles of TMI and in families with preschool children.” The TMI-2 accident has been one of the two most serious events in the nuclear industry since its start. It engaged the US technological apparatus for many months, it has worried practically all the world and has cost an estimated one to two billion dollars. However, it has not had consequences on the external environment beyond inconvenience and the state of concern of the population in the immediate neighborhood of the plant. This concern, to a large part, is due to evaluation errors. Nuclear power stations have been designed taking into account the possibility of accidents and providing the consequent protection, generally multiple, against their effects. In the TMI-2 accident these protections, notwithstanding the damages to the plant, have not missed their principal aim of protecting the integrity of the people and the environment. The following describes the still negligible health damage of radiological origin due to the accident (USNRC, 1979a; Kemeny, 1979). The radiation damage depends on the amount of radiation dose absorbed: the more sieverts (or rem) absorbed, the more serious are the consequences on the exposed individual. Up to some hundreds of millisieverts, no consequences arise. Beyond 1 Sv up to 2 Sv, nausea, vomiting, and indisposition may occur. At about 5 Sv the probability of death is high. For the TMI accident the highest potential individual irradiation outside the plant site is more conveniently expressed in microsievert. It was in fact measured at 800 µSv.
In order to evaluate the importance of this irradiation, it is useful to compare it with the one annually absorbed by every one of us just by living in a place, in a certain type of house, by eating and drinking, watching television, traveling by air, undergoing medical diagnoses, etc. In fact, each of us is subject to cosmic radiation and to radiation emitted by the ground, by construction materials, by food, and by various electronic devices. The annual doses absorbed in this way vary from place to place, but, for example, the higher the altitude of a town where an individual lives, the higher is the amount of cosmic radiation absorbed. In many countries, the background individual annual dose ranges between 500 µSv and 2.5 mSv. The maximum potential dose at TMI is lower than the typical difference in annual dose from one part of a country to another. Many will be surprised at this. It must, however, be remembered that we live in a radioactive world. Radioactivity is everywhere around us and is part of our environment. It is true that the TMI accident has had minor health consequences of radiological nature. A similar result is obtained if, instead of the individual dose, the collective dose is considered. It is known that in a population receiving even a small individual dose, statistically, lethal cases of cancer may occur. For TMI, various evaluations of this possible effect have been made, also considering the minute dose received due to the accident by individuals living as far as 80 km from the plant. The total population within this distance is about two million. Of these, in the subsequent years, according to the statistical data, about 325,000 will die of cancer for reasons different from the accident. It is practically certain that the possible additional cases of cancer due to the accident will be less than five, and therefore, as this is so low, they are included within the statistical variation of the cases occurring for other reasons (Kemeny, 1979).


The same general conclusion holds for the probability that the subsequent offspring of the population involved in the accident show malformations of some type. This reassuring health picture is derived from the measurements taken by various teams of well-equipped specialists operating around the power station and in the air space of the same zone. However, the governor of Pennsylvania, at the time, officially issued recommendations concerning protective measures and the evacuation of the population. Late in the morning of March 30, it was suggested that the population within 16 km of the plant should stay inside their houses to shield them to the maximum possible extent from possible radioactive clouds due to releases from the power station. Soon afterwards, roughly at 12:30, following further consultations with health authorities and experts, the governor recommended that pregnant women and preschool children should leave the zone within a radius of 8 km from the power station and that in this zone all the schools should be closed. At 20:30 of the same day, the governor withdrew the first recommendation but the second was only cancelled on 9 April. These precautionary measures, which were subsequently shown to be excessive, were in the largest part suggested by pessimistic evaluations of the possible evolution of plant phenomena and by incredible fortuitous coincidences. For example, considerable weight in the decisions of the governor was carried by a group of experts from the Nuclear Regulatory Commission (NRC, the US control body on the peaceful uses of atomic energy) who suggested the evacuation of women and children. The same experts, in issuing their recommendation, were influenced by the following coincidence. They were evaluating all the possible modes of release of radioactive products from the plant and were calculating the consequences of a release due to excessive pressure from some radioactive gas storage tanks.
The calculation indicated the theoretical possibility of radiation at the fence of the plant of 12 mSv/hour. Fifteen or twenty seconds after having obtained this result, they received the news that on site a radiation field of precisely 12 mSv/hour had been measured. They concluded that the unlikely emission of gases from the tanks had happened and recommended the evacuation to the governor. In reality, the measurement had been made by a helicopter which was flying 40 m above the discharge stack. The measurement was therefore not representative of the radiation field on the ground. Another element of confusion and of pessimism was the exceedingly conservative evaluation of the detonation possibility of the hydrogen bubble in the reactor vessel. The recommendations to stay inside and to evacuate the zone, at least for the people most vulnerable to radiation damage, together with news from television and the press which was not completely reassuring, caused understandable fear among the inhabitants of the TMI-2 zone. Radiation, unlike other potentially damaging agents and elements (e.g., fire, water, toxic gases), is not detected by our senses, so we feel unsafe and uncertain because we must rely on measurements and the advice of “experts.” In this regard, the astonishment of the Harrisburg mayor, who wanted to visit the power station during the crisis on 30 March, is highly indicative: “Rather strangely, one of the things that impressed me the most and that gave me the maximum sensation of confidence that everything was under control was that everybody on the site, all the employees, the president and so on, went around in their shirts and bare head. I didn’t see any indication of nuclear protection.”


The mobilization of all the national industrial and health protection resources was, however, impressive. About 10 laboratories in the United States worked night and day to analyze samples taken from the plant and to perform evaluations of the present situation of the reactor and of its possible evolution. The industries of the nuclear field, such as General Electric and Westinghouse, promptly put themselves at the disposal of Babcock & Wilcox, of Metropolitan Edison and of the NRC for whatever assistance might be needed. The pharmaceutical industry, too, had to make a powerful effort. The Mallinckrodt Chemical Company of St Louis, in cooperation with Parke-Davis of Detroit and with a manufacturer of machines for filling vials, based in New Jersey, agreed at short notice to supply the Government Department for Health with 250,000 doses of potassium iodide. This substance, if ingested in an appropriate dose, protects the individual from the negative consequences of the inhalation of radioactive iodine, potentially released to the atmosphere by a nuclear station accident. In fact, inhaled or ingested iodine, radioactive or not, is absorbed by the thyroid until the thyroid is saturated. At this point, even if additional iodine is ingested, it is eliminated by the body. The previous ingestion of potassium iodide saturates the thyroid with iodine, and any subsequent inhalation of radioactive iodine then has no health consequences as it is promptly eliminated. The first batch of vials arrived in Harrisburg within 24 hours and the last batch arrived 4 days later. It was not necessary to use any of them. Despite the effectiveness of the emergency plans, the TMI-2 experience has shown that the preparations for an emergency must be increased in every country.

A17.4 THE ACTIONS INITIATED AFTER THE ACCIDENT

The TMI-2 accident was followed by decontamination operations, that is, the removal of radioactive products contained in the systems and in the buildings. This has made it possible to enter the containment building in order to complete the decontamination operations within it and to start the inspections of the reactor. In parallel, in the United States and in all countries interested in nuclear energy, studies were initiated in order to understand the development and the causes of the accident and to identify the possible improvements to power stations and to their management which might prevent accidents of similar severity. The studies in question, initiated almost everywhere immediately after the accident, gave substantial results even in the same year. Modifications made to existing plants were relatively few, but crucial, and were promptly made. They mainly concerned the automatic protection systems of the reactors, which have now been set in a way which takes into account the behavior, previously not well known, of the pressurizer level in LOCAs concerning, as in TMI-2, the high parts of the pressurizer itself. Numerous other improvements were instigated in the aftermath of the accident. The work done by the NRC (Rogovin, 1980; USNRC, 1979b; 1979c) has indicated the need for improvements to the instrumentation, to the containment systems, to operator training, to the skills in safety issues present in each power station, to the operating procedures, to the safety analyses and to the emergency provisions.


The Kemeny Commission (Kemeny, 1979) concluded its work by saying that the field in which the most fundamental modifications were necessary is that of the mindset and of the working methods of the industry and of the control bodies in the United States. It was of the opinion that “after many years of operation of nuclear power plants, with no evidence that any member of the general public has been hurt, the belief that nuclear power plants are sufficiently safe grew into a conviction. One must recognize this to understand why many key steps that could have prevented the accident at TMI were not taken.” The most important modifications that the Kemeny Commission deemed necessary in order to prevent the further occurrence of accidents of the TMI-2 severity concern the organization and the intervention procedures of the NRC, the operator training, the management of nuclear plants by the utilities, some technical aspects of the plants, the research on the effects of low radiation doses and the emergency provisions. Studies by various working groups in other countries were substantially in agreement with the NRC and with the Kemeny Commission recommendations. In Italy, a country well known to the author, an attempt was made, through the work of an expert group, to single out among the proposed improvements the few which appeared to be most effective in unlikely accident situations of various types. This was because even if many conceivable accidents can be studied, it is not possible to be certain that all of them have been foreseen, so an effective protection against the unforeseen is necessary. On the other hand, the core of a reactor may “die” from only two “illnesses”: the lack of water and the lack of neutron poisons for the shutdown of the chain reaction. The first case has happened in TMI-2. 
It is also true that the study of possible accidents, even if limited, leads to the provision of abundant water for core submersion and for the shutdown of the chain reaction. The area of possible improvement concerns the systems which diagnose the conditions of possible danger to the core itself. For this reason the group recommended, in the first place, the installation, as far as technologically feasible on each reactor, of instrumentation capable of directly and reliably measuring the water level and the local temperature and power distribution in the core. Recommendations were then made concerning the improvement of operator training for accident conditions, of the emergency provisions and of the study of accidents in order to pay more attention to the plant control actions even a long time after the event. Other more specific recommendations concerned detailed characteristics of plant components. Some recommendations of the American study groups were already implemented in Italy, for example, the one concerning the consideration of more simultaneous faults in the study of an accident. The studies initiated soon after the accident continued in the field of emergency provisions, of operator training and on the completion of the recommendations. In the subsequent years, the technical thinking on the accident at ENEA-DISP led to the development of a proposal for the Core Rescue System (see Appendix 10) based on the voluntary depressurization of the primary system and on the injection of cooling water by passive systems (Petrangeli et al., 1993). This type of system was subsequently adopted in various new reactor designs (e.g., on the AP600 Westinghouse reactor). In particular, the voluntary depressurization system of the primary circuit, publicly proposed for the first time (for pressurized reactors) in the course of the mentioned studies in Italy, has become a permanent feature in the new PWR plant designs.


REFERENCES

Kemeny, J.G., 1979. Report of the President’s Commission on the Accident at Three Mile Island: The Need for Change; the Legacy of TMI. President’s Commission on the Accident at Three Mile Island, 2100 M Street, NW, Washington, DC 20037.
OECD, 1994. Three Mile Island Reactor Pressure Vessel Investigation Project. OECD-NEA. OECD, Paris.
Petrangeli, G., Tononi, R., D’Auria, F., Mazzini, M., 1993. The SSN: An emergency system based on intentional coolant depressurization for PWRs. Nucl. Eng. Des. 143, 25-54.
Rogovin, M., 1980. Three Mile Island: A Report to the Commissioners and to the Public. NRC Special Inquiry Group.
USNRC, 1979a. Population Dose and Health Impact of the Accident at the Three Mile Island Nuclear Station. NUREG 0558, May.
USNRC, 1979b. TMI-2 Lessons Learned Task Force: Final Report. NUREG 0585, October.
USNRC, 1979c. Investigation into the March 28, 1979, Three Mile Island accident by Office of Inspection and Enforcement. NUREG 0600, August.

APPENDIX 18 OTHER EXAMPLES OF PRACTICAL USE OF THIS BOOK

A18.1 QUICK REVIEW OF THE PRELIMINARY SAFETY ANALYSIS REPORT OF A GENERATION III PRESSURIZED WATER REACTOR

A18.1.1 OBJECTIVE

It is supposed here, merely as an exercise in the application of issues dealt with in this book, that the Preliminary Safety Report (SAR or PSAR) of a pressurized water reactor (PWR, Fig. A18.1) (issue 2006, freely obtained upon request) has to be quickly reviewed in order to examine the main safety features of the plant. A few days are available for this first quick review. The issues mentioned in Chapter 8, The General Approach to the Safety of the Plant-Site Complex, of this book will be considered and discussed.

A18.1.2 PROCEDURE

A fast reading of the Report, in order to get an overall picture of the main safety features, must in any case precede the study of any specific question.

A18.1.3 THE SAFETY OBJECTIVES AND LIMITS OF RELEASE/DOSE, KEY ASPECT 1: EXTERNAL RELEASES

This issue is particularly clear and complete in the SAR. Chapter 1 (Introduction), Chapter 3 (Conceptual basis for the design of the plant), Chapter 15 (Design basis Accidents, DBAs), and Chapter 19 (Additional risk reduction measures) deal in a very complete way with the general safety approach of the plant design. The rather usual list of design basis accidents (DBAs) is examined in Chapter 15, Design basis Accidents, DBAs; the acceptance doses for the worst DBAs are 10 mSv for the effective dose and 100 mSv for the thyroid dose. These limits avoid any emergency measures for the population except, if needed, some restriction in the consumption of some locally grown food. The threshold figures for sheltering of population and for evacuation are, respectively, 10 and 50 mSv effective dose. 100 mSv to the thyroid is the threshold figure for distribution of iodide pills. Chapter 19, Additional Risk Reduction Measures, deals with some beyond DBAs, which result from DBAs plus some additional plant malfunctions [typically anticipated transients without scram (ATWS) and loss of onsite and of offsite power (LOOSP) situations] and with severe accidents (except those “practically excluded” by design). The first class of situations is named risk reduction class A (RRA). The severe accidents considered are named risk reduction class B. For the RRA accidents, the limit external consequences are the same as those of the most severe among the DBAs.

FIGURE A18.1 Generation III Pressurized Water Reactor (PWR), general arrangement.

The approach to the design of this PWR against severe accidents (risk reduction class B) is made of the following two steps:

1. “practical” exclusion of some severe accident phenomena by design;
2. containment of external consequences within those of the category 4 of the DBAs with an overall probability of less than $10^{-7}$ per year of being overcome (except for area and external events hazards).

The phenomena that were considered practically excluded by design and the main reasons for that are

• high pressure core melt and direct containment heating; the main design feature which is essential in this connection is a special primary depressurization capability;
• fast reactivity addition accidents, which can be excluded for a number of design features (e.g., prevention of control rod ejection by structural provisions, including an external missile retention device);
• hydrogen detonation, prevented by passive hydrogen catalytic recombiners and steam inerting;
• steam explosion endangering the integrity of the containment building (prevention of pouring corium into water, primary system depressurization);
• core melt with containment bypass (primary containment leak collection in surrounding buildings, filtering and discharge through tall stack, prevention of containment lower head perforation by a special refrigerated core catcher);
• fuel melting in the spent fuel decay pool.

Some words can be added on the primary depressurization system adopted. The maximum primary depressurization rate can be obtained by the opening of the three pressurizer safety-relief valves and of the additional three depressurization valves also located on the pressurizer top head; the two sets of valves have a maximum steam discharge rate of 900 t/h each at primary system design pressure. With reference to the approximate efflux formulae suggested in this book [formulae (A11.6)-(A11.8)] the equivalent flow area for each of the two sets of valves is about 92 cm², with a total of 184 cm². This opening can decrease the primary pressure from the saturation value (about 100 kg/cm²) down to the value of 20 kg/cm² (typical for prevention of direct containment heating, Table 5.1 of this book) in about 10 minutes if the depressurization is actuated 2 hours after shutdown (reasonable value of the time for vessel perforation). The diagram obtained using the PS computer program (Appendix 11) and the corresponding code input are shown in Figs. A18.2 and A18.3.

FIGURE A18.2 Primary pressure after opening of all depressurization valves. [Plot “DEPR EPR 7200-9000 s”: pressure (MPa/10), axis 0 to 120, versus time (s), axis 0 to 10,000.]

FIGURE A18.3 Input data for the PS case.

DATI DI INGRESSO:
Vp [m3]= 460    Vab [m3]= 460    DP1 [s]= 2
P [MWt]= 4500    GS [Kg/s]= 0    QS [KL/s]= 0    TU0 [s]= 7200    FL1= 0
VAT1 [m3]= 118    VAT2 [m3]= 1012    PA1 [Kg/cm2]= 40    DP2 [s]= 0,2    KA1 [KC/s]= 711
KQD= 1    TU1GS [s]= 600    TU1QS [s]= 0    TUF [s]= 9000    FL2= 0
VA1 [m3]= 0    VA2 [m3]= 0,1    PA2 [Kg/cm2]= 15    As [cm2]= 184    KA2 [KC/s]= 12
TU2GS [s]= 6000    TU2QS [s]= 0    DT [s]= 10
Labels and values whose pairing is not recoverable from the extracted figure: Mp [Kg]=, P0 [Kg/cm2]=, P1 [Kg/cm2]=, Ab [cm2]=, HA [KL/K]=, TU1=; values 306,000 100 0,1 49

In case of accidents with pressurization of the containment building, the maximum leak rate considered in accident analyses is 0.3% per day at maximum pressure (design value); the Technical Directives of the Authority mention 1% per day. Recalling what is set out in Nuclear Safety (NS), Section 14.4, there is a certain probability (as evidenced by comparison of “as found” leak test values with design values, 14.4) that in accident conditions the leak rate exceeds the design figure (indicatively, for many containment buildings, a probability of 10% for a factor 10 and a probability of 1% for a factor 100). The PWR PSAR does not include a justification of the use of the design figure of leak rate for accident studies: this point will probably be dealt with in more detail in subsequent refinements on the basis of specific experience with similar containment buildings in operation. Exhaustive statistics of the “as found” leak rates for similar containment buildings could provide a sound basis for the chosen 0.3% leak rate value. Similarly, a satisfactory study of the effect of containment environment (radiation emitting species, thermal distortions, etc.) should be referenced (USNRC, 1985). The following excerpt from this book can help clarify the problem (Section 14.4): “There is a tendency in the design phase to specify for the containment buildings a figure for the maximum admissible leakage rate which is close to that which is technically obtainable in ideal conditions, that is after having performed a complete maintenance to all the important sealing parts (valves, seals for the personnel and equipment air locks, etc.). Consequently, the values chosen for pressurized water reactor (PWR) containments are typically of 0.1%-0.2% per day. In the course of plant operation, however, as mentioned above, even if at the start the leak rate was the specified one or lower, a certain deterioration in the containment leak rate takes place and then in case of accident, probably the leak rate would be higher than that measured in the last leakage test. It is therefore very interesting to estimate a leak rate suitable for use in safety analyses, leaving unchanged the figure inserted in the technical specifications for the maximum leak rate to be demonstrated through periodical tests. 
Obviously, each containment is a particular case and the best way to establish a realistic yet conservative value of the leak rate for safety analyses would be to observe the behavior of the containment with time and the amount of the leakages measured both in the “as found” conditions (i.e., before having performed maintenance to the sealing parts) and in the “as left” conditions (i.e., after maintenance). Unfortunately, however, at the time of the design and of the initial safety analyses this experience is not available and therefore reasonable preventive estimates have to be made, which should be confirmed during the operation. It must be noted that the containments show very different behaviors: cases have happened where, only one week after a leak test and maintenance, the leak rate of some valves has become large again and not within the technical specification limit.”


Similarly, the filter retention factor of 99.9% for iodine and 99% for organic iodine for the study of accidents is significantly higher than the figures mentioned in Section 5.6 (90%-99% and 30%-99%, respectively). These last figures are taken from the USNRC Report on new Source Term (NUREG 1465) and correspond to conservative practice. Probably, there is some firm experimental basis for the assumption adopted in the SAR, too. Uncertainties in this issue stem from the presence of many chemical species and impurities in the contaminated air which passes through the filters after an accident, from the effect of humidity, from the effect of heat-generating species in filtered flow, from the presence of undetected bypass paths in the filter beds (also caused by thermal distortion of the filter frame), and so on. Of course, optimum filter design and periodical testing help in this respect. A supporting basis for the filtering efficiencies used in the PSAR should be provided (exhaustive statistics of results of “as found” filter tests? Studies on the effect of containment environment on the filter efficiency?) (USNRC, 1985). Demonstrated absence of any bypass of the secondary containment system is an essential condition, too.

A18.1.4 THE SAFETY OBJECTIVES AND LIMITS OF RELEASE/DOSE, KEY ASPECT 2: EXTERNAL DOSES

This book includes data and methods useful to perform a quick check of how the accident external releases and the consequent external doses of a given SAR compare with current practices. This exercise, with all the useful references to the PSAR and to chapters of this book, will be performed here for the PSAR under consideration. A release time of 7 days (short term) will be considered. External releases of iodine 131 and of xenon 133 will be taken into consideration, since they are the leading isotopes in this context (Appendix 4, A4.2.1); in fact, the other two isotopes mentioned in the book (cesium 137 and krypton 85) are not important for short-term doses. The PSAR gives (Chapter 15: Design basis Accidents, DBAs) the following figures:

Iodine 131: $6.1 \times 10^{-5}$% of core inventory (CI), corresponding to $2.6 \times 10^{12}$ Bq released
Xenon 133: $1.5 \times 10^{0}$% of CI, equal to $1.41 \times 10^{17}$ Bq released

The main assumptions supporting these figures are

• 100% release from core
• 0.15% of iodine released in the form of organic compounds and the balance released as molecular or cesium iodide aerosols
• plate-out and deposition of iodine in the containment, no spray
• 0.3%/day leakage from primary containment
• 0% bypass of the secondary containment
• 99.9% filter removal efficiency for molecular and aerosol iodine, 99% for organic iodine
• apparently, no effect of elevated release has been considered, probably because of the peculiar topography of the site (plant ground level below countryside).

According to the practical methods set out in Table 3.1 and related text, Section 5.6 “Source Terms” for severe accidents and Appendix 4, Dose Calculations, Section A4.2.2, the following release figures can be evaluated:


Release of Iodine 131

• Core inventory (Table 2.1): $4.72 \times 10^{18}$ Bq ($1.27 \times 10^{8}$ Ci)
• Fraction released from vessel (A4.2.2, Table 5.3), ranging from 20% to 30% (25% assumed);
• In containment: $1.18 \times 10^{18}$ Bq ($3.2 \times 10^{7}$ Ci)
• Plate-out and deposition, reduction factor of 10 (Table 3.1 and A4.2.2)
• Initially available for external release: $1.18 \times 10^{17}$ Bq ($3.2 \times 10^{6}$ Ci)
• Effect of decay in 7 days ($C = C_0 \times e^{-0.693 \times t/8}$), multiplication factor 0.775
• Available for release in the average: $9.15 \times 10^{16}$ Bq ($2.48 \times 10^{6}$ Ci)
• Fraction leaked in 7 days, without considering leak rate reduction for pressure decrease and with a conservative factor of 10 on design leak rate (Section 14.4 and A4.2.2), $0.3\% \times 7 \times 10 = 21\%$
• Leaked activity, 7 days: $1.92 \times 10^{16}$ Bq ($5.2 \times 10^{5}$ Ci)
• Filtering effect with efficiency of 90%, factor 0.9
• Released I131 activity: $1.92 \times 10^{15}$ Bq ($5.2 \times 10^{4}$ Ci)

In conclusion, an evaluation performed according to generic suggestions of this book gives a release roughly equal to 1000 times the release calculated in the SAR: this is essentially due to a factor of 100 in filter efficiency (10 instead of 1000) and to a factor of 10 in leak rate (3% instead of 0.3%). In any case, what is written at the end of the previous Section 3.3 may support a conclusion different from the one obtained using the figures listed above.

Release of Xe133

• Core inventory (Table 2.1): $9.435 \times 10^{18}$ Bq ($2.55 \times 10^{8}$ Ci)
• Fraction released from vessel (A4.2.2), 80%;
• In containment: $7.55 \times 10^{18}$ Bq ($2.04 \times 10^{8}$ Ci)
• Effect of decay in 7 days ($C = C_0 \times e^{-0.693 \times t/5.28}$), multiplication factor 0.7
• Available for release in the average: $5.3 \times 10^{18}$ Bq ($1.43 \times 10^{8}$ Ci)
• Fraction leaked in 7 days, without considering leak rate reduction for pressure decrease and with a conservative factor of 10 on design leak rate (Section 14.4 and A4.2.2), $0.3\% \times 7 \times 10 = 21\%$
• Leaked activity, 7 days: $1.1 \times 10^{18}$ Bq ($3 \times 10^{7}$ Ci)
• According to the PSAR, the leaked activity of Xe133 in 7 days is $1.41 \times 10^{17}$ Bq ($3.8 \times 10^{6}$ Ci)

As could be expected, the revision method used estimates a figure roughly 10 times the PSAR figure for the Xe133 release, which is due to the higher leak rate assumed here.

For the external doses, too, a comparison can be made between the PSAR figures and the values suggested here.


As a starting point, the PSAR I131 release will be considered ($2.6 \times 10^{12}$ Bq, 70.2 Ci). The doses at 1 km from the release point will be calculated; the procedure described in Section A4.2.2 will be followed for the calculation of I131 and Xe133 doses. For I131, the whole body effective dose (Chapter 7: Health Consequences of Releases) will be evaluated; this value will be multiplied by the organ conversion factor 20 in order to get the thyroid dose (Chapter 7: Health Consequences of Releases).

I131 doses

• I131 release: $2.6 \times 10^{12}$ Bq (70.2 Ci)
• Effective dose to adults by inhalation: $(\chi/Q) \times dbf \times grr$ (A4.2.3), where χ (s/m3) is the cloud concentration at 1 km, assumed to be $1 \times 10^{-4}$ for stable diffusion conditions and low wind velocity u, 12 m/s (see Fig. 6.11 of Chapter 6: The Dispersion of Radioactivity Releases, where χu/Q, cloud concentration at ground level for a low release point, is given), dbf is a biological dose factor, assumed to be equal to 10, and grr is the above quoted ground release expressed in Curies;
• Effective dose D due to I131 at 1 km in 7 days (rem = 1/100 Sv):
  $D = 1 \times 10^{-4} \times 10 \times 70.2 \times 1/100 = 0.7$ mSv
• Dose to the thyroid (at 1 km in 7 days):
  $D = 0.7 \times 20 = 14$ mSv

A first comparison can be made here with the thyroid dose calculated in the PSAR, which is equal to 4 mSv; considering the usual spread of results obtained by different experts in these calculations, the agreement between these two results (14 and 4 mSv) can be considered good. The following considerations can be made for the doses due to Xe133.

• Xe133 release: $1.41 \times 10^{17}$ Bq ($3.8 \times 10^{6}$ Ci)
• With reference to A4.2.3 and using the appropriate scaling factors, the following dose for 7 days release at 1 km is obtained. Xe133 effective dose (7 days, 1 km):
  $D = (1.41 \times 10^{17} / 3.29 \times 10^{15}) \times 0.3 = 12.84$ mSv

Consequently, summing the contributions of I131 and of Xe133 to the total effective dose, the following result is obtained:

• Effective dose due to I131 and Xe133 in 7 days at 1 km:
  $D_{tot} = 12.84 + 0.7 = 13.5$ mSv

This result has to be compared with the one of Fig. 1, Section 19.2 of the SAR (Effective dose in the short term, 7 days):

• Effective dose for 7 days at 1 km:
  $D_{tot} = 4$ mSv


Here again, the comparison is satisfactory: the two dose calculations, here and in the PSAR, give similar results if the same release figures are assumed.

Overall comparison of effective doses: A comparison will now be made, considering the differences both in released activities and in dose calculations. For the purpose of this comparison (rough estimate of doses calculated according to the two procedures under examination), the total effective dose can be assimilated, for a time span of 7 days, with the dose due to Xe133 and to I131; on the basis of the preceding figures, taking into account the different evaluated releases and doses, the following result is obtained:

This book: $D_{tot} = D_{I131} + D_{Xe133} = (1.92 \times 10^{15} / 2.6 \times 10^{12}) \times 0.7 + (1.1 \times 10^{18} / 1.41 \times 10^{17}) \times 12.84 = 517 + 100$ mSv $= 617$ mSv (where the contribution of I131 prevails, as in many plant cases for short term releases)

PSAR: $D_{tot} = 4$ mSv (essentially due to Xe133, which has to be noted as a remarkable and rather new achievement)

The two sets of effective doses are, thus, different by a factor of roughly 150, which is not very acceptable. The main issues, here, are containment leak rate and filter efficiency for iodine. As pointed out above, however, special care in design, testing, and accident management of filters and of containment penetrations may demonstrate the soundness of the leak rate and of the filter efficiency assumed in the PSAR: in this case, the comparison between the two calculations gives an acceptable result. Moreover, all the release calculations made here do not take into account the operation of the containment spray system: its effect is a rapid reduction in containment pressure and in leak rate; in addition, the contribution of iodine 131 to doses (where it is significant) would be strongly reduced because of iodine abatement. The highest doses calculated could well be lowered by a factor of 10 (62 mSv instead of 617 mSv). Certainly, the emergency operation guidelines will strongly support the operation of the containment spray system, in any condition where it is available and unacceptable hydrogen deinerting is not a danger (in this connection, hydrogen concentration instrumentation is very helpful).
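The release chain and dose scaling of this section can be recomputed step by step; the following Python sketch is an added example, not the book's PS program or the PSAR's calculation. All inputs are the figures quoted above, the function and parameter names are this example's own, and reading the quoted decay factors (0.775 and 0.7) as the mean of the initial and 7-day activity is an assumption of the example.

```python
"""7-day I-131 / Xe-133 release chain and dose comparison (added example).

Numeric inputs are the figures quoted in the text; function and parameter
names are this example's own, not those of the book's PS program.
"""
import math

BQ_PER_CI = 3.7e10            # 1 Ci = 3.7e10 Bq
RELEASE_DAYS = 7
DESIGN_LEAK_PER_DAY = 0.003   # 0.3 %/day, PSAR design leak rate
PSAR_TOTAL_DOSE_MSV = 4.0     # PSAR effective dose, 7 days at 1 km

# Quoted inputs: core inventory (Bq), fraction released from the vessel,
# plate-out reduction factor, averaged 7-day decay factor, half-life (days).
# Xe-133 is a noble gas: the text applies no plate-out (factor 1 here).
I131 = dict(core=4.72e18, vessel=0.25, plateout=10.0, decay=0.775, half_life=8.0)
XE133 = dict(core=9.435e18, vessel=0.80, plateout=1.0, decay=0.70, half_life=5.28)


def mean_decay_factor(half_life_days, days=RELEASE_DAYS):
    """Mean of the initial and end-of-period activity fractions.

    Assumption of this example: the text gives only the resulting factors
    (0.775 and 0.7); this reading reproduces them to within 1 %.
    """
    return (1.0 + math.exp(-0.693 * days / half_life_days)) / 2.0


def released_activity(nuclide, leak_factor, filter_efficiency):
    """Walk the release chain and return the activity (Bq) after each step."""
    steps = {}
    steps["in_containment"] = nuclide["core"] * nuclide["vessel"]
    steps["after_plateout"] = steps["in_containment"] / nuclide["plateout"]
    steps["average_available"] = steps["after_plateout"] * nuclide["decay"]
    # Leak fraction ignores the drop in leak rate as containment pressure falls.
    leak_fraction = DESIGN_LEAK_PER_DAY * RELEASE_DAYS * leak_factor
    steps["leaked"] = steps["average_available"] * leak_fraction
    steps["released"] = steps["leaked"] * (1.0 - filter_efficiency)
    return steps


def i131_effective_dose_msv(release_bq, chi_over_q=1e-4, dbf=10.0):
    """(chi/Q) x dbf x grr with grr in Ci gives rem; 1 rem = 1/100 Sv."""
    rem = chi_over_q * dbf * (release_bq / BQ_PER_CI)
    return rem / 100.0 * 1000.0


def xe133_effective_dose_msv(release_bq):
    """Scaling quoted in the text: (release / 3.29e15 Bq) x 0.3 mSv."""
    return release_bq / 3.29e15 * 0.3


def compare():
    """Reviewer assumptions versus the PSAR's leak and filter assumptions."""
    # Reviewer: 10x the design leak rate, 90 % filter efficiency for iodine.
    i_rev = released_activity(I131, leak_factor=10.0, filter_efficiency=0.90)
    # Noble gas: no filter credit; the leaked activity is the release.
    xe_rev = released_activity(XE133, leak_factor=10.0, filter_efficiency=0.0)
    # Same chain with the PSAR's design leak rate and 99.9 % filter efficiency.
    i_psar = released_activity(I131, leak_factor=1.0, filter_efficiency=0.999)
    dose_rev = (i131_effective_dose_msv(i_rev["released"])
                + xe133_effective_dose_msv(xe_rev["released"]))
    return {
        "i131_released_bq": i_rev["released"],
        "xe133_released_bq": xe_rev["released"],
        "i131_ratio_to_psar_assumptions": i_rev["released"] / i_psar["released"],
        "total_dose_msv": dose_rev,
        "dose_ratio_to_psar": dose_rev / PSAR_TOTAL_DOSE_MSV,
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name:32s} {value:.3e}")
    for nuclide in (I131, XE133):
        print("decay factor quoted / mean-of-endpoints:",
              nuclide["decay"], round(mean_decay_factor(nuclide["half_life"]), 3))
```

Carrying unrounded intermediate values gives a total of about 620 mSv rather than 617 mSv; the difference comes only from the rounding of the intermediate figures in the text.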

A18.1.5 KEY ASPECT 3: POSSIBLE NOT CONSIDERED ACCIDENTS

No accident has been considered with a relatively “high” probability of initiator event, typical of a class 4 event (e.g., fuel handling accident in the fuel building, large primary break ..., with a probability of $10^{-3}$ or $10^{-4}$ per year) and with low probability of unexpectedly high containment leakage or of low filter efficiency [e.g., a $10^{-2}$ or $10^{-3}$/demand probability for a leakage 100 times the specification value (Section 14.4 and A4.2.2) or for a filter efficiency for aerosol iodine of 90% (Section 5.6 “Source Terms” for severe accidents and Appendix 4, Dose Calculations, Section A4.2.2)]. For these accidents, a dose much higher than the specified limits could be calculated. In summary, no consideration has been given to the probability of “malfunction” of leakage limitation components and of filtering equipment: this subject is a very critical point in the evaluation of external consequences in the present European safety approach (reduced emergency actions) and should be treated in depth in the PSAR (e.g., a statement that these malfunctions have been “designed off” cannot be sufficient); similarly, putting all the burden of the proof that these malfunctions are not possible on the operating personnel is not correct without a demonstration of feasibility on the basis of a sufficient amount of past experience data.


A18.1.6 OTHER IMPORTANT CHECKS

According to Chapter 8, The General Approach to the Plant-Site Complex, the following additional points should be checked in a SAR quick review:

• reactivity coefficients
• abundance of primary water
• accident management system
• reactor pressure vessel (RPV) irradiation
• basis for “leak before break”
• diverse emergency power supplies
• backup to microprocessor-based protection system
• limit to collective occupational doses
• design review in view of reduction of occupational doses
• minimization of waste
• consideration of plant decommissioning
• absence of danger of natural destructive phenomena
• favorable population distribution
• road system

A18.1.6.1 Key Aspect 4: Reactivity Coefficients

The subject is dealt with in Chapter 4, Reactor, of the PSAR and it is apparent that the characteristics of the core completely satisfy the requirement that the power coefficient of reactivity be negative in any operating condition.

A18.1.6.2 Key Aspect 5: Abundance of Primary Water

This issue is not explicitly dealt with in the PSAR. No problem is, in any case, evident in this regard.

A18.1.6.3 Key Aspect 6: Accident Management System

In many places in the PSAR the care given by designers to possibilities of accident management is evident (e.g., containment leak mitigation after an accident).

A18.1.6.4 Key Aspect 7: Reactor Pressure Vessel Irradiation

In normal operating conditions the end of life fluence on the vessel wall is kept within the limit of $1.26 \times 10^{19}$ n/cm² (E > 1 MeV), which is very close to the target suggested in this book of $1 \times 10^{19}$ n/cm². This result has been achieved through very careful design and operating rules and has to be considered very remarkable, due to the exclusive importance of the RPV integrity for the overall safety of the plant (the importance of the RPV can be assimilated to that of the King in a chess game!).

A18.1.6.5 Key Aspect 8: Leak Before Break

The exclusion of the possibility of rupture (EPRU) is valid according to the PSAR for most of the primary piping and for the part of steam lines between steam generators and the fixed supports after the steam isolation valves. Certain conditions have to be complied with by the excluded piping (diameter >50 mm, overall service time below 2%, good design, fabrication, inspection). The “leak before break” concept is, in the SAR, considered as an additional means for preventing pipe ruptures: it is not a condition for EPRU. In this way, the problem of demonstrating the effectiveness of the provided leak detection means in any case (e.g., for steam lines and bolted closure or inspection flanges) does not exist. As usual, the exclusion of rupture is applied for the mechanical effect only (pipe whip, pressure waves, etc.). The PSAR approach implements a very welcome simplification and rationalization of safety features (fewer pipe whip restraints) in a field where operating experience shows that a well-founded basis exists for that. This attitude has to be encouraged, together with efforts for protecting the plant against more substantial threats.

A18.1.6.6 Key Aspect 9: Diverse Emergency Power Supplies

The emergency power supply is assured by four main diesel generators and by two additional last resort diversified diesels. These last generators are designed to supply energy to two auxiliary feedpumps for the steam generators, to essential ventilation systems (e.g., for the secondary containment underpressure), to control systems and to the lighting of the control room. There are two external lines: one principal line and one auxiliary line.

A18.1.6.7 Key Aspect 10: Backup to Microprocessor-Based Protection Systems

This issue is probably not explicitly dealt with in the PSAR. However, experts (Holcomb and Wood, 2006) state that “Although digital technology has been proven to be very reliable, no accepted means of characterizing or quantifying the reliability of the software element of digital systems currently exists. . . .” An ample basis of experience certainly exists for this type of digital protection system, which has not been addressed in the PSAR. It is also worth mentioning the danger of voluntary sabotage of digital protection systems (as almost happened in the Bushehr plant, Stuxnet virus, 2010).

A18.1.6.8 Key Aspect 11: Limit to Collective Occupational Doses

The target figure chosen in the PSAR is 0.35 Sv, which is well below the 1 Sv current value quoted in this book (Section 8.4).

A18.1.6.9 Key Aspect 12: Design Review in View of Reduction of Occupational Doses

No mention is made in the PSAR of any special design review for the reduction of occupational doses. This review is very likely included in the design verification process.

A18.1.6.10 Key Aspect 13: Minimization of Waste

Chapter 11, Waste, of the PSAR does not include any discussion concerning the minimization of radioactive waste of the plant; its main focus is the performance of the waste treatment systems.

A18.1.6.11 Key Aspect 14: Consideration of Plant Decommissioning

Chapter 20, Plant Decommissioning, of the PSAR deals with the decommissioning of the plant. It explicitly includes mention of the special attention given in the design process to the minimization of doses and of waste resulting from decommissioning itself.


A18.1.6.12 Key Aspect 15: Absence of Danger of Natural Destructive Phenomena

No special danger of natural destructive phenomena is mentioned in the SAR. After the Fukushima event (2010) this omission is not acceptable. In this connection, it must be remembered that destructive waves can be generated by earthquakes but also by submarine slides (Storegga, Norway, slide, Holocene, roughly 7000 years ago) and by submarine volcanic eruptions. Unfortunately, after the large wave is generated, it can propagate with destructive effects on dry lands for many hundreds of kilometers.

A18.1.6.13 Key Aspect 16: Favorable Population Distribution

This subject is exhaustively dealt with in Chapter 2, Site, of the PSAR.

A18.2 THERMAL-HYDRAULIC STUDY OF A PRESSURIZED WATER REACTOR

A18.2.1 OBJECTIVE

A wide-scope investigation has to be made on the thermal-hydraulic behavior of a PWR in case of small break events and of similar situations. It is interesting to detect, as an example, if there is a critical break size for which the consequences on core heat-up are the worst. In a case like this one, it is possible to use a regular and complete thermal-hydraulic computer code (RELAP5 or CATHARE as examples) and study a series of cases covering the field of investigation considered. As an alternative, it is possible to use a simpler and quicker code for a first investigation and to terminate the study by the use of one of the previously mentioned full-scope thermal-hydraulic codes, in order to dig into the most interesting case or cases. Here this second way is chosen and the simpler code is the PS code attached to NS. The full-scope code chosen is RELAP5/MOD3.

A18.2.2 THE PS CODE (MICROSOFT EXCEL WORK SHEET)

The PS code was initially developed in order to perform scoping studies of a (then) new idea of a Primary Circuit Depressurization System for PWRs. At that time, in the 1980s, a Primary Depressurization System was used for boiling water reactors, but not for PWRs: indeed, when initially proposed, it was received as a rather extravagant idea. It was difficult, then, to convince people to spend time and money in the study of it by full-scope computer codes: hence the need to develop a simple tool to perform scoping studies of the system and the writing of the PS code based on MS Excel. The code worked well and its results were sufficient to proceed with more professional tools and with experiments. PS represents the primary circuit as a single volume with the possibility to use various heat sources (core power, heat flow from steam generators) and sinks (breaks, cold water injection, passive accumulators, heat flow to steam generators). Fig. 1 (taken from the Mendeley website file CSPSen.xls attached to this book and there described) represents the base model used by PS (Fig. A18.4). In particular, PS offers the following possibilities:

• efflux of steam, liquid or mixture from breaks or depressurization valves; the choice can be left to the program on the basis of the liquid level in the circuit or made by the user;
• core decay power based on ANS curve with the possibility to use a multiplication factor.

FIGURE A18.4 Scheme of the basic PS model.


A18.2.3 PROCEDURE USED

In order to improve the result of the PS calculations, a process of tuning some critical code parameters is suggested here. The tuning can be made by the parallel use of a full-scope code (RELAP5/3 has been chosen) and by the consequent adjustment of the mentioned PS parameters on the basis of the comparison of the results. Of course, this tuning operation is useful if more than one transient is performed using PS.

A18.2.4 RELAP CASE AND MODEL

A 4-inch break in the cold leg of a four-loop PWR has been used. The RELAP model used has been taken from the RELAP code package where a similar model is suggested as a sample case. The reactor model is presented in Figs. A18.5 and A18.6. The nodalization used is the one offered by the RELAP code package. The input file for RELAP (RELAPSAMPLEPWR) can be downloaded from the Mendeley website.

[Figure A18.5 labels: PORV a = 8.7 cm²; SV a = 4115.5 cm²; PRZ 51 m³; Vs = 305.6 m³; PIPE a = 450 cm²; ACC 38 m³, 42 bar, 49 °C; BREAK a = 81.1 cm²; Vuh = 13.9 m³; Vup = 48.3 m³; Vco = 46.2 m³; Vlp = 26.6 m³; Vv = 135 m³; Phl = 2245 psi, T = 589 °F (582.6 K, 309.44 °C), Di = 2 ft (61 cm); Pcl = 2205 psi, T = 529.71 °F (549.5 K, 276.5 °C), Di = 2.03 ft (62 cm), G = 10154.85 lb/s (4606 kg/s); elevation marks 27.32 m, 18.37 m, 12.71 m, 8.57 m, 7.61 m, 6.65 m, 0.0.]

FIGURE A18.5 RELAP model of simplified pressurized water reactor (PWR), broken loop (the other three loops are condensed in one equivalent loop not shown here).


FIGURE A18.6 RELAP model additional data.

A18.2.5 PS CODE TUNED CASE

Comparison of the RELAP code 4-inch break case with some runs of the PS code, performed using different input figures for some key parameters, showed an acceptable agreement for the PS input shown in Fig. A18.7. The meaning of the symbols is explained in the NS book and companion downloadable files and is shown here in Fig. A18.8. The main parameters which have been adjusted in the PS input during the tuning comparison are the following:

• Main accumulator discharge coefficient [KA1 (kg/cm² s)], which has been set equal to 100;
• Decay power coefficient (KQD), which has been set equal to 1.5 in order to assure a reasonable match of the pressure versus time curve and of the mass versus time curve; the value 1.5 which it was necessary to use for KQD is rather high and is probably explained by the use of a single volume for the primary circuit in the PS code; in fact, in PS all the fluid is readily available for release from the break, while in the real primary circuit the complicated piping and component arrangement delays the efflux from the break considerably: this fact is compensated here by a rather high power coefficient KQD;
• Effective break area (Ab), set equal to 75 cm², rather close to the real flow area of 81.1 cm².

FIGURE A18.7 Input data (DATI DI INGRESSO) for the final PS case for a 4-inch break.

SYMBOLS LIST:
Ab [cm2]: area of break in primary system
As [cm2]: equivalent efflux area of the depressurization line
A1, A2: accumulators, respectively at intermediate (~40 bar) and low (~15-20 bar) pressure
DP1, DP2 [s]: variation of the pressure in single step, respectively high (~5 bar) and low (0.2-0.5 bar)
DT [s]: time increment in the generic step
ECCS: Emergency Core Cooling System
FL1, FL2: service command "flags" for the calculation of the efflux from CRS system (depressurization) and from break
G [Kg/s] or [Kg/cm2 s]: mass flow rate
GA1 [Kg/s] and GA2 [Kg/s]: efflux flow rate from accumulators A1 and A2
GE [Kg/s]: inlet flow rate in the primary system (accumulators + ECCS)
GS [Kg/s]: efflux flow rate of ECCS
GUB [Kg/s]: efflux flow rate from assumed break
GUS [Kg/s]: efflux from depressurization system (CRS)
HA [Kcal/Kg]: enthalpy of the water delivered by accumulators and by ECCS
KA1 [Kg cm2/s], KA2 [Kg cm2/s]: efflux coefficients from accumulators A1 and A2
KQD: decay power multiplier (= 1.05 for ANS curve)
Mp [Kg]: mass of water in the primary system (liquid + steam)
P [Kg/cm2]: pressure
PA1 [Kg/cm2], PA2 [Kg/cm2]: A1 and A2 accumulators pressure
CRS: Core Rescue System
VA1 [m3], VA2 [m3]: water volume in accumulators A1 and A2
VAT1 [m3], VAT2 [m3]: total volume in accumulators A1 and A2
Vab [m3]: portion of primary volume below break
Vp [m3]: primary system volume
x, x1: average steam quality in the primary system at start and end of step
TU1GS [s], TU2GS [s]: start and stop times for ECCS system
TU1QS [s], TU2QS [s]: start and stop times for the steam generator heat release or absorption
TU0 [s], TUF [s]: start and stop times of the calculated transient

FIGURE A18.8 List of symbols used in the PS code.


A18.2.6 COMPARISON OF THE CALCULATED VARIATION WITH TIME OF SOME QUANTITIES

Fig. A18.9 shows the comparison of some quantities (pressure, total mass, break flow area) obtained from RELAP and from PS, plus some PS curves (ECCS flow rate, water volume in accumulators and accumulators pressure).

[Figure A18.9 panels, case REFPWRBS1, each plotted against time [s] from 0 to 1200 s: primary pressure [10e5 Pa]; primary mass [kg]; break flow rate [kg/s]; ECCS flow rate [kg/s]; accumulator pressure [10e5 Pa]; water volume in accumulators [m3]. Curves are labelled PS and RELAP.]

FIGURE A18.9 Comparison of results.

A18.2.7 CONCLUSION

Now the systematic investigation of the results for other break sizes and locations in the primary circuit can be performed by the simple and fast PS code or by similar codes. Finally, particularly interesting cases will be repeated using the full-featured RELAP code.

A18.3 EFFECT OF AN EARTHQUAKE (FRIULI 1976) ON A REAL BUILDING

A18.3.1 OBJECTIVE

In 1976 a severe (M = 6.4 Richter) earthquake hit northern Italy and, in particular, the Friuli region. Buildings suffered extensive damage. The example dealt with here considers a specific building under construction which did not collapse, but came close to that. Only the building structures were completed at the time of the earthquake, and any architectural detail (windows and doors, other fixtures, paints, floorings) was lacking; this fact is interesting from the point of view of this study, since it allows a very clear schematization of the building, without many uncertainties, such as those introduced by the behavior and effect of structural and of nonbearing walls. This section A18.3 will describe the building and its damage; dynamic calculations will be made of the effect of the earthquake, static verifications of some critical structural members will be done and general considerations will be made on the behavior of the structure. Methods and data of Chapter 15, Earthquake Resistance, of Nuclear Safety will be used.

A18.3.2 DESCRIPTION OF THE BUILDING AND ITS DAMAGE

A view of the building as it was before the earthquake is presented in Fig. A18.10. Fig. A18.11 is a plan of the ground level floor, where structural elements are shown. The building did not collapse but was severely damaged. The resisting structure was not symmetric and important torsional effects were generated by the earthquake. The columns at the periphery were slightly damaged at the base and at the top of the ground floor by bending moments; the internal columns suffered essentially torsional and shearing effects.

A18.3.3 DYNAMIC ANALYSIS (EXPLICIT AND MATRIX TREATMENT)

The building can be modeled as built-in to the ground at elevation 0 (ground level) (Fig. A18.12). The second and third floors can be considered as a rigid block weighing 11,074,000 N (about 11,074 t); its mass is therefore 1.13e6 Ns²/m. The elasticity of the building can be concentrated entirely in the ground floor, where the walls were almost absent. The ground floor was 3.28 m high; the peripheral columns were 200 × 350 mm in section with six main rebars of 14 mm diameter and 6 mm diameter stirrups located at a distance of 200 mm from each other; the internal columns had a section of 350 × 350 mm, with four main rebars of 16 mm diameter and 6 mm stirrups placed every 240 mm. The possible equivalent springs can be modeled as shown in Fig. 13.4, where G is the barycenter of the masses (upper floors essentially) and the meaning of the other symbols is self-evident.

FIGURE A18.10 View of building before the earthquake.

FIGURE A18.11 Floor plan (ground level) and data.


FIGURE A18.12 Dynamic model.

A two degrees of freedom model will be adopted in the first place with seismic excitation along y axis and along x axis. The two coordinates chosen are yG and α (Fig. A18.13). A three degrees of freedom model will, then, be studied. The structural effect of the structural walls (essentially stair cage walls) and of the filling walls at ground floor will be evidenced.

A18.3.3.1 Two Degrees of Freedom, Excitation Along y Axis: Classical (nonmatrix) Notation

The y coordinate of the center of mass, $y_G$, and the rotation angle of the block formed by the second and third floors with respect to ground, α, are the two coordinates (degrees of freedom) chosen. The following equations express the equilibrium along the axis y and according to rotation:

$$M\,\ddot{y}_G + (k_1 + k_2)\,y_G - (k_2 b_2 + k_1 b_1)\,\alpha = M\,\ddot{y}(t)$$

$$I\,\ddot{\alpha}_G - (k_1 b_1 + k_2 b_2)\,y_G + \left(k_1 b_1^2 + k_2 b_2^2 + k_3 (b_3^2 + b_4^2 + b_5^2) + k_4 b_6^2\right)\alpha = 0 \tag{A18.1}$$

where $M\,\ddot{y}(t)$ represents the inertia force imposed by the earthquake on the system. Eq. (A18.1) forms a system of two homogeneous equations. The system (A18.1) may be written:

$$A_1\,\ddot{y}_G + A_2\,y_G + A_3\,\alpha = -M\,\ddot{y}(t)$$

$$B_1\,\ddot{\alpha}_G + B_2\,y_G + B_3\,\alpha = 0 \tag{A18.2}$$

The corresponding characteristic equation is given by (NS, 15.26):

$$\begin{vmatrix} -A_1\omega^2 + A_2 & A_3 \\ B_2 & -B_1\omega^2 + B_3 \end{vmatrix} = 0$$

$B_2 = A_3$ for the symmetry of the mass and stiffness matrices (NS, 15.21). That is,

$$A_1 B_1\,\omega^4 - (A_1 B_3 + A_2 B_1)\,\omega^2 + (A_2 B_3 - B_2 A_3) = 0 \tag{A18.3}$$


FIGURE A18.13 Dynamic model and data.

$$\omega^2 = \frac{(A_1 B_3 + A_2 B_1) \pm \sqrt{(A_1 B_3 + A_2 B_1)^2 - 4 A_1 B_1 (A_2 B_3 - B_2 A_3)}}{2 A_1 B_1}$$

which gives the two natural frequencies of vibration. The numerical determination of the two natural frequencies follows. It is here assumed that the contribution of the columns to the elastic rigidity of the structure can be neglected in comparison with the contribution of the shear walls.

$$M = 1{,}130{,}000\ \text{Ns}^2/\text{m}$$

$$I = M\,\frac{L^2 + h^2}{12} = 1{,}130{,}000 \times \frac{26^2 + 13^2}{12} = 79{,}570{,}830\ \text{Ns}^2\,\text{m}$$

$$k_1 = \frac{GA}{1.2H} = \frac{8.3 \times 10^{9} \times 26 \times 0.2}{1.2 \times 3.28} = 1.1 \times 10^{10}\ \text{N/m}$$

where G is the tangential modulus of elasticity of the reinforced concrete.

$$k_2 = \frac{8.3 \times 10^{9} \times 3 \times 0.2}{1.2 \times 3.28} = 1.27 \times 10^{9}\ \text{N/m}$$

$$k_3 = \frac{8.3 \times 10^{9} \times 5.4 \times 0.2}{1.2 \times 3.28} = 2.28 \times 10^{9}\ \text{N/m}$$

$$k_4 = \frac{8.3 \times 10^{9} \times 13 \times 0.2}{1.2 \times 3.28} = 5.5 \times 10^{9}\ \text{N/m}$$

The overall rigidity in the y direction is:

$$k_y = k_1 + k_2 = 1.1 \times 10^{10} + 1.27 \times 10^{9} = 1.23 \times 10^{10}\ \text{N/m}$$

The contribution of the columns (neglected in the following) would be

$$k_{yc} = 7\,k_p + 8\,k_{p1} + 5\,k_P$$

where

$$k_p = \frac{12\,E\,J_p}{h^3} = \frac{12 \times 2 \times 10^{10} \times 0.2 \times 0.35^3}{12 \times 3.28^3} = 4.86007 \times 10^{6}\ \text{N/m}$$

$$k_{p1} = \frac{2 \times 10^{10} \times 0.35 \times 0.2^3}{3.28^3} = 1.58696 \times 10^{6}\ \text{N/m}$$

$$k_P = \frac{2 \times 10^{10} \times 0.35 \times 0.35^3}{3.28^3} = 8.50512 \times 10^{6}\ \text{N/m}$$

therefore

$$k_{yc} = 7 \times 4.86007 \times 10^{6} + 8 \times 1.58696 \times 10^{6} + 5 \times 8.50512 \times 10^{6} = 8.92 \times 10^{7}\ \text{N/m}$$

The contribution of the columns to the overall lateral rigidity of the ground floor of the building is less than 1/30 in the y direction and of the same order-of-magnitude in the x direction; this contribution can, then, be neglected in the calculations of the building response to the earthquake.

$$A_1 = M = 1{,}130{,}000\ \text{Ns}^2/\text{m}$$

$$A_2 = k_1 + k_2 = 1.23 \times 10^{10}\ \text{N/m}$$

$$A_3 = -(k_2 b_2 + k_1 b_1) = -1.27 \times 10^{9} \times 1.25 - 1.1 \times 10^{10} \times 6.5 = -7.3 \times 10^{10}\ \text{N}$$

$$B_1 = I = 7.9571 \times 10^{7}\ \text{Ns}^2\,\text{m}$$

$$B_2 = A_3 = -7.3 \times 10^{10}\ \text{N}$$

$$B_3 = k_1 b_1^2 + k_2 b_2^2 + k_3 (b_3^2 + b_4^2 + b_5^2) + k_4 b_6^2 = \left(1.1 \times 10^{3} \times 6.5^2 + 1.27 \times 10^{2} \times 1.25^2 + 228\,(3^2 + 5.8^2 + 8.7^2) + 550 \times 13^2\right) \times 10^{7} = 1.67 \times 10^{12}\ \text{N}$$

$$(A_1 B_3 + A_2 B_1) = 1.13 \times 10^{6} \times 1.67 \times 10^{12} + 1.23 \times 10^{10} \times 7.9571 \times 10^{7} = 2.87 \times 10^{18}\ \text{N}^2\,\text{s}^2/\text{m}$$

$$-4 \cdot A_1 B_1 (A_2 B_3 - B_2 A_3) = -4 \times 1.13 \times 10^{6} \times 7.9571 \times 10^{7} \times (1.23 \times 10^{10} \times 1.67 \times 10^{12} - 7.3^2 \times 10^{20}) = -4 \times 8.99 \times 10^{13} \times 1.27 \times 10^{21}\ \text{N}^4\,\text{s}^4/\text{m}^2 = -5.47 \times 10^{36}\ \text{N}^4\,\text{s}^4/\text{m}^2$$

$$2 \cdot A_1 B_1 = 2 \times 1.13 \times 10^{6} \times 7.9571 \times 10^{7} = 1.798 \times 10^{14}\ \text{N}^2\,\text{s}^4/\text{m}$$

$$\omega^2 = \frac{2.87 \times 10^{18} \pm \sqrt{(2.87 \times 10^{18})^2 - 5.47 \times 10^{36}}}{1.798 \times 10^{14}} = \frac{2.87 \times 10^{18} \pm 1.66 \times 10^{18}}{1.798 \times 10^{14}} = 6730\ \text{and}\ 25195\ /\text{s}^2$$

$$\omega_1 = 82\ /\text{s}; \quad f_1 = 13\ /\text{s}; \quad T_1 = 0.08\ \text{s}$$

$$\omega_2 = 159\ /\text{s}; \quad f_2 = 25\ /\text{s}; \quad T_2 = 0.04\ \text{s}$$

The two corresponding vibration modes can be obtained by Eq. (A18.1) in correspondence with each value of the natural circular frequencies of vibration (NS, 15.28).

$$\frac{\Psi^1_\alpha}{\Psi^1_{y_G}} = \frac{-M\omega_1^2 + (k_1 + k_2)}{k_2 b_2 + k_1 b_1} = \frac{-1{,}130{,}000 \times 6730 + 1.23 \times 10^{10}}{7.3 \times 10^{10}} = \frac{4.7 \times 10^{9}}{7.3 \times 10^{10}} = 0.064\ \text{rad/m} = 6.4 \times 10^{-5}\ \text{rad/mm}$$

$$\frac{\Psi^2_\alpha}{\Psi^2_{y_G}} = \frac{-M\omega_2^2 + (k_1 + k_2)}{k_2 b_2 + k_1 b_1} = \frac{-1{,}130{,}000 \times 25195 + 1.23 \times 10^{10}}{7.3 \times 10^{10}} = -0.22\ \text{rad/m} = -2.2 \times 10^{-4}\ \text{rad/mm} \tag{A18.4}$$

The modal participation factors (NS, 15.41) can also be calculated on the basis of the vibration modes. As explained in Nuclear Safety, the modal participation factors ($P_n$) physically represent the measure of how much the base acceleration is capable of putting the structure in vibration according to the same mode:

$$P_n = \frac{\sum m_i \Psi^n_i}{\sum m_i \left(\Psi^n_i\right)^2}$$

$$P_1 = \frac{M\,\Psi^1_{y_G}}{M \left(\Psi^1_{y_G}\right)^2 + I \left(\Psi^1_\alpha\right)^2} = \frac{1{,}130{,}000 \times 1}{1{,}130{,}000 \times 1 + 7.9571 \times 10^{7} \times 0.064^2} = 0.78$$

$$P_2 = \frac{M\,\Psi^2_{y_G}}{M \left(\Psi^2_{y_G}\right)^2 + I \left(\Psi^2_\alpha\right)^2} = \frac{1{,}130{,}000 \times 1}{1{,}130{,}000 \times 1 + 7.9571 \times 10^{7} \times 0.22^2} = 0.23 \tag{A18.5}$$

Fig. A18.14 shows the two mode shapes. The maximum values of the coordinates $y_G$ and α are then obtained by the expressions (NS, 15.46)

$$Y_{G1} = 1 \times P_1 \times S_{1d} \qquad \alpha_1 = \frac{\Psi^1_\alpha}{\Psi^1_{y_G}} \times P_1 \times S_{1d}$$

$$Y_{G2} = 1 \times P_2 \times S_{2d} \qquad \alpha_2 = \frac{\Psi^2_\alpha}{\Psi^2_{y_G}} \times P_2 \times S_{2d}$$

$S_{1d}$ and $S_{2d}$ are the maximum ground displacements for the two modes read on the earthquake spectrum in correspondence to the two mode frequencies, 13 and 25 Hz. For the Newmark ’73 spectrum (NS, Fig. 15.6) and for a maximum acceleration of 0.5 g (here assumed to correspond to the site of the building in the Friuli ’76 earthquake):

$$S_{1d} = 0.07\ \text{inch} / 39.4\ \text{inch/m} = 0.00178\ \text{m} = 1.78\ \text{mm}$$

$$S_{2d} = 0.02\ \text{inch} / 39.4\ \text{inch/m} = 0.00051\ \text{m} = 0.51\ \text{mm}$$

$$Y_{G1} = 1 \times 0.78 \times 1.78 = 1.39\ \text{mm}$$

$$\alpha_1 = 6.4 \times 10^{-5} \times 0.78 \times 1.78 = 9 \times 10^{-5}\ \text{rad}$$

$$Y_{G2} = 1 \times 0.23 \times 0.51 = 0.12\ \text{mm}$$

$$\alpha_2 = -2.2 \times 10^{-4} \times 0.23 \times 0.51 = -2.6 \times 10^{-5}\ \text{rad} \tag{A18.6}$$

FIGURE A18.14 Vibration modes for Y excitation. [Panels: First mode (T1 = 0.08 s); Second mode (T2 = 0.04 s).]

Table A18.1 summarizes the above listed results.


Table A18.1 Summary of Calculation Results for y Excitation

| | ΨyG | Ψα | YG (mm) | α (rad) | F (Hz) | Sd (mm) |
|---|---|---|---|---|---|---|
| First mode | 1 | 0.064 | 1.39 | 9 × 10⁻⁵ | 13 | 1.78 |
| Second mode | 1 | −0.22 | 0.12 | −2.6 × 10⁻⁵ | 25 | 0.51 |

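A18.3.3.2 Two Degrees of Freedom, Excitation Along x Axis: Matrix Notation

This case will be calculated using the matrix notation only. The equilibrium equations are

$$M\,\ddot{x}_G + (3k_3 + k_4)\,x_G - \left[(b_3 + b_4 + b_5)\,k_3 + b_6 k_4\right]\alpha = 0$$

$$I\,\ddot{\alpha}_G - \left[k_3 (b_3 + b_4 + b_5) + k_4 b_6\right] x_G + \left(k_1 b_1^2 + k_2 b_2^2 + k_3 b_3^2 + k_3 b_4^2 + k_3 b_5^2 + k_4 b_6^2\right)\alpha = 0$$

The eigenvalues and eigenvectors of this system are given, in a widely used mathematical program, Mathcad, by the two operators genvals and genvecs

$$\text{genvals}\left[\begin{pmatrix} 1.23 \times 10^{10} & -1.11 \times 10^{11} \\ -1.11 \times 10^{11} & 1.67 \times 10^{12} \end{pmatrix}, \begin{pmatrix} 1.13 \times 10^{6} & 0 \\ 0 & 7.9571 \times 10^{7} \end{pmatrix}\right] = \begin{pmatrix} 2.869 \times 10^{4} \\ 3.187 \times 10^{3} \end{pmatrix}$$

$$\text{genvecs}\left[\begin{pmatrix} 1.23 \times 10^{10} & -1.11 \times 10^{11} \\ -1.11 \times 10^{11} & 1.67 \times 10^{12} \end{pmatrix}, \begin{pmatrix} 1.13 \times 10^{6} & 0 \\ 0 & 7.9571 \times 10^{7} \end{pmatrix}\right] = \begin{pmatrix} 0.984 & -0.997 \\ -0.178 & -0.078 \end{pmatrix}$$

$$\omega^2 = 3187\ \text{and}\ 28690\ /\text{s}^2$$

$$\omega_1 = 56.45\ /\text{s}; \quad f_1 = 9\ /\text{s}; \quad T_1 = 0.11\ \text{s}$$

$$\omega_2 = 169\ /\text{s}; \quad f_2 = 13\ /\text{s}; \quad T_2 = 0.08\ \text{s}$$

$$\frac{\Psi^1_\alpha}{\Psi^1_{x_G}} = \frac{-M\omega_1^2 + (3k_3 + k_4)}{k_3 (b_3 + b_4 + b_5) + k_4 b_6} = \frac{-1{,}130{,}000 \times 3187 + 1.23 \times 10^{10}}{1.11 \times 10^{11}} = \frac{8.7 \times 10^{9}}{1.11 \times 10^{11}} = 0.08\ \text{rad/m} = 8 \times 10^{-5}\ \text{rad/mm}$$

$$\frac{\Psi^2_\alpha}{\Psi^2_{x_G}} = \frac{-M\omega_2^2 + (3k_3 + k_4)}{k_3 (b_3 + b_4 + b_5) + k_4 b_6} = \frac{-1{,}130{,}000 \times 28{,}690 + 1.23 \times 10^{10}}{1.11 \times 10^{11}} = -0.18\ \text{rad/m} = -1.8 \times 10^{-4}\ \text{rad/mm} \tag{A18.7}$$

The modal participation factors (NS, 15.41) can also be calculated as above.

$$P_n = \frac{\sum m_i \Psi^n_i}{\sum m_i \left(\Psi^n_i\right)^2}$$

$$P_1 = \frac{M\,\Psi^1_{x_G}}{M \left(\Psi^1_{x_G}\right)^2 + I \left(\Psi^1_\alpha\right)^2} = \frac{1{,}130{,}000 \times 1}{1{,}130{,}000 \times 1 + 7.9571 \times 10^{7} \times 0.08^2} = 0.69$$

$$P_2 = \frac{M\,\Psi^2_{x_G}}{M \left(\Psi^2_{x_G}\right)^2 + I \left(\Psi^2_\alpha\right)^2} = \frac{1{,}130{,}000 \times 1}{1{,}130{,}000 \times 1 + 7.9571 \times 10^{7} \times 0.18^2} = 0.3 \tag{A18.8}$$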

The two mode shapes are similar to those pertaining to the y excitation, with the displacement of the center of gravity in the x direction.


Table A18.2 Summary of Calculation Results for x Excitation

| | ΨxG | Ψα | α (rad) | xG (mm) | F (Hz) | Sd (mm) |
|---|---|---|---|---|---|---|
| First mode | 1 | 0.08 | 1.38 × 10⁻⁴ | 1.725 | 9 | 2.5 |
| Second mode | 1 | −0.18 | −7 × 10⁻⁵ | 0.39 | 13 | 1.3 |

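The maximum values of the coordinates $x_G$ and α are then obtained by the expressions (NS, 15.46)

$$X_{G1} = 1 \times P_1 \times S_{1d} \qquad \alpha_1 = \frac{\Psi^1_\alpha}{\Psi^1_{x_G}} \times P_1 \times S_{1d}$$

$$X_{G2} = 1 \times P_2 \times S_{2d} \qquad \alpha_2 = \frac{\Psi^2_\alpha}{\Psi^2_{x_G}} \times P_2 \times S_{2d}$$

$S_{1d}$ and $S_{2d}$ are the maximum ground displacements for the two modes read on the earthquake spectrum in correspondence to the two mode frequencies, 9 and 13 Hz. For the Newmark ’73 spectrum (NS, Fig. 15.6) and for a maximum acceleration of 0.5 g:

$$S_{1d} = 0.1\ \text{inch} / 39.4\ \text{inch/m} = 0.0025\ \text{m} = 2.5\ \text{mm}$$

$$S_{2d} = 0.05\ \text{inch} / 39.4\ \text{inch/m} = 0.0013\ \text{m} = 1.3\ \text{mm}$$

$$X_{G1} = 1 \times 0.69 \times 2.5 = 1.725\ \text{mm}$$

$$\alpha_1 = 8 \times 10^{-5} \times 0.69 \times 2.5 = 1.38 \times 10^{-4}\ \text{rad}$$

$$X_{G2} = 1 \times 0.3 \times 1.3 = 0.39\ \text{mm}$$

$$\alpha_2 = -1.8 \times 10^{-4} \times 0.3 \times 1.3 = -7 \times 10^{-5}\ \text{rad} \tag{A18.9}$$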

Table A18.2 summarizes the above listed results.

A18.3.3.3 Static Analysis of Some Elements

The various columns are, more or less, in the same situation if they have the same dimensions. Let us choose one of the rectangular (200 × 350 mm) columns: as an example, the column at the northwest corner of the building. Fig. A18.15 indicates the deformed shape and symbols used.

FIGURE A18.15 Generic column. [Labels: Dx or Dy, T, H, M.]

The displacements of the top of the column with reference to ground are related to the horizontal forces, $T_x$ and $T_y$, at the top by

$$D_x = \frac{T_x h^3}{12\,E\,J_y} \qquad J_y = 0.200 \times 0.350^3 / 12 = 7.15 \times 10^{-4}\ \text{m}^4$$

$$D_y = \frac{T_y h^3}{12\,E\,J_x} \qquad J_x = 350 \times 200^3 / 12 = 2.33 \times 10^{-4}\ \text{m}^4$$

The corresponding bending moments are

$$M_y = T_x \times h/2 \qquad M_x = T_y \times h/2$$

Applying the square root average (NS, 15.48) to the previous results (y and x excitations)

$$D_x^{\text{ecc}x} = \sqrt{(1.725 + 1.38 \times 10^{-4} \times 13{,}000)^2 + (0.39 - 7 \times 10^{-5} \times 13{,}000)^2} = 3.56\ \text{mm}$$

$$D_x^{\text{ecc}y} = \sqrt{(9 \times 10^{-5} \times 13{,}000)^2 + (-2.6 \times 10^{-5} \times 13{,}000)^2} = 1.22\ \text{mm}$$

$$D_x = \sqrt{3.56^2 + 1.22^2} = 3.76\ \text{mm}$$

$$D_y^{\text{ecc}x} = \sqrt{(1.38 \times 10^{-4} \times 6500)^2 + (-7 \times 10^{-5} \times 6500)^2} = 1\ \text{mm}$$

$$D_y^{\text{ecc}y} = \sqrt{(1.39 + 9 \times 10^{-5} \times 6500)^2 + (0.12 - 2.6 \times 10^{-5} \times 6500)^2} = 1.98\ \text{mm}$$

$$D_y = \sqrt{1.98^2 + 1^2} = 2.22\ \text{mm}$$

$$T_y = 12 \times 2 \times 10^{10} \times 2.33 \times 10^{-4} \times 2.22 \times 10^{-3} / 3.28^3 = 3518\ \text{N}$$

$$T_x = 12 \times 2 \times 10^{10} \times 7.15 \times 10^{-4} \times 3.76 \times 10^{-3} / 3.28^3 = 18285\ \text{N}$$

$$T_{tot} = \sqrt{3518^2 + 18285^2} = 18{,}620\ \text{N}$$

$$M_x = 3518 \times 3.28 / 2 = 5770\ \text{Nm}$$

$$M_y = 18.285 \times 10^{3} \times 3.28 / 2 = 29{,}987\ \text{Nm}$$

The normal (gravity) force taken by the column can be estimated by dividing the weight of the two upper floors by the total bearing surface area of the columns plus structural walls (or columns and walls, structural and filling walls, of the ground floor) and multiplying this value by the column transverse (bearing) area:

$$P = M \times g = 1.13 \times 10^{6} \times 9.8 = 1.11 \times 10^{7}\ \text{N}$$

$$A_{tot} = A_{\text{columns and struct. walls}} + A_{\text{filling walls}} = 15 \times 0.07 + 5 \times 0.1225 + 0.3 \times (3 \times (6.5 - 1.25) + 5.8 - 3)\,(+\,39 \times 0.2) = 1.6625 + 2.415\,(+\,7.8) = 4.08\,(+\,7.8) = \text{from } 4.08 \text{ to } 11.88\ \text{m}^2$$

The bearing area can then vary by a factor of about 3 according to the degree of participation of the nonstructural walls. Consequently, the average vertical (weight) force is

$$P_a = 1.11 \times 10^{7} / (4.08 \text{ to } 11.88) = \text{from } 9.34 \times 10^{5} \text{ to } 2.72 \times 10^{6}\ \text{N/m}^2$$

For the column in consideration here, the vertical force applied is

$$F_n = 9.34 \times 10^{5} \times 0.07 \text{ to } 2.72 \times 10^{6} \times 0.07 = 6.54 \times 10^{4} \text{ to } 1.9 \times 10^{5}\ \text{N}$$

A simple check of the influence of the horizontal acceleration on the upper two floors on the vertical forces on columns and walls would show that this influence is negligible in comparison with the compression due to simple weight. On the contrary, the presence of a vertical component of the ground motion is responsible for a significant increase or decrease of this vertical force. If we assume (NS, 15.2) that the vertical ground acceleration is 2/3 g = 2/3 × 0.5 g = 0.33 g, the spread in $F_n$ becomes (assuming no spectral amplification)

$$F_n = 4.38 \times 10^{4} \text{ to } 2.53 \times 10^{5}\ \text{N}$$

For reinforced concrete columns under pressure-bending loads a high value of the vertical compression force is usually beneficial as it reduces the load eccentricity and the amount of the cracked section area. In conclusion, the column section has to be verified under the following loads:

$$F_n = 4.38 \times 10^{4} \text{ to } 2.53 \times 10^{5}\ \text{N} \qquad M_x = 5770\ \text{Nm} \qquad M_y = 29987\ \text{Nm}$$


FIGURE A18.16 Loads and stresses.

The corresponding eccentricities of the equivalent load are

$$e_x = M_y / F_n = 0.12 \text{ to } 0.68\ \text{m, to be compared with } e_{\max,x} = 0.35/6 = 0.06\ \text{m}$$

$$e_y = M_x / F_n = 0.023 \text{ to } 0.13\ \text{m, to be compared with } e_{\max,y} = 0.2/6 = 0.033\ \text{m}$$

$e_{\max,x}$ and $e_{\max,y}$ indicate the maximum eccentricity for which the section is completely compressed (no cracked portion). The section, therefore, is partially in tension. The stresses (ACI 99 Code) are the following:

• Maximum tension stress in rebars: 113 N/mm²
• Maximum compression stress in concrete: 33 N/mm² (330 kg/cm²)

Figs. A18.16 and A18.17 show the section properties, loads, and stresses. The two cases with high and low normal force have been run: some difference in stresses results. In conclusion, no column failure is justified by these results, in accordance with the postevent observations.

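FIGURE A18.17 Loads and stresses.

A18.3.3.4 Three Degrees of Freedom, Nonstructural Walls Considered, Matrix Notation

$$M\,\ddot{x}_G + (3k_3 + k_4)\,x_G - \left(k_3 (b_3 + b_4 + b_5) + k_4 b_6\right)\alpha = 0$$

$$M\,\ddot{y}_G + (k_1 + k_2)\,y_G - (k_2 b_2 + k_1 b_1)\,\alpha = -M\,\ddot{y}(t)$$

$$I\,\ddot{\alpha}_G - \left(k_3 (b_3 + b_4 + b_5) + k_4 b_6\right) x_G - (k_1 b_1 + k_2 b_2)\,y_G + \left(k_1 b_1^2 + k_2 b_2^2 + k_3 (b_3^2 + b_4^2 + b_5^2) + k_4 b_6^2\right)\alpha = 0$$

$$M = A_1 = B_2 = 1.13\text{e}6\ \text{Ns}^2/\text{m}$$

$$3k_3 + k_4 = A_4 = 1.234\text{e}10\ \text{N/m}$$

$$-\left(k_3 (b_3 + b_4 + b_5) + k_4 b_6\right) = A_6 = C_4 = -1.11\text{e}11\ \text{N}$$

$$k_1 + k_2 = B_5 = 1.23\text{e}10\ \text{N/m}$$

$$-(k_2 b_2 + k_1 b_1) = B_6 = C_5 = -7.3\text{e}10\ \text{N}$$

$$I = C_3 = 7.9571\text{e}7\ \text{Ns}^2\,\text{m}$$

$$k_1 b_1^2 + k_2 b_2^2 + k_3 (b_3^2 + b_4^2 + b_5^2) + k_4 b_6^2 = C_6 = 1.67\text{e}12\ \text{Nm}$$

The characteristic determinant of this system of homogeneous equations is

$$\begin{vmatrix} -A_1\omega^2 + A_4 & 0 & A_6 \\ 0 & -B_2\omega^2 + B_5 & B_6 \\ C_4 & C_5 & -C_3\omega^2 + C_6 \end{vmatrix} = 0$$

$$\begin{vmatrix} -1.13\text{e}6\,\omega^2 + 1.234\text{e}10 & 0 & -1.11\text{e}11 \\ 0 & -1.13\text{e}6\,\omega^2 + 1.23\text{e}10 & -7.3\text{e}10 \\ -1.11\text{e}11 & -7.3\text{e}10 & -7.9571\text{e}7\,\omega^2 + 1.67\text{e}12 \end{vmatrix} = 0 \tag{A18.10}$$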

548

APPENDIX 18 OTHER EXAMPLES OF PRACTICAL USE OF THIS BOOK



ð2 1:13e6ω2 1 1:234e10Þ ð2 1:13e6ω2 1 1:23e10Þð2 7:9571e7ω2 1 1:67e12Þ 2 ð7:3e10Þ2 2 1:11e11 1:11e11ð2 1:13e6ω2 1 1:23e10Þ 5 0

which is equivalent to ω6 2 4:279285545e4ω4 1 2:613439347e8ω2 2 3:49859741e11 5 0

The calculation of the roots of this equation follows (by a mathematics program, although an explicit solution is available for third degree equations) 0 B B v5B @

1 23:49859741 3 1011 2:613439347 3 108 C C C 24:279285545 3 104 A

1 0 1 1:909 3 103 B C PolyrootsðvÞ 5 @ 5:127 3 103 A 3:576 3 104

[Figure: Roots of the characteristic equation. Equation value plotted against omega square; roots: 1909, 5127, 35760 s⁻².]

The method used above for the 2 degrees of freedom model is also used with the following results for natural frequencies and modes. The results concerning frequencies are considered (for the precision needed here) close to the values calculated above and so the last results for frequencies and modes can be used (see also Table A18.3).

Table A18.3 Frequencies and Modes (3 Degrees of Freedom)

| | ω² (per s²) | Ψ_xG | Ψ_yG (m) | α (rad/m) |
|---|---|---|---|---|
| Mode 1 | 1059 | 1 | 0.66 | 0.1 |
| Mode 2 | 10900 | 1 | −1.52 | 2.5 × 10⁻⁴ |
| Mode 3 | 30840 | 1 | 0.66 | −0.2 |

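$$\text{genvals}\left[\begin{pmatrix} 1.234 \times 10^{10} & 0 & -1.11 \times 10^{11} \\ 0 & 1.23 \times 10^{10} & -7.3 \times 10^{10} \\ -1.11 \times 10^{11} & -7.3 \times 10^{10} & 1.67 \times 10^{12} \end{pmatrix}, \begin{pmatrix} 1.13 \times 10^{6} & 0 & 0 \\ 0 & 1.13 \times 10^{6} & 0 \\ 0 & 0 & 7.9571 \times 10^{7} \end{pmatrix}\right] = \begin{pmatrix} 3.084 \times 10^{4} \\ 1.059 \times 10^{3} \\ 1.09 \times 10^{4} \end{pmatrix}$$

$$\text{genvecs}\left[\begin{pmatrix} 1.234 \times 10^{10} & 0 & -1.11 \times 10^{11} \\ 0 & 1.23 \times 10^{10} & -7.3 \times 10^{10} \\ -1.11 \times 10^{11} & -7.3 \times 10^{10} & 1.67 \times 10^{12} \end{pmatrix}, \begin{pmatrix} 1.13 \times 10^{6} & 0 & 0 \\ 0 & 1.13 \times 10^{6} & 0 \\ 0 & 0 & 7.9571 \times 10^{7} \end{pmatrix}\right] = \begin{pmatrix} 0.824 & -0.832 & -0.55 \\ 0.541 & -0.549 & 0.835 \\ -0.167 & -0.083 & -1.383 \times 10^{-4} \end{pmatrix}$$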
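As an independent cross-check of the frequencies and modes in Table A18.3, the added example below (not part of the book) solves the generalized eigenproblem K ψ = ω² M ψ for the mass and stiffness terms listed in this section, using a pure-Python Jacobi iteration, and scales each mode to Ψx = 1. The function names `jacobi_eigen`, `modes` and `residual` belong to this example only.

```python
import math

# Mass and stiffness terms as listed in the text (SI units).
M = 1.13e6        # translational mass, N s^2/m
I = 7.9571e7      # rotational inertia, N s^2 m
K = [[1.234e10, 0.0, -1.11e11],
     [0.0, 1.23e10, -7.3e10],
     [-1.11e11, -7.3e10, 1.67e12]]
MASS = [M, M, I]  # diagonal of the mass matrix for (x_G, y_G, alpha)


def jacobi_eigen(a, sweeps=50, tol=1e-14):
    """Eigenvalues and eigenvectors (columns) of a small symmetric matrix
    by cyclic Jacobi rotations."""
    n = len(a)
    a = [row[:] for row in a]
    v = [[float(i == j) for j in range(n)] for i in range(n)]
    for _ in range(sweeps):
        off = math.sqrt(sum(a[i][j] ** 2
                            for i in range(n) for j in range(n) if i != j))
        diag = math.sqrt(sum(a[i][i] ** 2 for i in range(n)))
        if off <= tol * diag:
            break
        for p in range(n - 1):
            for q in range(p + 1, n):
                if a[p][q] == 0.0:
                    continue
                theta = (a[q][q] - a[p][p]) / (2.0 * a[p][q])
                t = math.copysign(1.0, theta) / (abs(theta) + math.hypot(theta, 1.0))
                c = 1.0 / math.hypot(t, 1.0)
                s = t * c
                for k in range(n):   # A <- A J (columns p and q)
                    akp, akq = a[k][p], a[k][q]
                    a[k][p], a[k][q] = c * akp - s * akq, s * akp + c * akq
                for k in range(n):   # A <- J^T A (rows p and q)
                    apk, aqk = a[p][k], a[q][k]
                    a[p][k], a[q][k] = c * apk - s * aqk, s * apk + c * aqk
                for k in range(n):   # accumulate eigenvectors: V <- V J
                    vkp, vkq = v[k][p], v[k][q]
                    v[k][p], v[k][q] = c * vkp - s * vkq, s * vkp + c * vkq
    return [a[i][i] for i in range(n)], v


def modes(k=K, mass=MASS):
    """Return [(omega^2, [psi_x, psi_y, alpha]), ...] sorted by omega^2,
    with every mode scaled so that psi_x = 1."""
    n = len(mass)
    r = [math.sqrt(m) for m in mass]
    # Mass-normalised symmetric matrix M^(-1/2) K M^(-1/2).
    a = [[k[i][j] / (r[i] * r[j]) for j in range(n)] for i in range(n)]
    vals, vecs = jacobi_eigen(a)
    out = []
    for j in range(n):
        psi = [vecs[i][j] / r[i] for i in range(n)]   # back to physical coordinates
        out.append((vals[j], [x / psi[0] for x in psi]))
    return sorted(out)


def residual(omega2, psi, k=K, mass=MASS):
    """Largest |(K - omega^2 M) psi| entry relative to the largest |K_ij psi_j| term."""
    n = len(mass)
    rows = [sum(k[i][j] * psi[j] for j in range(n)) - omega2 * mass[i] * psi[i]
            for i in range(n)]
    scale = max(abs(k[i][j] * psi[j]) for i in range(n) for j in range(n))
    return max(abs(x) for x in rows) / scale


if __name__ == "__main__":
    for w2, psi in modes():
        f = math.sqrt(w2) / (2 * math.pi)
        print(f"omega^2={w2:9.1f} 1/s^2  f={f:5.2f} Hz  psi_y={psi[1]:+.3f}  "
              f"alpha={psi[2]:+.3e}  residual={residual(w2, psi):.1e}")
```

The residual of (K − ω²M)ψ is the quantity to inspect when double checking a result: it stays at rounding level only if both the frequency and the mode shape are right.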

It is useful to remember that in these frequency and modes calculations, trivial mistakes are frequent due to the high computational precision required (instability/bifurcation situations are common); it is therefore recommended that each result obtained, either by hand calculations or by suitable computer programs, be completely and carefully double checked. Table A18.3 gives a summary of these results (mode coordinates are normalized to $X_G = 1$). The complete set of frequencies, natural periods, and spectral displacements is given in Table A18.4.

The participation factors for excitation along the y direction are

$$P_n = \Sigma m_i \Psi_{ni} / \Sigma m_i \Psi_{ni}^2 \tag{A18.11}$$

$$P_{1y} = M\Psi_{1yg} / \left(M\Psi_{1xg}^2 + M\Psi_{1yg}^2 + I\Psi_{1\alpha}^2\right) = 1{,}130{,}000 \times 0.66 / \left(1{,}130{,}000 \times 1 + 1{,}130{,}000 \times 0.66^2 + 7.9571 \times 10^{7} \times 0.1^2\right) = 0.25$$

$$P_{2y} = M\Psi_{2yg} / \left(M\Psi_{2xg}^2 + M\Psi_{2yg}^2 + I\Psi_{2\alpha}^2\right) = 1{,}130{,}000 \times (-1.52) / \left(1{,}130{,}000 \times 1 + 1{,}130{,}000 \times 1.52^2 + 7.9571 \times 10^{7} \times 2.5 \times 10^{-8}\right) = -0.46$$

$$P_{3y} = M\Psi_{3yg} / \left(M\Psi_{3xg}^2 + M\Psi_{3yg}^2 + I\Psi_{3\alpha}^2\right) = 1{,}130{,}000 \times 0.66 / \left(1{,}130{,}000 \times 1 + 1{,}130{,}000 \times 0.66^2 + 7.9571 \times 10^{7} \times 0.04\right) = 0.46$$

Table A18.4 Natural Frequencies, Periods, and Spectral Displacements

| | ω² (per s²) | ω (per second) | f (per second) | T (seconds) | Sd (mm) |
|---|---|---|---|---|---|
| Mode 1 | 1059 | 35 | 5.6 | 0.18 | 6.35 |
| Mode 2 | 10900 | 104 | 16.6 | 0.06 | 0.762 |
| Mode 3 | 30840 | 176 | 28 | 0.036 | 0.127 |


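Similarly, for excitation along x

$$P_{1x} = M\Psi_{1xg} / \left(M\Psi_{1xg}^2 + M\Psi_{1yg}^2 + I\Psi_{1\alpha}^2\right) = 1{,}130{,}000 \times 1 / \left(1{,}130{,}000 \times 1 + 1{,}130{,}000 \times 0.66^2 + 7.9571 \times 10^{7} \times 0.1^2\right) = 0.47$$

$$P_{2x} = M\Psi_{2xg} / \left(M\Psi_{2xg}^2 + M\Psi_{2yg}^2 + I\Psi_{2\alpha}^2\right) = 1{,}130{,}000 \times 1 / \left(1{,}130{,}000 \times 1 + 1{,}130{,}000 \times 1.52^2 + 7.9571 \times 10^{7} \times (2.5 \times 10^{-4})^2\right) = 0.3$$

$$P_{3x} = M\Psi_{3xg} / \left(M\Psi_{3xg}^2 + M\Psi_{3yg}^2 + I\Psi_{3\alpha}^2\right) = 1{,}130{,}000 \times 1 / \left(1{,}130{,}000 \times 1 + 1{,}130{,}000 \times 0.66^2 + 7.9571 \times 10^{7} \times (-0.2)^2\right) = 0.24$$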

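The corresponding displacements of the center of mass and the rotation are

For excitation along y

$$X_{G1} = 1 \times P_{1y} \times S_{1d}, \qquad Y_{G1} = \frac{\Psi_{1yg}}{\Psi_{1xg}} P_{1y} S_{1d}, \qquad \alpha_1 = \frac{\Psi_{1\alpha}}{\Psi_{1xg}} \times P_{1y} \times S_{1d}$$

$$X_{G2} = 1 \times P_{2y} \times S_{2d}, \qquad Y_{G2} = \frac{\Psi_{2yg}}{\Psi_{2xg}} P_{2y} S_{2d}, \qquad \alpha_2 = \frac{\Psi_{2\alpha}}{\Psi_{2xg}} \times P_{2y} \times S_{2d}$$

$$X_{G3} = 1 \times P_{3y} \times S_{3d}, \qquad Y_{G3} = \frac{\Psi_{3yg}}{\Psi_{3xg}} P_{3y} S_{3d}, \qquad \alpha_3 = \frac{\Psi_{3\alpha}}{\Psi_{3xg}} \times P_{3y} \times S_{3d}$$

$$X_{G1} = 1 \times P_{1y} \times S_{1d} = 0.25 \times 6.35 = 1.59\ \text{mm}$$

$$Y_{G1} = \frac{\Psi_{1yg}}{\Psi_{1xg}} P_{1y} S_{1d} = 0.66 \times 0.25 \times 6.35 = 1.05\ \text{mm}$$

$$\alpha_1 = \frac{\Psi_{1\alpha}}{\Psi_{1xg}} \times P_{1y} \times S_{1d} = 0.1 \times 0.66 \times 6.35 \times 10^{-3} = 4.19 \times 10^{-4}\ \text{rad}$$

$$X_{G2} = 1 \times P_{2y} \times S_{2d} = -0.46 \times 0.762 = -35\ \text{mm}$$

$$Y_{G2} = \frac{\Psi_{2yg}}{\Psi_{2xg}} P_{2y} S_{2d} = 1.52 \times 0.46 \times 0.762 = 0.53$$

$$\alpha_2 = \frac{\Psi_{2\alpha}}{\Psi_{2xg}} \times P_{2y} \times S_{2d} = -0.00025 \times 0.46 \times 0.000762 = -8.8 \times 10^{-8}\ \text{rad}$$

$$X_{G3} = 1 \times P_{3y} \times S_{3d} = 0.46 \times 0.127 = 0.058\ \text{mm}$$

$$Y_{G3} = \frac{\Psi_{3yg}}{\Psi_{3xg}} P_{3y} S_{3d} = 0.66 \times 0.46 \times 0.127 = 0.038$$

$$\alpha_3 = \frac{\Psi_{3\alpha}}{\Psi_{3xg}} \times P_{3y} \times S_{3d} = -0.2 \times 0.46 \times 0.127 \times 10^{-3} = -1.17 \times 10^{-5}\ \text{rad}$$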


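For excitation along x axis

$$X_{G1} = 1 \times P_{1x} \times S_{1d}, \qquad Y_{G1} = \frac{\Psi_{1yg}}{\Psi_{1xg}} P_{1x} S_{1d}, \qquad \alpha_1 = \frac{\Psi_{1\alpha}}{\Psi_{1xg}} \times P_{1x} \times S_{1d}$$

$$X_{G2} = 1 \times P_{2x} \times S_{2d}, \qquad Y_{G2} = \frac{\Psi_{2yg}}{\Psi_{2xg}} P_{2x} S_{2d}, \qquad \alpha_2 = \frac{\Psi_{2\alpha}}{\Psi_{2xg}} \times P_{2x} \times S_{2d}$$

$$X_{G3} = 1 \times P_{3x} \times S_{3d}, \qquad Y_{G3} = \frac{\Psi_{3yg}}{\Psi_{3xg}} P_{3x} S_{3d}, \qquad \alpha_3 = \frac{\Psi_{3\alpha}}{\Psi_{3xg}} \times P_{3x} \times S_{3d}$$

$$X_{G1} = 1 \times P_{1x} \times S_{1d} = 0.47 \times 6.35 = 2.98\ \text{mm}$$

$$Y_{G1} = \frac{\Psi_{1yg}}{\Psi_{1xg}} P_{1x} S_{1d} = 0.66 \times 0.47 \times 6.35 = 1.97\ \text{mm}$$

$$\alpha_1 = \frac{\Psi_{1\alpha}}{\Psi_{1xg}} \times P_{1x} \times S_{1d} = 0.1 \times 0.66 \times 6.35 \times 10^{-3} = 4.19 \times 10^{-4}\ \text{rad}$$

$$X_{G2} = 1 \times P_{2x} \times S_{2d} = -0.3 \times 0.762 = 0.23\ \text{mm}$$

$$Y_{G2} = \frac{\Psi_{2yg}}{\Psi_{2xg}} P_{2x} S_{2d} = -1.52 \times 0.3 \times 0.762 = -0.35$$

$$\alpha_2 = \frac{\Psi_{2\alpha}}{\Psi_{2xg}} \times P_{2x} \times S_{2d} = 0.00025 \times 0.3 \times 0.762 \times 10^{-3} = 5.7 \times 10^{-8}\ \text{rad}$$

$$X_{G3} = 1 \times P_{3x} \times S_{3d} = 0.24 \times 0.127 = 0.03\ \text{mm}$$

$$Y_{G3} = \frac{\Psi_{3yg}}{\Psi_{3xg}} P_{3x} S_{3d} = 0.66 \times 0.24 \times 0.127 = 0.02$$

$$\alpha_3 = \frac{\Psi_{3\alpha}}{\Psi_{3xg}} \times P_{3x} \times S_{3d} = -0.2 \times 0.66 \times 0.127 \times 10^{-3} = -1.7 \times 10^{-5}\ \text{rad}$$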

It is now interesting to calculate the maximum displacement of the top of the most loaded column (using a statistical combination of modes and of directions of excitation, NS, 15.48) and the consequent stresses. A complete study of the loads on the various columns would indicate that the column located at the north-west corner of the building is the most loaded one. This column will then be studied in detail and its maximum calculated displacements will be indicated as $x_1$ and $y_1$. It is

$$x_1 = x_G + \alpha \times b_6$$

$$y_1 = y_G - \alpha \times b_1$$

$$b_1 = 6500\ \text{mm}, \qquad b_6 = 13000\ \text{mm}$$

The calculation of $x_1$ and of $y_1$ for the excitation along x proceeds in the following way:

First mode

$$x_{1I} = 2.98 + 4.2 \times 10^{-4} \times 13{,}000 = 8.44\ \text{mm}$$

$$y_{1I} = 1.97 - 4.2 \times 10^{-4} \times 6500 = -0.76\ \text{mm}$$


Second mode

$$x_{2I} = 0.23 + 5.7 \times 10^{-8} \times 13{,}000 = 0.23\ \text{mm}$$

$$y_{2I} = -0.35 - 5.7 \times 10^{-8} \times 6500 = -0.35\ \text{mm}$$

Third mode

$$x_{3I} = 0.03 + 5.7 \times 10^{-8} \times 13{,}000 = 0.03\ \text{mm}$$

$$y_{3I} = 0.02 - 5.7 \times 10^{-8} \times 6500 = 0.02\ \text{mm}$$

Combining the three modes

$$x_I = \sqrt{8.44^2 + 0.23^2 + 0.03^2} = 8.44\ \text{mm}$$

$$y_I = \sqrt{0.76^2 + 0.35^2 + 0.02^2} = 0.84\ \text{mm}$$

For an excitation along y

First mode

$$x_{1II} = 1.59 + 4.19 \times 10^{-4} \times 13{,}000 = 7.04\ \text{mm}$$

$$y_{1II} = 1.05 - 4.19 \times 10^{-4} \times 6500 = -1.67\ \text{mm}$$

Second mode

$$x_{2II} = -0.35 - 8.8 \times 10^{-8} \times 13{,}000 = -0.35\ \text{mm}$$

$$y_{2II} = 0.53 + 8.8 \times 10^{-8} \times 6500 = 0.53\ \text{mm}$$

Third mode

$$x_{3II} = 0.058 - 1.17 \times 10^{-5} \times 13{,}000 = -0.1\ \text{mm}$$

$$y_{3II} = 0.038 + 1.17 \times 10^{-5} \times 6500 = 0.11\ \text{mm}$$

Combining the three modes

$$x_{II} = \sqrt{7.04^2 + 0.35^2 + 0.1^2} = 7.05\ \text{mm}$$

$$y_{II} = \sqrt{1.67^2 + 0.53^2 + 0.11^2} = 1.76\ \text{mm}$$

The combination of the two excitation directions gives

$$x_{tot} = \sqrt{8.44^2 + 7.05^2} = 11\ \text{mm}$$

$$y_{tot} = \sqrt{0.84^2 + 1.76^2} = 1.95\ \text{mm}$$

A18.3.3.5 Static Analysis of Some Elements

With the same notation and formulae applied in Section A18.3.3.3

$$D_x = T_x \times h^3 / 12\,E\,J_y, \qquad J_y = 0.200 \times 0.350^3 / 12 = 7.15 \times 10^{-4}\ \text{m}^4$$

$$D_y = T_y \times h^3 / 12\,E\,J_x, \qquad J_x = 350 \times 200^3 / 12 = 2.33 \times 10^{-4}\ \text{m}^4$$

The corresponding bending moments are

$$M_y = T_x \times h/2, \qquad M_x = T_y \times h/2$$

$$T_y = 12 \times 2 \times 10^{10} \times 2.33 \times 10^{-4} \times 1.95 \times 10^{-3} / 3.280^3 = 3090\ \text{N}$$

$$T_x = 12 \times 2 \times 10^{10} \times 7.15 \times 10^{-4} \times 11 \times 10^{-3} / 3.28^3 = 53492\ \text{N}$$

$$T_{tot} = \sqrt{3090^2 + 53492^2} = 53581\ \text{N}$$


$$M_x = 3090 \times 3.28/2 = 5068\ \text{Nm}$$

$$M_y = 53492 \times 3.28/2 = 87727\ \text{Nm}$$

The normal (gravity) force taken by the column can again be estimated by dividing the weight of the two upper floors by the total bearing surface area of the columns plus structural walls (or columns and walls, structural and filling walls, of the ground floor) and multiplying this value by the column transverse (bearing) area

$$P = M \times g = 1.13 \times 10^{6} \times 9.8 = 1.11 \times 10^{7}\ \text{N}$$

$$A_{tot} = A_{\text{columns and struct. walls}} + A_{\text{filling walls}} = 15 \times 0.07 + 5 \times 0.1225 + 0.3 \times [3 \times (6.5 - 1.25) + 5.8 - 3]\ (+\,39 \times 0.2) = 1.6625 + 2.415\ (+\,7.8) = 4.08\ (+\,7.8) = \text{from } 4.08 \text{ to } 11.88\ \text{m}^2$$

The bearing area can then vary by a factor of about 3 according to the degree of participation of the nonstructural walls. Consequently, the average vertical (weight) force is

$$P_a = 1.11 \times 10^{7} / (4.08 \text{ to } 11.88) = \text{from } 9.34 \times 10^{5} \text{ to } 2.72 \times 10^{6}\ \text{N/m}^2$$

$$F_n = 9.34 \times 10^{5} \times 0.07 \text{ to } 2.72 \times 10^{6} \times 0.07 = 6.54 \times 10^{4} \text{ to } 1.9 \times 10^{5}\ \text{N}$$

The corresponding eccentricities of the equivalent load are

$$e_x = M_y / F_n = 0.46 \text{ to } 1.34\ \text{m}, \quad \text{to be compared with } e_{max,x} = 0.35/6 = 0.06\ \text{m}$$

$$e_y = M_x / F_n = 0.027 \text{ to } 0.08\ \text{m}, \quad \text{to be compared with } e_{max,y} = 0.2/6 = 0.033\ \text{m}$$

$e_{max,x}$ and $e_{max,y}$ indicate the maximum eccentricity for which the section is completely compressed (no cracked portion). The section, therefore, is partially in tension. The stresses (ACI 99 Code) are the following:

Maximum tension stress in rebars: 300 N/mm²
Maximum compression stress in concrete: 40 N/mm² (400 kg/cm²)

Figs. A18.18 and A18.19 show the section properties, loads, and stresses. The two cases with high and low normal force have been run: some differences in stresses result. In conclusion, again, no column failure is justified by these results, in accordance with the postevent observations. However, this case with simultaneous excitation in the x and y directions results in higher section stresses.

As noted in Section A18.3.3.1, the lateral rigidity of the deformable ground floor is dominated by the walls, and the contribution of the columns to the lateral rigidity is about 1/30 and, therefore, negligible. This last qualitative conclusion also holds if the structural walls only (essentially the stair cage walls) are considered. The filling walls did not collapse in the earthquake, but their collapse could have happened, since their design was of the normal type, with no special lateral retaining provision. In any case, the structural walls only could have had the same effect on the vibratory behavior of the building. In which way did this effect save the building?


FIGURE A18.18 Loads and stresses.

FIGURE A18.19 Loads and stresses.

First, the lowest eigen-frequencies of vibration were increased by the high lateral rigidity introduced by the walls. Looking at the reference earthquake spectrum of Fig. 15.6 of (NS 15), which is here reproduced for convenience (Fig. A18.20), it is evident that a reduction of the eigen-frequency brings about an increase of the maximum displacement of the vibrating body. For the case under consideration, this displacement is the relative displacement of the column considered in the above calculations with reference to the column base. The lowest frequency calculated above for the three degrees of freedom model is 5.6 Hz, which corresponds to a maximum displacement (10% damping, 0.5 g maximum ground acceleration) of about 0.25 inches.

Now, in a model which does not consider any wall, the minimum eigenfrequency could increase by the square root of the ratio of the new lateral rigidity of the ground floor and of the previously considered one. As said above, this ratio of rigidities is about 30 and the ratio of the corresponding frequencies is about equal to the square root of 30 = 5.5. From the diagram, the new frequency should be about 5.6/5.5 = 1 Hz. The corresponding maximum spectral displacement for a maximum ground acceleration of 0.5 g (equal to one half the nominal 1 g acceleration of the spectrum diagram) is about 5 inches, 20 times the maximum displacement of the model with walls. It is evident that this displacement could not be sustained by the structure without collapse. We can then conclude that the survival of the building was due to the presence of some walls at the ground floor.

A18.3.4 MODAL ANALYSIS PERFORMED BY AN INTEGRATED STRUCTURAL PROGRAM

The search for eigen-frequencies and modes can nowadays also be performed with an integrated structural computational program, that is, a program where, once a model of the structure has been built, the calculation of frequencies and modes is performed automatically and very rapidly. In the following, the results of applying one of those programs to the model with all the walls and, for comparison, to a model with only columns and without any wall are presented. The program used is the widely known SAP2000.


FIGURE A18.20 Spectrum. [Plot: velocity (inch/s) against frequency (cps), with displacement (inch) and acceleration (g) scales and curves for different damping (%) values; annotation: maximum ground displacement of 36 inch for 1 g ground acceleration.]

Figs. A18.21 to A18.24 show the model and three modes of the case with walls; the corresponding modal periods (inverse of frequencies) are 0.13, 0.06, and 0.036 seconds, which correspond rather well to the previously calculated (Section A18.3.3.4) 0.18, 0.06, and 0.036 seconds. Figs. A18.25 to A18.28 show the corresponding results for the case without walls. Periods are now 1.9, 0.38, and 0.34 seconds, which correspond, according to the response spectrum used here, to a factor of 20 in displacements, as shown also by the order-of-magnitude evaluation at the end of the previous chapter. A third case can also be run where a model with columns and stair cage only is studied. In this case also, the displacements would turn out rather small. The conclusion that the survival of the building was due to the presence of some walls at the ground floor is, then, confirmed.


FIGURE A18.21 Model.

FIGURE A18.22 Mode 1.


FIGURE A18.23 Mode 2.

FIGURE A18.24 Mode 3.


FIGURE A18.25 Model without walls.

FIGURE A18.26 Mode 1.


FIGURE A18.27 Mode 2.

FIGURE A18.28 Mode 3.


Websites

https://doi.org/10.17632/4hc54vnzx6.2 This book's Mendeley website. The following files can be downloaded: CONTPRESSURE.xls, DISPERSION1.xls, DISPERSION2.xls, DRYCORE.xls, DUHAMEL.xls, FUMIGATION1.xls, FUMIGATION2.xls, PRIMARY-SYSTEM.xls, RELAPSAMPLEPWR.txt
www.cordis.lu, the European Union site
www.doc.gov
www.europeanutilityrequirements.org
www.iaea.org, the IAEA site that contains much technical and regulatory information
www.nrc.gov
www.nucleartourist.com, the site of the Nuclear Energy Institute in the United States with information on existing reactors
www.nuc.berkeley.edu, the site of the Nuclear Department of Berkeley University; it is listed here as an example of the U.S. University sites, very interesting in general; each of them has usually links with the others
www.oecd.org, the site of OECD, Paris, very rich in information, for which authorization is needed.
