Open access peer-reviewed chapter

Issues of the Seismic Safety of Nuclear Power Plants

By Tamás János Katona

Submitted: May 9th 2016Reviewed: September 19th 2016Published: February 1st 2017

DOI: 10.5772/65853

Downloaded: 1579


Seismic safety of nuclear power plants became an eminent importance after the Great Tohoku earthquake on 11th of March, 2011 and subsequent disaster of the Fukushima Dai-ichi nuclear power plant. Intensive works are in progress all over the world that include review of the site seismic hazard assessment, revision of the design bases, evaluation of vulnerability, and development of accident management capabilities of the plants. The lessons learned from the Fukushima-accident changed the paradigm of the design. Preparedness to the impossible, i.e. the development of means and procedures for ensuring the plant safety in extreme improbable situations became great importance. Main objective of the Chapter is to provide brief insight into the actual issues of seismic safety of nuclear power plants, provide interpretation of these issues, and show the possible solutions and scientific challenges. The “specific-to-nuclear” aspects of the characterisation of seismic hazard, including fault displacement are discussed. The actual design requirements, safety analysis procedures are briefly presented with main focus on the design extension situations. Operation aspects and problems for restart after earthquake are also discussed. The Chapter is more focusing on seismic safety of the inland plants, located on soil sites, in low-to-moderate (diffuse) seismicity regions.


  • design basis
  • ground motion
  • ground displacement
  • defence-in-depth
  • design extension
  • liquefaction
  • safety analysis
  • margins
  • operation

1. Introduction

The nuclear catastrophe at the Fukushima-Dai-ichi plant caused by the Great Tōhoku earthquake followed by a huge tsunami on 11th of March 2011 alarmed worldwide attention to the safety of nuclear power plants (NPP). Enormous natural effects caused the accident. However, the devastating consequences would have been limited or even avoided, if the provisions for tsunamis in the original design would be adequate. The nuclear catastrophe triggered actions worldwide: a comprehensive, complementary safety reviews, i.e. “stress-tests” have been launched in European Union member states just after 11th of March 2011. Similar programmes have been implemented in all countries operating nuclear power plants. The stress-tests have been aimed to the review of seismic hazard assessments for sites of nuclear power plants and to the verification of the design bases, as well as to the evaluation of margins against earthquake effects. Prompt and long-term measures have been decided by the nuclear operators for improvement of the accident management capabilities of the plants. The case of Fukushima Dai-ichi plant shows that the proper definition of the design basis hazard effects has to include also the phenomena generated by the earthquake (e.g. tsunami, soil liquefaction) and thorough checking whether the beyond design basis hazard effects can cause cliff-edge effect, i.e. sudden loss of safety functions due to effects exceeding the design basis one. Updated information for these programmes is provided at for the European Union, for the United States at and for Japan at

The lessons learned gave essential feedback for upgrading the safety of operating reactors (see Refs. [1, 2]) and challenged the philosophy of the design of new plants. Instead of the “design for sufficient low probability of effects for ensuring the acceptable risk”, the new design paradigm is “to be prepared for the impossible”. Since an accident can never be completely ruled out, the necessary provisions for dealing with and managing a radiological emergency situation, onsite and offsite, must be planned, tested and regularly reviewed [3, 4].

Despite the severe accident of the Fukushima Dai-ichi plant, the nuclear power plants survive earthquakes. The International Atomic Energy Agency International Seismic Safety Centre collected the information on the earthquake experiences reported by the operators. More than two hundred magnitude >6 earthquakes have been registered (mainly in Japan) within 300 km epicentral distance from nuclear power plants (NPP) [5]. In most of the cases, there is no damage reported manly because of negligible effects at the site. However, there are important cases, including the Tōhoku earthquake, when the consequences have been either serious or enlightening for upgrading the operating and design of new nuclear power plants. Brief summary of experiences is given in Ref. [6]. One of the first event happened in Armenia when the Medzamor Nuclear Power Plant experienced minor shaking by Spitak earthquake (magnitude 6.8) in 1988. The epicentre was about 75 km from the plant. Although no damage occurred there, the plant was closed for 6 years due to safety concerns.

The most important lessons learned can be extracted from the earthquake experiences of nuclear power plants in Japan, where after singular warning cases the 11 March 2011 Tōhoku earthquake brought to temporary phaseout all nuclear power plants for radical safety review and upgrade.

The consequences of the Miyagi earthquake (August 2005, magnitude 7.2) at the Onagawa NPP were negligible, although the recorded ground motions exceeded those the plant was designed for. The plant was restarted 5 months after the earthquake. The Onagawa Nuclear Power Plant was the closest nuclear power plant to the epicentre of the 11 March 2011 Tōhoku earthquake. Contrary to the Fukushima Dai-ichi plant, the 14-m-high seawall protected the Onagawa NPP from flooding. All safety systems functioned as designed, the reactors automatically were shutdown, and no damage of safety-related systems, structures and components (SSCs) occurred. A fire broke out in the turbine hall that did not challenge the plant safety [7]. The case of Onagawa NPP demonstrates that the proper definition of the design basis, e.g. the tsunami height is essential precondition of the safety. The Onagawa NPP has successfully passed the stress-test launched after Fukushima Dai-ichi accident in Japan [8]. The plant is ready to restart.

In July 2007, the Chūetsu offshore earthquake (Mw = 6.6) hit the Kashiwazaki-Kariwa NPP, the largest plant in the world. The experienced ground motions exceeded significantly the design basis level (0.69 g compared to the safe shutdown level of 0.45 g). Although there was no damage to the safety systems, the thorough proof of the plant post-earthquake condition and the reassessment of the seismic safety, which includes also re-evaluation of the site seismicity, identified the needs of certain upgrading measures, e.g. establishment of plant own fire-fighting capability [9]. The plant was idle for 21 months after the earthquake than the units No 1 and 5–7 have been restarted and operated up to April 2011. The units 2–4 have been not restarted. After 2011 Tōhoku earthquake, the plant was shutdown, stress-test and safety improvements have been carried out. The plant is not in operation.

In spite of the severe accident of the Fukushima Daiichi plant caused by the tsunami after Great Tohoku earthquake, the behaviour of 13 nuclear units in the impacted area on the East-shore of the Honshu Island demonstrated high resistance against ground vibrations due to earthquake. It seems, that the design of nuclear power plants complying with state-of-the art nuclear safety regulations and acceptable in the nuclear industry codes and standards ensure sufficient capacity to withstand the ground vibratory effects of earthquakes. The stress-tests of reactors in Japan after 11 of March 2011 resulted in justification of the external hazard design basis, quantification of margins beyond design basis and enhancing the tsunami protection of the sites, as well as in the improving the severe accident management capabilities of the plants. The capability of plants to withstand beyond design basis vibratory motion has been found to be adequate. For example, the stress-test of the Ohi NPP found that the units 3 and 4 would be able to withstand an earthquake with ground acceleration of up to 1.260 g that is exceeding 1.8 times its design basis of 0.7 g [10].

