Nuclear Safety

Nuclear Safety This page intentionally left blank Nuclear Safety GIANNI PETRANGELI Amsterdam Boston Heidelberg...

Author: Gianni Petrangeli

263 downloads 3493 Views 4MB Size Report

This content was uploaded by our users and we assume good faith they have the permission to share this book. If you own the copyright to this book and it is wrongfully on our website, we offer a simple DMCA procedure to remove your content from our site. Start by pressing the button below!
Report copyright / DMCA form

DOWNLOAD PDF

Nuclear Safety

This page intentionally left blank

Nuclear Safety GIANNI PETRANGELI

Amsterdam Boston Heidelberg London New York Paris San Diego San Francisco Singapore Sydney Butterworth-Heinemann is an imprint of Elsevier

Oxford Tokyo

Butterworth-Heinemann is an imprint of Elsevier Linacre House, Jordan Hill, Oxford OX2 8DP 30 Corporate Drive, Suite 400, Burlington, MA 01803 First edition 2006 Copyright ß 2006, Gianni Petrangeli. Published by Elsevier Butterworth-Heinemann. All rights reserved. The right of Gianni Petrangeli to be identified as the author of this work has been asserted in accordance with the Copyright, Designs and Patents Act 1988 No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means electronic, mechanical, photocopying, recording or otherwise without the prior written permission of the publisher Permissions may be sought directly from Elsevier’s Science & Technology Rights Department in Oxford, UK: phone (þ44) (0) 1865 843830; fax (þ44) (0) 1865 853333; email: [email protected]. Alternatively you can submit your request online by visiting the Elsevier web site at http://elsevier.com/locate/permissions, and selecting Obtaining permissions to use the Elsevier material Notice No responsibility is assumed by the publisher for any injury and/or damage to persons or property as a matter of products liability, negligence or otherwise, or from any use or operation of any methods, products, instructions or ideas contained in the material herein. Because of rapid advances in the medical sciences, in particular, independent verification of diagnoses and drug dosages should be made British Library Cataloguing in Publication Data A catalogue record for this book is available from the British Library Library of Congress Cataloging-in-Publication Data A catalog record for this book is available from the Library of Congress ISBN 13: 978-0-7506-6723-4 ISBN 10: 0-7506-6723-0 For information on all Butterworth-Heinemann publications visit our web site at http://books.elsevier.com Printed and bound in the UK 06 07 08 09 10 10 9 8 7 6 5 4 3 2 1

Contents

Preface xiii Acknowledgements xv

3-3 Future safety systems and plant concepts 3-3-1 General remarks 23 3-3-2 Some passive safety systems for nuclear plants 27 3-3-3 Inherently safe systems in the process industries 30 References 32 Chapter notes 32

Chapter 1 Introduction 1 1-1 Objectives 1 1-2 A short history of nuclear safety technology 1-2-1 The early years 2 1-2-2 From the late 1950s to the Three Mile Island accident 2 1-2-3 From the Three Mile Island accident to the Chernobyl accident 7 1-2-4 The Chernobyl accident and after 8 References 10 Chapter notes 10

2

Chapter 2 Inventory and localization of radioactive products in the plant 13 References

15

Chapter 3 Safety systems and their functions 17 3-1 Plant systems 17 3-2 Safety systems and accidents

18

23

Chapter 4 The classification of accidents and a discussion of some examples 35 4-1 Classification 35 4-2 Design basis accidents 35 4-2-1 Some important data for accident analysis 35 4-2-2 Example of a category 2 accident: spurious opening of a pressurizer safety valve 40 4-2-3 Example of a category 3 accident: instantaneous power loss to all the primary pumps 41 4-2-4 Example of a category 4 accident: main steam line break 43 4-2-5 Example of a category 4 accident: sudden expulsion of a control rod from the core 44 4-2-6 Example of a category 4 accident: break of the largest pipe of the primary system (large LOCA) 46 4-2-7 Example of a category 4 accident: fuel handling accident 47 4-2-8 Area accidents 50 v

vi

Contents

4-3 Beyond design basis accidents 51 4-3-1 Plant originated accidents 51 4-3-2 Accidents due to human voluntary actions 51 4-4 External accidents of natural origin 51 References 51 Chapter notes 51

Chapter 5 Severe accidents 53 5-1 Existing plants 53 5-2 Future plants: extreme and practicable solutions 55 5-3 Severe accident management: the present state of studies and implementations 57 5-4 Data on severe accidents 58 5-5 Descriptions of some typical accident sequences 58 5-5-1 Loss of station electric power supply (TE ¼ transient þ loss of electrical supply) 58 5-5-2 Loss of electric power with LOCA from the pump seals (SE ¼ small LOCA þ loss of electric power) 61 5-5-3 Interfacing systems LOCA (V) 61 5-5-4 Large LOCA with failure of the recirculation (ALFC) 62 5-5-5 Small LOCA with failure of the recirculation (SLFC) 62 5-6 ‘Source terms’ for severe accidents 62 References 64

Chapter 6 The dispersion of radioactivity releases 65 6-1 The most interesting releases for safety evaluations 65 6-2 Dispersion of releases: phenomena 66 6-3 Release dispersion: simple evaluation techniques 70 6-4 Formulae and diagrams for the evaluation of atmospheric dispersion 71 Reference 76 Chapter notes 76

Chapter 7 Health consequences of releases 79 7-1 The principles of health protection and safety 79 7-2 Some quantities, terms and units of measure of health physics 79 7-3 Types of effects of radiation doses and limits 80 7-4 Evaluation of the health consequences of releases 81 7-4-1 Evaluation of inhalation doses from radioactive iodine 81 7-4-2 Evaluation of doses due to submersion in a radioactive cloud 81 7-4-3 Evaluation of the doses of radiation from caesium-137 deposited on the ground (‘ground-shine’ dose) 81 7-4-4 Evaluation of the dose due to deposition of plutonium on the ground 81 7-4-5 Indicative evaluation of long distance doses for very serious accidents to nuclear reactors 82 7-4-6 Direct radiation doses 82 Reference 83 Chapter notes 83

Chapter 8 The general approach to the safety of the plant-site complex 85 8-1 Introduction 85 8-2 The definition of the safety objectives of a plant on a site 85 8-2-1 The objectives and limits of release/dose 85 8-3 Some plant characteristics for the prevention and mitigation of accidents 86 8-4 Radiation protection characteristics 86 8-5 Site characteristics 87

Chapter 9 Defence in depth 89 9-1 Definition, objectives, levels and barriers 9-2 Additional considerations on the levels of Defence in Depth 89

89

Contents

Chapter 14 Notes on some plant components 119

Chapter 10 Quality assurance 93 10-1 General remarks and requirements 10-2 Aspects to be underlined 93 Reference 94

93

Chapter 11 Safety analysis 95 11-1 Introduction 95 11-2 Deterministic safety analysis 95 11-3 Probabilistic safety analysis 97 11-3-1 Event trees 98 11-3-2 Fault trees 99 11-3-3 Failure rates 105 References 105 Chapter notes 105

Chapter 12 Safety analysis review 107 12-1 Introduction 107 12-2 The reference points 107 12-3 Foreseeing possible issues for discussion 107 12-4 Control is not disrespectful 108 12-5 Clarification is not disrespectful 109 12-6 Designer report 110 12-6-1 Introduction 110 12-6-2 Conclusions 110 12-6-3 Hydrodynamic aspects 110 12-6-4 Effective mass of oscillating system 111 12-6-5 Evaluation of fluid damping 111 12-6-6 Vibration analysis 111 12-7 Discussion 114 References 115 Chapter notes 115

Chapter 13 Classification of plant components 117 Reference

118

vii

14-1 Reactor pressure vessel 119 14-1-1 Problems highlighted by operating experience 119 14-1-2 Rupture probability of non-nuclear vessels 120 14-1-3 Failure probability of nuclear vessels 122 14-1-4 Vessel material embrittlement due to neutron irradiation 124 14-1-5 Pressurized thermal shock 126 14-1-6 The reactor pressure vessel of Three Mile Island 2 126 14-1-7 General perspective on the effect of severe accidents on the pressure vessel 127 14-1-8 Recommendations for the prevention of hypothetical accidents generated by the pressure vessel 128 14-2 Piping 130 14-2-1 Evolution of the regulatory positions 130 14-2-2 Problems indicated by experience 130 14-2-3 Leak detection in water reactors 132 14-2-4 Research programmes on piping 133 14-3 Valves 134 14-3-1 General remarks 134 14-3-2 Some data from operating experience 134 14-3-3 The most commonly used types of valve 135 14-3-4 Types of valve: critical areas, design and operation 136 14-3-5 Valve standards 140 14-4 Containment systems 141 References 142

Chapter 15 Earthquake resistance 145 15-1 General aspects, criteria and starting data 145 15-2 Reference ground motion 148 15-3 Structural verifications 158 15-3-1 Foundation soil resistance 158 15-3-2 Resistance of structures 162 References 182

viii

Contents

Chapter 16 Tornado resistance 185 16-1 The physical phenomenon 185 16-2 Scale of severity of the phenomenon 16-3 Design input data 186 Reference 187

186

Chapter 17 Resistance to external impact 189 17-1 Introduction 189 17-2 Aircraft crash impact 189 17-2-1 Effects of an aircraft impact 189 17-2-2 Overall load on a structure 189 17-2-3 Vibration of structures and components 191 17-2-4 Local perforation of structures 191 17-2-5 The effect of a fire 192 17-2-6 Temporary incapacity of the operating personnel 192 17-3 Pressure wave 192 17-5 Other impacts 193 References 194

Chapter 18 Nuclear safety criteria 195 18-1 General characteristics 195 18-2 The US general design criteria 195 18-3 IAEA criteria 196 18-4 EUR criteria 196 18-5 Other general criteria compilations 197 References 198 Chapter notes 198

Chapter 19 Nuclear safety research 199 Reference

199

Chapter 20 Operating experience 201 20-1 Introduction 201 20-2 Principal sources 201

20-3 Some significant events 201 20-3-1 Mechanical events 201 20-3-2 Electrical events 202 20-3-3 System events 202 20-3-4 Area events 203 20-3-5 Reactivity accidents 204 20-3-6 Possible future accidents 204 20-4 The International Nuclear Event Scale References 207

205

Chapter 21 Underground location of nuclear power plants 209 References

212

Chapter 22 The effects of nuclear explosions 215 22-1 22-2 22-3 22-4 22-5 22-6 22-7

Introduction 215 Types of nuclear bomb 215 The consequences of a nuclear explosion 215 Initial nuclear radiation 217 Shock wave 217 Initial thermal radiation 218 Initial radioactive contamination (‘fallout’) 218 22-8 Underground nuclear tests 218 22-8-1 Historical data on nuclear weapons tests 218 22-8-2 The possible effects of an underground nuclear explosion 219 22-8-3 The possible radiological effects of the underground tests 220 References 220

Chapter 23 Radioactive waste 221 23-1 Types and indicative amounts of radioactive waste 221 23-2 Principles 222 Reference 223

Chapter 24 Fusion safety 225 References

228

Contents

Chapter 25 Safety of specific plants and of other activities 229 25-1 Boiling water reactors 229 25-2 Pressure tube reactors 231 25-3 Gas reactors 231 25-4 Research reactors 232 25-5 Sodium-cooled fast reactors 232 25-6 Fuel plants 233 25-7 Nuclear seawater desalination plants 233 25-8 VVER plants 234 25-9 Ship propulsion reactors 234 25-10 Safe transport of radioactive substances 234 25-11 Safety of radioactive sources and of radiation generating machines 234 References 235

Chapter 26 Nuclear facilities on satellites 237 26-1 Types of plant 237 26-2 Possible accidents and their consequences 238 Reference 238

Chapter 27 Erroneous beliefs about nuclear safety 239 References

241

Chapter 28 When can we say that a particular plant is safe? 243

Chapter 29 The limits of nuclear safety: the residual risk 245 29-1 Risk in general

245

ix

29-2 Risk concepts and evaluations in nuclear installation safety 245 29-2-1 Tolerable risk 245 29-2-2 Risk-informed decisions 246 29-3 Residual risk: the concept of loss-of-life expectancy 247 29-4 Risk from various energy sources 247 29-5 Risk to various human activities 248 29-6 Are the risk analyses of nuclear power plants credible? 248 29-7 Proliferation and terrorism 250 References 250

Additional references 251 Appendices Appendix 1 The Chernobyl accident 279 A1-1 Introduction 279 A1-2 The reactor 279 A1-3 The event 281 References 284

Appendix 2 Calculation of the accident pressure in a containment 285 A2-1 Introduction 285 A2-2 Initial overpressure 285 A2-3 Containment pressure versus time 286 A2-3-1 Introductory remarks 287 A2-3-2 Calculation method 287 A2-3-3 Heat exchanged with the outside through the metal container 288 A2-3-4 Heat released by hot metals 288 A2-3-5 Heat exchanged with cold metals 289 A2-3-6 Heat exchanged with concrete layers 289 A2-3-7 Decay heat 290 A2-3-8 Heat removed by the spray system internal to the containment 291 A2-3-9 Solar heat 291 A2-3-10 Thermal balance in the interval 292 A2-3-11 Considerations on the performance of the calculation and on the choice of the input data 292 A2-3-12 Example calculation 293 References 296

x

Contents

Appendix 3 Table of safety criteria 297

Appendix 4 Dose calculations 315 A4-1 Introduction 315 A4-2 Virtual population dose in a severe accident 315 A4-2-1 The reactor and the released isotopes 315 A4-2-2 Source term at three days (I, Cs, Xe) 315 A4-2-3 Dose at the fence after three days of exposure 316 A4-2-4 Ground shine long-term dose 316 A4-3 Explorative evaluation of the radiological consequences of a mechanical impact on a surface storage facility for category 2 waste 316 A4-3-1 Type of repository 316 A4-3-2 Reference impact 316 A4-3-3 Fragmentation and dispersion of material 317 A4-3-4 Doses 318 A4-3-5 Conclusions 319 A4-4 Explorative evaluation of the radiological consequences of a mechanical impact on a transport/storage cask containing spent fuel 319 A4-4-1 Characteristics of the cask 319 A4-4-2 Reference impact 319 A4-4-3 Amount of significant fission products in the internal atmosphere of the cask and external release in one day 319 A4-4-4 Effective committed doses 320 A4-4-5 Conclusions 321 References 321

Appendix 5 Simplified thermal analysis of an insufficiently refrigerated core 323 A5-1 Analysis of the core without refrigeration 323 A5-2 Other formulae and useful data for the indicative study of the cooling of a core after an accident 325 References 326

Appendix 6 Extracts from EUR criteria (December 2004) 327 2-1-8-3 List of design basis conditions 327 2-1-8 Tables 328 2-1-8-1 Table 1: Radiological criteria for radioactive releases in normal operation and incident conditions 328 2-1-8-2 Table 2: Frequencies and acceptance criteria for normal operation, incident and accident conditions 328 2-1-B-1 Criteria for limited impact for DEC 329 2-1-B1-1 Table B1: Criteria for limited impact for no emergency action beyond 800 m from the reactor 329 2-1B 1-2 Table B2: Criteria for limited impact for no delayed action beyond 3 km from the reactor 330 2-1B 1-3 Table B3: Criteria for limited impact for no long-term actions beyond 800 m from the reactor 330 2-1B 1-4 Table B4: Criteria for limited impact for economic impact 330 2-1 B2 Release targets for design basis category 3 and 4 conditions 330 2-1-B-2-1 Table B5: DBA release targets for no action beyond 800 m from the reactor 331 2-1-B-2-2 Table B6: DBA release targets for economic impact 331 2-1-2-3 Operational staff doses during normal operation and incidents 331 2-1-2-6 Probabilistic safety targets 332 2-1-3-4 Single failure criterion 332 2-1-4-3-2 Complex sequences that may be considered in DEC 333 2-1-6-8 Classification of the safety functions and categorisation of the equipment 333 2-1-6-6-3 Requirements according to level of safety functions 334 2-1-6-8-4 Assignment of equipment and structures to a safety category 334

Contents

2-1-6-8-5 Requirements on equipment and structures according to safety category 335 2-1-6-8-6 Classification of structures and equipment according to the design and construction codes 335 2-1-6-8-7 The relation of seismic categorisation to safety level of functions 335 2-1-6-13 Accident management 335 2-1-6-14 Radiation protection 336

Appendix 7 Notes on fracture mechanics 337 A7-1 Introduction 337 A7-2 Current practice 338 References 341

Appendix 8 US general design criteria 343 A8-1 Introduction 344 A8-2 Definitions and explanations 345 A8-3 Criteria 345 A8-3-1 Overall requirements 345 A8-3-2 Protection by Multiple Fission Product Barriers 346 A8-3-3 Protection and Reactivity Control Systems 348 A8-3-4 Fluid Systems 349 A8-3-5 Reactor Containment 351 A8-3-6 Fuel and Radioactivity Control 352 Notes 353

Appendix 9 IAEA criteria 355

Appendix 10 Primary depressurization systems 357 A10-1 Initial studies 357 A10-2 Depressurization systems for modern design reactors 359 References 363

xi

Appendix 11 Thermal-hydraulic transients of the primary system 365 A11-1 General remarks 365 A11-2 General program characteristics 366 A11-3 Program description 366 A11-3-1 Macro Stampa dati 366 A11-3-2 Macro Copia_dati 368 A11-3-3 Macro HF 368 A11-3-4 Macro HFG 369 A11-3-5 Macro VF 369 A11-3-6 Macro VFG 370 A11-3-7 Macro QS 370 A11-3-8 Macro GU 370 A11-3-9 Macro GE 372 A11-3-10 Macro DT 373 A11-3-11 Macro PS 373 A11-4 Using the program 377 A11-5 Other formulae for the expanded use of the program 377 A11-5-1 ATWS 377 A11-5-2 Pressure in a depressurization water discharge tank 378 References 378

Appendix 12 The atmospheric dispersion of releases 379

Appendix 13 Regulatory framework and safety documents 385 A13-1 Regulatory framework 385 A13-2 Safety documents 385 A13-2-1 The safety report 386 A13-2-2 The probabilistic safety assessment 388 A13-2-3 The environmental impact assessment 388 A13-2-4 The external emergency plan 388 A13-2-5 The operation manual, including the emergency procedures 388 A13-2-6 Operation organization document 390 A13-2-7 The pre-operational test programme 390

xii

Contents

A13-2-8 The technical specifications for operation 390 A13-2-9 The periodic safety reviews References 391

391

Appendix 14 USNRC Regulatory Guides and Standard Review Plan 393 A14-1 Extracts from a regulatory guide 393 A14-2 List of contents and extracts from a sample chapter of the Standard Review Plan 395 A14-3 Sample chapter 400

Appendix 15 Safety cage 405 A15-1 General remarks 405 A15-2 Available energy 405 A15-3 Mechanical energy which can be released 405 A15-4 Overall sizing of a structural cage around the pressure vessel 406 A15-5 Experimental tests on steel cages for the containment of vessel explosions 408 Reference 408

Appendix 16 Criteria for the site chart (Italy) 409 A16-1 Population and land use 409 A16-2 Geology, seismology and soil mechanics 409 A16-3 Engineering requirements 410 A16-4 Extreme events from human activities A16-5 Extreme natural events 410

410

Appendix 17 The Three Mile Island accident 411 A17-1 Summary description of the Three Mile Island no. 2 Plant 411 A17-2 The accident 413 A17-3 The consequences of the accident on the outside environment 419 A17-4 The actions initiated after the accident 421 References 422

Glossary 423 Web sites 425 Index 427

Preface

Introduction I have written this book because of my firm belief that it is necessary to try to gather and to preserve in written form, and from one perspective, the accumulated experience in the fields of nuclear safety and of radiation protection. This is particularly important for countries where nuclear energy exploitation has been stopped, but where it might have to be resumed in future. The main accent of this book is on Nuclear Safety. From another point of view, many areas developed in nuclear safety studies are of interest in the safety of process plants too and, therefore, it is worthwhile writing about them. Given this perspective, I have tried to collect the ideas, the data and the methods which, in many decades of professional work in several countries, are in my opinion the most useful for ‘integrated system’ evaluations of the plant safety. I have emphasized the complete site–plant system more than single details, so the data and the methods discussed are not those applied in the many specialized disciplines devoted to the in-depth study of safety but are those required for overall, first approximation, assessments. In my opinion, such assessments are the most useful ones for the detection of many safety-related problems in a plant and for the drafting of a complete picture of them. The more accurate and precise methods are, however, essential in the optimization phase of plant design and of its operational parameters. Specialists in reactor engineering, in thermalhydraulics, in radiation protection and in structural

response issues may, therefore, be surprised to read that simple methods and shortcuts suggested here are very useful, as my experience and that of other ‘generalists’ suggests. Additionally, this book aims to cover some general and some unusual topics, such as: the overall conditions to be complied with by a ‘safe’ plant, the trans-boundary consequences of accidents to plants or to specific activities, the consequences of terrorist acts, and so on. On some crucial issues, the views of the world’s nuclear specialists are not the same, for example, the views in Western countries compared with those in former soviet-bloc countries on the pre-Chernobyl approach to nuclear safety in Eastern Europe: the West considered the soviet approach to be a relatively lenient one, while the soviets thought that they concentrated on prevention of accidents rather than on the mitigation of them. In these cases, the text tries to be objective and to quote the ‘Eastern’ view besides the ‘Western’ one, leaving future engineers and technical developments to decide on this issue. Except where explicitly indicated, the text refers to the pressurized water reactor. Extrapolation to other kinds of plants is, however, possible. The text complies with internationally recognized safety standards, and in particular with International Atomic Energy Agency (IAEA) requirements. On occasions I have digressed, in notes, from the main thrust of the text. I have done this for several reasons: many notes relate facts that qualify or justify what is written in a preceding paragraph; some of them are numerical examples added for clarification; xiii

xiv

Preface

others are simple comments and personal reflections on the subject. These notes are set at the end of each chapter. I have provided a list of references at the end of each chapter, however a complete chapter (Additional references) is almost completely devoted to a list of some ‘institutional’ references (i.e. those published by the IAEA, by the Organization for Economic Cooperation and Development (OECD) and by the United States Nuclear Regulatory Commission (USNRC) which is one of the richest sources of publications among Regulatory Bodies). These additional references are labelled with the superscript AR. Many of these references can be consulted and even downloaded from the web sites listed in the Web sites chapter (see p. 425). Calculation sheets mentioned in the text may be downloaded from the publisher’s web site (http://books.elsevier.com/companions/0750667230); the way to use them is described in the text. Finally, I wish to underline that all my experience suggests to me, after many positive and negative lessons learned, that today’s nuclear plants can be

completely safe and that significant accidents can be avoided. This is, however, only true on the condition that safety objectives are carefully pursued by the organizations involved in the plants; in this arena, as it will be shown, even organizations apparently very far from any specific plant must be, up to a certain extent, included (e.g. the bodies responsible for the general energy strategy of a country and the ‘media’). I will be very grateful to my readers for any suggestion concerning improvements to the text and also corrections to the mistakes which are certainly present in it. I am fully aware, in particular, of the subjective nature of the choice of the material included: the subject of nuclear safety, as does that concerning the safety of process plants in general, has become, over time, a discipline composed of many specific rather autonomous subsections. It is not easy, therefore, to choose the material to be included in a general text like this one; in this, practical experience of what is necessary while doing assessment work of plants has been my guide.

Acknowledgements

I am very grateful to all the colleagues who have cooperated, deliberately or by chance, in supplying me with the material for these pages. I apologize to

them if I don’t name them individually; this is not only because they are many, but because I am sure that I would inadvertently miss out some names. Gianni Petrangeli

xv


Chapter 1 Introduction

1-1. Objectives The objectives of nuclear safety consist in ensuring the siting and the plant conditions need to comply with adequate principles, such as, for example, the internationally accepted health, safety and radioprotection principles. In particular, the plant at the chosen site shall guarantee that the health of the population and of the workers does not suffer adverse radiation consequences more severe than the established limits and that such effects be the lowest reasonably obtainable (the ALARA – As Low As Reasonably Achievable – Principle) in all operational conditions and in case of accidents. These objectives are frequently subdivided into a General Objective, a Radiation Protection Objective and a Technical Objective: for example, in the International Atomic Energy Agency (IAEA) criteria (see www.iaea.org). The General Nuclear Safety ObjectiveAR1 is to protect individuals, society and the environment from harm by establishing and maintaining effective defences against radiological hazards in nuclear installations. The Radiation Protection Objective is to ensure that in all operational states radiation exposure within the installation or due to any planned release of radioactive material from the installation is kept below prescribed limits and as low as reasonably achievable, and to ensure mitigation of the radiological consequences of any accidents. The Technical Safety Objective is to take all reasonably practicable measures to prevent accidents in nuclear installations and to mitigate their consequences should they occur; to ensure with a high level of confidence that, for all possible accidents taken into account in the design of the installation,

including those of very low probability, any radiological consequences would be minor and below prescribed limits; and to ensure that the likelihood of accidents with serious radiological consequences is extremely low. The target for existing power plants consistent with the Technical Safety Objective has been defined by the INSAG (International Nuclear Safety Advisory Group, advisor to the IAEA Director General)AR185 as a likelihood of occurrence of severe core damage that is below about 10 4 events per plant operating year. Implementation of all safety principles at future plants should lead to the achievement of an improved goal of not more than about 10 5 such events per plant operating year. Severe accident management and mitigation measures should reduce the probability of large offsite releases requiring short-term off-site response by a factor of at least 10. It has to be observed that these principles, while indicating the need for strict control of radiation sources, do not preclude the external release of limited amounts of radioactive products nor the limited exposure of people to radiation. Similarly, the objectives require to decrease the likelihood and the severity of accidents, but they recognize that some accidents can happen. Measures have to be taken for the mitigation of their consequences. Such measures include on-site accident management systems (procedures, equipment, operators) and off-site intervention measures. The greater the potential hazard of a release, the lower must be its likelihood. The chapters of this book, except the few of them not concerned with the safety of nuclear installations, deal with the ways for practically achieving these objectives.

1

2

Nuclear Safety

1-2. A short history of nuclear safety technology

1-2-1. The early years The first reactor, the ‘Fermi pile’ CP1 (or Chicago Pile 1, built in 1942) was provided with rudimentary safety systems in line with the sense of confidence inspired by the charismatic figure of Enrico Fermi and his opinion concerning the absence of any danger from unforeseen phenomena. The safety systems (Fig. 1-1) were:

gravity driven fast shutdown rods (one was operated by cutting a retaining rope with an axe); and

Cadmium solution

(Samuel Allison)

Ax man Spectator

(Norman Hilberry)

ZIP rod 57 layers of uranium and graphite Cadmium rod

Detector Recorder

Compared with the set of safety systems subsequently considered essential, an emergency cooling system was missing as decay heat was practically absent after shut down, and there was no containment system (except for a curtain!) provided as the amount of fission products was not significant. Other reactors were soon built, for both military and civil purposes, and since they were constructed on remote sites (e.g. Hanford, WA), they didn’t need containment systems. In the light of subsequent approaches used in reactor safety, probably, in this first period, not all the necessary precautions were taken; however, it is necessary to consider the specific time and circumstances present (a world war in progress or just finished, status of radiation protection knowledge not yet sufficiently advanced, etc.).1 In the 1980s and 1990s, a revision of the ‘simplified’ approach used for these first reactors (mainly devoted to plutonium production) was made. They were, as a consequence, either shut down or modified. In particular, the following characteristics or problems were removed or solved:

(Enrico Fermi)

(George Weil)

THE FIRST REACTOR 2, December 1942

Figure 1-1. Drawing of the CP1 pile. Scram – this term means ‘fast shutdown of a reactor’: various explanations have been proposed for its origin. The most credited one assumes that it derives from the abbreviated name of the CP1 safety rod which could be actuated by an axe. In the original design sketches of the pile, the position of the operator of the axe was indicated by ‘SCRAM’, the abbreviation of ‘Safety Control Rod Ax Man’. The designated operator was the physicist Norman Hilberry, subsequently Director of the Argonne Laboratory. His colleagues used the name ‘Mister Scram’. The drawing is courtesy of Prof. Raymond Murray.

a secondary shutdown system made of buckets containing a cadmium sulphate solution, which is a good neutron absorber. The buckets were located at the top of the pile and could be emptied onto it should the need arise.

the open cycle cooling of the reactors and nonpressure-resistant containments; the disposal of radioactive waste using unreliable methods, such as the location of radioactive liquids in simple underground metallic tanks which were subject to the risk of corrosion and of consequent leaks; the storage of spent fuel elements in leaking pools of water.

1-2-2. From the late 1950s to the Three Mile Island accident Since the early 1960s and even before, in the West, the criterion of locating power reactors in a leakproof and pressure resistant containment vessel was established and consolidated. In those cases where a significant release of radioactive products could be possible, the design pressure of the containment was


chosen on the assumption that all the primary (and part of the secondary) hot water (for a water reactor) was released from the cooling systems. Indeed, since the 1950s, the US ‘Reactor Safeguards Committee’, set up by the Atomic Energy Commission with the task of defining the guidelines for nuclear safety, had indicated that, for a noncontained reactor, an ‘exclusion distance’ (without resident population) should be provided. This distance, R, had to be equal, at least to that given by Eq. 1.1. pffiffiffiffiffiffiffi R ¼ 0:016 Pth km,

ð1:1Þ

where Pth is the thermal power of the reactor in kilowatts. For a 3000 MW reactor (the usual size today), this exclusion distance is equal to approximately 30 km, which is equal to the distance evacuated after the Chernobyl accident (Bourgeois et al., 1996). Evidently, the reference doses for the short-term evacuation were roughly the same for the two cases. An exclusion distance of this magnitude poses excessive problems to siting, even in a country endowed with abundant land such as the USA, therefore, the decision of adopting a containment is practically a compulsory one. The first reactor with leakproof and pressure resistant containment was the SR1 reactor (West Milton, NY, built in the 1950s). Built to perform tests for the development of reactors for military ship propulsion; this reactor was cooled by sodium and the containment was designed for the pressure corresponding to the combustion of the sodium escaping from a hypothetical leak in the cooling circuit. In Western countries, moreover, it was required that the whole refrigeration primary circuit should be located completely inside the containment, so that, even in the case of a complete rupture of the largest primary system pipe, all the escaped fluid would be confined in the containment envelope. The design pressure of the containment for water reactors (starting with the Shippingport, Pa, reactor, moderated and cooled by pressurized water) was derived on the basis of the assumption of the complete release of the primary water. In Eastern Europe, these criteria were applied to a lesser degree, as it was accepted that the pressure vessel alone would be located within the containment

3

(the rupture of large pipes was considered sufficiently unlikely to justify this assumption) and that the leakproof containment characteristic need not be very stringent. Thus, at the second Atoms for Peace conference in Geneva in 1964, the Western visitors were impressed but surprised by the model of the Novovoronezh reactor, which showed only one small containment enclosure around the reactor pressure vessel and was located in a building that from the outside resembled a big public office building. Still many years afterwards, the Russian reactors of the VVER 230 series, although provided with complete ‘Western-style’ containment, had a leakage rate from the containment of the order of 25 per cent each day (to be compared with figures of the order of 0.2 per cent each day from typical Western containments).2 Apart from differences of approach between world regions, in this period of time and in all the countries with nuclear reactors, the systems installed in the plants according to the requirements of the safety bodies and having the sole purpose of accident mitigation, were frequently the subject of heated debates; in particular, the emergency core cooling systems and the containment systems were often discussed. More precisely, the opinions on the accident assumptions evolved in the West were divided. The reference situations for the reasonably conceivable accidents were chosen by the judgement of expert committees. These situations included the worst ‘credible’ events (such as the complete severance of the largest primary pipe). The assumptions concerning the initiating event were accompanied by simultaneous conservative assumptions concerning malfunctions in safety systems, such as a ‘single failure’ consisting in the failure, simultaneous with the initiating event (pipe failure and so on), of one active component of one of the safety systems devoted to emergency safety functions during the accident (water injection system, reactor shutdown system and so on).3 On one side, the more cautious experts, generally members of public safety control bodies, many scholars and members of non-governmental organizations for the defence of public rights, supported the need for keeping these conservative assumptions; on the other side, more optimistic people (members of manufacturing industries and of electric utilities) maintained that the above mentioned accident

4

Nuclear Safety

assumptions entailed a true waste of resources (those necessary to provide nuclear plants with huge containment buildings and powerful safety systems). It has to be noted that the ‘optimists’ were by no means imprudent or reckless: a sincere conviction existed in the industry that the current accident assumptions were not well founded.4 The contrast between the optimists and the pessimists was exacerbated by the foreseeable circumstance that not all of the logical consequences of the initially adopted accident assumptions were from the start clear to technical people. As an example, as far as the effectiveness of emergency core cooling systems is concerned, it was not understood from the start that Zircaloy fuel cladding (stainless steel behaves in a similar way) could react with water in an auto-catalytic way at relatively low temperatures and could release large quantities of hydrogen. Neither was it understood from the start that the same cladding could swell before rupturing and could occupy the space between fuel rods, preventing the flow of cooling water. The existence of these phenomena was demonstrated by studies and by tests performed by the Atomic Energy Commission (AEC) on the Semiscale facility at the US National Laboratory of Idaho Falls towards the end of the 1960s, when many US reactors had already been ordered and were being designed or built. Similarly, at the beginning of the 1970s, the possibility was demonstrated that the break of a pipe could damage other nearby pipes or other plant components, starting a chain of ruptures (known as the ‘pipe whip’ effect). All of these discoveries, made late in the design and procurement phases of US reactors, persuaded the control bodies to stipulate that the inherent safety systems be improved in order to take them into account. Other requests for improvement concerned the resistance of the plants to natural phenomena or to man-made events, in order to reach a balanced defence spectrum against all of the realistically possible accidents; in such a way the defence against new phenomena became analogous to the defence against the already considered phenomena having a comparable or lower probability. These requests for improvement (‘backfitting’) extended the construction times of the plants, together with their costs.

It can be understood that the industry, which already considered the initially adopted accident assumptions to be excessive, strongly opposed these aggravating requests. As previously said, up to the Three Mile Island (TMI) accident, not all nuclear technical experts believed in the reasonableness of the current accident assumptions and in the need to pursue them with logical rigour and, in the light of the up-to-date scientific knowledge, up to their extreme consequences.5 The increase in costs as a consequence of the continuous requests for plant improvements, was strongly in contrast with the initial industrial expectations, which were concisely summarized by the then chairman of the Atomic Energy Commission, Lewis Strauss, who famously stated that nuclear energy would become ‘too cheap to meter’. In this period, the expression ‘ratcheting’ was created to describe the action of the control bodies in the field of the improvement of the plants concurrently with the indications of the progressing studies and research. This continuous process of improvement produced, where it was performed, very safe but also very costly and rather complicated plants. Indeed, the plants were subject to a series of safety feature additions to a substantially unchanged basic design. In this period a diverse approach to plant siting developed and was consolidated in the USA and in Western Europe. In the USA, the plant siting criteria, as far as demographic aspects were concerned, were substantially decoupled from the design features of the plant. On the contrary, in Europe, criteria for the site-plant complex were adopted. The US site criteria (except for seismic problems and for other external natural or man-made events) can be summarised as follows:

The existence of an ‘exclusion zone’ around the plant, where no dwellings or productive settlements exist, with access under the complete control of the plant management. The existence of a ‘low population zone’ around the plant, which could be quickly evacuated (within hours) in case of accident to the plant. The radioactive products release from the core to the plant containment conventionally established as a function of the plant power only: the TID release (Di Nunno et al., 1962).


A dose limit of 250 mSV (25 rem) total body and of 3 Sv (300 rem) for the thyroid (children) within two hours after the accident at the border of the exclusion zone.6 Dose limits equal to the preceding ones for the whole accident duration at the external border of the low population zone.

The exclusion zone was established at a radius of 800–1000 m around the plant and the low population zone at roughly 5 km from the plant (US Code of Federal Regulations, 2004a). The conventional release from the core was as follows:

For iodine-131:50 per cent of the core inventory, of which 50 per cent only is available in the containment for external release (deposition and plate out in the primary circuit). The iodine available for external release is 91 per cent elemental, 5 per cent particulate and 4 per cent organic iodide (methyl iodide). Noble gases are totally released to the containment.

Independent criteria were then established for the design of the plant. In this approach, the decision about the adequacy of a proposed site could be taken only on the basis of the plant power level and, possibly, on the specific characteristics of its fission product removal systems (to be evaluated and possibly validated on a case by case basis). On the other hand, in Europe, the site selection criteria usually consider the site-plant complex. Therefore, for example, if a plant with the usual safety systems could not be located on a specific site because accident doses exceeded the reference limits, it was possible to make the plant acceptable for the same site by the improvement of the systems for fuel integrity protection in case of accidents. The dose limits varied somewhat between various countries, but they were of the order of 5 mSv (500 mrem, effective dose) to the critical group of the population outside the exclusion zone for every credible accident (design basis accidents); some increase of this limit up to the level of tens of millisievert for single specific accidents could also be accepted. In order to evaluate the consequences of these accidents, then, no conventional figure for the

5

releases is used (such as the TID figures). On the contrary, conservative but more realistic assumptions are adopted; typically, the iodine released in the containment is assumed equal to the inventory in the fuel-clad interface, equal to one to five per cent of the total core inventory, instead of the TID 50 per cent. In Europe, the need to take account of the specific plant features for the evaluation of the acceptability of the site arises from the much higher population density in Europe in comparison with that of the USA (approximately 200 inhabitants per square kilometre and 30 per square kilometre, respectively). It is therefore much more difficult to find low population sites in Europe. The different population densities in Europe and the USA has also brought about differences in accident emergency plans: in the USA, the provision of a complete evacuation of the population within 16 km of the plant in a few hours is adopted, while in Europe the maximum comparable distance is equal to 10 km. It is indeed difficult to assure the evacuation of population centres with tens, hundreds or thousands of inhabitants. Here too, the countries’ differences in demographic conditions has to be compensated by additional plant features (generally, the use of double containment provided with intermediate filtration systems and the use of elevated stacks). The practice in the Far East (Japan, South Korea) is similar to the European one. These differences in the fundamental approach to safety among various countries have always been thought by the general public to be a weakness of the nuclear industry, thereby affecting their acceptance of nuclear energy. These differences have always been a source of confusion in the mind of the public and, therefore, they aggravate the public distrust in the safety of this energy source. Many attempts have been made, in the international and community arenas where nuclear safety is discussed (IAEA, OECD, EU), to adopt unified criteria (see Chapter 18). The aim of agreeing common criteria has been reached only at the expense of unification at a higher logical level, therefore leaving untouched the differences previously described, for example leaving to the freedom of each country the definition of acceptable distances or doses.

6

Nuclear Safety

In this period up to the TMI accident, three other facts influenced nuclear safety technology: defence against non-natural external events; the preparation of the Rasmussen report, WASH 1400; and the introduction of Quality Assurance (QA) in design, construction and operation of plants. The first of these, the defence against non-natural external events, would not deserve specific mention and discussion, except that its motivation has changed with time. For example, the initial official incentive for the reinforcement of plant structures and components of many reactors consisted in the defence against the accidental fall of an aircraft, while, subsequently, it was provided to defend against sabotage performed by the use of aircraft, but also by explosives of various kinds. In effect, the strengthening of structures and components was initially made in Germany as a consequence of the high number of crashes of the Lockheed Starfighter fighter plane in the 1960s. Subsequently, with the onset of terrorist activity in the 1970s, the need arose to defend nuclear plants against hypothetical external attacks conducted with the use of projectiles and of explosives. At this point, it was discovered that the German protection against the plane crash could also envelope a sufficient number of sabotage events based on the use of explosives. Therefore, as many people preferred not to mention these sabotage protections explicitly, the corresponding provisions were named in the official documents as ‘protection against plane crash’. Plant protection against the various effects of the impact by a fighter aircraft (weighing about 20 t) was adopted at least in Germany, Belgium, Switzerland and Italy, while in other countries the protection against the fall of a smaller sports aircraft was chosen, frequently only if justified by the proximity of an airport. No country explicitly adopted the protection against the impact of a wide-bodied airliner of the Jumbo Jet type (weighing about 350 t), which would be far more onerous (possibly requiring the underground location of plants). It was calculated that the protection against the fall of a fighter aircraft included the protection against the fall of a large airliner too if the impact takes place with less damaging characteristics (lower speed of impact, shallower angle of impact, and so on) than those which would cause the worst structural consequences. (See Chapter 17 for more on aircraft impact.)

The second influence, the Rasmussen report, first published in 1975, was sponsored by the Nuclear Regulatory Commission (NRC – the successor to the Atomic Energy Commission in control of peaceful applications of nuclear energy and the regulatory body on nuclear safety matters) with the aim of outlining an overall picture of all the conceivable accidents and of their probabilities, in order to identify the risk connected to a nuclear plant. It was the first time a study that included all conceivable accidents had been made. It included less probable scenarios too, such as the catastrophic explosion of a reactor pressure vessel and an estimate of the probability of each of them. It should be understood that the probability data concerning the most unlikely phenomena are scarce or even absent given the impossibility of studying these phenomena by experimental tests and the scarcity of applicable real-life data. In some ways, quantifying these events in a report was a bold decision, but, once the objective of the study was decided upon, nobody questioned the feasibility of it. Subsequently, once the report was published, criticism ensued: some people said that it was inscrutable, others criticized the completeness of the database, and others criticized the inconsistency of the executive summary with the main report. In the second, and final, edition some evident insufficiencies were corrected, but some of the criticisms remained unresolved. Whoever it was who started a risk study of the first cars, of the first railway trains or of the first airplanes, would have met the same difficulties. However, with the passing of time, the report has remained a fundamental reference for any safety and risk evaluation. Nobody could support the validity of the absolute quantitative risk evaluations contained in it, but, at the same time, the validity of this study and of the similar ones which followed is universally acknowledged as far as the relative probability estimates are concerned for detection of weak points in a specific design. In substance, the Rasmussen report and similar studies are possible judgement instruments in the nuclear safety field, although they cannot be used alone. Sound engineering evaluations, based on operating experience, even in different but similar fields, and on research results, are the necessary complement to the probabilistic evaluations. In the history of nuclear safety technology, the Rasmussen report did not solely represent a


methodological advancement. Severe accidents (those accidents more serious than those up to then considered credible) were included, especially after the TMI accident, in the design considerations for nuclear plants. Finally, the start of the application of QA in nuclear engineering has to be mentioned. According to this management system, the quality of a product is guaranteed by the control of the production processes, more than by the control of the products themselves. Certainly this represents remarkable progress towards the achievement of products better complying with their specifications, however the implementation of this system requires a significant effort in the field of activity planning and of the management of the documentation, entailing a corresponding cost burden.

1-2-3. From the Three Mile Island accident to the Chernobyl accident In March 1979, during a rather frequent plant transient, a valve on top of the pressurizer of the TMI plant (Pennsylvania, USA) remained stuck open, giving rise to a continuous loss of coolant. In an extremely concise way, an opening in that position (although this fact had not been sufficiently studied and publicized in the technical literature) generated over time a situation of a void reactor pressure vessel and of a full pressurizer. This accident demonstrated that the attitude of many technical people towards nuclear safety was careless and optimistic. It could also be concluded that bad ‘surprises’ caused by a nuclear plant could be avoided only at the expense of a strong change in their mindset towards safety itself. These conclusions were shared by practically all technical people and all over the world. Some optimists still existed, however. They were convinced that all the blame for the accident had to be placed on the operators who had not correctly diagnosed the plant conditions in time, and that all the problems could be solved by the use of more stringently screened operators. It can be said that this accident completely changed the attitude of the industry towards safety in all the OECD countries. The provision of features previously considered to be pointless by some (such as the presence of a leakproof, pressure

7

resistant containment) were acknowledged as valid in the light of the possibility of unforeseeable events. Two organizations were created for the exchange of information on operational events at nuclear plants and for the promotion of excellence in the nuclear safety field: the Institute of Nuclear Power Operations (INPO) in the USA and the World Association of Nuclear Operators (WANO) internationally. In the USA, within the NRC, a specific Office was created (Analysis and Evaluation of Operational Data – AEOD) for the analysis and the dissemination of operating experience. Long lists of ‘lessons learned’ were prepared and a ‘Three Mile Island Action Plan’ compiled which contained a large number of specific provisions against the possible repetition of similar accidents in the future. The implementation of these provisions cost each plant an amount of money ranging between several million dollars and several tens of millions of dollars. Above all, two concepts were underlined and reinforced: the concept of Defence in Depth and the concept of Safety Culture. According to a number of experts, in particular from the former USSR, the attitude of the industry towards safety also changed in Eastern Europe after the TMI accident: already in early 1980s, Russian designers of VVER reactors proposed a number of measures for safety improvements. The Defence in Depth initiative is a concept meaning that many, mutually independent, levels of defence against the initiation and the progression of accidents are created. The various levels include physical barriers, such as the fuel cladding, the primary system, the containment, etc. Five levels are defined: good plant design, control systems, emergency systems, accident management, and emergency plans. The Safety Culture concept is defined as the set of convictions, knowledge and behaviour in which safety is placed at the highest level in the scale of values in every activity concerning the use of nuclear energy.7 The result of these initiatives, together with the Rasmussen report and the TMI accident convinced many countries to give attention to severe accidents. Severe accident occurrence was introduced as a consideration in the design and operation of plants.

8

Nuclear Safety

A severe accident is defined as one exceeding in severity the Design Basis Accidents, which are those against which plant safety systems are designed in such a way that:

the core does not exceed the limits of irreversible damage of the fuel (e.g. 1200 C maximum temperature, 17 per cent local oxidation of the claddings, etc. (US Code of Federal Regulations, 2004b); the external releases do not exceed the maximum tolerable ones, according to the national criteria in force.

In many cases it is considered, as an accident progressively worsens, that the limit for which it becomes ‘severe’ is the attainment of 1200 C in the fuel cladding since at about this temperature the progression of the water–cladding exothermic reaction becomes auto-catalytic and proceeds at a high rate. The IAEA definition for severe accidents is ‘accident conditions more severe than a design basis accident and involving significant core degradation’.AR49 All the OECD countries (but also others) agreed on the advisability of studying and of implementing severe accident management techniques on their plants. These provide equipment and emergency procedures for severe accidents which, in the extreme case of reaching a situation close to a severe accident, prevent its occurrence or, at least, prevent it from worsening. Examples of typical equipment and procedures for severe accidents are the following:

portable electric energy generators, transportable from the plant to another on the same site or on a different site; procedures to supply electric energy to the essential loads, in case of total loss of electric power; procedures for the voluntary depressurization of the primary system in case of loss of the high pressure emergency injection systems, and so on.

By the 1980s, practically all the plants in the OECD area were equipped with Severe Accident Management Plans to various degrees of completeness. Some countries have progressed further than others, instigating real plant modifications as a means of implementing their Accident Management Plans. France, Germany and Sweden (and others)

have installed filtered containment venting systems designed to avoid the rupture of the containment in case of a severe accident entailing the slow overpressurization of the building beyond its strength limits (this situation could happen in every accident scenario without sufficient cooling of the core and of the containment). Other countries, such as the USA, concluded that these systems were not needed, on the basis of a cost–benefit analysis. In Italy, a set of criteria was developed, the ‘95–0.1 per cent criterion’, according to which, by the installation of appropriate systems (including a filtered venting system for at least one reactor), a release of iodine higher than 0.1 per cent of the core inventory could be avoided with a probability higher than 95 per cent, conditional upon core melt (defined as attainment of a cladding temperature higher than 1200 C). Obviously, no single events of very low probability were considered, such as a pressure vessel explosion due to a mechanical defect. A similar criterion was adopted in Sweden. Among the proposals at this time was one that concerned a preventative system for the voluntary depressurization of the primary system in pressurized water reactors (PWRs) and for the passive injection of water into the primary system for about 10 hours. This core rescue system (CRS) could decrease the core melt probability by a factor of at least 10. The system was proposed as a modification of the design chosen for the Italian Unified Nuclear Design, but was not considered necessary by the designers at that time. A few years later, the designers applied it, with modifications, to the passive reactor AP 600. Another reactor design (this time German) has a similar system. The voluntary primary system depressurization has subsequently been adopted by all the more modern PWR designs, such as the European Pressurized Reactor (EPR) and the System 80.

1-2-4. The Chernobyl accident and after In my opinion and the opinion of other experts, there were two primary causes of the Chernobyl tragedy. The first was that although the plant was certainly very good from a production point of view, it had been designed with excessive optimism as far as


safety was concerned. Indeed, in some operating conditions (low power, low steam content in the pressure tubes) the reactor was very unstable, in the sense that an increase in power or a loss of coolant tended to increase its reactivity, increasing the power auto-catalytically. In this way, the destruction of the reactor and of the plant could be initiated. Moreover, with completely extracted control rods (a situation forbidden by the operating procedures), the potential instability was more severe and, additionally, the use of the scram acted as an accelerator and not as a brake in the first moments of the rod movement (an ‘inverted scram’). The second fatal circumstance was that the operators were working, on that night in April 1986, in a condition of frantic hurry for various reasons. Although this reactor had been provided with leakproof and pressure resistant containment as a result of the prevailing changes in attitude already discussed, the containment did not include a significant portion of the reactor itself (a remarkable design decision). In particular, the fuel channel heads were directly put in a normal industrial building. A completely uncontained accident, therefore, happened. The reasons for the adverse design characteristics may have been financial (but expert opinion differs). The general lesson to be learned is always the same: no weak points compromising safety must be left in a plant. Human errors, as in the cases of TMI and Chernobyl, will succeed in finding them and will cause disasters and fatalities. I don’t believe, as some anti-nuclear people maintain, that ‘if an accident can happen, sooner or later it will happen’, however, experience indicates that accident possibility must be seriously considered during all the phases of the life of a nuclear plant.8 However, for the sake of completeness, it has to be said that the Chernobyl-type reactors were not well known in the Western world. The pertinent information was kept somewhat confidential because this reactor could potentially be used for plutonium production and therefore it was interesting from a military point of view.9 A confidential safety analysis of an RBMK reactor, similar to the Chernobyl one, was performed some years before the accident by a European design company. It concluded that this reactor, in many respects, did not meet the safety standards in use in the Western world. Copies of this safety analysis were

9

circulated among the experts after the Chernobyl accident. The Chernobyl accident, with its consequences (both local and afar) had not much to teach the Western nuclear safety engineers as the reactor’s shortcomings were all accurately known and avoided in their designs.10 Obviously, it was not possible to convince the public that such an accident could only happen in that specific design of reactor. In Italy, for example, some political parties exploited the evident fear generated in the population and, substantially, led the country towards the immediate and sudden dismissal of the nuclear source of power, with understandably prohibitive costs. In general, after Chernobyl and as a consequence of that accident, two ideas gained momentum:

Nuclear plant design, evolved by successive additions, had become too complicated and it was useful to think of simpler systems, based on concepts of passive rather than active safety. Accidents, even the most severe ones, should have modest consequences beyond the exclusion zone of the plant and so should require smaller emergency plans, especially concerning the quick evacuation of the population.

The USA was frequently against any simplification of its emergency plans in order not to change their well-established system of siting decoupled from the characteristics of the plants. This system, after all, was well accepted by the technical bodies and by the population. The concept of passive safety meant the use of systems based on simple physical laws more than on complex equipment. One example is represented by safety injection systems on water reactors which use gravity as a motive force and not pumps. This principle was, for example, adopted in the passive PWR AP600, certified by the NRC in 1999. It comprises a voluntary fast depressurization system of the primary circuit and the provision of a water reservoir in the containment located at an elevated position with respect to the reactor vessel. Passive cooling of the containment was also incorporated in the design. Evidently, however, neither of these new concepts nor the industrial weight of the NRC certification are sufficient to immediately convince the investors because, up to now (2005), no new AP600 has been ordered.

10

Nuclear Safety

A weak point of this concept has always been the reduced power and its consequent bad scale economy. The 600 MWe rating was initially chosen on the basis of a poll among the US utilities on the basis that this was the preferred size of a power station (lower financial risk and correspondence with the dimension of the electric grids served by the single utilities). The designers thought that they could in any case be competitive because of the use of passive components (i.e. with a reduction of installed components) and because of a general simplification of the plant. It seems now that this objective can be more easily reached by the AP1000 design (namely with a power of 1000 MWe), whose design has been recently (2004) approved by the NRC. A design where the passive safety has been adopted with a higher degree of caution but with a strong tendency towards the reduction of emergency plans is the French–German EPR of approximately 1400 MWe, where many precautions against severe accidents have been taken (e.g. molten core containment structures, ‘core catchers’, multiple devices for the quick recombination of hydrogen, voluntary primary system depressurization, etc.). New concepts based on passive safety presently under study are the Pebble Bed Modular Reactor (PBMR – gas cooled, high temperature, helium operated, direct cycle turbine generators) supported by an international group based in South Africa, the IRIS reactor (a PWR with steam generators integrated in the reactor pressure vessel) and the already mentioned AP1000. Other concepts still under study but already proposed exist.AR152, AR244 As usual, the future is difficult to forecast, however, when nuclear energy will be unquestionably necessary, it will be generally accepted. The investors will not have the continuous concern of its competitiveness, and the safety of the plants, which is already at a very good level, will be still more guaranteed.11

References Bourgeois, J., Tanguy, P., Cogne´, F. and Petit, J. (1996) La Surete Nucleaire en France et dans le Monde. Polytechnica, Paris. Di Nunno J., Baker, R.E.D., Anderson, F.D. and Waterfield, R.L. (1962) ‘Calculation of distance factors for power and test reactor sites’, USAEC, TID-14844.

Glasstone, S. (1963) Nuclear Reactor Engineering, Van Nostrand, Princeton, NJ. US Code of Federal Regulations (2004a) ‘Part 100: Reactor Site Criteria’, US Government. US Code of Federal Regulations (2000b) ‘Part 50.46: Acceptance Criteria for Emergency Cooling Systems for Light Water Nuclear Power Reactors’, US Government.

Chapter notes 1 What radiation dose did Fermi and the other scientists absorb during the first criticality? Taking into account that the reactor was kept in a critical state for roughly half an hour and that the power was equal to about 0.5 W, an order of magnitude evaluation using current data [Glasstone, 1963] shows that the dose due to neutrons and to gamma rays was of the order of 10 Sv (1 mrem); very low indeed. 2 According to a number of experts, in particular from the former USSR, this situation is not to be viewed as the outcome of a more rigorous attitude in the West than in the East. There were different safety philosophies in East and West: the former focused on accident prevention without much care of the high cost (at least in the case of VVER reactors), the latter focused more on mitigation of accidents, with a strong effect on the results from cost–benefit considerations. The debates on relativism in philosophy (ethics or epistemology, for example) have some similarity with these arguments. Indeed, relativism has not to be identified, as some of its critics say, with the thesis that all points of view are equally valid, but with the thesis that one thing (moral values, beauty, knowledge, taste, meaning and nuclear safety criteria, too) is relative to some particular framework or standpoint (e.g. the individual subject, a culture, an era, a language or a conceptual scheme). Moreover, no standpoint is uniquely privileged over all others. With these kinds of highly controversial similarities, it is easy to understand that any attempt to resolve the issue by discussions may scarcely be productive and that only the future will indicate where the relative merits are higher. 3 This method of defining the accidents to be considered in the design was subsequently named the ‘deterministic method’, to be distinguished from the ‘probabilistic method’ based on the evaluation of the probability of the various accidental events. Presently, however, the choice criteria are generally a combination of the two approaches. 4 ‘Pipes leak, pipes crack, pipes are corroded, but pipes don’t break’, one of the senior US industry engineers used to repeat. And indeed, in the light of subsequent ‘experience’ (now equivalent to more than 10 000 reactor-years of operation) very few guillotine breaks of large pipes have happened. Moreover, most of these cases have not


11

Isolation valve

Normal cooling line Pressure channel

Emergency injection line

Figure 1-2. Sketch for a discussion on a break in a pressure tube reactor.

happened in primary pipes, but in pipes not submitted to the most stringent design and operation practices (periodic inspections and so on). Only two cases have happened in two feed-water pipes, weakened by erosion. On the other hand, the figures based on the assumption of a complete break of the largest pipe in the plant affords protection from a number of different events not explicitly considered, such as the flange bolts breaking in large valves (several cases of ‘near misses’ of this kind have happened), the partial rupture of pump casings caused by rotor failure, etc. 5 Towards the end of the 1960s, two eminent nuclear designers discussed with a safety reviewer the pipe rupture assumptions for a pressure tube reactor under design. The technical problem under discussion is sketched in Figure 1-2. If the cooling water pipes ruptured, the designers declared that the cooling of the fuel contained in each pressure channel was ensured as a valve at the inlet of each channel (shown in the drawing) would be closed in order to force the emergency cooling water to flow into the channel and to cool the fuel before reaching the rupture point and spilling into the containment. When the safety reviewer pointed out that this design objective would not be reached if the rupture had happened in the position marked with an X, their answer was ‘Safety is not a game with rigid and meticulous rules, sir! More room should be left to technical judgement!’ It has to be appreciated that in the nuclear safety profession everybody knows that an accidental break has to be assumed at every location on every pressure pipe and that, in these conditions, the plant must continue to be safe; so, it is ridiculous that somebody tries to resort to the difference between nuclear safety and a game in order to justify a departure from this rule concerning the break location. Many years afterwards, this sentence came again to my mind after the TMI accident in which the only rupture position for which the primary water loss could have created the situation of an ‘empty pressure vessel and filled up pressurizer’ which totally confused the operators and induced them to shut off the emergency injection system was precisely the one which happened, namely at the top of

the pressurizer. This anecdote is representative of a state of mind prevalent in the industry in the period of time up to the TMI accident, that is that the current accident assumptions were excessive so that their implementation could be rather flexible without adverse consequences. 6 The reference, in the US criteria, to 250 mSv total body and 3 Sv thyroid doses may be intriguing for some people. Indeed, nowadays, no acceptance criterion includes such high figures: the effective dose limits for design basis accidents (credible accidents) are 10 to 100 times lower. Indeed, in the 1950s and 1960s, the figures adopted in the US criteria were officially considered as maximum tolerable doses for serious accidents. Over time, however, progress in radiation protection knowledge has brought about an additional decrease in the tolerability limits, therefore the figures initially adopted in the USA have become ‘completely conventional numbers’, losing their (uncertain) original physical–biological meaning. The question arises as to why these figures have not been updated. Here, as in many other cases in the nuclear safety field, perhaps the consideration has prevailed that any reduction of the limits could be interpreted as a disapproval of already built and operating plants, for which the original figures were adopted. The site criteria have, however, always been thought to give acceptable protection to the population. 7 Two things are surprising when the operating experience of nuclear plants is considered. The first one is the astonishing coincidence of different adverse facts which is at the origin of many serious accidents (TMI and Chernobyl included). The second is the surprising intervention of resolving factors in sequences of events already well advanced in their progress towards a disaster (the Browns Ferry Fire (Alabama, 1975), many discoveries ‘at the last minute’ of very dangerous cracks in pressure vessels, and so on). It is thought that the motivation of many of these surprising events is the presence of a special atmosphere or mindset in the group of people responsible for the construction and the operation of a plant. This atmosphere can be either favourable or adverse to safety. Perhaps, the

12

Nuclear Safety

possible presence of it should be in some way considered in probabilistic analyses as a ‘concurrent event’ of any accident studied. As an example, letting our imagination wander, the initiating event ‘small pipe break’ could be studied in coincidence with ‘hectic atmosphere because of the need to conclude an operational phase or a test’, with a probability which now could be estimated of the order of 10 per cent. Obviously, the practical answer to these remarks is ‘prevention’, namely the strengthening of Defence in Depth and of Safety Culture. 8 The forgotten safety criterion: Many safety criteria have been discussed and written about, but one which requires that a nuclear plant should never be constructed and operated in haste has not been proposed yet. Perhaps, more than one criterion is involved here. For example, one of the specific requirements might be that ‘no nuclear plant can operate if its power is essential to the grid’, as happens when reserve energy is not available to allow it to be stopped in cases of unforeseen events, emergencies, or to perform inspection, maintenance or tests. In the case of Chernobyl, the existence of a similar criterion would have allowed the power station superintendent to oppose the request to continue to operate beyond the programmed time. Obviously, such a criterion could be opposed by the strong supporters of the cost convenience of nuclear energy. I think, on the contrary, that without subtracting anything from the great merits of nuclear energy, a more realistic attitude is necessary. A good example in which a plant was operated for production needs with a lack of power reserve in the grid, against the opinion of many experts, happened between 1995 and 1996 (American Nuclear Society, 1996). In that period, a power station was operated in various months in order to support the power demand during the winter period, despite strong doubts about the strength of the reactor pressure vessel (presence of cracks and doubts on the possible excessive neutron embrittlement of the vessel material). These doubts were expressed by a group of European specialists, which opposed the continuation of the plant operation. What the most pessimistic people feared did not happen but, for those knowing the facts, it was a worrying situation: the burst of a reactor pressure vessel of a water reactor must be absolutely prevented within reliable safety margins, as it can give rise to an accident of the severity of the Chernobyl one. 9 At the time when Finland was planning its first nuclear power station, because of existing commercial agreements, technical experts contacted Russian experts in order to explore the possibility of the supply of a Russian-designed reactor. When, during one of the meetings, the Finn responsible for nuclear safety and the Russian responsible

for the peaceful use of nuclear energy were discussing the various types of reactors available, the RBMK reactor (the Chernobyl type) was considered too. The Finnish expert asked for a copy of the safety report of this reactor, but the Russian answered that the safety report could be provided only to the buyers of the reactor. The Finn persisted, saying that Finland seriously intended to buy, but received a final answer that this type of reactor could not be sold outside the Soviet Union (for national security reasons). 10 The major lesson which was learnt from the Chernobyl accident was that it was demonstrated that a catastrophic accident could have consequences up to distances not yet imagined before. In this connection, it is not completely true, as many people have said, that the dispersion of the releases up to great distances was due solely to the upward propulsion caused by the explosion and by the fire of the reactor. The very large quantity of radioactive releases was the primary factor, although with an additional contribution by the explosion/fire phenomenon. 11 The symptoms of an illness might be around us, a desire to disregard past experience of accidents, which, if it should continue to grow, might really impair the safety of nuclear plants. On the one hand, a past WANO (World Association of Nuclear Operators) president has publicly declared, from his special observation point, that the interest in the lessons of experience is decreasing among operators. On the other hand, discussions with some designers of specific countries indicate that the pre-TMI accident mindset is surfacing again, exemplified by self confidence and optimistic bias. Moreover, some plant operators have stated with annoyance that after more than twenty years since the TMI accident, people still keep on studying it and that it is time to forget because what had to be learnt has been learnt already. These are all wrong attitudes because keeping alive the memory of the lessons of the past will avoid the carelessness that has caused the accidents in the first place. It is just as important to extract lessons from lesser incidents, those ‘semi-accidents’ which could have evolved into a disaster. In this field, the NRC keeps records that include the evaluation and publication of results. The media, too, can strongly contribute to the progress of safe nuclear energy. It is not necessary for it to always praise its virtues, but it should give special attention to the exactness of the news given and avoid emotive reporting, in particular as far as the gravity of the small accidental events which continuously happen in every industrial plant and therefore also on nuclear plants. As a reaction to sensationalism, the stakeholders in the nuclear industry react with a confidentiality policy which is detrimental to the progress of safety.

Chapter 2 Inventory and localization of radioactive products in the plant

One of the primary objectives of nuclear safety is to contain within the plant the radioactive products there present. It is, therefore, essential to know the amount and the normal location of these products. Almost all the radioactive products are contained in fuel located in the reactor itself or in used fuel which is still stored at the plant, in the spent fuel pool or, less frequently, in dry containers for temporary storage. Table 2-1 lists the half-life and total radioactivity for the nuclides in a 1000 MWe water reactor in equilibrium conditions (that is after a certain operation time). At the start of the operation, the amount of some nuclides with a long half-life continuously increases until it reaches, after several months, a practically constant saturation level. For the preliminary evaluations of the consequences of accidents, it is usually sufficient to consider the doses due to:

noble gases (direct cloud radiation dose); iodine (inhalation dose); caesium (mainly long-term doses due to radiation from the radioactivity deposited on the ground – ‘ground shine’); tritium (fusion machines and specific reactors), plutonium (fall of satellites, fuel treatment plants which handle plutonium).

