ML20237B576

Regulatory Actions Taken to Enhance LWR Safety in Various Countries
ML20237B576
Person / Time
Issue date: 07/31/1987
From: Brown G, Messieres Candace De, Jeffries J
Advisory Committee on Reactor Safeguards
To:
Shared Package
ML20237B537 List:
References
FOIA-87-640 ACRS-GENERAL, NUDOCS 8712160359


Text

REGULATORY ACTIONS TAKEN TO ENHANCE LWR SAFETY IN VARIOUS COUNTRIES

ACRS Fellows

Dr. Monideep K. De, Task Leader
Gilbert M. Brown
James A. Jeffries
John A. MacEvoy
Casper Sun
Ali Tabatabai

January 1987

8712160359 871210 PDR FOIA PDR SORG187-640

CONTENTS

| Country | Section |
|---|---|
| France | I |
| Federal Republic of Germany | II |
| United Kingdom | III |
| Sweden | IV |
| Switzerland | V |
| Finland | VI |
| Netherlands | VII |
| Belgium | VIII |
| Italy | IX |
| Japan | X |

SUMMARY

At Dr. David Okrent's request, the ACRS Fellows conducted a study on LWR safety improvements in various countries that seem beyond what has been implemented in U.S. plants. This report documents this effort.

A total of ten countries were studied, nine in Europe, and Japan. The availability of literature on LWR safety varied from country to country. Therefore, the improvements in some countries are reported more fully than others.

The study did not attempt to assess the overall safety of any plant, nor did it investigate the feasibility of implementing the European features in U.S. plants.

A significant number of safety improvements have been made in various countries by modifying plant design and improving emergency procedures. Some of the major improvements are for:

- Station blackout
- Emergency procedures for severe accidents
- Decay heat removal system
- ECCS

We believe that some of these changes are improvements that deserve further consideration.

For consistency and clarity, the following format was used for each improvement:

- Regulatory action
- Basis
- Implementation

SECTION I

FRANCE

A. Pre-Chernobyl

1. Forwardfit

Introduction

The French have incorporated a number of significant safety improvements, relative to the current generation of US plants, in their 1300-MW Standard Design (P4). The improvements include changes and additions to plant hardware, and plant emergency procedures for beyond design basis events and core melt conditions. These improvements have been reviewed by the NRC Staff [1]. The changes incorporated provide significant benefits in plant safety.

Safety Goals

The regulatory actions taken to improve plant safety were based on safety objectives in terms of probability and consequences. The objectives are discussed in Reference 2 and are:

- As a general objective, PWR design should aim at a probability of unacceptable consequences less than 10E-6 per reactor-year.
- If a given family of events is not taken into account in the design, then it must be demonstrated that the probability that this family will induce unacceptable consequences is less than 10E-7 per reactor-year.
- The containment should constitute an ultimate line of defense which would reduce the radioactive release to the environment to a level compatible with a feasible offsite emergency plan.

The following provides a brief description of the various regulatory actions, their bases and implementation. The details of the design changes are described in Reference 1.

AC POWER

Regulatory Action:

To include design features (as well as procedures) that enable the plant to cope with a loss of all AC power for up to 3 days.

Basis:

A probabilistic study showed that the probability of occurrence of loss of all AC power (for a significant time) was on the order of 10E-5 which was unacceptable. The study concluded that the loss of RCP seal cooling during a blackout sequence was a major deficiency in the plant.

Implementation:

Addition of a small steam-driven electrical generator for reactor coolant pump seal cooling and selected instrumentation and controls. Under normal operating conditions the RCP seals at the P4 plants are cooled in the same way as the seals at SNUPPS (i.e., the CCW system via the thermal barrier and injection via the CVCS). However, if all AC power were lost, the RCP seals would be cooled by injection from a hydraulic test pump that automatically gets power from a steam-driven generator that takes steam from the steam generators upstream of the MSIVs. The steam-driven generator also provides power to control room lighting and to instrumentation and controls for monitoring the primary and secondary plant parameters necessary to achieve and maintain hot standby.

Addition of a gas turbine to back up diesel generators. A mobile gas turbine generator is located either at the site or in the region so that it can be transported and put into operation within 3 days. The gas turbine is a backup to diesels and other units in the site.

The DC Electrical Power Supply System is improved in terms of (1) the number and arrangement of the batteries, (2) diversity, (3) capacity, and (4) number of battery chargers.

A special procedure, H3, has been developed to respond to a blackout and to utilize the additional hardware described above. See Table 1 for a list of H procedures. H stands for hors-dimensionnement, which means in French "beyond design".

The French have calculated that the implementation of the above items has decreased the probability of core melt due to loss of all AC power by a factor of 70.

ECCS

Regulatory Action:

To improve the reliability of the Emergency Core Cooling System.

Basis:

In case of a LOCA, the most important sequences leading to core melt result from the failure of the recirculation cooling system. The main causes of the loss of recirculation cooling are:

(1) Human error resulting from the manual switchover from the injection to recirculation phase.

(2) Loss of pumps during operation.

Implementation:

The P4 plant is designed for completely automatic injection and switchover from injection from the RWST after a LOCA to recirculation from the containment sumps. This completely automatic operation is feasible, in part, because the P4 ECCS has dedicated subsystems that do not perform other functions during normal operation.

In the P4 design, the ECCS is not used during normal operation. The plant is designed with an additional low-pressure injection system (2 pumps) that is independent of the RHR system. In addition, the RHR system is not used to feed the safety injection pumps (as it is in the SNUPPS plants), and the SI system is independent of the CVCS. The French ECCS system is designed to be functionally independent and physically separate from systems used in normal plant operations.

An interconnection has been made between the Low Pressure Injection System and the Containment Spray System, and mobile equipment for long-term cooling following a LOCA. This interconnection allows the CS pumps to be used for low pressure safety injection if the LPSI pumps are unavailable or vice versa. Fittings for mobile pumps are also available. The H4 procedure has been developed to guide the operator in using these additional ways of injecting water into the core.

Secondary Heat Removal

Regulatory Action:

To improve the reliability of the secondary heat removal system during a station blackout and to extend heat removal capability to 3 days without AC power.

Basis:

Results of probabilistic risk assessments have indicated that loss of auxiliary feedwater during a station blackout is determined in the short term by the reliability of the turbine-driven pumps. In the long term (greater than about 8 hours), the concern is an alternate supply of water after the condensate storage tanks have emptied.

Implementation:

The French design has two turbine-driven AFW pumps instead of the single turbine-driven AFW pump typical of most U.S. plants.

In the P4 design, the demineralized water storage tank is connected for gravity feed to the CST so that the water supply is extended to 3 days (without any AC power) instead of the 8-hour CST supply in most U.S. PWRs.

Interfacing LOCA - Event V

Regulatory Action:

Decrease plant risk due to the Interfacing LOCA or Event V sequence.

Basis:

Plant risk assessments have shown the Event V sequence to be a major contributor to overall core melt frequency. Operational events have occurred in plants that have resulted in the pressurization of the RHR system.

Implementation:

The RHR system in the French P4 plant is located inside containment.

Plant Support System

Regulatory Action:

To provide a more reliable cooling system for safety related equipment.

Basis:

Systems interaction studies have shown the benefit of improving the reliability and independence of plant support systems for safety related equipment.

Implementation:

The P4 charging pumps are cooled by a radiator and fan driven by the pump shaft. The charging pump motors and lube oil coolers are cooled by air so that there is no dependence on cooling water (CCW or ESW). The motor-driven AFW pumps are also independent of cooling water systems because their motors and lube oil coolers are cooled by the pumped fluid.

2. Backfit and Forwardfit

Emergency Operating Procedures

Regulatory Action:

To develop emergency operating procedures for (1) beyond design basis events, and (2) severe accidents.

Basis:

As a result of the accident at TMI, the French realized, as in the U.S., the need for procedures for multiple failures and for beyond design basis events. The French also identified the need to define last-resort measures to prevent core meltdown; and in case of core melt, to provide a controlled and filtered venting of the containment.