The stress-test in Japan also resulted in the strengthening of the regulatory structure and safety requirements. In October 2012, the new, independent from the industry Nuclear Regulation Authority (NRA) has been established. NRA announced that henceforth nuclear power plant restart reviews would comprise safety assessment by NRA based on safety guidelines in the new regulatory requirements [11]. Main focuses of the reformed safety requirements are as follows: emphasis on defence-in-depth concept, assessment and enhancement of the protective measures against extreme natural hazards, measures against severe accidents (and terrorism), elimination of common cause failures, back-fitting to the existing plants. One of the new focuses of the NRA was the proofing of the potentially active faults at the nuclear sites and development standards concerning displacement and ground deformation in addition to those for seismic ground motion. The new requirements with regard to the existence of active faults at the plant vicinity have been enforced in July 2013, and a methodical study has been published in September 2013 [12]. The active faults at the site vicinity affect the design basis ground motion and depending on the distance from the plant they can cause permanent disruption of the ground that can impact the safety functions of the SSCs. The faults that can cause permanent surface disruption are generally called capable, exceptions are Japan and Russia, where the term active fault is still used for structures capable to cause surface deformation. In earlier Japanese practice, the nearby active faults have been integrated into the deterministic hazard assessment that resulted in very high design basis accelerations. Especially after revision of the regulation in 2006, when the magnitude of the just below the site source has been increased from the value of 6.5–6.7. The earthquake experience demonstrated that the vibratory motion can be managed by proper design, but the surface rupture below or in the very vicinity of the safety-related structures can cause very significant and not properly studied effects, e.g. relative movements below the foundations, tilting of the structures. The issue has been already recognized before the accident of the Fukushima Dai-ichi NPP; see Ref. [13]. By definition, the fault is considered active if it shows evidence of past movements a recurring nature within such a period that it is reasonable to conclude that further movements at or near the surface may occur. The time frame has been increased from 50,000 years to 125,000 years (in 2006) and now the Japanese Nuclear Regulatory Authority requires 400,000 years in uncertain cases. In 2012–2013, it was recognized that the shatter zones beneath the Higashidori NPP are likely to be active, seismogenic faults. The fractures at the Tsuruga NPP, that lie close to or pass beneath Unit 2, could also be active faults. Clarification of the nature of below site faults became condition of the restart for Higashidori and Tsuruga NPPs, thus the operators invited independent investigation teams to review and to ascertain the scientific validity of the fault activity [14, 15]. In 2016, the Nuclear Regulatory Authority indicated that at four other NPP sites (Ohi, Mihama, Shika and Monju) might also have active faults [1619].

As of April 2016, total of 16 pressurized water reactors (PWRs) and 10 boiling water reactors (BWRs) have filed application for the conformity review at the Nuclear Safety Authority. Out of 16 PWR cases, five PWRs received the NRA’s permission for changes in reactor installation and two PWRs have been restarted [20].

A conscious development of the seismic safety of nuclear power plants can be recognized in the United States. In the past several decades, the Nuclear Regulatory Commission (NRC) and the industry have undertaken a number of initiatives to address potential plant vulnerabilities to natural phenomena. In 1977, the NRC initiated the systematic evaluation program to review among the others seismic designs of older operating nuclear reactor plants in order to reconfirm and document their safety. In 1980, the NRC established the Unresolved Safety Issue A-46 program that was focused on the seismic re-qualification of some mechanical and electrical equipment of the operation plants for the design basis ground motion. In 1991, the NRC initialized the program for Individual Plant Examination of External Events (IPEEE) for severe accident vulnerabilities that included evaluation of seismic safety and verification of the seismic adequacy of equipment for the design basis earthquake; see Ref. [21]. Following the processes in the United States, the OECD countries (except Japan) also performed some limited re-evaluation of their older nuclear power plants for seismic events [22]. As it is mentioned above, Japan started to consider the seismic safety re-evaluation of NPPs after Kashiwazaki-Kariwa event. Most extensive programmes have been performed in Eastern European countries. These programmes were motivated mainly by the strengthening of the regulations, changing the understanding of the site seismic hazard and consequently, establishing new seismic design basis. The operators of WWER reactors implemented comprehensive programmes for evaluating and upgrading the seismic safety of their nuclear power plants [2325].

In the past decades, thanks to the abovementioned seismic safety programmes, essential methodological developments have been performed in the regulation as well as in the practice of seismic hazard assessment, design and qualification procedures, quantification of margin with respect to the design basis and seismic safety analysis. Probabilistic seismic hazard assessment (PSHA) methodology has been developed and adopted for the re-assessment and updates of the seismic hazard characterization. Contrary to the deterministic seismic hazard assessment, the PSHA accounts the randomness of the natural phenomena as well as the epistemic uncertainties. The hazard curve from PSHA is also to use in the seismic probabilistic safety analyses that provide quantitative judgement of safety with respect to earthquakes. The methodological developments have been made mainly in the United States and have been promoted also by International Atomic Energy Agency (IAEA) guidelines. The divergence between the practice of Japan and the countries following the IAEA guidelines has become obvious after Chūetsu offshore earthquake while the situation Kashiwazaki-Kariwa NPP have been assessed by the international community [9, 26]. The United States approach regarding seismic margin evaluation has been justified in the practice as 23 August 2011, a 5.8 magnitude earthquake occurred, 11 miles from the North Anna NPP, United States, Virginia. Although the ground motion experienced at the site exceeded the design basis, the plant survived the earthquakes without significant damages as it was to expect on the basis of seismic margin assessment [27].

The advances of the United States regulation and practice became more explicit after the severe accident at Fukushima Dai-ichi NPP [28]. The basic statement and starting point of the post-Fukushima actions in the United States was that “the continued operation and licensing of nuclear power plants do not pose an imminent risk to safety” [29]. This confident but critical approach to the Fukushima-issue resulted in a very systematic evaluation of lessons learned and rational definition of the actions in the United States that is essentially differing to the reaction of many professionals and especially the officials in Japan and in European Union. The way how to implement the seismic near-term task force recommendations of the NRC in the area of seismic safety are defined in Ref. [30]. The screening is based on the development of the site-specific ground motion response spectra (GMRS) in accordance with the Regulatory Guide 1.208 [31] and their comparison to the design basis safe shutdown earthquake (SSE) response spectra. For the plants where the GMRS exceeds the SSE additional actions have to be implemented for justification of seismic safety and margin to withstand the beyond design basis earthquakes. An Expedited Seismic Evaluation Procedure (ESEP) was developed to focus initial resources on the review of a subset of the plant equipment that can be relied upon to protect the reactor core following beyond design basis seismic events [32].

In the European Union, the focused safety assessment of the nuclear power plants did not reveal dramatic safety deficiencies [33]. In general, the seismic design basis is satisfactorily determined on the basis of events consistent with a 10–4 per annum return frequency. The existence of necessary margins with respect to the earthquakes exceeding the design basis one that ensures to avoid the cliff-edge effects. In some countries, the design basis horizontal peak ground acceleration (PGA) has to be set for 0.1 g in compliance with IAEA guidance [34, 35]. The active/capable fault issue has also been addressed at some plants; see for example Slovenian stress-test report in Ref. [36]. The stress-tests did not identify dramatic safety deficiencies at European NPPs. In all countries, the stress-test resulted in the strengthening of the safety requirements, consequent implementation of the defence-in-depth concept, an improvement of severe accident management and mitigation of severe accident consequences accounting for the specific issues at multi-unit sites. The whole stress-test process resulted in strengthening the regulatory requirements and harmonization of national regulations; see Refs. [37, 38].