The nuclides are grouped according to a criterion adopted in many ‘source term’ (complex of external releases in an accident) studies. This classification takes into account important factors in the release evaluation, such as the volatility of the element or its probable compounds and their chemical/physical properties.

In a rather indicative way, it can be assumed that if in an uncontrolled (severe) accident X per cent of the noble gases inventory is released, the releases of iodine and of caesium may reach 0.1X per cent, and the releases of other products roughly the 0.01X per cent. Each conceivable accident, however, has specific aspects which may strongly alter these indicative percentages, here mentioned in order to give an average measure of the natural release potential of the various isotopes. The radioactive products contained in the fuel are normally located in the sinterized uranium dioxide of the reactor fuel (the uranium dioxide fuel is shaped into pellets, roughly 1 cm in diameter, inserted in long zirconium alloy (zircalloy) cylinders). The matrix of these cylinders (roughly 40 000), grouped in bundles to form the fuel elements, is the reactor core. A fraction ranging from 0.5–5 per cent (USNRC, 1992) of the more volatile radioactive products (noble gases, iodine, caesium) is contained in the gap between the uranium pellets and the containment cylinder (cladding). For sake of conservatism, however, sometimes the accident release evaluations are made assuming that this percentage is equal to 10 per cent (this is the value suggested, for example, by USNRC Regulatory Guide 1.25 on fuel element drop accidentsAR316). During accidents without core melt but entailing a severe threat to the fuel (of a mechanical and/or thermal nature), these radioactive products may escape from the fuel and be released to the primary system. In general, it is assumed that at least noble gases, iodine and caesium are released in this way. 13

Table 2-1. Nuclides, half-life and radioactivity for a 1000 MWe PWR Radioactivity

Noble Gases

Krypton

Xenon Iodine

Iodine

Caesium & Rubidium

Caesium

Tellurium & Antimony

Rubidium Tellurium

Antimony Alkaline Earths

Strontium

Volatile Oxides

Barium Cobalt Molybdenum Technetium Ruthenium

Non-volatile Oxides

Yttrium Zirconium Niobium Lanthanum Cerium

Praseodymium Neodymium Neptunium Plutonium

Americium

18

Nuclide

Half-life (days)

(Bq 10 )

(MCi)

85

3950 0.183 0.0528 0.117 5.28 0.384 8.05 0.0958 0.875 0.0366 0.28 750 13 11 000 18.7 0.391 109 0.048 0.34 1.25 3.25 3.88 0.179 52.1 11 030 0.403 12.8 71 1920 2.8 0.25 39.5 0.185 366 1.5 2.67 59 65.2 0.71 35 1.67 32.3 1.38 284 13.7 11.1 2.35 32 500 8.9 106 2.4 106 5350 1.5 105

2.072 0.888 1.739 2.516 6.290 1.258 3.145 4.440 6.290 7.030 5.550 0.2775 0.111 0.1739 0.00096 0.2183 0.0407 1.147 0.1961 0.481 4.44 0.2257 1.221 3.478 0.1369 4.07 5.92 0.02886 0.01073 5.92 5.18 4.07 2.664 0.925 1.813 0.1443 4.44 5.55 5.55 5.55 5.92 5.55 4.81 3.145 4.81 2.22 60.68 0.002109 0.000777 0.000777 0.1258 0.0000629

56 24 47 68 170 34 85 120 170 190 150 7.5 3 4.7 0.026 5.9 1.1 31 5.3 13 120 6.1 33 94 3.7 110 160 0.78 0.29 160 140 110 72 25 49 3.9 120 150 150 150 160 150 130 85 130 60 1640 0.057 0.021 0.021 3.4 0.0017

Total activity (EBq) 193

Total activity (MCi) 5202

Kr 85m Kr 87 Kr 88 Kr 133 Xe 135 Xe 131 I 132 I 133 I 134 I 135 I 134 Cs 136 Cs 137 Cs 86 Rb 127 Te 127m Te 129 Te 129m Te 131m Te 132 Te 127 Sb 129 Sb 89 Sr 90 Sr 91 Sr 140 Ba 58 Co 60 Co 99 Mo 99m Tc 103 Ru 105 Ru 106 Ru 105 Ru 90 Y 91 Y 95 Zr 97 Zr 95 Nb 140 La 141 Ce 143 Ce 144 Ce 143 Pr 147 Nd 239 Np 238 Pu 239 Pu 240 Pu 241 Pu 241 Am

Chapter 2 Inventory and localization of radioactive products in the plant

Even during normal operation, the primary coolant contains a certain amount of radioactivity, partly due to nuclides formed by the irradiation in the core of elements dispersed in the coolant (oxygen, hydrogen, cobalt, iron, etc.) and partly due to the presence of defective (fissured) claddings in the core which let a part of the gap inventory escape into the coolant. The concentration of radioactive products in the water depends on the entity of fissures (in general, it is assumed that 1–2 per cent of the elements have fissures) and on the effectiveness of the primary water purification system. The degree of contamination of the primary coolant by iodine-131 (the most significant isotope) normally assumed in the study of accidents is equal to roughly 104–105 Bq g 1, corresponding to a total of the order of tens of terabequerels for the whole primary system (i.e. hundreds of curies). For iodine-131 (the same considerations are valid for caesium), the effects of the phenomenon of ‘iodine spike’ are, in addition, taken into consideration (this is an increase in the release of these radioactive products from the fissured fuel rods caused by power variations). The phenomena involved are connected with the ingress and subsequent exit of water through the gap and with likely fracturing of the fuel matrix. Guidance on figures to be used can be found in USNRC (1996). The normal values are:

A factor of 50 on the normal iodine content in the primary water (that is up to a total of 100–1000 TBq for all the primary system).

15

A factor of 500 on the rate of release of the iodine from the fuel, whose order of magnitude can be, for each fissured rod, 10 4–10 3 TBq h 1. A peak time duration of 1–5 hours.

Radioactive products are present in decay storage tanks for gases extracted from the primary water before their release to the atmosphere. Not all the plants use these tanks since the decay of waste gases is frequently obtained by delay lines that temporarily adsorb the gases on activated carbon. Where decay tanks are used, a rupture of one of them is serious. The total inventory of the stored gases is subdivided in several (typically eight) tanks. The most relevant external doses are those connected with the irradiation from the cloud of noble gases, whose total inventory may be of the order of 104 TBq. For completeness, although the accidents discussed may have minor consequences, it must be added that other radioactive products are contained in the plant, mainly in the form of solid waste.

References USNRC (1996) ‘Standard review plan for the review of safety analysis reports for nuclear power plants’, NUREG-0800. USNRC (1992) ‘Accident source terms for light-water nuclear power plants’, NUREG-1465.


Chapter 3 Safety systems and their functions

3-1. Plant systems By necessity, a nuclear power plant is composed of the parts required to generate electric power (the ‘process’ parts or systems) but also of a complexity of safety systems. The name ‘safety systems’ here indicates all those systems which are not strictly necessary to the plant operation or to health protection under normal conditions, but rather to those

that prevent the progression of accidents and therefore avert the large release of radioactive products. Accident prevention is a major activity of designers, operators and control bodies. Figure 3-1 will remind the reader of the components of a typical pressurized water reactor (the PWR – the most common design in the world). The process components are: the reactor (R) itself, where the nuclear chain reaction takes place and the Primary containment

Secondary containment

Secondary circuit S Steel liner

V

Spray

V

T G

SG

Cooling

C

PR AC

V

Pump Filtered suction

CR A

Primary circuit

F

I

R EC Foundation

Figure 3-1. Simplified schematic of a pressurized water reactor (PWR). 17

18

Nuclear Safety

heat is produced which will finally be transformed into electric energy; the steam generator (SG), where the heat is used to produce high pressure steam; the turbine (T), where the steam energy is transformed into mechanical rotation energy; and, finally, the electric generator (G), which produces the electric energy to be supplied to the grid. As can be seen in the drawing, the process fluid, that is water in the form of liquid or vapour, circulates in two distinct systems, the primary and the secondary system, which mutually exchange heat in the steam generator. Another important component of the primary system is the pressurizer (PR), whose function is that of an expansion volume and of a pressurization component. The latter function being obtained by electric heaters. The pressurizer keeps the circuit water at a higher pressure than its saturation pressure, thereby suppressing the steam production in the primary system. (The pressurizer was significant in the Three Mile Island (TMI) accident.) The safety systems have three main objectives: the quick emergency shutdown of the chain reaction; the emergency cooling of the reactor after shutdown; and, finally, the containment of radioactive products after their accidental release from the reactor. The quick shutdown is obtained by the insertion, by gravity, of control rods (CR) in the reactor and, as a backup, by the injection of a liquid neutron ‘poison’ (boron) in the primary water. The emergency cooling of the reactor is necessary because the radioactive products accumulated in the nuclear fuel continue to generate heat after the shutdown of the chain reaction (decay heat) (see Figs 3-2 and 3-3). The emergency cooling systems are both passive ones (that is those practically without moving components, such as pumps) and active ones. By way of examples, Figure 3-1 shows a passive system (accumulators, AC, kept under pressure by compressed nitrogen) and an active system (I). The containment comprises a combination of special buildings and engineered systems. The figure shows a complete ‘double containment’ system, similar to those adopted in many countries. In this design, an internal reinforced concrete building, strong enough to resist the accident pressure of the worst design basis accident, is internally lined by steel in order to guarantee optimum leakproof characteristics (primary containment). Isolation

valves (V) will close in case of accident, always for leak proofing reasons. The first building is enclosed in another reinforced concrete building (secondary containment) in order to further improve the retention of radioactive products and the shielding from direct radiation; it has also the function of affording protection against external impact events. The area between the two containments is kept at a negative pressure with respect to the external environment by means of filtered suction systems (A and F). The primary containment is provided with cooling and water spray systems in order to decrease, in case of accident, both the internal pressure and the amount of free radioactive products.

3-2. Safety systems and accidents The safety systems are designed to cope with a set of accidental events (design basis accidents or DBAs), either originating inside the plant or outside it. This set also includes events of such a low probability that their occurrence during the life of the plant should not be feared. As an example, the following events are included within the DBAs: an instantaneous guillotine break of the largest pipe of the primary circuit; the sudden expulsion of a control rod from the core; and the maximum potential seismic event on the plant site. An accident at a nuclear power plant can be caused by many combinations of anomalous initiating event, malfunction and human error. The types of possible accidental situations are studied in the specific safety analysis of each plant and the safety systems described above are designed to prevent, or mitigate the effects of all the accidents chosen as DBAs. Table 3-1 provides an approximate indication of the effectiveness of various safety systems in limiting external releases in a typical loss of coolant accident (the break of a large primary circuit pipe). The figures are for the release of iodine-131 (often assumed as the reference isotope in indicative evaluations of ‘source terms’ and for a 1000 MWe reactor). As can be seen, the reduction of the releases caused by the safety systems is very significant and corresponds to a factor of the order of one million. The study of the safety of a plant is not, however, limited to the study of the serious and unlikely design basis accidents. For many years, the most serious

19

4 Mw

Kg/sec

Kg/sec

Burning kerosene

Kcal/sec 25000

Vaporizing water

Percent of nominal power


100

90 3

20000 80

40

2

70 30

15000 60 2 50 10000

20

40

1

30

1 5000

10

20

10 0.1 10E2 (=100)

1000 10E3

10E4

10E6 10E5 Time after shutdown [sec]

1hr

10hr

1d

7d

Figure 3-2. Decay power for a 2775 MWt reactor (10% over best estimate). accidents, named ‘severe accidents’ have also been the subject of studies and research. Some definitions of safety criteria (IAEA Safety Criteria and EUR Requirements) specify a third class of accidents that lies between the two already mentioned. These include:

operating transients without scram (ATWS); complete loss of alternate electric power in the power station; containment bypass accidents.

This class does not require the same conservative design provisions required by DBAs (high safety margins for mechanical strength, strict quality assurance requirements, etc.). However, substantial core integrity is required as a consequence of the implementation of accident management measures. The main reasons for the general interest in severe accidents are primarily the intention of improving the protection of the plant by its extension to the field of the most serious accidents, and the need to know

Nuclear Safety

Full power seconds

Mwh

10E9

Kg

1000 1000

10E8

10E6

Kg

Burning kerosene

Kcal

Vaporizing water

20

10E5

10E4

100 100 10E5

10E7

10E3

10 10 10E4

2*10E6 10E2 (=100)

10E3

10E4

1hr

10E5 10E6 Time after shutdown [sec]

10hr

1d

7d

Figure 3-3. Decay energy for a 2775 MWt reactor.

phenomenologies and probabilities of these accidents in order to perform less uncertain evaluations of the global risk of a plant (probability risk assessment or PRA) of the type of the famous Rasmussen report. What are the possible causes, the typical phenomena and the possible course of events in a severe accident? Here, a concise and necessarily incomplete description will be attempted. The typical sequences entail damage and melt of the core, interaction of the molten core with the pressure vessel and afterwards with the containment floor and, finally, perforation of the containment itself.

The damage and the melt of the core may happen for two reasons only, notwithstanding the large number of the possible sequences:

the late or missing shutdown of the chain reaction, when required; insufficient decay heat removal from the reactor.

For PWRs, in particular, the decay heat dominates the stage in severe accidents. Figure 3-2 illustrates the behaviour of the decay power with time for a 2775 MWt reactor. It shows the correspondence between this power and the amount of


Table 3-1. An example of the effectiveness of safety system. Release of (current reactors) Location

Activity (TBq)

Safety systems

In core In the gaps

3.5 106 3.5 104

Primary containment

3.5 103

Secondary containment

1.8 102

Environment

21

131

I due to loss of coolant

Effect

fast shutdown; emergency cooling.

Prevent releases from the fuel matrix and decrease releases from the gaps (dissolution, plate out).

primary containment; removal and cooling systems.

Leak proof: reduction factor of 20 for a 0.5% leakage per day and 10 days of pressurization.

secondary containment; activated carbon filters.

Segregate radioactive products.

1.8–18

water which could be evaporated per second by it (the corresponding amount of equivalent burnt kerosene per second is also shown). As can be seen, after a few hours, a really small flow rate of water is sufficient to cool the core (about 10 l s 1, that is the normal flow rate of a 50 mm diameter pipe). Contrasting this is the transient situation of a reactor where the rupture of a large diameter pipe has occurred (a large loss of coolant accident or LOCA). In this case the reactor vessel quickly empties (in a few tens of seconds) and therefore it has to be quickly refilled in order to keep the core covered and therefore adequately cooled. In this situation, it is essential that the emergency cooling systems have large flow rates (of the order of thousands of litres per second). The ‘re-flooding’ of the core places the largest flow rate demand on the safety injection systems. The first consequences of uncontrolled overheating of the core are the fissuring of the fuel claddings (at about 1073–1173 K (800–900 C)), while their normal operating temperature is about 623 K (350 C)) and their subsequent oxidation reaction with water or with steam (above 1473 K (1200 C)) which generates heat and hydrogen. It has to be remembered that, during their life in the reactor, the fuel tubes become significantly pressurized because of the development of fission gases inside them (up to several tens of atmospheres) and, therefore, once fissured, they tend to quickly release to the outside (if the reactor pressure is low, as in many accidents) all the accumulated volatile products.

The amount of hydrogen which can be generated by a normal size reactor may reach 700–800 kg: a very large quantity! The most severe hazard caused by hydrogen release is that it will be released, sooner or later according to the conservative assumptions made in severe accident studies, into the primary containment atmosphere where it may cause, in the presence of air, explosions or relatively slow combustion. In both cases, the internal pressure in the primary containment will increase and its integrity will be endangered. The containment safety margins against internal pressure are, however, normally high.1 If the accident is allowed to progress in an uncontrolled way, the temperature of the reactor core will continue to increase and it can be assumed that at about 1973 K (1700 C) the not yet oxidised, zircalloy claddings will melt, and at about 3073 K (2800 C) the uranium oxide pellets will melt completely. The liquid mass that could be formed in this way (named ‘corium’) collects on the bottom of the reactor vessel and may perforate it as the generation of decay heat continues. The TMI accident progressed up to the threshold of this event, without trespassing it, however. A large quantity of molten and re-solidified ‘corium’ was indeed found on the bottom of the vessel, which, however, was not perforated. Once the base of the vessel has been breached, the corium could pour on the bottom of the primary containment, usually made of a very thick layer of reinforced concrete (1–5 m). On contact, any water residing here would be vaporized increasing the pressure inside the containment.

22

Nuclear Safety

Today a ‘steam explosion’ under these conditions (the sudden contact and physical interaction of high temperature corium with water on the containment bottom) is generally thought to be very unlikely and, perhaps, physically impossible, at least not of such a magnitude to cause the rupture of the containment. Contact between the corium and the containment concrete is, on the contrary, certain. The chemical– physical attack of the concrete itself with the consequent production of gases (even of explosive ones, such as carbon monoxide and hydrogen) raises the possibility of perforation of the containment wall. Gas production and combustion, and the continued production of heat from the corium will necessarily cause the pressure to increase within the containment up to its rupture value (2–4 times the design pressure), unless the perforation of the containment floor, due to the concrete attack by the corium, intervenes first. This typical scenario is the one foreseen under the extreme assumption of a lack of any intervention able to stop the progress of the accident in the time period from its inception up to the rupture of the containment (which is expected to happen after 20 hours to 5 days, depending on the specific characteristics of the plant). The time periods indicated here refer to a reactor which had operated continuously for a long time before the accident. More than 400 civilian power reactors operate in the world today and they have altogether accumulated more than 10 000 reactor years of operation. The principal accidents which have occurred are the TMI accident (1979) and the Chernobyl accident (1986). The accident at the experimental Windscale reactor (1957, see Chapter 20) is also an interesting reference for the study of the consequences of serious accidents. The TMI accident (see Chapter 1) was due to a relief valve on the pressurizer (indicated S in Fig. 3-1) remaining stuck open during a normal plant transient. The operators didn’t become aware for hours of this opening in the primary circuit because they had, from the available instrumentation, contrasting indications about the level of water in the circuit itself. Indeed, the pressure and temperature instruments indicated that the water in the core was boiling, while the level instruments in the pressurizer indicated a primary circuit full of liquid. In deciding what to do, they made the wrong choice and believed the level instrumentation.

Consequently, they blocked the emergency water injection systems which had been automatically actuated. The core overheated and partially melted. The releases were negligible from the health protection point of view because of the presence of an effective containment. The fact that TMI didn’t result in a public health catastrophe has to be ascribed to the Defence in Depth principle systematically adopted as Western safety practice. The concept provides multiple redundant and diverse barriers against radioactive releases, well beyond what could be thought strictly necessary. TMI showed that this principle offers protection against the unforeseen and the unknown possible events. Chernobyl, on the contrary, is an example of what can happen if a completely opposite principle is applied, that to do only what is necessary for safety. In RBMK reactors, like the Chernobyl reactor, the safety margins were not stringent enough. For example, the plant had a containment system for the primary circuit but it was only partial: the reactor itself, and in particular the fuel channel heads, were not included in it. The designers thought that it was sufficient only to install protective monitoring instrumentation. Figure 3-4 shows the containment for a typical 900 MWt PWR and the Chernobyl reactor containment. In addition to the Chernobyl design deficiencies, there was evidence of human error and the voluntary violation of safety rules, both for production reasons and in the incorrect appreciation of the real danger. Chernobyl can with good reason be considered representative of the maximum possible accident to a power reactor. Unfortunately, the abundant information supplied by the designers does not allow us to conclude that the corrective measures adopted in other reactors of the same type (about 20) are sufficient to rule out the danger of another severe accident, possibly with different modalities. The accident, indeed, has highlighted a dangerous vulnerability of this type of reactor, which is generic in nature, and which is not specifically tied with the sequence of events that happened at Chernobyl in 1986. In particular, a weak point of the reactor is its upper closure plate, to which 1700 fuel channels and the control rods are fastened. There is no containment present above the plate: a major hazard during possible accidental internal over-pressurization of the reactor.


PWR

23

CHERNOBYL

60 m

Light upper containment

Figure 3-4. PWR containment and Chernobyl (RBMK 1000) containment (roughly to the same scale).

Figures 3-5 and 3-6 show the significant differences between the dynamics of the Chernobyl and the TMI accidents. Figure 3-5 illustrates the crucial phase of the Chernobyl accident and shows how it essentially comprised an uncontained ‘explosion’ of the reactor. Figure 3-6 shows the damaged state of the TMI-2 reactor core and vessel after the accident, and results from many years of research (OECD, 1993). As can be seen, in the case of TMI-2, and unlike Chernobyl, a slow ‘core melt’ took place, without explosive phenomena and with the absence of intrinsic instabilities. The following, also derived after many studies, gives a quantitative measure of the sequence of events in the same accident:

0–100 minutes: Loss of coolant and core exposure; 100–174 minutes: Start of core damage; 174–180 minutes: Temporary operation of the primary pump; 180–224 minutes: Prolonged heating-up of core; 224–226 minutes: Displacement of core material; 226 minutes: Stabilization of the debris.

It is possible to classify the types of significant accidents on a scale of increasing severity and, on the basis of available data, assign to them orders of magnitude of releases and of probabilities (see Table 3-2). The download file, DRYCORE (on this book’s companion website, http://books.elsevier.com/ companions/0750667230) provides some data and

methodology for evaluations on a barely refrigerated or completely dry core. These methods help, for example, in evaluating the time to the start of melt down after shutdown of a core (or part of a core) without refrigeration.

3-3. Future safety systems and plant concepts 3-3-1. General remarks The nuclear reactors now operating incorporate both passive and active safety features (see pp. 9 and 26). For example, reactors have a passive limitation of power excursions through a negative power coefficient of reactivity, which is, for most of them, the outcome of the early recognition that a power excursion might be difficult to limit in the presence of self-enhancing dynamic reactor features. On the other hand, most reactor emergency cooling systems are active. The variety of solutions does not reflect a precise choice in the early days of nuclear power towards active or passive systems, rather it reflects the best choice for the designers of that time. Passive and intrinsic safety solutions were adopted when they were recognized as being effective and economically convenient. Moreover, the fundamental safety functions required in a nuclear reactor are limited to reactor shutdown, reactor and containment cooling, and containment of radiotoxic

24

Nuclear Safety

Figure 3-5. The destruction of the Chernobyl reactor. products. The most natural engineering solutions for these functions were in general adopted, with obvious variations, in all of the reactor designs developed. With the passing of time, in depth safety studies and data from operating experience both tended to widen the safety requirements beyond those originally devised. Plants became more complex and some

of the passive safety features originally present tended to disappear. This is evident, for example, in containment cooling, which was originally entrusted to passive, natural mechanisms. The accidents at TMI and at Chernobyl, although, as discussed, different in many respects from one other, were equally rich in lessons in their applicable technical environment.


2B inlet

Upper grid damage

Coating of previously molten material on bypass region interior surfaces

25

1A inlet

Cavity

Loose core debris Crust Previously molten material

Hole in baffle plate

Ablated incore instrument guide

Lower plenum debris

Possible region depleted in uranium

Figure 3-6. The final configuration of the TMI core. (Reproduced from ‘Three Mile Island Pressure Vessel Investigation Project: Achievements and Significant Results’, OECD, 1993.) Additionally, the integral safety studies of typical plants (see Section 1-2), starting with the Rasmussen study, caused the technical experts to completely rethink the safety approach hitherto followed. Now the design engineers and operators were

convinced (or even more convinced) that accident prevention and mitigation in nuclear plants deserved very special attention: serious accidents could be avoided, but continued attention to safety in design and operation was warranted, including

26

Nuclear Safety

Table 3-2. A possible classification of accidents, their external releases and their probabilities (current reactors) 131

Types of accident A – Maximum design basis accidents (DBA) B – Maximum DBA (degraded safety systems) or accidents with partial core melt C – Severe accidents with quick intervention D – Severe accidents with delayed intervention E – Severe accidents without intervention

I release fractions

10 10

7 5

10 4 10 3 10 2–10

the consideration of important plant design alternatives. Some facts, in particular, became even more evident than before: firstly, the potential importance of multiple failures in complex safety systems and, secondly, the possible serious consequence of human errors. Hence, attention focused on passive safety systems and on inherent or intrinsic safety systems. These needed fewer auxiliary systems, they were simpler, with a lower number of parts which could potentially fail, and they did not require as much operator intervention as active systems. ‘Passive’ safety systems are defined as the operating safety features of structures and devices designed to counteract specific events without the reliance on mechanical and/or electrical power, forces or ‘intelligence’ signals external to the same structures and devices (Lo Prato et al., 1990; IAEA, 1991). These features should rely only on natural laws and the properties of materials, and should not require any human action. Different degrees of passivity exist, for example a safety system may operate without external power but may require some sort of active actuating signal. In this case, too, the system is deemed passive even if not to the full definition of the term. ‘Inherent’ safety means the elimination of hazard by choice of material or design concept, for example the elimination in a plant of any combustible material (if possible) would demonstrate inherent safety from the danger of fire. In the last few years, a great deal has been discussed on the merits of passive and intrinsic safety Although it is evident that a substantial research and development effort on simpler and less vulnerable nuclear plants is still warranted, it appears now more

1

Order of magnitude of the release (TBq)

Associated probability each year

0.3 30

10 5 10 5–10

300 3000 30 000–300 000

10 10 10

6

6 7 8

generally recognized that the best possible and safest plant, at this point in time, and one in which serious accidents can be avoided throughout all of its life, probably includes both active and passive features in an optimization perspective. Passive systems, although at first sight attractive for their simplicity, may have drawbacks (e.g. they are less powerful and slower in their action than their active counterparts). Moreover, their reliability is more difficult to evaluate. Safety system development in the process (mainly chemical) industry is somewhat similar where a number of TMI–Chernobyl-type of events have occurred, for example Flixborough, Seveso, Bhopal, and others. The Flixborough nylon plant accident in the UK (1974) was caused by an open-air explosion of a flammable gas released into the air. It killed the 28 plant employees present and caused extensive property damage in the surrounding area. The failure to perform a full technical assessment of a modification was given as the main cause of the event. The Seveso pesticide plant accident in Italy (1976) is well known for the dangerous release of dioxin due to poor plant safety features and to the underestimation of the possibility of a runaway reaction. The Bhopal incident in India (1984), at another pesticide plant, killed an estimated 4000 (although the total number is still unknown). This disaster was attributed to too large an inventory of toxic substances and to very poor staff attention to the operability of safety features. As in the nuclear arena, the process industry plant designs tended to grow bigger and bigger with time, becoming, therefore, more complicated and dangerous as a result of the large amounts of stored chemicals, and the need for complex modifications


and operating procedures. The accidents initiated a rethinking period pointing to the study of ‘more inherently safe’ plants. The wording chosen is indicative of the need to eliminate the wrong idea of a completely safe plant. The following two sections respectively explore some of the main ideas brought about by this rethink of safety in the nuclear and process industries.

3-3-2. Some passive safety systems for nuclear plants The passive systems and components discussed in the last few years range from complete reactor concepts to single components (Forsberg et al., 1989; Petrangeli, 1992). A rather arbitrary selection of a few of these proposals is presented in this section. They are all well-known concepts in the nuclear industry and they discussed here because they are considered among the most interesting ones. Passive plant reactors (e.g. the AP600W) are proposed future reactors that use the technology of current reactors, but include also significant changes in plant design and layout. Safety, in the event of an accident, depends on truly passive safety systems and on safety systems which are passive in operation although started up by a simple action such as valves opening. In the AP600, a passive cooling containment system (PCCS) is provided to remove heat from the steel reactor containment (Petrangeli, 1992). The operation of the passive safety injection system (PSIS) following a LOCA results in steam released from the reactor core being passively condensed inside the containment. Steam condensation reduces containment pressure. In the first instance, the PCCS comprises a large tank above the containment structure that allows the drain of water by gravity on the outside of the steel containment vessel. Secondly, the opening of air dampers supplies natural circulation air cooling of the external surface of the steel containment. The air and evaporated water exhaust through an opening in the roof of the shield building. The PCCS is capable of removing the thermal energy following a DBA so that the containment pressure remains below the design value with no operator action required for (three) days. The PCCS is designed to reduce containment pressure to less than one half its design pressure

27

within 24 hours following a LOCA. After three days, if there is no supply of water, the heat removal is assured by air alone with an increased pressure (up to about design pressure). In nuclear power plants, the containment is the final barrier that prevents radioactive release to the environment during accident events. Because of containment importance in mitigating the consequences of an accident, it is necessary not only to assess its integrity during an accident, but also to ensure that it is and stays leakproof after the accident has occurred. Typical allowable primary containment leakage rates lie in the range of 0.1–1 per cent of volume a day, but the operating experience sometimes has indicated ‘real-world’ values above these allowable limits. These are usually due to excessive valve or penetration leakage, valves or penetrations left open after testing, airlock failure, etc. Studies have been made on the following aspects:

containment leak proofing enhancement (e.g. improved choice of valve types, reduction of the number of penetrations, valves stems leakage reduction, etc.); the root causes of leak proofing degradation (e.g. debris reduction and deposition on valve seal surfaces and valves behaviour under severe accidents); the concept of a secondary containment to reduce the primary containment releases by hold-up, deposition, filtration, elevated release (e.g. a secondary containment that envelopes possibly affected buildings equipped with filtration systems); monitoring capabilities to detect pre-existing openings in the containment boundary (e.g. monitoring nitrogen leaks in inert containments).

The advanced light water reactor (ALWR) passive plants, employ safety grade passive decay heat removal (PDHR) systems in order to enhance the capability (relative to current plants) of maintaining the plant in a safe shutdown condition following non-LOCA events. The approach developed for these systems is founded on meeting the following requirements:

The PDHR system is employed for both the hot stand-by and long-term core cooling modes. This system can operate at full reactor coolant system pressure and places the reactor in the long-term cooling mode immediately after shutdown.

28

Nuclear Safety

The operation in the long-term cooling mode is automatic. The operation of the system does not require any a.c. power, either on- or off-site. The operation of the system does not require any pumps or valve operation once initial alignment is established. No make-up water is required for a period of at least three days following reactor shutdown. The systems are located entirely within containment.

The passive decay heat removal (PDHR) systems, however, do not have the ability to bring the plant to the cold shutdown conditions of 373 K (100 C). This is inherent in the passive heat removal process itself because heat removal is accomplished by heat exchangers located within a pool of water, and the temperature on the reactor coolant side of the heat exchanger tubing will, by necessity, exceed the boiling point of water at normal pressure. Cold shutdown can be achieved by the reactor shutdown cooling system, proposed as a non-safety-grade system. The AP600 PDHR system, for example, is designed to perform the following functions for non-LOCA events:

The automatic actuation to provide reactor coolant and to prevent water release through the pressurizer safety valves. The removal of core decay heat assuming the steam generated in the in-containment refuelling water storage tank (IRWST) is condensed on the containment vessel and returned by gravity into the IRWST. The PDHR should provide decay heat removal for at least 72 hours if no condensate is recovered. Cooling the reactor coolant system to 473 K (200 C) in about 72 hours. Removal of core decay heat and reduction of reactor coolant system temperature and pressure, during a steam generator tube rupture event, equalizing primary pressure with steam generator pressure and terminating break flow, without overfilling the steam generator.

During the TMI accident, one of the strategies unsuccessfully tried by the operators to regain control of core cooling was to depressurize the reactor system. The reactor was not designed for that operation and the manoeuvre did not succeed. A reactor depressurization system would probably

have helped. Moreover even the initial probability risk assessments (PRAs) did highlight the possibility of high pressure severe accident sequences for current light water reactors (LWRs). The idea then started to be studied of designing a depressurization system into LWRs. This was a new concept, especially in PWRs. Boiling water reactors (BWRs) had a relief system in order to cope with loss of condenser accidents. In principle, a primary depressurization system has many advantages: its operation tends to create an immediate, yet temporary, reactor shutdown effect; it decreases the primary water temperature and favours core cooling; finally, it allows water to be supplied to the core either by high pressure injection systems or by low pressure ‘jury-rigged’ emergency systems (fire truck water, etc.). New passive LWRs incorporate a powerful depressurization system which allows emergency water injection to be made by gravity driven (passive) arrangements. Moreover the operation of the primary depressurization system also ensures that the reactor coolant system would be depressurized during a severe accident. Therefore, violent ejection of molten core debris from a pressurized reactor coolant system is highly unlikely for the passive plant with a corresponding reduction in the potential for direct heating of the containment atmosphere. This is also applicable to the evolutionary LWRs, in fact NRC staff has concluded (USNRC, 1990) that ALWR designs (evolutionary and passive) should include a depressurization system to preclude the ejection of molten core debris under high pressure from the reactor vessel. Nevertheless the reactor coolant release to containment has the potential for adverse effects on in-containment equipment. Accordingly, the ALWR plants should be designed to minimize such adverse effects by ensuring that the frequency of inadvertent actuation is extremely low (2 10 3 per year) for passive plants according to US Electric Power Research Institute requirements (EPRI, 1990) ensuring that recovery from such inadvertent actuation is feasible without compromising plant availability for a long period (recovery within 30 days or less according to EPRI requirements). As an example, a short description of the AP600 depressurization system follows. The AP600 automatic depressurization system comprises 16 valves divided into four depressurization stages. These valves are installed in the reactor coolant system at three different locations. The valves


in the first three stages are connected to nozzles on top of the pressurizer. The fourth stage valves are connected to the hot leg of reactor coolant loop. The main actuating signals for each depressurization stage come from different level set points in the core make-up tanks (CMTs that provide high pressure make-up by gravity). When the CMT is going to deplete, the depressurization takes place to allow low pressure injection from the IRWST by gravity. Moreover the depressurization system, together with passive injection of borated water from the IRWST, could ensure safe shutdowns in the long term in case of ATWS if other active systems are not available for this purpose. The design of hydraulic engineered safety features for LWRs has traditionally been performed according to high reliability and leak proof standards. These systems are usually called into operation to protect the fuel barrier in the case of a loss of the primary system barrier. In addition, being strictly connected to the primary circuit pressure boundary, they have to be equipped with leak proof isolation devices, normally closed during plant operation. Squib valves, initially used for applications in the space industry, have been considered very attractive for use in an advanced passive reactor. These valves are characterized by a no-leak capability and, once actuated, they are designed to maintain the open position. The inlet chamber of the valves is normally closed by a sealing cap. When the valve is actuated, an explosive initiator pushes a plunger that shears the cap off. This kind of actuation has been found to be very reliable from operational experience and qualification tests. These valves require very limited maintenance. In fact no periodic intervention, other than the substitution of the initiator, is necessary. There are additional benefits associated with their use in automatic depressurization systems relating to the possibility of providing a flow area larger than that traditionally obtained with standard safety relief valves (SRVs). Such a large area is very important in passive reactors to depressurize the primary system at very low pressures, consistent with the operation of injection systems based on gravity. The installation of such valves in the core cooling injection system, in addition to the benefits associated to the leak proof characteristics, ensures, during normal operation, a pressure shielding function on the upstream check valves. Therefore, these valves do not remain forced in the closed position for long

29

periods, thus improving their reliability when called to open under a low differential pressure. Density locks (or ‘hot–cold interfaces’) are passive devices which perform a similar function as normally-closed valves during normal operating conditions. However, in case of transient or accident conditions, they allow cooling flow without the need of a power supply or the motion of mechanical parts. Density locks have been applied in the process inherent ultimate safety (PIUS) reactor concept (Fosberg et al., 1989). In this design, the reactor core is immersed in a large pool of pressurized, cold, borated water. The hot primary water and the cold pool water are in contact at two ‘hot–cold interfaces’ (high and low elevation in the cooling circuit) where, during normal operation, substantial mixing is prevented by design details and by pump speed (head) adjustment, governed by the lower interface temperature. In case of uncontrolled accidents of any origin, the core will tend to overheat causing water boiling and a decrease of the hydrostatic head in the riser pipe above it, beyond the correction capability of the pump speed control system. Under these conditions, natural circulation between the cold pool, the core and the riser pipe will be established through the two ‘hot–cold interfaces’ along an always-open natural circulation path. The pool of cold, borated water will then enter into the core and will shut the reactor down and remove the decay heat. In a certain sense, PIUS safety is based on the use of an essentially unstable cooling circuit, which needs active pump action to ensure stability during normal operation; in off-normal conditions, the system automatically switches to its stable condition which also is a safe shutdown condition. Density locks perform a fundamental role in PIUS ensuring core cooling during emergency conditions, and thus the potential for blockages caused by gas collection, material distortion or plugging by detached insulating materials should be analysed in depth. The density lock concept has been used in other new reactor schemes. Fluidic diodes and vortex valves are passive devices whose use in future nuclear power plants (NPPs) is currently under evaluation with reference to their potential use as check valves or actuation valves in safety-related systems. Fluidic diodes, used in reprocessing plants and chemical industries, are one-way valves with no moving parts. They are characterized by a very high flow resistance in one

30

Nuclear Safety

direction with respect to the other. This characteristic allows them to be used as flow limiters to maintain core coolant boundary integrity in the case of a LOCA event. A potential application in a typical PWR system, might be to install a fluidic diode on the reactor pressure vessel nozzle of the cold legs of the circuit to avoid reverse flow conditions following a pipe break. Due to the diode’s characteristics, instead of a massive release of coolant, only limited leaks would occur. Vortex valves are ‘normally active/passive during emergency’ devices designed to maintain a separation between environments normally operating at different pressures. This function is performed by the fluid movement provided by a normally operating pump. A potential application to NPP safety features is as actuation valves in case of transients or accidents. During normal operation the two environments remain isolated as the vortex valve functions as a standard isolation valve. Following a transient, the pump operation is interrupted and water flows from the environment at high pressure to that at low pressure.

3-3-3. Inherently safe systems in the process industries In process industry plants, the concept of more inherently safe design is a recurring theme in the three reports of the Advisory Committee on Major Hazards (ACMH – set up in the UK after the Flixborough accident). These reports set the general principles of ‘new’ process industry safety in the UK and they represent in their field what, for example, the IAEA ‘Safety Fundamentals’ documents do in the nuclear industry. A full account of the developments of this concept is given in Lees,AR587 Kletz (1984) and UMIST (1982). The Loss Prevention Bulletin (published by the Institution of Chemical Engineers, England) is also a ‘must’ for interested people. It is available in most technical libraries and a list of its main articles over the years is included in Lees.AR587 The basic principles of inherently safer designs in the process industry are:

Intensification: namely carrying out the chemical reaction in a smaller volume in order to have a lower inventory of dangerous substances and smaller consequences of an accident.

Substitution: of a dangerous process or substance, for example a heat transfer medium with a less dangerous one. Attenuation: adoption of a less hazardous process condition, for example a lower pressure in combination with the improvement of a catalyst. Simplicity: for example designing a vessel or pipe for full over-pressure instead of adopting a pressure-relief system. (As Henry Ford has supposed to have said, ‘What you don’t fit costs nothing and needs no maintenance’.) Operability: adoption of a process which can be easily controlled and adjusted to off-normal conditions. Fail-safe design: where the failure of the system leads directly to a safe condition. Second chance design: second line of defence.

Interesting examples of proposals in the process industry follow The first typical example concerns the manufacture of nitroglycerine. It has to be classified as an ‘intensification’ of the process, namely the drastic reduction of the inventory of the dangerous substance. Nitroglycerine is manufactured by the reaction between glycerin and a mixture of concentrated nitric and sulphuric acids. The reaction is highly exothermic and the mixture has to be continuously cooled and stirred otherwise a violent explosion may occur due to the uncontrolled decomposition of nitroglycerine. Originally the reaction was performed in batches using large (1 t) pots. The operator had to continuously monitor the temperature and check that stirring was effective. Since the reaction lasted a rather long time (hours) there was the danger of the operators falling asleep and, therefore, they used to work sitting on onelegged stools, as it can be seen in historical pictures (Fig. 3-7). This kind of process continued to be used until fifty years ago with a number of casualties and complete plant losses. The same reaction is now obtained in a small injector where the acid jet entrains the correct amount of glycerin and, due to the turbulent mixing, the reaction time has been reduced down to minutes. The reaction is complete at the exit of the injector. The amount of nitroglycerine in the reactor is reduced to a few kilograms and the operators can be protected by a blast wall.


Figure 3-7. Manufacture of nitroglycerine in old times.

Another reaction, the adipic acid reaction (used in the manufacture of nylon), was previously performed in a huge reactor with external circuits for cooling. Today, it is carried out in a smaller integral vessel with internal cooling and agitation, and with a very smaller possibility for leaks. A similar evolution has taken place in nuclear reactors which changed from external to internal recirculation units (or to integral proposals for future reactors). It is also worth mentioning the ICI’s Higee process, where the process of gravitational separation is enhanced by centrifugal forces in a rotating unit, with a consequent decrease in amount of substance in the separator. Many examples are available concerning the substitution of one process with a less dangerous one. In a number of cases in the chemical industry the choice has to be made between the availability of a large storage of substances and the reduction of stored substances concurrent with the continuous production of them on site. In the first case,

31

continuity of production is better assured but the risk attributable to the storage is present. The situation is reversed in the second case. The concept of inherent safety leans thinking towards the second choice. It has to be remembered that in the case of Bhopal, the situation was exacerbated because it had been decided to produce methyl isocyanate (MIC – the poison which was released in the accident) on site instead of importing it from another factory. However, the already existing huge MIC tanks continued to be used with the consequent risk. In the industry, subsequent major reductions of inventories have taken place on safety grounds brought about by new regulations concerning, in particular, hazardous substances such as ethylene oxide, propylene oxide and sulphur trioxide. Huge strides are being made in chemical industry safety, in areas that are of strong interest for nuclear plants as well (e.g. a reduction in the possibility of leaks from containments through the reduction in the number and the dimension of penetrations). The simplification of complex designs is also pursued by such measures as design for over-pressure and design modification to avoid instrumentation. Simple cases of the latter operation is the use of suitable piping arrangements to avoid reverse flow and to provide for automatic sump voiding (high turns of pipe with anti-siphon openings, self-priming siphons, etc.). Concerning the ‘operability’ concept in the previous list of principles of more inherently safe design in the process industry, it seems worth noting that, in the parallel field of nuclear plants, designers tend now to provide a longer ‘grace period’ in case of mistakes or accidents (e.g. an increase of the water inventory in water reactors, and so on). Speculative proposals for the future process plants also exist. One of them considers the advantages of distributed manufacture of chemicals using miniaturized plants at the user’s site. Such plants would be more environmentally friendly and would deliver their products on a ‘just in time’ basis. They should also be completely automated, highly reliable, selfcleaning and sealed for life. As is apparent from this section, in a number of instances the process industry has gone beyond the study phase and has adopted more inherently safe provisions. Safety experts in the process industry, however, complain that, as yet, not enough has been

32

Nuclear Safety

done (Kletz, 1984). Some of the restraints towards a higher level of inherent safety are:

the technical options available for the next plant are usually limited by time, so if major advances are to be made there has to be a ‘plant after next’ design policy, namely during the design stage of a plant there is not enough time to discuss and to develop alternative designs); the desire for certainty of production (if a new process or a new equipment is used, then unforeseen difficulties may cause trouble during start-up, perhaps delay or prevent the achievement of design output or efficiency); the process licensing authorities are often on the side of tradition (possibly to prevent unforeseen snags and surprises); technical misconceptions (like the belief that, for example, the reduction in the inventory of dangerous substances may render the control of the process more difficult); the organization of a company in business areas instead of in functional departments is not favourable to innovation because of the strong influence of the control of expenditures (i.e. illdefined responsibility for design innovation by research departments or design departments).

It has been remarked that it is difficult to convince people close to the industry that there is a need to improve safety levels. Many are accustomed to think that hazard is inherent in the industry (which may be true to a certain extent) and it does not occur to them that in many cases it may be possible to reduce the risk and consequences of the hazards.3

References US Code of Federal Regulations (2004) ‘Part 100: Reactor Site Criteria’, US Government. EPRI (1990)-NP 6780, Advanced Light Water Reactor Utility Requirements Document. Forsberg, C.W., et al. (1989) ‘Proposed and existing passive and inherent safety-related structures, systems and components (building blocks) for advanced light water reactors’, ORNL-6554, Oak Ridge National Laboratory. IAEA (1991) ‘Safety-related terms for advanced nuclear plants’, IAEA TECDOC 626.

Kletz, T.A. (1984) Cheaper, Safer Plants or Wealth and Safety at Work? Rugby: The Institution of Chemical Engineers. Lo Prato, E., Petrangeli, G., Tononi, R. and Zaffiro, C. (1990) ‘Terminology for future nuclear power plants’, IAEA TECDOC 550. OECD (1993) ‘The Three Mile Island Pressure Vessel Investigation Project: Achievements and Significant Results’, OECD. Petrangeli, G. (1992) ‘Fifty years from the Fermi Pile’, Proceedings of CIRTEN Safety Technologies and Safeguards 1992, Pisa University. USNRC (1990) SECY 90.016 Evolutionary Light Water Reactor Certification Issues and their relationships to current regulatory requirements. UMIST (1982) ‘Inherently safe plant’, Proceedings of Safety in the Chemical Industry 1982, University of Manchester Institute of Science and Technology.

Chapter notes 1 An explosion of roughly 350 kg of hydrogen occurred during the TMI accident without any damage to the containment. 2 The TMI accident progressed up to the threshold of this event. A large quantity of molten and re-solidified corium was indeed found on the bottom of the vessel which, however, was not perforated. 3 The following short story, attributed to a chemical engineer, demonstrates the similarity of thought between safety engineers in the nuclear and process industries. It is so enjoyable, I think that it deserves reproduction here. It has been slightly adapted from Kletz (1984). The tiger and the treasure: A king offered a challenge to three young men. Each young man would be put in a room with two doors. The young men could open either door they pleased. Behind one door was a hungry tiger, the fiercest and most cruel that could be procured, which would immediately tear them to pieces. But if they opened the other door, they would find a precious treasure. So I leave it to you, which door should they open? The first young man refused to take the chance. He lived safe and died poor. The second man hired risk assessment consultants. He collected all the available data on tiger populations and on ways to detect treasures. He brought in sophisticated technology to listen for growling of tigers and to detect metals and precious stone from some distance. He completed checklists. He developed a utility function and assessed his

Chapter 3 Safety systems and their functions risk averseness. Finally, sensing that in a few more years he would be in no condition to enjoy the treasure anyway, he opened the optimal door. Some sources maintain that he was eaten by a low-probability tiger. The third man took a course in tiger taming.

33

Is the optimal combination of the course of actions chosen by the two young men who opened the door very dissimilar from the Defence in Depth concept, well established as a foundation block of the nuclear safety? It seems not, and this seems to also be the conclusion of the chemical engineer who invented the story.


Chapter 4 The classification of accidents and a discussion of some examples

4-1. Classification

4-2-1. Some important data for accident analysis

Accidents are usually grouped as follows:

Accidents of internal or external origin. Area accidents (fires, internal floods). Accidents of natural origin. Accidents of human origin (explosion of a tank near the plant, sabotage, etc.). Voluntary accidents (sabotage). Design Basis Accidents, Beyond Design Basis Accidents, Severe Accidents (see Section 1-2 and Chapter 3).

Design Basis Accidents are usually subdivided into four categories:

4-2-1-1. Initial conditions

Operational transients. Moderate frequency sequences. Rare sequences. Limiting accidents.

The EUR criteria give an idea of the probabilities assigned to these accidents (see Appendix 6 on EUR Criteria).

The core nominal power is usually increased by 2 per cent in order to take into account possible calorimetric errors. The average coolant temperature is taken as the nominal one 2 C due to measurement errors. The pressurizer pressure is varied by 200 kPa (2 bar) in order to take into account normal fluctuations and measurement errors. The initial values of the various parameters quoted are chosen in such a way to minimize the initial departure from nuclear boiling ratio (DNBR – the power ratio margin from nucleate boiling, usually kept higher than 1.3 in normal operation and in ordinary transients). The fast shutdown trigger levels and the corresponding time delays considered in the analyses (including errors) are of the order of magnitude indicated in Table 4-1 and Figure 4-1.

4-2. Design basis accidents

4-2-1-2. Doppler coefficient

Design basis accidents (DBAs) are those accidents chosen by the deterministic method or with the help of probabilistic considerations, in order to design all the plant systems, but particularly the safety ones. Some of the following considerations are of interest for DBAs and for the other accidents. Most of the quoted data are taken from examples of typical 1000 MWe pressurized plants.

It is well recognized that the Doppler coefficient is one of the most important counter-reactions during reactivity excursions. The increase of the fuel temperature causes an increase in the amplitude of the uranium-238 neutron capture resonances and, therefore, a decrease in the core reactivity. In some transients, it is conservative to assume a most negative Doppler coefficient (when a higher power 35

36

Nuclear Safety

Table 4-1. Fast shutdown signals and corresponding delays (core safety limits, p ¼ 15.51 MPa (2250 psig) Origin of fast shutdown

Trigger level in the analyses

High neutron flux Core T (excess temperature) Core T (excess power) High pressurizer pressure Low pressurizer pressure Low recirculation flow Turbine trip Low-low level in steam generator High level in steam generator, feedwater pumps stop, feedwater system valves shut-off, turbine trip

118% Automatically variable Automatically variable 16.65 MPa (normal 15.51 MPa) 12.31 Mpa 87%

Time delay (s) 0.5 6 6 2 2 1 1 2 2

140 Overpower DT trip 120 Overpower trip 100

% Power

Operating point Over-temperature DT trip

80

60

Technical specifications safety limit

Steam generator safety valves open

40

20

0 573

593

613 Tavg (K)

Figure 4-1. Core safety limits ( p ¼ 15.51 MPa/2250 psig).

633


PCM per per cent power

0

0

20

40

60

80

100

37

120

−5 Most negative Doppler power coefficient −10 −15 −20

Least negative Doppler power coefficient

−25 Per cent power Figure 4-2. Doppler coefficient for transient analyses. and temperature decrease is contrary to a conservative evaluation, e.g. for steel over-cooling reasons) and in others (the majority), the opposite applies. Figure 4-2 shows, the curves for the two cases. According to the two curves, at practically zero initial power, an increase in power until 10 per cent causes a reduction in reactivity ranging from 0.1 per cent to 0.2 per cent. The Doppler coefficient varies with the fuel burnup, that is with the operation time, becoming less negative (i.e. less effective as a safety counterreaction) when the burn-up increases. In fact, with time, four phenomena cause a variation of the coefficient:

The variation of the composition of the gap gases in the fuel rods (which includes helium at the start only, but then also fission gases); the conductivity of the gap decreases with increasing time and, therefore, the fuel tends to become hotter. The densification of the fuel pellets which tends to increase the gap with an effect similar to the preceding phenomenon. The increase in the content of plutonium-240 which shows strong resonance peaks for neutron capture in the thermal zone and the consequent magnification of the uranium-238 effect (which, on the contrary, tends to decrease). The deformation by mechanical creep of the claddings, which tends to decrease the gaps and, therefore, the Doppler effect.

The last factor predominates over the others and, at the end of the core life, the Doppler coefficient is less effective. The two curves in Figure 4-2 to be used for transient analysis, are the result of the fuel burnup and the uncertainties of evaluation. As can be seen from the figure, the variation of power from zero to 100 per cent entails a variation of Doppler reactivity of the order of 1–1.5 per cent; this figure doesn’t include the effect of the variation of the moderator temperature, which is separately evaluated.

4-2-1-3. Coefficient of moderator temperature and of the voids The moderator temperature reactivity coefficient is also important for safety. In fact, when the moderator temperature increases, its density decreases and, as a consequence, the moderating effectiveness also decreases. This decrease causes an increase in the loss of neutrons from the core and an increase in the parasite captures, so that the reactivity tends to decrease. As, however, PWRs adopt chemical shim, that is the control of reactivity through dissolution of boric acid in the reactor water, the presence of this neutron absorber decreases the safety effectiveness of the moderator temperature coefficient; in fact, if the temperature increases, the amount of boron

38

Nuclear Safety

20

Moderator temperature coefficient (PCM/°C)

10

2000 ppm

0 −10 0

100

200

300 1500 ppm

400

−20 −30

1000 ppm

−40 500 ppm

−50 −60

0 ppm

−70 −80 −90 Moderator temperature (K−273)

Figure 4-3. Moderator temperature coefficient (start of life, no rods). 0

Moderator temperature coefficient (PCM/°C)

−10 0

50

100

150

200

250

−20

300 Unrodded

350

−30 −40 −50 500 ppm

−60

Rodded

−70

0 ppm

−80 −90 Moderator temperature (K−273)

Figure 4-4. Moderator temperature coefficient (end of life).

contained in the reactor water decreases and consequently the reactivity increases. For this reason, when the boron concentration is high (start of life, cold conditions) the overall temperature coefficient of the reactor water may be positive. Additionally, it must be emphasized that, in any case, the power coefficient (which includes the Doppler effect) must be always negative. Figures 4-3 and 4-4 show the behaviour of the temperature reactivity coefficient of the reactor water.

4-2-1-4. Reactivity of the boron content The content of boron in the cooling water is usually measured in parts per million (ppm). Generally, boric acid is used as the soluble boron compound: 1000 ppm of boron corresponds to about 0.6 per cent of boric acid. The reactivity of the dissolved boron is equal to about 800–900 pcm per 100 ppm, therefore in an operating condition with 1000 ppm boron, the reactivity in the dissolved boron is roughly


8–9 per cent. The usual values of the boron content are 2000 ppm boron at start of life and in cold conditions, 1000 ppm in hot conditions and only some hundreds of parts per million at end of life and hot conditions. It has to be remembered that boric acid may precipitate from the solution as various kinds of deposits (crud) which form on the inside primary system surfaces and especially on the hot surfaces of the fuel elements. Subsequently, in case of thermal or hydraulic transients, some of these deposits may peel off from the core giving rise to a reactivity transient. Over the years, no accidents due to this phenomenon have happened, notwithstanding the fact that the boron deposition on core surfaces has been observed and studied. The maximum reactivity which could be released can be evaluated of the order of 0.1 per cent in half a second (Petrangeli, 1967).

4-2-1-5. Reactivity of the control rods The reactivity of the complex of control rods is typically of the order of 10 per cent. The reactivity available for fast shutdown, however, depends on the position of the rods (e.g. rods are usually inserted under zero power and hot circuit conditions, but less often inserted under full power conditions), on the axial shape of the neutron flux and on the core burnup. Moreover, in order to evaluate the reactivity available for a fast shutdown, the assumption is usually made that the most reactive rod stays stuck in its position (generally it is considered completely extracted).

Overall, the reactivity available for a fast shutdown typically ranges between 6 per cent (under hot conditions and zero power conditions) and 9 per cent (at full power). Theoretically, a single rod may reach a worth of two per cent or more (as an example, a rod at the centre of the core with all the other rods inserted, which increases the worth of the rod) but the reactivity corresponding to the ejection of any rod (one of the DBAs) is always kept below the ‘prompt reactivity’ value (0.6 per cent): typically a limit of 0.5 per cent is adopted. The integrated worth of a control rod has the shape shown in Figure 4-5. Figure 4-6 shows the typical trend of the start-up rate, expressed in decades of growth of the neutron flux per minute, as a function of reactivity. The relationship connecting the start-up rate to the period T (s) is: Start-up rate ¼

26 decades min T

ð4:1Þ

Core reactivity is strongly influenced by the dynamic variation of the fission products as a consequence of the operational states of the core. Of course, the fission products accumulated in the core as a function of the fuel burn-up have also a strong influence on reactivity. Xenon-125 and samarium-149 are, in different ways, the most important nuclides in this context.

2 Reactivity, %

1

4-2-1-6. Reactivity of fission products (xenon and samarium)

2.5

1.5 1 0.5 0 0

39

20 40 60 80 Control rod position, percentage withdrawal

Figure 4-5. Integrated worth of a control rod (indicative).

100

40

Nuclear Safety

Reactivity (Dk/k * 10E-4)

100

10

1 0.01

0.1

1

10

Reactor start-up rate

Figure 4-6. Start-up rate as a function of reactivity.

Under stationary power operation conditions, the reactivity absorbed by xenon and samarium varies between two and three per cent. However, after shutdown, the reactivity of xenon may increase many times showing the well-known peak at about 11 hours. The negative reactivity due to samarium increases asymptotically up to a few per cent.

4-2-1-7. Reactivity balance Taking into account the above sections, the typical reactivity balance of a PWR could be similar to that shown in Table 4-2. The use of burnable poisons in the core to compensate for the burn-up reactivity of the fuel, normally adopted at least for the first cycle of the core, significantly reduces the need for compensating reactivity by soluble poison (Table 4-2 does not consider the use of burnable poisons). Table 4-2. The reactivity balance of a PWR Motivation

Reactivity (%) Rods

Cold shutdown (variation between hot and cold core) Doppler Xenon Samarium Operation margin Fuel burn-up (life)

Boron 2

2.2 2.2 0.8 0.8 9

4-2-2. Example of a category 2 accident: spurious opening of a pressurizer safety valve This scenario assumes that a pressurizer safety valve opens and stays open during the full power operation of the reactor. In the following, results are from studies made on a modern 1000 MWe reactor, but it can reasonably well apply to any PWR. After the opening of the valve, the primary system starts to quickly depressurize while the mixture of water and steam contained in the pressurizer reaches the temperature and pressure conditions of the primary hot leg. The valve has a flow area of 27.9 cm2 and the voiding of the pressurizer, for this opening, takes place in about 600 s. Subsequently, the depressurization of the entire primary system continues following the trend shown in Figure 4-7, where the curves obtained by the simple code ps.xls (available on the downloadable file ‘Primary System’ on this book’s accompanying web site) are also shown (the pertinent calculation will be commented on later). The reactor is shut down by the intervention of the low primary pressure signal at 10.93 MPa (abs) (109.3 bar (abs)). The normal primary pressure from which the transient starts is 15.82 MPa (abs) (158.2 bar (abs)). At a pressure of 10.93 MPa (abs), the safety injection system is automatically actuated which starts to inject water in the primary system through the high pressure pumps. Conservatively, it is


41

Primary pressure (105 Pa)

100

80

60 Safety report 40

ps.xls program (steam efflux)

20

ps.xls program (homogeneous efflux)

1200

2400

3600

4800

6000

Time (s)

Figure 4-7. Spurious opening of a safety valve on the pressurizer: calculated primary system pressure trend. assumed that one high pressure injection pump only operates (single failure), the injection flow rate is initially equal to about 1200 kg min 1 (20 kg s 1), increasing to 2700 kg min 1 (45 kg s 1) when the primary pressure decreases to 5 MPa (abs) (50 bar (abs)). Subsequently, as the primary pressure continues to decrease, the safety accumulators and the low pressure injection pumps start operating. During this accident scenario, the heat transfer from the fuel rods to the water does not usually reach the threshold of nucleate boiling, that is the conditions of ‘film boiling’ are not reached. In other words, the DNBR (or ‘burn-out’ ratio) never goes below 1, with some safety margin. In the transient described, the maximum fuel clad temperature is of the order of 843 K (570 C), well below the limit of 1477 K (1204 C) specified by the US regulations (US Code of Federal Regulations, 2004) universally followed in other countries. For interest, the other limits given in the abovementioned regulations applicable to DBAs are listed here:

Maximum oxidation of the cladding in the core: 17 per cent.

Less than one per cent of the total clad metal consumed by the metal–water reaction which generates hydrogen. The core geometry variation due to thermal and mechanical effects (swelling due to creep, etc.) insufficient to prevent its ability to cool.

None of these limits is reached in this accident, weighting the scenario as lower among other DBAs. Throughout accident duration, when very soon the primary system saturation conditions are reached (after about 600 s), the average steam–water mixture quality in the primary system always stays at a very low level. Obviously, if, as at Three Mile Island, the safety injection was shut off, the accident would continue to the start of core melt and beyond.1

4-2-3. Example of a category 3 accident: instantaneous power loss to all the primary pumps This scenario assumes that the accident starts at full power, then evolves through a number of stages

42

Nuclear Safety

Recirculation flow rate (%)

100

50

10

10

20

Time (s)

Figure 4-8. Total loss of power supply to the pumps: coast-down of the flow rate. concurrently with a progressive slowing down of the pumps. The initiating cause may only be the instantaneous loss of all the external electric power sources. The fast shutdown is quick ( > < m2 v€2 þ c2 v_2 þ k21 v1 þ k22 v2 þ þ k2N vN ¼ P2 ðtÞ ... > > : mN v€N þ cN v_N þ kN1 v1 þ kN2 v2 þ þ kNN vN ¼ PN ðtÞ ð15:20Þ

where kij are the influence coefficients of the stiffnesses and therefore represents the force on the node i deriving from a unit displacement of the node j, with the other nodes fully restrained.

It will be realized that Equation 15.20 lends itself to matrix notation. The extended notation is used here for sake of more general transparency. Equation 15.20, for the simpler case of an undamped system, , becomes: ½Afv€g þ ½Cfvg ¼ fPg,

ð15:21Þ

where A and C are mass and stiffness matrices, respectively, both symmetrical and defined positive. The terms containing the stiffnesses in general automatically calculated by the usual calculation

Chapter 15 Earthquake resistance

a) - ground acceleration

Acceleration fract. of g

8E−01 6E−01 4E−01 2E−01 0E+00 0E+00 −2E−01

1E+00

2E+00

3E+00

4E+00

5E+00

6E+00

−4E−01 −6E−01 Time

Displacement (m)

Figure 15-11. Acceleration record (horizontal), Loma Prieta (1989).

0.04 0.035 0.03 0.025 0.02 0.015 0.01 0.005 0 0

5

10 15 Frequency (Hz)

20

25

Figure 15-12. The Duhamel integral of Figure 15-11.

derived acceleration Derived acc. (m s−2)

14 12 10 8 6 4 2 0

0

5


20

25

Figure 15-13. Maximum spectral acceleration of the earthquake represented in Figure 15-11.

165

Nuclear Safety

Acceleration (m s−2)

166

16 14 12 10 8 6 4 2 0 0

5


20

25

Figure 15-14. Approximate spectral acceleration of the earthquake represented by Figure 15-11.

programs or they can be evaluated by Castigliano’s theorem, according to which, given the potential elastic energy, E, as a function of vi, is Fi ¼

@E , @vi

4

k43 = K

3

k33 = H = −2 K

2

k23 = K

1

Figure 15-15. Building with rigid girders.

8 m1 v€1 þ k11 v1 þ k12 v2 þ þ k1N vN ¼ 0 > > > > > < m2 v€2 þ k21 v1 þ k22 v2 þ þ k2N vN ¼ 0

: > > > > > : mN v€N þ kN1 v1 þ kN2 v2 þ þ kNN vN ¼ 0 ð15:23Þ Assuming: ð15:24Þ

and fvg ¼ fg sinð!tÞ:

k53 = 0

ð15:22Þ

where Fi are the stiffness terms of the ith equation. For simple systems, as in that of a multi-floor building, the influence coefficients of the stiffnesses are directly calculated from the stiffnesses of the various floors. A framed multi-floor building whose girders can be considered rigid in comparison with the columns (Fig. 15-15) is particularly simple. Here, the reaction forces on a floor are different from zero only for the unit displacement of the immediately adjacent floors (i.e. the coefficients kij with i and j different for more than one unit are equal to zero). The first step for the solution of Equation (15.20) is the solution of the associated system of homogeneous equations, in the case of zero damping:

vi ¼ Vi sin !t,

5

ð15:25Þ

Equation 15.23 has non-identically zero solutions only for N values of the pulsation ! (eigenvalues), obtainable by substituting Equation 15.24 in Equation (15.23) and calculating the N roots of the associated determinant:

!2 m1 þ k11 ; ... . . . k1N

k12 ... ... ... . . .

... ... ... . . .

!2 mN þ kNN ; kN1 . . . . . .