Implementation:

The H procedures (Table 1) have been developed and implemented in all operating plants [2]. They are similar to the safety function based procedures in the U.S.

For the P4 plants, the H procedures utilize many of the design improvements described above. A gas turbine has been backfitted in each operational site to supplement the existing external power sources. Instructions for its use are given in the H3 procedure. The H4 procedure provides guidance for the use of various pumps, including mobile equipment, for safety injection.

The U procedures (Table 2) are currently being developed and will be implemented in all plants. See Reference 2 for a good description of the procedures. They have been evaluated by the NRC Staff in Reference 3.

Two important differences exist between U.S. emergency procedures (EPs) and the U procedures. First, the EPs are intended to be used by the same operating staff that have previously been operating the plant, whereas the U procedures are written for the shift safety engineer (a role that has no direct equivalent in the U.S.--an STA has no line authority to direct operations). Secondly, the emphasis in the EPs is on actions to be taken, whereas the U procedures are more concerned with understanding the state of the plant. The safety engineer is provided with information and guided to find impromptu solutions to a severe condition. The conditions could range from severely degraded cores to a core on the containment floor.

Post-Chernobyl [4]

The French Industry Minister has asked the country's nuclear safety authority, SCSIN (Service Central de Surete des Installations Nucleaires), to prepare a full report on the consequences of the Chernobyl accident for the French industry. The report is due early this year and will be reviewed by an independent advisory body, the High Council for Nuclear Safety.

Meanwhile, EdF has taken the following initiatives following the Chernobyl accident:

- Each nuclear plant will complement its emergency plan with, in liaison with local authorities, a general emergency plan
- A joint effort with EPRI on the formation of hydrogen during accidents
- A centralized scheme for collecting radioactivity monitoring information from around nuclear plants

Conclusion

The NRC Staff has concluded (NUREG-1206 [1]) that the design changes for the P4 plant described above result in substantial benefits for plant safety. We endorse this conclusion and recommend that the U.S. industry carefully review these improvements in plant design.

References

1. U.S. Nuclear Regulatory Commission, "Analysis of French (Paluel) Pressurized Water Reactor Design Differences Compared to Current U.S. PWR Designs", NUREG-1206, June 1986.

2. P. Tanguy, "The French Approach to Nuclear Power Safety", Nuclear Safety, Vol. 24, No. 5, September-October 1983.

3. U.S. Nuclear Regulatory Commission, "Management of Severe Accidents", NUREG/CR-4177, BMI-2123, Vol. 2, May 1985.

4. Nuclear News, August 1986, page 125.

Table 1

French Emergency Operating Procedures for Beyond Design Basis Events

| Procedure | Purpose |
|---|---|
| H1 | Loss of heat sink |
| H2 | Loss of normal and auxiliary feedwater |
| H3 | Loss of electrical supply |
| H4 | Use of the interconnection between the low-pressure injection and spray systems |
| H5 | Response to floods |

Table 2

French Ultimate Emergency Operating Procedures

| Procedure | Purpose |
|---|---|
| U1 | Last resort measures to prevent core meltdown |
| U2 | Actions in case of inadequate containment isolation |
| U3 | Use of mobile units to supplement core-injection or containment spray systems |
| U4 | Actions to flood the reactor cavity |
| U5 | Use of controlled, filtered containment venting |

SECTION II

FEDERAL REPUBLIC OF GERMANY

A. Pre-Chernobyl

A.2 Forward-Fit

Introduction

The Germans moved enthusiastically into use of NPPs. They now have in operation or under construction 25 LWRs. These are split almost evenly between PWRs and BWRs. In 1985, approximately 31% of their electricity was generated by NPPs.

As they started their plants somewhat later, but used U.S. vendor designs and information, their plants are almost "second generation." Safety modifications include higher pressure containments, separation of systems, higher ECCS flow rates and heads, and plane shields. Apparent reasons for such features are discussed below. However, it appears more attention was given to the PWRs (for example, the Konvoi units) than for the BWRs.

Safety Fundamentals

The FRG radiation dose limits are identical to those of the U.S. (Nuclear Safety, Vol. 24, No. 6, pages 743-782, November-December 1983.)

Intending a defense in depth in all instances, three consecutive safety levels are utilized. The first includes (1) high safety margins through design and selection of materials, (2) quality assurance, (3) reliability of systems, (4) qualification of operators, and (5) operation-limits ahead of protective devices. The second level is provided by protective systems to initiate measures to bring the plant to a safe condition. The third is comprised of safety systems for limiting accident consequences, such as ECCS and RHR. All plants are protected from external events such as earthquakes, floods, hazardous chemicals, explosions, and airplanes. The use of redundancy and physical separation is fundamental. The N+2 principle allows testability and maintenance without operation interference. The absence of interwoven systems allows a purer utilization of active and passive failure assumptions.

Containments

Both quantitative and qualitative requirements of containment materials are given in Section 1 of KTA Safety Standard 3401. As stated above, it appears FRG gave more attention to the PWR containments as compared to the BWRs. An example is the PWR progression to Konvoi (convoy) designs while keeping the BWR pressure suppression containments.

If a convoy containment pressure rating is compared to Diablo Canyon-2, the values of 92 and 62 psi appear. Apparently, the higher value is through adding a 15% margin above calculated pressures, reducing the apparent containment free volume by 2%, adding 2% to the primary coolant system mass and energy inventories, and adding the SG (secondary system) inventories as if the tubesheet fails. In the U.S., considerable energy flows through the SGs after a break occurs. Perhaps all of these result in the almost 50% difference. A comparison of safety system parameters is given in Table II-1.

For BWRs, the use of internal recirculation pumps allowed design changes and reduced inventories. They also used their own pressure suppression analytical tools and moved to installation of "X" quenchers, as we sought remedies of swell and pulses through use of both "X" and "T" devices.

Venting of containment annuli, at least for the convoy units, through filters and to a stack can be done. Also, and this is my personal view, post-accident, long-term cooling is possible by spraying any water on the bare steel containments. They use catalysts for hydrogen control, rather than electricity-dependent thermal units.

ECCS

The ECCS requirements are given in RSK Guidelines for Pressurized Reactors and the KTA Safety Standard 3301. The safety principles are (1) redundancy (a single failure criterion for both active and passive components), (2) diverseness, and (3) spatial separation. The systems cannot be interwoven and must be separated with regard to power supply, function supply, control instruments, seismic effects, and external hazards. It is their interpretation of single failure that led to the N+2 criterion. For example, a 4 x 50% design would allow for one failure and one under repair while still having 100% capacity.

As can be seen in Table II-1, there are parameter differences in safety systems as well as bases differences. For example, where higher flows and heads are shown for ECCS, analytical tools, or their result interpretations, must be different. Also, where both hot and cold leg coolant injections, and lower pressure accumulators, are used there must be different interpretations of phenomena to support such a design.

A special value is placed on the primary coolant system boundary. For example, the PWRs do not have any nozzles, even for instruments, below the core. Once again, it appears the PWRs win over the BWRs.

Spent Fuel Storage

Both new and spent fuel are stored inside containments. The latter is cooled by safety grade systems which have emergency power.

Emergency Power Supply

The power supplies have requirements of reliability, monitorability, and duplicity. The reliability is defined for both availability and testing in regulatory documents. The monitoring is determined by continuous measurements. However, this is not understood. Must the DGs run continuously? One power requirement is that the unit main turbine must be capable of supplying only the house load for long intervals. The onsite emergency power supply is divided into two systems having four trains each. Each system has the required emergency capacity and one train may not deleteriously affect another. It appears this requires four 50% trains being duplicated in another system.

RHR Systems

It appears that four 50% decay heat removal systems are required. However, the mixture of decay heat, SG feedwater, and LPCI systems was not understood.

B. Post-Chernobyl

The Germans are reexamining their safety systems. Obviously, the nuclear power attitudes vary greatly between political parties and states. No specific post-Chernobyl changes have been mandated, but review of remedies for severe accidents is being made. All post-Chernobyl information came from recent periodicals and is discussed below.