The recent status of seismic safety of nuclear power plants demonstrate that the acceptable level of safety can be assured, and the robustness of the plants can be demonstrated, if the definition of the seismic hazard is adequate and updated regularly. Nevertheless, the earthquakes might be the dominating contributors to the overall risk of nuclear power plants as it has been demonstrated by the seismic probabilistic safety assessments (SPSA) of several nuclear power plants. It is mainly because of large uncertainty of the characterization of seismic hazard and complex behaviour of the plant hence all systems, structures and components are affected by the earthquake.

The safety aspects of operation of nuclear power plants have primary importance. However, the operation of nuclear power plants cannot be ignored. The nuclear power production has enormous economic importance in many countries [39, 40]. Consequently, the issue of safe continuation or restart of operation after an earthquake has also a great importance. Obviously, there is a need for reliable justification of plant safe status after earthquake for avoiding long shutdown time and consequent economic losses. A rapid assessment of the post-event plant status is very important for assessing the conditions for restart or in extreme cases for assessing the plant condition for emergency management. With this respect, the case of Kashiwazaki-Kariwa NPP demonstrates the negative experience and the positive one is the case of North-Anna NPP. The lessons learned from the Fukushima Dai-ichi accident shows the importance of adequate judgement on the post-earthquake plant condition.

Main objective of the Chapter is to provide brief insight into the actual issues of seismic safety of nuclear power plants. The most important and “specific-to-nuclear” aspects of the characterization of earthquake and associated with earthquakes hazards and definition of the design basis ground motion and fault displacement are presented. The change by Fukushima accident paradigm of safety and its manifestation in design, safety evaluation and operation are in the focus of the chapter. The intention is to provide information on the seismic safety issues that is relevant mainly for the inland plants, located on soil sites, in low-to-moderate (diffuse) seismicity regions. The chapter structured as follows:

  • Overview of the burning issues of the seismic safety of nuclear power plants in the introduction

  • Overview of basic safety requirements

  • Peculiarities of site characterization and definition of the design basis and design basis extension

  • Basic design requirements focusing more on the design extension issues

  • Brief overview of the seismic safety assessment issues

  • Operational aspects of seismic safety, Earthquake preparedness, procedures

  • Restart after earthquake, post-event inspections, damage indicators.

The chapter is not intended to provide textbook information either for the characterization of site seismic hazard or for the aseismic design of nuclear power plants. Definition of the generic terms of seismology and seismic engineering are assumed to be known. The terms related to seismic safety of the nuclear power plants are explained, only.


2. Basic principles of seismic safety

2.1. Safety objectives

The fundamental safety objective of design and operation of nuclear power plant is to protect people and the environment in case of any malfunctions, failures of the plant systems, structures and components, which may occur during the plant lifetime including those caused by rarely occurring earthquakes [41]. The earthquakes affect the site and plant in a complex manner, by vibratory ground motion, permanent ground deformations, and seismic induced ground failure or flooding. There are also other phenomena related to the tectonic environment that can affect the plant safety, e.g. tectonic creep, after-slip, uplift and subsidence. Earthquakes are the most challenging the safety external hazards that affect simultaneously all items important to safety, including systems to manage severe accidents. Widespread failures at the plant and site, and in surrounding area can hindrance to human intervention.

From technical point of view, to protect the human life and the environment in case of earthquakes, the fundamental safety functions have to be ensured that are as follows:

  1. Control of reactivity in the reactor and spent fuel pool;

  2. Removal of heat from the reactor and from the spent fuel pool;

  3. Confinement of radioactive material, shielding against radiation, as well as limitation of accidental radioactive releases.

Those systems, structures and components that are necessary to fulfil the fundamental safety functions and/or affect the fundamental safety functions are indicated as “items important to safety”.

2.2. Compliance with safety objective

2.2.1. Concept of the design defence in depth

According to the Principle 8 in IAEA Safety Fundamentals [41], the primary means of preventing and mitigating the consequences of accidents is ‘defence-in-depth’. Defence-in-depth is a systematic combination of consecutive and independent levels of protection. If one level of protection or barrier were to fail, the subsequent level or barrier would be available. The levels of defence are as follows:

  1. Prevention.

  2. Control of anticipated operational occurrences.

  3. Control of accidents.

  4. Mitigate the release in a severe accident via ensuring integrity and leak-tightness of the containment so as to prevent the exceedance of the severe accidents release limits (for example, protection the containment from the hydrogen explosion).

  5. Mitigation of consequences of the radiological consequences to the population in the event with release of considerable amounts of radioactive substances by emergency preparedness arrangements.

The entire system for ensuring the plant safety is given in Table 1; see Ref. [3].

LevelsObjectiveEssential meansRadiological consequencesAssociated plant condition categories
Level 1Prevention of abnormal operation and failuresConservative design and
high quality in construction and operation, control of main plant parameters
inside defined limits
Operation within the authorized limitsNormal operation
Level 2Control of abnormal operation and failuresControl and limiting
systems and other surveillance features
Anticipated operational occurrences
3.a Control of accident to
limit radiological releases and prevent escalation to core melt conditions
Reactor protection system, safety systems, accident proceduresNo off-site radiological impact or only minor radiological impactPostulated single initiating events
Level 3 3.bAdditional safety
features, accident
Design Extension Conditions: Postulated multiple failure events; Accident caused by a rare external events without severe fuel failure
Level 4Control of accidents
with core melt to limit off
-site releases
Complementary safety features to mitigate core
melt, Management of accidents with core melt (severe accidents)
Off-site radiological impact may imply limited protective measures in area and timePostulated core melt accidents. Confined fuel melt – also considered as design extension condition
Level 5Mitigation of
consequences of
significant releases of radioactive material
Off-site emergency
response Intervention
Off-site radiological impact necessitating protective measures

Table 1.

The structure of the levels of defence-in-depth.

The levels of defence belong to certain plant conditions that should have different annual probabilities, see Table 2.

LevelDenominationFrequency (1/year)
Level 1Normal operationQuasi continuous
Level 2Operational eventsf > 10−2
Level 3Design basis accidents10−2 > f > 10−4
Design extension accidents10−4 > f > 10−6
Level 4Design extension accidents with limited but confined core melt10−6 > f
Level 5Severe accidents

Table 2.

Categorization of plant statuses according to annual frequency.

For sake of clarity, a brief definition of most important terms has to be performed here:

  • Design basisrefers to the range of conditions and events (i.e. earthquakes and phenomena associated with) taken explicitly into account in the design of a facility, according to the established criteria, such that the facility can withstand them without exceeding authorized limits by the planned operation of safety systems.

  • Design basis conditionsmean the normal operation, anticipated operational occurrences and accidents in which the degradation of the reactor core is excluded due to design features.

  • Design basis earthquake(DBE) or safe shutdown earthquake (SSE) refers to the earthquakes affecting the plant site effect of those are used in the design of SSCs ensuring the basic safety functions as it is required by the nuclear safety regulations and in compliance with industrial standards. These effects are the vibratory ground motion and surface deformation. The design basis earthquake surface deformation is distortion of geologic strata at or near the ground surface by the processes of folding or faulting as a result of various earth forces. Tectonic surface deformation is associated with earthquake processes. The design basis earthquake has to be defined at required annual frequency of occurrence (return period) and confidence level. Design basis earthquake should not result in reactor core melt.

  • The operating basis earthquakeground motion (OBE) is the vibratory ground motion for which al SSCs necessary for continued safe operation will remain functional. The operating basis earthquake ground motion is only associated with plant shutdown and inspection unless specifically selected by the plant owner as a design input.