ð15:26Þ


½ C

!2 ½A ¼ 0:

ð15:27Þ

In correspondence with each eigenvalue, !i, Equation 15.23 can be solved to obtain N solutions, V1, V2, . . ., VN, but for a multiplying constant (as for any set of N homogeneous equations with N unknowns). Each set Vi identifies a vibration mode of the structure defined by:

where !2n ¼ Mn ¼

Kn ¼ 1, n , 2, n , , N, n ¼ nth mode:

ð15:28Þ

The modes satisfy the orthogonality relationships: N X

Mi in im ¼ 0;

m 6¼ n

ð15:29Þ

i¼1

and

167

X

m1 2in

X

in

Kn , Mn

ð15:35Þ

ðgeneralized mass of mode nÞ, ð15:36Þ

X

j ki, j jn

ðgeneralized stiffness of mode nÞ,

ð15:37Þ

and Pn ðtÞ ¼

X

in Pi ðtÞ

ðgeneralized force of mode nÞ, ð15:38Þ

In the case of seismic excitation, this is: N N X X j¼1

i¼1

!

kj, i in jm ¼ 0;

m 6¼ n:

ð15:30Þ

Physically, the orthogonality relationships express the fact that the inertia forces or the elastic forces of each mode do not globally make work for the displacements of another mode. The solutions of the general equation (Equation (15.20)) may be found by imposing the displacement of each mode as a linear combination of the displacements of the node according the N modes (Yn(t) is said to be the generalized coordinate of the mode n): vi ðtÞ ¼

N X

in Yn ðtÞ

ð15:31Þ

ð2Þ 1

ð15:32Þ

i¼1

ð1Þ

½X ¼

1

fvg ¼ jXjfYg

1ðnÞ

nðnÞ

ð15:33Þ

Substituting Equation (15.31) into Equation (15.20), and making use of the orthogonality relationships a set of N decoupled equations is obtained (in reality only if the displacement matrix satisfies certain conditions (Castellani et al., 2000)):

P ðtÞ Y€ n þ 2n !n Y_ n þ !2n Yn ¼ n , Mn

ð15:34Þ

Pi ðtÞ ¼

mi v€g ðtÞ,

ð15:39Þ

where v€g ðtÞ is the ground displacement. Therefore Pn ðtÞ ¼

v€g ðtÞ

X

mi in

ð15:40Þ

(if the excitation is in one direction only the summation in Equation 15.40 includes only the terms relevant to that direction) and Equation (15.34) becomes: P mi in Y€ n þ 2n !n Y_ n þ !2n Yn ¼ v€g ðtÞ P : ð15:41Þ mi 2in P P The Pn terms (¼ mi in = mi 2in ) are the coefficients or factors of modal participation, which physically represent the measure of the work done by a base excitation of the structure on the mode n and therefore a measure of how much the base acceleration is capable of putting the structure in vibration according to the same mode. In order to judge if the number of modes considered in an analysis is sufficient, a criterion exists based precisely on the modal participation coefficients. The sum of their squared values normalized to Mn , for each direction of excitation, is equal to the total mass of the system, M. The criterion states that, for each direction of excitation, the sum of the masses which participate in the jth mode given by: P

2 i mi ij Mj ¼ P P2j Mj , 2 i mi ij

ð15:42Þ

168

Nuclear Safety

must be equal to atPleast 90 per cent of the total mass of the system M ¼ mi. It must therefore be true that P jMj > 0.9M for each vibration direction. Comparing Equation (15.41) with the analogous equation Equation (15.10) for a one degree of freedom system, a perfect correspondence of the terms can be observed and therefore Equation (15.41) will have the same form of solution, that is:

Yn ðtÞ ¼

N P

i¼1 N P

i¼1

mi i, n mi 2i, n

1 !n

Z

t

e

!n ðt Þ

v€g ðtÞ sin !n ðt

Þd:

0

ð15:43Þ

The maximum values of the generalized coordinates of mode n and of their derivatives during the earthquake can be obtained by the response spectra of the earthquake for one degree of freedom systems, that is:

Yn, max ¼

N P

i¼1 N P

i¼1

mi i, n ð15:44Þ

Sd mi 2i, n

Y€ n, max ¼ !2n Yn, max :

ð15:45Þ

The maximum values of the displacements and of the forces of the i node will be: N P

vi, n;max ¼ i, n Yn, max ¼ i, n i¼1 N P i¼1

mi i, n Sd

ð15:46Þ

mi 2i, n

Fi, n;max ¼ mi vi, n;max ¼ mi !2n vi, n;max :

ð15:47Þ

In order to obtain the values of displacements, forces and so on, resulting from the contribution of all the vibration modes and to be used in the verification calculations, generally the quadratic mean of the values corresponding to the various modes is used (or other combination methods). For example, in order to obtain vi: X 0:5 2 vi ¼ : ð15:48Þ N vi, n

In this way a good estimate of the required quantities is obtained, as it has been extensively controlled, except for natural frequencies very close to each other. A complete guide for the combination of modal values can be obtained from the NRC Standard Review PlanAR372 and from a specific USNRC Regulatory Guide 1.92.AR372 The above methods are based on the modal analysis and therefore on the previous determination of frequencies and vibration modes and on the subsequent calculation of the response of various modes to a space–time history (time history of the ground acceleration) or to a design spectrum. These methods are the most used and are valid in the majority of cases. Some peculiar situations (such as the presence of marked non-linearities) require a direct integration of the motion equations, generally performed step-by-step.

Continuous systems Continuous systems can be considered systems with an infinite number of degrees of freedom. Their response to an earthquake can be found by the direct study of the relevant partial derivative equations of the motion or by the reduction to a system with a finite number of degrees of freedom (discretization of the masses and modelling by concentrated masses and springs). In practice, the ‘generalized coordinates system’ is, for simplicity, extensively used to obtain an approximate solution, but it is sufficiently precise for practical uses (i.e. for the first or the first few modes of vibration). Consider a structure which can be modelled as a slender cantilever built in the ground with an arbitrary distribution of the linear mass m(x) with flexural rigidity EI(x) (Fig. 15-16). If the virtual work theorem is applied equating the work of the inertia forces to the elastic work for the virtual displacement dv ¼ p(x)dy, then Equation (15.49) is obtained: y€ M þ yK ¼

v€g L,

ð15:49Þ

where RL 2 M is the generalized mass ð¼ 0 mðxÞpðxÞ dxÞ,


y (t )

If a spectrum is used, for example the maximum value of x during an earthquake is given by: ymax ¼ Sd

− v″g(t )

RL K is the generalized stiffness ð¼ 0 EIðxÞ @2 p= @ x2 Þ2 dxÞ, and RL L is the modal participation factor ð¼ 0 mðxÞ pðxÞdxÞ. If generalized damping is included, then Equation (15.49) can be rearranged and rewritten as: ð15:50Þ

or y€ þ 2!y_ þ !2 y ¼

v€g ðtÞL , M

ð15:53Þ

Tanks

Figure 15-16. An example of a continuous system.

v€g ðtÞL,

ð!, ÞL , M

where Sd is the spectral displacement which is a function of ! and , as well as the earthquake under consideration. Usually, a method based on a tentative deformed shape is used to study the first mode, but methods exist for higher modes (Biggs, 1964).

v(t ) = p (x)y (t )

M y€ þ C y_ þ K y ¼

169

ð15:51Þ

where ¼ C*/2M*! is the fraction of the critical damping of the system, and 0:5 K !¼ ð15:52Þ M is the eigenfrequency associated to the p(x) mode. It is evident that these equations have the same form as the equation of motion of a simple oscillator with the substitution of the generalized coordinate y in place of x in the simple system. It is therefore evident that, once the estimate of p(x) has been made (even a tentative shape generally gives good results without the need of iterations), the coefficients of the equation can be calculated and the solution can be obtained by the methods valid for one degree of freedom systems (i.e. the Duhamel integral, response spectrum, etc.).

Tanks of liquid, specially of light construction (atmospheric tanks), are subject to peculiar phenomena during an earthquake, all of them are related to the formation of internal waves and to their interaction with the walls and with the roof of the tank. Experience indicates the possibility of damage at the roof–wall join (buckling and breaks), of damages to the base of the lateral wall (‘elephant foot’ buckling), of damage to the anchor components between the tank and its foundation (if existing) and damage to internal components. When testing a tank it is, first of all, necessary to determine the liquid motion and the forces exerted by it on the tank. This phenomenon has been particularly studied in Japan, where experimental tanks have been studied to determine their response in cases of real earthquakes. A simple analysis method is described in ASCE (1986). According to this method, the liquid mass is subdivided into two parts: a lower part which can be considered rigidly connected with the tank and an upper part which oscillates relative to it. The method supplies the formulae for the calculation of forces and of oscillation heights on the basis of the reference spectrum of the earthquake. The walls of the tank can be considered rigid in a first approximation even if methods exist to take into account the effect of the flexibility of the walls on the result (Veletsos, 1974; Kana, 1978; Adams, 1992). The flexibility of the walls is important especially when evaluating the forces caused by the lower part of the liquid. Should atmospheric tanks be rigidly connected to their bases? The alternative solution is not anchoring the tank and to shape its bottom as a cone in order to ensure a lateral retention; pipes and cables connected to the tank should obviously be provided with ample

170

Nuclear Safety

Table 15-10. Natural period of liquid in tanks Depth filled 30% D¼5 m D ¼ 10 m D ¼ 20 m D ¼ 30 m

50%

80%

Cylinder

Sphere

Cylinder

Sphere

Cylinder

Sphere

2.5 3.5 5.0 6.2

3.0 4.0 5.5 7.0

2.3 3.3 4.5 5.2

2.5 3.5 5.0 6.2

2.2 3.5 4.8 5.8

2.1 3.0 4.4 5.3

s s s s

s s s s

flexibility. In the Alaskan earthquake in 1964 unanchored tanks were moved 1.5 m. The choice between one or the other solution is a matter of debate, even if the prevailing opinion is for anchored tanks with attachment zones and anchors generously sized and fitted to the main structure. Tank walls are thick (typically 20 mm) if the design pressure is high (non atmospheric tanks), and therefore the rigidity of the shell is significant. The deformable parts of a pressure tank subject to seismic excitation are, instead, the supporting truss structure (or the support saddles) and the contained liquid, thereby causing the whole structure to behave like a double pendulum. The first pendulum (of inverted type, that is with its mass above and its spring below) has its mass essentially formed by the shell and by that part of the contained liquid (located in the lower part) which follows the tank in its oscillation. The second pendulum, linked to the first one in the upper part, has its mass formed by that part of the liquid (located in the upper part) which oscillates in an autonomous way relative to the shell. The recall forces for the two pendulums are, respectively, the elastic recall force of the support structure and the gravity force. In practical cases the natural period of the first pendulum is much lower than the natural period of the second (e.g. 0.5 s vs. 5 s). The two pendulums are, therefore, decoupled. As a consequence, because the first pendulum is the one which directly receives the ground vibration and the second receives the vibration of the first one, the first pendulum will tend to oscillate with a period close to its natural one without being significantly influenced by the second one. These qualitative analyses are confirmed by dynamic analysis calculation methods (USAEC 1963; ASCE 1986).

s s s s

s s s s

s s s s

s s s s

To verify that the natural period of oscillation of the liquid is significantly different from the one of the structure, the data in Table 15-10 is useful (for cylindrical vertical and spherical tanks). In practice, neglecting the liquid oscillation is, for pressure tanks, generally conservative. In fact, considering all the liquid as a part of the structure leads to increasing the mass participating in the prevailing vibration (the one of the first pendulum) and therefore increases the corresponding horizontal seismic forces. Therefore these tanks are very different from atmospheric pressure tanks (generally cylindrical with a vertical axis) used for oil products and for other liquid products.

Resistance and functionality of mechanical, electrical and electronic components Often it is impractical to model, in the seismic analysis of a plant, all the components located at different heights. The need arises to define methods of identifying a seismic excitation (spectrum or accelerogram) by which resistance and functionality of the essential components can be verified. In reality, recently the problem has been simplified by the development of dynamic analysis computer programs, which makes the modelling of structurecomponent complexes easier. The anchorage of components, especially with cantilevered parts (actuators of valves, and so on), sufficient slack and flexibility in the mechanical and electrical connections (pipes and cables), sufficient gaps between components and between components and structures, are the principal design and installation characteristics to be examined. A specific consideration is deserved by electro-mechanical


relays which in the past have given unpleasant surprises (chatter during earthquakes and consequent malfunctions of the connected equipment). In these cases, it is necessary to consult an expert specialist or in any case to have the result of shake-table tests for the various relay types of interest. These tests may in some case be already available from manufacturers or suppliers. A sound empirical attitude does not, however, solve all the problems and it is in general necessary to have recourse to specific analyses. Methods of modelling the components together with the structure, if practicable for a reasonable number of components, are available. Otherwise the method for defining the ‘floor’ response spectra at various heights of the structure, for example, Biggs (1972) and Roesset (1995), for which various publications suggest indications and conservative practical rules which protect against the possibility of mistakes (USNRC, 1988).AR379 The following gives some simple methods for a first look at practical cases. The components located on a floor of a structure and which cannot be considered rigidly connected to it, can be subject, during an earthquake, to accelerations considerably higher than those of the floor itself. This fact appears evident if it is considered that resonance can occur between structure frequencies and component frequencies. In this case the amplification ratio of these accelerations can be approximated (in the case of sinusoidal motion) by M ¼ 1/ (2), where is the fraction of the critical damping of the component. For a metallic component with ¼ 0.02, M will be equal to 25, corresponding to an acceleration of the component 25 times that of the floor in resonance conditions. In reality, the floor acceleration is generally composed of various modes, one of which only will be in resonance with the component. However, amplification factors of the order of 10 are not infrequent. Another method, already mentioned above, is to roughly estimate the acceleration of components, in cases where a modal analysis of the structure is available, by evaluating the response of the component to the various modes of the structure considered as stationary sinusoidal vibrations and subsequently to calculate the square root average of the responses (or other meaningful combination). This method, too, can be highly conservative. As already mentioned, the floor response spectra can be used (and this is the most common method).

171

These spectra are defined as the response spectra of the seismic motion at the floor and can usually be obtained by modal analysis or by direct integration of the equations of motion of the structure, always on the basis of a reference time history of the ground motion. These analyses are usually long and complex. In order to avoid an analysis by using the more precise techniques, a simplified and general procedure can be used which gives, according to the author (Biggs, 1972), usually conservative but reasonable results. It is assumed that a modal analysis of both the structure (s) and the component (e) has been performed and therefore that the eigenmodes [ve] and [vs] and the corresponding periods Te and Ts are known. In a qualitative way, considering the mode n for the structure and the mode m for the component, we imagine the complex structure–component as a set of two coupled simple linear oscillators (Fig. 15-17): It can be seen, that if the structure s is much more rigid than the component e, then the motion is transmitted almost rigidly to the component and it is similar to that of the ground. Moreover, if the structure (or the complex soil–structure) is more flexible than e, the motion of e is essentially due to that of s. (It has to be noted that the lowest periods of

e

s

Figure 15-17. Schematic of a structure–component complex.

172

Nuclear Safety

the soil–structure complex can also be rather high (of the order of 1 second) precisely because of the soil– structure interaction, while in general the pipes and the components can be made very rigid in order to stay away from the prevailing periods of the earthquake.) Therefore:

if Te,m > aTs,n, the influence of the soil prevails; if Te,m < aTs,n, the influence of the structure prevails.

The coefficient a is chosen to be 1.25 on the basis of comparisons with the time histories method. Having considered all the meaningful modes, N, of the structure and all the meaningful modes, M, of the component: Ae, m, n ¼ As, n

Ae, m , if Te, m < 1:25Ts, n , As, m

ð15:54Þ

where As,n ¼ A0,nPs,nvs,n with A0,n is Sd the spectral amplitude of the mode considered, Ps,n is the relevant modal participation factor and vs,n is the relative displacement of the mode in correspondence of the component (As,n is therefore known on the basis of the modal analysis of the structure). Ae, m A0e, m, n ¼ Ae, mg , if Te, m > 1:25Ts, n , Ae, m, G ð15:55Þ where Ae,m,G is the maximum component acceleration for mode m, supposing that it is directly placed on the ground and that, therefore, it is known on the basis of a specific modal analysis, required by the application of this method. The ratios ðAe, m =As, m Þ and ðAe, m =Ae, m, G Þ are given by empirical diagrams, summarized in Tables 15-11 and 15-12, as a function of the ratio of the periods ðTe, m =Ts, n Þ and of the damping ratios of the structure and the component. The acceleration of the component in mode m is, then, given by: Ae, m ¼

X

n0

Ae, m, n

0:5 P n00 Ps, n vs, n A0 e, m, n Pn , þ Ps, n vs, n ð15:56Þ

where n is the number of significant modes of s, n0 is the number of modes from Equation (15.54), and n00 is the number of modes from Equation (15.55).

The resulting quantities of interest for all the modes of the component will then be combined by the root mean square or by other algorithms. The authors of this method have conservatively approximated the diagrams/tables and have based these diagrams on three past earthquakes having different characteristics from each other (El Centro in 1940, Taft in 1952 and Parkfield). When modelling a structure it has to be decided if part of it can be considered a ‘component’ and can be decoupled from the main structure (and therefore treated by the preceding methods). Some decoupling criteria follow: Where Rm is the ratio of the mass of the part and the mass of the affected floor of the building and Rf is the ratio of the fundamental frequency of the part and the dominating frequency of the floor motion, then:

if Rm < 0.01, it is possible to decouple for each Rf; if 0.01 < Rm < 0.1, it is possible to decouple if 0.8 > Rf > 1.25; if Rm > 0.1 it is not possible to decouple the component.

A more complete treatment of these guide criteria can be found in the NRC Standard Review Plan and in the connected Regulatory Guides. Table 15-11. Values of Ae,m/As,m for s ¼ 0.05 and for various values of e Te/Ts,n

e ¼ 0.05

e ¼ 0.02

0.3 0.5 0.8 1.0 1.2 1.5

1.1 1.5 3.2 5.3 3.3 2.4

1.2 1.6 4.0 8.4 4.4 2.8

e ¼ 0.01 1.3 1.7 4.5 11.0 5.5 3.5

Table 15-12. Values of Ae,m/Ae,m,G for s ¼ 0.05 Te/Ts,n

s ¼ 0.05

1.1 1.3 1.5 1.7 2.0 2.5

5.0 3.5 2.8 2.3 1.7 1.3


Soil–structure interaction This issue has been already treated in general terms in section 15-3-1 on foundation soil. Here some practical data and some formulae relevant to modelling the ground (inertial interaction) by equivalent masses, springs and dampers. The coupling between structure and ground must generally be considered elastic and, for dynamic modelling, it is necessary to evaluate the following elements:

For the evaluation of the effect of soil, the simplest assumption is to model the soil by a series of equivalent springs whose constants are determined either on the basis of analyses of the behaviour of a rigid solid on an elastic indefinite semispace or by a finite element evaluation of the stiffness characteristics of the soil–structure couple. The first system uses the following formulae for a circular base structure (Petrangeli et al., 1998):

the equivalent springs of the ground (Fig. 15-5); the damping of the ground.

soil masses and inertias associated with a structure when vibrating, which in a first approximation (especially for large structures) may be neglected when compared with the masses and inertias of the structure itself.

The importance of considering the soil in the dynamic analysis varies according to the types of soil and of structure. As it can be imagined, for example, a deformable structure founded on solid rock and solidly anchored to it can be considered fully constrained in the ground and therefore the influence of the elastic soil–structure coupling can be disregarded. However, this is not the case for a rigid structure on relatively elastic ground (e.g. sand or clay), which will usually require the dynamic analysis of the elastic soil–structure coupling to be taken into consideration. If this is not done, a much more unfavourable structure response will be obtained than in reality (indeed, the elastic coupling of the rigid structure with a soft soil filters the largest part of the high frequencies of the earthquake, whose effect on the rigid structure can be particularly strong). A criterion used to verify if the effect of the soil is important is given in the next equation: T0
Rv Þ c ¼ Vv Rv

ð16:1Þ ð16:2Þ

where varies between infinity (at the initial instant of the formation of the vortex) and 1 when the rotation has fully propagated towards the outside. Distribution of the pressure due to the vorticity dp V2 ðrÞ ¼

r dr

ð16:3Þ

with obvious meaning of the symbols.

185

186

Nuclear Safety

v P

R

Figure 16-1. Schematic of tornado vortex of radius R, and the velocity and pressure distributions due to rotation.

16-2. Scale of severity of the phenomenon

From the above: "

2 # r 0:5 ð Rv < r < Rv Þ Rv

pðrÞ ¼ V2v 1

The scale usually used is the gravity scale proposed by Prof T. Fujita (Chicago) (Table 16-1).

ð16:4Þ

pðrÞ ¼ 0:5 V2v

Rv r

2

16-3. Design input data ð Rv > r > Rv Þ

1:29 ¼ 0:13 kg s m 4. where 9:8

ð16:5Þ

On the basis of a thorough search of past events, the design values for nuclear reactors in Italy were chosen as shown in Table 16-2.

Chapter 16 Tornado resistance

187

Table 16-1. Fujita scale for tornadoes Degree 0 Degree 1 Degree 2 Degree 3 Degree 4 Degree 5

Winds from 60 to 110 km h 1. It may bend road signs and displace trestles and objects not anchored to ground. Winds from 110 to 170 km h 1. Tree branches are broken off, roofs are ripped away, vehicles are significantly displaced, light trailers can be overturned. Winds from 170 to 240 km h 1. Large trees and telephone poles are uprooted, cars are displaced by small distances and small wooden constructions without foundations are destroyed. Winds from 240 to 320 km h 1. Brick walls can be knocked down, trucks and trains can be overturned, objects weighing several kilograms can be lifted to large heights. Winds from 320 to 410 km h 1. Destruction of masonry buildings without deep foundations, light vehicles and big animals can be moved, objects up to 100 kg are transformed into missiles. Winds from 410 to 500 km h 1. Total disaster, buildings of any kind destroyed, trains and trucks lifted, whatever object protruding from the ground is pulled away and blown away, sometimes several kilometres.

Table 16-2. Tornado design figures adopted in Italy Translation velocity Maximum rotation velocity Maximum resulting velocity Maximum theoretical pressure Maximum depression Missile 1: automobile of 1000 kg Missile 2: Steel pipe * ⁄ ¼ 80 mm, length ¼ 3 m, weight ¼ 35 kg Missile 3: Wooden plank 0.1 m 0.3 m 3.6 m, weight ¼ 50 kg

24 m s 1 73.5 m s 1 97.5 m s 1 600 kg m2 700 kg m2 Impact velocity ¼ 1/6 rotational velocity (12.5 m s 1), impact elevation ¼ 7 m, impact area ¼ 2.1 m2 Impact velocity ¼ 1/3 rotational velocity (¼ 24.5 m s 1), impact of the pipe end perpendicularly to the surface, any impact elevation Impact velocity equal to the rotational velocity (73.5 m s 1), any impact elevation, impact area 3.6 m 0.3 m

The reference tornado in Italy is taken to be Degree 4 on the Fujita scale. In the USA two sets of values are used for this event (Bechtel, 1973). The strongest one (in the central-eastern part of the country, notoriously subject to this phenomenon) has a maximum velocity of 576 km h 1 and therefore belongs to the Degree 5 of the Fujita scale. The design of nuclear plants is not significantly influenced by a design event tornado of intensity 4, except for the need to provide the secondary containment or similar buildings with pressure equalizing automatic panels (or with other provisions) in order to cope with the negative pressure caused by the event (e.g. the Caorso power station in Italy). Design verifications for a tornado usually entail the following:

Testing for positive and negative pressures on the exterior walls of buildings taking into account the

various shape coefficients (Bechtel, 1973) which are customary for the design against strong winds. Analysis of positive–negative pressure gradients created inside buildings and the verification of the internal structures by appropriate computer codes which take into account the possible time variation of the positive–negative pressures present, caused by the movement of the vortex. Analysis of resistance to missiles by using the penetration formulae usually used for impacts (see Chapter 17).

Reference Bechtel Co. (1973) ‘Tornado and extreme wind design criteria for nuclear power plants’, BC-TOP-3, Bechtel Power Co.


Chapter 17 Resistance to external impact

17-1. Introduction

17-2-1. Effects of an aircraft impact

This chapter considers the external impact of crashing aircraft, sabotage and the effect of explosive pressure wave. The external impact is considered with reference to engineering defence measures: aircraft impact, otherwise, can be prevented, with variable degrees of effectiveness, by provisions such as by modifying flight corridors or by protecting the nuclear power plant with special forces, etc.

Usually the effects of an aircraft impact (or similar) on a plant are assumed to be:

The first type of strong external impact due to human activities considered for nuclear plants was that of a crashing aircraft. This kind of load started to be included among the usual design conditions, together with the pressure wave, in the 1960s and 1970s in Germany as a result of several accidents primarily involving the Lockheed F-104 Starfighter. However, for conservatism, the reference aircraft chosen was the McDonnell-Douglas F-4 Phantom. The same approach was then followed by other countries, such as Belgium, Switzerland and Italy. Subsequently, it became clear that, in some countries, nuclear plants should also be protected against external acts of sabotage, involving aircraft, but also against launched explosive charges. It was then discovered that the protection against aircraft impact of the type described above, also gave protection against many plausible similar events, at least from the structural point of view.

17-2-2. Overall load on a structure The overall dynamic load on structures has been evaluated by tests and analytical evaluations. The corresponding load–time diagram is shown in Figure 17-1 for a Phantom F-4.

Load (1000 kg)

17-2. Aircraft crash impact

a dynamic load at the point of impact, causing static stresses and vibration of structures and components; a localized load at the point of impact with possible penetration of the impacted wall and generation of fragments on the opposite face of the structure (spalling); fire due to the fuel transported by the aircraft; temporary incapacitation of the operating personnel.

11 000 10 000 ≈5400

10

50 Time (ms)

Figure 17-1. Load–time diagram for Phantom F-4.

189

190

Nuclear Safety

The velocity of impact (assumed normal to the impacted surface) is 215 m s 1. The equivalent diameter of the loading area is 2.60 m. The two-step shape of the load curve is due to the presence of two phases: initial impact of the body and subsequent impact of the engines (more rigid). In the Italian criteria (see Appendix 1), it is supposed that the reference impact happened at 45 relative to the normal of the surface and that this event was equivalent to a normal impact with velocity equal to 150 m s 1. The estimated load curve is shown in Figure 17-2. In practice (with reference to Fig. 17-2), the second impact of the engines is eliminated. The impact area is assumed, as in the first case, equal to 7 m2. These assumptions are not accepted by all the experts because they do not take account of the fact that the engines, in the first phase of the impact, may break off the aircraft body and proceed towards the target as autonomous missiles, without the energy absorbing effect of the body itself. In order to perform an indicative evaluation of the load which could correspond to other types of aircraft and to other impact speeds, the following simple concepts are suggested:

Load (1000 kg)

G1 and G2 are the weights of the two aircraft and V1 and V2 their impact velocities, respectively. It is assumed that G ¼ G1/G2 and V ¼ V1/V2. The ratio, L, between the linear dimensions, l, and the product of the area of part of the aircraft times the square of its velocity, will vary with the weight of the aircraft as this quantity is proportional to the lift which must equal the weight (it is supposed that this is true in conditions of impact also). The following is obtained: L2V2 ¼ G and therefore L ¼ G0.5/V.

≈5000

50

10 Time (ms)

Figure 17-2. Example of another load–time diagram.

The flexural moment on the body will vary according to the product of the weights for the lengths and therefore according to the ratio G ¼ G0.5/V. The design mechanical stresses will be the same, so from ¼ My/tkl3, the thickness, t, of the body varies with the ratio T ¼ GV/G0.5. The impact force will presumably vary as crLT, that is as the product between the buckling stress of a cylinder times the area of the resistant cross-section; as cr in a cylinder varies as T/L, the impact forces, Fi, will vary as T 2, that is as GV2: Fi ¼ GV2

ð17:1Þ

The preceding relationships agree with the data for the Phantom F-4 within 10 per cent compared with those of a completely different aircraft, the Learjet of roughly 10 t studied in report CEA-IPSN, 1977, for various impact velocities. The influence of velocity too, according to these last data, is well represented by the above discussed formulae. Table 17-1 shows the weights and wing spans of several aircrafts. The simple laws described above, when applied to a Boeing 747 with an impact velocity of about 200 m s 1 would generate a peak force of about 17 times the one associated with a Phantom F-4. Even taking into account the larger impact area, it is therefore difficult to protect a plant against this impact (unless it is located in a cavern or sufficiently underground). The protection against a Phantom F-4 hitting at a velocity of 215 m s 1 requires a minimum reinforced concrete thickness of 1.8 m and, at 150 m s 1, a minimum thickness of 1.2 m is needed. These thicknesses also take into account the penetration strength. CEA-IPSN (1977) gives the result of studies for the evaluation of oblique impact loads, that is not normal to the surface. It may be interesting to know that the two Boeing 767s which hit the World Trade Center in New York on 11 September 2001, had estimated velocities of 686 km h 1 and 859 km h 1, respectively.


191

Table 17-1. Data for various aircraft Aircraft

Full load weight (t)

Engine weight (kg)

Wing span (m)

Learjet 23 Boeing 707-320 Boeing 757-200 Airbus A300 Boeing 747-200C Boeing 767 Phantom F-4E Airbus A330-200 Boeing 737-600

About 10 About 150 116 132 350 180 20 230 56

2 1295 4 8100 2 18 000–19 000 2 23 000 4 21 300 2 27 000–28 000 2 1700 2 29 000–32 000 2 8000–9000

About 13 44 38 45 60 52 12 60 34

17-2-3. Vibration of structures and components The dynamic load dealt with in the preceding section has to be considered as a quasi-static load imposed on the structure as a whole but also as the cause of vibration of the components located inside. It is estimated that the acceleration due to an aircraft impact at the foundation level may reach and overcome the values typical of a design earthquake in a moderately seismic area. The response spectrum of the aircraft impact pulse is rather ‘hard’, that is dominated by high frequencies. For this reason, the components subjected to the highest loads are the most rigid ones, especially if the plant is located on rigid foundation soil (rock). In some designs, the external structures of the plant are mechanically decoupled from the internal ones on which the plant components are fixed. In this way the vibration transmitted to the components is reduced. The decoupling, obviously, is obtained by inserting joints and gaps in the structures. Figure 17-3 shows qualitatively the relative position of the response spectra of the seismic excitation, of the deflagration of an explosive cloud and of an aircraft impact.

17-2-4. Local perforation of structures Parts of an impacting aircraft, especially the engines, cause local effects such as perforation and missile generation in the rear side of an impacted wall. Many formulae exist for the evaluation of these effects, not all of them applicable in the range of

parameters of interest here (CEA-IPSN, 1977; Riera, 1982, 1989). x¼

1:5 G 4 V 3, f t0:5 D1:8

ð17:2Þ

where, x is the penetration depth (cm), ft is the compression resistance of the concrete (kg cm 2), V is the impact velocity (m s 1), G is the impacting weight (kg), and D is the effective diameter of the impacting body (aircraft or engine) (cm). This formula is valid for impact velocities ranging from 150 and 300 m s 1 and has been verified by experimental tests. The protection against ‘spalling’ is obtained by empirically increasing by 25 per cent the thickness calculated by the formula. An increase of thickness up to 1.8 m guarantees an absence of damage due to the simultaneous explosion of the normal weapons carried by a fighter aircraft (missiles), but not of the possibly carried bombs (which is justified on a probabilistic basis if the bombs are not triggered to explode). This thickness also offers protection against other types of impacts, such as an oblique one due to the separation of an engine and that of a missile due to the explosion of a nuclear plant turbine (for which in general 80 cm are sufficient). The depth of penetration in the soil (of interest for buried lines and tunnels) can be evaluated according to: x0 ¼

GV , D2

ð17:3Þ

192

Nuclear Safety

acceleration earthquake spectrum (Arbitrary scale)

aircraft impact spectrum

explosive cloud deflagration spectrum

2

30

Frequency (Hz)

Figure 17-3. Structural response spectra for various phenomena.

where x0 is the penetration depth (m), D is the diameter of the missile (m), is a constant dependent on the type of soil (¼ 9 10 6 for sandy soil), G is the weight of the missile (kg), and V is the vertical component of the velocity (m s 1). For a Phantom F-4, a depth of about 6 m is obtained, which corresponds to the effect of a bomb of about 100 kg of explosive.

17-2-5. The effect of a fire It is assumed that the impacting aircraft has up to 10 t of aviation fuel on board, so the potential damage if a fire breaks out is significant and therefore the design of the structure and of the surrounding spaces must be such to eliminate this danger. A measure commonly adopted is to encircle the buildings with deep trenches filled by gravel. These have the function of collecting the spilt fuel and of preventing its ignition in the open air. Obviously, the resistance of the external structures to the impact stops fuel from entering the building.

17-2-6. Temporary incapacity of the operating personnel It is believed that the operating personnel would be so shocked by the impact, that they are unable

to operate the plant for hours afterwards. For this reason, every plant protected from external impacts as described in this chapter is also provided by an emergency system which can automatically operate for many hours and which is able to guarantee the safety of the plant. This system is also a protection against the effects of an explosive wave hitting the plant from outside and the possible use of toxic gases. Obviously, the whole system, provided with an adequate redundancy, is also protected by the external impact.

17-3. Pressure wave The design pressure wave is supposed to be due to the release of explosive gases, either accidental or maliciously. Generally, the following assumptions are made:

The cloud’s size includes all of the station buildings. The wave has the characteristics of the deflagration, not of the detonation. It is thought, in fact, that a detonation can only happen close to the release point and therefore the plant is protected by the normal safety distances, see Figures 17-4 and 17-5 (obviously this concept does not apply to voluntary events).

180 000

Pressure difference due to explosion

Possible explosive weight (kg)


100 000

10 000

193

p0, peak pressure in free field

>0 10 Gy 1

10

100

1000

Distance (km)

Figure 22-1. Indicative consequences of a 1 Mt explosion.

might adequately shield a human being at distances further than 1 km from ‘ground zero’. At these distances the other destructive effects, however, prevail (shock wave and, above all, thermal radiation and fire storm). In the figure, 10 Gy (1000 rad) have been chosen as the lethal dose, as at this value the probability of prompt death is high (LD50 ¼ 3–5 Gy, see Chapter 7). The destructive shock wave is directly caused by the blast and by its reflections on solid walls. The energy transported in this way is about 50 per cent of the total and it is the highest proportion with reference to the others (nuclear radiation energy and thermal energy). Up to about 3 km from the explosion, concrete buildings may collapse. The duration of the pulse is 0.4–1 s. The propagation velocity is slightly higher than the velocity of sound. The initial thermal radiation is emitted by the fireball generated by the bomb and lasts for about 10 s for 1 Mt. The fraction of energy transported is about 35 per cent of the total. The consequences are the direct ignition of everything combustible in a radius of about 10 km and the generation of fire storms with high velocity winds (>100 km h 1 up to several kilometres distant) generated by direct heating and by fires caused by the radiation. It should be remembered that large fire storms were caused during the intense conventional bombing of German cities during the Second World War even though substantially lower overall energy was released.

Initial fallout is the deposition on the ground of the radioactive particles generated in the explosion during the first 24 hours after the event. The particles which are deposited later are smaller (order of magnitude of 1 m) and reach the ground sometimes a year later. Here, too, the lethality limit has been assumed to be 10 Gy accumulated within seven days of exposure in the contaminated zone. The total radioactivity generated is equal to about 3000 times the one contained in a 1000 MWe reactor at equilibrium (but, for iodine-131, it is about equal and after 24 hours the total radioactivity decreases, at least, by 2000 times). A fraction of this radioactivity, highly dependent on the explosion height (ranging from 10 per cent for elevated explosions to 70 per cent for surface ones), originates the initial fallout. However, this value of the ratio of total radioactivity released by a bomb and the total radioactivity contained in a reactor at equilibrium does not apply to the various isotopes or different decay times, for example the above quoted ratio of 3000 becomes 1 for iodine-131 and even 1/10 for caesium-137, which is responsible for 40 per cent of the long time ‘fallout’ doses of the bombs exploded in the atmosphere (Glasstone and Dolan, 1977). As a further example, the caesium-137 released by the Chernobyl accident was equal to about 500 times the caesium-137 released by the Hiroshima bomb (Glasstone and Dolan, 1977). These differences are due to the fact that the isotope composition of the resulting radioactive

Chapter 22 The effects of nuclear explosions

products is different for an explosion and for a reactor core at equilibrium (i.e. after a practically infinite time of operation). Finally, a phenomenon which may indirectly entail casualties is the electromagnetic pulse (EMP). An atomic explosion causes highly variable ionization currents and the consequent electromagnetic fields generate electric currents in conducting objects. Serious faults and malfunctions of control and operation systems are likely: the ubiquitous microprocessor-based systems are particularly sensitive to EMP effects.

The next section briefly discusses these phenomena. Only relatively low altitude air explosions are dealt with (underwater and high-elevation explosions are not discussed, underground explosions are discussed in Section 22-8).

22-4. Initial nuclear radiation The dose resulting from the initial nuclear radiation depends in a complex way on the explosion power and on distance, and on the density variations of air due to the blast (the ‘hydrodynamic’ increment due to the rarefaction of air behind the shock wave at high explosion energies). Tables 22-1 and 22-2 detail three values of gamma and neutron doses, respectively, and distance (in air from the explosion centre) for three typical explosion energies. Other values can be interpolated or extrapolated. The uncertainty is equal to a factor of two in both ways. Protection from the initial radiation is obtained by shielding layers. For gamma rays, every material is useful, but preferably those with a high atomic Table 22-1. Gamma doses 100 kt 1000 kt 10 000 kt

1 Gy

10 Gy

100 Gy

2400 m 3200 m 5000 m

1700 m 2700 m 4200 m

1200 m 2000 m 3400 m

Table 22-2. Neutron doses 100 kt 1000 kt 10 000 kt

1 Gy

10 Gy

100 Gy

2000 m 2500 m 3000 m

1600 m 2000 m 2500 m

1100 m 2500 m 2000 m

217

Table 22-3. Approximate dose transmission factors through various structures 1 m soil Dwellings (high floors) Dwellings (low floors) Concrete shelter (25 cm walls) Concrete shelter (60 cm walls)

Gamma rays

Neutrons

0.003 0.8 0.5 0.15 0.01

0.005 0.9 0.5 0.4 0.15

weight. For neutrons, the shielding is more complex as they must be slowed down first (light elements are effective for this) and then absorbed. Moreover, as the interaction of neutrons with matter generates gamma radiation, the latter must also be shielded by heavy elements. Table 22-3 lists some (indicative) data of an experimental and/or analytical origin concerning the transmission factor of various structures for the two types of radiation.

22-5. Shock wave The intensity of the shock wave generated by an explosion depends on the height of the explosion and distance from the explosion. However, for objects on the ground and for explosions within a few kilometres, the peak pressure generated is shown in Figure 22-2 for the equivalent energy of 1 kt. For other energies a scaling law can be used: D ¼ D1 W1=3 ,

ð22:1Þ

where D1 is the distance where a pressure for 1 kt occurs and W is the equivalent energy of the explosion considered. Equation 22.1 is valid only for surface explosions and impact points, otherwise other correction coefficients should be used. The pressure acting on a structure hit by the wave is not equal to the above mentioned peak pressure unless the structure is hit sideways, that is when the structure wall considered is parallel to the direction of propagation of the wave. In any other case, the maximum dynamic pressure on the wall is higher than the peak one by a factor of 2–4 (theoretically, 8) for a wall perpendicular to the wave direction of propagation, due to the reflection of the wave itself.

218

Nuclear Safety

Pressure (105 Pa)

1000 100 10 1 0.1 0.01 10

100

1000

10 000

Distance (m)

Figure 22-2. Peak pressure for a 1 kt explosion. Diagrams exist for the preventive evaluation of the possible damage to various structures, drawn on the basis of experimental and theoretical data. As an example, a reinforced concrete office building, designed to resist an earthquake, can be severely damaged by a 1 Mt explosion up to about 10 km distant.

22-6. Initial thermal radiation The overall duration of the emission of initial thermal energy varies with energy between values of a fraction of a second for low energies and values of tens of seconds for the higher energies (10 Mt and higher). As already mentioned, it is assumed that about 35 per cent of the energy released is transmitted as initial thermal radiation. The total energy deposited on objects on the ground and for unit surface is, then, approximately proportional to the inverse of the cube of the distance in air. It can be assumed that any combustible material catches fire for a value of this specific energy equal to 40 J cm 2 (¼ 400 kJ m 2). For an explosion of 1 Mt, about 40 J cm 2 at 3000 m in air from the explosion centre can be observed. Other values can be obtained by the simple scaling laws above. The ‘mushrooms’ of higher energy explosions tend to have heights equal to their widths, while those of small energy have heights greater than width because of the relative importance of the buoyancy and lateral forces. Figure 22-3, gives an idea of the dimension and typical form of the ‘fireball’ generated by the explosion.

22-7. Initial radioactive contamination (‘fallout’) The following steps give an indicative estimate of the dose from the fallout of an explosion: (1) Calculation by interpolating the dose intensity at the moment of arrival of the radioactive particulate (reference dose intensity). (2) Calculation of the accumulated dose for the given permanence in the considered position, by multiplying the initial dose intensity by a factor given by diagrams like Figure 22-4, as a function of the arrival time of the contamination (dependent on the wind velocity and of the distance). This method does not take into account the shielding effect of the ground roughness, nor the dimensions of the initial radioactive cloud. These effects, given the largely indicative character of these estimates, are to be considered as secondary. Rain or snow are much more important than these effects on the distribution of the contamination by causing a washout of the radioactive cloud and a ‘patchy’ distribution of the unit dose.

22-8. Underground nuclear tests 22-8-1. Historical data on nuclear weapons tests Testing has been a fundamental factor in the design of nuclear weapons. Therefore, up to now, six countries have performed about 1900 tests, of

Chapter 22 The effects of nuclear explosions

219

40 km

100 kt

10 Mt

Figure 22-3. Relative dimensions of the radiating surfaces of two different explosions.

Factor

10 Factor, 1h

1

Factor, 1d 0.1

Factor, 4d

0.01 1

10 Initial time (h)

100

Figure 22-4. Dose factor for permanence in the contaminated place.

which 518 have been in the atmosphere, underwater or in space, and the remainder underground (Robbins, 1991). In 1963, the first international treaty against testing nuclear weapons was signed and after that, only France (atmospheric and underwater tests until 1974) and China (until 1980) continued. After 1980, all the tests have been underground. One of the positive results of the G7 Group, enlarged to include

the new Russia, is that a total stop of the nuclear tests has been agreed upon.

22-8-2. The possible effects of an underground nuclear explosion Underground nuclear explosions are usually performed at a depth of hundreds of metres in order to

220

Nuclear Safety

avoid any consequences, radioactivity releases in particular, on the surface. The known effects of an underground explosion are the melting of rocks near the bomb and their fracturing for an extended surrounding volume. Certain events are seismic waves produced by the explosion and the ensuing surface disturbances in lakes and lagoons. The radioactive products (with a long half life and at a few hours from the time of the blast) released in the rock cavities have the following order of magnitude:

strontium-90: about 3500 TBq per megaton; caesium-137: about 5500 TBq per megaton; plutonium-239: about 5 TBq per test (corresponding to about 2.5 kg Pu).

Activation products have also to be considered which are generated by the intense neutron flux. In contrast to atmospheric explosions, a small amount of carbon-14 is generated by activation of nitrogen14 and a small amount of tritium. If salt water is present, the isotope sodium-24 is produced by activation of sodium-23. In the ground, silicon, aluminium and manganese are also activated, which have short half lives and rapidly decay. Besides these known effects, some accidental ones may also occur, such as in the experimental test at Baneberry, Nevada, in 1970 (10 kt at 270 m depth). A release of the majority of the explosion products and debris occurred which was pushed to a height of 3 km. After that event the Americans adopted more efficient containment measures. Another feared effect is the later penetration of water into the fractured rocks down to the blast cavity: it is thought that thermal highly radioactive springs could be created with a release of radioactivity at the surface. In underground tests performed below a water body, as in the case of the tests at the Mururoa Atoll, underwater rock slides creating anomalous waves and tsunamis. An event of this kind really happened at Mururoa (25 July 1975) when an underwater slide of about 106 m3 of coral rock was created leaving a cavity of about 140 m in diameter, accompanied by

the generation of a tsunami which caused damage and injured people in the Tuamotu archipelago. Unfortunately, the event could have been foreseen, as the operators did not succeed in taking the weapon down to the planned 800 m underground: it got stuck at 400 m, but the test was performed anyway.

22-8-3. The possible radiological effects of the underground tests Given the order of magnitude of the source of the most meaningful isotopes (strontium-90, caesium-137 and plutonium-239), the calculation of external releases is based on an estimate of the percentage of radioactivity released in the atmosphere. A criterion which has been used for estimating the possible damage consists in assuming that the external release is in the interval of 1–10 per cent of the generated radioactivity. The consequences, then, can be evaluated by the usual methods used for the calculation of radioactivity concentration as a function of distance downwind and the estimate of the health effects of direct exposure, of inhalation and of ingestion. The evaluations of the assumed accidental releases that happened during the underground tests indicate an average external release of about 40 TBq per test. The Baneberry case is probably unique in its severity. A release of 40 TBq of caesium and strontium is, however, serious (when compared to the maximum acceptable releases from future European reactors, even in a severe accident, which might be expected of the order of terabecquerels of iodine-131, corresponding to fractions of terabecquerels of caesium-137).

References Becket, B. (1983) Weapons of Tomorrow. Plenum Press. Glasstone, S. and Dolan, P.J. (1977) ‘The effects of nuclear weapons’, USDOD and ERDA. Robbins, A. (1991) Radioactive Heaven and Earth, The Apex Press, New York. Van Vliet, P. (1992) Armi Nucleari, Fratelli Melita editori, La Spezia.

Chapter 23 Radioactive waste

23-1. Types and indicative amounts of radioactive waste Radioactive waste is generated by the following activities:

medical uses (radiodiagnostics and radiotherapy) and industrial uses without nuclear reactors (radiography of mechanical components, irradiation of goods for disinfection/sterilization/ conservation); operation and decommissioning of nuclear plants.

The waste is mainly classified according to its radioactivity level and to its decay time. These two characteristics principally influence the choice of the best method for waste treatment and its storage/ disposal. A classification internationally used is shown in Table 23-1, together with the suggested management method. In order to get an idea of the quantity of radioactive waste produced by the various activities, it is useful to consider that in a country like Italy the medical and industrial waste (not including nuclear reactor waste) is as much as 1500 m3 per year. The LILW-SL waste produced per year by a 1000 MWe reactor is similar. The fuel discharged by a similar reactor is approximately 30 t in the non-conditioned state. As far as the low- and medium-activity waste are concerned, when disposal at sea was abandoned following the international agreement for the protection of sea, a disposal system based on burial in trenches, adopted in the USA after the Second World War (SNSF – Simple Near Surface Facility) has been gradually replaced by ever more elaborate methods based on the acknowledgement of the importance of introducing redundancy in the safety systems. This approach substantially aims at designing the storage

with the concept of entrusting safety to various natural and artificial components, each one representing a barrier to the diffusion of radionuclides into the biosphere. Various types of repositories have been conceived and implemented over the years (Cumo, Tripputi, Spezia, 2002). In the near surface type, based on various engineered barriers (ENSF – Engineered Near Surface Facility), the disposal structures can be positioned above or below ground. The repository at Dukovany in Czech Republic, at l’Aube in France and at El Cabril in Spain are above ground. The repositories at Drigg in the UK and at Rokkasho in Japan are below ground. Deep repositories offer an alternative. Waste is often stored 100 m deep in caverns (mined cavity), or using abandoned mines and galleries, or in deep geological repositories. The SFR repositories at Forsmark (Sweden) and at Olkiluoto and Loviisa in Finland belong to the first type, the repositories at Richard in the Czech Republic, and at Morsleben and Konrad in Germany, belong to the second type, the repository at Wellenberg in Switzerland belongs to the third type. Table 23-2 lists the safety features of some repositories. At the scientific level, generally the solution considered more appropriate for the final disposal of high-level waste is the placement of it in adequate deep geological repositories. However, no solutions of this type have been implemented yet, except for the Waste Isolation Pilot Plant (WIPP) in 1999, located in New Mexico (USA). The reasons for the postponement of a decision of this type are essentially the following:

Recently produced radioactive waste releases large quantities of heat. As the decay of radioactivity or 221

222

Nuclear Safety

Table 23-1. Classification of radioactive waste Category

Characteristic

Suggested management

VLLW (very low-level waste)

Waste which decays in a few months (maximum several years) to levels lower than the limits fixed for unconditional release. Low- and medium-activity waste with limited content of -emitting nuclides.

Temporary storage and disposal as conventional waste.

Low- and medium-activity waste which exceed the limit of 4000 Bq g 1 for -emitting nuclides. Waste which exceeds the limit of 4000 Bq g 1 for -emitting nuclides and shows a significant production of heat (>100 W m 3).

Conditioning in a concrete matrix and disposal in medium depth storage (>100 m). Conditioning in vitrified matrix and disposal in a deep geological formation (100–800 m) after a storage period of 30–50 years in adequate engineered structures.

LILW-SL (low- and intermediate-level waste – short lived) LILW-LL (low- and intermediate-level waste – long lived) HLW (high-level waste)

thermal power is very high in the first decades, it is convenient to store this waste for this time period in alternative facilities in order to subsequently simplify the management of the storage facility. The spent fuel could become an energy resource in the future. The time needed to qualify a site and install a final repository at depth is very long, so an intermediate solution of some decades has to be implemented in any case. Reversible options allow the possibility of taking advantage of research. The deep repository solution seems to many to be an irreversible concept. Doubts exist about the capability of science to ensure adequate safety levels in the required time span (hundreds of thousands years).

The trend emerging from various international experiences is to keep many alternatives open. Prevailing opinion can be summarized in the following way:

It is necessary to make choices which are not only scientifically and technically correct but also based on a democratic process. A decision has in any case to be taken. Abstaining from any decision is a decision in itself. Temporary storage is not a final solution, it is a way of buying some time. This remark has not to be seen necessarily in a critical sense. This position may be justified and correct if it is deemed that

Conditioning and disposal in an engineered surface site.

the uncertainties are too large to allow a wellpondered decision. If it is so, it is necessary to clearly and publicly affirm that at the moment only an intermediate solution can be pursued and implemented, and to indicate guidelines and research efforts for the definition of a final solution. The ability of retrieving the waste influences the decision on the type of final repository. If it is proposed to implement a final repository in the framework of a design which allows waste recovery, then the design has to demonstrate that retrievability does not detract from safety, otherwise it cannot be accepted. The concepts of interim experimental and research plants which may possibly evolve into final repositories is another solution.

23-2. Principles The general principles which have to be adhered to by the relevant legislation have been recognized internationally and the ‘Joint Convention on the Safety of Spent Fuel Management and on the Safety of Radioactive Waste Management’ treaty has been signed by many countries. In summary, these principles are: (1) Protecting human health. (2) Protecting the environment.

Chapter 23 Radioactive waste

223

Table 23-2. Safety features of some repositories Country/facility/type of storage

Safety and radiation protection requirements

Finland: VLJ Olkiluoto (deep cavern) VLJ Loviisa (deep cavern)

France: L’Aube (surface)

dose limit for critical group 10 t < 2:066907 = þ 2:049397 10 5 t2 > > : ; 6:895268 10 3 t þ 1 ðA2:10Þ

The final accident pressure can also be calculated by specific diagrams, such as the one shown in Figure A2-1, where Pr is the relative accident pressure in the containment (kg cm 2), T is the corresponding temperature ( C) and V/P is the ratio between containment volume and weight of water released (m3 kg 1). The four curves of the final pressure refer to various values of the specific internal energy of the released liquid. Example: The containment has a free volume of 60 000 m 3, into which 250 t of primary water are released, with an average temperature of 300 C. Initially the pressure in the containment is equal to 1 bar. Therefore V/P ¼ 0.24 m3 kg 1. The specific enthalpy of the liquid water at 300 C is equal to about 314 Cal kg 1 (practically coincident with the specific internal energy). Entering these values into the graph, the relative accident pressure equals about 2.7 kg cm 2 and the final containment temperature is about 125 C.

A2-3. Containment pressure versus time The following describes a simple spreadsheet which can be useful for rough evaluations. Where the assumptions on which it is based do not match those of interest (e.g. an absence of spray systems

Appendix 2 Calculation of the accident pressure in a containment

287

200

1 0.8

150

350

0.6

300

100

0.4 250 (kcal kg)

T (°C)

V/P (m3/kg)

400 (kcal kg)

50

0.2

0

0 0

1

2

3

4 5 Pr (kg cm−2)

6

7

8

Figure A2-1. Loss of coolant accident pressure in a containment. in the containment) the program can be easily modified.

A2-3-1. Introductory remarks During the design of the pressure containment building of a water reactor, the calculation of the transient pressure within it as a consequence of a LOCA is very important. In the first place, the knowledge of the pressure history in the containment, in times subsequent to the rupture, is necessary for the determination of the maximum internal pressure after the accident, which in some cases can be higher than the first initial pressure peak occurring shortly after the break. This, in general, occurs when, for the constructive characteristics of the containment, the dispersion of heat towards the outside is limited. Representative examples of this situation are those containers where an internal liner in reinforced concrete or an external biological shield of the same material which encloses totally or partially the metal container is present (e.g. the Indian Point, Elk River, Connecticut Yankee, Trino Vercellese and similar plants). In such cases, and in the absence of specific pressure abatement systems, such as cold water spray systems inside the containment, in addition to the first pressure peak in the instants immediately following the rupture, a second pressure peak can occur, higher than the first one, due to the release within the containment of the decay heat of the reactor core and to other possible phenomena, even in the realm of the design basis accidents. The second peak will occur at different times after the accident, according to the particular thermal characteristics of the system.

In the second place, the knowledge of the pressure history in the containment is necessary for the evaluation of the release outside it of radioactive substances from the core through the inevitable leaks of the structure. The amount of this release depends, in fact, on the internal pressure.

A2-3-2. Calculation method The step-by-step procedure described here is for use on a MicrosoftÕ ExcelÕ , or similar, spreadsheet. For the generic time interval the amounts of heat exchanged with the containment internal atmosphere on the basis of the conditions existing at the start of the same interval are calculated, assuming that in the interval the temperature of the air–water–steam mixture remains constant. Then, the balance of these quantities is made and, on the basis of the current heat capacity of the mixture, the variation of its temperature in the time interval and the corresponding final pressure are evaluated. The initial conditions for the subsequent time interval are then calculated. The method has been developed for simple pressure containment such as that shown in Figure A2-2 where the heat sources and sinks are solar heat absorbed by the containment (Qs), the heat exchanged with concrete (Qc), the heat exchanged with cold metals (Qmf), the heat exchanged with hot metals (Qmc), core decay heat (Qd) and the heat exchanged by the mixture towards the outside through the containment (Qco). With small and obvious modifications this method can also be adapted to rather different containments, such as double containment.

288

Nuclear Safety

h1 h2 Sco h1 þ h2

ðA2:13Þ

h1 Sco C3

ðA2:14Þ

Sco ðh1 þ h2 Þ , Cc

ðA2:15Þ

C1 ¼ Qcs

C2 ¼ C3 ¼ Qmf Qc

Qco Qmc

Qd

Figure A2-2. Containment scheme.

A2-3-3. Heat exchanged with the outside through the metal container The container considered is painted on its surfaces and the thermal resistance of the metal is negligible compared with the resistance between the metal and the air–steam mixture on one hand and external air or water of the external spray system on the other. With these assumptions and in the case where the external spray is not operating, the formulae giving the amount of heat exchanged in the generic time interval and the metal temperature at the end of the same interval are given in Equations A2.11–A2.15.

Qco ¼ C1 ðTm þ C2 Tco ð0Þ

Te Þ

Qcs

h1 h1 þ h2

! cs h1 Tm þ h2 Te þ Q Sco e h1 þ h2

C3

ðA2:11Þ Q

Tco ¼ e

C3

Tco ð0Þ

1

h1 Tm þ h2 Te þ Scocs h1 þ h2

!

Q

h1 Tm þ h2 Te þ Scocs þ h1 þ h2 ðA2:12Þ

where C1 (Cal/min C), C2 (Cal/ C kg), C3 (Cal/min) are three convenient calculation quantities, Cc is the specific heat of the concrete (Cal/kg C), h1 is the transmission coefficient between the containment metal and the mixture (resistance of the paint and of the paint–mixture interface) (Cal/m2min C), h2 is the transmission coefficient between the containment metal and external air (resistance of the paint and of the paint–air interface) (Cal/m2 min C), Sco is the containment surface area exposed to external air (m2), Tco is the temperature of the containment metal ( C), Tco(0) is the container metal temperature at the start of the interval of time ( C), Te is the temperature of the external air ( C), Tm is the temperature of the air-stream mixture within the containment ( C) and is the time interval (min). In the case where an external spray system operates it is possible to neglect the heat capacity of the containment and the heat released to the outside is calculated on the assumption that the spray water is poured from the top of the containment. The heating of the water itself while it flows along the surface is, moreover, taken into account. Thus Equation A2.16 follows: Qco ¼ Gse CðTm

Tse Þ 1

e

h Sco =c Gse

, ðA2:16Þ

where c is the total container metal thermal capacity (Cal/ C), C is the specific heat of the external spray water (Cal/kg C), Gse is the flow rate of the external spray (kg/min), h is the transmission coefficient between the mixture and the external spray water (Cal/m2min C) and Tse is the temperature of the external spray water ( C). This equation does not include the solar heat because, if the external spray is operated, this contribution has no influence on the transient.

A2-3-4. Heat released by hot metals The hot metals are the primary and secondary systems and the related hot auxiliary systems inside


the containment. These plant parts are all thermally insulated by a liner. The heat exchange is calculated assimilating these components to a flat layer of thickness equal to the average value of the thicknesses of all the components themselves, perfectly isolated on one side and lined on the other (towards the mixture) by the usual insulating liner. It is admissible to consider the metal as a capacity without resistance and the liner as a resistance without capacity and, with this scheme, the heat amount and the final temperature are given by Equations A2.17 and A2.18: Qmc ¼ hmc Smc ðTmc Tmc ¼ Tmc ð0Þ

hmc Smc ðTmc Cmc

Tm Þ

ðA2:18Þ

where hmc is the transmission coefficient between hot metals and the mixture (resistance of the isolating liner and the liner–mixture interface) (Cal/m2min C), Smc is the hot metal surface area (m2), Cmc is the thermal capacity of the hot metals (Cal/ C), Tmc is the temperature of the hot metals ( C) and Tmc(0) is the temperature of the hot metals at the start of the time interval ( C).

A2-3-5. Heat exchanged with cold metals The cold metals are those metallic components which during operation are at about the ambient temperature of the containment. They are lined, on exposed surfaces, by a layer of paint. The model used here is a simple capacity (metal) and a resistance (paint and interface paint mixture). Thus Equations A2.19 and A2.20 follow: hmf Smf Qmf ¼ Cmf ðTmf ð0Þ Tm Þ e Cmf 1 ðA2:19Þ Tmf ¼ Tm þðTmf ð0Þ

h Smf

Tm Þ e Cmf

other side, with the air–steam mixture through a paint layer. The calculation method is that described in Jakob (1962) which uses the finite difference method for the solution of the heat transfer equations. The concrete layers have been grouped in a certain number of groups, each with an average thickness and an exposed surface equal to the sum of the surfaces of the concrete layers included in the group. The heat exchanged with one of the groups of layers during the generic time interval is given by Equation A2.21: Qc ¼ hc Sc ðTm

ðA2:17Þ

Tm Þ,

,

289

Tc Þ,

ðA2:21Þ

where hc is the mixture–concrete transmission coefficient (Cal/m2min C), Sc is the concrete surface area (m2), Tm is the temperatures of the mixture ( C) at the start of the interval and Tc is the temperature of the concrete wall ( C) at the start of the interval. The temperatures, T 0, of the layers in which the concrete has been subdivided at the end of the time interval are calculated by Equations A2.22–A2.24: T10 ¼

2N M Tm þ M

2N M

2

T1 þ

2 T2 , M

ðA2:22Þ

for the first layer, T10 ¼

1 Ti M

1

þ

M 2 1 Ti þ Tiþ1 , M M

ðA2:23Þ

for the layers between the first and the last, and Tn0 ¼

1 Tn M

1

þ

M 1 Tn , M

ðA2:24Þ

for the last layer. M is an auxiliary calculation non-dimensional quantity and is given by Equation A2.25:

ðA2:20Þ

where Cmf is the thermal capacity of the cold metals (Cal/ C), hmf is the transmission coefficient between the metal and the mixture (Cal/m2min C), Smf is the cold metal surface area (m2) and Tmf is the temperature of the cold metals ( C).

A2-3-6. Heat exchanged with concrete layers The concrete layers have been modelled as plane insulated layers on one side and in contact, on the

M¼

c Cc 2 x2 , Kc

ðA2:25Þ

where c is the concrete density (kg/m3), Kc is the concrete heat conduction coefficient (Cal/mmin C) and x is the thickness of the concrete layer (m). N is another auxiliary calculation non-dimensional quantity and is given by Equation A2.26: N¼

hc x Kc

ðA2:26Þ

290

Nuclear Safety

The necessary condition for the convergence of the calculation is the one given by Equation A2.27 (Max, 1962): M > 2N þ 2:

ðA2:27Þ

The choice of the intervals x and has been made in a way which abundantly satisfies Equation A2.27, that is, M 2(2N þ 2).

A2-3-7. Decay heat As far as the transfer of the decay heat of the core to the water–steam mixture is concerned, here too the assumptions are made (usual in this type of calculation) of the total and instantaneous transfer of the available energy from the core to the mixture. These assumptions are not likely to be complied with in an accident, especially when it is assumed that the core always remains dry (i.e. no spray or flooding system operates). In reality the heat released is only partially transmitted to the mixture and, moreover, this phenomenon occurs after a delay. The assumption of the total transfer to the mixture of the energy released over time by the core is certainly cautious, while the assumption of an absence of delays in the phenomenon may or may not be cautious according to the aspects of the accident considered. In fact, what can be expected by the assumption of immediate transfer of the heat from the core is a pressure transient characterized at the start by higher values but having a shorter duration. Therefore this assumption is very likely to be conservative for the evaluation of the probability that a second pressure peak higher than the first one in the containment occurs. It will not necessarily be so for the evaluation of prolonged releases of activity from the containment in the absence of pressure abatement systems such as, for example, spray systems. The core decay heat is essentially composed of the decay heat of the fission products, the decay heat of the decay chain of uranium-239 and neptunium-239 produced by neutron capture by uranium-238, the decay heat of other actinides, the control rods and the structural materials and the heat generated by the residual fissions and by neutron capture by the fission products. The heat of the residual fissions is generally

very small 100 s after shutdown and can be completely neglected for the study of medium- and longterm transients. The decay heat of the structural materials can also be neglected. As far as the control rods are concerned, the heat released by them is not completely negligible, but it can probably be ignored if a safety factor for the total decay heat of at least 1.1 is used. The decay heats of the fission products have been amply studied and the values used here are those suggested by Shure (1961). They are very close to the values of the ANS (1994) and ISO (1992) curves. Some values of the decay heat of the fission products for infinite irradiation according to Shure are shown in Table A2-1. For the time interval 150 < t < 4 106 seconds, which generally covers the time span of interest for this transient, Shure suggests the following approximate analytical expression for the decay heat for an infinite irradiation time, valid with a maximum error of five per cent: Mð1, tÞ ¼ 13:01t

0:2834

,

ðA2:28Þ

where M is the percentage of operating power and t is time (s). Table A2-2 lists for various times the total decay power as a fraction of operating power (practically infinite time) according to ANS (1994) and ISO (1992). The decay heat for a finite irradiation time t0, at time t after shutdown, is given by Equation A2.29: Mðt0 , tÞ ¼ Mð1, tÞ

Mð1, t þ t0 Þ

ðA2:29Þ

The decay heat of uranium-239 is an important fraction of the total decay heat. It is directly proportional to the initial conversion ratio of the core. For a conversion ratio equal to 0.5, to an

Table A2-1. Decay heat (Shure, 1961) Time after shutdown (s) 102 103 104 105 106 107 108

Decay power as a percentage of the thermal operating power 3.3 1.87 0.97 0.48 0.268 0.121 0.0515


Table A2-2. Decay heat (ANS, 1994; ISO, 1992) Time after shutdown, t (s)

ANS 5.1/94

1 10 102 103 104 105 106 107 108

6.066 10 4.731 10 3.193 10 1.980 10 9.718 10 5.548 10 2.315 10 7.015 10 1.001 10

ISO 10645

2

6.005 10 4.738 10 3.220 10 2.031 10 1.028 10 5.705 10 2.364 10 7.461 10 9.666 10

2 2 2 3 3 3 4 4

2 2

0:278

,

2 2 3 3 4 5

ðA2:30Þ

where Pd is the percentage of the operating power and t is time (s). As usual Equation A2.30 gives the decay heat for an infinite operation time. The power for a finite operation time is given by Equation A2.31. Pd ðt0 , tÞ ¼ Pd ð1, tÞ

Pd ð1, t þ t0 Þ

bring the specific internal energy of the water from the u0 value (Cal/kg) pertinent to cold water to the value u pertinent to the steam–water system present in the containment. Thus Equation A2.32 follows: Qsi ¼ Gsi ðu u0 Þ, ðA2:32Þ

2

approximation of about 15 per cent, the approximate law (Equation A2.30) holds for the total power within the interval 102 < t < 3 105 seconds after shutdown (that is from 100 s to about 3.5 days). Pd ¼ 14:9t

291

ðA2:31Þ

The correction Pd(1, t þ t0) is not negligible in this type of problem. The expression of the decay heat to be inserted in the program is determined case by case by Equation A2.30 or by its equivalent for conversion ratios different from 0.5, and by Equation A2.31, on the basis of the value of the core operation time t0. It will be opportune to add a safety factor of the order of 1.15–1.20 in order to take into account the mistakes due to approximate expressions of the type of Equation A2.30, and the fact that the control rod decay heat has not been taken into account, and so on.