In the October 1986 issue of Nuclear News (NN, p. 71), it was reported that the FRG Reactor Safety Committee (RSK) had been instructed to undertake safety reviews of 19 LWRs. Special emphasis was to be placed on core melt and slow containment pressurization. The NN authors predicted a capability for venting and scheduling of frequent containment inspections would result. However, the results of this review are not known.

In NN for November 1986 (p. 21), shutdown of Kaerlich, after only one day of operation, at a cost of $900,000 per day, was reported. It is not clear whether a current cooling tower issue, for this B&W-type plant, is related to SBO and long-term cooling or not. RWE has made plans to mothball parts of the plant for a lengthy interruption.

A TUV (Technical Supervisory Union) report, made inadvertently public in Germany last November, stated the BWRs at Brunsbüttel and Krümmel could suffer failed containments within three hours should a SBO occur. A loss of residual heat removal could result in failure within 21 hours. These times could also apply to the BWRs at Philippsburg, Isar, and Würgassen, but not to the newer plants at Gundremmingen. Using similar bases, a PWR containment may not fail for five days. The TUV analyses did not take into account onsite DGs, incoming power lines, or pumped storage power (NN, January 1987, p. 65).

An FRG paper on containment venting was presented at the 1986 Wingspread Conference by K. Bracht. However, this analysis was based on hypothetical situations and equipment, not on existing regulatory mandates and systems. Both early and late venting through filters to a stack was discussed and several pressure and hydrogen concentrations versus time curves were shown. Overall, late, versus early, venting appeared more desirable. Interestingly, the venting system illustration was identical to an advertisement in NN that month. This system appeared to take gases from the convoy sphere, through particulate and iodine filters located in the annulus, and then release through a stack. It was stated that an "uncomplicated filtered vent system has been developed in FRG," apparently as illustrated identically in both places.

In conclusion, it appears the Germans are reexamining their safety designs. This review may result in mandatory venting capabilities and other modifications.

Decay Heat Removal Systems

A. Pre-Chernobyl

1. Backfit (plants in operation)

a. Regulatory Action

Require installation of Special Emergency Decay Heat Removal Systems.

b. Basis

Brunsbüttel: Designed to cope with earthquakes, external explosions, sabotage, and airplane crashes not foreseen in the original design.

c. Implementation

Brunsbüttel: Was requested to backfit the Special Emergency Decay Heat Removal System in May 1979. The system has dedicated service water, pumping components, process control, and diesel backed power systems, with a remote control room. The systems are located in a new building connected by a tunnel to the reactor building.

2. Forwardfit (plants under construction or in the design stage)

a. Regulatory Action

BBR at Kärlich: None found.

b. Basis

BBR at Kärlich: None found.

c. Implementation

BBR at Kärlich (Brown Boveri-B&W PWR): For emergency feedwater (equivalent to US aux. feedwater), BBR has a fourfold redundant system, each train of which has an emergency condenser. BBR also has an emergency bunkered "Notstand" system to feed the steam generators and provide borated primary system makeup. Steam generators are fed from a storage pool with a 10-hour inventory. Steam is released to the atmosphere. All systems, including power supplies, are totally independent of the standard plant systems.

Table II-1

Comparison of Konvoi and Diablo Canyon-2 Parameters and Safety Systems

| Parameter/System | Konvoi | DC-2 |
|---|---|---|
| Power, MWt | 3765 | 3411 |
| Fuel | U, Pu Oxide | U Oxide |
| Primary Coolant Pressure, psi | 2282 | 2254 |
| Containment Design Pressure, psi | 92 | 62 |
| Containment Type | S. Sphere | Conc. Cyl. |
| Containment Leak Rate, %/day | 0.25 | 0.10 |
| Containment Spray | No | Yes |
| Fan Coolers | No | Yes |
| Containment Annuli Vent, No./% | 2/100 | Op. Purge Only |
| Post Accident Sampling System | No | Yes |
| HPCIS, No./Flow/Cutoff Head * | 4/990/1600 | 2/436/1091 |
| LPCIS, No./Flow/Cutoff Head * | 4/5058/160 | 2/3037/160 |
| Accumulators, No./Pressure/Total Vol. | 8/364/849 | 4/669/842 |
| Component Cooling System, No./% | 4/50 | 2/100 |
| DGs, No./% | 4/50 (X2?) | 3/50 |
| Hydrogen Recombiners, No./% | 2/100 (Ext.) | 2/100 (Int.) |
| Pressurizer, cu ft (free vol.) | 2295 | 1800 |
| RHR, No./% | 4/50 | 2/100 |
| Spent Fuel Cooling, Safety Grade | Yes | Manual Maint. |
| Emergency Boric Acid Addition | Yes | No |
| EFW, No./% | 4/50 | None |

* gpm and psi

SECTION III

UNITED KINGDOM

DESIGN DIFFERENCES BETWEEN SNUPPS AND SIZEWELL B

INTRODUCTION

This section presents a brief discussion regarding the safety philosophy in the United Kingdom and some of the safety features added by the British to the design of the Westinghouse Standard Nuclear Unit Power Plant System (SNUPPS) PWR design.

In order to present the basis for the British change of SNUPPS design and addition of certain safety systems, it is appropriate to review the background of the SNUPPS and some of its characteristics.

In the early 1970s, Westinghouse, together with a group of U.S. utilities and Bechtel, evolved a standard PWR design, Standard Nuclear Unit Power Plant System (SNUPPS). SNUPPS is a conventional Westinghouse four-loop reactor with vertical U-tube steam generators and is typical of today's U.S. plants. The first plant of this series is Callaway.

SNUPPS incorporates a backup emergency boration system, two high-pressure and two intermediate-pressure emergency core cooling pumps, and three diverse auxiliary feedwater supply systems to help remove residual heat from the steam generators. Most of these features are present in other Westinghouse LWRs, and SNUPPS may be regarded as being typical of modern Westinghouse PWRs. The core-melt frequency of these plants as calculated by probabilistic risk assessment (PRA) is usually in the range 1E-04/py to 1E-05/py.

The characteristics of the SNUPPS design as characterized by Callaway are presented in Table III.1.

REGULATORY ACTION

The basic philosophy of the Health and Safety at Work Act 1974 (provisions for the safety of workers in industrial and commercial activities and for members of the public) is that all that is "reasonably practicable" must be done to ensure safety. This concept, together with certain limits that should not be exceeded, forms the background to the Nuclear Installations Inspectorate (NII) Judgement. NII is the UK regulatory authority.

The concept of "so far as it is reasonably practicable" lies at the heart of UK safety legislation and in the nuclear industry has been a powerful stimulus for change and improvement. Fixed limits or requirements come under pressure from the application of this principle to change in a direction of greater safety.

The five fundamental principles of this concept are:

1. No person shall receive doses in excess of the appropriate dose equivalent limit as a result of normal operation.

2. The exposure of persons shall be kept as low as reasonably practicable.

3. In regard to principle 2, the collective dose equivalent to operators and to the general public as a result of operation of nuclear installation shall be kept as low as reasonably practicable.

4. All reasonably practicable steps shall be taken to prevent accidents.

5. All reasonably practicable steps shall be taken to minimize the consequences of any accident.

In early 1983, the Central Electricity Generating Board (CEGB) of Great Britain applied to its Secretary of State for Energy for approval to build a nuclear power station at Sizewell in Suffolk, England. The Sizewell B reactor, which will be the first British nuclear station to employ a PWR design, is similar to the Westinghouse SNUPPS reactor design. However, CEGB has incorporated into the design of the Sizewell B plant several safety-related systems that differ significantly from SNUPPS and other U.S. PWRs.

Some of the specific regulatory actions include: measures to reduce offsite radiological consequences from all releases occurring within the primary containment, improving the availability of the safeguards system (ECCS), improved shutdown system, improved containment performance, improved reactor protection system, and increased equipment redundancy.

BASIS

In 1974 the major UK licensee introduced probabilistic criteria to give design targets for the reliability of safety systems. A key criterion was that the total frequency of all accidents leading to large uncontrolled releases should be less than 1 per 1,000,000 reactor years. A subsidiary criterion was that the frequency of such a release from a single accident should be less than 1E-7/year; the intention of this criterion was to avoid any single accident dominating the total.