  • Design extension conditionsrefer to the accidents not considered in the design basis, including accidents with significant degradation of the reactor core. However, releases of radioactive material are kept within acceptable limits. The accidents caused by a rare external event, e.g. earthquakes exceeding design basis one, in which a considerable part of the fuel in a reactor or in a spent fuel pool loses its original structure are to classified for design extension. Some national regulations define two levels of design extension conditions:

    • Design extension conditions 1 (DEC1) are consequences of complex sequences not accounted for in the design basis. The DEC1 should not result in core damage and the plant can be brought into safe shutdown condition.

    • Design extension conditions 2 (DEC2) are severe accidents with core damage. However, the heat removal from the core can be established or restored in DEC 2 and the releases from the containment have to be limited.

  • Severe accidentsrefer to the accidents in which considerable part of the fuel in reactor loses its integrity. Accident sequences with core melt resulting from external hazards which would lead to early or large releases should be practically eliminated. The practical elimination should be primarily based either on the obvious physically impossibility for the accidents to occur, or on the design provisions that eliminate these accident sequence with a high degree of confidence.

2.2.2. Acceptance criteria

The compliance with basic safety objectives needs proper qualitative measure. The “authorized limits”, i.e. the dose restrictions guaranties the avoidance of adverse effects to the people and environment. From this point of view, the normal operation can be qualified to be acceptable if the annual dose of an individual in the population, arising from the normal operation of a nuclear power plant, is 0.1 mSv. The same limit is valid for anticipated operation occurrences. Limits for accident are usually set to 1 mSv/event or 5 mSv/event, depending on the probability of extension condition that can be defined by amount of radioactive substances released. For example, in Finland, in order to restrict long-term effects, the limit for the atmospheric release of cesium-137 is 100 TBq [42]. The possibility of exceeding the limit shall be extremely small. Even in the case of severe accidents, the release of radioactive substances shall not necessitate large-scale protective measures for the public nor any long-term restrictions on the use of extensive areas of land and water. The possibility of a release in the early stages of the accident requiring measures to protect the public shall be extremely small.

Probabilistic criteria for acceptance can be expressed in terms of annual frequency of core damage (CDF) or large early releases of radioactive substances (LERF) that are directly related to the design. Considering all the design basis operational statuses and initiating events collectively, the CDF ≤ 10−5/a and LERF ≤ 10−6/a are generally accepted events. In some countries, the limit 20 mSv is defined for design extension conditions. In some countries, the “limited environmental effect” is required in case of design.

2.3. How to ensure the seismic safety?

Traditionally, the design of the nuclear facilities adapted the two-level concept: design for safety, accounting for a high-level, low probability of exceedance seismic excitation for design basis and design for service, using a moderate level of seismic excitation for operational limit.

The design basis earthquake is denoted as safe shutdown earthquake (SSE) in accordance with the United States terminology; see Ref. [43]. It is called SL-2 earthquake level by the IAEA guideline NS-G-1.6 [35]. Here, the term of design base earthquake (DBE) will be used. According to the international practice, the annual probability of exceedance of the DBE is usually 10−4/a in case of nuclear power plants. SSCs required for basic safety function have to sustain the earthquake loads without loss of function. In the traditional design philosophy, the plant condition after SSE corresponds to the ultimate limit states.

Operability of NPPs should be ensured after the more frequent and moderate severity earthquakes. The operational base earthquake (OBE or SL-1 level according to the IAEA terminology) level is defined as a design level for continuous operation [35]. The OBE was usually defined as an event with frequency of 10−2/a, or a ground motion with peak ground (horizontal) acceleration (PGA) that equals to a given fraction of PGA value of the SSE. Through the years, the concept of designing for two earthquakes has radically changed. Nowadays, the OBE is interpreted as an operational limit and inspection level rather than an obligatory design level. Setting the OBE level is matter of design, operational, economic considerations. For example, there is no need for specific design measures for an OBE, if its PGA is equal or less than 1/3rd of the SSE PGA. Generally, if the OBE level is exceeded, the automatic shutdown of the reactor is not required [43]. In the traditional design philosophy, the post-earthquake plant condition up-to OBE level corresponds to the serviceability limit state.

The application of the defence-in-depth concept (DiD) in the design modified the outlined above traditional design concept:

  1. Levels 1 and 2 ensure serviceability of SSCs of the entire plant, i.e. reliable operation up-to certain level of earthquake effects.

  2. Level 3.a ensures to the serviceability limit states of safety-related SSCs for design basis earthquake effects.

  3. Level 3.b ensures the irreversible serviceability limit states of safety-related SSCs for earthquake effects exceeding those accounted for in the design basis.

  4. Level 4 ensures to the ultimate limit state of safety-related SSCs for earthquake effects exceeding those accounted for in the design basis, and serviceability of SSCs that are dedicated for severe accident management (hardened core SSCs).

  5. Level 5 corresponds to the planning of disaster management using all SSCs that survived the earthquake including mobile, provisional and external equipment.

The defence-in-depth (DiD) hierarchy of protective means has to be in place for the case of earthquakes as it is shown in Table 3.

Level 1 In case of felt earthquake, the plant either continues to operate or shutdown automatically or manually.
The criteria for safe continuation of operation have to be defined.
Level 2 If the operation is terminated but the safety systems have not been activated (except of the safe shutdown automation) means, plans and procedures have to be in place for assessing the post-earthquake conditions and restoring the operational conditions.
Level 3a If the operation is terminated and the safety systems are activated, the plant has to be stabilized in safe condition and thorough inspection, re-assessment are needed for the decision of restoration or permanent shutdown of the reactor.
The safety-related SSCs have to ensure the basic safety functions in case of design basis earthquakes.
Level 3b The design extension condition with respect to earthquakes means that the systems, structures and components needed for fundamental safety functions shall have sufficient margin to withstand earthquakes effects exceeding those in the design basis and ensures the integrity of reactor core.
Level 4 The very rare earthquakes that are sufficient larger than the design basis one should not be excluded from the considerations.
Early or large releases from the accident sequences with core melt should be practically eliminated. Effects of rare and severe earthquakes need to be considered in the design but realistic, best estimate methods and assumptions can be applied.
In spite of the core damage, the radiological consequences have to be limited due to containment.
Level 5 Means, plans and procedures have to be in place for on-site and off-site emergency response to mitigate the consequences of accidents.

Table 3.

Levels of defence-in-depth in case of earthquakes.

Generally, the seismic safety is ensured by the following complex activities:

  1. Proper site selection

  2. Site investigations and evaluation of the site seismic hazard, including associated with the earthquake hazards, e.g. tsunamis, surface rupture, soil liquefaction

  3. Definition of the design basis earthquake and surface displacement

  4. Adequate design with consequent implementation of the defence-in-depth concept and rules of aseismic design that includes:

    1. the suitable dimensioning and lay-out of structures that ensure the required seismic resistance and margins—avoiding cliff-edge effects;

    2. use of verified methodologies and standards applicable for nuclear industry;

    3. use of high-quality and qualified for vibratory effects products;

    4. use of appropriate instrumentation and protection systems;

  5. Evaluation of safety—with feedback to the entire design process

  6. Development of accident-prevention and accident-management procedures

  7. Conscious operation, maintenance and seismic housekeeping

  8. Periodic safety assessment, including re-evaluation of the hazard and subsequent upgrading if needed.

2.4. Site selection, site suitability

The desired seismic safety of NPPs can be ensured by proper selection of the site and adequate investigation and evaluation of site hazards.