A-2-3.8. Heat removed by the spray system internal to the containment If the mechanical work for the introduction of water into the containment is neglected (a reasonable assumption), the energy absorbed by the sprayed cold water in the interval will be that necessary to

where Gsi is the weight flow rate of the internal spray system (kg/min) and Qsi is the heat absorbed by the internal spray (Cal). In order to use Equation A2.32 in the program it is necessary to use an analytical expression of the internal energy, u, of the steam–water mixture as a function of the total volume, V (m3), its weight and the partial pressure of the steam or temperature as given in Section A2-2.

A2-3-9. Solar heat The solar heat contribution is not negligible in this problem and must, therefore, in general, be included in the calculation. The solar heat impinging on a surface outside the terrestrial atmosphere and normal to the direction of the solar beams, at the average distance from the Earth, is 20 Cal m2 min (mean solar constant). This value undergoes a maximum variation of 3.5 per cent during the year because of the variation of the distance between the Earth and the Sun. In order to evaluate which part of the mean solar constant is absorbed by a surface at ground level it is necessary to evaluate the effects of the inclination of the surface, the latitude and the Sun’s declination, as well as of the transparency of the atmosphere and the surface reflection. In a conservative evaluation and on the basis of data in MARKS, 1958, pp. 12–114, the following multiplication factors can be assumed in order to take into account the aforementioned effects at about 43 degrees of latitude North (readers will insert a latitude of their interest here): For the surface inclination, the latitude, the Sun’s inclination and the distance of the Sun from the Earth: f1 ¼ 0:4 0:965 ¼ 0:386,

ðA2:33Þ

where 0.4 is the surface inclination and latitude nondimensional coefficient and 0.965 is the distance of the Sun from the Earth non-dimensional coefficient. For the transparency of the atmosphere: f2 ¼ 0:6

ðA2:34Þ

292

Nuclear Safety

If the area of the containment surface exposed to the Sun is indicated with Scs (m2) and the conservative assumption of a unit absorption coefficient of the surface is made, it is possible to calculate the heat absorbed in one minute by the containment by A2.35: Qcs ¼ 20 f1 f2 Scs ¼ 4:63 Scs Cal min 1 ðA2:35Þ

A2-3-10. Thermal balance in the interval "s The variation of the internal atmosphere temperature of the containment, Tm, in the time interval , can be evaluated on the basis of the heat quantities exchanged by it (see Equations A2.11, A2.16, A2.17, A2.19, A2.21, A2.31 and A2.32) by the expression: Tm ¼

Q Qd þ Qmc ¼ W

Qco Qmf W

Qc

Qsi

,

ðA2:36Þ where Qd comes from equation A2.31 and W is the thermal capacity of the gas–vapour mixture inside the containment (air, water, steam) and can be expressed with sufficient approximation by Equation A2.37: W ¼ Ca þ PH2 O þV 0:002 T2m 0:185 Tm þ 6:05 Cal C 1 ,

ðA2:37Þ where Ca represents the constant volume thermal capacity of the containment air (Cal/ C), which is assumed to be constant during the transient, PH2O is the total steam–water weight (kg), which is constant only if the internal spray is not operating, and V is the free volume of the containment (m3). The initial conditions for the subsequent interval will then be calculated by Equations A2.12, A2.18, A2.20, A2.22–A2.24.

A2-3-11. Considerations on the performance of the calculation and on the choice of the input data When performing this type of calculation it must be remembered that the transient is very sensitive to relatively small errors in the heat amounts. This is due to the fact that in Equation A2.36 the effective heat quantity Q is small in comparison with most of the other terms and therefore a relatively small error in one of them introduces a large error in Q and therefore in T. This is particularly true in those cases where spray systems are not operating and during a long transient, that is in those cases where the variation of temperature and pressure with time is slow. Table A2-3 lists the values of Q and the values of the various heat quantities as a percentage of Q for values of the time after the occurrence of the accident in a cases of this type. This situation demands an extremely attentive determination of the input data in the calculation (heat exchange coefficients, area of the surfaces exposed to the atmosphere and so on) to ensure that the various heat quantities exchanged by the mixture are evaluated in a conservative way. The following looks at some input data for the calculation whose determination is usually uncertain.

Heat transfer coefficients As far as the heat transfer coefficient between the air– steam mixture in condensation and the various surfaces exposed to it is concerned, various theoretical (Jakob, 1962; McAdams, 1985) and experimental (Kolflat and Chittenden, 1957; Goodwin, 1958; Jubb, 1959; Leardini, Cadeddu and Schiavoni, 1961; Leardini and Cadeddu, 1961; Uchida, Oyama and Togo, 1964) studies exist. A value normally accepted for operational water reactors (initial peak

Table A2-3. Heat rates from various sources Time after the accident 30 min 2 hr 10 hr 1 (day) 3 (days)

Q (Cal h 1) 2900 3380 2180 1730 264

Qd (%)

Qmc (%)

Qmf (%)

Qc (%)

Qco (%)

2900 1680 1500 1500 6700

31 26 36 37 135

34 13 11 9.5 7.3

2600 1300 990 720 1660

480 300 500 700 5000


overpressure of some bars) is of 200 Cal m2hr C 1, at least until the pressure stays at high values, that is until the percentage of steam in the containment is significant. In the first instants after the accident the heat transfer coefficient is likely to be higher than the indicated value, by as much as a factor of 10, because of the motion of the air and steam mixture due to the efflux from the reactor pressure boundary. The influence of the value given to the heat exchange coefficient between the air–vapour mixture and the walls on the transient is limited by the fact that generally the walls are covered by paint layers whose resistance has, on the basis of the current evaluations, a value of the order of that of the resistance mixture paint. Moreover, this fact demonstrates the importance of carefully evaluating the thermal resistance of the paint layers in addition to that of the transmission coefficient between mixture and paints. As far as the heat transmission coefficient from the containment outside surface to the atmosphere in the absence of external spray is concerned, it is worthwhile remembering that the contribution of radiation is important. The coefficient values usually range from 5 to 20 Cal m2hr C 1 according to the building layout adopted. If the external spray is supposed to operate, the transmission coefficient between paint and spray water is of the order of 500–5000 Cl m2hr C 1.

Choice of the length of the time step and of the thickness of the concrete layers. X A series of tests performed in a typical case has shown that a maximum acceptable value of the step is about one minute. If a step ten times lower is used no important differences are noted, while with a step ten times longer the transient is completely wrong. The choice of the thickness, X, of the concrete layers does not appear as critical as that of . Indeed, once the necessary stability condition (Equation A2.27) is satisfied with a certain margin, for example putting M 2(2N þ 2), the transient is not very sensitive to the value of X, specially after the first hours from the start of the accident. Hence, if only the long-term transient is of interest, the layers in which the concrete is subdivided can also be very thick.

293

A2-3-12. Example calculation This section describes the sample VBA (Visual BasicÕ for Applications) macro PRESCONT for use with a MicrosoftÕ ExcelÕ 97 spreadsheet which is available on the companion website (file CONTPRESSURE). A simple containment example is examined, without internal or external spray. The decay heat corresponds to a conversion factor of 0.5 (Equation A2.30), an operation time of 15 months and a safety factor of 1.2. Three groups of concrete slabs are considered which can be subdivided for the calculation into a maximum number of 630, 160 and 100 layers. The absolute pressure in the containment before the accident is 1 kg cm 2. The input data are: C6 (Cal/ C):

Thermal capacity of cold metals C10 (Cal/ C): Thermal capacity of metal containment wall CAP (Cal/ C): Total thermal capacity of air in the containment CM and CN: Non-dimensional constants of the concrete (see Equation A2.25 and A2.26) CMC (Cal/ C): Thermal capacity of hot metals D (min): Calculation time step H1 (Cal/m2min C): Transmission coefficient between mixture and containment metal H2 (Cal/m2min C): Transmission coefficient between the containment metal and external air HC (Cal/m2min C): Transmission coefficient between mixture and concrete slabs HMC (Cal/m2min C): Transmission coefficient between hot metals and the mixture HMF (Cal/m2min C): Transmission coefficient between cold metals and mixture IC: Number of layers in the first group of concrete slabs ICM: Number of layers in the second group of concrete slabs

294

Nuclear Safety

Number of layers in the third group of concrete slabs P (MWt): Steady thermal power of reactor PH2O (kg): Weight of water released by the break QS (Cal/min): Solar thermal power absorbed by the metal surface of the containment SC (m2): Containment surface area exposed internally to the mixture and externally to air Surface area of first group of SCC (m2): concrete slabs SCCM (m2): Surface area of second group of concrete slabs Surface area of third group of SCCN (m2): concrete slabs SMC (m2): Hot metal surface area Cold metal surface area SMF (m2): T (s): Current time Containment atmosphere TA ( C): temperature before accident Temperature of the external air TE ( C): TF (min): Time after rupture at which transient calculation is terminated TM ( C): Initial temperature of the containment mixture after efflux TMC ( C): Hot metals initial temperature V (m3): Internal free volume of the containment ICN:

The results of the first calculation step for this example are: The containment pressure, PR (kg/cm2) ¼ 1.996362 The heat exchanged with the concrete of the first group, QC (Cal) ¼ 146666.8 The heat exchanged with the concrete of the second group, QCM (Cal) ¼ 1925000 The heat exchanged with the concrete of the third group, QCN (Cal) ¼ 1925000 The heat exchanged by the mixture towards the outside through the containment, QCO (Cal) ¼ 1466663.8 The decay heat, QD (Cal) ¼ 982505.35 The heat exchanged by the mixture with hot metals, QMC (Cal) ¼ 66500 The heat exchanged with the cold metals, QMF (Cal) ¼ 502030.25 The current time, T (s) ¼ 1

The temperature of the containment metal, TCO ( C) ¼ 32.059002 The temperature of the first layer of the first concrete group, TC1 ( C) ¼ 52.380951 The temperature of the first layer of the second concrete group, TCM(1) ( C) ¼ 52.380951 The temperature of the first layer of the third concrete group, TCN(1) ( C) ¼ 52.380951 The temperature of the mixture, TM1 ( C) ¼ 91.952075 The temperature of the hot metals, TMC ( C) ¼ 298.1 The temperature of the cold metals, TMF ( C) ¼ 50.101512 The program listing follows. Sub PRESCONT() Dim TC(630) As Single Dim TCC(630) As Single Dim TCM(160) As Single Dim TCCM(160) As Single Dim TCN(100) As Single Dim TCCN(100) As Single J=1 T=0 TA = Range(‘‘$f$2’’) For I = 1 To IC TC(I) = TA Next I For I = 1 To ICM TCM(I) = TA Next I For I = 1 To ICN TCN(I) = TA Next I TE = Range(‘‘$h$2’’) TCO = (TA + TE)/2 TMF = TA H1 = Range(‘‘$d$5’’) H2 = Range(‘‘$f$5’’) SC = Range(‘‘$h$5’’) D = Range(‘‘$d$4’’) C1 = H1 * H2 * SC * D/(H1 + H2) C10 = Range(‘‘$b$10’’) C2 = H1 * C10/(H1 + H2) C3 = SC * (H1 + H2)/C10 H3 = H1 + H2 CMC = Range(‘‘$h$6’’) CM = CMC/D CAP = Range(‘‘$h$3’’)


PH2 = Range(‘‘$f$3’’) TM = Range(‘‘$d$2’’) V = Range(‘‘$d$3’’) ProgramStart: W = CAP + PH2 + (0.0022 * TM ^ 2 - 0.185 * TM + 6.05) * V QS = Range(‘‘$b$4’’) QCC = C1 * (TM - TE) - H1 * D/H3 * QS QCO = QCC + C2 * (TCO - (H1 * TM + H2 * TE + QS/SC)/H3) * (Exp(-C3 * D) - 1) C4 = Range(‘‘$f$6’’) TMC = Range(‘‘$b$3’’) QMC = C4 * (TMC - TM) * D C6 = Range(‘‘$d$7’’) C7 = Range(‘‘$b$8’’) QMF = C6 * (TM - TMF) * (1 - Exp(-C7 * D)) C8 = Range(‘‘$h$8’’) QC = C8 * (TM - TC(1)) * D C9 = Range(‘‘$d$9’’) QCM = C9 * (TM - TCM(1)) * D C11 = Range(‘‘$h$9’’) QCN = C11 * (TM - TCN(1)) * D T = T + D/2 P = Range(‘‘$b$2’’) QD = 172 * P * D * (14.9 * (60 * T) ^ (-0.278) - 0.076) TM1 = TM - (QC + QCM + QCN + QCO + QMF - QMC QD)/W TCCO = (TCO - (H1 * TM + H2 * TE + QS/SC)/H3) * Exp(-C3 * D) + (H1 * TM + H2 * TE + QS/SC)/H3 C5 = Range(‘‘$b$7’’) TMC = TMC - C5 * (TMC - TM) * D TMF = TM - (TM - TMF) * Exp(-C7 * D) CN = Range(‘‘$f$4’’) CM = Range(‘‘$H$4’’) TCC(1) = 2 * CN/CM * TM + (CM - 2 * CN - 2)/CM * TC(1) + 2/CM * TC(2) Id = Range(‘‘$d$11’’) For I = 2 To Id TCC(I) = TC(I - 1)/CM + (CM - 2)/CM * TC(I) + TC(I + 1)/CM Next I IC = Range(‘‘$f$10’’) TCC(IC) = TC(Id)/CM + (CM - 1)/CM * TC(IC) TCCM(1) = 2 * CN/CM * TM + (CM - 2 * CN - 2)/ CM * TCM(1) + 2/CM * TCM(2) Idm = Range(‘‘$f$11’’) For I = 2 To Idm TCCM(I) = TCM(I - 1)/CM + (CM - 2)/CM * TCM(I) + TCM(I + 1)/CM

295

Next I ICM = Range(‘‘$h$10’’) TCCM(ICM) = TCM(Idm)/CM + (CM - 1)/CM * TCM(ICM) TCCN(1) = 2 * CN/CM * TM + (CM - 2 * CN - 2)/ CM * TCN(1) + 2/CM * TCN(2) Idn = Range(‘‘$b$12’’) For I = 2 To Idn TCCN(I) = TCN(I - 1)/CM + (CM - 2)/CM * TCN(I) + TCN(I + 1)/CM Next I ICN = Range(‘‘$b$11’’) TCCN(ICN) = TCN(Idn)/CM + (CM - 1)/CM * TCN(ICN) For I = 1 To IC TC(I) = TCC(I) Next I For I = 1 To ICM TCM(I) = TCCM(I) Next I For I = 1 To ICN TCN(I) = TCCN(I) Next I TCO = TCCO PA = (TM1 + 273)/(TA + 273) PR = 10 ^ (17.457 - 2795/(TM1 + 273) 1.6799 * Log(TM1 + 273)) + PA T = T + D/2 Range(‘‘b’’ & (J * 5 + 15)) = T Range(‘‘d’’ & (J * 5 + 15)) = TM1 Range(‘‘f’’ & (J * 5 + 15)) = PR Range(‘‘h’’ & (J * 5 + 15)) = QD Range(‘‘b’’ & (J * 5 + 16)) = QCO Range(‘‘d’’ & (J * 5 + 16)) = TCO Range(‘‘f’’ & (J * 5 + 16)) = QMC Range(‘‘h’’ & (J * 5 + 16)) = TMC Range(‘‘b’’ & (J * 5 + 17)) = QMF Range(‘‘d’’ & (J * 5 + 17)) = TMF Range(‘‘f’’ & (J * 5 + 17)) = QC Range(‘‘h’’ & (J * 5 + 17)) = TC(1) Range(‘‘b’’ & (J * 5 + 18)) = QCM Range(‘‘d’’ & (J * 5 + 18)) = TCM(1) Range(‘‘f’’ & (J * 5 + 18)) = QCN Range(‘‘h’’ & (J * 5 + 18)) = TCN(1) TM = TM1 J=J+1 If T < Range(‘‘$d$10’’) Then GoTo ProgramStart: End If End Sub

296

Nuclear Safety

If the program crashes for specific cases, it is useful to repeat the calculation using a shorter value of the time step, D. This program can be easily adapted to other cases, for example by the inclusion of an external and internal spray, activated for a preselected time and duration or by the presence of a second containment.

References ANS (1994) ‘Decay heat power in light water reactors’, ANSI/ANS-5.1-1994, American Nuclear Society, La Grange Park, Illinois 60526 USA. CNEN (1976) ‘Raccolta di formulazioni delle proprieta` termodinamiche e del trasporto dell’acqua’, Comitato Nazionale per l’Energia Nucleare, SATN-1-76, DISP/ CENTR, August 1976. Goodwin, W.W. (1958) ‘Pressure build-up in a container following a Loss of Coolant Accident’, ANS Meeting, June. ISO (1992) ‘Nuclear energy – Light water reactors: Calculation of the decay heat power in nuclear fuels, ISO 10645.

Jakob, M. (1962) Heat Transfer. New York: Wiley. Jubb, D.H. (1959) ‘Condensation in a reactor containment vessel’, Nuclear Engineering, December. Kolflat, A. and Chittenden, W.A. (1957) ‘A new approach to the design of containment shells for atomic power plants’, 19th Annual American Power Conference. Leardini, I. and Cadeddu, M. (1961) ‘Caverns as nuclear power reactor containers’, Energia Nucleare, February. Leardini, I., Cadeddu, M. and Schiavoni, M. (1961) ‘Tests on a cavern for the determination of temperature and pressure transients in a case simulating a major Loss of Coolant-type reactor accident’, Energia Nucleare, February. MARKS, L.S. (1958) Mark’s Mechanical Engineers Handbook. McGraw-Hill. McAdams, W. (1985) Heat Transmission. R.E. Krieger Pub. Co, USA. Shure, K. and Dudziak J. (1961) Calculating energy released by fission products, WAPD-T-1309, Bettis Atomic Power Laboratory, Pittsburgh, Pennsylvania, USA. Uchida, H., Oyama, A. and Togo, Y. (1964) ‘Evaluation of post-incident cooling systems of light water power reactors’, A/Conf. 28/P/436, Geneva 1964 Conference on Peaceful Uses of Atomic Energy, UNO, Geneva, 1964.

Appendix 3 Table of safety criteria

This table is intended to serve as a memo for the content of five of the general design criteria for nuclear plants, thought to be rather representative of the overall picture. The first column of the table contains the complete list of the IAEA criteria, which are rather recent and therefore complete. If another criteria has no

correspondence to the IAEA criteria, it has been put at the bottom of the table, after the end of the IAEA criteria. For brevity, the recent US Utility Requirements Document (URD) criteria have not been included, but it does have many points in common with the EUR criteria.

297

298

Table A3-1. Safety criteria GDC – USA IAEA (2000)

EUR (1995)

(1971)

OPB 88/97 (1997)

PUN – ITALY (1987)

NOTES

1 INTRODUCTION

Introduction

LIST OF ABBREVIATIONS BASIC TERMS AND DEFINITIONS

I GENERALITIES

In general, in IAEA and in EUR much more general safety philosophy is included. GDC goes sometimes into more detail. Many safety issues are dealt with in chapters of EUR different from 2.1, Safety Requirements (example: Ch. 2.8.1.1: principal safety functions).

BACKGROUND

Definitions and explanations

BASIC PROVISIONS

I.1 PREAMBLE

1.1 PURPOSE OF THE DOCUMENT

I.2 OBJECTIVES AND SCOPE

OBJECTIVE SCOPE STRUCTURE

DEFINITION BASIC SAFETY ASSURANCE PRINCIPLES AND CRITERIA

2 SAFETY OBJECTIVES AND CONCEPTS

SAFETY OBJECTIVE 2.2 General Nuclear Safety Objective

2.1 FUNDAMENTAL SAFETY OBJECTIVES AND POLICIES 2.1.1.1 Fundamental safety objectives 2.1.2 QUANTITATIVE SAFETY OBJECTIVES 2.1.2.1 Overall approach to targets and utility limits 2.1.2.2 Radiological impact during Normal Operation and Incident

II CRITERIA

II.1 Radiation protection assignment II.1.1 Population protection II.1.2 Protection of non-exposed workers II.1.3 Protection of exposed workers II.1.4 Balance of exposure (populationworkers, etc.) II.4 Probabilistic

EUR not only uses the expression ‘severe accidents’ but also the expression ‘design extension conditions’. EUR are very complete and quantitative in defining the various safety and radiation protection objectives.

safety objectives (limits for the 4 events categories)

Conditions 2.1.2.2.1 Radioactive discharge criteria during Normal Operation and Incident Conditions 2.1.2.2.2 Doses from direct radiation during Normal Operation and Incident Conditions 2.1.2.3 Operational staff doses during Normal Operation and Incidents 2.1.2.4 Off-site release targets for Accident Conditions 2.1.2.5 Off-site release targets for Severe Accidents 2.1.2.6 Probabilistic safety targets

PUN provides probabilistic limits for internal origin events, while earthquakes and other external events, as a matter of consensus among the experts involved at the time of criteria definition, are dealt with in a deterministic way (maximum potential event).

2.4 Radiation Protection Objective 2.5 Technical Safety Objective

THE CONCEPT OF DEFENCE IN DEPTH

3 REQUIREMENTS FOR MANAGEMENT OF SAFETY

2.1.1.3 DEFENCE IN DEPTH

II Protection by multiple fission product barriers

1.2.17 Limit of 10 7 y for maximum releases considered BASIC SAFETY ASSURANCE PRINCIPLES AND CRITERIA

1

1.2.20 1.2.21 (training centre) 1.2.22 (physical protection and fire safety) 1.2.24 (control of nuclear materials) 5 ASSURANCE OF THE OPERATIONAL SAFETY OF NUCLEAR PLANTS 5.1 Operational management and operational documentation

299

Continued

300

Table A3-1. Continued GDC – USA IAEA (2000)

EUR (1995)

(1971)

MANAGEMENT OF DESIGN PROVEN ENGINEERING PRACTICES OPERATIONAL EXPERIENCE AND SAFETY RESEARCH SAFETY ASSESSMENT

INDEPENDENT VERIFICATION OF THE SAFETY ASSESSMENT QUALITY ASSURANCE

SAFETY FUNCTIONS ACCIDENT PREVENTION AND PLANT SAFETY CHARACTERISTICS RADIATION PROTECTION AND ACCEPTANCE CRITERIA


NOTES In IAEA the MANAGEMENT RESPONSIBILITY also includes Safety Culture

II.9 Design management 2.1.6.3 Design codes and standards 2.1.6.4 Materials 2.1.1.3.3 Accident prevention

In EUR research in general is not mentioned as a support to design choices. 1.2.18 1.2.19 Safety analysis and probabilistic analysis

2.1.6.15 Quality assurance

I Overall requirements Cr.1 Quality standards and records

1.2.6 (and following)

BASIC SAFETY ASSURANCE PRINCIPLES AND CRITERIA

4 PRINCIPAL TECHNICAL REQUIREMENTS

REQUIREMENTS FOR DEFENCE IN DEPTH

OPB 88/97 (1997) 1.2.8 (Safety culture) and following

RESPONSIBILITIES IN MANAGEMENT

2.1.1.3 DEFENCE IN DEPTH 2.1.1.3.1 Levels of defence 2.1.1.3.2 Barriers and safety functions 2.1.1.3.3 Accident prevention 2.1.1.3.4 Accident mitigation

II.5 Plant systems

II.5.1 System requirements and classifications

5 REQUIREMENTS FOR PLANT DESIGN

SAFETY CLASSIFICATION

2.1.6.8 Classification of Safety Functions and categorization of equipment 2.1.6.8.1 Introduction 2.1.6.8.2 Level of safety functions 2.1.6.8.2.1 Safety functions of level F1 2.1.6.8.2.2 Safety functions of level F2 2.1.6.8.3 Requirements according to level of Safety Functions 2.1.6.8.4 Assignment of equipment and structures to a safety category 2.1.6.8.5 Requirements on equipment and structures according to safety category 2.1.6.8.6 Classification of structures and equipment according to the design and construction codes 2.1.6.8.7 The relation of seismic categorization to safety level of functions

4 BASIC SAFETY PRINCIPLES TO BE IMPLEMENTED DURING THE DESIGN OF NUCLEAR PLANTS AND THEIR SYSTEMS 4.1 General requirements 2 CLASSIFICATION OF SYSTEMS AND OF COMPONENTS (4 SAFETY CATEGORIES: fuel and beyond dba accid., dba with standardized failures of components and comp. essential to safety systems, other systems related to safety., comp. without connection with safety)

II.5.1 System requirements and classifications

GDC do not mention a safety classification

301

Continued

302

Table A3-1. Continued GDC – USA IAEA (2000)

EUR (1995)

GENERAL DESIGN BASIS

2.1.6.5 Plant performance following Accident Conditions 2.1.6.6 Plant performance following DEC

Categories of plant states Postulated initiating events

Internal events Fires and explosions

Other internal hazards

External events

2.1.5 EXTERNAL AND INTERNAL HAZARDS 2.1.5.1 Hazards to be considered 2.1.5.2 Approach to hazards 2.1.5.4 Internal hazards 2.1.5.4.1 Fires 2.1.5.4.2 Release of gas, water, steam or any noxious substance 2.1.5.4.3 Failure of pressure parts, supports or other structural components 2.1.5.4.4 Disruptive failure of rotating machinery or other equipment 2.1.5.4.5 Dropped or impacting loads 2.1.5.4.6 Electromagnetic interference from equipment on site 2.1.5.3 External hazards 2.1.5.3.1 Earthquake 2.1.5.3.2 Extreme weather conditions 2.1.5.3.3 Site flooding 2.1.5.3.4 Aircraft crash

(1971)

OPB 88/97 (1997)


NOTES

I Overall Requirements Cr.4 Environmental and dynamic effects design bases

I Overall requirements Cr.3 Fire protection

II.2 External events and area events II.2.5 Fires

I Overall requirements Cr.4 Environmental and dynamic effects design bases

II.2.4 Dynamic effects (segregation of systems with internal energy, pipe whip, compartment pressurization)

II.2 External events and area events II.2.1 Natural external events II.2.2 External events from human activities,

EUR allows for considerations of ‘Leak before Break’ and for ‘Break Preclusion’

reference impact, 20 t (aircraft, pressure wave) II.5.13 Automatic control of the reactor in case of external events from human activities II.2.3 Flooding

2.1.5.3.5 Hazards from adjacent installations and transport activities 2.1.5.3.6 Electromagnetic interference from sources outside the site 2.1.5.3.7 Sabotage I Overall requirements Cr.2 Design bases for protection against natural phenomena

Site related characteristics

Combination of events Design rules (generic) Design limits (generic) Operational states Design basis accidents

Severe accidents

2.1.8.3 Table 3 List of Design Basis Conditions (Categories 1, 2, 3, 4) 2.1.8.4 Hazards (internal, external, human) 2.1.1 FUNDAMENTAL SAFETY OBJECTIVES AND POLICIES 2.1.1.2 Safety policy 2.1.4 DESIGN EXTENSION CONDITIONS (DEC) 2.1.4.1 Design extension approach 2.1.4.2 General assessment rules for DEC 2.1.4.3 Complex sequences 2.1.4.3.1 General approach for Complex sequences 2.1.4.3.2 Complex sequences that must be considered in DEC

1.2.14 (severe accident management) 1.2.15 (Risk reduction; emerg. plans)

303

Continued

304

Table A3.1. Continued IAEA (2000)

DESIGN FOR RELIABILITY OF STRUCT., SYS. AND COMPONENTS Common cause failures Single failure criterion

Fail safe design

EUR (1995) 2.1.4.3.3 ATWS 2.1.4.3.4 Containment bypass accidents 2.1.4.4 Severe accidents 2.1.4.4.1 Prevention of Primary Containment failure 2.1.4.4.2 Mitigation of Severe Accidents by containment system 2.1.4.5 Severe Accident In-Containment Source Term quantification 2.1.4.5.1 General approach to the in-Containment Source Term 2.1.4.5.2 Reference Source Term (RST) 2.1.4.5.3 Required application of RST 2.1.4.5.4 PSA evaluation of Source Term (probabilistic analysis) 2.1.6.13 Accident Management 2.1.9 Appendix A Source term and release quantification methodology for DEC 2.1.6 ENGINEERING REQUIREMENTS 2.1.6.1 Design objectives 2.1.6.2.2 Prevention of common cause failure 2.1.3.4 Single failure criterion

2.1.6.1.1 Simplicity, transparency and

GDC – USA (1971)

OPB 88/97 (1997)


NOTES

II.5.1 Systems requirements and classifications

In IAEA the single failure criterion is formulated in a general and articulated way; in GDC it is specifically inserted in various criteria The concept of ‘fail safe’ is inserted in criterion GDC 23

4.1.6 (embedded in various criteria)

1.2.12, 4.4.5.7

Auxiliary services

Equipment outages PROVISIONS FOR IN-SERVICE TESTING, MAINTENANCE, REPAIR, INSPECTION AND MONITORING EQUIPMENT QUALIFICATION AGEING HUMAN FACTORS Design for optimal operator performance OTHER DESIGN CONSIDERATIONS Sharing of structures, systems and components between reactors

forgiving design 2.1.6.1.2 Fault tolerance 2.1.5.2 Approach to hazards

(protection system) IV Fluid Systems Cr.44 Cooling water

4.7 Supporting safety systems

2.1.6.10 Inspection, on-line monitoring, testing and maintenance

2.1.6.9 Equipment qualification 2.1.6.9 Equipment qualification 2.1.6.11 Human factors 2.1.6.11 Human factors

II.7 Human factors

II.5.18 Structures, systems and components common to more units

I Overall Requirements Cr.5 Sharing of structures, systems and components

Systems containing fissile or radioactive materials (generic) Power plants used for cogeneration, heat generation or desalination Transport and packaging for fuel and radioactive waste Escape routes and means of communication Control of access

II.5.7 Cooling of essential systems II.5.11 Instrument air II.5.15 Emergency environment cooling and conditioning

In EUR the sharing of components and systems between various plants is not even mentioned

II.5.17 Production, treatment and disposal of waste 2.1.5.2 Approach to hazards 2.1.6.14 Radiation protection

1.2.23 (communications)

305

Continued

Table A3-1. Continued EUR (1995)

Interactions of systems

2.1.1.3.4 Accident mitigation

Interaction between the electrical 2.1.7.1 Factors affecting power grid and the plant choice of site

Decommissioning

SAFETY ANALYSIS Deterministic approach

Probabilistic approach

Control of the reactor core

OPB 88/97 (1997)


NOTES In GDC no mention is made of possible interaction of systems in general (electric power only is treated)

II Protection by Multiple Fision Products Barriers Cr.17 Electric power systems

2.0.3.16 Chapter 2.16 Decommissioning

5.6 Nuclear plant decommissioning

2.1.3 DESIGN BASIS CONDITIONS 2.1.3.1 Deterministic approach to safety 2.1.2.7 Probabilistic safety assessment methodology 2.1.3.2 Design basis and safety objectives 2.1.3.3 Deterministic safety analysis

6 REQUIREMENTS FOR DESIGN OF PLANT SYSTEMS REACTOR CORE AND ASSOCIATED FEATURES

General Design Fuel elements and assemblies

GDC – USA (1971)

306

IAEA (2000)

II.8 Provisions for decommissioning

Design for decommissioning is dealt with in IAEA but not in GDC

II.6 Analysis of transients and accidents

II.4 Probabilistic safety objectives (including limit to reliability of non-diversified systems, etc.)

II.3- Physical and functional integrity of barriers II Protection by Multiple Fission Product Barriers Cr.10 Reactor Design 2.1.8.5 Table 5 Fuel limits in Design Basis Category 4 Conditions

4.2 Core design and characteristics

4.2.1 Fuel damage limits

II Protection by Multiple Fission Product Barriers

II.3.1 Fuel (integrity criteria in accidents, Doppler effect) 4.2.3 Core and reactivity II.5.2 Reactivity control II.5.3 Chemical and control avoid power volume control pump seal excursions

No mention is made of probabilistic approach in GDC

Reactor shutdown

REACTOR COOLANT SYSTEM Design of the reactor coolant system

In-service inspection of the reactor pressure boundary

2.8.1.1.1.5 Reliability of shutdown capability

Cr.12 Suppression of reactor 4.5.2 (scram requirements) power oscillations III Protection and Reactivity Control Systems Cr.29 Protection against anticipated operational occurrences III Protection and Reactivity Control Systems Cr.25 Protection system requirements for reactivity control malfunctions Cr.26 Reactivity control system redundancy and capability Cr.27 Combined reactivity control systems capability 4.3 Reactor coolant circuit II Protection by Multiple Fission Product Barriers Cr.14 Reactor coolant pressure boundary Cr.15 Reactor coolant system design IV Fluid systems, Cr.30 Quality of reactor coolant pressure boundary IV Fluid Systems Cr.30 Quality of reactor coolant pressure boundary Cr.31 Fracture prevention of reactor coolant pressure boundary Cr.32 Inspection of reactor coolant pressure boundary

injection

II.5.2 Reactivity Control

II.3.2 Reactor coolant pressure boundary

307

Continued

308

Table A3-1. Continued IAEA (2000) Inventory of the reactor coolant Cleanup of the reactor coolant Removal of the residual heat from the core Emergency core cooling

Inspection and testing of the emergency core cooling system

Heat transfer to an ultimate heat sink CONTAINMENT SYSTEM

Design of the containment system

Strength of the containment system Capability for containment pressure tests Containment leakage

Containment penetrations

EUR (1995)

GDC – USA (1971)

OPB 88/97 (1997)


NOTES

IV Fluid Systems Cr.33 Reactor coolant makeup IV Fluid Systems Cr.34 Residual heat removal IV Fluid Systems Cr.35 Emergency core cooling

II.5.4 Emergency feedwater and residual heat removal II.5.5 Emergency cooling

IV Fluid Systems Cr.36 Inspection of emergency core cooling system Cr.37 Testing of emergency cooling system IV Fluid Systems Cr.44 Cooling water 4.6 Localizing safety systems II Protection by Multiple Fission Product Barriers Cr.16 Containment design V Reactor Containment Cr.50 Containment design basis V Reactor Containment Cr.53 Provisions for containment testing and inspection V Reactor Containment Cr.51 Fracture prevention of containment pressure boundary V Reactor Containment Cr.53 Provisions for containment testing and inspection V Reactor Containment Cr.52 Capability for containment leakage rate testing V Reactor Containment Cr.54 Piping systems penetrating containment

II.3.3 Containment (double containment, leakage 0.25%/d) In IAEA, severe accidents are dealt with as a consideration. In GDC more detail is included on isolation valve systems.

Cr.55 Reactor coolant pressure boundary penetrating containment Cr.56 Primary containment isolation Cr.57 Closed system isolation valves Containment isolation

II.5.6 Containment auxiliaries

Containment air locks

In IAEA the problem of compartment pressurization is dealt with

Internal structures of the containment Removal of heat from the containment

IV Fluid Systems Cr.38 Containment heat removal Cr.39 Inspection of containment heat removal system Cr.40 Testing of containment heat removal system IV Fluid Systems Cr.41 Containment atmosphere clean up

Control and clean up of the containment atmosphere Covering and coatings INSTRUMENTATION AND CONTROL

General requirements for instrumentation and control systems important to safety

Control Room

Supplementary control room

2.1.6.12 Main and emergency plant control 2.1.6.12 Main and emergency plant control

II Protection by Multiple Fission Product Barriers Cr.13 Instrumentation and control II Protection by Multiple Fission Product Barriers Cr.13 Instrumentation and control III Protection and Reactivity Control Systems Cr.20 Protection system functions Cr.21 Protection system reliability and testability II Protection by Multiple Fission Product Barriers Cr.19 Control room II Protection by Multiple Fission Product Barriers Cr.19 Control room

IAEA also requires consideration of containment cooling for severe accidents also. GDC does not consider this

4.4 Process control

II.5.8 Instrumentation and control

4.4.2 (and following) Control room 4.4.3 Auxiliary control room

II.5.12 Control room

Continued

309

In GDC, this function is required even if accomplished in various locations. In IAEA, a supplementary room is preferentially indicated

310

Table A3-1. Continued GDC – USA IAEA (2000) Use of computer-based systems in systems important to safety Automatic control Functions of the protection system Reliability and testability of the protection system

Use of computer-based systems in protection Separation of protection and control systems

EMERGENCY CONTROL CENTRE EMERGENCY POWER SUPPLY

EUR (1995)

(1971)

OPB 88/97 (1997)


III Protection and Reactivity Control Systems Cr.20 Protection system functions III Protection and Reactivity Control Systems Cr.21 Protection system reliability and testability Cr.22 Protection system independence Cr.23 Protection system failure modes

4.5 Protection safety systems

II.5.9 Reactor instrumentation

III Protection and Reactivity Control Systems Cr.24 Separation of protection and control systems

4.8 Nuclear fuel and radioactive waste storage system

WASTE TREATMENT AND CONTROL SYSTEMS Control of releases of radioactive liquids to the environment

Control of airborne radioactive material

II.5.10 Electric power

II Protection by Multiple Fission Product Barriers Cr.17 Electric power systems Cr.18 Inspection and testing of electric power systems

VI Fuel and Radioactivity Control Cr.60 Control of releases of radioactive materials to the environment Cr.64 Monitoring radioactivity releases

NOTES

Control of releases of gaseous radioactive material to the environment FUEL HANDLING AND STORAGE SYSTEMS

4.8 Nuclear fuel and radioactive waste storage system

Handling and storage of non-irradiated fuel

VI Fuel and Radioactivity Control Cr.62 Prevention of criticality in fuel storage and handling VI Fuel and Radioactivity Control Cr.61 Fuel storage and handling and radioactivity control Cr.63 Monitoring fuel and waste storage

Handling and storage of irradiated fuel

5.4 Operational radiation safety

RADIATION PROTECTION General requirements Design for radiation protection

2.1.6.14 Radiation protection

Means of radiation monitoring

APPENDIX 1 POSTULATED INITIATING EVENTS

TYPES OF PIE

II.5.14 Fuel storage and handling

II.5.15 Radiation monitoring

IAEA mentions the design for radiation protection GDC does not extensively deal with the radiometric surveillance within the plant

2.1.8.3 Table 3 List of Design Basis Conditions (Categories 1, 2, 3, 4) 2.1.8.4 Hazards (internal, external, human) 1.2.16 (need to specify list elsewhere)

311

Internal events Equipment failures Human error Other internal events External events Combination of events Continued

312

Table A3.1. Continued IAEA (2000)

EUR (1995)

APPENDIX II REDUNDANCY, DIVERSITY AND INDEPENDENCE COMMON CAUSE FAILURES REDUNDANCY DIVERSITY INDEPENDENCE (1) Functional isolation

2.1.6.2 Design measures to achieve reliability of functions 2.1.6.2.2 Prevention of common-cause failure 2.1.6.2.1 Redundancy 2.1.6.2.2.1 Diversity 2.1.6.2.2.2 Independence 2.1.6.2.2.3 Functional isolation 2.1.6.2.2.4 Segregation

(2) Physical separation and layout of plant components REFERENCES ANNEX: SAFETY FUNCTIONS FOR BWRs, PWRs AND PRESSURE TUBE REACTORS GLOSSARY

2.1.6.7 Autonomy objectives 2.1.6.7.1 Overview of autonomy requirements 2.1.6.7.2 Autonomy in respect of operators 2.1.6.7.3 Autonomy in respect of heat sink 2.1.6.7.4 Autonomy in respect of power supply systems 1) Electrical power supply 2) Compressed air

GDC – USA (1971)

II Protection by Multiple Fission Product Barriers Cr.11 Reactor inherent protection

OPB 88/97 (1997)


NOTES

3 GOVERNMENT CONTROL OF THE USE OF NUCLEAR ENERGY TO ENSURE NPP SAFETY AND GOVERNMENT REGULATION OF NPP SAFETY

II.3.2 Vessel fluence limit at 1019 n/cm2 for amortization period of the plant

In GDC the requirement of the negative power coefficient is included

2.1.7 SITE CONDITIONS 2.1.7.1 Factors affecting choice of site 2.1.7.2 Hazards 2.1.7.3 Surrounding population 2.1.7.4 Reliability of services 2.1.10 Appendix B Verification process of the EUR environmental impact targets

II Protection by Multiple Fission Product Barriers Cr.17 Electric power systems

4.1.7 Preference for passive systems and natural principles

III Protection and Reactivity Control Systems Cr.28 Reactivity limits

4.1.11 Reset of safety systems possible only by step-by-step actions 4.2.4 Prevention of secondary critical masses in case of core melt 5.2 Pre-operational tests

IV Fluid Systems Cr.41 Containment atmosphere clean-up IV Fluid Systems Cr.43 Testing of containment atmosphere clean-up systems IV Fluid systems Cr.45 Inspection of cooling water system IV Fluid systems Cr.46 Testing of cooling water system

In GDC, the requirement of the double external line is included. EUR includes, differently from other compilations, the generic conditions for the choice of the site GDC explicitly considers control rod expulsion

5.3 Selection and training of operations personnel 5.5 Set of planned measures aimed at the protection of personnel and the public in the event of accidents and during accident management

313


Appendix 4 Dose calculations

A4-1. Introduction

A4-2-2. Source term at three days (I, Cs, Xe)

This appendix gives some examples of dose calculations which have been used during discussions on conceptual designs of various plants. The dose calculations are of a simple type, suitable for indicative evaluations. More elaborate calculations are usually performed in the final phases of the safety analysis, when systems and components purchase specifications have already been defined.

A4-2. Virtual population dose in a severe accident The following sections describe the virtual population dose for a future reactor (an order of magnitude evaluation in the short term, at three days, and in the long term, several years).

A4-2-1. The reactor and the released isotopes The example is a passive type boiling water reactor of 600 MWe, provided with a double containment and a stack. The quantities of isotopes chosen as guide isotopes in the core (1800 MWt) are, at equilibrium: 131

I Cs 133 Xe 85 Kr 137

1.85 1018 Bq 148 1015 Bq 3.7 1018 Bq 12.95 1015 Bq

The leakage rate assumed for the primary containment (taken into account the probability of leakage rates higher than the specified ones and possible damages to penetrations for severe accidents): 5–10% per diem. The leakage rate assumed for the secondary containment room (systems, collection room or building): 1–10% per diem. (For this assumption to be valid extremely unlikely sequences are excluded, such as the rupture of a steam line with degraded core and valve leak proofing degraded.) The effective release height (e.g. passive routing of the leaks to a stack, collection of leaks in a leakproof room connected with the stack, leaks routed to a chimney through filters, etc.): 80 m. Iodine and caesium equivalent ground releases: n% of the core inventory , wxyz

ðA4:1Þ

where, n ¼ 20, w ¼ 10 for plateout and washout, x takes a value in the range 3–6 for leaks from primary containment in three days, y takes a value in the range 3–30 for leaks from the secondary containment in three days), and z ¼ 10 (a factor for elevated release). The iodine and caesium equivalent ground release range ¼

0:2 core inventory 10 6 30 10

to

¼

0:2 core inventory : 10 3 3 10

So for 131I, the range is (1.1 10 5)(1.85 1018) to (2.2 10 4)(1.85 1018) ¼ 20.35 1012–40.7 1013 Bq. (A realistic reference value ¼ 20.35 1012 Bq.)

315

316

Nuclear Safety

And for 137Cs, the range is ¼ 16.281011–32.56 10 Bq. (A realistic reference value ¼ 18.5 1011 Bq.) For 133Xe, the equivalent ground release range (Equation A4.1), calculated with n ¼ 80, w ¼ 0, x ¼ 3–6, y ¼ 3–30 and z ¼ 5, is 3.29 1015–6.58 1016 Bq. (A realistic reference value ¼ 1.85 1016 Bq.) 12

A4-2-3. Dose at the fence after three days of exposure 131

I (effective dose for adults by inhalation) ¼ ð=QÞ dbf grr, where (s m 3) is the cloud concentration at 1 km, Q (Bq) is the activity release, dbf (the dose biological factor) ¼ 10 and grr (the ground release range) ¼ (20.35 1012)–(40.7 1013) Bq. Assuming /Q at 1 km distance is 1 10 4, then the effective iodine-131 dose for adults by inhalation is 5–100 mSv. (A realistic value is 10 mSv.) 133 Xe (effective dose by cloud irradiation) ¼ ð=QÞð1=dcfÞ grr, where dcf (dose conversion factor (see Chapter 7) ¼ 300 and grr ¼ (3.29 1015)– (6.58 1016) Bq. Assuming /Q is 1 10 4, then the effective xenon-133 dose by cloud irradiation is 0.3–10 mSv. Calculations for all the noble gases give a dose at the fence after three days of 5–120 mSv (about 10 times the value for 133Xe). An effective realistic value is 30 mSv.

A4-2-4. Ground shine long-term dose The integrated dose due to ground shine with absorption in the soil, corresponding to a ground initial concentration of 1 Bq cm 2 of caesium-137 (a contribution by other nuclides exists but is not evaluated here): First year: Second year: 0–50 years:

120 mSv 80 mSv 1.6 mSv

The initial concentration of caesium-137 corresponding to a realistic release of 1.85 1012 Bq is given by: (1.85 1012) [Bq released] 1 10 4 [ð=QÞ, Bq s m 3 at 1 km] (1 10 2)[m s 1: deposition velocity] ¼ 2 106 Bq m 2.

Therefore the ground shine dose from caesium137 is: First year: Second year: 0–50 years: (After 5 years

20 mSv 15 mSv 300 mSv this dose is 80 mSv.)

A4-3. Explorative evaluation of the radiological consequences of a mechanical impact on a surface storage facility for category 2 waste A4-3-1. Type of repository It is assumed that the disposal structure is similar to the French one at L’Aube or to the Spanish one in El Cabril. The waste is assumed to comply with the ANPA Technical Guide No. 26 (ANPA, 1985) and is, therefore, conditioned in a concrete matrix with compression strength of at least 500 000 kg m 2.

A4-3-2. Reference impact It is assumed that the reference impact produces, on clear ground, a conical crater having an angle of 90 and a depth of 4 m. Moreover, it is assumed that the cause of the impact is undefined, possibly to be identified with a plane crash, a launched projectile or a blast from an internal or external explosive charge. The 4 m deep crater has been chosen because it can be related to an explosive projectile of medium size (see a discussion at the Hanover Congress on the nuclear underground sites (BENDER, 1982)). The volume of material expelled from the crater would then be about 70 m3 corresponding to about 140 t. These values can be compared with the effects of mining explosives. The amount of rock (hard limestone rock) demolished in an open air mine is of the order of 7–10 t per kilogram explosive (Colombo, 1997). The rock in our example corresponds (in ideal conditions) to about 20 kg of explosive, an amount considered to be modest. The effect of an airplane crash, then, may cause, according to the usual assumptions, an impact load of about 10 000 t on a surface area of 7 m2, corresponding to about 150 kg cm 2. This load might cause the fall and the

317


fragmentation of a column of structure, assumed to be 10–15 m high with a volume of about 70 m3 (see Figure A4-1).

A4-3-3. Fragmentation and dispersion of material It is assumed that the material is fragmented into blocks 0.2–0.3 m in diameter and that a layer 1–3 mm thick of each block is pulverized into fragments ranging between 1 mm and 1–3 mm, with a uniform distribution between the two extremes (see Table A4-1). If an intermediate case is chosen (e.g. a volume equal to 2.5 m3), a weight of finely fractured material of 5 t is obtained, corresponding to a fraction of about 3 per cent of the total. This percentage agrees with the values estimated, for example, for the Chernobyl accident (Vargo, 2000). It is possible to make an assumption, also on the basis of accident data, that the coarser part of the powder produced (from 10 mm to 1 mm), with an overall weight approximately equal to the total one (99 per cent), is deposited over a radius of a few kilometres (2 km are assumed) from the release

10 m

point, with an average concentration: c¼

5000 ¼ 4 10 20002

4

kg=m2

ðA4:2Þ

This evaluation is not conservative since the effect of wind is completely disregarded. This effect causes the angular distribution of the particulate to be nonuniform. An estimate of the concentration of the deposited radioactivity can be made with the following assumptions:

The complex of released radioisotopes is equivalent to an amount of 137Cs. The equivalent value of 137Cs is equal to the value indicated in ANPA Technical Guide No. 26 (1985) as the limit for conditioned category 2, waste (3700 MBq kg 1).

The total radioactivity in the released particulate is, then: R ¼ 5 000 000 3:7 10

6

¼ 20 TBq:

ðA4:3Þ

With this assumption, the concentration on the soil is: C ¼ 0:4 3:7 106 ¼ 1500 kBq m 2 :

ðA4:4Þ

The finest particles (1–10 mm), with an overall weight of about 50 kg and a total radioactivity of 0.2 TBq, can be assumed to be dispersed by diffusion and deposition (Pasquill model). Assuming a stability condition F with wind velocity of 2 m s 1 and a deposition velocity of 10 2 m s 1, the approximate soil concentrations shown in Table A4-2 are obtained. Indeed, the concentration, C, for example at 1 km, is given by: C¼

Q vd Q

¼ 2 10

4

0:2 109 0:01 ¼ 400 kBq m

ðA4:5Þ

Figure A4-1. Fragmentation due to impact. Table A4-1. Fragmentation of material Average dimension of blocks (m) 0.33 0.20

2

Table A4-2. Soil concentrations

Layer volume 1 mm (m3)

Layer volume 3 mm (m3)

1.2 2.1

3.6 6.3

Distance (km) 2 10

Soil concentration (kBq m 2) 100 4

318

Nuclear Safety

and decreases roughly with the 1.5–2 power of the ratio of distances for higher distances (concentrations of 100 and 4 kBq m 2 at 2 and 10 km, respectively, result). The levels of soil contamination calculated may be compared with the caesium-137 contamination in a generic European country after Chernobyl, equal on the average to 10–20 kBq m 2 with peaks up to 100–200 kBq m 2 (Vargo, 2000).

Alternative source term A different approach to the previously considered accident can be pursued, along the following lines:

To assume an applied force of 5000 t for the reference aircraft impact, (as adopted in Italy for power plants), instead of the 10 000 t adopted in the previous evaluation. To allow for the dynamic character of the load applied by the impacting aircraft on the concrete. This would imply an increment in the limit load as allowed by the applicable regulations (e.g. American Concrete Institute ACI 349, (ACI, 2001)). To evaluate the depth of the fractured material as a consequence of the impact by the penetration formulae adopted for nuclear plant evaluations, such as the formula 17.2 in Chapter 17. To add to the aircraft impact a fire of the transported fuel. This could influence the dispersion of the released particulate. In particular, the coarse fraction could be transported and deposited further than the assumed 2 km.

Taking into account the previous assumptions, the volume of fractured material would result in the order of 12 m3 instead of the 70 m3 assumed above. The coarse fraction of the release could be of the order of 860 kg instead of 5 t while the fine fraction would turn out to be equal to 8.6 kg (instead of 50 kg). The uncertainty in the evaluation of the effect of the fire is rather high. Some indications could be obtained from the observation of the behaviour of the Chernobyl release (Vargo, 2000). There, the large (>20 mm) particles were deposited within a radius of 5 km from the plant. With these assumptions, the following distribution of released material is obtained:

Coarse fraction (>20 mm: weight ¼ 860 kg.

Ground concentration ¼ 1.1 10 sponding to 41 kBq m 2. Fine fraction: weight ¼ 17.2 kg.

5

kg/m 2, corre-

This would be dispersed under the influence of the buoyancy effect of the fire. In the case of Chernobyl, the thermal elevation of the plume caused by the fire was of the order of 1000 m (Vargo, 2000) and this figure can be assumed to be valid also for this example. In order to get an idea of the characteristics of a (presumed) fire in a reference plane crash, it is assumed that the full fuel load charge of the aircraft is equal to 10 m3, corresponding roughly to 7 t. This amount of fuel, with a conservative assumption, can be considered to form a square pool with 10 m long sides. The burning velocity of a pool of kerosene of this size is roughly 170 kg m 2 hr 1 (Lees, 1996, Additional References 587). The fuel would be completely burnt in about 25 min. The flame height would be equal to about twice its width, namely 20 m. The usual thermal-elevation formulae can be used to perform a further evaluation of the height to which the radioactive release will be brought by the flame. The Stu¨mke formula (see Equation 6.7) can be used to indicate a plume rise of more than 1000 m. The uncertainty of this evaluation is, however, high since both the wind velocity field and the atmospheric turbulence have a strong influence on the phenomenon. It has to be noted that the presence of a fuel fire should not significantly increase the amount of radioactive particulate released. Indeed, the duration of the fire is short and the radioactive waste packaging is made of ‘fire resistant’ and ‘non-flame propagating’ materials (ANPA, 1985).

A4-3-4. Doses On the assumption that in the vicinity of the plant there is no intake of caesium through the food chain, the doses to the population can be caused by ground shine (on the assumption the population have not been evacuated). The doses at 1 year and at 50 years can be calculated on the basis of the factors shown in Table A4-3, corresponding to a contamination of 1 kBq m 2 (Ferreli and Bologna, 1991).


Table A4-3. Dose factors Time after accident (years)

Effective dose (mSv)

1 50

0.012 0.16

Table A4-4. Doses Time after the accident (years) 1 50

Effective dose (mSv) 18 (5) 240 (65)

The inhalation dose gives a negligible contribution. Therefore, within a radius of 1 km from the site, multiplying the values in Table A4-3 by 1500 or 400, the doses shown in Table A4-4 are obtained. At 10 km from the plant, with the above evaluated contamination figures, about 0.05 mSv and 0.65 mSv can be obtained at 1 and at 50 years, respectively.

A4-3-5. Conclusions Although these evaluations are inevitably subjective and need further reflection, the consideration of a severe impact accident seems opportune, taking into account the long life of a repository (centuries). Technical solutions incorporating a special technological protection from the aircraft crash and from explosive events or solutions in which the disposal structure is located at a depth in the ground of at least 20 m should be considered among the alternatives to be examined. The sub-surface solution would offer better protection during the phases of construction and of filling up of the repository.

A4-4. Explorative evaluation of the radiological consequences of a mechanical impact on a transport/storage cask containing spent fuel

319

the fall, punching and submersion. Moreover the cask will be designed to protect it from aircraft impact and consequent fire. The cask considered has two independent leak-proof lids, each one equipped with metallic seals. It is assumed that the cask contains 50 fuel elements of the type used at the Caorso plant and that the maximum temperature of the cladding is 200 C. The interior of the cask is normally kept at negative pressure and in an inert atmosphere.

A4-4-2. Reference impact It is assumed that the cause of the impact is undefined, possibly to be identified but assumed to be due to a plane crash, the launch of a projectile or the blast of an internal or external explosive charge. The effect of a plane crash may cause, according to the usual assumptions, a load of about 10 000 t on a surface area of 7 m2, corresponding to about 1.43 106 kg m2. Notwithstanding the strength characteristics of the cask and its leak-proof seals against impact and other conceivable external loads, it is assumed that in the accident considered, both seals are damaged, allowing a certain communication between its internal and the outside atmosphere and a gas flow dependent on the pressure difference between the inside and outside. Immediately after the deterioration of the seals, the external air will flow into the cask because of the internal under-pressure. Subsequently, as a consequence of the lowering of external atmospheric pressure, part of the gas contained inside the cask might escape to the outside. If it is assumed that the variation of the atmospheric pressure in one day is 1000 Pa (normal variation), the percentage of the internal atmosphere escaped to the outside will be in the same period of time 10/1000 ¼ 1%. It is assumed here that after one day, steps have been taken to stop the release.

A4-4-1. Characteristics of the cask

A4-4-3. Amount of significant fission products in the internal atmosphere of the cask and external release in one day

The cask complies with the international requirements for fuel transportation and therefore it resists

Only caesium-137 and krypton-85 are considered significant. Indeed, the other isotopes (such as xenon

320

Nuclear Safety

and iodine) normally considered in explorative evaluations like this one are either completely decayed 15 years after the removal of the fuel from the reactor, or are not volatile enough to be released at relatively low temperature and through narrow and tortuous leak paths (e.g. imperfections in the metallic seals). In the first place it can be assumed that the amount of the fission products in the gap between the fuel and the cladding is the same as that which was there when the fuel was discharged from the reactor, except for the effects of radioactive decay. Indeed, the phenomenon of diffusion from the fuel to the gap is governed by a diffusion coefficient, 0 , which depends on the temperature (in kelvin) DCs according to an Arrhenius type law (ANS, 1984): D0Cs ¼ 1:22eð

72300=RTÞ

100ðBu=28000Þ

ðA4:6Þ

where R is the gas constant ¼ 1.987 cal mol 1 K 1(8.3143 J mol 1 K 1), T is the temperature (K) and Bu is the fuel burn-up (MWD t 1). The ratio between the diffusion coefficient at the average operating temperature of the fuel (roughly 1300K) and at the fuel temperature after shutdown and during the storage (some hundreds of kelvin, typically 500K) is practically infinite. The inventory of radioactive isotopes in the gap is, then, practically equal to that at the discharge from the reactor. Therefore, for the Caorso reactor (860 MWe) and on the basis of the data on the content of fission products in a 1000 MWe reactor, the following evaluation can be made: In all the fuel (560 elements), after 15 years decay: 85

7

Kr: 5:6 10

860 1000 2ð15=10:82Þ

¼ 17 585 000 Ci ð650 600 TBqÞ

137

Cs: 4:7 106

860 1000 2ð15=30:13Þ

¼ 2 924 533 Ci ð108 208 TBqÞ

In the gap of 50 elements, assumed equal to1 per cent of the gap itself: 85

Kr:

17 585 000 50 ¼ 15 700 Ci ð580 TBqÞ 100 560

137

Cs:

2 924 553 50 ¼ 2611 Ci ð97 TBqÞ 100 560

Assuming, moreover, that five fuel elements leak as a result of the event, corresponding to 10 per cent of the total (therefore, equal to ten times the percentage of fissured rods normally assumed in safety analyses for the normal operation of a reactor), then values available for release are obtained that are equal to one tenth of those indicated above. The external release in one day will be, for the considerations made above on the consequence of the variation of the atmospheric pressure, equal to one hundredth of the available activity values: 85

Kr: 0.6 TBq Cs: 0.1 TBq

137

The release is assumed to be at ground level in cases where no accompanying fuel failure is postulated and at hundreds of metres high in the case where a fire is occurs. A fire of short duration (less than one hour), such as one resulting from a plane crash or a manually extinguished fire could have a limited influence on the amount of the release since the thermal time constant of the cask wall (more than 0.3 m of steel or cast iron) should be higher than the fire duration. In these conditions, the increase in the internal cask pressure caused by the fire could be high enough to change the amount (but not the order of magnitude) of the previously described release assumptions. A simple thermal analysis shows that a conservative estimate of the internal pressure increase caused by the fire in half an hour could be of the order of 3000 Pa (namely a factor of three over the above described assumptions). In conclusion, the release in a fire could be of the order of three times the one assumed above, in a time frame of less than one hour. The two releases should not be combined.

A4-4-4. Effective committed doses Caesium doses The cloud resulting from the release can be considered dispersed by diffusion and deposition (Pasquill model). If a stability condition, F, is assumed with a 2 m s 1 wind velocity and a deposition velocity of 0.01 m s 1, the ground concentrations shown in Table A4-5 (roughly) result.

321


Table A4-5. Ground concentrations Distance (km) 1 2 10

Table A4-8. Doses at 2 km

Soil concentrations (kBq m 2)

1 50

200 50 2

1 50

Effective dose (mSv) 0.012 0.16

Table A4-7. Doses at 1 km Time after the accident (years) 1 50

Effective dose (mSv) 0.6 8

Table A4-9. Doses at 10 km

Table A4-6. Unit doses Time after the accident (years)

Time after the accident (years)

Effective dose (mSv) 2.5 30

The ground concentration (e.g. at 1 km) is C ¼ 2 10 4 0.1 109 0.01 ¼ 200 kBQ m 2 (see Equation A4.5) and roughly decreases with the 1.5–2 power of the ratio of distances (resulting in concentrations of 50 kBq m 2 and 2 kBq m 2 at 2 km and 10 km, respectively. The levels of ground contamination calculated above, can be compared with the contamination levels in a generic European country after Chernobyl, on the average equal to 10–20 kBq m 2 with peaks of 100–200 kBq m 2 (Vargo, 2000). On the assumption that the food chain is controlled after the accident and so the caesium intake is zero, the doses to the population can be due only to ground shine (if the population has not been evacuated). The doses at one year and at 50 years can be calculated on the basis of the factors shown in Table A4-6 corresponding to a contamination of 1 kBq m 2 (Vargo, 2000). The inhalation dose gives a negligible contribution. Therefore, within a radius of 1 km from the site, multiplying the figures of the preceding table by 200, the results shown in Table A4-7 are obtained.

Time after the accident (years) 1 50

Effective dose (mSv) 0.025 0.3

At 2 km from the site, the doses are given by Table A4-8. At 10 km, the doses are given in Table A4-9.

Krypton-85 effective doses The krypton-85 doses are due to immersion in a finite dimension cloud. For a diffusion category F and at a distance of 1 km, the conversion coefficient between the effective dose and cloud concentration (Vargo, 2000) is 3.6 10 5 rem per Ci s m 3 (2.7 10 13 Sv per Bq s m 3). Therefore, for a cloud concentration of 2 10 4 0.6 TBq s m 3, the following effective dose results: 1 10 9 Sv, that is practically zero.

A4-4-5. Conclusions The preceding evaluations, despite the high level of protection already incorporated in the casks, support the need for technological solutions which offer special protection against aircraft crash and against explosive events or solutions such as where the storage structure is located at least 20 m below ground level.

References ACI (2001) Code Requirements for Nuclear Safety Related Concrete Structures and Commentary, ACI 349, American Concrete Institute, USA.

322

Nuclear Safety

ANPA (1985) ‘Gestione dei rifiuti radioattivi’, Guida Tecnica 26. ANS (1984) ‘Report of the special committee on source terms’, American Nuclear Society, September. Colombo, G. (1997) ‘Manuale dell’Ingegnere, Nuovo Colombo’, L-37 (83a), Ulrico Hoepli Editore, Milano.

Ferreli, A. and Bologna, L. (1991) ‘Reattori nucleari: Termine di sorgente e piani di emergenza’, Commissione Tecnica. Vargo, G.J. (2000) The Chernobyl Accident: A Comprehensive Risk Assessment. Columbus: Battelle Press. Bender F., Herausgegeber (1982) ‘Underground siting of nuclear power plants’, Hanover Symposium, Stuttgart.

Appendix 5 Simplified thermal analysis of an insufficiently refrigerated core

A5-1. Analysis of the core without refrigeration The simple spreadsheet macro dryco.xls (available on the companion website) calculates the distribution of temperatures in a core (in downloadable file DRYCORE) without any refrigeration except for the radiation heat transfer towards the vessel and towards the surrounding concrete cavity. The calculation is a simplified one and is based on that used for the Rasmussen Report (Rasmussen, 1978). As explained at the beginning of Appendix 2, some of the units are not in the S.I. System, for historical reasons. The core is subdivided into ten circular rings, as illustrated in Figure A5-1. The input data are the temperature at the centre of the core, the total decay heat, and the dimensions of the core, the vessel and the external cavity. It is assumed that heat transfer occurs only in the radial direction. In reality, 10–12 per cent of the heat is dissipated axially (Rasmussen, 1978). The core power peaking factor (radial) is assumed to be 1.5, with a linear distribution as a function of the radius. In normal operation, however, an axial peaking factor of 1.4–1.5 should also be taken into account. The emissivity of the surfaces is set to 0.7. The dimensions of the rods (radius 0.535 cm) and the distance between a ring and the subsequent one (0.357 cm) corresponds to the dimensions in a water reactor.