Based on information available in literature and those provided by NRC staff, it was noted that many of the safeguards implemented in the British PWR design (Sizewell B) are based on four sets of components, e.g. there are four diesel generators and four high head safety injection pumps. The reasons for so much redundancy have been broadly described by CEGB and are presented in the following paragraphs.

The CEGB Design Safety Guidelines set very stringent targets on the reliability to be achieved by the safeguard systems. These are such as to demand substantial redundancy of safeguard plant, and for the more probable faults and fault sequences they demand diversity of plant as well. The reason for the diversity requirement is that addition of more and more sets of redundant equipment results in diminishing returns due to the risk of common mode failures in that plant, recognized by the Design Safety Guidelines cut-off rules with respect to the reliability which may be claimed of redundant systems.

It should also be noted that an important factor in the CEGB Design Guidelines is the requirement where reasonably practicable that there should be sufficient redundancy of plant to permit on-line maintenance of safeguards equipment. This was a substantial factor leading to the choice of four trains of much of the safeguards equipment.

The CEGB further noted that in general, with four sets of equipment it is possible to remain safe with one set under maintenance, one set to fail and still have a comparatively reliable system of plant available for operation.

IMPLEMENTATION An improved version of the SNUPPS design, and one in which the greatest attention has been given to safety, was prepared by the Central Electricity Generating Board (CEGB) in the United Kingdom for a plant designated Sizewell B.

To meet the stringent requirements posed by the high population density in the vicinity of the site, the CEGB made an it. tensive five-year study, of the reactor safety problems and the measures that might be taken to minimize the probability of an accident.

The Sizewell B design modified that of the SNUPPS with the following ad-ditions:

1. Four high-pressure safety injection (HPSI) pumps dedicated to safety, each with heads lower than 2000 psi and with higher flow volume than Callaway's.

   The actuation of the HPSI pumps will automatically shut down the higher head charging pumps, thus preventing overpressurization in overcooling transients.

2. Four accumulators, any two of which are sufficient for core cooling at the 600 psi pressure range (instead of the required three at Callaway).

3. Four low-pressure pumps to recirculate water for core cooling at low pressures and for containment sprays. These pumps are dedicated to residual heat removal.

   In addition, the high pressure HPSI suction is automatically switched to the containment sump when the refueling water storage tank is low. In older Westinghouse reactors, including SNUPPS, such switching to this backup source of water must be done manually.

4. An additional steam-driven auxiliary feed pump, in addition to the two electric pumps already in SNUPPS. All the pumps are farther apart than at Callaway and are therefore less subject to common-mode failure.

5. Four diesel generators (instead of two) to provide emergency power in case of loss of offsite power.

6. A microprocessor-based reactor protection system backed up by a secondary protection system based on solid-state switches.

7. An emergency boration system as a backup reactor trip system to cope with anticipated transients without scram.

8. An extra diesel-driven emergency charging pump to make up for pump seal leakage during station blackout.

9. An additional isolation valve between the high-pressure reactor cooling system and the low-pressure residual heat removal system to minimize the chance of the containment bypass accident sequence.

10. Connections to provide water from fire pumps to containment safety features.

11. Construction of ring forgings with no major welds in the beltline region of the reactor pressure vessel to minimize the chance of vessel brittle failure due to irradiation and overcooling transients.

12. A secondary containment vessel to further reduce the probability of an escape of radioactive material to the environment.

Table III.2 presents the rated characteristics and attributes of the Sizewell B design.

The probabilistic risk assessment for the Sizewell B reactor gives a mean core-melt frequency of 1.1E-06/py. The frequency of a large release of radioactivity is estimated to be 3E-08/py.

The cumulative impact of the measures designed to improve safety beyond that of the standard SNUPPS design has been estimated to increase the power plant capital cost by about 20 percent.

DISCUSSION

A comparison and assessment (both quantitative and qualitative) of the design differences between the two reactor designs were made by the NRC in 1983. Major design differences and the additional features added by the British to the Sizewell B reactor were selected and analyzed. The results of this evaluation are published in NUREG-0999; Sizewell B-Analysis of British Application of U.S. PWR Technology.

In the NRC report, the assessment of the addition of these safety features and the potential impact of their implementation on the safety of U.S. plants was accomplished by applying probabilistic risk assessment (PRA) methods and best engineering judgement. The most significant design changes were analyzed and were ranked, on a relative basis, based on their perceived safety impact on the U.S. SNUPPS design. Table III.3 presents the summary of these analyses.

The ranking scheme seems to follow the guidelines used by the NRC Office of Nuclear Reactor Regulation (NRR) in prioritization of generic reactor safety issues. The safety significance of the design changes is grouped into high, moderate, and low.

As mentioned before, PRA methods and engineering judgement were used to quantify the safety significance of these design changes. In my opinion, extreme caution should be applied in interpreting these results. These are intended more to serve as a relative ranking of the importance and safety significance of these design changes rather than absolute measurement of their impact on overall plant safety. The ranking process is also highly dependent upon the methods, data, and the assumptions used by the authors.

Although several of these design changes have a very good potential to improve the availability, reliability, and the safety of the U.S. reactors (e.g., requiring a higher degree of redundancy), other factors which affect the overall safety of a plant should also be considered before any conclusions are reached regarding the impact of implementing these design changes. Some of these other factors influencing the overall plant safety and availability include: operating procedures, maintenance and inspection activities, human factors, use of front-line and secondary systems, etc.

REFERENCES

1. Sizewell B Analysis of British Application of U.S. PWR Technology, NUREG-0999, U.S. Nuclear Regulatory Commission, 1983.

2. R. D. Anthony, Nuclear Safety Philosophy in the United Kingdom, Nuclear Safety Journal, Oct. - Dec. 1986.

3. A. M. Weinberg, et al., The Second Nuclear Era, ORAU/IEA-84-6(M), Institute for Energy Analysis, Oak Ridge Associated Universities, 1984.

TABLE III.1 Rated Characteristics and Attributes of the Westinghouse SNUPPS Design

Output, MWth: 3411
Thermal Efficiency, %: 33
Availability: Comparable to LWRs
Thermal Capacity of Primary System: Comparable to LWRs
Potential Reactivity Insertion Mechanisms
    Mechanical Systems: Comparable to LWRs
    Coolant Voiding: Negative Coef
    Doppler Temperature: Negative Coef
    Mechanical Bending, Compression: Negative Coef
    Others: None Known
Transients
    Susceptibility: Comparable to LWRs
    Subsequent Response:
        Redundancy of Safety Systems: Improved
        Complexity of Safety Systems: Comparable to LWRs
        Potential for Recovery: Higher than Existing LWRs
        Common Cause Uncertainty: Comparable to LWRs
LOCAs
    Susceptibility: Comparable to LWRs
    Subsequent Response:
        Redundancy of Safety Systems: Improved Slightly
        Complexity of Safety Systems: Comparable to LWRs
        Common Cause Uncertainty: Comparable to LWRs
Station Blackout
    Susceptibility: Comparable to LWRs
    Subsequent Response: Comparable to LWRs
Susceptibility to Fuel Diversion: Little Weapons Value
Susceptibility to Sabotage, Terrorists: Comparable to LWRs


TABLE III.2 Rated Characteristics and Attributes of the Sizewell B Design

Output, MWth: 3411
Thermal Efficiency, %: 33
Availability: Comparable to LWRs
Thermal Capacity of Primary System: Comparable to LWRs
Potential Reactivity Insertion Mechanisms
    Mechanical Systems: Comparable to LWRs
    Coolant Voiding: Negative Coef
    Doppler Temperature: Negative Coef
    Mechanical Bending, Compression: Negative Coef
    Others: None Known
Transients
    Susceptibility: Improved (feedwater)
    Subsequent Response:
        Redundancy of Safety Systems: Improved Slightly
        Complexity of Safety Systems: Comparable to LWRs
        Potential for Recovery: Higher than Existing LWRs
        Common Cause Uncertainty: Subject to Same Uncertainty
LOCAs
    Susceptibility: Comparable to LWRs
    Subsequent Response:
        Redundancy of Safety Systems: Improved Slightly (added HPI, LPI)
        Complexity of Safety Systems: Comparable to LWRs
        Common Cause Uncertainty: Comparable to LWRs
Station Blackout
    Susceptibility: Improved Slightly (added DGs)
    Subsequent Response: Improved (added seal cooling)
Susceptibility to Fuel Diversion: Little Weapons Value
Susceptibility to Sabotage, Terrorists: Comparable to LWRs