The site selection is a preventive measure, while the site characterization is a mitigative measure that aims to limit the potential risk of the facility since it provides the basis for proper definition of the design basis.

It is obvious that the most rational way to protect the plant from the effects of hazards is to select a site with obvious low exposure.

The siting is a multiphase process [44] that starts with the survey of large area for potential sites. The area is defined on the basis of economic (e.g. area for economic development), technical (e.g. availability of cooling water) and safety considerations. The site investigation and hazard evaluation confirms the site selection and provides the necessary information for the derivation of the design basis. This confirmatory activity extends to the whole lifetime of the plant. It is now widely accepted that the hazard assessments have to be reviewed regularly that is an obligatory activity in majority of nuclear power plant operating countries. These periodic safety reviews provide the frame for integration the new scientific evidences and experiences into the site hazard characterization.

Nuclear power plants can be built practically anywhere. From safety point of view, there are a few criteria to be considered for site suitability. The sites shall only be qualified unsuitable, if it is concluded during characterization of external hazards that no engineering solutions exist to design protective measures against those hazards that challenge the safety of plant. The site suitability criteria are defined in the international regulatory documents (see generally in NS-R-3 in Refs. [44, 45] and particularly in national regulations, for example [46] for United States and [47, 48] for Russia.

There are also site features that affect the engineering effort needed for ensuring the plant safety. These features can be considered as discretionary criteria and can be used to facilitate the selection process. A global balance has to be established between the characteristics of a site, on the one hand, and specific design features, site protection measures in order to obtain the required level of safety.

The tectonic environment can affect the plant safety by ground motion due to earthquakes, permanent ground deformations, seismic induced ground failure, tectonic creep, after-slip, uplift and subsidence.

The intensity of ground motion (peak ground acceleration at the free-field) is usually not a matter of suitability considerations. This is subject of discretion that may affect the ranking and selection of the site. The only exception might be the national regulation of Russia. According to this, the sites have to be qualified as unacceptable where the intensity of maximum credible earthquake is I ≥ 9 on MSK-64 [48].

From the point of view of tectonic environment and phenomena, it is unacceptable, if the reliable evidence shows the existence of a fault capable to cause permanent surface movement or dislocation that has the potential to affect the safety of the nuclear installation and cannot been compensated by engineering methods.

2.5. Site seismic hazard evaluation

The geological, seismological and geotechnical investigations performed for site evaluation needed to provide information to support the following:

  1. seismic source characterization input to a probabilistic seismic hazard analysis (PSHA);

  2. evaluation of surface fault rupture hazard;

  3. site response analysis; and

  4. evaluation of seismic-induced ground failure hazard.

The adequacy of the characterization of the hazards is a precondition of the adequacy of the design.

The site seismic hazard is characterized by

  1. hazard curve, i.e. function of annual probability of exceeding given value of peak ground acceleration,

  2. uniform hazard response spectra (UHRS)

at base-rock or outcrop and at the free-field.

For specific calculations, e.g. liquefaction analyses the deaggregation of the hazard, i.e. definition of main contributors to the hazard in form of magnitude-distance bins are needed.

For analyses in time domain, accelerograms are needed. These can be generated fitting to the UHRS or selected from earthquake records and tuned to the UHRS.

The rules and requirements for evaluation of site seismic hazard are given in the IAEA Safety Guide SSG-9 [34]. A brief overview of the subject is given below that focuses on specific “nuclear” aspects of the site seismic hazard evaluation.

3. Definition of the design basis

3.1. Probabilistic attributes of the seismic design basis

3.1.1. Design basis earthquake

The design basis earthquake has to be characterized by maximum ground motion acceleration defined at certain level of annual exceedance probability.

For the definition of exceedance probability compatible with the probabilistic safety targets (acceptable CDF and ELRF, see Section 2.1), let us assume that a single parameter can characterize the damage potential of the earthquake, e.g. the free-field maximum horizontal acceleration, PGA = a. The probabilistic criteria, Pscr, to be screened in to the design basis can be derived from the accepted probability (or annual frequency) of early large releases, PELR that is generally equal or higher than 10−7/a (for plants of older design 10−6/a), and the conditional probability of failure P(ELR|PGA ≥ a)due to a particular impact, the consequence of which is a release exceeding the regulatory limit.

Since the probabilistic target is Pscr×P(ELR|PGAa)<PELR, the screening probability can be written in a very simple way:


In this case, Pscrmeans the probability of an impact affecting the facility, originating from the given source of hazard during, which causes damage that results in an early large release.

The 1/P(ELR|PGA ≥ a)can be interpreted as the required performance of the SSCs, as it is given in the ASCE/SEI 43-05 [49], where the hazard exceedance probability, HDand the target performance PFis defined for SSCs with different importance for safety in a graded manner, i.e.


where RPindicates the probability ratio that practically identical with 1/P(ELR|PGA ≥ a). For the SSCs in highest seismic design category, the RP= 10 and PF= 10−5/a, consequently, the annual hazard exceedance probability is equal to 10−4.

The uncertainty of definition of seismic hazard has to be accounted for in the design basis. Therefore, the confidence level of the hazard definition is also matter of nuclear safety regulation. Generally, the mean characteristics of the hazard are taken into account in the design basis. In some countries, for example, the 10−5/a median value is accepted [50], while in other countries the 84 percentiles. It has to be emphasized, the probability distributions of peak ground acceleration at low exceedance levels are rather skewed, i.e. the mean value exceeds the median one, and will exceed the 84 percentiles at low exceedance levels.

3.1.2. Avoiding the cliff-edge effect: design extension conditions

It is important to avoid the cliff-edge effect, i.e. sudden degradation in case if the experienced earthquake effects exceed those accounted for in the design. It has to be emphasized that it is not a new, post-Fukushima invention, but it is part of safety philosophy since several decades.

For example, according to the ASCE/SEI 43-05 [49] and United States NRC Regulatory Guide 1.208 [51], the response spectra for design basis earthquake ground motion (DRS) has to be defined as DRS = DF∙UHRS, where DF is the design factor depending on the slope factor of the hazard curve, i.e. the ration of spectral amplitudes of the free-field UHRS calculated for the HDand 0.1HD. If the hazard curve is steep, or otherwise, if the increase in spectral amplitude is moderate if the exceedance probability is decreasing by an order of magnitude, the DF ≈ 1and DRS ≈ UHRS. In opposite case, the DF >1and DRS > UHRS. Thus, the above definition of design response spectra provides already the necessary assurance to avoid the cliff-edge effect.

3.1.3. Design basis of SSCs for severe accident management and mitigation

According to the defence-in-depth concept, the Level 3a corresponds to design basis conditions, and the Levels 3b and 4 correspond to the design extension conditions. The design basis of the SSCs having safety relevance in case of Levels 3a and 3.b can be defined as it is described above.

The irreversible serviceability in case of Level 3.b is ensured by designed-in margins.

It is also shown in the ASCE/SEI 43-05 that as long as the seismic demand and structural capacity evaluations have sufficient conservatism that grantee both less than about a 1% probability of unacceptable performance for the design basis ground motion, and less than about a 10% probability of unacceptable performance for a 1.5 times larger PGA than those for design basis. It is shown in the commentary of the code that the nominal factor of safety with respect to the design basis effects is not less than 1.5 with 10% conditional probability of failure. The hazard exceedance level corresponding to the 150% of design basis effect, i.e. to the design basis, depends on steepness of the hazard curve.