For the heat transfer from a layer at temperature T1 to the subsequent one at temperature T2, the principal formula used (Rasmussen, 1978) is: Q ¼ 1:35 10

7

½ðT1 =100Þ

FA

4

ðT2 =100Þ4 Cal s 1 ,

ðA5:1Þ

where F, the radiation coefficient ¼ 1=ðð1="r Þþ ð1="o 1ÞÞ¼ 0.54, ("r is the emissivity of the radiating surface and "o is the emissivity of the irradiated surface), and A is the area of the radiating surface (m2). A typical problem solved by the spreadsheet macro is the following one: Given the temperature at the core centre and the decay power, not including the dimensions of the various parts, the concrete temperature necessary to dissipate the heat produced has to be calculated. The problem, once the input data are added to the spreadsheet, is easily solved by subsequent iterations given the rapidity of the calculation. The formulae for calculating the decay heat are also given as a function of the time elapsed since the shutdown and the operating power. Input data H, the height of the core ¼ 353 cm Qtot, the total core decay thermal power at time t ¼ 544 Cal s 1 qm, the average thermal power for unit volume of core ¼ Cal s 1 cm 3 R, the core external radius ¼ 152 cm Rev, the vessel external radius ¼ 200 cm To, the core centre temperature ¼ 2047.15 K 323

324

Nuclear Safety

Region n = 10 Region 1

Vessel

Concrete cavity

Figure A5-1. Core regions.

Output data Tcls, the reactor cavity concrete temperature ¼ 133.97893 K Tv, the vessel temperature ¼ 1142.46 K Note on this sample calculation: 0K for 1800 MWt, 150 days decay and central temperature equal to about 2050K (zircaloy melting point). (1) Kqd, the decay power coefficient ¼ 1.05 Qde1, the decay power at time t ¼ 543.76 866 Cal s 1 P, the operating power ¼ 1800 MWt t ¼ 12 9600 00 s (2) Qde2/P, the ratio between decay and operating power (10–150 s after shutdown) ¼ 0.0 039 523 (or 1700.3099 Cal s 1) (3) Qde3/P, the ratio between decay and operating power (150–4 106 s after shutdown) (equivalent to Qde1 for Kqd ¼ 1.05) ¼ 0.001 262 The decay power at a certain time and for a certain operating power are depicted by list items 1, 2 and 3.

Item 1 gives the decay power as a function of the time in seconds after the shutdown and the operating power (both to be inserted as inputs to the spreadsheet). The formula also requires a coefficient, Kqd, which represents a multiplication factor for the decay power and which takes the value 1.05 for the decay heat according to the ANS formula (ANS, 1971). Some think that the ANS formula is too conservative, so here is a way to change the decay power by a Kqd factor chosen by the user. For example, many experts think that the power (ANS 5%) is more representative of the real situation. This corresponds to a Kqd value of 1. The formula is valid in the range 150 < t < 4 106 s. Item 2 gives the ratio between decay power and operating power for 10 < t < 150 s, according to the ANS formula. Item 3 is equivalent to item 1 with Kqd ¼ 1.05 (ANS) with the only difference being that it gives the ratio between the powers, as does item 2, but for the long term.

Appendix 5 Simplified thermal analysis of an insufficiently refrigerated core

325

Table A5-1. Spreadsheet for calculations Qtot[Cal s 1] H [cm] Fuel ring number, n (106 rings in total)

16 26 36 46 56 66 76 86 96 106

544 353 Radius corresponding to n, x (cm)

qm[Cal s 1cm 3] ¼ R[cm] ¼ Lateral area in x, A (cm2)

2.123 10 5 152 Thermal power produced within radius x, Qx (Cal s 1)

To[K] ¼ Rev[cm] ¼ Temperature in x, Tn (K )

23.367 37.637 51.907 66.177 80.447 94.717 108.987 123.257 137.527 151.797

53744.1 86565.1 119386.1 152207.1 185028.1 217849.1 250670.1 283491.1 316312.1 349133.1

18.737769 47.745591 89.16686 142.25443 206.26115 280.43987 364.04346 456.32475 55.5366 663.93187

2047.15 2032.8911 2009.7015 1976.9607 1933.5523 1877.6273 1806.1204 1713.6724 1589.8208 1409.3021

The example shows the case of a 1800 MWt core after 150 days of decay, with the central temperature equal to about the melting point of zircalloy (about 1800 C (2100 K)). It can be seen that the concrete temperature necessary to remove the heat is about 130 K, which is within an acceptable range (a more precise input decay power, 543.7688 817 Cal/s instead of 544 Cal/s, would have given 297 K). The same spreadsheet can be used to show that the central region formed by four fuel elements, even after only 30 days of decay, could save its integrity (temperature lower than 1500 K) if exposed to an environment kept at some hundreds degrees kelvin.

A5-2. Other formulae and useful data for the indicative study of the cooling of a core after an accident The data listed here are those given in Rasmussen (1978). In the case where the core is totally submerged by water, in a boiling regime, the heat transfer coefficient, hB, can be assumed to be equal to 1600 Cal m 2hr K. On the other hand, when the core is partially submerged, then it will be necessary to determine the level of the water–steam mixture: above this

2047,15 200

level the heat transfer will take place towards the steam, below this level it will be towards the mixture. The heat transfer coefficient towards steam can be assumed equal to the one given by the Dittus-Boelter formula: h¼

3:026x10 3 Cp G0:8 Wm 2 K 1 , D0:2

ðA5:1Þ

where Cp is the specific heat of the steam (Jkg 1 K 1), G is the steam flow rate (kgs 1m 2) and D is the equivalent diameter of the channel (m). The calculation of the mixture level is made by trial and error using Equations A5.2 and A5.3: M ¼ Atot Y L 1

T kg, 2

ðA5:2Þ

where M is the weight of water in the core (kg), Atot is the total vessel cross-section occupied by the mixture (m2), Y is the level of the mixture above the vessel bottom (m), T is the void fraction at the top of the mixture (it is assumed that the void fraction varies linearly with height) and L is the liquid density (kg m 3). QDK ¼ sUT T Atot hfg W,

ðA5:3Þ

where QDK is the total decay power in the zone covered by the mixture (W), S is the steam density (kg m 3), UT is the steam separation velocity at the top of the mixture (ms 1) and hfg is the evaporation enthalpy (J/kg).

326

Nuclear Safety

A constant value of 1.4 ms 1 for UT can be assumed, but it can be calculated by the Wilson correlation (Equation A5.4): 0:244 ðT Þ1:283 ms 1 , UT ¼ 1:05 ð58:76DÞ

ðA5:4Þ

where D is the hydraulic diameter (m) of the fuel element channel (or ‘box’) or the fuel rod. A typical reflood velocity of the core after uncovering is 5 10 3 m s 1. The thermal constant of the fuel rod is equal to about 1 minute.

The overall thermal capacity of a core for a pressurized reactor of 900 MWe is equal to about 3.35 106 J K 1 (8000 Cal C 1).

References ANS (1971) ‘Decay energy release rates following shutdown of uranium fuelled thermal reactors’, Subcommittee ANS-5, American Nuclear Society Standards Committee, October. Rasmussen (1978) ‘Thermal Analyses’, The Rasmussen Report, WASH-1400, v.VIII, App.A.

Appendix 6 Extracts from EUR criteria (December 2004)

Some pages of the EUR criteria relevant to nuclear safety are reproduced in this appendix (courtesy of the European Utility Requirements Group through its member SOGIN, Italy). The order in which paragraphs are shown has been adjusted to fit into the present context. Most notes are not included. The whole document can be consulted on the EUR website at www.europeanutilityrequirements.org although some areas require access permission. The EUR criteria numbering system has been kept together with the cross-references within the criteria.

Category 2

2-1-8-3. List of design basis conditions

PWR Category 1 Steady-state and start-up conditions and shutdowns

power operation start-up hot standby hot shutdown cold shutdown refuelling shutdown operation with an inactive loop, if applicable

Anticipated operating transients:

temperature increase and decrease at a maximum rate of 55 C per hour step load increase and decrease (10% load) load increase and decrease at a rate of 5% rated load/minute (between 15 and 100% full power) switch-over to hassled operation from full power with steam dump limiting conditions allowed by the technical specifications

inadvertent withdrawal of RCCA bank with reactor subcritical inadvertent withdrawal of RCCA bank with reactor power misalignment of control rod assembly or bank drop inadvertent boric acid dilution, partial loss of core coolant flow inadvertent closure of main steam isolation valve total loss of load and/or turbine trip loss of main feedwater flow to steam generators malfunction of steam generator main feedwater system total loss of off-site power ( 10

3

Accidents (low frequency)

10

2

> f > 10

4

4

Accidents (very low frequency)

10

4

> f > 10

6

2

Plant parameters

Radioactive releases

Process parameters within normal operation range of technical specifications Process parameters within applicable acceptance criteria Plant limits for Category 3 (1) Limited fuel damage Shutdown for inspection may be necessary Acceptance criteria for Category 4 (1) Core coolable geometry retained Plant restart may be impossible

Table 1

Table 1

Appendix B (2)

Appendix B (2)

329


(1) See Chapter 2.4, Section 2-4-5-9-2-1 for safety category 1 mechanical equipment, Table 5 for fuel and Chapter 2-9, Sections 2-9-3-1-4-5-3 and 2-9-3-1-4-5-4 for Primary Containment (2) See Appendix B for release assessment methodology and release targets NB: This summary table must be read in conjunction with the more detailed requirements in Section 2-1-3.

2-1-B-1. Criteria for limited impact for DEC The criteria for limited impact is set as acceptance criteria for a number of DEC and for probabilistic safety assessment studies. The following sections define the methodology to assess the acceptability of the releases from a specific design versus the criteria for limited impact. Four different design targets are identified in Chapter 2-1 Section 2-1-2-5: (1) (2) (3) (4)

No Emergency Protection Action beyond 800 m No Delayed Action beyond 3 km No Long-term Action beyond 800 m Limited economic impact

Each of the Targets 1–3 shall be verified independently according to the following methodology:

The releases from the plant to the atmosphere are broken down into the nine reference isotope groups. These releases are combined and compared with one criterion according to the linear combination formula:

In the case that the primary containment is kept pressurised well beyond 7 days, but the primary containment has nevertheless reached a relatively low pressure, the calculation of the releases may be stopped at 7 days. Releases shall be calculated by the designer for the reference source term, as required in Appendix A to Chapter 2.1, and for the PSA release categories, as required in Chapter 2-17. Timing and quantities of the releases of the nine reference isotopes listed below as representative of their group shall be derived. The coefficients have been determined on the assumption that other isotopes in the same group will be released with the same release fraction and that the core inventories are typical of a PWR with a fuel cycle of about 18 to 24 months. Isotopes in the nine groups have been considered according to generally accepted criteria. Coefficients for elevated releases have been determined with reference to releases occurring from a stack of about 100 m height. Higher stacks will reduce the effects at short distances and, therefore, the result will be conservative for the ranges under consideration. If a lower stack is provided, special considerations shall be agreed upon with the utilities. The coefficients for ground level releases shall be applied to releases from a height less than 100 m.

2-1-B 1-1. Table B1: Criteria for limited impact for no emergency action beyond 800 m from the reactor

1, 9 Rig Cig þ 1, 9 Rie Cie < criterion, where Rig and Rie are the total releases (at ground and elevated level, respectively) of the nine reference isotopes during the related release period from the containment system, and Cig and Cie are the coefficients given in Tables B1 to B3, related to environment effects of unitary releases. For the fourth Target, only three reference isotopes are given. Each shall be considered as an independent criterion.

Isotope group 133

Xe I 137 Cs 131m Te 90 Sr 103 Ru 140 La 141 Ce 140 Ba 131

Coefficients for ground level releases, Cig 6.5 10 5.0 10 1.2 10 1.6 10 2.7 10 1.8 10 8.1 10 1.2 10 6.2 10

8 5 4 4 4 4 4 3 6

Coefficients for elevated releases, Cie 1.1 10 3.1 10 5.4 10 7.6 10 1.2 10 8.1 10 3.7 10 5.6 10 3.1 10

8 6 6 6 5 6 5 5 7

330

Nuclear Safety

The acceptance criterion is that: 1, 9 Rig Cig þ 1, 9 Rie Cie < 5 10

2

2-1B 1-4. Table B4: Criteria for limited impact for economic impact ðreleases in TBqÞ: Isotope

2-1B 1-2. Table B2: Criteria for limited impact for no delayed action beyond 3 km from the reactor

Isotope group 133

Xe I 137 Cs 131m Te 90 Sr 103 Ru 140 La 141 Ce 140 Ba 131

I 137 Cs 90 Sr

Coefficients elevated releases, Cie

2-1 B2 Release targets for design basis category 3 and 4 conditions

0 1.2 10 5.6 10 3.8 10 9.9 10 1.3 10 2.9 10 4.5 10 1.5 10

0 3.5 10 8.9 10 7.0 10 3.2 10 2.2 10 4.8 10 8.1 10 2.5 10

In the cases of design basis category 3 and 4 conditions, the same general approach as for DEC shall be used to prove that the design complies with the following design targets:

6 6 6 7 6 6 6 6

7 7 7 7 7 7 7 7

1, 9 Rig Cig þ 1, 9 Rie Cie < 3 10 2 :

(1) No action beyond 800 m (2) Limited economic impact The first target shall be verified according to a combination methodology similar to the one developed for the first three criteria for limited impact:

2-1B 1-3. Table B3: Criteria for limited impact for no long-term actions beyond 800 m from the reactor

Isotope group Xe 131 I 137 Cs 131m Te 90 Sr 103 Ru 140 La 141 Ce 140 Ba

4000 30 400

Coefficients for ground level releases, Cig

The acceptance criterion is that:

133

Target (TBq)

131

Coefficients for ground level releases, Cig

Coefficients for elevated releases, Cie

0 1.2 10 6.5 10 2.6 10 1.4 10 2.3 10 7.9 10 7.6 10 1.1 10

0 7.8 10 3.4 10 1.3 10 7.2 10 1.2 10 4.1 10 4.0 10 5.9 10

5 5 5 5 5 5 5 5

7 5 6 7 7 6 6 7

The acceptance criterion is that: 1, 9 Rig Cig þ 1, 9 Rie Cie < 1 10

1

ðreleases in TBqÞ:

The releases from the plant are broken into the three reference isotope groups These releases are combined and compared with one criterion.

The combination shall be made according to the following linear combination formula: 1, 3 Rig Cig þ 1, 3 Rie Cie < criterion, where Rig and Rie are the total releases (at ground and elevated level, respectively) of the three reference isotopes during the entire release period from the containment system, and Cig and Cie are the coefficients given in Table B5, related to environment effects of unitary releases. The second target shall be checked using a methodology similar to the one developed for the economic part of the criteria for limited impact: independent release targets for several representative isotopes. This methodology is developed in Section 2-1 B-2-2. The coefficients presented in Tables B5 and B6 are valid insofar as no core damage occurs during


the considered accidents, while evaluated with realistic methodologies. These coefficients shall be applicable to all DBC related to core and RCS behaviour. Releases of the most representative chemical species shall be assessed by the designer in general with realistic/best estimate assumptions, with the exception of the conservative assumptions listed in Section 2-1-2-4. In the methodology applicable to DBA release targets, the same limitations and the same warnings are applicable as those given for DEC (see Section 2-1-B-1).

2-1-B-2-1. Table B5: DBA release targets for no action beyond 800 m from the reactor

Isotope group 133

Xe I 137 Cs 131

Coefficients for ground level releases, Cig 1.5 10 8.1 10 1.5 10

8 5 4

Coefficients for elevated releases, Cie 3.0 10 5.5 10 8.5 10

9

Isotope 131

I Cs

137

Target for ground release (TBq)

Target for elevated release (TBq)

10 1.5

150 20

If only ground or elevated release occurs, the target shall be checked for each reference isotope and only for the related release path. If both ground level and elevated releases occur, a combination of limit percentages for each isotope shall be assessed. The method consists in estimating, for each isotope and for each release path, the percentage of release with respect to the target. To satisfy the target, the sum of those percentages, for each reference isotope, shall be lower than 100% value. The same targets apply to both design basis category 3 and 4 conditions.

6

3

for DBC category 3 1, 3 Rig Cig þ 1, 3 Rie Cie < 5 10

Targets set for ground and elevated releases and for only two reference isotopes, 131I and 137Cs, are the following:

6

The acceptance criteria are: 1, 3 Rig Cig þ 1, 3 Rie Cie < 1 10

331

3

2-1-2-2-2. Doses from direct radiation to the public during normal operation and incident conditions The target for direct radiation dose during normal operation and incidents is 0.1 m Sv year 1. The target is independent from plant rated power. This shall be assessed for the most exposed position or surrounding people:

for DBC category 4 (Releases expressed in TBq.)

2-1-B-2-2. Table B6: DBA release targets for economic impact For the limitation of area impacted by food marketing restrictions in DBA, release targets to the atmosphere shall be set. These release targets are more stringent than those given for limited DEC to minimise the impacted area.

at 100 m from the most significant sources with an occupancy factor of 1/30 or at 300 m with an occupancy factor of 1.

2-1-2-3. Operational staff doses during normal operation and incidents The plant designer shall demonstrate that for the operational staff, the following objectives for annual effective doses can be met: (1) Individual effective doses Target for individual effective dose: 5 mSv year 1

332

Nuclear Safety

Individual effective doses shall also comply with local regulations, if these are more stringent. (2) Collective effective dose The collective effective dose shall be ALARA. The target for annual collective effective dose averaged over the plant life is 0.5 man Sv per unit.

2-1-2-6. Probabilistic safety targets In accordance with the safety policy described before, EUR sets probabilistic quantitative design targets as follows:

core damage cumulative frequency shall be lower than 10 5 per reactor year cumulative frequency of exceeding the criteria for limited impact (CLI) defined in appendix B shall be lower than 10 6 per reactor year sequences potentially involving either the early failure of the primary containment (see Section 2-1-4-4-1) or very large releases shall have a cumulative frequency well below the previous target of 10 6 per reactor year.

These targets are associated with the scope, data, methods, assumptions and criteria for core damage which are defined in Chapter 2.17. In particular they include the risks in shutdown modes which have been shown to be a significant contributor in assessments of present reactor designs. The plant designer shall provide a PSA at both level 1 (determination of the frequency of events leading to core damage) and level 2 (determination of frequencies and magnitudes of radioactive release).

2-1-3-4. Single failure criterion An assembly of equipment satisfies the single failure criterion (SFC) if it can perform its safety function despite a single random failure assumed to occur in any part of the assembly during any design condition in which the assembly is required to operate. This includes unrevealed pre-existing failures. Consequential failures resulting from the assumed single failure shall be considered to be an integral part of the single failure.

The SFC shall be applied to each assembly of equipment which performs all actions required to fulfil a level F1 function for a given initiating event in order that the limits specified in the design basis for that event are not exceeded. The need to apply SFC to level F2 functions will be determined on a case-by-case basis. If, for a particular safety function, it is necessary to operate various systems simultaneously or successively, a single failure shall be postulated in any one of the systems in turn, but not simultaneously in more than one of them. In the single failure analysis, the failure may not need to be assumed of a passive component designed, manufactured, installed, inspected and maintained in service to a high quality level. However, when it is assumed that a passive component does not fail, such an approach shall be justified, taking into account the total period of time that the component is required after the initiating event. The treatment of certain components sometimes considered passive, such as check valves, should be based on a realistic assessment, rather than on prescriptive rules. Thus, single failures should be assumed for check valves that have to change state unless sufficient evidence exists to show, in relation to their implicit reliability, that this is unduly conservative. In certain cases it may not be necessary to consider the combination of an event or hazard with a single failure when the probability of the combination is very low (e.g. aircraft crash). Spurious automatic action shall be considered as one mode of failure, unless there are specific measures to inhibit such actions, or probabilistic arguments can be deployed to show this is unreasonable. Single operator errors (excluding diagnostic errors) shall be included in the SFC, but only to a limited extent as for a single spurious automatic action. Components may be withdrawn from service for repair, periodic maintenance or testing. For the systems they belong to, the SFC is not applicable during this limited time period. During this period, the combined frequency of postulated initiating event and loss of safety function or the effect on the system’s capability to perform its safety function shall be demonstrated to be insignificantly low.


2-1-4-3-2. Complex sequences that must be considered in DEC Some complex sequences shall be considered in the design, and therefore identified as part of DEC on the basis of current licensing practices or of the uncertainties associated with the evaluation of their probability of occurrence. In this case, probabilistic arguments are used only in identifying the initial reactor states and the associated assumptions for safety analysis. These conditions include:

anticipated transients without scram (ATWS) (see Section 2-1-4-3-3) station black out (SBO). In line with the overall frequency targets, SBO sequences and their duration shall be considered as DEC if their combined occurrence frequency is higher than 10 7 per year (see also Section 2-1-6-7-4). In the analysis as DEC, proper credit shall be given to diversified on-site power sources for PWRs, main steam-line break plus consequential steam-generator tube ruptures (SGTR) containment system bypass accidents, Section 2-1-4-3-4 (including multiple SGTR for PWRs).

2-1-6-8. Classification of the safety functions and categorisation of the equipment 2-1-6-8-1 Introduction The safety categorisation and classification shall be carried out on the following basis:

Definition of safety functions required to achieve and maintain a controlled or safe shutdown state. Identification of equipment and structures involved in each function. Assignment of each item of equipment or each structure to a safety category, generally according to the highest safety level of function it has to perform. Assignment of each item of equipment or each structure (where relevant) to a code class, according to the code used for the design (see Chapter 2-5).

The two levels of safety function, plus nonsafety, are defined in this section, together with the

333

requirements associated with each level. The principles for safety categorisation, deriving from the functional level, are also described in this section, together with the requirements for each safety category. The list of function and the relevant levels related to systems generally are given in Chapter 2-8 and for containment in Chapter 2-9. The plant designer shall define in detail the specific provisions to fulfil each function and shall assign each item of equipment or each structure to an appropriate safety category. The plant designer shall then, as appropriate, assign the item to a code class according to the system of codes and standards to which the plant is to be designed and constructed. The objective of the safety categorisation and classification is to specify equipment that is appropriate to the demands of safety, without requiring unduly high levels of quality, equipment qualification, periodic testing, etc. If the designer has developed a Nuclear Island using a different safety classification approach than the one required in Sections 2-1-6-8-2-1 and 2-1-6-8-2-2, the designer shall demonstrate the correspondence of its initial safety classification system with the EUR functional safety classification. If following the initial designer’s approach, any Nuclear Island equipment has a lower safety level than the one it would have following the EUR approach, the designer shall categorise it at the safety level corresponding to the one required in the EUR document.

2-1-6-8-2. Level of safety functions The levels of safety functions are defined as F1and F2. The level F1 is subdivided into sublevels F1A and F1B. The other functions are defined as non-safety. As applied to equipment required to fulfil the safety functions in design basis category 3 and 4 and certain category 2 conditions (see Section 2-1-3-3(2)), the relevant parameters are the timescale following an initiating event related to the need for the safety function and the plant state to be reached. The same applies also to DEC, but with different rankings. According to the above criteria and taking into account the definitions of plant states included in Volume 1, Appendix B, the following classification applies.

334

Nuclear Safety

2-1-6-8-2-1 Level F1 safety functions. Level F1 is subdivided into sublevels F1A and F1B according to the following criteria:

Level F1A: The safety functions needed to reach a controlled state in design basis category 3 and 4 conditions and certain category 2 conditions. Level F1B: The safety functions needed to reach a safe shutdown state in design basis category 3 and 4 conditions and in certain category 2 conditions. If this state is reached before 24 hours the safety level F1B functions shall maintain the plant in this state at least until 24 hours from accident initiation.

Due to its importance for achieving the main safety objectives, maintaining the integrity of the RCS pressure boundary should be considered as a safety level F1 function. 2-1-6-8-2-2. Level F2 safety functions. The safety functions needed to maintain a safe shutdown state beyond 24 hours and up to 72 hours from the initiating events in design basis categories 2, 3 and 4 conditions shall be assigned to level F2. Level F2 also includes safety functions needed in complex sequences up to 72 hours after onset of event. Level F2 shall also include the safety functions needed to reach and maintain a severe accident safe state (SASS).These functions shall be assigned to level F2 if critical to fulfil the overall probabilistic safety targets (see Section 2-1-2-6) or to assure the releases are kept within the targets set for certain DEC. This will be made on a case-by-case basis which can be design dependent. Level F2 shall also include the safety functions needed to reach and maintain a severe accident safe state (SASS) and a safe shutdown state in complex sequences. Safety functions which are not already level F1 and which are relevant to show compliance with the core damage cumulative frequency target of 10 5 per year shall be, in general, assigned to F2. The level of safety functions needed to cope with for hazard of external and internal origins should be assessed on a case-by-case basis, mainly on the basis of the severity of the potential consequences. The level of safety functions needed to cope with accidents not involving the reactor coolant

system and the core such as the fuel handling accidents, accidents involving the radioactive waste management systems, etc., should be defined on a case-by-case basis according to the overall safety classification and categorisation framework, the frequency of the initiating event and the potential consequences. It is not anticipated that these will be higher than level F2.

2-1-6-6-3. Requirements according to level of safety functions There are certain general requirements which can be associated with the different levels of safety functions relating to:

the need to consider the SFC; the requirement for emergency electrical supply; the need for physical separation between functional trains in a system; the need for automatic actuation.

These are summarised in their most general application in the following table: Requirement

F1A

F1B

F2

Single-failure criterion Back-up on-site electrical supply Physical separation between functional trains Automatic actuation

Yes Yes Yes

Yes Yes Yes

No1 No2 No3

Yes5

No

No4

1 Redundancy may be required for the case of equipment which is inaccessible or, if required, to meet probabilistic targets or for certain hazards. 2 Yes for those functions which require electrical supply of high reliability in the relevant conditions. 3 Yes for specific hazards (e.g. fire). 4 For certain design extension conditions there may be exceptions; to be considered on a case-by-case basis (see Chapter 2-19). 5 There may be exceptions for some slowly developing accidents.

2-1-6-8-4. Assignment of equipment and structures to a safety category Equipment and structures are assigned to the following categories:

Safety category I Safety category II Non-safety.


The designer shall assign each structure and each item of equipment to an appropriate safety category, primarily according to the highest level of the safety function they perform as follows: Highest safety function level performed

Safety category

F1A, F1B F2 Non-safety

I II Non-safety

2-1-6-8-5. Requirements on equipment and structures according to safety category Certain requirements are imposed on structures and equipment according to their safety category. These requirements are as follows: Safety category of structure or equipment Requirement

I

II

NS

Quality assurance (QA) Application of nuclear codes Qualification In-service inspection/ periodic tests Seismic qualification Reliability data

Yes Yes

Yes1 No2

No No

Yes Yes

No3 No4

No No

Yes Yes

No2 Yes

No Yes5

1 Sufficient to assure required reliability. QA typically to EN ISO 9001. 2 Appropriate codes shall be used, but they may be non-nuclear ones, see Section 2-1-6-8-6. 3 For structures or equipment used under severe accident conditions, demonstration of survivability is required. 4 Except as required to support the reliability data. 5 Only equipment claimed in PSA.

2-1-6-8-6. Classification of structures and equipment according to the design and construction codes The designer shall assign each safety category I structure and piece of equipment (mechanical, electrical, I&C) to an appropriate class of the nuclear

335

design and construction codes to which the item is being designed and constructed. See Chapter 2-5 for the definition of these level 3 codes. Safety category II and non-safety category structures and equipment shall be designed to appropriate codes (Chapter 2-5 gives the general outline, which will be specified in more detail in Volume 3).

2-1-6-8-7. The relation of seismic categorisation to safety level of functions All structures and equipment required to fulfil level F1 safety functions shall be seismic category I. Such structures and equipment shall be qualified to withstand the effects of a design basis earthquake (DBE) (i.e. to remain structurally intact, leaktight in the case of fluid retaining equipment, and functionally operable to the extent required by its safety role). Structures and equipment required to fulfil level F2 safety functions during or after an earthquake shall be identified, on a case-by-case basis, to establish the need for seismic qualification or other means of ensuring its capability to withstand earthquakeinduced effects to the extent required by its contribution to nuclear safety. Such equipment shall be seismic category I. In addition, non-seismic-category I components and structures, whose failure in DBE conditions could impair the correct functioning of seismic category I equipment, shall be assigned to seismic category S. (See Chapter 2-4, Section 2-4-4-2-1).

2-1-6-13. Accident management Accident management includes pre-planned and ad hoc operational practices which, in circumstances in which the design basis specification of the plant is exceeded, would make optimum use of existing plant equipment to restore control. This applies to design extension conditions (i.e. to prevention of core damage and mitigation of severe accidents) (see Section 2-1-4). Accident management procedures and equipment should be provided which would allow the plant to be restored to a safe state, using what is still available. Physical state-based and/or symptom-based accident management procedures should be developed,

336

Nuclear Safety

verified and validated. Unambiguous criteria shall be established for the conditions in which particular procedures would be stated, and the time interval for each action defined. If it is not possible to ensure that core damage can be prevented, the design shall allow sufficient time to obtain the necessary expertise for on-site accident management and to organise off-site emergency measures. This relates to autonomy requirements, included in Section 2-1-6-7 and requirements in Chapters 2-8 and 2-9. Sufficient instrumentation whose operability must be demonstrated under the relevant conditions, shall be provided to allow the necessary actions to be carried out and the response monitored.

2-1-6-14. Radiation protection The design for normal operation shall provide a high degree of assurance that releases of radioactive materials are as low as reasonably achievable (ALARA) and will stay below specified limits. Suitable provisions shall be made in the design and layout of the plant to minimise exposure and contamination from all sources of radioactivity. Such provisions shall include adequate design of systems and components with respect to low radiation exposure during maintenance and inspection, shielding from direct radiation, reduction of corrosion-product activation by specification of appropriate materials, means of monitoring, control of access to the plant, minimisation of the time to be spent in contaminated areas, and suitable decontamination facilities. The plant arrangements shall provide for control of access into radiation and contamination areas and should also minimise contamination resulting from the movement of radioactive materials and personnel within the plant. The plant arrangements should provide for efficient operation, inspection, maintenance, and replacement as necessary to minimise radiation exposure (see also Chapter 2-14 Section 2-14-4).

The designer shall provide a dose assessment which includes doses arising during maintenance. Attention shall also be given to the actions that operators may be asked to perform during and after an accident condition or a DEC. Equipment accessibility and proper evaluation of radiation dose rate where the presence of the operator is required shall be carried out.

Definitions (extracts) Delayed actions: Actions involving public temporary relocation, based on projected doses up to 30 days caused by ground shine and aerosol resuspension, which may be implemented after the practical end of the releases phase of an accident. Long-term actions: Actions involving public permanent resettlement, based on projected doses up to 50 years caused by ground shine and aerosol resuspension. Doses due to ingestion are not considered in this definition. Controlled state: In DBC 2 (incident conditions), or DBC 3 & 4 conditions (accident conditions) or in complex sequences, the plant is in a controlled state if the following conditions are ensured by operator actions or by the active or passive safety features:

reactivity control heat removal releases to the environment are in accordance with: EUR Section 2-1-8-1 for incident; Section 2-1-B-2 for accident; and Section 2-1-B for complex sequences.

Safe shutdown state: In incident or accident conditions or in complex sequences, the plant is in a safe shutdown state if the following conditions are ensured by operator actions or by the active or passive safety features:

reactivity control core heat removal limitations of releases in accordance with EUR plant parameters are well below the design limits for components and structures.

Appendix 7 Notes on fracture mechanics

A7-1. Introduction The field of fracture mechanics has progressed a long way since the first studied by A.A. Griffith (1893– 1963). It is useful to recall the simple yet brilliant logic behind them. Fundamentally Griffith (Ewing and Hill, 1967) understood that as a crack propagated in a stressed material an energy exchange took place. On one hand, the crack propagation required energy for the creation of further fracture surfaces in front of the crack point and, on the other hand, energy was released by the zone of material which was unloaded by the propagation itself. Figure A7-1 illustrates this phenomenon and the concept of ‘critical crack length’. Curve A represents the energy necessary to create rupture surfaces corresponding to a certain crack

length L. The curve is substantially a straight line as the area of the rupture surfaces is proportional to the crack length and the rupture energy is proportional to this area. Curve B represents the energy released for the extension of the crack from zero length up to length L. This curve has a parabolic shape as the energy released is proportional to the volume of material unloaded by the propagation (indicated around the crack in the left part of the diagram), which in turn is roughly proportional to the square of the crack length. The third curve represents the difference between released energy and rupture energy for the various lengths of crack; the quantity Lg represents the critical crack length, that is the value for which the increase of length of the crack releases more energy than is consumed in the creation of new rupture surfaces.

Fracture Mechanics - Griffth (1920) P B: Released energy

Energy

L

P

Lg

Crack length A: Absorbed energy

Figure A7-1. Energy balance in crack propagation. (Griffith, 1920).

337

338

Nuclear Safety

In analytical terms, Griffith arrived at the conclusion shown in Equation A7.1: Mode I

1 rupture work for unit area 2GE ¼ , Lg ¼ deformation energy for unit volume s2 ðA7:1Þ where Lg is the crack length (m) (with reference to the geometry depicted in Figure A7-1), G is the energy needed for a unit increase of the crack surface (J m 2), E is Young’s modulus (N m 2) and s is the tension in the plate (N m 2). G has the order of magnitude of 1–2 105 J m 2 for construction steels and s is usually in the range of 70–150 106 N m 2, so for a construction steel plate stressed at 150 106 N m 2, the following result is obtained: Lg ¼

Mode II

2 ð1:5 105 Þ E ¼ 0:91 m: ð150 106 Þ2

Among other things, Griffith’s energy formulation gives a logical explanation to the fact that, notwithstanding the very high stresses present at the crack tip, the resistance to its propagation is high for ductile materials.

Mode III

A7-2. Current practice Two of today’s approaches to fracture study are summarized here. The first is based on the use of the stress intensity factor K. The second is based on the J integral. The latter approach is suitable for situations of ductile fracture with strong deformations (ductile materials, low stress triaxiality, and so on). The approach based on the K factor is based on the possibility of representing the stress field around the crack tip by, precisely, a stress intensity factor K, which in turn is dependent on the way the crack is invited to propagate, on the mode of application of the load, on the level and variation of the stress in the material far from the crack tip and, finally, on the type of crack (thickness, elliptical or with constant depth, etc.). The three stress modes usually considered are shown in Figure A7-2. The various load application modes are shown in Figure A7-3.

Figure A7-2. Modes of crack stressing (KI, KII, KIII).

(b)

(a) σ0

y

P X

2a

2a P

σ0 KI = σ0 ∏a

KI =

P ∏a

Figure A7-3. Modes of load application.


The coordinate system generally adopted to describe the stress field around the crack is shown in Figure A7-4. An example of the distribution of stresses around the crack in biaxial geometry is given in Figure A7-5. σy τxy τyz τxz

y σx

x

σz

θ

r

339

The expressions for O(r) in Figure A7-5 represent distributions of stresses in the zones far removed from the crack tip and dependent on the complete stress state of the structure. Figure A7-6 shows KI for the case of a longitudinal crack of various depths in a cylinder wall (such as, for example, in a pipe or the reactor vessel). A variety of already calculated cases exists for the distribution of stresses around a crack tip for various types of cracks and of loading conditions. Guidance on this can be found in specialist texts on fracture mechanics (Milella, 1999; Miannay, 1997; Wilkowski et al., 1997). Figure A7-7 shows the material properties KIC and KIA (intensity factors for crack initiation and for crack arrest of a propagating crack), with reference to a typical pressure vessel steel.

z

Figure A7-4. Coordinate system. 6

σy

y

τ

σ = A0 + A1X + A2X 2 + A3X 3 5

σx

σx

F1

τ

a

r

σy (y = 0)

q

x Crack

Magnification factor

σy R

4

F2 3

F3

σx =

σy =

τxy =

KI

cos

3ϑ  ϑ  ϑ 1 − sin sin + O (r) 2  2 2 

cos

3ϑ  ϑ  ϑ + O (r) 1 − sin sin 2  2 2 

2πr

KI 2πr

KI 2πr

cos

ϑ

sin

2

ϑ

cos

2

3ϑ

+ O (r)

2

σz = 0(planestress) σz = ν(σy + σx) (planestrain)

Figure A7-5. Stresses around the crack tip.

F4 2

1   a2 2a 4 a3 KI = (π ∗ a) A0F1 + A1F2 + A2F3 + A F  π 2 3 π 3 4  0.0

0.1

0.2 0.3 0.4 0.5 0.6 0.7 0.8 Fractional distance through wall [a/t]

0.9

1.0

Figure A7-6. KI for a longitudinal crack in the wall of a cylinder.

340

Nuclear Safety

Figure A7-7. Critical toughness and arrest toughness of a construction steel as a function of temperature (relative to the transition one).

The temperature RTndt is the transition temperature between brittle and ductile rupture. It can be determined by tests on specific toughness specimens or it can be correlated (for increased easiness) with an energy value absorbed in the common Charpy V test (generally 5.1 105 or 8.7 105 J m 2, corresponding to 30 or 50 ft lb 1, respectively. The way in which the various types of data are used is generally the following one:

KI is determined for the crack to be studied. KIC is determined for the material corresponding to the conditions at the crack tip. The comparison between this value and KI indicates if the crack will start to propagate in an unstable way or not. If it can be controlled, then the possibility exists that the crack which started to propagate is arrested at a certain point. For this investigation, KI, corresponding to various stages of extension of the crack has to be again determined. These values have to be compared with the corresponding KIA. If, for a certain stage of crack propagation it is found that KI is lower than KIA, then the crack will stop at that point.

In the case of a reactor pressure vessel the crack may stop because, with its extension, it arrives to

zones of the material which are less embrittled than the one from where the crack has started. In other cases the arrest may occur because the material reached during the propagation is less stressed than the initial one. It is useful to remember the existence of the phenomenon of ‘warm pre-stress’ according to which, in general terms, if a component containing a crack is loaded in warm conditions (i.e. in conditions of good ductility), it is not susceptible to unstable crack propagation for lower load conditions, even if correspondingly the temperature and ductility are lower. This principle, which finds its evident logical basis in the effect of ‘protective’ plasticization at the crack tip, is usually accepted in the following, less ample, formulation: ‘after an initial pre-load, no unstable crack propagation will occur if the stress intensity factor is constant or decreasing’. The J integral method is more widely used especially in cases of strong plasticization of the material during its rupture. This method substantially follows the K factor approach with the difference that the parameter to be evaluated is, now, a special integral operator, called the J integral (Rice, 1968).


y

T

ds

In order to clarify the physical meaning of K and, above all, of J, these quantities can be simply related to each other and with a concept already used by Griffith, that is with the specific potential energy related with the crack area, GR (see Equation A7.3):

n

u

0

ny

n

nx= cosθ = θ

dy

0

nx

ds

ny= sinθ =−

dy ds dx ds

J ¼ GR, for plane problems K2I ¼ GR E, for plane stress states

x

ðwhere E is Young’s modulusÞ

Figure A7-8. Definition of the symbols used in the expression of the J integral.

The integral is defined in Equation A7-2 with the symbols indicated in Figure A7-8: Z

Wdy

@U , @A

T

GR E , for plane strain states 1 2 ðwhere v is the Poisson modulusÞ

K2I ¼

ðA7:4Þ ðA7:5Þ

ðA7:6Þ

References

!

u ds, @x

!@

ðA7:3Þ

assuming a small plastic area at the crack tip, and where R is the specific potential energy related to crack area (J m 2), U is the potential energy (J) and A is the crack area (m2). GR is then the variation of the elastic potential energy of deformation of the material corresponding to the unit variation of the crack area. The following relationships hold:

dx

J¼

GR ¼

X

Γ

y

341

ðA7:2Þ

where T is the stress vector (kg m 2), u is the displacement (m) and W is the strain energy density (J m 3). The integral is calculated along any path which includes the crack tip, as indicated in the figure. It is invariant of the specific path chosen. The value of J that is critical for the material is measured on special samples.

Ewing, D.J.F., Hill, R.J., Journal of Mechanics and Physics of solids, No. 15, p. 115, 1967. Miannay, D.P. (1997) Fracture Mechanics, Springer. Milella, P.P. (1999) ‘Meccanica della frattura’, Ansaldo Nucleare, Corso Perrone, 25, Genova. Rice, J.R., (1968) ‘A path independent integral and the Approximate Analysis of strain Concentration by Notches and Cracks’ Journal of Applied Mechanics, pp. 379–386, 1968. Wilkowski, G.M., et al. (1997) ‘State-of-the-art report on piping fracture mechanics’, NUREG/CR-6540; BMI 2196.


Appendix 8 US general design criteria

The following text is reproduced from the US (1971) ‘General Design Criteria (CFR Part 50, App. A)’.

The criteria document numbering references have been retained.

Applicability

Criterion title

I. Overall Requirements:

Quality Standards and Records Design Bases for Protection Against Natural Phenomena Fire Protection Environmental and Dynamic Effects Design Bases Sharing of Structures, Systems, and Components Reactor Design Reactor Inherent Protection Suppression of Reactor Power Oscillations Instrumentation and Control Reactor Coolant Pressure Boundary Reactor Coolant System Design Containment Design Electric Power Systems Inspection and Testing of Electric Power Systems Control Room Protection System Functions Protection System Reliability and Testability Protection System Independence Protection System Failure Modes Separation of Protection and Control Systems Protection System Requirements for Reactivity Control Malfunctions Reactivity Control System Redundancy and Capability Combined Reactivity Control Systems Capability Reactivity Limits Protection Against Anticipated Operational Occurrences Quality of Reactor Coolant Pressure Boundary Fracture Prevention of Reactor Coolant Pressure Boundary Inspection of Reactor Coolant Pressure Boundary Reactor Coolant Makeup Residual Heat Removal

II. Protection by Multiple Fission Product Barriers:

III. Protection and Reactivity Control Systems:

IV. Fluid Systems:

and

cross-

Criterion number 1 2 3 4 5 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 Continued

343

344

Nuclear Safety

Table A8-1. Continued Applicability

Criterion title

Criterion number

V. Reactor Containment:

Emergency Core Cooling Inspection of Containment Heat Removal System Testing of Emergency Core Cooling System Containment Heat Removal Inspection of Containment Heat Removal System Testing of Containment Heat Removal System Containment Atmosphere Cleanup Inspection of Containment Atmosphere Cleanup Systems Testing of Containment Atmosphere Cleanup Systems Cooling Water Inspection of Cooling Water System Testing of Cooling Water System Containment Design Basis Fracture Prevention of Containment Pressure Boundary Capability for Containment Leakage Rate Testing Provisions for Containment Testing and Inspection Systems Penetrating Containment Reactor Coolant Pressure Boundary Penetrating Containment Primary Containment Isolation Closed Systems Isolation Valves Control of Releases of Radioactive Materials to the Environment Fuel Storage and Handling and Radioactivity Control Prevention of Criticality in Fuel Storage and Handling Monitoring Fuel and Waste Storage Monitoring Radioactivity Releases

35 36 37 38 39 40 41 42 43 44 45 46 50 51 52 53 54 55 56 57 60 61 62 63 64

VI. Fuel and Radioactivity Control:

A8-1. Introduction Pursuant to the provisions of x50.34, an application for a construction permit must include the principal design criteria for a proposed facility. The principal design criteria establish the necessary design, fabrication, construction, testing, and performance requirements for structures, systems, and components important to safety; that is, structures, systems, and components that provide reasonable assurance that the facility can be operated without undue risk to the health and safety of the public. These General Design Criteria establish minimum requirements for the principal design criteria for water-cooled nuclear power plants similar in design and location to plants for which construction permits have been issued by the Commission. The General Design Criteria are also considered to be generally applicable to other types of nuclear power units and are intended to provide guidance in establishing the principal design criteria for such other units.

The development of these General Design Criteria is not yet complete. For example, some of the definitions need further amplification. Also, some of the specific design requirements for structures, systems, and components important to safety have not as yet been suitably defined. Their omission does not relieve any applicant from considering these matters in the design of a specific facility and satisfying the necessary safety requirements. These matters include: (1) Consideration of the need to design against single failures of passive components in fluid systems important to safety. (See Definition of Single Failure.) (2) Consideration of redundancy and diversity requirements for fluid systems important to safety. A ‘system’ could consist of a number of subsystems each of which is separately capable of performing the specified system safety function. The minimum acceptable redundancy and diversity of subsystems and components within


a subsystem, and the required interconnection and independence of the subsystems have not yet been developed or defined. (See Criteria 34, 35, 38, 41, and 44.) (3) Consideration of the type, size, and orientation of possible breaks in components of the reactor coolant pressure boundary in determining design requirements to suitably protect against postulated loss-of-coolant accidents. (See Definition of Loss of Coolant Accidents.) (4) Consideration of the possibility of systematic, nonrandom, concurrent failures of redundant elements in the design of protection systems and reactivity control systems. (See Criteria 22, 24, 26, and 29.) It is expected that the criteria will be augmented and changed from time to time as important new requirements for these and other features are developed. There will be some water-cooled nuclear power plants for which the General Design Criteria are not sufficient and for which additional criteria must be identified and satisfied in the interest of public safety. In particular, it is expected that additional or different criteria will be needed to take into account unusual sites and environmental conditions, and for water-cooled nuclear power units of advanced design. Also, there may be water-cooled nuclear power units for which fulfillment of some of the General Design Criteria may not be necessary or appropriate. For plants such as these, departures from the General Design Criteria must be identified and justified.

A8-2. Definitions and explanations Nuclear power unit. A nuclear power unit means a nuclear power reactor and associated equipment necessary for electric power generation and includes those structures, systems, and components required to provide reasonable assurance the facility can be operated without undue risk to the health and safety of the public. Loss of coolant accidents. Loss of coolant accidents mean those postulated accidents that result from the loss of reactor coolant at a rate in excess of the capability of the reactor coolant makeup system from breaks in the reactor coolant pressure

345

boundary, up to and including a break equivalent in size to the double-ended rupture of the largest pipe of the reactor coolant system.1 Single failure. A single failure means an occurrence which results in the loss of capability of a component to perform its intended safety functions. Multiple failures resulting from a single occurrence are considered to be a single failure. Fluid and electric systems are considered to be designed against an assumed single failure if neither (1) a single failure of any active component (assuming passive components function properly) nor (2) a single failure of a passive component (assuming active components function properly), results in a loss of the capability of the system to perform its safety functions.2 Anticipated operational occurrences. Anticipated operational occurrences mean those conditions of normal operation which are expected to occur one or more times during the life of the nuclear power unit and include but are not limited to loss of power to all recirculation pumps, tripping of the turbine generator set, isolation of the main condenser, and loss of all offsite power.

A8-3. Criteria A8-3-1. Overall requirements Criterion 1 – Quality standards and records. Structures, systems, and components important to safety shall be designed, fabricated, erected, and tested to quality standards commensurate with the importance of the safety functions to be performed. Where generally recognized codes and standards are used, they shall be identified and evaluated to determine their applicability, adequacy, and sufficiency and shall be supplemented or modified as necessary to assure a quality product in keeping with the required safety function. A quality assurance program shall be established and implemented in order to provide adequate assurance that these structures, systems, and components will satisfactorily perform their safety functions. Appropriate records of the design, fabrication, erection, and testing of structures, systems, and components important to safety shall be maintained by or under the control of the nuclear power unit licensee throughout the life of the unit. Criterion 2 – Design bases for protection against natural phenomena. Structures, systems, and components

346

Nuclear Safety

important to safety shall be designed to withstand the effects of natural phenomena such as earthquakes, tornadoes, hurricanes, floods, tsunami, and seiches without loss of capability to perform their safety functions. The design bases for these structures, systems, and components shall reflect: (1) Appropriate consideration of the most severe of the natural phenomena that have been historically reported for the site and surrounding area, with sufficient margin for the limited accuracy, quantity, and period of time in which the historical data have been accumulated, (2) appropriate combinations of the effects of normal and accident conditions with the effects of the natural phenomena and (3) the importance of the safety functions to be performed. Criterion 3 – Fire protection. Structures, systems, and components important to safety shall be designed and located to minimize, consistent with other safety requirements, the probability and effect of fires and explosions. Noncombustible and heat resistant materials shall be used wherever practical throughout the unit, particularly in locations such as the containment and control room. Fire detection and fighting systems of appropriate capacity and capability shall be provided and designed to minimize the adverse effects of fires on structures, systems, and components important to safety. Firefighting systems shall be designed to assure that their rupture or inadvertent operation does not significantly impair the safety capability of these structures, systems, and components. Criterion 4 – Environmental and dynamic effects design bases. Structures, systems, and components important to safety shall be designed to accommodate the effects of and to be compatible with the environmental conditions associated with normal operation, maintenance, testing, and postulated accidents, including loss-of-coolant accidents. These structures, systems, and components shall be appropriately protected against dynamic effects, including the effects of missiles, pipe whipping, and discharging fluids, that may result from equipment failures and from events and conditions outside the nuclear power unit. However, dynamic effects associated with postulated pipe ruptures in nuclear power units may be excluded from the design basis when analyses reviewed and approved by the Commission demonstrate that the probability of fluid system piping rupture is extremely low under conditions consistent with the design basis for the piping.

Criterion 5 – Sharing of structures, systems, and components. Structures, systems, and components important to safety shall not be shared among nuclear power units unless it can be shown that such sharing will not significantly impair their ability to perform their safety functions, including, in the event of an accident in one unit, an orderly shutdown and cooldown of the remaining units.

A8-3-2. Protection by Multiple Fission Product Barriers Criterion 10 – Reactor design. The reactor core and associated coolant, control, and protection systems shall be designed with appropriate margin to assure that specified acceptable fuel design limits are not exceeded during any condition of normal operation, including the effects of anticipated operational occurrences. Criterion 11 – Reactor inherent protection. The reactor core and associated coolant systems shall be designed so that in the power operating range the net effect of the prompt inherent nuclear feedback characteristics tends to compensate for a rapid increase in reactivity. Criterion 12 – Suppression of reactor power oscillations. The reactor core and associated coolant, control, and protection systems shall be designed to assure that power oscillations which can result in conditions exceeding specified acceptable fuel design limits are not possible or can be reliably and readily detected and suppressed. Criterion 13 – Instrumentation and control. Instrumentation shall be provided to monitor variables and systems over their anticipated ranges for normal operation, for anticipated operational occurrences, and for accident conditions as appropriate to assure adequate safety, including those variables and systems that can affect the fission process, the integrity of the reactor core, the reactor coolant pressure boundary, and the containment and its associated systems. Appropriate controls shall be provided to maintain these variables and systems within prescribed operating ranges. Criterion 14 – Reactor coolant pressure boundary. The reactor coolant pressure boundary shall be designed, fabricated, erected, and tested so as to have an extremely low probability of abnormal leakage, of rapidly propagating failure, and of gross rupture.


Criterion 15 – Reactor coolant system design. The reactor coolant system and associated auxiliary, control, and protection systems shall be designed with sufficient margin to assure that the design conditions of the reactor coolant pressure boundary are not exceeded during any condition of normal operation, including anticipated operational occurrences. Criterion 16 – Containment design. Reactor containment and associated systems shall be provided to establish an essentially leak-tight barrier against the uncontrolled release of radioactivity to the environment and to assure that the containment design conditions important to safety are not exceeded for as long as postulated accident conditions require. Criterion 17 – Electric power systems. An onsite electric power system and an offsite electric power system shall be provided to permit functioning of structures, systems, and components important to safety. The safety function for each system (assuming the other system is not functioning) shall be to provide sufficient capacity and capability to assure that (1) specified acceptable fuel design limits and design conditions of the reactor coolant pressure boundary are not exceeded as a result of anticipated operational occurrences and (2) the core is cooled and containment integrity and other vital functions are maintained in the event of postulated accidents. The onsite electric power supplies, including the batteries, and the onsite electric distribution system, shall have sufficient independence, redundancy, and testability to perform their safety functions assuming a single failure. Electric power from the transmission network to the onsite electric distribution system shall be supplied by two physically independent circuits (not necessarily on separate rights of way) designed and located so as to minimize to the extent practical the likelihood of their simultaneous failure under operating and postulated accident and environmental conditions. A switchyard common to both circuits is acceptable. Each of these circuits shall be designed to be available in sufficient time following a loss of all onsite alternating current power supplies and the other offsite electric power circuit, to assure that specified acceptable fuel design limits and design conditions of the reactor coolant pressure boundary are not exceeded. One of these circuits shall be designed to be available within a few seconds following a loss-of-coolant accident to assure that

347

core cooling, containment integrity, and other vital safety functions are maintained. Provisions shall be included to minimize the probability of losing electric power from any of the remaining supplies as a result of, or coincident with, the loss of power generated by the nuclear power unit, the loss of power from the transmission network, or the loss of power from the onsite electric power supplies. Criterion 18 – Inspection and testing of electric power systems. Electric power systems important to safety shall be designed to permit appropriate periodic inspection and testing of important areas and features, such as wiring, insulation, connections, and switchboards, to assess the continuity of the systems and the condition of their components. The systems shall be designed with a capability to test periodically (1) the operability and functional performance of the components of the systems, such as onsite power sources, relays, switches, and buses, and (2) the operability of the systems as a whole and, under conditions as close to design as practical, the full operation sequence that brings the systems into operation, including operation of applicable portions of the protection system, and the transfer of power among the nuclear power unit, the offsite power system, and the onsite power system. Criterion 19 – Control room. A control room shall be provided from which actions can be taken to operate the nuclear power unit safely under normal conditions and to maintain it in a safe condition under accident conditions, including loss-of-coolant accidents. Adequate radiation protection shall be provided to permit access and occupancy of the control room under accident conditions without personnel receiving radiation exposures in excess of 5 rem whole body, or its equivalent to any part of the body, for the duration of the accident. Equipment at appropriate locations outside the control room shall be provided (1) with a design capability for prompt hot shutdown of the reactor, including necessary instrumentation and controls to maintain the unit in a safe condition during hot shutdown, and (2) with a potential capability for subsequent cold shutdown of the reactor through the use of suitable procedures. Applicants for and holders of construction permits and operating licenses under this part who apply on or after January 10, 1997, applicants for design certifications under part 52 of this chapter

348

Nuclear Safety

who apply on or after January 10, 1997, applicants for and holders of combined licenses under part 52 of this chapter who do not reference a standard design certification, or holders of operating licenses using an alternative source term under x50.67, shall meet the requirements of this criterion, except that with regard to control room access and occupancy, adequate radiation protection shall be provided to ensure that radiation exposures shall not exceed 0.05 Sv (5 rem) total effective dose equivalent (TEDE) as defined in x50.2 for the duration of the accident.

A8-3-3. Protection and Reactivity Control Systems Criterion 20 – Protection system functions. The protection system shall be designed (1) to initiate automatically the operation of appropriate systems including the reactivity control systems, to assure that specified acceptable fuel design limits are not exceeded as a result of anticipated operational occurrences and (2) to sense accident conditions and to initiate the operation of systems and components important to safety. Criterion 21 – Protection system reliability and testability. The protection system shall be designed for high functional reliability and inservice testability commensurate with the safety functions to be performed. Redundancy and independence designed into the protection system shall be sufficient to assure that (1) no single failure results in loss of the protection function and (2) removal from service of any component or channel does not result in loss of the required minimum redundancy unless the acceptable reliability of operation of the protection system can be otherwise demonstrated. The protection system shall be designed to permit periodic testing of its functioning when the reactor is in operation, including a capability to test channels independently to determine failures and losses of redundancy that may have occurred. Criterion 22 – Protection system independence. The protection system shall be designed to assure that the effects of natural phenomena, and of normal operating, maintenance, testing, and postulated accident conditions on redundant channels do not result in loss of the protection function, or shall be demonstrated to be acceptable on some other

defined basis. Design techniques, such as functional diversity or diversity in component design and principles of operation, shall be used to the extent practical to prevent loss of the protection function. Criterion 23 – Protection system failure modes. The protection system shall be designed to fail into a safe state or into a state demonstrated to be acceptable on some other defined basis if conditions such as disconnection of the system, loss of energy (e.g. electric power, instrument air), or postulated adverse environments (e.g. extreme heat or cold, fire, pressure, steam, water, and radiation) are experienced. Criterion 24 – Separation of protection and control systems. The protection system shall be separated from control systems to the extent that failure of any single control system component or channel, or failure or removal from service of any single protection system component or channel which is common to the control and protection systems leaves intact a system satisfying all reliability, redundancy, and independence requirements of the protection system. Interconnection of the protection and control systems shall be limited so as to assure that safety is not significantly impaired. Criterion 25 – Protection system requirements for reactivity control malfunctions. The protection system shall be designed to assure that specified acceptable fuel design limits are not exceeded for any single malfunction of the reactivity control systems, such as accidental withdrawal (not ejection or dropout) of control rods. Criterion 26 – Reactivity control system redundancy and capability. Two independent reactivity control systems of different design principles shall be provided. One of the systems shall use control rods, preferably including a positive means for inserting the rods, and shall be capable of reliably controlling reactivity changes to assure that under conditions of normal operation, including anticipated operational occurrences, and with appropriate margin for malfunctions such as stuck rods, specified acceptable fuel design limits are not exceeded. The second reactivity control system shall be capable of reliably controlling the rate of reactivity changes resulting from planned, normal power changes (including xenon burnout) to assure acceptable fuel design limits are not exceeded. One of the systems shall be capable of holding the reactor core subcritical under cold conditions.


Criterion 27 – Combined reactivity control systems capability. The reactivity control systems shall be designed to have a combined capability, in conjunction with poison addition by the emergency core cooling system, of reliably controlling reactivity changes to assure that under postulated accident conditions and with appropriate margin for stuck rods the capability to cool the core is maintained. Criterion 28 – Reactivity limits. The reactivity control systems shall be designed with appropriate limits on the potential amount and rate of reactivity increase to assure that the effects of postulated reactivity accidents can neither (1) result in damage to the reactor coolant pressure boundary greater than limited local yielding nor (2) sufficiently disturb the core, its support structures or other reactor pressure vessel internals to impair significantly the capability to cool the core. These postulated reactivity accidents shall include consideration of rod ejection (unless prevented by positive means), rod dropout, steam line rupture, changes in reactor coolant temperature and pressure, and cold water addition. Criterion 29 – Protection against anticipated operational occurrences. The protection and reactivity control systems shall be designed to assure an extremely high probability of accomplishing their safety functions in the event of anticipated operational occurrences.

A8-3-4. Fluid Systems Criterion 30 – Quality of reactor coolant pressure boundary. Components which are part of the reactor coolant pressure boundary shall be designed, fabricated, erected, and tested to the highest quality standards practical. Means shall be provided for detecting and, to the extent practical, identifying the location of the source of reactor coolant leakage. Criterion 31 – Fracture prevention of reactor coolant pressure boundary. The reactor coolant pressure boundary shall be designed with sufficient margin to assure that when stressed under operating, maintenance, testing, and postulated accident conditions (1) the boundary behaves in a nonbrittle manner and (2) the probability of rapidly propagating fracture is minimized. The design shall reflect consideration of service temperatures and other

349

conditions of the boundary material under operating, maintenance, testing, and postulated accident conditions and the uncertainties in determining (1) material properties, (2) the effects of irradiation on material properties, (3) residual, steady state and transient stresses, and (4) size of flaws. Criterion 32 – Inspection of reactor coolant pressure boundary. Components which are part of the reactor coolant pressure boundary shall be designed to permit (1) periodic inspection and testing of important areas and features to assess their structural and leaktight integrity, and (2) an appropriate material surveillance program for the reactor pressure vessel. Criterion 33 – Reactor coolant makeup. A system to supply reactor coolant makeup for protection against small breaks in the reactor coolant pressure boundary shall be provided. The system safety function shall be to assure that specified acceptable fuel design limits are not exceeded as a result of reactor coolant loss due to leakage from the reactor coolant pressure boundary and rupture of small piping or other small components which are part of the boundary. The system shall be designed to assure that for onsite electric power system operation (assuming offsite power is not available) and for offsite electric power system operation (assuming onsite power is not available) the system safety function can be accomplished using the piping, pumps, and valves used to maintain coolant inventory during normal reactor operation. Criterion 34 – Residual heat removal. A system to remove residual heat shall be provided. The system safety function shall be to transfer fission product decay heat and other residual heat from the reactor core at a rate such that specified acceptable fuel design limits and the design conditions of the reactor coolant pressure boundary are not exceeded. Suitable redundancy in components and features, and suitable interconnections, leak detection, and isolation capabilities shall be provided to assure that for onsite electric power system operation (assuming offsite power is not available) and for offsite electric power system operation (assuming onsite power is not available) the system safety function can be accomplished, assuming a single failure. Criterion 35 – Emergency core cooling. A system to provide abundant emergency core cooling shall be provided. The system safety function shall be

350

Nuclear Safety

to transfer heat from the reactor core following any loss of reactor coolant at a rate such that (1) fuel and clad damage that could interfere with continued effective core cooling is prevented and (2) clad metal-water reaction is limited to negligible amounts. Suitable redundancy in components and features, and suitable interconnections, leak detection, isolation, and containment capabilities shall be provided to assure that for onsite electric power system operation (assuming offsite power is not available) and for offsite electric power system operation (assuming onsite power is not available) the system safety function can be accomplished, assuming a single failure. Criterion 36 – Inspection of emergency core cooling system. The emergency core cooling system shall be designed to permit appropriate periodic inspection of important components, such as spray rings in the reactor pressure vessel, water injection nozzles, and piping, to assure the integrity and capability of the system. Criterion 37 – Testing of emergency core cooling system. The emergency core cooling system shall be designed to permit appropriate periodic pressure and functional testing to assure (1) the structural and leaktight integrity of its components, (2) the operability and performance of the active components of the system, and (3) the operability of the system as a whole and, under conditions as close to design as practical, the performance of the full operational sequence that brings the system into operation, including operation of applicable portions of the protection system, the transfer between normal and emergency power sources, and the operation of the associated cooling water system. Criterion 38 – Containment heat removal. A system to remove heat from the reactor containment shall be provided. The system safety function shall be to reduce rapidly, consistent with the functioning of other associated systems, the containment pressure and temperature following any loss-of-coolant accident and maintain them at acceptably low levels. Suitable redundancy in components and features, and suitable interconnections, leak detection, isolation, and containment capabilities shall be provided to assure that for onsite electric power system operation (assuming offsite power is not available) and for offsite electric power system operation

(assuming onsite power is not available) the system safety function can be accomplished, assuming a single failure. Criterion 39 – Inspection of containment heat removal system. The containment heat removal system shall be designed to permit appropriate periodic inspection of important components, such as the torus, sumps, spray nozzles, and piping to assure the integrity and capability of the system. Criterion 40 – Testing of containment heat removal system. The containment heat removal system shall be designed to permit appropriate periodic pressure and functional testing to assure (1) the structural and leaktight integrity of its components, (2) the operability and performance of the active components of the system, and (3) the operability of the system as a whole, and under conditions as close to the design as practical the performance of the full operational sequence that brings the system into operation, including operation of applicable portions of the protection system, the transfer between normal and emergency power sources, and the operation of the associated cooling water system. Criterion 41 – Containment atmosphere cleanup. Systems to control fission products, hydrogen, oxygen, and other substances which may be released into the reactor containment shall be provided as necessary to reduce, consistent with the functioning of other associated systems, the concentration and quality of fission products released to the environment following postulated accidents, and to control the concentration of hydrogen or oxygen and other substances in the containment atmosphere following postulated accidents to assure that containment integrity is maintained. Each system shall have suitable redundancy in components and features, and suitable interconnections, leak detection, isolation, and containment capabilities to assure that for onsite electric power system operation (assuming offsite power is not available) and for offsite electric power system operation (assuming onsite power is not available) its safety function can be accomplished, assuming a single failure. Criterion 42 – Inspection of containment atmosphere cleanup systems. The containment atmosphere cleanup systems shall be designed to permit appropriate periodic inspection of important components, such as filter frames, ducts, and piping to assure the integrity and capability of the systems.