TABLE III.3 Safety Significance of Selected Design Differences between the U.S. SNUPPS Design and the British Version

Design Change: Safety Significance

Addition of steam-driven charging pumps: High
Upgraded isolation between reactor coolant system and RHR: Low
Improved ECCS system: Low
Addition of Emergency Boration system: Moderate
Addition of backup reactor protection system: Low
Four segregated AFWS pumps: Low to Moderate
CCW, ESW, dry cooling towers: Low to Moderate (not quantified)
Four segregated 100% diesel generators: Moderate

SECTION IV

SWEDEN

A.1 Backfit

REGULATORY ACTION:

In 1981, the Swedish government requested that the potential for the accidental release of radioactive materials from Swedish nuclear power plants be investigated. The Swedish parliament believed that all the possibilities to further reduce an already extremely small risk of uncontrolled releases of radioactivity should be exploited.

Proposals to the government improved protection against releases in the case of a severe accident at the Forsmark, Oskarshamn, or Ringhals plants. Some of the main requirements of these proposals are:

1. All containments will be protected from overpressure by means of devices for controlled pressure relief, capable of automatic actuation at a preset limit.

2. The primary safety objective will be to prevent core damage by high quality operation and maintenance as well as preparedness for mitigative actions when needed to restore the core cooling.

3. There is substantially improved knowledge on severe accident phenomena, indicating that the reactor containments have good capabilities to withstand severe accidents, provided certain site specific measures are taken to remove weaknesses.

4. Design specific accident management strategies should be prepared, aimed at protecting the containment and attaining a long term stable state with the core covered and cooled with water in a depressurized containment.

The protective measures should be implemented by September 1989 at the latest.

DESCRIPTION:

For Ringhals 1, the calculated results from the MITRA investigations indicate that a pressure relief device, for example a safety valve, that prevents gross rupture of the containment leads to a significant reduction of the frequency of large releases and of core melt. Even with uncertainties in the analytical methodology, it seems likely that some filtering device will be required in the venting line.

The principal conclusions derived for the Ringhals 2, 3, and 4 units are:

- The filtered vent has no impact on bypass sequences or sequences with failure to isolate containment because the pressure in the containment never rises to the set point and the releases therefore bypass the filtered vent system.

- For core melt sequences that occur before overpressure failure of the containment, source terms without the filtered venting system are already very small. If a filtered venting system were installed, source terms would be reduced but not significantly enough to impact public health and safety.

Work is presently underway to implement the new Swedish strategy for handling severe accidents. This will include new installations to protect the containment by pressure relief and controlled venting, probably combined with means for providing a back-up source of water for the containment sprays.

A filtered venting system became operable at the Barseback 1 and 2 nuclear power plants on October 31, 1985. Its main features include a 10,000 cubic meter gravel bed acting as both a filter and condenser. Each venting pipe has a diameter of 600 mm and connects the wetwells of two containments to the filter bed via rupture discs set to 0.65 MPa, with the minimal design pressure being 0.5 MPa. Prevention and mitigation measures will be implemented by 1989 for the other 10 operating reactors in Sweden.

The Swedish Nuclear Power Inspectorate proposed that pressure relief devices should be designed so that they can function independently of operator action and other safety systems if the containment design pressure is substantially exceeded. Another proposal includes rapid flooding of the lower drywell in the Forsmark 1-3 and Oskarshamn 3 BWRs, which have pressure suppression containments with an annular pool.

REFERENCES:

1. Risk Analyses of the Ringhals Plants: Containment Behaviour and Filtered Vent, by Espefalt, Gunsell, Lowenhieln of the Swedish State Power Board and G. Kaiser and P. J. Fulford of NUS Corporation.

2. Swedish Severe Accident Position and Research Status, by L. Hammer of the Swedish Nuclear Power Inspectorate and E. Soderman of ES-Konsult AB, dated 4/6/86.

3. Nuclear Engineering International (9/86), Sweden Takes Steps to Mitigate Severe Accidents, p. 21.

Decay Heat Removal System

A. Pre-Chernobyl

1. Backfit (plants in operation)

a. Regulatory Action

Ringhals 1:

The Swedish State Power Board and ASEA ATOM conducted a Level 1 PRA. A Level 2 PRA (to include external events) will be conducted next.

b. Basis

Ringhals 1:

Reduce the contribution to core melt probability from decay heat removal failure from 50% to 10%.

Comply with new requirements for fire and sabotage protection.

c. Implementation

Ringhals 1 (BWR):

An Auxiliary Feed System, to supplement the standard BWR auxiliary systems, was installed to meet the bases listed above. The AFS consists of:

- Non-safety grade local microcomputer control,
- Dedicated reactor instrumentation for level and pressure, and independent control room signals,
- Independent power supply using a non-safety grade dedicated diesel located in a separate area from the plant emergency diesels,
- Independent water source (fire water),
- Turbine driven AFS pump.

SECTION V

SWITZERLAND

REGULATORY ACTION:

The intended regulatory action requires improving the plant's accident mitigation capability.

DESCRIPTION:

The Swiss Muehleberg plant has an additional suppression pool which circles the reactor building. The vent pipes are encased in the reactor building wall and have a submergence of about 600 mm. The second suppression pool contains about 1000 cubic meters of water; the air space above this pool vents directly to the main ventilation stack.

The outer pool has two main functions:

1. To limit the overpressure in the reactor building to 0.3 bar following a guillotine break in a main steam line.

2. To provide a long term (30h) heat sink in the event of a total loss of all normal residual heat removal capability.

Current studies will assess the role of the second suppression pool for steam venting of the torus wetwell and for iodine retention during severe accident scenarios.

Leibstadt has a post-LOCA containment filtered venting capability provided by an 80 mm diameter pipe connected to the Standby Gas Treatment System.

REFERENCES:

1. Letter from Ronald Hauber to R. Naegelin, dated 9/16/86.

Decay Heat Removal

A. Pre-Chernobyl

1. Backfit (plants in operation)

a. Regulatory Action

General Design Criteria for Light Water Reactor Plants, issued by the KSA in February 1978, requires that safety system redundancy tolerate a single failure plus one component in repair. This applies where safety system components require regular maintenance.

One or several heat sinks and their connections to the plant shall be available under all operating modes, including emergency operation. Diverse ultimate heat sinks such as ground water pumps, reservoirs, or emergency cooling towers are required for all operating plants, to cope with loss of the main heat sink.

An independent and self sufficient (Special Emergency) system shall be provided to cool the core ... during extreme events, particularly during interventions of third parties.

b. Basis

Beznau:

The Special Emergency Heat Removal System (SES) provides improved protection against external events not considered as design basis during plant design, such as:

- Airplane crash,
- Third party intervention, and
- Lightning strike.

The SES also provides decay heat removal protection with qualified equipment for design basis events that were considered during design, such as:

- Safe-shutdown earthquake,
- External flood,
- Loss of river water,
- Main steam line break,
- Small break LOCA, and
- Steam generator tube rupture.

Finally, SES provides improved protection for events not adequately considered at the time of construction, such as:

- Loss of control room,
- Major fire in the control building, and
- Major fire or vessel rupture in the turbine building.

Mühleberg:

The SUSAN (described below) was required in order to cope with newly postulated internal and external events such as third party intervention, safe-shutdown earthquake, external flood, airplane crash, internal flood, and fire. This avoided costly modifications to existing systems.

c. Implementation

Beznau (West. PWR, 2 loop):

Some equipment is shared between plants. The SES will automatically remove decay heat for up to 10 hours. Primary plant functions include emergency boration, reactor coolant pump trip and sealing, and pressure and volume control. Secondary plant functions include emergency feedwater, emergency power, and independent cooling water (well) supply.