Consequently, the SSCs designed for 10−4/a design basis earthquake in compliance with relevant standards will have sufficient margin for performing their intended safety function even if an earthquake with PGA ≤ 1.5 × PGAat 10−4/a. There are plant sites, for example, the Paks site in Hungary, where the hazard curve is rather steep and the 1.5 times of the PGA of the design basis earthquake corresponds to the exceedance probability more than one order of magnitude less than the design basis one [52].

In case of Level 4, the designed in margins of the safety relevant SSCs with passive function (e.g. containment) could ensure the integrity. However, the designated severe accident management SSCs have to survive the effects of very severe earthquake and have to be functional after the event. For the definition of the design basis of these SSCs-specific considerations are needed. This can be made, for example, on the basis of the “Eurocode: Basis of structural design”.

Regarding the reliability of structures, the “Eurocode: Basis of structural design” Annex C [53] applies the first-order reliability method for demonstration of the reliability of the partial factor method of design. The probability of failure Pfailis defined by the reliability index, β


where Φ denotes the standardized normal distribution function. For the normally distributed random variable g = RE, β is the ratio of mean value of g, and its standard deviation is, where Ris the resistance and Eis the effect of actions. For example, if target Pfailis equal to 10−6, β= 4.75. The value of the reliability index depends on the importance of the structure, and on the limit state. The index βas well as the Pfailcan be related to reference period 1 year or to the total service lifetime, e.g. 50 years.

As it is given in Section 2, the design basis earthquake causes an irreversible serviceability limit state, while a beyond design basis earthquake causes design extension condition, i.e. ultimate limit state. Thus, the value of βfor the ultimate state and highest reliability class is equal to 5.2 for 1 year, and 4.3 for 50 years.

The failure boundary is, when g = RE = 0. Generally, the design effect of action depends on the actions, geometrical properties of structure and model uncertainties, while the design resistance depends on the material properties, geometrical properties and model uncertainties. The design value of action effects Edand the resistance Rdshould be defined such that the probability having a more unfavourable value will be


where E| ≤1 and R| ≤1 are the sensitivity factors for effects of actions and resistance, respectively, and βis the target reliability index.

Let us consider the SCCs for severe accident management and mitigation and assume that these are of highest reliability class and assume that these SSCs have to be function at 10−5/a mean hazard level and have to be in ultimate condition at 10−6/a hazard level [52].

According to the Code, the minimum value of reliability index for the ultimate limit state and for 1-year reference period is β= 5.2, that corresponds to the target probability of failure Pfail= 10−7/a, and β= 4.75 for the target probability of failure Pfail= 10−6/a. According to the Code, the values αE= 0.7 and αR= 0.8 can be assumed for the sensitivity factors. Results of calculation of annual exceedance probabilities for effects and resistance are given in the Table 4; see Ref. [52].

ααE = −0.7αR = 0.8
P(E < Ed)4.42 × 10−41.36 × 10−4
P(R ≤ Rd)7.2 × 10−51.6 × 10−5

Table 4.

Annual exceedance probabilities for effects and resistance at given target reliability index.

The Code provides formulas for deriving the design values of variables with different given probability distribution (normal, lognormal, Gumbel) that allows the use of the procedure to different type of hazards.

From the considerations above, it can also be concluded, that the annual probability of exceedance for the effects of actions 10 4/a will ensure the desired performance of SSCs. This conclusion can be interpreted in a way that the proper selection of design basis and design by conservative rules provide good chances to withstand the effects of “black-swan” earthquakes [54].

3.2. Evaluation of the design basis ground motion

During last three decades, a significant development can be observed in the methodology of the characterization of the seismic hazard for nuclear facilities. This has been motivated by the difficulties of assessing low probability earthquakes that have to be accounted for in the design basis. The return periods of these earthquakes exceeding the time span of historical records. Main focus of developments was to manage the uncertainty of characterization of low probability events that motivated the development of the probabilistic seismic hazard assessment (PSHA) methods. In addition to the inherent randomness of the phenomena, the PSHA methods take into account the uncertainty of modelling, i.e. epistemic uncertainty due to insufficient knowledge. In the development of PSHA methods, the document of the United States NRC NUREG/CR-6372 [55] published in 1977 was a milestone. The NUREG/CR-6372 defines four progressive levels of analyses in accordance with the completeness of information sources, complexity of analysis, but principally, with the systematic integration of diverse expert opinions. Its uppermost grade is Level 4 PSHA, which is based on the integration of expert opinions using sophisticated expert elicitation method. The practical preference is given to the Level 3 PSHA that also integrate the views of different experts, but with reasonable effort. This methodology is integrated by the document of NUREG/CR-6728 in 2001 [56], which covers the definition of the site response and provides guidance for defining the response spectrum of safe shutdown earthquake (SSE). Recently has been published a comprehensive study on lessons learned from application of the Level 3 and Level 4 SSHAC methodology [57]. Practical guidance to perform PSHA is given in the [58].

The scientific developments are also reflected in IAEA documents. The document 50-SG-S1 issued in 1979 was still fully based on the deterministic method. The IAEA guideline NS-G-3.3 issued in 2002 [59] already more particularly discusses the probabilistic method and pays greater attention to the quantification of uncertainties and to the elaboration of the seismological data base (microseismic monitoring, palaeoseismological examinations) as completely as possible. This tendency unambiguously manifests itself in the document NAÜ SSG-9 [34], which superseded the guideline NS-G-3.3 and recently in Revision 1 of the NS-R-3. There is also essential progress in the use of fault rupture modelling [60], and accounting the palaeoseismicity in the seismic hazard evaluations [61].

The probabilistic method for defining seismic hazard consists of six fundamental steps:

  1. Specification of seismic sources, source areas

  2. Characterization of activity of seismic sources (magnitude-frequency-distribution, cut-off magnitude, depth distribution)

  3. Selection of appropriate attenuation-lows that corresponds to the earth-physics features of the region

  4. Development of logic tree and calculation of seismic hazard curve and definition UHRS at base-rock or outcrop

  5. Accounting the site effects, calculation of the free field UHRS

  6. Deaggregation of the hazard

Although the whole process is data driven, there is significant epistemic and aleatory uncertainty in all steps have:

  • Knowledge of seismogenic potential of geological structures is not unambiguous and, consequently, therefore several seismotectonic models may exists;

  • The knowledge on the activity of seismogenic structures is incomplete since the number of recorded events and the time span of observations is limited, consequently, beside of the instrumental and historical records, the palaeoseismic evidences have great importance [61];

  • The attenuation-lows are based on the statistical processing of particular observations, but the sample number may be very small in areas where the number of strong earthquakes is low.

The logic tree is also suitable to consider the aleatory uncertainty, while the accounting of aleatory uncertainty can be managed by other methods, e.g. by the Monte-Carlo method.

The final output of the PSHA is the hazard curve, i.e. the annual probability of non-exceedance versus PGA and the UHRS at outcrop.

The seismic design basis and the hazard curve is generally defined as mean (black line) of possible realizations. The 14 and 84 percentiles (yellow and brown lines, respectively) and their deviations indicate the extent of the epistemic uncertainty.

Set of hazard curves are shown in Figure 1 each of them corresponds to a branch in the logic tree.

Figure 1.

Hazard curves corresponding to branches of the logic tree.

Important result of the PSHA is the deaggregation of hazard that identifies the contributors to the hazard in magnitude-distance bins as it shown in Figure 2.