Criterion 43 – Testing of containment atmosphere cleanup systems. The containment atmosphere cleanup systems shall be designed to permit appropriate periodic pressure and functional testing to assure (1) the structural and leaktight integrity of its components, (2) the operability and performance of the active components of the systems such as fans, filters, dampers, pumps, and valves and (3) the operability of the systems as a whole and, under conditions as close to design as practical, the performance of the full operational sequence that brings the systems into operation, including operation of applicable portions of the protection system, the transfer between normal and emergency power sources, and the operation of associated systems. Criterion 44 – Cooling water. A system to transfer heat from structures, systems, and components important to safety, to an ultimate heat sink shall be provided. The system safety function shall be to transfer the combined heat load of these structures, systems, and components under normal operating and accident conditions. Suitable redundancy in components and features, and suitable interconnections, leak detection, and isolation capabilities shall be provided to assure that for onsite electric power system operation (assuming offsite power is not available) and for offsite electric power system operation (assuming onsite power is not available) the system safety function can be accomplished, assuming a single failure. Criterion 45 – Inspection of cooling water system. The cooling water system shall be designed to permit appropriate periodic inspection of important components, such as heat exchangers and piping, to assure the integrity and capability of the system. Criterion 46 – Testing of cooling water system. The cooling water system shall be designed to permit appropriate periodic pressure and functional testing to assure (1) the structural and leaktight integrity of its components, (2) the operability and the performance of the active components of the system, and (3) the operability of the system as a whole and, under conditions as close to design as practical, the performance of the full operational sequence that brings the system into operation for reactor shutdown and for loss-of-coolant accidents, including operation of applicable portions of the protection system and the transfer between normal and emergency power sources.

351

A8-3-5. Reactor Containment Criterion 50 – Containment design basis. The reactor containment structure, including access openings, penetrations, and the containment heat removal system shall be designed so that the containment structure and its internal compartments can accommodate, without exceeding the design leakage rate and with sufficient margin, the calculated pressure and temperature conditions resulting from any loss-of-coolant accident. This margin shall reflect consideration of (1) the effects of potential energy sources which have not been included in the determination of the peak conditions, such as energy in steam generators and as required by x50.44 energy from metal-water and other chemical reactions that may result from degradation but not total failure of emergency core cooling functioning, (2) the limited experience and experimental data available for defining accident phenomena and containment responses, and (3) the conservatism of the calculational model and input parameters. Criterion 51 – Fracture prevention of containment pressure boundary. The reactor containment boundary shall be designed with sufficient margin to assure that under operating, maintenance, testing, and postulated accident conditions (1) its ferritic materials behave in a nonbrittle manner and (2) the probability of rapidly propagating fracture is minimized. The design shall reflect consideration of service temperatures and other conditions of the containment boundary material during operation, maintenance, testing, and postulated accident conditions, and the uncertainties in determining (1) material properties, (2) residual, steady state, and transient stresses, and (3) size of flaws. Criterion 52 – Capability for containment leakage rate testing. The reactor containment and other equipment which may be subjected to containment test conditions shall be designed so that periodic integrated leakage rate testing can be conducted at containment design pressure. Criterion 53 – Provisions for containment testing and inspection. The reactor containment shall be designed to permit (1) appropriate periodic inspection of all important areas, such as penetrations, (2) an appropriate surveillance program, and (3) periodic testing at containment design pressure of the leaktightness of penetrations which have resilient seals and expansion bellows.

352

Nuclear Safety

Criterion 54 – Piping systems penetrating containment. Piping systems penetrating primary reactor containment shall be provided with leak detection, isolation, and containment capabilities having redundancy, reliability, and performance capabilities which reflect the importance to safety of isolating these piping systems. Such piping systems shall be designed with a capability to test periodically the operability of the isolation valves and associated apparatus and to determine if valve leakage is within acceptable limits. Criterion 55 – Reactor coolant pressure boundary penetrating containment. Each line that is part of the reactor coolant pressure boundary and that penetrates primary reactor containment shall be provided with containment isolation valves as follows, unless it can be demonstrated that the containment isolation provisions for a specific class of lines, such as instrument lines, are acceptable on some other defined basis: (1) One locked closed isolation valve inside and one locked closed isolation valve outside containment; or (2) One automatic isolation valve inside and one locked closed isolation valve outside containment; or (3) One locked closed isolation valve inside and one automatic isolation valve outside containment. A simple check valve may not be used as the automatic isolation valve outside containment; or (4) One automatic isolation valve inside and one automatic isolation valve outside containment. A simple check valve may not be used as the automatic isolation valve outside containment. Isolation valves outside containment shall be located as close to containment as practical and upon loss of actuating power, automatic isolation valves shall be designed to take the position that provides greater safety. Other appropriate requirements to minimize the probability or consequences of an accidental rupture of these lines or of lines connected to them shall be provided as necessary to assure adequate safety. Determination of the appropriateness of these requirements, such as higher quality in design, fabrication, and testing, additional provisions for inservice inspection, protection against more severe natural phenomena, and additional isolation valves and containment, shall include consideration of the population density, use characteristics, and physical characteristics of the site environs.

Criterion 56 – Primary containment isolation. Each line that connects directly to the containment atmosphere and penetrates primary reactor containment shall be provided with containment isolation valves as follows, unless it can be demonstrated that the containment isolation provisions for a specific class of lines, such as instrument lines, are acceptable on some other defined basis: (1) One locked closed isolation valve inside and one locked closed isolation valve outside containment; or (2) One automatic isolation valve inside and one locked closed isolation valve outside containment; or (3) One locked closed isolation valve inside and one automatic isolation valve outside containment. A simple check valve may not be used as the automatic isolation valve outside containment; or (4) One automatic isolation valve inside and one automatic isolation valve outside containment. A simple check valve may not be used as the automatic isolation valve outside containment. Isolation valves outside containment shall be located as close to the containment as practical and upon loss of actuating power, automatic isolation valves shall be designed to take the position that provides greater safety. Criterion 57 – Closed system isolation valves. Each line that penetrates primary reactor containment and is neither part of the reactor coolant pressure boundary nor connected directly to the containment atmosphere shall have at least one containment isolation valve which shall be either automatic, or locked closed, or capable of remote manual operation. This valve shall be outside containment and located as close to the containment as practical. A simple check valve may not be used as the automatic isolation valve.

A8-3-6. Fuel and Radioactivity Control Criterion 60 – Control of releases of radioactive materials to the environment. The nuclear power unit design shall include means to control suitably the release of radioactive materials in gaseous and liquid effluents and to handle radioactive solid wastes produced during normal reactor operation, including anticipated operational occurrences. Sufficient holdup


capacity shall be provided for retention of gaseous and liquid effluents containing radioactive materials, particularly where unfavorable site environmental conditions can be expected to impose unusual operational limitations upon the release of such effluents to the environment. Criterion 61 – Fuel storage and handling and radioactivity control. The fuel storage and handling, radioactive waste, and other systems which may contain radioactivity shall be designed to assure adequate safety under normal and postulated accident conditions. These systems shall be designed (1) with a capability to permit appropriate periodic inspection and testing of components important to safety, (2) with suitable shielding for radiation protection, (3) with appropriate containment, confinement, and filtering systems, (4) with a residual heat removal capability having reliability and testability that reflects the importance to safety of decay heat and other residual heat removal, and (5) to prevent significant reduction in fuel storage coolant inventory under accident conditions. Criterion 62 – Prevention of criticality in fuel storage and handling. Criticality in the fuel storage and handling system shall be prevented by physical systems or processes, preferably by use of geometrically safe configurations. Criterion 63 – Monitoring fuel and waste storage. Appropriate systems shall be provided in fuel storage

353

and radioactive waste systems and associated handling areas (1) to detect conditions that may result in loss of residual heat removal capability and excessive radiation levels and (2) to initiate appropriate safety actions. Criterion 64 – Monitoring radioactivity releases. Means shall be provided for monitoring the reactor containment atmosphere, spaces containing components for recirculation of loss-of-coolant accident fluids, effluent discharge paths, and the plant environs for radioactivity that may be released from normal operations, including anticipated operational occurrences, and from postulated accidents. [36 FR 3256, Feb. 20, 1971, as amended at 36 FR 12733, July 7, 1971; 41 FR 6258, Feb. 12, 1976; 43 FR 50163, Oct. 27, 1978; 51 FR 12505, Apr. 11, 1986; 52 FR 41294, Oct. 27, 1987]

Notes 1 Further details relating to the type, size, and orientation of postulated breaks in specific components of the reactor coolant pressure boundary are under development. 2 Single failures of passive components in electric systems should be assumed in designing against a single failure. The conditions under which a single failure of a passive component in a fluid system should be considered in designing the system against a single failure are under development.


Appendix 9 IAEA criteria

Safety of nuclear power plant: Design – Requirements – Safety Standards Series No. NS-R-1, ISBN 92-0-101900-9). This appendix comprises the list of contents for the above IAEA document and is included to show an example of the contents of a modern set of Design Safety Criteria for Nuclear Plants. The complete document can be obtained from the IAEA or viewed at www.iaea.org. CONTENTS 1. INTRODUCTION Background (1.1) Objective (1.2–1.4) Scope (1.5–1.7) Structure (1.8) 2. SAFETY OBJECTIVES AND CONCEPTS Safety objectives (2.1–2.8) The concept of Defense in Depth (2.9–2.11) 3. REQUIREMENTS FOR MANAGEMENT OF SAFETY Responsibilities in management (3.1) Management of design (3.2–3.5) Proven engineering practices (3.6–3.8) Operational experience and safety research (3.9) Safety assessment (3.10–3.12) Independent verification of the safety assessment (3.13) Quality assurance (3.14–3.16) 4. PRINCIPAL TECHNICAL REQUIREMENT Requirements for Defense in Depth (4.1–4.4) Safety functions (4.5–4.7) Accident prevention and plant safety characteristics (4.8) Radiation protection and acceptance criteria (4.9–4.13)

5. REQUIREMENTS FOR PLANT DESIGN Safety classification (5.1–5.3) General design basis (5.4–5.31) Design for reliability of structures, systems and components (5.32–5.42) Provision for in-service testing, maintenance, repair, inspection and monitoring (5.43–5.44) Equipment qualification (5.45–5.46) Ageing (5.47) Human factors (5.48–5.56) Other design considerations (5.57–5.68) Safety analysis (5.69–5.73) 6. REQUIREMENTS FOR DESIGN OF PLANT SYSTEMS Reactor core and associated features (6.1–6.20) Reactor coolant system (6.21–6.42) Containment system (6.43–6.67) Instrumentation and control (6.68–6.86) Emergency control centre (6.87) Emergency power supply (6.88–6.89) Waste treatment and control systems (6.90–6.95) Fuel handling and storage systems (6.96–6.98) Radiation protection (6.99–6.106) APPENDIX I: POSTULATED INITIATING EVENTS APPENDIX II: REDUNDANCY, DIVERSITY AND INDEPENDENCE REFERENCES ANNEX: SAFETY FUNCTIONS FOR BOILING WATER REACTORS, PRESSURIZED WATER REACTORS AND PRESSURE TUBE REACTORS GLOSSARY CONTRIBUTORS TO DRAFTING AND REVIEW ADVISORY BODIES FOR THE ENDORSEMENT OF SAFETY STANDARDS 355


Appendix 10 Primary depressurization systems A10-1. Initial studies The importance of a voluntary primary depressurization system in a PWR has been stressed many times in this book. It is an absolute requirement in a BWR in order to cope with the loss of the main condenser, given the fact that steam release to the outside is excluded for the radioactivity content of the reactor water. A system of this type can have several configurations, but only one type (see Figure A10-1), the ‘Core Rescue System’ (CRS), which was greatly studied between 1980–85, is described here. This system was not only a primary depressurization system, as it also included a subsequent passive water injection function in the primary circuit (low pressure and small flow rate) for the long-term refrigeration of the core. The degree to which the CRS was incorporated into plants depended on how far a particular plant design had progressed, ranging from being an integral part of the design from initial conception to being ‘backfitted’. The system operation does not exploit gravity, which is the type to be preferred, and has been replaced, for the borated water injection (accumulators), by gas under pressure. In fact, where significant pressures are needed, gravity can only be employed on sites having a particular topography, as in the case of the SENA power station located inside a cavern in a hill (Chooz, Belgium). Figure A10-1 shows the functional scheme of a CRS where, for clarity, the necessary redundancies of components are not indicated. The principal system parts are (the dimensions refer to a Westinghouse 312 reactor of about 1000 MWe):

An automatic and manual primary system depressurization line which is connected to the pressurizer top and terminates in a mixture condenser.

The line has an equivalent flow area corresponding to a circular opening of 150 mm diameter. It ensures a quick chain reaction shutdown by void formation in the core and a reliable depressurization (that is protected from the effect of partial plugging) down to pressures lower than 1 MPa, even without any other primary water cooling system, in a time of minutes. A series of three compressed gas accumulators and borated water at low pressure (1.8 MPa, relative), each connected to one of the three cold legs of the primary system. The volume of each accumulator is of about 333 m3, 250 m3 of which are occupied by borated water at 2000 ppm boron. These accumulators are normally isolated from the primary system by non-return valves only, as for the intermediate pressure (4.2 MPa, relative) accumulators commonly installed in PWRs. The connection lines with the primary system are of small diameter (approximately 50 mm), sufficient to supply, in case of primary depressurization, a slow and durable injection of borated water (indicative duration in typical cases 10 hours). Borated water injection performs the double function of maintaining the reactor sub-critical in the long term and of refrigerating it by flooding and vaporization (feed and bleed). A mixture condenser of the indicative volume of about 1500 m3, of which 500 m3 are initially occupied by borated water at 2000 ppm boron and the rest by nitrogen. The function of this component is the collection of the fluid discharged by the primary system and the confinement of the fission products contained in it, the dissipation of its thermal energy to the outside environment and the formation of an additional reserve of water for the long-term cooling of the core, that is beyond the 10 hours (by natural or forced circulation, using the low power pumps, according to the 357

358

Nuclear Safety

CW ST

LO S

VB SV

T

EC N2

V

RPS 6" 2"

A

LPA CP

LD

A

5 cm

PR

P

18 ATA

L

M

T

M N RPV

–A: Air operated –CP: Containment pressure –CW: Containment wall –EC: Emergency condenser –L: Vessel water level –LO: Logics –LPA: Low pressure accumulators –M: Motor operated –N: Neutron flux

–P: –PR: –RPV: –S: –ST: –T: –V: –VB:

Pump Pressurizer Reactor pressure vessel Spray Spray tank Temperature Emergency condenser vault Vacuum breaker

Figure A10-1. Core rescue system.

elevation where the condenser is placed). The condenser should be a vessel of very simple shape (for ease of inspection), cooled from the outside by a gravity driven water spray and subsequent submersion. It is connected to the atmosphere of the reactor containment by safety valves and by

vacuum breakers. The design pressure is the same as that of the containment. The actuation of the external spray occurs by high temperature, 343 K (70 C) in the condenser or manually. The condenser is an easily coolable extension of the containment. It has to be noted that this

Appendix 10 Primary depressurization systems

component could also be omitted, discharging the primary fluid of the depressurization line directly into the containment. The drawback of this solution is, however, the contamination of the containment and the absence of a passive ‘heat sink’. Two of the many core danger conditions under which it is necessary to operate the system, that is to open the depressurization line, are:

The presence of a significant neutron flux together with a fast shutdown actuation signal (Anticipated Transient Without Scram (ATWS) case, that is a transient with the failure of the scram to operate). An excessive temperature of the fluid exiting the core or low water level in the vessel (a situation of dangerous overheating of the core). Indicatively the intervention thresholds to be chosen are: 613 K (340 C) and level below 66 per cent of the fuel element height. It is not believed that the value of these thresholds is very critical. It seems prudent, to further decrease the spurious actuation probability of the system, to envisage a delay of 50–200 s between attainment of an actuation threshold and opening of the depressurization valves. This allows the operators to intervene in cases of clearly erroneous demand for the intervention of the system and also corresponds to what is done in BWR automatic depressurization systems. It may also be useful to operate the system in other dangerous situations.

It has been proposed to automatically open the depressurization valves in case of very high pressure in the containment (e.g. two-thirds of the design pressure). This provision could be useful in case of small breaks in the primary system: the largest part of the efflux flow rate would in this way be diverted to the emergency condenser, stopping the pressure increase in the containment. Other situations where the operation of the CRS might be opportune, according to the specific design characteristics of the plant, are listed in Petrangeli (1985), Milella and Petrangeli (1983) and Petrangeli et al. (1993). The energy required to power the instrumentation and commands can be supplied by a small battery. The actuation energy of the valves may be supplied by small compressed air tanks in the same manner as for the safety-relief valves of many BWRs.

359

At the time, this system was studied in depth by DISP, ENEA, the University of Pisa and the ISPRA Research Centre to find its thermal-hydraulic effectiveness and the reduction of core melt probability which its adoption would have caused. The principal results of these studies are summarized in Petrangeli et al. (1993). The thermal-hydraulic effectiveness of the core cooling, even under extreme conditions, was amply proven. The possible reduction of the core melt probability was estimated to be of a factor of at least 10. The probabilistic analysis was submitted to Prof. Rasmussen for review and was approved by him. Other studies which also gave a positive result were made on peculiar effects of the system operation, such as the thermo-mechanical consequences of its spurious actuation on the reactor pressure vessel (Milella and Petrangeli, 1983). The CRS was not, however, adopted for the reactor then currently being designed in Italy (a Westinghouse 900 MWe plant chosen for the Unified Nuclear Design, PUN). The adoption of the system would have introduced expense and delay which were considered excessive. In any case, its adoption would have introduced an improvement in a plant already considered satisfactory. A system of the CRS type was adopted for a German-designed PWR and, ten years later, by Westinghouse for its advanced passive safety reactor AP 600. Figures A10-2 and A10-3, and Table A10-1 show three documents detailing the studies on the CRS. Figure A10-2 is reproduced from an article in Inside NRC, where the system was announced. Figure A10-3 contains the information which was given to CSNI in 1982. Table A10-1 is part of the US Advisory Committee for Reactor Safeguards (ACRS) answer to a communication containing the description of the system.

A10-2. Depressurization systems for modern design reactors The concept of primary depressurization systems for PWRs has become ever more popular with time. All modern plants, including the EPR (European Pressurized Reactor), incorporate an enhanced ‘feed and bleed’ function according to the conceptual lines

360

Nuclear Safety

Figure A10-2. Inside NRC article on CRS. (Courtesy of Peatts/McGraw-Hill.)


Figure A10-3. Annex to an ACRS (U.S.A.) letter.

361

362

Nuclear Safety

Table A10-1. Information to CSNI on the CRS Present views and trends at DISP (Italy) on LWR risk reduction (Information notes for CSNI, November 1982.) l. It is recognised that a public demand and expectation for a LWR risk reduction still exists in Italy as in many other countries. 2. Two ways in principle exist in order to pursue a risk reduction objective: – enhanced core melt prevention – mitigation of core melt consequences 3. Mitigation of consequences is a rather new undertaking and many years of intensive research and development effort are thought to be necessary in order to get a complete enough phenomenological knowledge for soundly based design activities and for significant risk reduction. Considerations like the following ones tend to support this view: – many uncertainties exist on phenomena related to core melt, as pointed out by research and design professionals; – the investment forecast on severe core damage research by national and international organisations is long lasting (e.g. inside NRC, May 3, 1982; CEC programs); – past experience indicates a progressive widening of the needed research as research work progresses (consider, for example, the research on ECCS performance after the end-of-1960s’ alarm); – the fact that engineering mitigation features as yet proposed are effective on a part only of the foreseeable containment damage scenarios. 4. Mitigation of core melt consequences doesn’t prevent plant extensive contamination and subsequent occupational health and economic burdens. 5. It is believed that a significant potential of risk reduction still exists in the enhancement of core melt prevention by a more attentive use of proven components; exploitation of this potential is at hand now and should be pursued at least in an interim period of time, while knowledge on core melt mitigation makes sufficient progress. 6. It is believed that the most effective way to effect core melt prevention has to be based on: – the recognition that core integrity can be preserved, despite the wide variety of possible plant accident sequences, by two provisions only: core shutdown and core submersion by boiling water; – the adoption of simple, reliable, passive, direct safety systems as those currently accepted for the prevention against other industrial age common dangers (e.g. fire protection means, transportation vehicle emergency arrest, overpressure protection of industrial and family devices). 7. System concepts which satisfy the above listed criteria have been developed in the last two years and are now undergoing final verification at DISP for use on future PWRs (see Annex for a brief description). It can now be evaluated that their adoption may originate a nuclear plant at least ten times safer than most of the current designs. 8. Further information on these systems will be offered to interested national and international organisations as soon as the verification work progresses, in order to share knowledge and to seek for cooperation. ANNEX SSN þ systems for PWRs: a brief description 1. Main components: – primary system automatic depressurisation line through adequately sized relief valve(s) – low-pressure accumulators for borated water injection lasting about ten hours – spray and submersion cooled direct-contact condenser for heat transmission to the environment – connections for fire-fighting corps mobile pumps and augmented borated water preparation devices for long-term water injection in the primary system (plus additional recirculation means from the direct-contact condenser) 2. Actuating signals: – high core fluid temperature – failed scram (coincidence of significant neutron flux with presence of a scram signal) – (low vessel water level or high-high containment pressure to be considered as possible future developments). 3. Functions: – core shutdown (void formation and boron injection) and core cooling (boiling and bleed) by passive and direct means for at least ten hours in case of any of the dominant core melt sequences of risk studies – core cooling by readily and widely available means in the long term. 4. Possible further developments: – pressurised thermal shock prevention – prevention of radioactivity release from steam generator safety/relief valves Continued


363

Table A10-1. Continued Present views and trends at DISP (Italy) on LWR risk reduction (Information notes for CSNI, November 1982.) – prevention of containment contamination by quench tank overflow – simplification or elimination of high pressure safety injection systems and of other cooling systems against external events – extension of the concept to BWRs – use of further passive components 4. Work in progress and possible future activities: – first conceptual design and PRA on risk reduction have been completed and independently reviewed by Prof. Rasmussen. – thermal-hydraulic refined verification are in progress Future possible actions: – further independent PRA – completion of thermal-hydraulic refined verifications and feedback on conceptual design – implementation design work by utility and industry. References – IAEA-Conference, Stockholm Oct.80, Paper CN 39/52 – Report ENEA RT/DISP(82)1 þ Acronym for ‘Sistema di Salvataggio del Nocciolo’, meaning ‘Core Rescue System’. Information to CSNI November ‘82 DISP - Italy

of the depressurization system. Some designs, like AP 600, also have an enhanced depressurization/injection function with a higher injection flow rate than the above described CRS, with the aim of allowing coolant injection into the core by gravity and not by nitrogen accumulator pressure. Voluntary primary depressurization has also been considered as the best means to stop possible Direct Containment Heating (DCH) and to eliminate severe accident sequences with a vessel at high pressure.

References Petrangeli, G. (1985) ‘More intrinsically safe and simplified light water reactors’, RTI – DISP (85), DISP/ENEA. Milella, P. and Petrangeli, G. (1983) ‘Thermo-mechanical effects of a postulated spurious actuation of a core rescue system’, RT/DISP(83)5, DISP/ENEA. Petrangeli, G., Tononi, R., D’Auria, F. and Mazzini, M. (1993) ‘The SSN: An emergency system based on intentional coolant depressurization for PWRs’, Nuclear Engineering and Design, pp. 25–54.


Appendix 11 Thermal-hydraulic transients of the primary system

A11-1. General remarks This appendix details a simple calculation program that allows the rough evaluation of transients and accidents in the primary system of a PWR. It can however be adapted to other types of water reactors. As noted at the beginning of Appendix 2, here also, for historical reasons, some units of measurement are not those of the Standard International System. The aim of this program is to evaluate the general trend of the parameters which influence the reactor cooling and heat dissipation to the environment in a large number of incident/accident situations. The emphasis has, therefore, been put on the flexibility and speed of the tool more than on its precision and on its degree of detail. Given the limited and specific objective of the program, a (substantially) single volume primary system scheme has been adopted. The file PRIMARYSYSTEM (which can be downloaded from the companion website) shows the simulated components. The reactor pressure vessel and pressurizer are shown as separate components, while in the program they are part of a single calculation volume. This program has been useful in preliminary sizing safety systems during the design phase and in the quick verification of them during safety reviews. This program was first developed (Petrangeli, 1983; Petrangeli et al., 1993) for the study of a new safety system (the CRS described in Appendix 10) based on the voluntary depressurization of the primary system and on the passive injection (by accumulators under pressure) of cooling water. This basic concept has been subsequently applied to various reactor designs. Calculation tools of this kind are very useful to the designer or to the overall system analyst (even if they leave the true specialists of the branch rather puzzled), as they allow the study of many cases and for transient times as long as are desired. It has been observed, with reference to the Three Mile Island accident, that if the time length of the calculated transients had been prolonged beyond the intervention time of the safety systems, the adopted thermal-hydraulic codes (RELAP and so on) could have shown the danger of getting to a situation where the pressurizer is substantially full of liquid while the reactor vessel is nearly empty. As it is known, this situation may cause the operators to erroneously think that all of the primary system is full and therefore make them shut off the safety injection systems. In fact, the calculations performed were stopped precisely at the moment of their intervention. This practice concerning the duration of the calculations was and is motivated by economic reasons. Unfortunately, the program described here would not have been adequate in the Three Mile Island situation as it is too simple (one volume only). The concept, however, that powerful and complex calculation programs must be accompanied by more simply usable tools has a general validity.

365

366

Nuclear Safety

A11-2. General program characteristics Saturation conditions are assumed in the primary system and, therefore, the initial phase of the pressurizer voiding during an accident cannot be simulated. This phase is not of great interest for the prevention of severe core damage which remains the field of deepest interest in the context for which the program has been written. The principal analytical instruments are the mass and energy conservation equations. The heat supplied to the primary system is principally the core decay heat, set equal to the one given by the ANS curve minus 5 per cent, according to a suggestion by Tong (1982) intended to originate better approximation evaluations (best estimates) as opposed to very conservative evaluations. This curve can be multiplied by a factor higher than one, foreseen by the program (KQD factor) in order to obtain conservative results, even if less similar to reality. (See Table A2-2.) The heat exchanged (in either direction) by the primary system with the steam generators during the accident can be simulated by a term decreasing from a given value at an initial time down to zero at a given subsequent time. This term may simulate, for example, the heat absorbed by the residual water of the secondary side of the steam generators after a stop of the feedwater flow. The loss of water from the primary system can be simulated by an efflux from a depressurization system and from a hypothetical break in the primary system itself. The efflux can be of a liquid, homogeneous mixture or steam, as chosen by the user. The pressure transients in the accumulators are simulated as isothermal transformations. The water injection by an ECCS system can be simulated. The simplicity of the program is responsible for the possibility of interrupting a calculation and of easily resuming it using different input data (e.g. if one wants to change the ECCS flow rate from a certain time on).

A11-3. Program description The program is based on a MicrosoftÕ ExcelÕ 97 spreadsheet which includes some Visual BasicÕ for Applications macros. Macro SP is used for the general control, which when needed calls the other 14 subroutines.

A11-3-1. Macro Stampa dati This prints the input data of the case under study. These are entered by the user into cells A2:H11. These cells are subsequently used by the program as a set of service cells, with their content being varied at any program step. Therefore, at the end of the run, the numbers contained in the cells refer to the values corresponding to the last step. ’ STAMPA_DATI Macro ’ Macro registrata il 03/11/2001 da Petrangeli Gianni Range(‘‘A31:H41’’).Select Selection.PrintOut Copies:=1 Application.CommandBars(‘‘Stop Recording’’).Visible = False Range(‘‘J16’’).Select Application.Goto Reference:=‘‘STAMPA_DATI’’ Application.WindowState = xlMinimized Application.WindowState = xlNormal Application.Goto Reference:=‘‘STAMPA_DATI’’ Range(‘‘A27’’).Select


367

ChDir ‘‘C:\SP’’ ActiveWorkbook.SaveAs FileName:=‘‘C:\SP\SP.xls’’,FileFormat:=xlNormal, _ Password:=‘‘’’, WriteResPassword:=‘‘’’, ReadOnlyRecommended:=False, _ CreateBackup:=False End Sub The reference cells, containing initial data and the service ones for the calculation of each step are the following: PROGRAM ‘‘PS’’: INPUT DATA AND LAST STEP DATA: Vp (m3) ¼ Vab (m3) ¼

463.3 463.3

DP1 (s) ¼

2

P (MWt) ¼ GS (kg/s) ¼ QS (Cal/s) ¼

2871.3 0 0

TU0 (s) ¼ FL1 ¼ TU0 (s) ¼ P0 (kg/cm2) ¼

600 0 6114.141 70

P1 (kg/cm2) ¼] 70

4/11(2)

VAT1 (m3) ¼ VAT2 (m3) ¼ PA1 (kg/cm2) ¼ DP2 (s) ¼ KA1 (kg/cm2 s) ¼ KQD ¼ TU1GS (s) ¼ TU1QS (s) ¼

118 1012 40 0.2 711 1.45 600 0

VA1 (m3) ¼ VA2 (m3) ¼ PA2 (kg/cm2) ¼ As (cm2) ¼ KA2 (kg/cm2 s) ¼

0 675 15 0 12

TU2GS (s) ¼ TU2QS (s) ¼

6000 0

TUF (s) ¼ FL2 ¼ TU1 (s) ¼ VF (m3/kg) ¼ VFG (m3/kg) ¼ HF (Cal/kg) ¼ HFG (Cal/kg) ¼

6000 0 6114,141 0.0013531 0.0257476 303.48877 358.47058

GUS (kg/s) ¼ GE (kg/s) ¼ QS (Cal/s) ¼ VF1 ¼ VFG1 ¼ HF1 ¼ HFG1 ¼

0 GUB (kg/s) ¼ 0 GA1 (kg/s) ¼ 0 1132.76 0.0013468 x1 ¼ 0.0266207 301.0671 361.50553

DT (s) ¼

Mp (kg) ¼ P0 (kg/cm2) ¼ P1 (kg/m2) ¼ Ab (cm2) ¼ HA (Cal/kg) ¼

79519.2974 94 27.9 49

TU1 ¼

x¼

0.1525122

HS (Cal/kg) ¼ HB (Cal/kg) ¼

661.95934 661.95934 30.93552 GA2 (kg/s) ¼ DT (s) ¼ 265.96065 0.1682713 Mp1 (kg) ¼

301269.55 79519.2974

Symbols Ab, area of break in primary system (cm2) As, equivalent efflux area of the depressurization line (cm2) A1 A2, Accumulators, respectively at intermediate (40 bar) and low (15–20 bar) pressure CRS, Core Rescue System DP1 DP2, variation of the pressure in single step, respectively high (5 bar) and low (15–20 bar) DT, time increment in the generic step (s) ECCS, Emergency Core Cooling System FL1 FL2, service command ‘flags’ for the calculation of the efflux from CRS system (depressurization) and from break G, mass flow rate (kg s 1 or kg cm 2 s 1) GA1 GA2, efflux flow rate from accumulators A1 and A2, respectively (kg s 1) GE, inlet flow rate in the primary system (accumulators þ ECCS) (kg s 1) GS, efflux flow rate of ECCS (kg s 1) GUB, efflux flow rate from assumed break (kg s 1)

368

Nuclear Safety

GUS, efflux from depressurization system (CRS) (kg s 1) HA, enthalpy of the water delivered by accumulators and by ECCS (Cal kg 1) KA1 KA2, efflux coefficients from accumulators A1 and A2, respectively (kg cm2 s 1) KQD, decay power multiplier (¼1.05 for ANS curve) Mp, mass of water in the primary system (liquid þ steam) (kg) P, pressure (kg cm 2) PA1 PA2, A1 and A2 accumulator pressure, respectively (kg cm 2) VA1 VA2, water volume in accumulators A1 and A2, respectively (m3) VAT1 VAT2, total volume in accumulators A1 and A2, respectively (m3) Vab, portion of primary volume below break (m3) Vp, primary system volume (m3) x, x1, average steam quality in the primary system at start and end of step TU1, end time of step (s) TU1GS TU2GS, start and stop time, respectively, for ECCS system (s) TU1QS TU2QS, start and stop time, respectively, for the steam generator heat release or absorption (s) TU0 TUF, start and stop time, respectively, of the calculated transient (s)

11-3-2. Macro Copia_dati This copies the initial data in cells A31:H41 so that they may be kept until the end of the calculation in order to allow the user to evaluate the results. COPIA_DATI() ’ ’ COPIA_DATI Macro ’ Macro registrata il 03/11/2001 da Petrangeli Gianni ’ ’ Range(‘‘A2:H11’’).Select Selection.Copy Range(‘‘A32’’).Select ActiveSheet.Paste Range(‘‘$a$31’’) = ‘‘DATI DI INGRESSO’’ Range(‘‘$a$43’’) = ‘‘RISULTATI DEI PASSI’’ End Sub

11-3-3. Macro HF This evaluates at each step the specific enthalpy of the primary liquid as a function of the initial pressure of the step. Equation A11.1, the approximate formula has been taken from (Santarossa G. et al., 1976) (as have the subsequent properties of the cooling fluid). HF ¼

964:3845p3 þ 188946:5p2 þ 2470981p þ 1649689 , p3 þ 665:0797p2 þ 16075:48p þ 26716:57

ðA11:1Þ

where HF is the specific enthalpy of the liquid water (Cal kg 1) and p is the primary pressure at the start of the step (kg cm 2).


369

As an example, for a pressure of 70 kg cm 2, Equation A11.1 gives a value of 301.1 (Cal kg 1) compared with a handbook value of 298 (Cal kg 1). Sub HF() ’ ’ HF Macro ’ Macro registrata il 30/10/2001 da Petrangeli Gianni ’ ’ Range(‘‘$d$17’’) = (964.3845 * Range(‘‘$b$15’’) ^ 3 + 188946.5 * Range(‘‘$b$15’’) ^ 2 + 2470981 * Range(‘‘$b$15’’) + 1649689)/(Range(‘‘$b$15’’) ^ 3 + 665.0797 * Range(‘‘$b$15’’) ^ 2 + 16075.48 * Range(‘‘$b$15’’) + 26716.57) Range(‘‘F18’’).Select End Sub

11-3-4. Macro HFG This evaluates the enthalpy of vaporization at the start of the step with the same units as macro HF using Equation A11.2. 231973:9p3 þ 5:284174 107 p2 þ 1:191874 109 p þ 1:575882 109 HFG ¼ p4 þ 82:67094p3 þ 126285:4p2 þ 2315288p þ 2785184

ðA11:2Þ

As an example, for a pressure of 70 (kg cm 2), Equation A11.2 gives a value of 361.5 (Cal kg 1) compared with a handbook value of 357.3 (Cal kg 1). HFG Macro ’ Macro registrata il 30/10/2001 da Petrangeli Gianni Range(‘‘$d$18’’) = (231973.9 * Range(‘‘$b$15’’) ^ 3 - 52841740 * Range(‘‘$b$15’’) ^ 2 - 1191874000 * Range(‘‘$b$15’’) - 1575882000)/ (Range(‘‘$b$15’’) ^ 4 + 82.67094 * Range(‘‘$b$15’’) ^ 3 - 126285.4 * Range(‘‘$b$15’’) ^ 2 - 2315288 * Range(‘‘$b$15’’) - 2785184) Range(‘‘H17’’).Select End Sub

11-3-5. Macro VF This evaluates the specific volume of the liquid at the start of the step (Equation A11.3). 9:165659 10 4 p3 þ 4:159937 10 1 p2 þ 35:05628p þ 120:077 , VF ¼ p3 þ 251:462p2 þ 31207:36p þ 117706:3

ðA11:3Þ

where VF is the specific volume (m3 kg 1). For 70 (kg cm 2), Equation A11.3 gives 0.001 35 (m3 kg 1) which is equal to the table value. Sub VF() Range(‘‘$D$15’’) = (0.0009165659 * Range(‘‘$b$15’’) ^ 3 - 0.4159937 * Range(‘‘$b$15’’) ^ 2 - 35.05628 * Range(‘‘$b$15’’’’) - 120.077)/(Range(‘‘$b$15’’) ^ 3 - 251.462 * Range(‘‘$b$15’’) ^ 2 - 31207.36 * Range(‘‘$b$15’’) - 117706.3) End Sub

370

Nuclear Safety

11-3-6. Macro VFG This evaluates the differential specific volume of steam–liquid (m3 kg 1) at the start of the step using Equation A11.4). VFG ¼

2:309098 10 3 p4 þ 4:162979p3 þ 857:4263p2 þ 14867:06p þ 3998:127 p4 þ 381:89p3 þ 7810:05p2 þ 3776:419p þ 529:4787

ðA11:4Þ

For 70 (kg cm 2), Equation A11.4 gives 0.027 (m3 kg 1) compared with a table value of 0.026 (m3 kg 1). Four more macros calculate by identical formulae the values of HF1, HFG1, VF1 and VFG1 for the thermo-dynamic properties of the pressure at the end of the step. Sub VFG() ’ ’ VFG Macro ’ Macro registrata il 30/10/2001 da Petrangeli Gianni Range(‘‘$d$16’’) = (-0.002309098 * Range(‘‘$b$15’’) ^ 4 + 4.162979 * Range(‘‘$b$15’’) ^ 3 - 857.4263 * Range(‘‘$b$15’’) ^ 2 - 14867.06 * Range(‘‘$b$15’’) - 3998.127)/(Range(‘‘$b$15’’) ^ 4 - 381.89 * Range(‘‘$b$15’’) ^ 3 - 7810.05 * Range(‘‘$b$15’’) ^ 2 - 3776.419 * Range(‘‘$b$15’’) + 529.4787) End Sub

11-3-7. Macro QS This calculates the heat supplied to the primary system or released by it from/to sources other than the core (typically to the steam generator) using Equation A11.5. QS ¼ 1

TU0 TU1QS , TU2QS TU1QS

ðA11:5Þ

where QS is the maximum thermal power exchanged at the instant TU1QS (s), TU1QS and TU2QS are the times (s) of the start and end of the heat exchange, respectively, and TU0 is the initial time of the step (s). QS() Rem Calcola il calore aggiunto da sorgenti diverse dal nocciolo, come ad esempio i generatori di vapore If Range(‘‘$d$9’’) < Range(‘‘$b$14’’) Then If Range(‘‘$f$9’’) > Range(‘‘b$14’’) Then Range(‘‘$d$22’’) = (1 - ((Range(‘‘$b$14’’) - Range(‘‘$d$9’’))/(Range(‘‘$f$9’’) Range(‘‘$d$9’’)))) * Range(‘‘$B$9’’) Else Range(‘‘$d$22’’) = 0 End If End If End Sub

11-3-8. Macro GU This calculates the weight flow rate which exits from the depressurization line and which exits through an assumed break. According to the liquid level in the primary calculated by the program, the efflux is liquid


371

or non-liquid. In the latter case, it is of steam or of a homogeneous mixture with quality equal to the average one of the primary system according to a choice made by the user as an input datum to the calculation: the parameters FL1 and FL2, refer to the depressurization and to the break, respectively, and are set equal to 0 for steam efflux and to 1 for two-phase efflux. The formulae used for the various cases are: G ¼ ð1:54 10 2 Þp A ðsteamÞ

ðA11:6Þ

G ¼ p1=3 A ðliquidÞ

ðA11:7Þ

G ¼ ðp1=3 1

0:02 X HFGÞ A ðtwo phasesÞ

ðA11:8Þ

2

where G is the weight flow rate (kg s ), p is the primary pressure (kg cm ), A is the efflux area (cm2), X is the average primary steam quality and HFG is the vaporization heat of the water at the primary pressure (Cal kg 1). It is assumed that the opening for the primary depressurization is located on top of the pressurizer (i.e. at the highest point of the system) so liquid efflux will occur only if the program detects a situation where the water volume in the primary system is equal to or higher than the volume of the primary itself. As far as the break is concerned, its location is defined at the start (among the input data) by the volume of the primary system below it and therefore liquid efflux occurs only if the water volume is higher than this given volume. Sub GU() If (Range(‘‘d$15’’) * Range(‘‘$h$2’’)) > Range(‘‘b$2’’) Then Range(‘‘$d$20’’) = Range(‘‘$b$15’’) ^ (1/3) * Range(‘‘$f$5’’) Range(‘‘$f$17’’) = Range(‘‘$d$17’’) Else If Range(‘‘$b$11’’) = 0 Then Range(‘‘$d$20’’) = 0.0154 * Range(‘‘$b$15’’) * Range(‘‘$f$5’’) Range(‘‘$f$17’’) = Range(‘‘$d$17’’) + Range(‘‘$D$18’’) Else Range(‘‘$D$20’’) = (Range(‘‘$b$15’’) ^ (1/3) - 0.02 * Range(‘‘$f$15’’) * Range(‘‘$d$18’’)) * Range(‘‘$f$5’’) Range(‘‘$f$17’’) = Range(‘‘$d$17’’) + Range(‘‘f$15’’) * Range(‘‘$f$18’’) End If End If If (Range(‘‘$d$15’’) * Range(‘‘$h$2’’)) > Range(‘‘$b$3’’) Then Range(‘‘$f$20’’) = Range(‘‘$b$15’’) ^ (1/3) * Range(‘‘$h$5’’) Range(‘‘$f$18’’) = Range(‘‘$d$17’’) Else If Range(‘‘$d$11’’) = 0 Then Range(‘‘$f$20’’) = 0.0154 * Range(‘‘$b$15’’) * Range(‘‘$h$5’’) Range(‘‘$f$18’’) = Range(‘‘$d$17’’) + Range(‘‘$d$18’’) Else Range(‘‘f$20’’) = (Range(‘‘$b$15’’) ^ (1/3) - 0.02 * Range(‘‘$f$15’’) * Range(‘‘$d$18’’)) * Range(‘‘$h$5’’)

372

Nuclear Safety

Range(‘‘$f$18’’) = Range(‘‘$d$17’’) + Range(‘‘f$15’’) * Range(‘‘$d$18’’) End If End If End Sub

11-3-9. Macro GE This evaluates the liquid flow rate entering the primary system using Equation A11.9. It is composed of the efflux of the two series of accumulators (intermediate and low pressure) whose characteristics are specified in the input data and by the efflux of an injection safety system (ECCS), operating between two given times (TU1GS and TU2GS) for a given flow rate GS. 1 G ¼ K p , 2

ðA11:9Þ

where G is the weight flow rate (kg s 1), K is the efflux coefficient (kg5cm s 1) and p is the pressure difference between accumulators and primary system (kg cm 2). The program sets the efflux from each series of accumulators to zero when their pressure is lower than the primary one and when the water volume in them is zero. Sub GE() Rem calcola la portata entrante nel primario durante il passo (accumulatori 1 e 2 ed ECCS) Rem Qui si calcola la portata uscente dagli accum. A1 If Range(‘‘$d$4’’) > Range(‘‘$b$15’’) Then If Range(‘‘$f$2’’) > 0 Then Range(‘‘$d$21’’) = (Range(‘‘$d$4’’) - Range(‘‘$b$15’’)) ^ 0.5 * Range(‘‘$d$6’’) Range(‘‘$f$21’’) = Range(‘‘$D$21’’) Else Range(‘‘$d$21’’) = 0 Range(‘‘$f$21’’) = Range(‘‘$D$21’’) End If End If Rem Qui si calcola la portata uscente dagli accum. A2 If Range(‘‘$f$4’’) > Range(‘‘$b$15’’) Then If Range(‘‘$f$3’’) > 0 Then Range(‘‘$d$21’’) = Range(‘‘$d$21’’) + (Range(‘‘$f$4’’) - Range(‘‘$b$15’’)) ^ 0.5 * Range(‘‘$f$6’’) Range(‘‘$h$21’’) = Range(‘‘$d$21’’) - Range(‘‘$f$21’’) Else Range(‘‘$h$21’’) = 0 End If End If Rem Qui si aggiunge la portata GS degli ECCS If Range(‘‘$d$8’’) < Range(‘‘$b$14’’) Then If Range(‘‘$b$14’’) < Range(‘‘$f$8’’) Then Range(‘‘$d$21’’) = Range(‘‘$d$21’’) + Range(‘‘$b$8’’) End If End If End Sub


373

11-3-10. Macro DT This calculates the time, DT, necessary to cover the given pressure interval (DP1 or DP2) and essentially includes the mass and energy conservation equations in a finite differences form: Mp1 H1 Mp0 H0 J Vp(P1 P0) ¼ DT(Q þ GE HE GU HU) Mp1¼Mp0 þ (GE GU) DT Where Mp is the primary fluid mass (kg), H is the enthalpy of the primary fluid (Cal kg 1), J is the mechanical equivalent of the Calorie, Vp is the primary volume (m3), P is the primary pressure (kg cm 2), Q is the heat supplied to the primary system or released by it (Cal), GE is the entering flow rate (kg s 1), GU is the exiting flow rate (kg s 1) and 0 and 1 are the indexes for the start and end of the step, respectively. The interval DT for each step is given by Equation A11.10.

M0 HF1

HFG1 HFG0 VF1 þ VF0 VFG1 VFG0

DT ¼ HFG1 ð239 P Kqd 0:124 TU0 0:283 Þ þ Ge Ha HF1 þ VF1 VFG1

, HFG1 HFG0 23:4ðP1 P0Þ þVp VFG1 VFG0

HFG1 HFG1 Gus Hus HF1 þ VF1 Gub Hub HF1 þ VF1 þ Qs VFG1 VFG1 HF0

ðA11:10Þ

where Kqd is the coefficient for the decay heat described in Section A11-2, P is the reactor thermal power (MWth) and Gus and Gub are the flow rate going out from the depressurization system and from the break (kg s 1), respectively. The other symbols have been defined earlier. Sub DT() Range(‘‘$h$22’’) = (Range(‘‘$h$2’’) * (Range(‘‘$d$25’’) Range(‘‘$d$17’’) Range(‘‘$d$23’’) * (Range(‘‘$d$26’’)/Range(‘‘$d$24’’)) + Range(‘‘$d$15’’) * (Range(‘‘$d$18’’)/Range(‘‘$d$16’’))) + Range(‘‘$b$2’’) * (Range(‘‘$d$26’’)/ Range(‘‘$d$24’’) Range(‘‘$d$18’’)/Range(‘‘$d$16’’) 23.4 * (Range(‘‘$b$23’’) Range(‘‘$b$15’’)))) Range(‘‘$e$22’’) = (239 * Range(‘‘$b$7’’) * Range(‘‘$d$7’’) * 0.124 * Range(‘‘$b$14’’) ^ ( 0.283) + Range(‘‘$d$21’’) * (Range(‘‘$h$6’’) Range(‘‘$d$25’’) + Range(‘‘$d$23’’) * (Range(‘‘$d$26’’)/Range(‘‘$d$24’’))) Range(‘‘$d$20’’) * (Range(‘‘$f$17’’) Range(‘‘$d$25’’) + Range(‘‘$d$23’’) * (Range(‘‘$d$26’’)/Range(‘‘$d$24’’))) Range(‘‘$f$20’’) * (Range(‘‘$f$18’’) Range(‘‘$d$25’’) + Range(‘‘$d$23’’) * (Range(‘‘$d$26’’)/Range(‘‘$d$24’’))) + Range(‘‘$d$22’’)) Range(‘‘$g$22’’) = Range(‘‘$h$22’’)/Range(‘‘$e$22’’) End Sub

11-3-11. Macro PS This is the general program which connects together all the other subroutines. It initially calls the subroutine Stampa Dati which produces a paper copy of the input data supplied by the user. The subroutine Copia Dati copies these data to the spreadsheet. Subsequently, it chooses the pressure interval between the two given

374

Nuclear Safety

values DP1 and DP2 (usually smaller). At the start, DP1 is chosen, then a series of conditions are inserted in the program which implement the following:

The shortest step is chosen if the time interval resulting from the calculation of the step is too long to guarantee the required precision, that is longer than 1000 s (the case for slowly varying pressure). It may happen that even with the shorter step, the time interval is longer than 1000 s and in these conditions, the calculation is repeated using an even shorter DP2. A negative pressure step is chosen if the calculated time interval is negative (in the case of an inversion in the pressure trend).

Then the program calculates all the quantities necessary to find DT using the various subroutines and finally it calculates DT. If it is not necessary to repeat the step in order to change the chosen DP. The program writes the results of the step in the spreadsheet and, having put the input data for the subsequent step in cells A2:H6, it runs the following. Sub SP() Call COPIA_DATI Call STAMPA_DATI Range(‘‘$a$14’’) = ‘‘TU0[s]=’’ Range(‘‘$a$15’’) = ‘‘P0[Kg/cm2]=’’ Range(‘‘$c$14’’) = ‘‘TU1[s]=’’ Range(‘‘$c$15’’) = ‘‘VF[m3/Kg]=’’ Range(‘‘$e$15’’) = ‘‘x=’’ Range(‘‘$c$16’’) = ‘‘VFG[m3/Kg]=’’ Range(‘‘$c$17’’) = ‘‘HF[KL/Kg]=’’ Range(‘‘$e$17’’) = ‘‘HS[Kl/Kg]=’’ Range(‘‘$c$18’’) = ‘‘HFG[KL/Kg]=’’ Range(‘‘$e$18’’) = ‘‘HB[KL/Kg]=’’ Range(‘‘$c$20’’) = ‘‘GUS[Kg/s]=’’ Range(‘‘$e$20’’) = ‘‘GUB[Kg/s]=’’ Range(‘‘$c$21’’) = ‘‘GE[Kg/s]=’’ Range(‘‘$e$21’’) = ‘‘GA1[Kg/s]=’’ Range(‘‘$g$21’’) = ‘‘GA2[Kg/s]=’’ Range(‘‘$c$22’’) = ‘‘QS[KL/s]=’’ Range(‘‘$f$22’’) = ‘‘DT[s]=’’ Range(‘‘$a$23’’) = ‘‘P1[Kg/cm2]’’ Range(‘‘$c$23’’) = ‘‘VF1=’’ Range(‘‘$e$23’’) = ‘‘x1=’’ Range(‘‘$g$23’’) = ‘‘Mp1[Kg]=’’ Range(‘‘$c$24’’) = ‘‘VFG1=’’ Range(‘‘$c$25’’) = ‘‘HF1=’’ Range(‘‘$c$26’’) = ‘‘HFG1=’’ Range(‘‘$a$59957’’) = Range(‘‘$b$10’’) Range(‘‘$b$59957’’) = Range(‘‘$h$3’’) Range(‘‘$c$59957’’) = Range(‘‘$h$2’’) co = 0 Rem impostazione pressione iniziale e tempo iniziale Range(‘‘$b$14’’) = Range(‘‘$b$10’’) Range(‘‘$d$14’’) = Range(‘‘$b$10’’)


Range(‘‘$b$15’’) = Range(‘‘$h$3’’) Rem inizia il loop principale Do While Range(‘‘$b$14’’) < Range(‘‘$d$10’’) Rem calcolo pressione finale del passo a passo lungo Range(‘‘$b$23’’) = Range(‘‘$b$15’’) - Range(‘‘$b$5’’) GoTo Fine_ciclo_a_passo_temporale_lungo Rem label per cambiare passo Passo_temporale_breve: Range(‘‘$b$23’’) = Range(‘‘b$15’’) - Range(‘‘$d$5’’) Rem fine del passo temporale breve Fine_ciclo_a_passo_temporale_lungo: Call VF Call VF1 Call VFG Call VFG1 Call HF Call Modulo6.HF1 Call HFG Call HFG1 Call GU Call GE Call QS Call DT If Range(‘‘$g$22’’) < 0 Then Range(‘‘$d$5’’) = -Range(‘‘d$5’’) Range(‘‘b$5’’) = -Range(‘‘b$5’’) GoTo Passo_temporale_breve Else End If Rem scrive TU1 in d14 Range(‘‘$d$14’’) = Range(‘‘d$14’’) + Range(‘‘$g$22’’) Rem xo Range(‘‘$f$15’’) = (Range(‘‘$b$2’’)/Range(‘‘$h$2’’) Range(‘‘$d$16’’)

-

375

Range(‘‘$d$15’’))/

Rem si calcola Mp1 e si colloca anche come Mp del passo successivo Range(‘‘$h$23’’) = (Range(‘‘$d$21’’) - Range(‘‘$d$20’’) - Range(‘‘$f$20’’)) * Range(‘‘$g$22’’) + Range(‘‘$h$2’’) Range(‘‘$h$2’’) = Range(‘‘$h$23’’) Rem x1 Range(‘‘$f$23’’) = (Range(‘‘$b$2’’)/Range(‘‘$h$2’’) - Range(‘‘$d$23’’))/ Range(‘‘$d$24’’) Range(‘‘h’’ & ((co + 1) * 12 + 32)) = Range(‘‘h2’’) Range(‘‘g’’ & ((co + 1) * 12 + 32)) = "Mp[Kg]=" Rem Si calcola PA1 del passo successivo e si sostituisce al precedente valore Range(‘‘$d$4’’) = Range(‘‘$d$4’’) * (Range(‘‘$d$2’’) - Range(‘‘$f$2’’))/ (Range(‘‘$f$21’’)/1000 + (Range(‘‘$d$2’’) - Range(‘‘$f$2’’))) Range(‘‘d’’ & ((co + 1) * 12 + 34)) = Range(‘‘$d$4’’)

376

Nuclear Safety

Range(‘‘c’’ & ((co + 1) * 12 + 34)) = ‘‘PA1[Kg/cm2]=’’ Rem Si calcola PA2 del passo successivo e si sostituisce al precedente valore Range(‘‘$f$4’’) = Range(‘‘$f$4’’) * (Range(‘‘$d$3’’) - Range(‘‘$f$3’’))/ (Range(‘‘$h$21’’)/1000 + (Range(‘‘$d$3’’) - Range(‘‘$f$3’’))) Range(‘‘f’’ & ((co + 1) * 12 + 34)) = Range(‘‘$f$4’’) Range(‘‘$e’’ & ((co + 1) * 12 + 34)) = ‘‘PA2[Kg/cm2]=’’ Rem Si calcola VA1 e si fa il test ‘‘pieno-vuoto’’ Range(‘‘$F$2’’) = Range(‘‘$f$2’’) - (Range(‘‘$f$21’’) * Range(‘‘$g$22’’))/1000 If Range(‘‘$f$2’’) > 0 Then Range(‘‘$f$2’’) = Range(‘‘$f$2’’) Else Range(‘‘$f$2’’) = 0 End If Range(‘‘f’’ & ((co + 1) * 12 + 32)) = Range(‘‘$f$2’’) Range(‘‘e’’ & ((co + 1) * 12 + 32)) = ‘‘VA1[m3/Kg]=’’ Rem Si calcola VA2 e si fa il test ‘‘pieno-vuoto’’ Range(‘‘$F$3’’) = Range(‘‘$f$3’’) - (Range(‘‘$h$21’’) * Range(‘‘$g$22’’))/1000 If Range(‘‘$f$3’’) > 0 Then Range(‘‘$f$3’’) = Range(‘‘$f$3’’) Else Range(‘‘$f$3’’) = 0 End If Rem Scrittura dati per grafico Range(‘‘a’’ & (59958 + co)) = Range(‘‘$d$14’’) Range(‘‘b’’ & (59958 + co)) = Range(‘‘$b$23’’) Range(‘‘c’’ & (59958 + co)) = Range(‘‘$h$23’’) Rem Scrittura valori VA2,P1,DT,TU1,x,x1,GUS,GUB Range(‘‘f’’ & ((co + 1) * 12 + 33)) = Range(‘‘$f$3’’) Range(‘‘e’’ & ((co + 1) * 12 + 33)) = ‘‘VA2[m3/Kg]=’’ Range(‘‘h’’ & ((co + 1) * 12 + 34)) = Range(‘‘$b$23’’) Range(‘‘g’’ & ((co + 1) * 12 + 34)) = ‘‘P1[Kg/cm2]=’’ Range(‘‘f’’ & ((co + 1) * 12 + 40)) = Range(‘‘$g$22’’) Range(‘‘e’’ & ((co + 1) * 12 + 40)) = ‘‘DT[s]=’’ Range(‘‘h’’ & ((co + 1) * 12 + 40)) = Range(‘‘$d$14’’) Range(‘‘g’’ & ((co + 1) * 12 + 40)) = ‘‘TU1=’’ Range(‘‘$b$14’’) = Range(‘‘$d$14’’) Range(‘‘$b$15’’) = Range(‘‘$b$23’’) Range(‘‘e’’ & ((co + 1) * 12 + 35)) = ‘‘x=’’ Range(‘‘f’’ & ((co + 1) * 12 + 35)) = Range(‘‘$f$15’’) Range(‘‘e’’ & ((co + 1) * 12 + 36)) = ‘‘x1=’’ Range(‘‘f’’ & ((co + 1) * 12 + 36)) = Range(‘‘$f$23’’) Range(‘‘c’’ & ((co + 1) * 12 + 37)) = ‘‘GUS[Kg/s]=’’ Range(‘‘d’’ & ((co + 1) * 12 + 37)) = Range(‘‘$d$20’’) Range(‘‘e’’ & ((co + 1) * 12 + 37)) = ‘‘GUB[Kg/s]=’’ Range(‘‘f’’ & ((co + 1) * 12 + 37)) = Range(‘‘$f$20’’) Range(’’g’’& ((co + 1) * 12 + 37))=‘‘GE[Kg/s]’’ Range(’’h’’& ((co + 1) * 12 + 37))=Range(‘‘$d$21’’) co = co + 1 Loop End Sub


377

A11-4. Using the program The program CSPSen.xls is available on the companion website. On running the program the initial page of the spreadsheet is displayed with the cells A1:Al1 filled with the input data of a sample case. The numerical data of the sample case have to be replaced by the data of the case to be studied. The spreadsheet program calls macro SP and the calculation proceeds automatically. Initially the input data is printed and then results populate the cells. Usually at least 500 steps are necessary for a transient duration of ten hours. Once the calculation has been performed, it is advised to answer ‘No’ to the question Salvare le modifiche? (‘Save the modifications?’) in order to preserve the sample opening page for future use. The following data are written in the first three columns starting at cell A59995: time, primary pressure and weight of remaining primary fluid. These data can be used to draw two graphs for the pressure and the liquid weight, which are particularly meaningful to evaluate the transient trend. Other graphs and results can be obtained from the result sheet. It is advised to choose, for the transients with liquid efflux, a DP1 of 5 (kg cm 2) and an initial DP2 of 0.5 (kg cm 2). If the calculated DT is in any case too long (indicatively higher than 1000 s) the calculation should be repeated with a lower DP2, down to 0.3–0.2 (kg cm 2). It is advisable not to leave zeros in the input data and to replace them with very small, mutually consistent, numbers.

A11-5. Other formulae for the expanded use of the program The version of the program described here does not foresee the study of Anticipated Transients Without Scram (ATWS) or the calculation of the pressure in a water tank where the primary liquid from the depressurization system is discharged. For additional calculations of this type, the following notes and formulae may be useful.

A11-5-1. ATWS For calculations of this type, the evaluation of the shutdown effect of the depressurization is interesting. The depressurization, in fact, causes a loss of primary liquid and a pressure decrease which increase the steam volume in the core (the void content of the core is increased) with consequent introduction of negative reactivity and shutdown of the chain reaction. These evaluations can be done taking into account that results consistent with refined calculations are obtained by assuming that the core shutdown occurs for an average void ratio in the primary system of 30 per cent. The value of can be calculated by the following formulae: ¼

X 1 þ Xð

¼

1019:2 P

,

ðA11:11Þ

2:28:

ðA11:12Þ

1Þ

where

The values of X (average quality in the primary system) and of P are obtained by the PS program, where the heat supplied to the system must be increased in the first phase of the transient in order to take into account the heat produced by the still active chain reaction. This can be obtained, for example, by artificially increasing the decay heat KQD coefficient.

378

Nuclear Safety

A11-5-2. Pressure in a depressurization water discharge tank Normally it can be assumed that the energy supply to the tank only increases the liquid water temperature. That is, both the energy for the production of steam in the tank and the enthalpy of the water in the tank in comparison with the enthalpy of the incoming water can be disregarded. In this way the temperature increase in the tank is calculated using Equation A11.13. T1

T0 ¼

DTðGUS HUS Ma

QEÞ

,

ðA11:13Þ

where QE is the heat exchanged with the outside of the tank (Cal) in the time step and Ma is the water mass in the tank (kg). The vapour pressure in the tank can be calculated using the approximate Equation A11.14 (or by using the steam tables and saturated steam diagrams). T is the temperature ( C). Pv ¼

4:241304 10 9 T4 þ 2:284709 10 6 T3 2:952689 10 4 T2 þ 2:16481 10 2 T 0:5712048 ð2:066907 10 11 ÞT4 ð3:211231 10 8 ÞT3 þ ð2:049397 10 5 ÞT2 ð6:895268 10 3 ÞT þ 1 ðA11:14Þ

This formula has been developed for high pressures and its approximation is considered unacceptable (error higher than 20 per cent) for temperatures lower than 60 C (corresponding to a vapour pressure of 0.2031 (kg cm 2). More data and formulae for thermo-hydraulic calculations in the primary system and in the depressurization systems can be found in (Petrangeli, 1983).

References Petrangeli, G. (1983), ‘Transient, one-volume calculations for a PWR equipped with a core rescue system (SSN)’, RT/DISP(83)2, ENEA – DISP, Roma, Italy. Petrangeli, G., Tononi, R., D’Auria, F. and Mazzini, M. (1993) ‘The SSN: An emergency system based on intentional coolant depressurization for PWRs’, Nuclear Engineering and Design, 143, pp. 25–54. Tong, L.S. (1982) ‘Some design issues for future LWRs’, Notes for a seminar, January. Santarossa G. et al. (1976), ‘Raccolta di formulazioni delle proprieta` termodinamiche e del trasporto dell’acqua’, Rapporto interno SATN-1-76, DISP/CENTR Servizio Analisi Termoidraulica e Neutronica, Enea/Disp, Roma, Italy.

Appendix 12 The atmospheric dispersion of releases

This appendix describes four simple programs for calculating the atmospheric dispersion of releases on the basis of the formulae of Chapter 6. As noted at the beginning of Appendix 2, for historical reasons some of the measurement units do not belong to the S.I. system.

Program DR1 is for an instantaneous radioactivity release and calculates the cloud-concentration, (Ci s m 3), and the ground concentration, Ct (Ci m 2), in a ground position chosen downwind from the release point. Program DR2 calculates the cloud-concentration, (Ci s m 2), for a continuous release. Programs DR1FUM and DR2FUM, respectively, perform the same calculations for the fumigation case.