Mühleberg (GE BWR/4 Mark I):

The Special, Independent, Decay Heat Removal System (SUSAN) will automatically bring the reactor to a cold shutdown condition during a special emergency event involving third party intervention or loss of the main control room or provide decay heat removal during one of the remaining postulated external events.

The SUSAN shares existing RCIC pumps and torus heat removal systems and provides additional dedicated scram and isolation logic, special emergency diesels, relief valves, core spray, and reactor refill pumps. Cooling water is independently supplied to the SUSAN equipment bunker from a local river.

2. Forwardfit (plants under construction or in the design stage)

a. Regulatory Action

Single failure plus repair was included in Leibstadt design (BWR/6, MK III).

One or several heat sinks and their connections to the plant shall be available under all operating modes, including emergency operation. Diverse ultimate heat sinks such as ground water pumps, reservoirs, or emergency cooling towers are required for all plants under construction, to cope with loss of the main heat sink.

An independent and self sufficient system shall be provided to cool the core ... during extreme events, particularly during interventions of third parties.

b. Basis

Gösgen:

The separate and independent Special Emergency System (SES) shall guarantee decay heat removal for each of the following external events:

- Airplane crash at any point on the plant that could lead to a complete loss of emergency power,
- Fire, especially in the main control room,
- Explosion,
- Third party intervention, and
- Lightning strike.

Although already covered in the plant design basis, the SES protects against earthquakes and flooding.

The system will automatically cool down the plant and maintain it in a safe condition for 10 hours.

Leibstadt:

The SEHRS (described below) is designed to remove decay heat in the event of third party intervention, fire, airplane crash, external explosion, lightning strike, and a safe-shutdown earthquake. The SEHRS uses a completely independent decay heat removal path and heat sink.

c. Implementation

Gösgen (KWU PWR, 3 loop):

The SES has a special emergency panel from which the plant can be brought to a cold shutdown. SES systems are located either in a special bunker or in the reactor building, which has been designed for the postulated external events. The SES consists of:

- Steam generator isolation and relief valves,
- Two special emergency feedwater systems with pumps direct driven from the emergency power diesels,
- Two primary system make-up lines and pumps,
- Two special emergency RHR pumps, feeding the normal RHR heat exchangers,
- Two special emergency ground water systems to cool the RHR heat exchangers, and
- Two special emergency power supply diesels.

Leibstadt (GE BWR/6, Mark III):

Has a Special Heat Removal System (SEHRS) in addition to standard BWR/6 engineered safeguards. Two SEHRS pumps cool suppression pool water through a common heat exchanger which is cooled by ground water. Cooled suppression pool water may be pumped into the depressurized reactor vessel or back to the suppression pool.

The system is automatically actuating and removes decay heat for 10 hours unattended. Power supplies (two di ... of the remainder of the plant, but the reactor protection and isolation systems are shared. Systems are housed in an underground bunker.

SECTION VI

FINLAND

A.1 Backfit

REGULATORY ACTION:

The Finnish Nuclear Regulatory Agency has asked its utilities to complete their severe accident backfits by 1988.

DESCRIPTION:

Finland's nuclear power companies are investigating measures for Finland's severe accident prevention and mitigation programs at their Loviisa and Olkiluoto nuclear plants. The severe accident backfit activity in Finland is not a direct outgrowth of the accident at the Chernobyl nuclear power plants in the USSR. Plans in 1982 required that containments be designed to withstand a core melt accident, and the agency discussed backfitting existing plants with the utilities before the Chernobyl accident. TVO is proposing to install high capacity safety valves on the containment for use in situations where the pressure suppression pool does not work as designed and radioactive steam bypasses the condensate pool. This could be required for rapid venting following pipe break. No filter is required because there is no activity at the beginning of an accident.

They are also proposing to install additional pipe lines to connect an existing independent fire protection system to the containment spray system. Fire protection pumps could be used to pump water from a special fire protection pool into the containment, which is designed to be completely filled with water if necessary. The Finns are adopting a philosophy that places more reliance on manually operated systems and less on automatic systems. They have not yet decided to install additional filters on vent lines.

A fairly large number of modifications to the Loviisa plant have been made since commissioning. In the aftermath of the Three Mile Island (TMI) accident many of the plant's safety features were studied. As a result, changes were made, for instance, in the automation system and in instrument and safety valve settings. In response to the increased attention being paid to severe core accidents, igniters for burning post-accident hydrogen and high range hydrogen concentration and radiation monitoring instruments were installed in the containment building.

A more extensive modification not related to the TMI accident was caused by the higher than anticipated embrittlement rate of the pressure vessel. In order to slow down this rate and thus to prevent undue shortening of the useful life of the vessel, the outermost fuel elements were replaced by dummies. This could be done without reducing the power level thanks to the conservative design of the core. Some other measures, for example, increasing the temperature of the emergency core cooling system (ECCS) water, were also taken.

REFERENCES:

1. Nucleonics Week, 11/86 and IAEA Safety Codes and Guides (NUSS) in the Light of Current Safety Issues, Proceedings of a Symposium, Vienna, 29 October - 2 November 1984.

SECTION VII

THE NETHERLANDS

Decay Heat Removal Systems

A. Pre-Chernobyl

1. Backfit (plants in operation)

a. Regulatory Action

Borselle:

A mid-1970's assessment of potential degradation of plant systems as a result of unforeseen events led to a decision to improve decay heat removal systems. A 1979 order required an ability to keep the reactor in a safe condition during unforeseen events during which the control room was unavailable, resulting in the backfit of the alternative decay heat removal system.

b. Basis

Borselle (PWR):

The Reserve Supply System (RSS) will bring the reactor to a safe condition and maintain it there during one or more of the following events:

- Loss of main and emergency feedwater,
- Loss of all cooling water systems,
- Loss of onsite and offsite power,
- Uncontrolled secondary system steam loss, and
- Loss of the control room.

c. Implementation

Borselle:

The RSS is automatic, but interruptible from the control room unless manually started with the "Master Key." The system has an independent water supply, protection system, diesel generators, primary and secondary injection systems. RSS is housed in its own building.

SECTION VIII

BELGIUM

Decay Heat Removal Systems

A. Pre-Chernobyl

1. Backfit (plants in operation)

a. Regulatory Action

Doel 1 & 2, and Tihange 1:

The older plants must have a safety evaluation after 10 years.

Doel 3 & Tihange 2 (Fram. PWR, 3 loop):

Have been designed according to NRC rules. Tihange 2 is being reevaluated for a larger safe-shutdown earthquake.

b. Basis

All sites:

Consider flooding, aircraft crash and gas cloud explosions in the Second Level Decay Heat Removal System (SLDHRS) design.

Doel 1 & 2:

SLDHRS does not deal with seismic events.

Tihange 1:

SLDHRS should cope with the safe-shutdown earthquake.

Doel 3 & Tihange 2:

These plants are already protected against external explosions, and aircraft crashes, and tornado loadings under the normal decay heat removal systems.

After an external accident, the SLDHRS must automatically bring the plant to a safe shutdown condition and maintain it there for 3 hours.

c. Implementation

Doel 1 & 2 (West. PWR, 2 loop):

No information is available describing actions taken.

Tihange 1 (Fram. PWR, 3 loop):

No information is available describing actions taken.

Doel 3 & Tihange 2 (Fram. PWR, 3 loop):

These plants are already protected against external explosions, and aircraft crashes, and tornado loadings under the normal decay heat removal systems.

In addition to the normal engineered safety features, these plants have a second level of protection consisting of three independent trains of decay heat removal. The SLDHRS uses dedicated systems with an auxiliary control room, located in a hardened building integrated into the plant.

The independent SLDHRS systems consist of:

- A protection and SCRAM system,
- Separate borating and charging systems,
- Steam generator feed system,
- Cooling water system,
- Three diesel generators and electrical distribution,
- Three atmospheric relief valves, and
- Reactor coolant pump seals protection.