Figure 2.

Deaggregation of 10−5/a level PGA for a nuclear site.

Contrary to the PSHA, the deterministic method of seismic hazard evaluation accounts the aleatory uncertainties and the analysis is based on the only true model of seismogenic structures that is most supported by evidences. However, the selection of the only true model disqualifies all other views that might also be supported by observations.

A PSHA SSHAC Level 4 study has been made for Swiss NPP site that is well-published and widely discussed; see Refs. [62, 63].

3.3. Site effect, design basis response spectra

The SSE for the site is characterized by both horizontal and vertical free-field ground motion response spectra at the free ground surface. The procedure for calculating the free-field response is illustrated in Figure 3.

Figure 3.

Calculation of the site-effect.

Ground motions at the foundation level and at the surface can then be computed, with account taken of the transfer functions of the overlying soil layers. The nonlinearity of the transfer to the surface can be essential for sites covered by soft soil layers. The ground response spectra can also be defined at the hypothetical outcrop.

In the designer practice, standardized response spectra are fitted to the free-field PGA; see for example the standardized response spectra given by Regulatory Guide 1.60 in Ref. [64]. The designers select an appropriate PGA for the basic/certified design.

In the United States, PGA = 0.3 g is selected for the new reactors to be certified. The peak ground acceleration of the SSE, referred as the Certified Seismic Design Response Spectra (CSDRS), has been established as 0.30 g for the AP1000 design [65]. These spectra are based on Regulatory Guide 1.60 with an increase in the 25 Hz region. The vertical peak ground acceleration is conservatively assumed to equal the horizontal value of 0.30 g. In Europe, the 0.25 g is set for the standardized response spectra [66]. The site-specific response spectra are used for adjusting the basic or certified design to the site and justification of margins.

3.4. Hazards caused by earthquakes

Among ground vibratory motion, earthquakes can cause surface settlement, permanent surface ruptures, landslides, soil liquefaction and tsunamis. The basic aspects of the surface rupture and soil liquefaction hazard will be presented below.

3.4.1. Evaluation of the design basis permanent surface movement

Surface deformation is distortion of geologic strata at or near the ground surface by the processes of folding or faulting as a result of various earth forces. Tectonic surface deformation is associated with earthquake processes. A fault shall be considered capable to cause permanent surface deformation, if on the basis of complex (geological, geophysical, seismological, palaeoseismological, geomorphological, etc.) investigations show the “evidence of past movement or movements (significant deformations and/or dislocations) of a recurring nature within such a period that it is reasonable to infer that further movements at or near the surface could occur” [34, 46].

The issue of surface rupture and capability/activity of faults at the sites has been addressed already in the “Introduction”. In the earlier regulatory approach, the potential of surface movements was considered as absolute criterion for rejection of the site. The uncertainty, the definition of the surface rupture hazard was judged unacceptable and the possibility of engineering means for protection questionable.

The change of views can be tracked comparing the last three revisions of the United States NRC Standard Review Plan [6769]. Recently, NRC regulations do not restrict building in an area with surface faulting potential, but if that potential exists, the regulations require that surface deformation must be taken into account in the design and operation of the proposed nuclear power plant [69]. Although it is not advised to locate a new plant at a capable fault, the issue seems to be unavoidable at the sites of some operating plants as it has been shown in the Introduction. Nowadays, finding a new nuclear site became rather difficult not because of scientific-technical difficulties but more because of political objections. The old nuclear sites are preferable to use for the location of new plants. Therefore, the analysis of surface fault hazard and consideration of the surface movement is a very burning issue.

The change of views on the surface movement issue reflects the development of the understanding both the phenomenon of surface rupture and the response of the plant to certain surface dislocation. In the IAEA Safety Guide SSG-9 [34], the probabilistic surface rupture hazard analysis is advised for the sites of operating plants, where is seems to be relevant. According to the recent understanding of the issue, the judgement on the fault displacement hazard depends on the measure of displacement that would or would not challenge the safety. The new approach to the tectonic deformation hazard is based on the advances in the methodology to investigate and characterize the surface fault rupture and tectonic deformation achieved during last decades. In the same time, the engineering methods ensuring the required capacity of systems, structures and components to withstand certain amount of earthquake-induced ground deformations have been developed. These achievements are reflected in the new Japanese study [12] and United States standards [70]. The ANSI/ANS-2.30-2015 standard provides criteria and guidelines for assessing coseismic permanent ground deformation hazard due to tectonic surface fault rupture and deformation at nuclear facilities. The procedures and methods for performing probabilistic fault displacement hazard analysis for surface rupture hazard and probabilistic tectonic deformation hazard analysis for surface deformation due to displacements along blind (buried) faults are outlined in the standard. The logic of probabilistic surface displacement rupture hazard assessment is practically the same as the logic of the probabilistic seismic hazard analysis. The output of the fault displacement hazard is characterized by the hazard curve that shows probability of exceeding given level of displacement, i.e. P(d > D) = 1.0 e(λ(z)T), where the λ(z)is the average frequency during time period Twhen the level of total displacement dexceeds Dat the site resulting from earthquakes on all sources in the region. Z includes the contributions from principal- and distributed-fault displacements. The logic and the results of the probabilistic tectonic deformation hazard analysis are the same as in the case of performing probabilistic fault displacement hazard analysis. The ANSI/ANS-2.30-2015 standard references the relevant publications on the subject.

Rules for locating safety relevant structures relative to the near a fault are also advised in the standard. The procedure is as follows:

  1. Define permanent ground deformation zones on the basis of detailed geologic, geophysical, tectonic morphologic investigations.

  2. If the site is within the permanent ground deformation fault displacement analysis and/or tectonic deformation analysis has to be performed to understand the relationship of the building location relative to both the principal and distributed faults.

  3. Assess, whether the site is located within the permanent displacement zone greater than 200 m from principal fault zone and within the proximity (two times maximum foundation dimension) of distributed faulting, but no intersects the building foundation.

  4. Assess, whether the building is located within the permanent displacement zone greater than 200 m from principal fault zone, but the distributed faulting is within 200 m or directly intersects the foundation.

  5. Assess, whether the building is located inside the permanent displacement zone and within 200 m of principal faulting, but no distributed faulting directly intersects the foundation.

  6. Assess, whether the building is located inside the permanent displacement zone and within 200 m of principal faulting, and the distributed faulting directly intersects the foundation.

In all cases, the site can be accepted, if the results of the probabilistic fault displacement hazard analysis demonstrate that fault displacement hazard that is given in form of exceedance probability versus measure of displacement.

The basic concept and motivation of the Japanese study JANSI-FDE-03 rev.1 is to describe framework of the estimation of fault displacement to the assessment of plant safety against on-site fault displacement that account both the direct impact due to discontinuous displacement of the ground and indirect impact due to continuous deformation, such as inclination. The analysis methods have been developed primarily for application to existing plants, but the methods can also be referenced in the design of new plants. In the safety analysis, it is assumed that the secondary fault exists immediately beneath the reactor building and the possibility of its displacement cannot be denied, and its displacement will directly be applied to the reactor building. The design basis displacement δacan be performed via

  1. estimation by geological survey results on the basis of past displacements,

  2. estimation by analysis,

  3. probabilistic fault displacement hazard analysis, selecting the design basis displacement for the annual exceedance probability as in case of other external natural hazards.

The JANSI-FDE-03 rev.1 study references the relevant publications on the methods above.