The programs are written in Visual BasicÕ for Applications (VBA) for execution in MicrosoftÕ ExcelÕ . They can be downloaded from the companion website (Files: DISPERSION1, DISPERSION2, FUMIGATION1, FUMIGATION2). Program DR1 Dim x As Double Dim y As Double Dim u As Double Dim h As Double Dim Q As Double x = Log(Range(‘‘b6’’))/Log(10) y = Range(‘‘b9’’) u = Range(‘‘b5’’) h = Range(‘‘b7’’) Q = Range(‘‘b8’’) If Range(‘‘b4’’) = ‘‘B’’ Then lsy = 0.0027 * x ^ 3 - 0.0585 * x ^ 2 + 1.2136 * x - 1.0106 lsz = 0.9238 * x ^ 2 - 3.5634 * x + 4.4731 sy = 10 ^ lsy sz = 10 ^ lsz chi = (Q/(3.1415 * sy * sz * u)) * Exp(-((y ^ 2/(2 * sy ^ 2)) + (h ^ 2/(2 * sz ^ 2)))) Range(‘‘b11’’) = chi Else If Range(‘‘b4’’) = ‘‘D’’ Then lsy = 0.0148 * x ^ 3 - 0.1752 * x ^ 2 + 1.5541 * x - 1.6231 lsz = 0.0049 * x ^ 3 - 0.135 * x ^ 2 + 1.4082 * x - 1.6325 379

380

Nuclear Safety

sy = 10 ^ lsy sz = 10 ^ lsz chi = (Q/(3.1415 * sy * sz * u)) * Exp(-((y ^ 2/(2 * sy ^ 2)) + (h ^ 2/(2 * sz ^ 2)))) Range(‘‘b11’’) = chi Else If Range(‘‘b4’’) = ‘‘F’’ Then lsy = 0.0044 * x ^ 3 - 0.0713 * x ^ 2 + 1.2271 * x - 1.6022 lsz = 0.0011 * x ^ 3 - 0.144 * x ^ 2 + 1.5033 * x - 2.0967 sy = 10 ^ lsy sz = 10 ^ lsz chi = (Q/(3.1415 * sy * sz * u)) * Exp(-((y ^ 2/(2 * sy ^ 2)) + (h ^ 2/(2 * sz ^ 2)))) Range(‘‘b12’’) = chi End If End If End If End Sub The MicrosoftÕ ExcelÕ cells for the input data and output results are (examples): Input data: Category ¼ D Wind (m s 1) ¼ 1 Distance (m) ¼ 2500 Release height (m) ¼ 100 Release activity (Ci) ¼ 1 Lateral distance, y (m) ¼ 0 Deposition vel. (m s 1) ¼ 0.01

(Pasquill category B, D or F) (average wind speed in x direction) (distance from the point chosen on the ground) (height at which release occurs) (activity released) (lateral distance of chosen point from plume axis) (deposition velocity of particles)

Results: (Ci s m 3) ¼ 8.31155E-06 Ct (Ci m 2) ¼ 8.31155E-08

(cloud concentration at the chosen point) (ground concentration at the chosen point)

Program DR2 Dim x As Double Dim y As Double Dim u As Double Dim h As Double Dim Q As Double x = Log(Range(‘‘b6’’))/Log(10) y = Range(‘‘b9’’) u = Range(‘‘b5’’) h = Range(‘‘b7’’) Q = Range(‘‘b8’’) If Range(‘‘b4’’) = ‘‘B’’ Then lsy = 0.0027 * x ^ 3 - 0.0585 * x ^ 2 + 1.2136 * x - 1.0106 lsz = 0.9238 * x ^ 2 - 3.5634 * x + 4.4731 sy = 10 ^ lsy sz = 10 ^ lsz chi = (Q/(3.1415 * sy * sz * u)) * Exp(-((y ^ 2/(2 * sy ^ 2)) + (h ^ 2/(2 * sz ^ 2))))


381

Range(‘‘b11’’) = chi Else If Range(‘‘b4’’) = ‘‘D’’ Then lsy = 0.0148 * x ^ 3 - 0.1752 * x ^ 2 + 1.5541 * x - 1.6231 lsz = 0.0049 * x ^ 3 - 0.135 * x ^ 2 + 1.4082 * x - 1.6325 sy = 10 ^ lsy sz = 10 ^ lsz chi = (Q/(3.1415 * sy * sz * u)) * Exp(-((y ^ 2/(2 * sy ^ 2)) + (h ^ 2/(2 * sz ^ 2)))) Range(‘‘b11’’) = chi Else If Range(‘‘b4’’) = ‘‘F’’ Then lsy = 0.0044 * x ^ 3 - 0.0713 * x ^ 2 + 1.2271 * x - 1.6022 lsz = 0.0011 * x ^ 3 - 0.144 * x ^ 2 + 1.5033 * x - 2.0967 sy = 10 ^ lsy sz = 10 ^ lsz chi = (Q/(3.1415 * sy * sz * u)) * Exp(-((y ^ 2/(2 * sy ^ 2)) + (h ^ 2/(2 * sz ^ 2)))) Range(‘‘b11’’) = chi End If End If End If End Sub The MicrosoftÕ ExcelÕ cells for the input data and output results are (example): Input data: Category ¼ D Wind (m s 1) ¼ 1 Distance (m) ¼ 600 Release height (m) ¼ 30 Release activity (Ci/s) ¼ 1 Lateral distance, y (m) ¼ 0

(Pasquill category B, D or F) (average wind speed in x direction) (distance from the point chosen on the ground) (height at which release occurs (stack)) (activity released per second) (lateral distance of chosen point from plume axis)

Results: (Ci m 3) ¼ 0.000125151

(cloud concentration at the chosen point)

Program DR1FUM Dim x As Double Dim y As Double Dim u As Double Dim hi As Double Dim Q As Double Dim sy As Double x = Log(Range(‘‘b6’’))/Log(10) y = Range(‘‘b8’’) u = Range(‘‘b5’’) hi = Range(‘‘b10’’) Q = Range(‘‘b7’’) If Range(‘‘b4’’) = ‘‘B’’ Then lsy = 0.0027 * x ^ 3 - 0.0585 * x ^ 2 + 1.2136 * x - 1.0106 sy = 10 ^ lsy

382

Nuclear Safety

chi = (Q/((2 * 3.1415) ^ 0.5 * sy * hi * u)) * Exp(-((y ^ 2/(2 * sy ^ 2)))) Range(‘‘b12’’) = chi Else If Range(‘‘b4’’) = ‘‘D’’ Then lsy = 0.0148 * x ^ 3 - 0.1752 * x ^ 2 + 1.5541 * x - 1.6231 sy = 10 ^ lsy chi = (Q/((2 * 3.1415) ^ 0.5 * sy * hi * u)) * Exp(-((y ^ 2/(2 * sy ^ 2)))) Range(‘‘b12’’) = chi Else If Range(‘‘b4’’) = ‘‘F’’ Then lsy = 0.0044 * x ^ 3 - 0.0713 * x ^ 2 + 1.2271 * x - 1.6022 sy = 10 ^ lsy chi = (Q/((2 * 3.1415) ^ 0.5 * sy * hi * u)) * Exp(-((y ^ 2/(2 * sy ^ 2)))) Range(‘‘b12’’) = chi End If End If End If End Sub The MicrosoftÕ ExcelÕ cells for the input data and output results are (example): Input data: Category ¼ F Wind (m s 1) ¼ 1 Distance (m) ¼ 1500 Release activity (Ci) ¼ 1 Lateral distance, y (m) ¼ 0 Deposition vel. (m s 1) ¼ 0.01 Inversion height (m) ¼ 100

(Pasquill cat. B, D or F for space below inversion height) (average wind speed in x direction) (distance from the point chosen on the ground) (activity released per second) (lateral distance of chosen point from plume axis) (deposition velocity of particles) (inversion height)

Results: (Ci s m 3) ¼ 7.65607E-05 Ct (Ci m 2) ¼ 7.65607E-07

(cloud-concentration at the chosen point) (ground concentration at the chosen point)

Program DR2FUM Dim x As Double Dim y As Double Dim u As Double Dim hi As Double Dim Q As Double Dim sy As Double x = Log(Range(‘‘b6’’))/Log(10) y = Range(‘‘b8’’) u = Range(‘‘b5’’) hi = Range(‘‘b9’’) Q = Range(‘‘b7’’) If Range(‘‘b4’’) = ‘‘B’’ Then lsy = 0.0027 * x ^ 3 - 0.0585 * x ^ 2 + 1.2136 * x - 1.0106 sy = 10 ^ lsy chi = (Q/((2 * 3.1415) ^ 0.5 * sy * hi * u)) * Exp(-((y ^ 2/(2 * sy ^ 2))))


Range(‘‘b11’’) = chi Else If Range(‘‘b4’’) = ‘‘D’’ Then lsy = 0.0148 * x ^ 3 - 0.1752 * x ^ 2 + 1.5541 * x - 1.6231 sy = 10 ^ lsy chi = (Q/((2 * 3.1415) ^ 0.5 * sy * hi * u)) * Exp(-((y ^ 2/(2 * sy ^ 2)))) Range(‘‘b11’’) = chi Else If Range(‘‘b4’’) = ‘‘F’’ Then lsy = 0.0044 * x ^ 3 - 0.0713 * x ^ 2 + 1.2271 * x - 1.6022 sy = 10 ^ lsy chi = (Q/((2 * 3.1415) ^ 0.5 * sy * hi * u)) * Exp(-((y ^ 2/(2 * sy ^ 2)))) Range(‘‘b11’’) = chi End If End If End If End Sub The MicrosoftÕ ExcelÕ cells for the input data and output results are (example): Input data: Category ¼ D Wind (m s 1) ¼ 1 Distance (m) ¼ 1500 Release activity (Ci s 1) ¼ 1 Lateral distance, y (m) ¼ 0 Inversion height (m) ¼ 100

Results: (Ci m 3) ¼ 3.81255E-05

(Pasquill cat. B, D or F for space below inversion height) (average wind speed in x direction) (distance from the point chosen on the ground) (activity released per second) (lateral distance of chosen point from plume axis) (inversion height)

(cloud-concentration at the chosen point)

383


Appendix 13 Regulatory framework and safety documents

A13-1. Regulatory framework A legal framework has to be established that provides for the regulation of nuclear activities and for the clear assignment of safety responsibilities.AR1, AR201 Legislative institutions should produce laws which assign the prime responsibility for safety to the operating organization and establish a regulatory body responsible for a system of licensing, for the regulatory control of nuclear activities and for enforcing the relevant regulations. It is also very useful, although not done everywhere, for the legislative power of a country to define in general terms the safety level which nuclear installation should achieve in order to give the industrial organizations and the regulatory body general guidance in their activities. For example, the classes of nuclear installations, the orders of magnitude of the amount and the probability of the maximum accident release or consequences should be established at the top of the people’s representation structure, with a balanced view of the risks and benefits to society. The prime responsibility for the safety of the installation rests with the operating organization. It is responsible for establishing its safety criteria (which should be approved by the regulatory body) and for the compliance of the design, construction and operation of the installation with them and with relevant safety standards. Procedures and arrangements for the safe control of the installation under all conditions should also be established together with the maintenance of a competent and fully trained staff and for the control of fissile and radioactive materials utilized or generated. It is the responsibility of the regulatory body to set the detailed safety objectives and standards and to

monitor and enforce them. Effective independence of the regulatory body from organizations that promote nuclear activities should be in place in order to ensure the absence of undue pressures from competing interests. An important function of the regulatory body is to communicate to the public any information concerning safety and in particular its regulatory decisions and opinions. In many cases, the regulatory body is supported by a dedicated technical support organization (TSO) which performs technical analyses and studies. These are used in reviews and in other activities by the regulatory body. The personnel of the two organizations may comprise several tens of people to a few thousands people according to the size of the nuclear programme and the activities entrusted to the body itself. Usually the regulatory body has access to confirmatory research, which creates a way to directly get supporting technical information necessary to a well-based regulatory activity. A review of existing regulatory frameworks for various countries is included in (OECD, 1991).

A13-2. Safety documents The principal documents concerning plant safety vary according to the specific requirements of each country, however some conceptual generalizations, accepted everywhere, can be made. The following documentation will be briefly discussed:

The safety report. The probabilistic safety evaluation (PRA or PSA). The environmental impact assessment (EIA). The external emergency plan. The operation manual, including the emergency procedures. 385

386

The The The The

Nuclear Safety

operation organization document. pre-operational test programme. technical specifications for operation. periodic safety reviews.

Other documents result from inspection activities on plant construction and operation.

A13-2-1. The safety report The safety report (SR) is the principal document for the demonstration that the design and the construction of a nuclear plant on a specific site are such that it can be operated without undue risk to the workers and the public. Here the assumption is made that the SR contains the treatment of both the aspects relevant to the site and those concerning the plant (description and analysis). It must be noted, however, that in various regulatory systems, the two issues are dealt with in separate documents. It is easy to understand that this subdivision quickens the time for site selection and for preparatory work on it, however the acceptability of a site also depends on the characteristics of the plant to be installed on it. The problem is easily solved for proven plants. In different cases, various parts of the information on the plant safety characteristics must be presented in advance and inserted in the part of the SR devoted to the site. In case of separation and of advanced presentation of the part of the report relevant to the site, it will be in any case necessary to link the approval of the site to the compliance with some reasonably assumed plant characteristics. The SR is a ‘living’ document which evolves and changes with time. The principal factors of this change are: the progression of the detailed design, the design modifications decided during the construction and the operation of the plant and the needs for adjustments due to the progress of safety knowledge. It has also to be noted that, for the demonstration of the plant safety, more detailed information concerning both design and analyses than is usually included in the SR is also necessary. The corresponding documents are termed ‘support documents’ (following the IAEA (1979) nomenclature). In some regulatory systems (e.g. in the Italian one) these supporting documents take the form of Detailed Design Reports (DDR) which have to be submitted, for approval, to the national control body.

Usually, the principal stages of the SR are:

the preliminary safety report: to be submitted before the site approval and the plant construction permit; and the final safety report: to be submitted before fuel loading.

While the preliminary safety report describes many plant data at the level of initial solutions and plans, the final safety report shows the plant ‘as built’ (in its final form) as a result of the design, validation and modification activities. The content of the SR may, for simplicity, be subdivided in the following five parts:

Site Quality assurance Criteria and standards Design Nuclear safety and radiation protection analysis.

The needs of radiation protection and of containment and mitigation of the effluents must permeate all the content of the SR and therefore are not indicated as separate parts of the SR. It is strongly advised that one or more radiation protection design experts are part of the design organization. In addition to the systems specifically devoted to radiation protection tasks, some design aspects must be the subject of complete evaluation, such as the following: the general and detailed plant layout; the space available for operation, inspection and maintenance tasks; the choice of materials; system specifications and component specifications and location. Other issues which may be part of the SR or be the subject of separate documents, are:

organization for pre-operational tests and operation; pre-operational test programme; operational limits, operation conditions and procedures; emergency plans; decommissioning schemes; physical protection.

The objectives of the SR information on the site are:

assessment of the feasibility of a safe plant on the site;


definition of the site parameters necessary to plant design (external events and so on); evaluation of the possible impact of the plant operation on the surrounding population and environment.

These three objectives must be followed keeping in mind both the normal operating conditions and the exceptional and accidental ones. A sample list of the contents of a safety report is given in NRC Regulatory Guide 1.70 (USNRC, 1978). What has to be underlined is that, in the light of experience, many unfavourable characteristics of a site cannot be corrected by design provisions. In other words, various site exclusion criteria exist (an example is included in Appendix 16). A principal section of a safety report should be devoted to the description of the quality assurance programmes of the plant owner and of its contractors during the design, construction, testing and operation of the plant. The methods for the implementation of the quality assurance functions should also be described. The section of the SR devoted to criteria and standards is particularly important. All the standards to be adopted for the plant should be listed, which usually can be divided into three levels of generality: the general criteria (general safety and radiation protection objectives and functional system objectives) and general applicable country laws (health protection limits, fire protection laws, etc.), the guides at the level of system and component (e.g. the NRC Regulatory Guides and the standard review plan) which usually are not compulsory but simply indicate an acceptable way of proceeding, and, finally, the technical standards for components (ASME III Code for Pressure Components, etc.). It is important to note that all the standards (and particularly those concerning components) evolve with time and that, therefore, the specific issue used has to be indicated. How does one proceed if a standard changes during the design? This problem, typically the result of revisions (every five or ten years) of the safety of operating plants, is usually tackled and solved as follows:

If the revision is due to formal improvements and no new safety problem is involved as a consequence of the progress in knowledge, then no special analysis or modification is necessary.

387

If the revision is intended to solve some new safety problem, then: additional, more precise analyses are performed in order to demonstrate, possibly, that the existing design which followed the old standard is still acceptable in the light of the new knowledge; modifications to operation parameters or rules are introduced, if possible, in order to compensate for the ‘inadequacy’ of the standards adopted for the design; if any other action is inadequate, plant modifications have to be made in order to take account of the new knowledge.

The part of the SR devoted to the description of the design should offer a concise yet complete description of the entire plant. It should allow the reviewers:

to obtain an overall view of the systems and structures of the plant, as far as their characteristics and integrated functioning is concerned, either in normal and in transient and accident conditions, including the possibility of external, natural and unnatural, events; to understand and evaluate the design solutions and the main operational limits adopted to satisfy the reference criteria and the safety and protection standards.

In particular, special problems caused by specific site characteristics should be described and discussed. Similarly, possible plant design aspects should be described which have not yet been satisfactorily solved, together with the possible research and development programmes aimed at the identification of a satisfactory solution. A comparison table, moreover, should be supplied showing plant data and corresponding data of other similar recent plants, with the indication of the condition of the other plants (degree of completion and authorization, operational situation, etc.). In general terms, the objective of safety analysis (SA) is to demonstrate that the plant design and its operating procedures (together with well-trained personnel) ensure a high level of protection of the population and workers in case of malfunctions, human errors or assumed external events. Therefore, the contents of the SA is a set of dynamic studies of the most significant transients and

388

Nuclear Safety

accidents, giving an evaluation of their consequences on the plant and on the outside environment. The SA must offer a clear picture of the integrated behaviour of the plant in fault conditions. The integrity and the behaviour of the barriers between the radioactive substances and the environment are the main concern of the plant response evaluation. The information supplied by the SA, together with the information contained in the balance of the SR, should be sufficient to convince reviewers that the plant design is acceptable from a safety and radiation protection point of view, at the authorization stage to which the SR applies. The SA is usually structured as follows:

The initiating events (which in general descend from the general design criteria), usually subdivided in a certain number (often four) operation conditions. The acceptance criteria and the design methods, usually contained in the general criteria and in the system component guides. The analyses and the conclusions.

On the basis of past experiences (see Appendix 17), it is recommended that particular attention is given to the length in (real) time for which the transients and accident are calculated. These parameters can be established tentatively beforehand, but they can be defined only after calculation as they can indicate the presence of situations which may confuse the operators. Moreover, in the evaluations, it should be ensured that sufficient time exists to allow for the correct intervention of the operators, up to the attainment of perfectly stabilized plant conditions.

The PSA, used in this way, can be limited to level 1 or 2, that is at the first core damage or at the releases from the containment, respectively. A complete risk analysis (PRA), performed, for example, to verify the compliance of the plant with preselected risk objectives, must also include level 3, that is the probabilistic evaluation of the accident consequences.

A13-2-3. The environmental impact assessment The environmental impact assessment (EIA) is now compulsory nearly everywhere. It follows official channels that are usually different from those of the safety evaluation and health protection. Many issues, however, of the two processes coincide and it is useful if the two analyses proceed in parallel. The EIA commences with the initial strategic planning of the works. During the development of the two processes (nuclear safety and environmental impact) information exchange should take place between the authorities responsible, for example by a mutual participation of observers in the commission meetings and in working groups.

A13-2-4. The external emergency plan Before fuel loading, an external emergency plan (EEP) must be operative as a part of the Defence in Depth (see Chapter 9). To this end, usually, a dedicated issue of the safety evaluation is prepared, containing the technical basis for the external emergency plan.

A13-2-2. The probabilistic safety assessment

A13-2-5. The operation manual, including the emergency procedures

The probabilistic safety assessment (PSA) is now a companion of the SR for every new plant. In fact, after some initial doubts, it is now recognized as a valid knowledge and evaluation tool for a plant and also as valid help in the design and operation of it (see Chapter 11). It is understood, then, that PSA must be developed in parallel with the design, initially making many working assumptions on the features of the plant as it will be at the end. IAEA requirements demand that a summary of the plant PSA is included in the safety report.

The operation manual, which includes the emergency procedures (EP) and the internal emergency plan, must be available before any operation with nuclear fuel. It is important that the EP includes, in order to prevent severe accidents, the procedures based on the analysis of the plant states (symptom oriented) as well as the more traditional ones based on the analysis of specific accident sequences (event oriented).AR178 In the symptom-based approach, operator actions result from the monitoring of


plant symptoms rather than from the identification of the details of the event taking place. For example, the operator responds to the symptom of loss of primary water inventory as opposed to the specific event of a loss of coolant accident. The need for this kind of procedure was indicated by the Three Mile Island accident where the operators were confronted with a confusing situation (see Appendix 17) and were not able to timely identify the precise event taking place. Subsequently, it was confirmed that it was possible to develop emergency procedures on the basis of the damaging symptoms of the event rather than of the origin of the event and its consequences. The two concepts partly overlap, but by following the symptom-based approach it is not necessary to lose precious time in identifying, by a process of selection and elimination, the event origin and features. In general, some critical safety functions are identified (attainment of sub-criticality, availability of coolant in the core, availability of an efficient containment function) and the operator action is to identify which critical safety function is not available to the desired degree and to try, with the support of the emergency symptom-based procedures, to restore the function itself. The difference between event-based procedures and symptom-based procedures is the possibility of quickly diagnosing the plant accident situation. If this diagnosis can be made, then the event-based procedures are followed. If it cannot, then the symptom-based procedures are used. It is apparent from the preceding sentences that both sets of procedures are intended to be used in any nuclear plant. The process of developing modern procedures is still ongoing on many plants and it takes a remarkable effort. Some plants decide to have a dedicated procedure development group of experts. Some other plants carry out procedure development with other work groups, such as operations staff or operational experience feedback staff, as a part time responsibility. In any case, a plant procedures group ensures an efficient and effective method for development, distribution and revision of plant procedures, resulting in lower cost and more uniform quality. Close cooperation between the procedures group and the technical departments on a plant is essential. Symptom-based procedures require the NPP to complete a significant amount of site-specific thermal-hydraulic analyses of bounding scenarios. These analyses ensure that a generic set of operator actions for loss of each critical safety function are

389

sufficient to mitigate the most severe challenge to that critical safety function. Owners Groups may share the same package of procedures but the EPs and the supporting thermal-hydraulic analyses are plant specific. In recent years it has been determined that a potential for external release of radioactive products not only exists while the plant is operating at power but also when it is in a low power or shutdown condition. EPs, therefore, have been expanded in order to cover situations where the reactor cooling system may be depressurized and the vessel head removed. Due to the specific requirements of certain plant configurations that may exist during shutdown, together with the reduced level of automatic protection, many of these procedures are specific to these plant conditions and initiating events and thus are very event specific. It has also been recognized that the operator needs additional guidance for those conditions beyond the design basis accidents where core damage exists or is imminent. Hence the evolution of severe accident management guidelines (SAMGs). Due to the wide variety of conditions that may exist, these guidelines have been written in a symptombased format. Symptom-based, event-based and integrated (a combination of the two) approaches to emergency operating procedures exist. Verification and validation of procedures are two very important elements in the procedures development work. Verification is defined as the process of determining if a procedure is administratively and technically correct. Validation is the process of evaluating procedures to ensure that they are usable and they will function as intended. These two processes should be performed using a graded approach, that is devoting more effort where the consequences of some inadequacy are more serious. Administrative procedures such as record keeping verification and validation can be accomplished through a tabletop review. For emergency operating procedures, verification may include checking the technical information against design documents while validation might include the use of mock-ups of the plant and a full-scope control room simulator, as well as direct use of the plant. Checklists are available for verification and validation (IAEA, 1998).AR178 It is highly recommended that the plant designer participates in the procedure preparation and review phases.

390

Nuclear Safety

A13-2-6. Operation organization document The operation organization document describes the functions, responsibilities and mutual relationships of the plant personnel. The adequacy of its contents directly affects the adequacy of the human element to which the plant is entrusted. Great weight should be placed on this document as its content gives a measure of the attention given to the human factors of safety. The operation organization document should include training and personal/professional development issues.

A13-2-7. The pre-operational test programme The initial test programme concerns a particularly delicate phase in the plant life, in which possible design or construction deficiencies usually come to the open. The test programme comprises two phases: nonnuclear (before fuel loading) and nuclear. The tests are often termed ‘pre-operational’ and ‘nuclear’, respectively. In the pre-operational tests, components and systems are tested. Integrated tests of several interacting systems are performed too. Therefore, the functional consistency of the systems to the design is verified, as well as the absence of vibrations, normal operation in general and the normal expansion and contraction of systems while they heat up and cool down, etc. It is very desirable that operating personnel directly take part in the pre-operational tests, together with the representatives of the contractors, in order to get used to the plant components. It is not usually considered necessary that the preoperational tests programme is explicitly approved by the safety control body, but its contents, time schedule and results are, however, timely communicated to it. On the other hand, the nuclear tests programme must have prior approval because it must fully demonstration the safety characteristics of the plant and because, whilst it is being carried out, the risk of accidents involving radioactive products starts. However, not all conceivable tests can be performed, as some of them would be detrimental to systems and components and therefore dangerous

in view of the subsequent life of the plant (e.g. the capability of a safety injection system to introduce cold water at full flow in an operating plant will never be tested because the water injected would cause an unacceptable thermal transient on structures and components). In these cases, partial yet demonstrative tests are performed. As far as the contents of a test programme is concerned, specific documents should be consulted (Petrangeli, 1985). Here, it is sufficient to say that it is very important that the procedure of any single test includes a clear specification of the acceptance limits of the test, in order to avoid long and costly discussions between the organization responsible for the tests and the safety control body during the performance of the tests themselves. The test period, in fact, is a particularly delicate phase in the life of the plant, either for the intrinsic difficulties of the tuning of the plant and for the huge organization necessary for all the tests and the measures to be performed. The nature of the ‘final exam’ also leads to high psychological tension. Therefore, any unnecessary disturbance or delay must be avoided. It is often convenient to specify three levels of acceptability of each test:

acceptance; acceptance after review by the designer without test programme stoppage; non-acceptance.

As far as possible, the tests should comply with normal operating procedures. The tests are a good opportunity to test the procedures, too and to amend them, if necessary. On the basis of practical experience, at least nine months are necessary for the pre-operational tests and at least three months for the nuclear tests. Causes, sometimes trivial, of delay may always intervene, thus extending the time required. Often a great deal of time is lost because of defective pipe support anchorages, pipe vibrations and fluid leakages from systems and from buildings.

A13-2-8. The technical specifications for operation The objective of the technical specifications (TS) is to define conditions and limits for the operation of the


plant, compatible with its safety, and to define the specifications and the programmes for periodic surveillance of the various parts of the plant. The operational limits concern plant parameters such as pressures, temperatures, etc. and the minimum availability of systems and components for the various operating modes (full power, cold shutdown and so on). Particularly important is an initial part of the TS devoted to definitions. An example of a particularly delicate definition is the one concerning the word ‘operable’: one of the most common within the TS! The TS text, with the aid of the initial definitions, must be clear and unmistakable. In fact the TS are the first support of the plant operators for fundamental decisions, such as the continuation of operation at power in the presence of irregular plant situations. Frequently, little time for discussions and interpretation is available when decisions of this kind have to be taken. The probabilistic plant analysis offers a rational basis for decisions concerning the TS, either for the choice of operating limits or for the intervals between tests and inspections of parts of the plant (periodic surveillance). The TS must be available before fuel loading.

A13-2-9. The periodic safety reviews Operating personnel must pay continuous attention to plant safety and conduct periodic reviews in order to improve the plant and its operating procedures as

391

a result of research and of operating experience of similar plants. An operating licence usually requires revision every ten years. As already mentioned in Section 13-2-1 in connection with criteria and standards, the case may occur that new knowledge or new standards may generate doubts about the consistency of the criteria and about the adequacy of the plant or its procedures. In that section it was noted that the situation has to be primarily assessed to see if the discrepancy is formal or substantial in nature. Even in the latter case, various degrees of action are available, such as a more refined analysis, modifications to limits and operating procedures and, finally, plant improvements.

References IAEA (1979), ‘Information to be submitted in support of licensing applications for nuclear power plants’, IAEA Safety Series 50-SG-G2, Vienna. IAEA (1998), ‘Good practices with respect to the development and use of Nuclear Power Plant procedures’, TECDOC 1058, IAEA,Vienna. Petrangeli, G. (1985) ‘Licensing procedures: Parts I–III’, CEE Training Seminar on PWR Safety, Cairo, Nov– Dec. USNRC (1978) ‘Standard format and content of safety analysis reports for nuclear power plants: LWR edition’, Regulatory Guide 1.70, Rev. 3, Nov. OECD, ‘Licensing Systems and Inspection of Nuclear Installations’, OECD, Nuclear Energy Agency, Paris 1991.


Appendix 14 USNRC Regulatory Guides and Standard Review Plan This Appendix gives an example of a USNRC Regulatory Guide and a chapter of the Standard Review Plan to provide useful reference technical information and data. The numbering system and cross-references of the original documents are retained. All illustrations in the original documents have been removed.

A14-1. Extracts from a regulatory guide REGULATORY GUIDE 1.3 Assumptions used for evaluating the potential radiological consequences of a loss of coolant accident for boiling water reactors. A. INTRODUCTION Section 50.34 of l0 CFR Part 50 requires that each applicant for a construction permit or operating license provide an analysis and evaluation of the design and performance of structures, systems, and components of the facility with the objective of assessing the risk to public health and safety resulting from operation of the facility. The design basis loss of coolant accident (LOCA) is one of the postulated accidents used to evaluate the adequacy of these structures, systems, and components with respect to the public health and safety. This guide gives acceptable assumptions that may be used in evaluating the radiological consequences of this accident for a boiling water reactor. In some cases, unusual site characteristics, plant design features, or other factors may require different assumptions which will he considered on an individual case basis. The Advisory Committee on Reactor Safeguards has been consulted concerning this guide and has concurred in the regulatory position.

B. DISCUSSION [. . .] within the guidelines of 10 CFR Part 100. (During the construction permit review, guideline exposures of 20 rem whole body and 150 rem thyroid should be used rather than the values given in x100.1 1 in order to allow for (a) uncertainties in final design details and meteorology or (b) new data and calculational techniques that might influence the final design of engineered safety features or the dose reduction factors allowed for these features.)

C. REGULATORY POSITION (1) The assumptions related to the release of radioactive material from the fuel and containment are as follows: (a) Twenty-five percent of the equilibrium radioactive iodine inventory developed from maximum full power operation of the core should be assumed to be immediately available for leakage from the primary reactor containment. Ninety-one percent of this 25 percent is to be assumed to be in the form of elemental iodine, 5 percent of this 25 percent in the form of particulate iodine, and 4 percent of this 25 percent in the form of organic iodides. (b) One hundred percent of the equilibrium radioactive noble gas inventory developed from maximum full power operation of the core should be assumed to be immediately available for leakage from the reactor containment. (c) The effects of radiological decay during holdup in the containment or other buildings should be taken into account. (d) The reduction in the amount of radioactive material available for leakage to the 393

394

Nuclear Safety

environment by containment sprays, recirculating filter systems, or other engineered safety features may be taken into account. but the amount of reduction in concentration of radioactive materials should be evaluated on an individual case basis. (e) The primary containment should be assumed to leak at the leak rate incorporated or to be incorporated in the technical specifications for the duration of the accident. The leakage should be assumed to pass directly to the emergency exhaust system without mixing in the surrounding reactor building atmosphere and should then be assumed to be released as an elevated plume for those facilities with stacks. (f) No credit should be given for retention of iodine in the suppression pool. (2) Acceptable assumptions for atmospheric diffusion and dose conversion are: (a) Elevated releases should be considered to be at the height equal to no more than the actual stack height. Certain site dependent conditions may exist, such as surrounding elevated topography or nearby structures which will have the effect of reducing the actual stack height. The degree of stack height reduction should be evaluated on an individual case basis. Also, special meteorological and geographical conditions may exist which can contribute to greater ground level concentrations in the immediate neighborhood of a stack. For example, fumigation should always be assumed to occur: however, the length of time that a fumigation condition exists is strongly dependent on geographical and seasonal factors and should be evaluated on a case-by-case basis. [. . .] (b) No correction should be made for depletion of the effluent plume of radioactive iodine due to deposition on the ground, or for the radiological decay of iodine in transit. (c) For the first 8 hours, the breathing rate of persons offsite should be assumed to be 3.47 10 4 cubic meters per second. From 8 to 24 hours following the accident, the breathing rate should be assumed to be of 1.75 10 4 cubic meters per second. After that until the end of the accident, the rate should be assumed to be 2.32 10 4 cubic

meters per second. (These values were developed from the average daily breathing rate [2 107 cm3 day 1] assumed in the report of ICRP, Committee II-1959.) (d) The iodine dose conversion factors are given in ICRP publication 2, Report of Committee II, ‘‘Permissible Dose for Internal Radiation,’’ 1959. (e) External whole body dose should be calculated using ‘‘Infinite Cloud’’ assumptions, i.e., the dimensions of the cloud are assumed to be large compared to the distance that the gamma rays and beta particles travel. ‘‘Such a cloud would be considered an infinite cloud for a receptor at the center because any additional [gamma and] beta emitting material beyond the cloud dimensions would not alter the flux of (gamma rays and) beta particles to the receptor’’ (Meteorology and Atomic Energy, Section 7.4.1.1ARxxx – editorial additions made so that gamma and beta emitting material could be considered). Under these conditions the rate of energy absorption per unit volume is equal to the rate of energy released per unit volume. For an infinite uniform cloud containing curies of beta radioactivity per cubic meter, the beta dose in air at the cloud center is: 0 ðA14:1Þ D ¼ 0:4571E 1

The surface body dose rate from beta emitters in the infinite cloud can be approximated as being one-half this amount. From a semi-infinite cloud, the gamma dose rate in air is given by a formula equal to (A 14-1) with the coefficient 0.457 changed to 0.507; here also, for a semi-infinite cloud, the coefficient is one half. Where: 0 D ¼ beta dose rate from an infinite cloud (rad/sec); E ¼ average gamma or beta energy per disintegration (Mev/dis); ¼ concentration of beta or gamma emitting isotope in the cloud (curie/m3) (f) The following specific assumptions are acceptable with respect to the radioactive cloud dose calculations: (1) The dose at any distance from the reactor should be calculated based on

Appendix 14 USNRC Regulatory Guides and Standard Review Plan

the maximum concentration in the plume at that distance taking into account specific meteorological, topographical, and other characteristics which may affect the maximum plume concentration. These site related characteristics must be evaluated on an individual case basis. In the case of beta radiation, the receptor is assumed to be exposed to an infinite cloud at the maximum ground level concentration at that distance from the reactor. In the case of gamma radiation, the receptor is assumed to be exposed to only one-half the cloud owing to the presence of the ground. The maximum cloud concentration always should be assumed to be at ground level. (2) The appropriate average beta and gamma energies emitted per disintegration, as given in the Table of Isotopes, Sixth Edition, by C.M. Lederer, J.M. Hollander, 1. Perlman University of California, Berkeley; Lawrence Radiation Laboratory; should be used. (g) For BWRs with stacks the atmospheric diffusion model should be as follows: (1) The basic equation for atmospheric diffusion from an elevated release is: =Q ¼

expð h2 =2z2 Þ uy z

ðA14:2Þ

Where . . . (2) For time periods of greater than 8 hours the plume from an elevated release should be assumed to meander and spread uniformly over a 22.5 sector. The resultant equation is Equation A14.2 multiplied by 2.032 y/u. (3) The atmospheric diffusion model for an elevated release as a function of the distance from the reactor, is based on the information in Table A14-1. (h) For BWRs without stacks the atmospheric diffusion model should be as follows: (1) The 0–8 hour ground level release concentrations may be reduced by a factor ranging from one to a maximum of three (see Figure. . . ) for additional dispersion produced by the turbulent

395

wake of the reactor building in calculating potential exposures. The volumetric building wake correction factor, as defined in section 3-3-5-2 of Meteorology and Atomic Energy 1968, should be used only in the 0–8 hour period; it is used with a shape factor of I/2 and the minimum cross-sectional area of the reactor building only. (2) The basic equation for atmospheric diffusion from a ground level point source is: =Q ¼ 1=y z

ðA14:3Þ

Where . . . (3) For time periods of greater than 8 hours the plume should be assumed to meander and spread uniformly over a 22.5 sector. The resultant equation is Equation A14.3 multiplied by 2.032 y/u. (4) The atmospheric diffusion model for ground level releases is based on the information in Table A14-2. (5) . . . D. IMPLEMENTATION The purpose of the revision (indicated . . .

A14-2. List of contents and extracts from a sample chapter of the Standard Review Plan SRP 1: List of contents NUREG-0800 Standard Review Plan for the Review of Safety Analysis Reports for Nuclear Power Plants LWR Edition Draft Report for Comment INTRODUCTION SRP NO. CHAPTER 1 INTRODUCTION AND GENERAL DESCRIPTION OF PLANT 1.8 Interfaces for Standard Designs CHAPTER 2 SITE CHARACTERISTICS 2.1.1 Site Location and Description 2.1.2 Exclusion Area Authority and Control

396

Nuclear Safety

Table A14-1 Time Following Accident

Atmospheric Conditions

0–8 hours

See Figure . . .

8–24 hours

See Figure . . .

1–4 days

See Figure . . .

4–30 days

See Figure . . .

Envelope of Pasquill diffusion categories based on Figure . . ., Meteorology and Atomic Energy-1968, assuming various stack heights; windspeed 1 meter/sec; uniform direction. Envelope of Pasquill diffusion categories, windspeed 1 meter/sec: variable direction within a 22.5 sector. Envelope of Pasquill diffusion categories with the following relationship used to represent maximum plume concentrations as a function of distance: Atmospheric Condition Case 1 40% Pasquill A 60% Pasquill C Atmospheric Condition Case 2 50% Pasquill C 50% Pasquill D Atmospheric Condition Case 3 33.3% Pasquill C 33.3% Pasquill D 33.3% Pasquill E: Atmospheric Condition Case 4 33.3% Pasquill D 33.3% Pasquill E: 33.3% Pasquill F Atmospheric Condition Case 5 50% Pasquill D 50% Pasquill F windspeed variable (Pasquill Types A, B, E, and F, windspeed 2 meter/sec; Pasquill Types C and D windspeed 3 meter/sec): variable direction within a 22.5 sector. Same diffusion relations as given above; windspeed variable dependent on Pasquill Type used: wind direction 33.3% frequency in a 22.5 sector.

Table A14-2 Time Following Accident

Atmospheric Conditions

0–8 hours 8–24 hours

Pasquill Type F, windspeed 1 meter/sec, uniform direction Pasquill Type F, windspeed 1 meter/sec, variable direction within a 22.5 sector (a) 40% Pasquill Type D, windspeed 3 meter/sec (b) 60% Pasquill Type F, windspeed 2 meter/sec (c) wind direction variable within a 22.5 sector (a) 33.3%; 4 Pasquill Type C, windspeed 3 meter/sec (b) 33.3% Pasquill Type D, windspeed 3 meter/sec (c) 33.3% Pasquill Type F windspeed 2 meter/sec (d) Wind direction 33.3% frequency in a 22.5 sector

1–4 days

4–30 days


2.1.3 Population Distribution 2.2.1–2.2.2 Identification of Potential Hazards in Site Vicinity 2.2.3 Evaluation of Potential Accidents 2.3.1 Regional Climatology 2.3.2 Local Meteorology 2.3.3 Onsite Meteorological Measurements Programs 2.3.4 Short-term Dispersion Estimates for Accidental Atmospheric Releases 2.3.5 Long-Term Diffusion Estimates 2.3.6 Site Parameter Envelope [Future] 2.4.1 Hydrologic Description 2.4.2 Floods 2.4.3 Probable Maximum Flood (PMF) on Streams and Rivers 2.4.4 Potential Dam Failures 2.4.5 Probable Maximum Surge and Seiche Flooding 2.4.6 Probable Maximum Tsunami Flooding 2.4.7 Ice Effects 2.4.8 Cooling Water Canals and Reservoirs 2.4.9 Channel Diversions 2.4.10 Flooding Protection Requirements 2.4.11 Cooling Water Supply 2.4.12 Groundwater 2.4.13 Accidental Releases of Liquid Effluents in Ground and Surface Waters 2.4.14 Technical Specifications and Emergency Operation Requirements 2.5.1 Basic Geologic and Seismic Information [Future] 2.5.2 Vibratory Ground Motion [Future] 2.5.3 Surface Faulting [Future] 2.5.4 Stability of Subsurface Materials and Foundations 2.5.5 Stability of Slopes CHAPTER 3 DESIGN OF STRUCTURES, COMPONENTS, EQUIPMENT, AND SYSTEMS 3.2.1 Seismic Classification 3.2.2 System Quality Group Classification 3.3.1 Wind Loadings 3.3.2 Tornado Loadings 3.4.1 Flood Protection 3.4.2 Analysis Procedures 3.5.1.1 Internally Generated Missiles (Outside Containment) 3.5.1.2 Internally Generated Missiles (Inside Containment)

397

3.5.1.3 Turbine Missiles 3.5.1.4 Missiles Generated by Natural Phenomena 3.5.1.5 Site Proximity Missiles (Except Aircraft) 3.5.1.6 Aircraft Hazards 3.5.2 Structures, Systems, and Components to be Protected from Externally Generated Missiles 3.5.3 Barrier Design Procedures 3.6.1 Plant Design for Protection Against Postulated Piping Failures in Fluid Systems Outside Containment 3.6.2 Determination of Rupture Locations and Dynamic Effects Associated with the Postulated Rupture of Piping 3.7.1 Seismic Design Parameters 3.7.2 Seismic System Analysis 3.7.3 Seismic Subsystem Analysis 3.7.4 Seismic Instrumentation 3.8.1 Concrete Containment 3.8.2 Steel Containment 3.8.3 Concrete and Steel Internal Structures of Steel or Concrete Containments 3.8.4 Other Seismic Category I Structures 3.8.5 Foundations 3.9.1 Special Topics for Mechanical Components 3.9.2 Dynamic Testing and Analysis of Systems, Components, and Equipment 3.9.3 ASME Code Class 1, 2, and 3 Components, Component Supports, and Core Support Structures 3.9.4 Control Rod Drive Systems 3.9.5 Reactor Pressure Vessel Internals 3.9.6 Inservice Testing of Pumps and Valves 3.10 Seismic and Dynamic Qualification of Mechanical and Electrical Equipment 3.11 Environmental Qualification of Mechanical and Electrical Equipment 3.12 Interfacing System Loss of Coolant Accident (ISLOCA) – Design Review for Systems Interfacing with the Reactor Coolant System [Future] 3.13 Threaded Fasteners CHAPTER 4 REACTOR 4.2 Fuel System Design 4.3 Nuclear Design 4.4 Thermal and Hydraulic Design 4.5.1 Control Rod Drive Structural Materials 4.5.2 Reactor Internal and Core Support Materials 4.6 Functional Design of Control Rod Drive System

398

Nuclear Safety

CHAPTER 5 REACTOR COOLANT SYSTEM AND CONNECTED SYSTEMS 5.2.1.1 Compliance with the Codes and Standards Rule, 10 CFR 50.55a 5.2.1.2 Applicable Code Cases 5.2.2 Overpressure Protection 5.2.3 Reactor Coolant Pressure Boundary Materials 5.2.4 Reactor Coolant Pressure Boundary Inservice Inspection and Testing 5.2.5 Reactor Coolant Pressure Boundary Leakage Detection 5.3.1 Reactor Vessel Materials 5.3.2 Pressure-Temperature Limits and Pressurized Thermal Shock 5.3.3 Reactor Vessel Integrity 5.4 Components and Subsystem Design 5.4.1.1 Pump Flywheel Integrity (PWR) 5.4.2.1 Steam Generator Materials 5.4.2.2 Steam Generator Tube Inservice Inspection 5.4.6 Reactor Core Isolation Cooling System (BWR) 5.4.7 Residual Heat Removal (RHR) System 5.4.8 Reactor Water Cleanup System (BWR) 5.4.11 Pressurizer Relief Tank 5.4.12 Reactor Coolant System High Point Vents CHAPTER 6 ENGINEERED SAFETY FEATURES 6.1.1 Engineered Safety Features Materials 6.1.2 Protective Coating Systems (Paints) – Organic Materials 6.2.1 Containment Functional Design 6.2.1.1.A PWR Dry Containments, Including Subatmospheric Containments 6.2.1.1.B Ice Condenser Containments 6.2.1.1.C Pressure-Suppression Type BWR Containments 6.2.1.2 Subcompartment Analysis 6.2.1.3 Mass and Energy Release Analysis for Postulated Loss-of-Coolant 6.2.1.4 Mass and Energy Release Analysis for Postulated Secondary System Pipe Ruptures 6.2.1.5 Minimum Containment Pressure Analysis for Emergency Core Cooling System Performance Capability Studies 6.2.2 Containment Heat Removal Systems 6.2.3 Secondary Containment Functional Design 6.2.4 Containment Isolation System 6.2.5 Combustible Gas Control in Containment 6.2.6 Containment Leakage Testing

6.2.7 Fracture Prevention of Containment Pressure Boundary 6.3 Emergency Core Cooling System 6.4 Control Room Habitability System 6.5.1 ESF Atmosphere Cleanup Systems 6.5.2 Containment Spray as a Fission Product Cleanup System 6.5.3 Fission Product Control Systems and Structures 6.5.4 Ice Condenser as a Fission Product Cleanup System 6.5.5 Pressure Suppression Pool as a Fission Product Cleanup System 6.6 Inservice Inspection of Class 2 and 3 Components 6.7 Main Steam Isolation Valve Leakage Control System (BWR) 6.8 Reactor Coolant Depressurization Systems (PWR)[Future] CHAPTER 7 INSTRUMENTATION AND CONTROLS [Future] CHAPTER 8 ELECTRIC POWER 8.1 Electric Power – Introduction 8.2 Offsite Power System 8.3.1 AC Power Systems (Onsite) 8.3.2 DC Power Systems (Onsite) 8.4 Station Blackout [Future] 8-A Branch Technical Positions (PSB) 8-B General Agenda, Station Site Visits CHAPTER 9 AUXILIARY SYSTEMS 9.1.1 New Fuel Storage 9.1.2 Spent Fuel Storage 9.1.3 Spent Fuel Pool Cooling and Cleanup System 9.1.4 Light Load Handling System (Related to Refueling) 9.1.5 Overhead Heavy Load Handling Systems 9.2.1 Station Service Water System 9.2.2 Reactor Auxiliary Cooling Water Systems 9.2.3 Demineralized Water Makeup System 9.2.4 Potable and Sanitary Water Systems 9.2.5 Ultimate Heat Sink 9.2.6 Condensate Storage Facilities 9.3.1 Compressed Air System 9.3.2 Process and Post-accident Sampling Systems 9.3.3 Equipment and Floor Drainage System 9.3.4 Chemical and Volume Control System (PWR) (Including Boron Recovery System) 9.3.5 Standby Liquid Control System (BWR)


9.4.1 Control Room Area Ventilation System 9.4.2 Spent Fuel Pool Area Ventilation System 9.4.3 Auxiliary and Radwaste Area Ventilation System 9.4.4 Turbine Area Ventilation System 9.4.5 Engineered Safety Feature Ventilation System 9.5.1 Fire Protection Program 9.5.2 Communications Systems 9.5.3 Lighting Systems 9.5.4 Emergency Diesel Engine Fuel Oil Storage and Transfer System 9.5.5 Emergency Diesel Engine Cooling Water System 9.5.6 Emergency Diesel Engine Starting System 9.5.7 Emergency Diesel Engine Lubrication System 9.5.8 Emergency Diesel Engine Combustion Air Intake and Exhaust CHAPTER 10 STEAM AND POWER CONVERSION SYSTEM 10.2 Turbine Generator 10.2.3 Turbine Rotor Integrity 10.3 Main Steam Supply System 10.3.6 Steam and Feedwater System Materials 10.4.1 Main Condensers 10.4.2 Main Condenser Evacuation System 10.4.3 Turbine Gland Sealing System 10.4.4 Turbine Bypass System 10.4.5 Circulating Water System 10.4.6 Condensate Cleanup System 10.4.7 Condensate and Feedwater System 10.4.8 Steam Generator Blowdown System (PWR) 10.4.9 Auxiliary Feedwater System (PWR) CHAPTER 11 RADIOACTIVE WASTE MANAGEMENT 11.1 Source Terms 11.2 Liquid Waste Management Systems 11.3 Gaseous Waste Management Systems 11.4 Solid Waste Management Systems 11.5 Process and Effluent Radiological Monitoring Instrumentation and Sampling Systems CHAPTER 12 RADIATION PROTECTION 12.1 Assuring that Occupational Radiation Exposures Are As Low As Is Reasonably Achievable 12.2 Radiation Sources 12.3–12.4 Radiation Protection Design Features 12.5 Operational Radiation Protection Program

399

CHAPTER 13 CONDUCT OF OPERATIONS 13.1.1 Management and Technical Support Organization 13.1.2–13.1.3 Operating Organization 13.2.1 Reactor Operator Training 13.2.2 Training For Non-Licensed Plant Staff 13.3 Emergency Planning 13.4 Operational Review 13.5.1.1 Administrative Procedures – General 13.5.1.2 Administrative Procedures – Initial Test Program 13.5.2.1 Operating and Emergency Operating Procedures 13.5.2.2 Maintenance and Other Operating Procedures 13.6 Physical Security CHAPTER 14 INITIAL TEST PROGRAM AND ITAAC-DESIGN CERTIFICATION 14.2 Initial Plant Test Program – Final Safety Analysis Report 14.3 Inspections, Tests, Analyses, and Acceptance Criteria – Design Certification 14.3.1 Site Parameters (Tier 1) 14.3.2 Structural and Systems Engineering (Tier 1) 14.3.3 Piping Systems and Components (Tier 1) 14.3.4 Reactor Systems (Tier 1) 14.3.5 Instrumentation and Controls (Tier 1) 14.3.6 Electrical Systems (Tier 1) 14.3.7 Plant Systems (Tier 1) 14.3.8 Radiation Protection and Emergency Preparedness (Tier 1) 14.3.9 Human Factors Engineering (Tier 1) 14.3.10 Initial Test Program and D-RAP (Tier 1) 14.3.11 Containment Systems and Severe Accidents (Tier 1) CHAPTER 15 ACCIDENT ANALYSIS 15.0 Accident Analysis – Introduction 15.1.1–15.1.4 Decrease in Feedwater Temperature, Increase in Feedwater Flow, Increase in Steam Flow, and Inadvertent Opening of a Steam Generator Relief or Safety Valve 15.1.5 Steam System Piping Failures Inside and Outside of Containment (PWR) 15.1.5.A Radiological Consequences of Main Steam Line Failures Outside Containment of a PWR 15.2.1–15.2.5 Loss of External Load; Turbine Trip; Loss of Condenser Vacuum; Closure of Main Steam

400

Nuclear Safety

Isolation Valve (BWR); and Steam Pressure Regulator Failure (Closed) 15.2.6 Loss of Non emergency AC Power to the Station Auxiliaries 15.2.7 Loss of Normal Feedwater Flow 15.2.8 Feedwater System Pipe Breaks Inside and Outside Containment 15.3.1–15.3.2 Loss of Forced Reactor Coolant Flow Including Trip of Pump Motor and Flow Controller Malfunctions 15.3.3–15.3.4 Reactor Coolant Pump Rotor Seizure and Reactor Coolant Pump Shaft Break 15.4.1 Uncontrolled Control Rod Assembly Withdrawal from a Subcritical or Low Power Startup Condition 15.4.2 Uncontrolled Control Rod Assembly Withdrawal at Power 15.4.3 Control Rod Misoperation (System Malfunction or Operator) 15.4.4–15.4.5 Startup of an Inactive Loop or Recirculation Loop at an Incorrect Temperature, and Flow Controller Malfunction Causing an Increase in BWR Core Flow Rate 15.4.6 Chemical and Volume Control System Malfunction that Results in a Decrease in Boron Concentration in the Reactor Coolant (PWR) 15.4.7 Inadvertent Loading and Operation of a Fuel Assembly in an Improper Position 15.4.8 Spectrum of Rod Ejection Accidents (PWR) 15.4.8.A Radiological Consequences of a Control Rod Ejection Accident (PWR) 15.4.9 Spectrum of Rod Drop Accidents (BWR) 15.4.9.A Radiological Consequences of Control Rod Drop Accident (BWR) 15.5.1–15.5.2 Inadvertent Operation of ECCS and Chemical and Volume Control System Malfunction that Increases Reactor Coolant Inventory 15.6.1 Inadvertent Opening of a PWR Pressurizer Pressure Relief Valve or a BWR Pressure Relief Valve 15.6.2 Radiological Consequences of the Failure of Small Lines Carrying Primary Coolant Outside Containment 15.6.3 Radiological Consequences of Steam Generator Tube Failure 15.6.4 Radiological Consequences of Main Steam Line Failure Outside Containment (BWR) 15.6.5 Loss-of-Coolant Accidents Resulting From Spectrum of Postulated Piping Breaks Within the Reactor Coolant Pressure Boundary

15.6.5.A Radiological Consequences of a Design Basis Loss-of-Coolant Accident Including Containment Leakage Contribution 15.6.5.B Radiological Consequences of a Design Basis Loss-of-Coolant Accident: Leakage From Engineered Safety Feature Components Outside Containment 15.6.5.D Radiological Consequences of a Design Basis Loss-of-Coolant Accident: Leakage From Main Steam Isolation Valve Leakage Control System (BWR) 15.7.3 Postulated Radioactive Releases Due to Liquid-Containing Tank Failures 15.7.4 Radiological Consequences of Fuel Handling Accidents 15.7.5 Spent Fuel Cask Drop Accidents 15.8 Anticipated Transients Without Scram [Future] CHAPTER 16 TECHNICAL SPECIFICATIONS 16.0 Technical Specifications CHAPTER 17 QUALITY ASSURANCE 17.1 Quality Assurance During the Design and Construction Phases 17.2 Quality Assurance During the Operations Phase 17.3 Quality Assurance Program Description 17.4 Reliability Assurance Program CHAPTER 18 HUMAN FACTORS ENGINEERING 18.0 Human Factors Engineering CHAPTER 19 SEVERE ACCIDENTS 19.1 Probabilistic Risk Assessment [Future] 19.2 Severe Accident Containment Performance [Future] APPENDIX I INTEGRATED IMPACTS APPENDIX II POTENTIAL IMPACTS

A14-3. Sample chapter The following is a sample chapter from Ch. 6.5.2 ‘Containment Spray as a Fission Product Cleanup System’. 6.5.2 CONTAINMENT SPRAY AS A FISSION PRODUCT CLEANUP SYSTEM REVIEW RESPONSIBILITIES Primary – Materials and Chemical Engineering Branch (EMCB) Secondary – Plant Systems Branch (SPLB)


Emergency Preparedness and Radiation Protection Branch (PERB) I. AREAS OF REVIEW . . . (1) Fission Product Removal Requirement for Containment Spray . . . (2) Design Bases . . . (3) System Design The information on the design of the spray system, including any subsystems and supporting systems, is reviewed to familiarize the reviewer with the design and operation of the system. The information includes: (a) The description of the basic design concept; the systems, subsystems, and support systems required to carry out the fission product scrubbing function of the system; and the components and instrumentation employed in these systems. (b) The process and instrumentation diagrams. (c) Layout drawings (plans, elevations, isometrics) of the spray distribution headers. (d) Plan views and elevations of the containment building layout. (4) Testing and Inspections . . . (5) Technical Specifications . . . II. ACCEPTANCE CRITERIA . . . The acceptance criteria for the fission product cleanup function of the containment spray system are based on meeting the relevant requirements of the following regulations: A. General Design Criterion 41 (Reference. . . ) as it relates to containment atmosphere cleanup systems being designed to control fission product releases to the reactor containment following postulated accidents. B. Specific criteria necessary to meet the relevant requirements of General Design Criteria 41, 42, and 43 include: (1) Design Requirements for Fission Product Removal The containment spray system should be designed in accordance with the requirements of ANSI/ANS 56.5 (Reference. . . ), except that requirements for any spray additive or other pH control system in this reference need not be followed. (a) System Operation The containment spray system should be designed to be initiated automatically by an

401

appropriate accident signal and to be transferred automatically from the injection mode to the recirculation mode to ensure continuous operation until the design objectives of the system have been achieved. In all cases, the operating period should not be less than two hours. Additives to the spray solution may be initiated manually or automatically, or may be stored in the containment sump to be dissolved during the spray injection period. (b) Coverage of Containment Building Volume In order to ensure full spray coverage of the containment building volume, the following should be observed: (1) The spray nozzles should be located as high in the containment building as practicable to maximize the spray drop fall distance. (2) The layout of the spray nozzles and distribution headers should be such that the cross-sectional area of the containment building covered by the spray is as large as practicable and that a nearly homogeneous distribution of spray in the containment building space is produced. Unsprayed regions in the upper containment building and, in particular, an unsprayed annulus adjacent to the containment building liner should be avoided wherever possible. (3) In designing the layout of the spray nozzle positions and orientations, the effect of the post-accident atmosphere should be considered, including the effects of post-accident conditions that result in the maximum possible density of the containment atmosphere. (c) Promotion of Containment Building Atmosphere Mixing Because the effectiveness of the containment spray system depends on a well-mixed containment atmosphere, all design features enhancing post-accident mixing should be considered. (d) Spray Nozzles The nozzles used in the containment spray system should be of a design that minimizes the possibility of clogging while producing drop sizes effective for iodine absorption.

402

Nuclear Safety

(e)

(f)

(g)

(h) (i)

The nozzles should not have internal moving parts such as swirl vanes, turbulence promoters, etc. They should not have orifices or internal restrictions which would narrow the flow passage to less than 0.64 cm (0.25 inch) one quarter of an inch in diameter. Spray Solution The partition of iodine between liquid and gas phases is enhanced by the alkalinity of the solution. The spray system should be designed so that the spray solution is within material compatibility constraints. Iodine scrubbing credit is given for spray solutions whose chemistry, including any additives, has been demonstrated to be effective for iodine absorption and retention under post-accident conditions. Containment Sump Solution Mixing The containment sump should be designed to permit mixing of emergency core cooling system (ECCS) and spray solutions. Drains to the engineered safety features sump should be provided for all regions of the containment which would collect a significant quantity of the spray solution. Alternatively, allowance should be made for ‘‘dead’’ volumes in the determination of the pH of the sump solution and the quantities of additives injected. Containment Sump and Recirculation Spray Solutions The pH of the aqueous solution collected in the containment sump after completion of injection of containment spray and ECCS water, and all additives for reactivity control, fission product removal, or other purposes, should be maintained at a level sufficiently high to provide assurance that significant long-term iodine re-evolution does not occur. Long-term iodine retention is calculated on the basis of the expected long-term partition coefficient. Long-term iodine retention may be assumed only when the equilibrium sump solution pH, after mixing and dilution with the primary coolant and ECCS injection, is above 7 (Reference. . . ). This pH value should be achieved by the onset of the spray recirculation mode. Storage of Additives . . . Single Failure . . .

(2) Testing . . . (3) Technical Specifications . . . III. REVIEW PROCEDURES . . . C. Fission Product Cleanup Models The reviewer estimates the area of the interior surfaces of the containment building which could be washed by the spray system, the volume flow rate of the system (assuming single failure), the average drop fall height and the mass-mean diameter of the spray drops, from inspection of the information in the SAR. The effectiveness of a containment spray system may be estimated by considering the chemical and physical processes that could occur during an accident in which the system operates. Models containing such considerations are reviewed on case-by-case bases. NUREG/CR-5966 (Reference. . . ) provides a method for review of containment spray models and evaluating the effectiveness of the spray design in the removal of fission products from the containment atmosphere. This model is used in conjunction with the fission product release assumptions in NUREG1465. In the absence of detailed models, the following simplifications may be used: Experimental results (References. . . ) and computer simulations of the chemical kinetics involved (Reference. . . ) show that an important factor determining the effectiveness of sprays against elemental iodine vapor is the concentration of iodine in the spray solution. Experiments with fresh sprays having no dissolved iodine were observed to be quite effective in the scrubbing of elemental iodine even at a pH as low as 5 (References. . . ). However, solutions having dissolved iodine, such as the sump solutions that recirculate after an accident, may revolatilize iodine if the solutions are acidic (References. . . ). Chemical additives in the spray solution have no significant effect upon aerosol particle removal because this removal process is largely mechanical in nature. (1) Elemental iodine removal during spraying of fresh solution During injection, the removal of elemental iodine by wall deposition may be estimated by w ¼ Kw A/V. (Note: this is the fraction of iodine removed by the spray in one second, order of magnitude ¼ 3 10 3). Here, w is the first-order removal coefficient by wall deposition, A is the wetted surface area,


V is the containment building net free volume, and Kw is a mass-transfer coefficient. All available experimental data are conservatively enveloped if Kw is taken to be 4.9 meters per hour (Reference. . . ). During injection, the effectiveness of the spray against elemental iodine vapor is chiefly determined by the rate at which fresh solution surface area is introduced into the containment building atmosphere. The rate of solution surface created per unit gas volume in the containment atmosphere may be estimated as (6F/VD), where F is the volume flow rate of the spray pump, V is the containment building net free volume, and D is the mass-mean diameter of the spray drops. The first-order removal coefficient by spray, s, may be taken to be s ¼ 6 Kg T F/V D, where Kg is the gas-phase mass-transfer coefficient, and T is the time of fall of the drops, which may be estimated by the ratio of the average fall height to the terminal velocity of the mass-mean drop (Reference. . . ). The above expression represents a first-order approximation if a well-mixed droplet model is used for the spray efficiency. The expression is valid for s values equal to or greater than ten per hour. s is to be limited to 20 per hour to prevent extrapolation beyond the existing data for boric acid solutions with a pH of 5 (References. . . ). For s values less than ten per hour, analyses using a more sophisticated expression are recommended. (2) Elemental iodine removal during recirculation of sump solution The sump solution at the end of injection is assumed to contain fission products washed from the reactor core as well as those removed from the containment atmosphere. The radiation absorbed by the sump solution, if the solution is acidic, would generate hydrogen peroxide (Reference. . . ) in sufficient amount to react with both iodide and iodate ions and 32 raise the possibility of elemental iodine re-evolution (Reference. . . ). For sump solutions having pH values less than 7, molecular iodine vapour should be conservatively assumed to evolve into the containment atmosphere (Reference. . . ). Information on the partition coefficients for molecular iodine can be found in References . . ..

403

The equilibrium partitioning of iodine between the sump liquid and the containment atmosphere is examined for the extreme additive concentrations determined in Section III.1.a.(2), in combination with the range of temperatures possible in the containment atmosphere and the sump solution. The reviewer should consider all known sources and sinks of acids and bases (e.g. alkaline earth and alkali metal oxides, nitric acid generated by radiolysis of nitrogen and water, alkaline salts or lye additives) in a post-accident containment environment. The minimum iodine partition coefficient determined for these conditions forms the basis of the ultimate iodine decontamination factor in the staff’s analysis described in subsection III.4.d. (3) Organic iodides It is conservative to assume that organic iodides are not removed by either spray or wall deposition. Radiolytic destruction of iodomethane may be modeled, but such a model must also consider radiolytic production (Reference. . . ). Engineered safety features designed to remove organic iodides are reviewed on a case-by-case basis. (4) Particulates The first-order removal coefficient, p, for particulates may be estimated by p ¼ 3 h F E/ 2 V D, where h is the fall height of the spray drops, V is the containment building net free volume, F is the spray flow, and (E/D) is the ratio of a dimensionless collection efficiency E to the average spray drop diameter D. Since the removal of particulate material depends markedly upon the relative sizes of the particles and the spray drops, it is convenient to combine parameters that cannot be known (Reference. . . ). It is conservative to assume (E/ D) to be 10 per meter initially (i.e. 1% efficiency for spray drops of one millimeter in diameter), changing abruptly to one per meter after the aerosol mass has been depleted by a factor of 50 (i.e. 98% of the suspended mass is ten times more readily removed than the remaining 2%). D. The iodine decontamination factor, DF, is defined as the maximum iodine concentration in the containment atmosphere divided by the concentration of iodine in the containment atmosphere at some time after decontamination. DF for the containment atmosphere achieved by the containment spray

404

Nuclear Safety

system is determined from the following equation (Reference. . . ): DF ¼ 1 þ Vs H/Vc, where H is the effective iodine partition coefficient, Vs is the volume of liquid in containment sump and sump overflow, and Vc is the containment building net free volume less Vg. The maximum decontamination factor is 200 for elemental iodine. The effectiveness of the spray in removing elemental iodine shall be presumed to end at that time, post-LOCA, when the maximum elemental iodine DF is reached. Because the removal mechanisms for organic iodides and particulate iodines are significantly different from and slower than that for elemental iodine, there is no need to limit the DF for organic iodides and particulate iodines. For standard design certification reviews under 10 CFR Part 52, the procedures above should be

followed, as modified by the procedures in SRP Section 14-3 (proposed), to verify that the design set forth in the standard safety analysis report, including inspections, tests, analysis, and acceptance criteria (ITAAC), site interface requirements and combined license action items, meet the acceptance criteria given in subsection II. SRP Section 14-3 (proposed) contains procedures for the review of certified design material (CDM) for the standard design, including the site parameters, interface criteria, and ITAAC. IV. EVALUATION FINDINGS . . . V. IMPLEMENTATION . . . The following guidance is provided to applicants and licensees about the staff’s plans for using this SRP section . . . VI. REFERENCES . . .

Appendix 15 Safety cage

A15-1. General remarks This appendix considers one of the more ‘extreme’ solutions against severe accidents (see Chapter 5) which consists of a steel-reinforced concrete cage built around a PWR vessel with the purpose of absorbing, by plastic deformation, the energy released by a steam explosion (internal or external to the vessel) and which causes its rupture and the violent projection of its pieces into the surrounding space. A possible conceptual scheme is presented with the verification calculations. (The calculations and drawings are due to Dr Eng Giuseppe Pino.) The results of some experimental tests at a reduced scale performed several years ago on safety cages similar to the one described are presented.