Systems shared by the SLDHRS include:

- Pressurizer relief valves,
- One pressurizer heater group supplied by the bunkered 1E power supply and controlled by the SLDHRS protection system,
- RHR is controlled from the SLDHRS control panel, and
- Duplicate main steam and feedwater isolation valves inside the SLDHRS bunker.

2. Forwardfit (plants under construction or in the design stage)

a. Regulatory Action

Doel 4 & Tihange 3 (West. PWR, 3 loop):

Have been designed according to NRC rules.

b. Basis

Doel 4 & Tihange 3 (West. PWR, 3 loop):

These plants are protected against aircraft crashes, large fires (such as those associated with aircraft crashes), and external explosions (gas cloud).

After an external accident, the SLDHRS must automatically bring the plant to a safe shutdown condition and maintain it there for 3 hours.

c. Implementation

Doel 4 & Tihange 3 (West. PWR, 3 loop):

In addition to the normal engineered safety features, these plants have a second level of protection consisting of three independent trains of decay heat removal, bunkered. The SLDHRS uses dedicated systems with an auxiliary control room, located in a hardened building integrated into the plant.

The independent SLDHRS systems consist of:

- A protection and SCRAM system,
- Separate borating and charging systems,
- Steam generator feed system,
- Three diesel generators and electrical distribution,
- Cooling water system, and
- Reactor coolant pump seals protection.

Systems shared by the SLDHRS include:

- Pressurizer relief valves,
- One pressurizer heater group supplied by the bunkered 1E power supply and controlled by the SLDHRS protection system,
- RHR is controlled from the SLDHRS control panel, and
- Duplicate main steam and feedwater isolation valves inside the SLDHRS bunker.

SECTION IX

ITALY

Decay Heat Removal Systems

A. Pre-Chernobyl

1. Forwardfit (plants under construction or in the design stage)

a. Regulatory Action

ENEA in 1979 introduced new requirements for protection against special man-made events.

b. Basis

The new 1979 requirements were to provide plant protection against the following Special Emergency Conditions (SEC):

- Missile impacts on plant structures, and
- External event pressure waves.

Following a SEC and concurrent with a 24 hour loss of offsite power, the power plant, without operator action, shall be capable of maintaining the "fuel protection" function for 10 hours in order to avoid unacceptable consequences.

Alto Lazio:

The Special Emergency and Heat Removal (SEHR) system must withstand a SSE and not result in failure of the primary coolant pressure boundary, containment boundary, or affect ECCS performance.

c. Implementation

Alto Lazio (BWR/6, Mark III):

The SEHR is located in a hardened bunker, and includes the following systems/components:

- Additional isolation valves on main steam, emergency feedwater, and excess letdown systems,
- Emergency seal injection for borated coolant makeup,
- Second excess letdown heat exchanger,
- Two diesel generators,
- Two RHR pumps,

The SEHR can initiate the Automatic Depressurization System and initiate core or suppression pool cooling.

SECTION X

JAPAN

A. JAPANESE SAFETY INSPECTION

The basic concept and the fundamental safety criteria for Japanese LWRs are based on the regulations and practices in the U.S. Due to differences in Japanese geological formations, societal structures, and administrative procedures, safety standards suited to Japanese circumstances are a must. The safety features of LWRs and their performance have been well established and are to be standardized.

The principal goal of safety policy for nuclear power plants is to ensure the safety of both the general public and plant employees during normal operation and during accident conditions.

One Japanese reactor operating principle, which is also law, is that all LWR safety-related systems and equipment shall be inspected periodically every 13 months by the Ministry of International Trade and Industry (MITI). A safety inspection usually takes about two to three months, even if it is not necessary to repair or modify the plant facilities. The inspections play an important role: they contribute to the reliable and safe operation of a plant and mitigate the occurrence of problems, unusual events, and accidents.

To reduce the length of inspection time and the radiation exposure of workers, the MITI and nuclear industries are continuously conducting improvement and standardization programs for LWRs to make safety inspection and maintenance more effective. Examples include widening reactor containment doors for easy access of large repair equipment; using remote and automated inspection to reduce radiation exposure; and planning refueling and maintenance activities using modern project management techniques.

B. SEISMIC

Because Japan is intensely concerned about earthquake problems, anti-earthquake design is a key safety issue for the design of nuclear power plants in this country. Implementing seismic design measures also helps to gain public acceptance for the construction of nuclear power plants.

In Japan, the seismic design of reactor facilities has been and is continuously going forward with large budgets for research and development to obtain the maximum results from both analytical and experimental studies. Models in terms of the probabilistic risk assessment (PRA) have been conducted by taking into consideration the current reactor design. From the study, the technical data obtained for NPPs also have been used to resist severe earthquakes and to minimize the accidents.

In earthquake engineering and technology, Japan has become a worldwide leader among advanced nuclear power generating nations. The seismic design techniques in Japan are still in rapid progress; they are moving from evaluation stages to a design standard and to regulatory guidelines for the customary use of seismology to improve the reactor's seismic design and to reduce the reactor's core-melt probability.

In 1984, the seismic design standards for nuclear power plants were issued by MITI. Based on these standards, all earthquake ground motion models shall be designed for and evaluated from the prediction on the free surface of bedrock at the site with all conceivable angles. In Japan, a reactor vessel, in theory, has to be installed on solid rock. In reality, the rock body beneath the reactor may inevitably contain localized weathering, minor cracks, and seams. Therefore, it may be vital to examine whether it is capable of safely supporting the reactor building against a severe earthquake.

In spite of the variations of each reactor's siting criteria and operating parameters, Japan intends to standardize the seismic design for its LWRs. This standardization policy is in progress. Now, earthquake protection is a standard safety consideration and requirement for all nuclear reactors. The goal of the seismic standardization is not only to improve safety performance but to achieve greater economy as well.

In the United States, earthquakes are a familiar part of the West Coast.

According to the largest recorded earthquake, the magnitudes of ground motion are uniformly distributed.

The frequency of high-magnitude earthquakes is much larger in the Western U.S. than in other parts of the country.

Therefore, in the Eastern and Central U.S., they are less frequent but still a hazard in terms of the probability of reactor and containment damage by a severe earthquake.

In general, it is believed that Japan's earthquake engineering, seismic models, and seismic test equipment are much more advanced and more complex than those in the U.S. Specifically, the following is a summary of the major differences between the two countries in this field:

1. Japan considers four classes while the U.S. considers only one class of seismic severities. Each of the four classes used in Japan applies different seismic parameters and acceptable behavior criteria.

2. In seismic modeling and severity prediction, Japan uses a constant vertical acceleration while the U.S. uses a vertical spectrum.

3. Japan defines active faults based on the occurring displacement velocity. However, no such dependency is used in the U.S.

4. Japan defines seismic motion at the surface of base strata. The U.S. defines seismic motion at the free field surface or the foundation level of building structures.

C. SEISMIC SCRAM SYSTEM

The seismic scram system (SSS) is a special safety device required in Japanese nuclear power stations.

An SSS is not required in the U.S., Canada, or European countries.

A severe earthquake can cause serious damage to both the reactor vessel and the reactor containment and lead to major safety problems. Hence, the SSS is designed to scram the reactor and shut the plant down automatically during a major earthquake.

In Japan, the set-points for the scram instrumentation are normally set at the 90% SSE level. However, specific scram settings for various stations vary with individual reactor design and reactor siting.

In the U.S., the Diablo Canyon PWR is also equipped with an SSS. It consists of three triaxial seismic acceleration detectors at diverse locations near and in the reactor building. The activation point of this system is set at the 47% SSE level.

NUREG/CR-2513, "On the Advisability of an Automatic Seismic Scram," is a survey and study by Lawrence Livermore National Laboratory (LLNL) scientists of other countries' requirements on SSS and of current U.S. regulation on seismic instrumentation. The document identified the advantages and disadvantages of SSS for rulemaking recommendations.

The document indicated that to identify the possible advantages of an SSS, one must look at the probability of safety system failure or the reduction in severity of the consequences of accident sequences such as a core melt and offsite exposure. The document also indicated that the technical bases of SSS are not clear.