A15-2. Available energy This evaluation is undertaken for an AP 600 reactor. The mass of the molten core is about 110 t (61 t of UO2, 18.8 t of Zr, 29.2 t of stainless steel). The initial temperature of the corium ranges between 2000K and 2500K and the final temperature, after quenching in water, is about 400K. On the basis of the specific heat and of the fusion heat, the specific thermal energy is about 1 MJ kg 1 and therefore the total energy amounts to about 110 000 MJ.

A15-3. Mechanical energy which can be released The conversion of thermal energy into mechanical energy in this phenomenon has a low efficiency, ranging from 2 to 15 per cent with a likely value close to 4–5 per cent.

Therefore the mechanical energy produced by the reaction for all the 110 t of corium will range between 2200 MJ and 16 500 MJ, with a likely value of about 5000 MJ. Considering various assumptions on the fall of corium in water within the vessel, it can be concluded that only 2 per cent of the entire mass takes part in the explosion. Therefore, for steam explosions within the vessel, the value of the energy released may range from 45 MJ to 330 MJ. For hypothetical explosions occurring outside the vessel, a rough first evaluation can be made. If the assumption is made of a corium release from penetrations in the vessel bottom head, the mass which could take part in the explosion is the one which could leave the vessel, at the existing internal pressure, in the typical delay time for the triggering of such explosions (about 1–2 s). For a hole of 100 mm of equivalent diameter, the mass concerned is of the order of 7400 kg which can originate 330 MJ of mechanical energy, given the above discussed efficiency levels. Even in the case of an abrupt failure of the vessel bottom head with the release of all the molten core, phenomena exist which prevent all the fallen mass from taking part in the explosion. It is estimated that not more than 10 per cent of it can be involved, with a release of mechanical energy of the order of 1650 MJ. These values of available energy are comparable but lower than those taken into consideration by the Karlsruhe Research Center (KFK) and quoted in the figures given in Chapter 5 (the reactor in that example is different from the one considered here and some of the estimates concerning the conversion of thermal to mechanical energy are rather different). Both evaluations, however, have their validity. 405

406

Nuclear Safety

A15-4. Overall sizing of a structural cage around the pressure vessel The overall sizing of a structural cage around the vessel is illustrated here. The aim of the cage is to absorb the impact of internally originated missiles having an energy corresponding to a steam

explosion, to a pressure failure of the vessel and to a destructive reactivity excursion. The worst case is discussed, corresponding to a steam explosion with a mechanical energy of 1650 MJ. The structural scheme chosen is shown in Figure A15-1. An upper box-like structure, having 0

2

4

6

8

10 m

Upper steel shell 320 cm Webs

cm

Lower steel shell

m

0

0c

63 55

Annular box-like beam for anchorage of tendons Mobile wall

Ungrouted steel bars Φ 3" 0.476 L = 24 m

440 cm 480 cm

Annular tunnel Connections of tendons to anchorages Tendon anchorages

Figure A15-1. Scheme of structural cage for containment of the effects of a stream explosion.

Appendix 15 Safety cage

a hemispherical shape is located above the vessel, is made from a number of webs with a section of 0.03 1 m, positioned along the meridian lines, and of two curved shells at their inside and outside lines having, respectively, a thickness of 20 and 30 mm. The meridian webs are connected to an annular beam, also of a box-like construction, connected by tendons located on its median circumference with the reinforced concrete structure of the reactor building. In a first-trial sizing, 476 tendons

Cage rings

407

were considered, with a diameter of approximately 76.2 mm (equal to 3 inches), ungrouted for the largest part of their length, about 24 m, and grouted in the reinforced concrete structure in their terminal anchorage zone. The weight of the upper hemispherical structure is about 150 t. Verification of the tendons It is assumed that all the mechanical energy availableis transferred to the ‘missile’ (the entire

Copper tile and plastic explosive Vessel Blocks

Figure A15-2. Lateral view and cross-section of the test vessel and cage.

408

Nuclear Safety

vessel), neglecting the deformation and rupture energy of the pipes. It is also assumed that this energy is totally absorbed by the plastic deformation of the tendons, up to an admissible ductility limit of 0.5("u/"e), according to the suggestions of the ASCE (ASCE, 1997) and where "u and "e are the specific elongation at rupture and the specific elongation at elastic limit, respectively. The material chosen is a special T1 steel with the following characteristics: u ¼ 7 107 kg m 2 and "u 16%. The admissible ductility, ¼ 0.5(0.16/0.002) ¼ 40. The overall yield force which the tendons have to exert is Ry ¼ E/(xe( 1/2)), where E is the absorbed energy (kg m) and xe, the elastic deformation of the tendons, is 0.002 24 ¼ 0.048 m. R y ¼ 165 103=ð0:048ð40

1=2ÞÞ ¼ 87 025 t

The overall tendon cross-section required, Aa ¼ 87025000/7 107 ¼ 1.2432 m2, corresponding to 354 76.2 mm bars, which is fewer than the first trial bars. The verification has therefore had a positive result and some resistance margin exists. It can be verified with similar calculations that the upper hemispherical structure is equally adequate, as well as the lateral structure of the reactor cavity (suitably reinforced by additional steel bars, within the limits of practical feasibility).

A15-5. Experimental tests on steel cages for the containment of vessel explosions Some tests were performed in Italy at the end of the 1960s to verify the calculations and effectiveness of the scheme. The case studied was a little different from that caused by an explosive steam explosions in that the rupture of a pressurized vessel was induced

by the instantaneous creation of a supercritical crack and the surrounding cage had to prevent the separation of vessel fragments in order to limit damage to nearby components and structures. The mechanism of loading the cage and the way in which the containment was obtained were however identical to those of the case examined here. Figure A15-2 shows the lateral view (from which it can be understood why the test team called it salama) and a longitudinal section of the vessel and cage. The latter comprised seven rings connected by four longitudinal bars. Some spacer blocks were attached to the rings in order to simulate a full scale structural scheme, where the vessel should have a rather free space around to be filled by the thermal insulation. The crack was suddenly generated by the firing of a small copper tile externally lined by a plastic explosive, placed along the trace of the crack to be generated. The explosion of the plastic projected on the vessel molten copper, converging at the centreline of the small tile and causing a sharp cut in the vessel steel. CO2 bottles at 1–2 (MPa) were used as the pressure vessel. Both longitudinal (linear axial crack) and circumferential (arc of circle crack) breaks were simulated. The behaviour of the cage (rings and bars) was as anticipated assuming a uniform load on the blocks and on the bars (according to the crack position) and a perfectly elastic–plastic behaviour of the material. For the longitudinal cracks, for example, the cage rings were plastically deformed into almost perfect hexagons.

Reference ASCE 40265, 1997, ‘Design of blast resistant buildings in petrochemical facilities’, 1997, USA.

Appendix 16 Criteria for the site chart (Italy)

A16-1. Population and land use The exclusion criteria adopted are the following: (1) A population factor weighted over circular rings lower than 20 000 with a weight given by Table A16-1 (or by an equivalent bi-logarithmic graph). (2) A population factor weighted on the most unfavourable 22 30 0 sector from the origin up to 50 km, lower than 6500 (with the weight given by r 1.5, where r is the distance in kilometres. (3) A distance of at least 10 km from population centres with many hundreds of thousands of inhabitants. (4) A distance of at least 20 km from population centres with many hundreds of thousands of inhabitants. (5) The availability, around the centre of the site, of a circular area of the diameter of about 1 km which can be put under the direct control of the utility. The criteria on the population distribution and on its weight are connected with the assumption of

Table A16-1. Population factor Distance (km)

Factor

1 2 5 10 15 20

1 0.66 0.25 0.07 0.03 0.001

an accidental release of 3.7 1013 Bq of iodine-131 and of the other associated nuclides, with a maximum effective dose to the individual (adult) equal to 0.01 Sv and with a thyroid maximum dose of a few tens of millisieverts. The criteria concerning population centres are connected with the possibility to proceed, in case of very serious accident, to the evacuation of population centres.

A16-2. Geology, seismology and soil mechanics (1) Areas are excluded which have shown tectonic and volcanic activity in recent geological times (upper Pleistocene). (2) Areas are excluded where historical data indicate earthquakes of intensity X or higher on the Mercalli–Cancani–Sieberg scale. Historical data may be completed by seismotectonic studies in order to determine if the areas without such historical earthquakes are in any case susceptible to originate them in the future and should therefore be excluded. (3) Specific sites have to be excluded where in case of earthquake the following occurrences may happen: maximum ground acceleration incompatible with proven features of the design; unacceptable karstic phenomena; surface faulting; liquefaction beyond the design capabilities. (It is observed that this criterion excludes particular sites having the possibility of movement of surface faults.)

409

410

Nuclear Safety

Table A16-2. Condenser water Flowing water

Wet towers

Dry towers

About 50 m3 s 1 for each 1000 MWe unit at less than 3 km distance

About 1.5 m3 s 1 per unit of 1000 MWe with evaporation of one half and restitution of the remaining amount (minimum flow of the water body of 12 m3 s 1 for at least 355 days per year to comply with water heating limits)

No requirement

A16-3. Engineering requirements (1) Availability of condenser water (see Table A16-2). (2) Ground slopes less than 5–10 per cent on the site. (3) Distance from communication lines less than 10 km with elevation differences lower than 100 m.

A16-4. Extreme events from human activities The following criteria have been temporarily adopted (waiting for design solutions): (1) For military airports, a distance of at least 15 km from the runways and at least 8 km from the airport area. (2) For civil airports, a minimum distance of at least 8 km from the airport area (for airports with small tourism airplanes only, having small dimensions and velocities, about 250 km h 1, the distance is halved).

(3) A distance of at least 8 km from important firing ranges and from areas with non-removable military restrictions. (4) Distances from potentially dangerous industrial installations and from communication lines also for the transport of dangerous substances, to be studied case-by-case.

A16-5. Extreme natural events Areas subject to extreme natural phenomena (floods, snow slides and so on) have to be excluded if absolutely safe design provisions cannot be adopted. For floods, in particular, it should be possible to place the plant at an elevation of objective safety (natural or artificial). Particular attention should be given to:

relatively narrow valleys, dominated by lakes, water reservoirs or dams; areas which could be subject, in case of earthquake, to landslides, snow slides and avalanches; coastal areas subject to tidal waves.

Appendix 17 The Three Mile Island accident

A17-1. Summary description of the Three Mile Island no.2 Plant Three Mile Island on the Susquehanna River is located about 16 km SE of Harrisburg Pa, USA. It is a flat island with a surface of several square kilometres. Some years ago it was chosen as the site for a nuclear power station with two units named TMI-1 and TMI-2. Each unit has its own reactor and turbine-generator group for the conversion of steam into electric energy. The two units could supply 1700 MW to the grid, sufficient for the needs of 300 000 families (based on the average consumption of a US family). The power station was the joint property of the Pennsylvania Electric Company, the Jersey Central Power & Light Company and the Metropolitan Edison Company. The three companies were part of a ‘holding’, the General Public Utilities Corporation

(GPU). Operational responsibility was vested in Metropolitan Edison. The nuclear part of the plant (i.e. the reactor and its auxiliary systems – the ‘nuclear island’) had been supplied by the Babcock & Wilcox company. The architect engineer, Burns & Roe, had built the remainder of plant. The plant, equipped with a pressurized water reactor, is represented in a simplified way in Figure A17-1. The vessel (1) contains the reactor core (2) in which the control rods can be inserted from above (3). The cooling system is formed by two circuits (in the figure only one is represented), each one provided with two recirculation pumps (4) and with one steam generator (5). The steam produced in the secondary side of the generator is routed to the turbine (6) and converted to water again in the condenser. The condensate returns to the steam generators through

REACTOR BUILDING (CONTAINMENT) (12)

AUXILIARY (15) BUILDING

COOLING TOWER

Stack

(9)

Ventilation filters Waste gas decay tank Waste gas compressor

Pilot-operated relief valve

Safety valve Core flood tank

(8)

Block valve Pressurizer Steam generator

Vent header

TURBINE BUILDING

(5)

Control (3) rods

Turbine

(6)

High pressure injection pump

Vent valve Makeup tank

Generator

Reactor core Makeup line

(1)

Block valve

(2)

Letdown line

Borated water storage tank

Relief valve Radiation waste storage tank

(14)

Rupture disk Cold leg

(13)

Condensate Condensate pump storage tank

Demineralizer

Drain tank

(11)

Transformer

Condensor

Sump

Reactor coolant pump Sump pump (4)

Circulating water pump

Main feedwater pump

Emergency feedwater pump Hot leg

Figure A17-1. Simplified schematic of the TMI 2 plant. 411

412

Nuclear Safety

the normal feedwater pumps (7). The water is also passed through a filtration and purification device which has the objective of maintaining a high degree of purity and therefore of avoiding corrosion of the mechanical components (steam generators, turbine, piping, etc.). In addition to the normal feedwater system, an auxiliary system exists with three pumps which start automatically in case of need. The transformation of water into steam in the secondary side of the steam generators takes heat and therefore cools the water which circulates in the primary system of the same generators. The two water flows, the primary and the secondary one, are in opposite sides of the metal wall of small pipes located in each steam generator. Through this wall the warmer fluid, primary water, transmits heat to the colder fluid, that is the secondary water, and converts it into steam. The primary water, which therefore leaves the generator at a lower temperature than the initial one, is recirculated by pumps (4) through the reactor core and removes the heat produced by the nuclear chain reaction. Once the warmed primary water leaves the core, it re-enters into the steam generators, so starting again its cooling-heating cycle, transporting the heat of nuclear origin and producing the steam which operates the turbine. The stability of the pressure of the primary system is assured by the pressurizer (8). This is a vertical vessel whose volume is normally 60 per cent filled with water and 40 per cent by steam. The lower part of it (filled with water) is connected by a surge line with one of the two primary cooling circuits: electrical heaters are immersed in the water. The upper part (filled with steam) can be sprayed by cold water. The introduction of cold water by the sprays or the switching on of heaters takes care of the control of the pressure. In fact, when cold water is sprayed, the pressure decreases, and when the heaters are switched on, the opposite happens. When the reactor pressure exceeds a certain value, the relief valve (9) is automatically actuated. This valve is located on the upper part of the pressurizer and discharges steam in a discharge collecting tank (10), partly filled with cold water and provided with an emergency rupture disc (11), which avoids its excessive pressurization. When the pressure within the tank reaches the intervention level of the rupture

disc, it breaks off discharging the excess fluid into the containment building (12). The relief valve is preceded by a block valve. If the relief valve remains stuck open, with consequent excessive loss of steam, the block valve can be closed from the control room, so preventing steam efflux from the pressurizer. The liquids collected on the bottom of the containment building are transferred by a sump pump (13) in the radioactive discharges tank (14) located in the auxiliary building (15). This building is provided with a filtered ventilation system. The reactor is assisted by the following Emergency Core Cooling Systems (ECCS):

A high pressure injection system (HPI) with three pumps for the injection of borated water in the reactor. In emergency operation, which is automatically activated by low pressure of the primary system or by high pressure in the containment building, two pumps activate. Analyses show that only one pump is necessary to prevent core damage in cases of small breaks in the cooling system. A flooding system is provided with two systems containing pressurized borated water, which automatically inject water when the pressure goes below a preset value. This system has the objective of protecting the core in cases of intermediate and large breaks in the primary cooling system. A low pressure injection system provided with two pumps which inject borated water in the reactor. The system is automatically operated by the same types of signal as the high pressure system. This system ensures the cooling of the core in cases of large breaks, while in cases of small breaks it operates after the operation of the high pressure system, when the primary pressure has reached a sufficiently low level. Analyses show that only one pump is necessary to guarantee cooling.

The primary circuit and the steam generators are located inside the containment building in prestressed concrete, with a steel liner to assure it is leak-proof. The atmosphere of the building can be refrigerated by fan cooler groups. Recombiners are provided for the treatment of hydrogen (which is possibly released within the building in an accident).


Moreover, a containment atmosphere spray system exists aimed at reducing the temperature, and consequently the pressure, which could be created in the building itself as a consequence of primary coolant loss.

A17-2. The accident On the night of 27–8 March 1979 the TMI-1 unit was stopped as the refuelling operations were being completed. In fact, about every year and half, the water power stations are stopped in order to replace the more exhausted fuel elements with new ones. The second unit, TMI-2, was operating normally at 97 per cent full power. TMI-2 had started its commercial operation phase only a few months earlier, at the end of 1978, after having passed the commissioning tests. Operation personnel were working on the purification plant of the water extracted from the condenser (which receives and condenses the steam released by the turbine). The operations in progress on that equipment consisted in the replacement of the filtering material (resins), normally performed by removal with compressed air, washing in water and subsequent replacement. Possibly, during the operation of resin removal, the washing water accidentally penetrated the compressed air circuit because of a leaking valve. The presence of water in the compressed air system, which is also used for the operation of the big valves on the feedwater pipes, caused the quick closure of these valves and the complete interruption of the secondary water to steam generators. The Three Mile Island Accident started 36 seconds after 4.a.m. TMI-2 had already met problems with the feedwater purification system 18 months before the accident. During this time, however, no effective measures were taken to guarantee the needed safety of operation of this equipment. It must be noted here that the event described, a sudden and total lack of normal feedwater to steam generators, is considered in the safety analyses of power stations, among the relatively frequent ones and therefore plants are protected against them. As we will see, only a fatal combination of erroneous evaluations by the personnel with a general plant situation characterized by a substantially careless plant management and with the malfunction of

413

another plant component, allowed the events (probable and normally without damaging consequences) to escalate into one of the worst nuclear accidents ever to happen. The interruption of feedwater to steam generators causes a decrease of their water level and within a few minutes, for this type of PWR plant, their complete voiding, when all the residual water has been transformed into steam. For this reason an automatic protection system stops the turbine when the water level in the steam generators decreases to a trigger level. This occurred correctly at TMI-2, two seconds from the start of the accident. When the secondary side of a generator dries off, as at TMI-2, the primary water no longer cools down further and therefore returns to the core inlet as warm as it had left it. Passing through the core, it heats up further and increases to ever higher temperatures. In these conditions, it is dangerous to allow the primary temperature to grow beyond certain limits, so it is necessary to stop the nuclear chain reaction, thus substantially reducing the amount of heat produced by the core. The fast shutdown of the TMI-2 reactor, in the conditions described, occurs in the following way. The increase of primary water temperature causes the expansion of the water itself which can expand in the pressurizer, which, as it has been said, is connected to the primary circuit by a pipe and is only partially filled with water: the other part of it is full of steam, as in a pressure cooker (see Figure A17-2). The flow of water into the pressurizer compresses the steam contained in it and increases its pressure. When the pressure has reached a preset value, the chain reaction is arrested by an automatic shutdown system which causes the control rods to fall into the core. This occurred correctly in TMI-2, eight seconds after the start of the accident. In the meantime another event had happened. It too was normal and foreseen: the opening of the relief valve located on the top of the pressurizer. This had a similar effect to opening the valve on a pressure cooker lid. The combination of opening the relief valve with the arrest of the chain reaction (as if the valve on the pressure cooker was opened and the burner shut off) causes a quick decrease of the primary system pressure. However, the automatic control system of

414

Nuclear Safety

Ins.

Ins. Heaters

Surge line nozzle

Figure A17-2. Pressurizer.

the relief valve is designed in such a way that it causes its re-closure when the pressure again reaches sufficiently low values. This lower pressure was reached in TMI-2, thirteen seconds after the start of the accident, but unfortunately, something

malfunctioned and the valve did not automatically re-close. The relief line stayed open for two hours and twenty minutes, transforming a relatively normal event of feedwater interruption into a much more serious accident of loss of coolant from the primary circuit. This malfunction was the only mechanical fault of the events that brought the accident to its serious final consequences. The other events were human evaluation errors and the poor maintenance conditions of the plant. Two systems had been provided to cope with this mechanical failure. The first system signalled to the operators in the control room the ‘open’ status of the valve and, therefore, the lack of its re-closure. It consisted of an instrument, readable in the control room, which measured the temperature in the pipe connecting the relief valve to the steam condensation tank. When the valve was open, hot steam flowed into the pipe and the temperature indicated by the instrument is high. When the valve was closed, the pipe does not contain hot steam and the indicated temperature was low. Additionally, a light on the control console indicated if the valve had received the opening electric command. This indication was, however, indirect and unsafe: in fact, the valve may receive the ‘close’ command and, at the same time, be still open because of a mechanical fault, for example because of a seizure of parts in its mechanism. Also, it is possible for a blown bulb to go undetected thereby giving an incorrect status reading. Both systems were provided so that an operator on seeing the primary pressure decrease in an abnormal way could check if this fact depended on a stuck open relief valve. At TMI-2, thirteen seconds after the start of the accident, the valve position indicator signalled that the closure command had been given. A second system was provided to compensate for the effects of a mechanical fault of the relief valve. This consisted, very simply, of a block valve located on the same pipe as the relief valve. An operator, correctly diagnosing the failure of the relief valve to close by reading the temperature in the pipe, may stop the steam leak by closing this second valve. Hence the name of block valve. At TMI-2, even with these provisions, the carelessness with which, apparently, the plant was managed before the accident prevented the four men who happened to have to cope with it alone in


the first crucial phases of it from taking the correct actions. During one of the post-accident inquiries (Kemeny, 1979), the shift superintendent for TMI-1 and TMI-2 explained that the temperature in the pipe was high even before the accident because of leaks in the relief valve: ‘I have seen, consulting the recordings after the accident, about 198 F. But I remember previous cases . . . slightly higher than 200 [. . .] knowing that the relief valve had opened, I expected that the temperature in the pipe had stayed high and that some time had been necessary for the pipe to cool down below 200 ’. However, the records show that the temperature reached 285 F. Moreover, one of the emergency procedures of the plant says that a temperature of 200 F indicates that the relief valve is open. Another procedure requires the closure of the block valve when the temperature exceeds 130 F. All this indicated that the plant was operated in the usual way even in presence of evident leakages from the relief valve, contrary to any good practice and in violation of the procedures. This operational malpractice is not general in nuclear plants. In particular, an inquiry performed on some power stations after the TMI-2 accident has confirmed that in similar cases of valves affected by significant leaks, the plant has been stopped and the leak eliminated. The delayed closure of the block valve at TMI-2 prevented the operators from distinguishing an accident situation (relief valve stuck open) from a situation of careless operation (relief valve with continuous leaks). As we have seen, once the chain reaction arrest did intervene because of high pressure, the heat generated by the core substantially decreases but does not completely cease. In fact, the radioactive products of the fission reaction of the uranium nucleus and those generated by other secondary phenomena continue to emit radiation which, once absorbed by the surrounding materials, is transformed into heat. This heat, the core ‘decay heat’, immediately after the arrest equals 7 per cent of the power of the preceding operation. It decreases to 1 per cent after about two hours. The decay heat must be removed from the primary circuit by a cooling system, otherwise the primary water and the reactor core will overheat. In the case of normal feedwater loss to steam

415

generators, an auxiliary feedwater system automatically intervenes which, in a similar way to the main system, supplies water to the secondary side of the steam generators and performs, by steam production, the primary system cooling. Fourteen seconds after the start of the accident at TMI-2 an operator observed that the auxiliary feedwater pumps had automatically started as expected. However, he did not notice the two lights on the control panel indicating that two valves, one on each of the two auxiliary feedwater pipes, were shut and that the water could not reach the generators and so provide cooling. Eight minutes after the start of the accident, however, somebody noticed that the water had not arrived at the generators and another operator opened the two closed valves. This delay in the arrival of the auxiliary feedwater to the generators did not greatly affect the accident, but it did distract the operators. The reason why the two valves were closed is not known exactly. According to the technical specifications for operation they had to be in the open position. Two minutes after the start of the accident, because of the continuous loss of steam from the stuck open relief valve and the consequent decrease in the pressure of the primary circuit, the two powerful pumps on the high pressure emergency injection system (HPI) started up, as anticipated, on a ‘too low’ pressure signal (indicative of the presence of a steam or water leak from the primary system). They started to automatically introduce water into the primary circuit. The HPI system is a part of the emergency cooling systems (ECCS), principally aimed at the protection of the core integrity in case of primary loss of coolant (LOCA). These systems are capable of keeping the core submerged in water and therefore cooled even if the largest primary pipe suddenly broke. In fact we have seen that the decay heat of the shutdown core, that is after the chain reaction ceases, must in any case be removed and, in case of a break in a large pipe, it is not possible to rely on the heat removal capability of the steam generators. As the core is under water, its excessive overheating is prevented. In fact the water heats up and is transformed into steam, so cooling the core. It then escapes from the rupture towards the containment building while new water is introduced into the primary circuit by the ECCS system in order to always keep the core submerged.

416

Nuclear Safety

The HPI system at TMI-2 correctly came into operation because the system was undergoing a loss of coolant accident (LOCA) because of the ‘stuck open’ relief valve. But at the time, the operators did not know that yet. They had neither diagnosed a LOCA nor its cause, because the control room pressurizer water level instrumentation indicated a level that was higher than normal. What was happening was an extremely insidious but not yet well-known phenomenon. In a system of pipes and vessels, fluids tend to move from high pressure zones towards low pressure ones. At TMI-2, the lower pressure zone was closer to the opening towards the outside (relief valve open), that is the pressurizer. For this reason, while steam went out of the pressurizer top towards the outside, at the same time the content of the remaining part of the primary system flowed towards the inside of the pressurizer. Without entering into the details of the complex fluid-dynamic phenomena involved, it can be said that that flow succeeded in keeping the water level in the pressurizer high while the primary system was losing its precious content of water. This phenomenon is in some respects similar, even if not for the same reasons, to the one which happens when a gassed soft drink bottle is opened. The gas is suddenly released entraining to the outside part of the liquid. This does not happen because the bottle is too full of liquid, but because the violently outgoing gas entrains it in part. The operators, concentrating their attention on the fact that the level in the pressurizer was higher than normal, were erroneously convinced that the primary system was full of water and that therefore the core was safe. They, unfortunately, made, at this point and later in the course of the accident, some fatal manoeuvres, all consistent, however, with this erroneous conviction of theirs. One of the operators, about two and a half minutes after the start of the HPI pumps, stopped one of them and reduced the water flow rate of the other to a minimum. Subsequently a controlled spillage of the primary water was started. During the subsequent inquiries, he said: ‘The rapidly growing pressurizer level at the start of the accident made me believe that the high pressure injection (HPI) was excessive and that soon we would have the primary system completely full of water’. The control room instrumentation indicated a loss of coolant accident in progress. The indication of

high temperature in the relief valve pipe has already been discussed. Additionally, the continuous decrease of the primary system pressure, even after the HPI intervention, was a clear indication that the system was losing water. Why didn’t the operators correctly interpret the signals? They simply trusted the high pressurizer level indications. A technical superintendent at TMI-2 who arrived on the plant at 03:45, subsequently said: ‘I had the perception that we were in a very unusual situation, since I had never seen the pressurizer level increase and stay at a high value and, at the same time, the pressure staying low. They [the pressure and the level] had always behaved in the same way’. As a consequence of the described evaluation errors the primary circuit continued to lose water for hours and in addition the automatic core cooling system, correctly activated, could not perform its function of fuel integrity protection. It is now known that if the block valve had been closed after one and half or two hours or if the operation of the HPI only had not been arrested, even without the closure of the valve, the Three Mile Island accident would have been no more than a modest nuisance of operation. For completeness of information it has to be added that the possibility of an accident of the type of TMI-2 had been foreseen by some experts. If these foresights had been confirmed by in-depth theoretical studies and possibly by experimental tests, their results, duly made known to interested people, would have enabled the TMI-2 operators to correctly diagnose the fault and react correctly. In September 1977, for example, an event similar to the TMI-2 had happened at the Davis Besse station, USA. Luckily the reactor was operating only at 9 per cent of normal power and therefore the decay heat was small. Moreover, the block valve was closed twenty minutes after the start of the event. No reactor damage therefore occurred. In any case, an engineer of Babcock & Wilcox, the designer of this plant too, warned, in an internal memorandum written before the TMI-2 accident, that if the event had happened on a plant operating at full power, probably the core would have been uncovered with the possibility of fuel damage. An engineer of the Tennessee Valley Authority (TVA) had described, in a draft technical report, the possibility of the phenomenon of increasing water level in the pressurizer with simultaneous decreasing pressure. Not enough time was available, unfortunately, for these


studies to proceed beyond the stage of first initial draft and to become part of the nuclear science before the TMI-2 accident. As the incident at TMI-2 progressed, the indications that severe core damage was occurring became ever clearer. One hour after the start of the accident, at 05:00, the four primary water recirculation pumps started to strongly vibrate and had to be shut down. The vibration was indicative of the presence of steam in the circuit and therefore of a scarcity of water. At 06:00, alarms indicted high radiation in the containment. This was an indication of a release of radioactive products from a core that had been damaged. At 07:00, radiation levels throughout the plant increased prompting the operators to declare a state of internal emergency. This action is taken when an event threatens ‘an uncontrolled release of radioactivity outside the plant’. At 07:24, the station superintendent, worried by the high radiation levels in the primary containment, declared a general emergency, that is ‘an accident capable of causing serious radiological consequences to the health and safety of the population’. In spite of everything, the station personnel continued to believe that the reactor core was covered by water, but at the same time, by some unknown phenomenon, that it had been damaged. The station superintendent would later say: ‘. . . I don’t think that in my mind I was really convinced that the core had remained completely uncovered or uncovered in a substantial measure at that time (eight o’clock in the morning)’. For several hours, the operators did not understand the real condition of the core. Various strategies were tried during that time in order to terminate an unknown, but indicated, core damage situation. It is not possible to give now the rationale for any single manoeuvre performed but certainly the erroneous conviction that the primary system was full of water stayed for many hours in the minds of the operators. About sixteen hours after the start of the accident, manoeuvres were performed which gave clear indication that the control of core cooling had been regained: the block valve was definitively closed, the high pressure injection (HPI) was started up and one of the recirculation pumps of the primary circuit was started up with one steam generator operating. Soon

417

afterwards the decreasing trend of all the primary circuit temperatures, the correct value of the pressure and the good operating conditions of the pumps clearly indicated that the core cooling was again under control. What had happened in the meantime within the reactor core? During the first sixteen hours of the accident the core had, on several occasions and for long periods, dried (even if not completely) and therefore was without adequate cooling (Figures A17-3 and A17-4). It can be calculated that some parts of the core reached temperatures in excess of 3100K. The many safety tests performed over the years indicate the occurrence of two dangerous phenomena when the core temperature exceeds 1500K. The first one consists in the fact that the small tubes (claddings) containing the core uranium, made of a zirconium alloy, show a vigorous chemical reaction with water or steam at these temperatures to generate hydrogen. The hydrogen, in the presence of oxygen or air, may lead to potentially destructive explosions. The second is caused either by nuclear overheating or by the metal (zirconium)-water reaction. It consists of the mechanical damage of the fuel claddings and of the fuel itself, up to its melting, with the consequent liberation of the accumulated radioactive fission products. The nuclear fission (splitting) reaction of the nucleus of the uranium atom leads to the disappearance of the atom itself and to its transformation into two or more lighter, generally radioactive, atoms. These fission products accumulate in the fuel and their release is prevented by the presence of the cladding. Figure 3-6 shows the damaged areas of the core as now known from the available information (OECD, 1994). It can be calculated that about 50 per cent of the zirconium present in the TMI-2 core reacted with water to produce hydrogen and that practically all the volatile fission products were released by the core into the primary circuit and hence, through the stuck open relief valve, into the containment building. Forty-five per cent (62 t) of the fuel melted and about 20 t migrated from their original position and collected on the vessel bottom head. The formation of hydrogen in the core also occurs by the radiolytic decomposition of water molecules, made of hydrogen and of oxygen. This phenomenon generates a mixture of hydrogen and

418

Nuclear Safety

Figure A17-3. Pressure history and periods when the core was uncovered.

System pressure (MPa)

20 B pump transient (174 to 193)

15

HPI on (200 to 217)

Block valve opened

10

Coolant pumps off (100 m) Core relocation Block valve closed (139 m) (174) (224)

5 (100)

0

Initial core heatup

Loss of coolant (core cooled)

100

Degraded core heatup

200 Time (min)

Figure A17-4. Pressure history and significant events in the first hours. oxygen gas. The considerable production of hydrogen during the TMI-2 accident gave the operators further difficulties: no severe consequence, however, ensued.

Firstly, hydrogen collected, because of its low density, in the highest part of the vessel and other primary circuit components, forming large bubbles which impaired the good circulation of water in the


circuit itself. The phenomenon, an air-lock, which occurs in a domestic central heating system when air collects in the pipes, is familiar to many: the radiator stays cold because the water cannot circulate through it. Secondly, for many subsequent days there was concern about the possibility that radiolytic hydrogen and oxygen could detonate within the vessel and damage it. In reality, the first calculations were too conservative and did not account for other phenomena which in effect prevented the accumulation of oxygen in a measure sufficient to give rise to a detonation. In conclusion, it was probably an unfounded fear. A real explosion, on the other hand, happened in the containment building where the hydrogen that had escaped through the relief valve mixed with the air oxygen causing an explosion about 10 hours after the start of the accident without, however, damaging either the containment or other essential equipment. The sudden pressure rise caused by the explosion was recorded by the instruments and was equal to about 0.2 MPa. In addition to the possible effects of hydrogen, the other danger to the plant was the perforation of the vessel by the molten material (about 20 t) which collected on its bottom. With the aim of understanding how the vessel resisted the high temperatures and stresses imposed on it by contact with the corium, an international research programme, the Vessel Investigation Project (VIP) was launched by the OECD. The VIP results are described in OECD (1994). One of the principal conclusions being that, although the vessel wall locally reached temperatures high enough to possibly make it fail, due to the fact that around the hot zone the vessel was relatively cooler, this failure did not happen. In reality, there was always some water on the vessel bottom throughout the accident and it is thought that this water succeeded in penetrating the solidified corium cracks and the gaps between the corium and vessel, thereby refrigerating the largest part of the vessel. The indication given by the accident that a molten core may be confined inside the pressure vessel has not been forgotten by nuclear safety specialists and now this fact is relied upon in various designs (see Chapter 5).

419

A17-3. The consequences of the accident on the outside environment The commission nominated by President Carter to investigate the accident, the ‘Kemeny Commission’ after the name of its chairman, effectively detected responsibilities and deficiencies, and listed the damages caused by the accident. However, its final report, published at the end of October 1979 (Kemeny, 1979), contained the following statement: ‘We conclude that the most serious health effect of the accident was severe mental stress, which was short lived. The highest levels of distress were found among those living within 5 miles of TMI and in families with preschool children’. The TMI-2 accident has been one of the two most serious events in the nuclear industry since its start. It engaged the US technological apparatus for many months, it has worried practically all the world and has cost an estimated one to two billion dollars. However, it has not had consequences on the external environment beyond inconvenience and the state of concern of the population in the immediate neighbourhood of the plant. This concern, to a large part, is due to evaluation errors. Nuclear power stations have been designed taking into account the possibility of accidents and providing the consequent protection, generally multiple, against their effects. In the TMI–2 accident these protections, notwithstanding the damages to the plant, have not missed their principal aim of protecting the integrity of the people and the environment. The following describes the still negligible health damage of radiological origin due to the accident (NUREG, 1979a; Kemeny, 1979). The radiation damage depends on the amount of radiation dose absorbed: the more sievert (or rem) absorbed by exposure to them the more serious are the consequences on the exposed individual. Up to some hundreds of millisieverts, no consequences arise. Beyond 1 Sv up to 2 Sv, nausea, vomiting and indisposition may occur. At about 5 Sv the probability of death is high. For the TMI accident the highest potential individual irradiation outside the plant site is more conveniently expressed in microsievert. It has been in fact measured in 800 Sv. In order to evaluate the

420

Nuclear Safety

importance of this irradiation it is useful to compare it with the one annually absorbed by every one of us just by living in a place, in a certain type of house, of eating and drinking, watching television, travelling by air, undergoing medical diagnoses, etc. In fact, each of us is subject to cosmic radiation and to radiation emitted by the ground, by construction materials, by food and by various electronic devices. The annual doses absorbed in this way vary from place to place, but, for example, the higher the altitude of a town where an individual lives, the higher is the amount of cosmic radiation absorbed. In many countries, the background individual annual dose ranges between 500 Sv and 2.5 mSv. The maximum potential dose at TMI is lower than the typical difference in annual dose from one part of a country and another. Many will be surprised at this. It must, however, be remembered that we live in a radioactive world. Radioactivity is everywhere around us and is part of our environment. It is true that the TMI accident has had minor health consequences of radiological nature. A similar result is obtained if, instead of the individual dose, the collective dose is considered. It is known that in a population receiving even a small individual dose, statistically, lethal cases of cancer may occur. For TMI, various evaluations of this possible effect have been made, also considering the minute dose received due to the accident by individuals living as far as 80 km from the plant. The total population within this distance is about two million. Of these, in the subsequent years, according to the statistical data, about 325 000 will die of cancer for reasons different from the accident. It is practically certain that the possible additional cases of cancer due to the accident will be less than five, and therefore, as this is so low, they are included within the statistical variation of the cases occurring for other reasons (Kemeny, 1979). The same general conclusion holds for the probability that the subsequent offspring of the population involved in the accident show malformations of some type. This reassuring health picture is derived from the measurements taken by various teams of wellequipped specialists operating around the power station and in the air space of the same zone. However, the governor of Pennsylvania, at the time, officially issued recommendations concerning protec-

tive measures and the evacuation of the population. Late in the morning of 30 March, it was suggested that the population within 16 km of the plant should stay inside their houses to shield them to the maximum possible extent from possible radioactive clouds due to releases from the power station. Soon afterwards, roughly at 12:30, following further consultations with health authorities and experts, the governor recommended that pregnant women and preschool children should leave the zone within a radius of 8 km from the power station and that in this zone all the schools should be closed. At 20:30 of the same day, the governor withdrew the first recommendation but the second was only cancelled on 9 April. These precautionary measures, which were subsequently shown to be excessive, were in the largest part suggested by pessimistic evaluations of the possible evolution of plant phenomena and by incredible fortuitous coincidences. For example, a strong belief in the importance on the decisions of the governor was held by a group of experts from the NRC (Nuclear Regulatory Commission, the US control body on the peaceful uses of atomic energy) who suggested the evacuation of women and children. The same experts, in issuing their recommendation, were influenced by the following coincidence. They were evaluating all the possible modes of release of radioactive products from the plant and were calculating the consequences of a release due to excessive pressure from some radioactive gas storage tanks. The calculation indicated the theoretical possibility of radiation at the fence of the plant of 12 mSv per hour. Fifteen or twenty seconds after having obtained this result, they received the news that on site a radiation field of precisely 12 mSv per hour had been measured. They concluded that the unlikely emission of gases from the tanks had happened and recommended the evacuation to the governor. In reality, the measurement had been made by an helicopter which was flying 40 m above the discharge stack. The measurement was not therefore representative of the radiation field on the ground. Another element of confusion and of pessimism was represented by the exceedingly conservative evaluation of the detonation possibility of the hydrogen bubble in the reactor vessel. The recommendations to stay inside and to evacuate the zone, at least for the people most vulnerable to radiation damage, together with news


from television and the press who were not completely reassuring, caused the understandable fear of the inhabitants of the TMI-2 zone. Radiations, unlike other potentially damaging agents and elements (e.g. fire, water, toxic gases) are not detected by our senses, so we feel unsafe and uncertain because we must rely on measurements and the advice of ‘experts’. In this regard, the astonishment of the Harrisburgh major, who wanted to visit the power station during the crisis on 30 March, is highly indicative: ‘Rather strangely, one of the things that impressed me the most and that gave me the maximum sensation of confidence that everything was under control was that everybody on the site, all the employees, the president and so on, went around in their shirts and bare head. I didn’t see any indication of nuclear protection’. The mobilization of all the industrial and health protection national resources was, however, impressive. About ten laboratories in the USA worked night and day to analyse samples taken from the plant and to perform evaluations of the present situation of the reactor and of its possible evolution. The industries of the nuclear field, such as General Electric and Westinghouse, promptly put themselves at the disposal of Babcock & Wilcox, of Metropolitan Edison and of the NRC for whatever assistance might be needed. The pharmaceutical industry, too, had to make a powerful effort. The Mallincrodt Chemical Company of St Louis, in cooperation with ParkeDavis of Detroit and with a manufacturer of machines for filling vials, based in New Jersey, agreed at short notice to supply the Government Department for Health 250 000 doses of potassium iodide. This substance, if ingested in an opportune dose, protects the individual from the negative consequences of the inhalation of radioactive iodine, potentially released to the atmosphere by a nuclear station accident. In fact the inhaled or ingested iodine, radioactive or not, is absorbed by the thyroid until it is not saturated. At this point, even if additional iodine is ingested, it is eliminated by the body. The previous ingestion of potassium iodide saturates the thyroid with iodine and then the further possible inhalation of radioactive iodine has no health consequences as it is promptly eliminated.

421

The first batch of vials arrived in Harrisburgh within 24 hours and the last batch arrived four days later. It was not necessary to use any of them. Despite, the effectiveness of the emergency plans, the TMI-2 experience has shown that the preparations for an emergency must be increased in every country.

A17-4. The actions initiated after the accident The TMI-2 accident was followed by decontamination operations, that is the removal of radioactive products contained in the systems and in the buildings. This has made it possible to enter the containment building in order to complete the decontamination operations within it and to start the inspections of the reactor. In parallel, in the USA and in all countries interested in nuclear energy, studies were initiated in order to understand the development and the causes of the accident and to identify the possible improvements to power stations and to their management which might prevent accidents of similar severity. The studies in question, initiated immediately almost everywhere after the accident, gave substantial results even in the same year. Modifications made to existing plants were relatively few, but very crucial, and have been promptly made. They mainly concerned the automatic protection systems of the reactors which have now been set in a way which takes into account the behaviour, previously not well known, of the pressurizer level in LOCA accidents concerning, as in TMI-2, the high parts of the pressurizer itself. Numerous other improvements were instigated in the aftermath of the accident. The work done by the NRC (Rogovin, 1980; NUREG, 1979b; NUREG, 1979c) has indicated the need for improvements to the instrumentation, to the containment systems, to operator training, skills in safety issues present in each power station, to the operating procedures, to the safety analyses and to the emergency provisions. The Kemeny commission (Kemeny, 1979) concluded its work by saying that the field in which the more fundamental modifications were necessary is that of the mindset and of the working methods of the industry and of the control bodies in USA. It was of the opinion that: ‘after many years of operation

422

Nuclear Safety

of nuclear power plants, with no evidence that any member of the general public has been hurt, the belief that nuclear power plants are sufficiently safe grew into a conviction. One must recognize this to understand why many key steps that could have prevented the accident at Three Mile Island were not taken’. The most important modifications that the Kemeny commission deemed necessary in order to prevent the further occurrence of accidents of the TMI-2 severity, concern the organization and the intervention procedures of the NRC, the operator training, the management of nuclear plants by the utilities, some technical aspects of the plants, the research on the effects of low radiation doses and the emergency provisions. Studies by various working groups in other countries were substantially in agreement with the NRC and with the Kemeny commission recommendations. In Italy, a country well known to the author, the attempt was made to single out through the work of an expert group, among the proposed improvements, the few which appeared to be most effective in unlikely accident situations of various types. This was because even if the study of many thinkable accidents can be made, it is not possible to be certain that all of them have been foreseen, so an effective protection against the unforeseen is necessary. On the other hand, the core of a reactor may ‘die’ from only two ‘illnesses’ only: the lack of water and the lack of neutron poisons for the shutdown of the chain reaction. The first case has happened in TMI-2. It is also true that the study of possible accidents, even if limited, leads to the provision of abundant water for core submersion and for the shutdown of the chain reaction. The area of possible improvement concerns the systems which diagnose the conditions of possible danger to the core itself. For this reason the group recommended, in the first place, the installation, as far as technologically feasible on each reactor, of instrumentation capable of directly and reliably measuring the water level, and the temperature and power local distribution, in the core. Recommendations were then made concerning the improvement of operator training for accident conditions, of the emergency provisions and of the study of accidents in order to pay more attention to the plant control actions even a long time after the event.

Other more specific recommendations concerned detailed characteristics of plant components. Some recommendations of the American study groups were already implemented in Italy, for example the one concerning the consideration of more simultaneous faults in the study of an accident. The studies initiated soon after the accident continued in the field of emergency provisions, of operator training and on the completion of the recommendations. In the subsequent years, the technical thinking on the accident at ENEA-DISP led to the development of a proposal for the Core Rescue System (CRS) (see Appendix 10) based on the voluntary depressurization of the primary system and on the injection of cooling water by passive systems (Petrangeli et al., 1993). This type of system was subsequently adopted in various new reactor designs (e.g. on the AP 600 Westinghouse reactor). In particular, the voluntary depressurization system of the primary circuit, publicly proposed for the first time (for pressurized reactors) in the course of the mentioned studies in Italy, has become a permanent feature in the new PWR plant designs.

References Kemeny, J.G. (chairman) (1979) ‘Report of the President’s Commission on the accident at Three Mile Island: The need for change; the legacy of TMI’, President’s Commission on the accident at Three Mile Island, 2100 M Street, NW Washington, DC 20037. OECD (1994) ‘Three Mile Island reactor pressure vessel investigation project’, OECD-NEA, Paris: OECD. Petrangeli, G., Tononi, R., D’Auria, F. and Mazzini, M. (1993) ‘The SSN: An emergency system based on intentional coolant depressurization for PWRs’, Nuclear Engineering and Design, 143, pp. 25–54. Rogovin, M. (1980) ‘Three Mile Island: A report to the Commissioners and to the public’, NRC Special Inquiry Group. USNRC (1979a) ‘Population dose and health impact of the accident at the Three Mile Island nuclear station’ NUREG 0558, May. USNRC (1979b) ‘TMI-2 lessons learned task force: Final report’, NUREG 0585, October. USNRC (1979c) ‘Investigation into the March 28, 1979, Three Mile Island accident by Office of Inspection and Enforcement’, NUREG 0600, August.

Glossary

Active safety systems Systems which need energy and/or intelligence signals to operate. See also ‘Passive safety systems’, which are the contrary of active systems. Barrier (against radioactive releases) Structure, set of structures or of systems which contrast the uncontrolled ‘release’ of radioactive material to the outside or to the inside of a nuclear plant. For the radioactivity connected to fission products, the plant design provides the following barriers: the fuel matrix, the fuel element claddings, the primary circuit(s), the containment system. Best estimate approach Best estimate approach to safety evaluation or best estimate codes are those which are based on a faithful representation of the plant behaviour; they should be used in a safety analysis in combination with a reasonably conservative selection of input data and a sufficient evaluation of the uncertainties of the results; this approach is accepted by regulatory bodies; it may also be acceptable to use a combination of a best estimate code and realistic assumptions on initial and boundary conditions. The best estimate approach is the opposite of a conservative approach. BWR reactor Nuclear reactor where the steam is directly generated in the core (BWR ¼ Boiling Water Reactor). Conservative approach Conservative approach to safety evaluation or conservative code analyses are those where every assumption is chosen in a conservative way, in the light of the phenomenon to be evaluated. This approach is the opposite of the best estimate approach. Containment Set of systems forming the most external barrier(s) against the uncontrolled release(s) in the environment of the radioactivity of fission and activation products. It includes a ‘containment’ (single or double) in reinforced concrete and/or steel, which contains parts of the plant which can

be possible ‘sources’ of radioactive contamination (including the following: reactor and at least part of its cooling circuit) and auxiliary and service systems (isolation, ventilation, ‘removal’ of contamination, and so on). Core (of a reactor) Region of a reactor where the fission chain reactions occur. ‘Corium’ Mixture of nuclear fuel and of structural materials produced by core melt. ‘DBA’ (Design Basis Accident/s) see ‘Design Basis Accidents’. Degraded event sequence Event sequence(s) where it is assumed that a multiple malfunction (or lack of operation) of event prevention systems or of consequences mitigation systems occurs or extremely unlikely fault modes are assumed concerning single components or systems, including those performing the above mentioned functions. Design basis accidents Accidental events against which the plant safety systems are designed. Event Situation, internal or external to the plant, capable of perturbing its operation and due to malfunctions, faults and ruptures of components, systems or structural plant elements relevant to its safety and to the health protection of workers and of population. Excursion (of power) Fast and uncontrolled increase of the power produced in a nuclear reactor following an accident. Fast shutdown Fast insertion in the nuclear reactor core of negative reactivity, thus causing the immediate stop of the fission chain reaction. Feedback Intrinsic, or introduced from outside, functional characteristics of a system, consisting in the fact that the variable at the exit from the system influences the input one, enhancing its value (positive feedback) or attenuating it (negative feedback). Inherent safety ‘Inherent’ safety means the elimination of hazard by choice of material or design 423

424

Glossary

concept, for example the elimination in a plant of any combustible material (if possible) would demonstrate inherent safety from the danger of fire. Loca Loss of coolant accident. Passive safety systems ‘Passive’ safety systems are defined as the operating safety features of structures and devices designed to counteract specific events without the reliance on mechanical and/or electrical power, forces or ‘intelligence’ signals external to the same structures and devices. Primary circuit Barrier against the dispersion of radioactive material, consisting in the primary cooling circuit and in the vessel in which the core is contained. PWR reactor Nuclear reactor where the core power is transported by pressurized water which circulates in a system of ‘primary’ circuits. The production occurs within a set of Heat Exchangers (Steam Generators), using the thermal energy contained in primary water (PWR ¼ Pressurized Water Reactor).

Reactivity Functional parameter of a nuclear reactor, which expresses an instantaneous balance of the neutron multiplication processes and represents an index of the tendency to the variation of the power generated in the core at a certain instant. If reactivity is zero, then the power stays constant; if the reactivity is positive, the power increases and the contrary happens if the reactivity is negative. Release (of fission products) Dispersion of radioactive contamination outside one or more design barriers (s). Severe accident Event(s) or event sequence capable of producing more serious consequences than those anticipated for design accidents (in particular, significant reactor core melt). Source term Complex of radioactive products released from the plant in case of accident (as a function of time and with specification of their physical form). Vessel Pressure vessel containing the reactor.

Web sites

http://books.elsevier.com/companions/0750667230 This book’s companion web site. The following files can be downloaded: CONTPRESSURE.xls, DISPERSION1.xls, DISPERSION2.xls, DRYCORE.xls, DUHAMEL.xls, FUMIGATION1.xls, FUMIGATION2.xls, PRIMARYSYSTEM.xls www.cordis.lu the European Union site www.doe.gov www.europeanutilityrequirements.org www.iaea.org the IAEA site which contains much technical and regulatory information www.insc.anl.gov the site of the ‘International Nuclear Safety Center’ of United States operating

at the Argonne National with much information on plants and specific technical data www.insc.ru the site of Moscow INSC www.nrc.gov www.nucleartourist.com the site of the Nuclear Energy Institute in the US with information on existing reactors www.nuc.berkeley.edu the site of the Nuclear Department of Berkeley University; it is listed here as an example of the U.S. University sites, very interesting in general; each of them has usually links with the others www.oecd.org this is the site of OECD, Paris, very rich in information, for which authorisation is needed.

425


Index Note: Bold page number indicate the main reference for an entry

Accelerogram, 149, 157 Accidents (examples), 40 Accidents which should not happen, 204 ACMH (Advisory Committee for Major Hazards), 30 Active safety systems, 26 Adiabatic (gradient), 68 Aircraft crash, 189 ALARA, 1 ALARP, 245 ALWR (Advanced Light Water Reactors), 28 AP1000, 10 AP600, 9 Area accidents, 50 ‘As found’ (leakage), 141 ‘As left’ (leakage), 141 Atomic Energy Commission, 3 ATWS, 51, 230, 377 Baneberry (test of), 219 Barriers of defence, 89 Beyond design basis accidents, 51 Bequerel, 80 Best estimate approach, Bhopal, 31 Boiling water (reactors), 229 Bombs (nuclear), 215 Boolean (algebra), 100 Boron dilution accidents, 204 Boron (dissolved) reactivity, 38 Brownsferry (accident), 203 Building effect on dispersion, 75 BWR, 229 Cage (safety), 419 Cassini (Saturn probe), 237 Chernobyl, 279 Claddings, 21 Classification of accidents, 35 Classification of plant components, 117 Cloud concentration, 70 Cloud submersion dose, 81 Coefficient of moderator temperature and of voids, 37

Collective dose (workers), 81 Components (plant), 119 Conservative approach, 95 Containment systems, 141, 285 Control rod ejection accident, 44 Control rods reactivity, 39 Core overheating, 323 Core heat capacity, Core Rescue System (CRS), 8, 357 ‘Corium’, 21 Cosmos, 238 Cost–benefit analysis, 245 Cracks, 120, 337 Criteria (nuclear safety, table), 297 CRS (Core Rescue System), 357 Curie, 80

Damping (earthquakes), 149 Davis Besse, 202 Decay energy, 18 Decay power, 18, 291 Defence in depth, 7, 12, 89 DEMO, 225 Density locks, 29 Deposition velocity, 71 Depressurization (primary, systems), 357 Desalination plants, 233 Design basis accidents, 11, 35 Deterministic effects of radiation, 80 Deterministic method, 10 Deterministic safety analysis, 95 Direct radiation dose, 82 Dispersion of releases, 65, 379 Documentation (safety), 385 Doppler coefficient, 35 Dose, 79, 315 Dose (absorbed), 79 Dose limits, 79 Ductility, 162 Duhamel integral, 163 Dynamic pressure in tanks, 169 Dynamic thermal stress (PTS), 126 427

428

Index

Earthquake, 145 Earthquake (criteria), 145 ECCS (Emergency core cooling systems), 96 Effects of Radiation doses, 80 Effective dose, 79 EIA (Environmental Impact Assessment), 388 Emergency plan (external), 388 Emergency procedures, 388 Enbrittlement (neutron), 124 Enrichment (plants), 233 EPR (European Pressurized Reactor), 10 Equivalent dose, 79 Erroneous beliefs in nuclear safety, 239 EUR criteria, 196, 327 Exclusion zone, 3 Explosions (nuclear), 215 External natural accidents, 51 External impact, 189 EXTERNE, 247 Event tree, 98

Fail safe, 30 Failure rates, 105 Fallout, 216 Fast reactors, 232 Fast shutdown (scram)(trigger limits), 35 Faults, faulting, 149 Fault tree, 99 Filtered containment venting, 53 Fission product reactivity, 39 Flixborough, 26 Floor response spectrum, 171 Fluence, 125 Fluidic diodes, 29 Fracture mechanics, 337 Fragility, 147 Fuel fabrication, 243 Fuel handling accident, 47 Fuel plants, 233 Fujita (scale of), 186 Fumigation, 73 Fusion (safety of . . . reactors), 225 Future accident (to be prevented), 204 Future reactors, 23

Gap (fission products), 63 Gas (reactors), 231 GDC (US General Design Criteria), 343 General design criteria (USA), 355 Genetic effects of radiation, 79 Glossary, 423 GPHS.RTG, 237 Gray, 79

Ground motion (reference), 148 Ground shine dose, 81, 316 Ground (soil) stability (earthquakes), 160

Health consequences of releases, 79 Health Physics units, 79 Heavy clouds, 66 Hereditary effects of radiation, 79, 80 Hiroshima and Nagasaki, 215 History of nuclear safety technology, 2 Hot-cold interface, 29 Human behaviour (probability), 98

IAEA criteria, 196, 355 IFMIF, 225 Impacts (external), 189 INES, event scale, 205 Inhalation dose, 81 Inherent safety, 26 Intensity (seismic), 154 Interfacing systems LOCA, 61 International Nuclear Event Scale (INES), 205 Intrinsic safety, 26 Inverted scram, 9 Inversion, 68 Iodine spike, 15 IPIRG (International Piping Integrity Research Group Program), 133 IRIS reactor, 10 Irradiation embrittlement, 124 IRS (Incident Reporting System), 201 Isolation (seismic), 177 ISCC (Intergranular Stress Corrosion Cracking), 132 ITER, 225

J integral, 338 Justification principle, 79

KI, KIC, KIA, 339 Kyshtym (accident), 203

Large LOCA with failure of recirculation, 62 LD50, 80 Leak before break, 130 Leaks (detection), 132 LER (Licensee Event Report), 201 Levels of defence, 89 Limitation principle, 79 Limits (for reactor operation), 35 Limits of releases on a site, 85

Index Liquefaction, 158 LLE (Loss of life expectancy), 247 LOCA, 46 Long distance dose, 82 Loss of electric power, 58 Loss of electric power with LOCA, 61 Loss of life expectancy, 247 Low population zone, 4 Magnitude (seismic), 154 Marshall Report, 122 Media (and safety), 12 Methyl isocyanate (MIC), 31 Modal (seismic) analysis, 149 Moderator temperature coefficient, 37 Mononobe – Okabe, 161 Most interesting releases, 65 Mururoa, 220 Natural origin accidents, 51 Negative scram: see ‘Inverted scram’, 9 NII criteria, 197 Non-stochastic effect of radiation, 80 Nuclear bombs, 215 Nuclear explosions, 215 Nuclear safety criteria, 195 Nuclides, 13 Objectives (of nuclear safety), 1 Operating experience, 201 Operation manual, 388 Operation organisation document, 340 Optimization principle, 79 Oscillator (simple), 162 Pasquill, 71 Passive safety system, 26 PBMR (Pebble bed modular reactor), 10, 232 Perforation (impact), 191 Periodic safety reviews, 391 PIE (postulated initiating events), 96 Pile (Fermi, CP1), 2 Pipe Fracture Encyclopedia, 133 Pipe whip, 130 Piping, 130 Piping (regulatory positions), 130 Piping (research), 133 PIUS, 29 Plant components, 119 Plant-site complex safety, 85 Plutonium (deposited) dose, 81, 238 PRA, 97 Preoperational test program, 390

429

Pressure in containment, 285 Pressure peak (lateral), 192, 217 Pressure-temperature correlation (water), 378 Pressure tube reactors, 231 Pressure vessels recommendations, 128 Pressure wave, 192 Pressurizer, 18 Primary depressurization systems, 357 Principles of Health Protection and Safety, 79 Probabilistic safety analysis, 97, 388 Probabilistic method, 97 Proliferation, 250 PSA (probabilistic safety analysis), 97, 388 PTS (Pressurised Thermal Shock), 126 PUN criteria, 197 PWR (scheme), 29 Quality assurance, 93 Quality assurance plan, 93 Radiation generating machines, 234 Radiation weighting factor, 80 Radioactive products, 25 Radioactive sources, 234 Radioactive waste, 221 Radioactivity, 80 Rasmussen Report (WASH 1400), 6 Ratcheting, 4 RBMK, 9 Reactivity balance, 40 Reactor Pressure Vessel, 119 Reactor Safeguards Committee, 3 Regulatory framework, 385 Regulatory Guides (NRC), 393 Repair probability, 98 Reprocessing plants, 233 Research (nuclear safety), 199 Research reactors, 232 Release of fission products (conventional from core, TID), 5 Release for accidents (Table), 41 Residual risk, 245 Richter Scale, 154 Risk analyses (credibility), 248 Risk informed method, 246 Risk of human activities, 248 RPV, 119 Rupture probability of pressure vessels, 120, 122 Safe plant (when . . .), 243 Safety analysis, 95 Safety analysis review, 107 Safety approach (general), 122 Safety cage, 405

430

Index

Safety criteria (table), 297 Safety culture, 7 Safety documents, 385 Safety Goal, 248 Safety objectives for sites, 386 Safety Report, 398 Safety systems, 17 Safety systems effectiveness, 21 Saint Laurent Les Eaux, 203 Salama, 408 Satellites (with nuclear plants), 237 Savannah, 234 Scram, 2 Seismic hazard, 98 Seismo-tectonic model, 152 SENA, 209 Severe accidents, 6, 53, 58 Severe accident management, 57 Seveso, 26 Shielding (radiation), 83 Ship propulsion reactors, 234 Sievert, 79 Single failure, 3 Site characteristics, 87 Site criteria (Italian chart), 409 SL1 (accident), 204 Sloshing (of liquids in tanks), 175 SNAP, 237 Sodium cooled fast reactors, 232 Soil resistance (earthquakes), 158, 160 Soil–structure interaction, 150, 173 Solar radiation, 291 ‘Solid’ system, 239 Somatic effects of radiation, 80 Sources (radioactive) and radiogenic machines, 234 Source term, 62, 319 Space-time history, 152 Specific plants and activities, 229 Spectrum (design and verification, for earthquakes), 149 Squib valves, 29 Stack effect on release dispersion, 70 Standard Review Plan, 409 Starfighter, 189 STARFIRE, 226 Start up rate, 39 Stochastic effects of radiation, 80 Storage facility (impact accident), 316 Stress assisted intergranular corrosion, 132 Structures resistance (earthquakes), 162 Submersion doses, 81 Superadiabatic (gradient), 68

Terrorism, 250 Thermal analysis of a dry core, 323 Thermal constant of fuel rod, 326 Thermal plume rise, 75 Thermal shock (vessel), 126 Three Mile Island (TMI) accident, 411 Three Mile Island vessel, 126 Time history seismic analysis, Tissue weighting factor, 80 Tokai Mura (accident), 204 Tolerable risk, 245 ‘Too cheap to meter’, 4 Tornado, 185 Tornado scale, 186 Toughness, 340 Tower (meteorological), 70 Transients (primary, calculation), 365 Transport safety, 234 Tritium, 81, 226 Tsunami, 87 Tube reactors, 231 Underadiabatic gradient, 68 Underground location of nuclear plants, 209 Underground nuclear tests, 218 Underground (buried) structures (earthquake), 175 US general criteria, 195 V sequence, 54 Valves, 134 Vandellos (accident), 204 Vessel, 119 Vessel and severe accidents, 127 Vessel failure prevention, 128 Virtual dose in severe accident, 315 Void coefficient, 37 Voluntary action accidents, 51 Vortex valves, 29 VVER (russian PWRs), 234 WANO, 7, 201 Warm prestressing, 126, 340 Waste (radioactive), 221 Web sites, 425 Wigner energy, 203 Windscale accident, 203 Xenon and Samarium reactivity, 39 YOLL, 247

Technical specifications for operation, 390 Temperature–pressure correlation (water), 378

Zircalloy, 21

Nuclear Safety

Nuclear Safety

Elements of nuclear safety

Radiation Safety in Nuclear Medicine, 2nd Edition

Nuclear Safety: A Human Factors Perspective

Nuclear Power - Operation, Safety and Environment

Safety Culture in Nuclear Power Operations

Risk and Safety Analysis of Nuclear Systems

Nuclear

Safety

Probabilistic Safety Assessment in the Chemical and Nuclear Industries

Effective Corrective Actions to Enhance Operational Safety of Nuclear Installations

Probabilistic safety assessment in the chemical and nuclear industries

Nuclear

Nuclear Competence Building (Nuclear Development)

Nuclear Development Innovation in Nuclear Energy Technology (Nuclear Development)

Nuclear Medicine

Nuclear Jellyfish

Nuclear Time

Nuclear Models

Seeking Safety

Equine Safety

Nuclear Time

Nuclear Structure

Nuclear Structure

Nuclear Reprogramming

Nuclear Dynamics

Nuclear Energy

Nuclear Time

Nuclear Fission

Nuclear Time

Nuclear Safety

Nuclear Safety

Elements of nuclear safety

Radiation Safety in Nuclear Medicine, 2nd Edition

Nuclear Safety: A Human Factors Perspective

Nuclear Power - Operation, Safety and Environment

Safety Culture in Nuclear Power Operations

Risk and Safety Analysis of Nuclear Systems

Nuclear

Safety

Probabilistic Safety Assessment in the Chemical and Nuclear Industries

Effective Corrective Actions to Enhance Operational Safety of Nuclear Installations

Probabilistic safety assessment in the chemical and nuclear industries

Nuclear

Nuclear Competence Building (Nuclear Development)

Nuclear Development Innovation in Nuclear Energy Technology (Nuclear Development)

Nuclear Medicine

Nuclear Jellyfish

Nuclear Time

Nuclear Models

Seeking Safety

Equine Safety

Nuclear Time

Nuclear Structure

Nuclear Structure

Nuclear Reprogramming

Nuclear Dynamics

Nuclear Energy

Nuclear Time

Nuclear Fission

Nuclear Time

Recommend Documents