LLNL concludes that "It appears that the SSS requirement is more a result of public interest than a definitive safety need in Japan."

SHAKER TABLES

Japan's Public Works Research Institute (PWRI) Earthquake Engineering Laboratory has five shaker tables. These tables are normally used to conduct vibration tests on highway bridges, submerged tunnels, soil structure interaction, and soil liquefaction for seismic studies.

PWRI's repair methods for highway structures damaged by earthquakes may be useful for repairing the structures of nuclear reactors damaged by earthquakes. Therefore, these methods can be implemented and used for nuclear power plants to minimize nuclear accidents resulting from earthquakes.

Furthermore, the Tadotsu facility has the world's largest shaker table. The surface of this table is 175 square meters. It is capable of shaking a 1000-ton mass in two directions simultaneously. It may be used for vibration tests of reactor pressure vessels, steam turbines, or other reactor facilities.

NRC has entered into an agreement for future use of the Tadotsu facility to validate piping response predictive computer codes for the inelastic range, to develop seismic risk methods, and to exchange fragility data.

F. ABWR IN JAPAN

The advanced BWR (ABWR) is being jointly developed by General Electric (U.S.) and Japan's five major utility companies. The basic design of the ABWR was completed in December 1985. Because the ABWR design incorporates available advanced nuclear technology and worldwide LWR operating experience, it represents a simpler and safer nuclear power plant for the next generation of BWRs.

Also, the ABWR has many improved reliability and safety technical features.

The objectives of this reactor are to improve operability, improve plant loading capacity factor, improve safety and reliability, reduce construction cost, reduce maintenance cost, reduce operation cost, reduce volume of solid radwaste, and reduce occupational radiation exposure below 100 mrem per year.

Nucleonics Week, January 1, 1987, indicated that "Tokyo Electronic Power Co. has decided to build the first ABWRs." Plans call for construction start in 1989 and operation in 1996.

In contrast, there is no customer yet interested in the ABWR in this country. However, NRC officials hope to have the resources in place during fiscal years 1987 and 1988 to review and certify the ABWR design for use in the U.S. as a possible standardized nuclear power plant. The licensing basis agreement is in progress and being reviewed by the ACRS.

G. CHERNOBYL ACCIDENT AND JAPAN

In general, the USSR-designed reactors are considerably different from those used in Japan in terms of structure, design bases, and operating characteristics. The reactor at Chernobyl had a number of design problems and insufficient emergency safety measures.

These include the function to shut down the reactor against a large positive coolant void coefficient and the slow insertion of control rods under emergency conditions. However, the lessons learned from the Chernobyl accident are significant.

The emergency measures and actions taken by the USSR during the accident are most beneficial.

Overall, two actions were taken in Japan following the event:

1. Engineering evaluation of the accident, emphasizing a detailed and quantitative analysis of the progress of the accident on the basis of available information and data.

2. The government held 34 local meetings to explain the accident. Also, the first public hearing was held on Unit No. 4 of Hamaoka Nuclear Power Station on reactor safety and environmental protection.

Before the Chernobyl event, the two greatest shocks to Japan's nuclear power program were the accidents at TMI-2 in 1979 and at the JAPCO Tsuruga plant in 1981.

Following the TMI accident, a precautionary halt to operation was forced at the Ohi nuclear plant, which was the only PWR in Japan, to ensure that there were no potential problems with its emergency reactor core cooling system.

Since the Tsuruga (357-MWe BWR) radioactive liquid release, the safe operation of the nuclear power industry has been distrusted. The lesson learned from the TMI-2 event is that any nuclear accident is a financial and psychological disaster for the nuclear industry and for the public.

Since the TMI-2 incident, an emergency planning policy has been necessary for all operating plants in Japan.

In addition, the emergency plans must include precautions against the residual risk associated with all kinds of hazards (e.g., earthquakes, floods, typhoons, tsunamis) that would be beyond or not considered in the design basis concept.

Of course, the Chernobyl accident made all of us focus on reactor safety and public health again.

In Japan a majority of the public believe that nuclear power plant operation presents no health risks. However, a lot of people have a lurking anxiety about the risks associated with highly unlikely nuclear accidents.

Overall, the public is very concerned about safety issues related to radioactive waste disposal and management, spent fuel storage, fuel reprocessing, etc. Therefore, political, technical, economic, and psychological issues exist in Japan to the same extent that they exist in the U.S.

To restore public faith and confidence in the nuclear industry, the Japanese government and the nuclear utilities have taken a new step in safety management. The Japanese government has taken action as described in item (2) above in order to improve public confidence and to decrease public pressure on the nuclear program.

EARTHQUAKE IN TAIWAN

On November 14, 1986, Taiwan encountered a major earthquake. The peak of this earthquake measured 7.0 on the Richter Scale and had a focal depth of 6 km. The duration of this earthquake was estimated to be from 40 to 50 seconds. More than 200 aftershocks were felt over the next 48 hours.

At Chinshen Nuclear Power Plant Units 1 and 2, located 150 km from the epicenter, the maximum acceleration measured at the containment basemat was 0.02g (approximately 3% SSE level). At these two plants there was no observed damage reported and they were operated through the earthquakes. These plants are BWRs with Mark-I containments placed on firm rock and well monitored with seismic instrumentation. Based on this earthquake experience, Taiwan Power Company (TPC) intends to conduct a post-earthquake study, since very few operating nuclear power plants have been subjected to earthquake loading.

If TPC makes the results available to the U.S., the information could be extremely valuable to evaluate the current seismic design criteria and to confirm the analytical predictions from various seismic models used for U.S. nuclear power stations.

REFERENCES:

1. Uchida, H., "Current Status of Nuclear Safety Examination in Japan," IAEA-SM-275/17.

2. John Stevenson, Structural Mechanical Associated, April 13-17 the 1981 trip to Japan unpublished report.

3. NUREG/CR-2513, "On the Advisability of an Automatic Seismic Scram," Lawrence Livermore National Laboratory.

4. Matsuda et al., "The Japanese Approach to Nuclear Power Safety," Nuclear Safety, Vol. 25, No. 4, 1984.

5. IAEA, "Nuclear Power and Its Fuel Cycle," Proceedings of IAEA in Salzburg, 2-13 May 1977.

6. Japan Electric Association, "Seismic Trip System," March 1979.

7. NRC, "Trip Report - Arlotto and Richardson to Japan 9/29/86-10/09/86." IA271020.

8. Hiroshi Akiyama, "Overview of Research Needs and Activities on Earthquake Resistant Design for Nuclear Power Plants," IAEA meeting on Earthquake Ground Motion and Antiseismic Evaluation, 24-28 March, Moscow, USSR.

9. Heki Shibata, "Recent Development of Fundamental Philosophy of Anti-Earthquake Design for Nuclear Power Plants in Japan," IAEA meeting on Earthquake Ground Motion and Antiseismic Evaluation, 24-28 March, Moscow, USSR.

10. Hirano, et al., "Earthquake Ground Motion for Seismic Design and Seismic Design for Monju," Reactor Construction and Operating Project, Power Reactor and Nuclear Fuel Development Cooperation, Tokyo, Japan.

11. Leon Reiter, "Memorandum: IAEA Specialists Meeting on Earthquake Ground Motion and Antiseismic Evaluation of Nuclear Power Plants, Moscow, USSR, March 24-28, 1986."

12. Edison G.E., et al., "Application of Reactor Scram Experience in Reliability Analysis of Shutdown Systems," Nuclear Safety, Vol. 19, No. 6, 1978.

13. EPRI Journal, "Toward Simplicity in Nuclear Plant Design," July/August 1986.

14. Wilkins, D.R. et al., "Design Improvements Build on Proven Technology," Nuclear Engineering International, June 1986.

15. Leach L.P. et al., "A Comparison of LOCA Safety in the USA, FRG, and Japan," pp. 1475-1483.

16. Richard Major, "Memorandum: A Preview of General Electric's ABWR," ACRS, October 16, 1986.

17. Richard Major, "Memorandum: Review Plan for the General Electric's ABWR Design - SECY-086-347," ACRS, December 10, 1986.