Since the uncertainty of fault displacement is considered to be larger than that of other natural phenomena, the impact on the facilities arising from beyond design basis displacement δbhas to be examined. In the study, it has been confirmed that secondary fault displacements for δbcan be set to 30 cm with annual exceedance probability is less than 10-5 when the Mw = 6.5.

Deformation in the form of creep or after-slip and uplift and subsidence during subduction zone earthquakes is addressed for example in the Russian regulation seems to be consequent since it not allows to construct NPPs at the sites situated on active faults [71]. In this interpretation active are those faults along which relative displacement of the earth crust’s adjacent blocks by 0.5 m and more took place during the last 1 million years (in the Quaternary period) [72]. (There are Russian normative documents where the attribute “5 mm/year recent movement” is also added, see, e.g. the RB-019-01 norm of the Rosatomnadzor.) The hazards categorized into three categories (hazard degrees) according to their severity measured by maximum allowable effects: high, moderate and low (denoted by I, II and III). The sites are also categorized into three Classes according to the category of site hazards (denoted by letters A, Б and B). According to this, the sites are of Class B, where a sudden movement along the fault (earthquake intensity 8 per MSK-64) is equal or larger than 0.3 m that is categorized as a Severity Degree I. For the creep and recent differential movements, the 0.3 m limit and additionally a larger then 10 6 m/a gradient of the Quaternary movement is set. In this case, considerations have to be made for selection another site. The site is acceptable if the displacement is less than 0.3 m and the velocity gradient of the Quaternary movement is less than 10 6 m/a. It is a remarkable coincidence that this limit is equal of those for beyond design basis displacement in the Japanese study JANSI-FDE-03 rev.1. Obviously, the limit value is related to the value of the limit tilt that can cause essential damages in reinforced concrete structures, that is approximately 0.003 in accordance with several standards. This limit is much less than the tilt of leaning tower of Pisa.

The standards ([34, 70, 72]) and the representative study [12] indicate that there are consolidated and applicable in the nuclear practice knowledge to deal with certain limited surface displacement. The very prudent position of the NRC reflects the reasonable position [69] stating that it is not forbidden building a nuclear power plant in an area with surface faulting potential, but if it is rather difficult to that the safety-related SSCs would maintain their safety functions if surface displacement occurs.

It has to be emphasized, the scientific-technical progress cannot be never braked by prudence, and it was and is always motivated by the needs and revelations. That is reflected in the sample of recent publications on the subject [7380]. Special concerns regarding possibility to characterize the fault capability in moderate to low seismicity areas are discussed in Ref. [81].

3.4.2. Evaluation of liquefaction hazard

The secondary phenomena caused by earthquake have to be matter of acceptance of the site. According to the IAEA Safety Guide SSG-35 [44], if the potential for soil liquefaction is found to be unacceptable, the site shall be deemed unsuitable unless practicable engineering solutions are demonstrated to be available. Soil liquefaction is a ground failure or loss of strength that causes otherwise solid soil to behave temporarily as a viscous liquid. The phenomenon occurs in water-saturated unconsolidated soils affected by seismic waves. Poorly drained fine-grained soils such as sandy, silty and gravelly soils are the most susceptible to liquefaction. Since there are proven engineering solutions for soil stabilization and improvement against liquefaction hazard, the only site evaluation task is to locate the soil layers susceptible to liquefaction. The first screening can be performed on the basis of grain-size-distribution; see Ref. [82]. The screening can be performed calculating the factor of safety to the liquefaction, FSliq, that is the measure of susceptibility that is the ratio of the CRRis the cyclic resistance-ratio, i.e. the available soil resistance to liquefaction expressed in terms of the cyclic stresses required to cause liquefaction, and CSR(cyclic stress ratio) that is the cyclic stress generated by the design earthquake.

The cyclic resistance-ratio CRRcan be calculated as advised by US NRC Regulatory Guide 1.198 [83] on the basis of field and laboratory tests performed in accordance with Regulatory Guide 1.132 [84] and Regulatory Guide 1.138 [85], respectively. The liquefaction susceptibility can be calculated by analytical methods (effective stress method, linear and nonlinear), cyclic strength testing, physical modelling and empirical procedures. The latter are widely used in the practice. For CRR, empirical correlations have been developed on the basis of standard penetration tests (SPT), cone penetration tests (CPT), Becker penetration test (BPT) tests and on the shear wave velocity vs. field data. Since the statement on the liquefaction susceptibility is used for indication of the hazard and the design is focused on the complete avoidance, the analysis by empirical method is acceptable and sufficiently conservative.

In case of existing nuclear power plants at soil sites, the soil liquefaction can be a beyond design basis hazard that can cause design extension conditions. Safety analysis DEC case. Sophisticated methods have to be applied for the development of a best estimate assessment frame for evaluation of plant safety with respect to the liquefaction hazard; see Refs. [8691]. Practical implementation for the Paks NPP site in Hungary can be found in Refs. [9298]. A typical probabilistic liquefaction hazard analysis result, the annual probability of exceedance versus factor of safety, is shown in Figure 4.

Figure 4.

Annual probability of exceedance for factor of safety for different depth at a selected point of the site [94].

Practice shows that the different methods provide very scattering results because of differences in the modelling of the phenomena as it is shown in Figure 5; see Refs. [93, 94].

Figure 5.

Factor of safety to liquefaction versus depth calculated by different methods [94].

The modelling uncertainties can be accounted for by logic tree. A method for dealing with epistemic uncertainty is proposed in Ref. [92] as it is shown in Figure 6.

Figure 6.

Logic tree elaborated for analysis of soil liquefaction [92].

3.5. Graded approach

When defining the design basis earthquake, it is practical to discriminate between nuclear facilities and reactors according to their potential risks [34]. The potential risk can be judged considering to the thermal output of the reactor, the quantity of activity stored, or on the basis of the characterization of the potential risk by means of 2nd or 3rd level PSA.

Designing the SSCs of a plant, the SSCs have to be classified according to the safety relevance. The design basis of the system or component can be defined in a graded way with the consideration of these two classifications. For example, in the case of classification into seismic-safety classes, the IAEA NS-G-1.6, the guideline for seismic-safe design, differentiates three seismic-safety and one “non-seismic-safety” classes or categories.

The ASCE/SEI 43-05 links the performance goal and hazard exceedance probability to the seismic design category that is assigned to the SSC, as a function of severity of consequence of the loss of function. There are five categories, SDC1 means conventional SSCs, while SDC5 is assigned to SSCs with high safety relevance. Target performance goal, PF and the HD is the average frequency of exceedance for the design basis earthquake is linked to the seismic design category and allowable of limit states A-D as it is shown in Table 5.

PF10−44 × 10−510−5
HD4 × 10−44 × 10−410−4

Table 5.

Association of design category, target performance goal and exceedance frequency.

3.6. Regular review of the hazard evaluation

One of the most important lessons learned from the Fukushima-accident is the recognition of importance of regular review and updating of the site seismic hazard evaluation. According to the practice of many countries, the proper frame for the re-evaluation is the periodical safety reviews [99].

The regular assessment of experiences, feedback and periodical safety reviews, together with the safety enhancement measures, form an effective mechanism, which always guarantees the safety of the facility.

4. Basic design requirements

4.1. Generic design requirements and defence-in-depth

The design of the first and the second generation of nuclear power plants was governed by the first three levels of the defence in depth.

The classical two-earthquake-level design ensures continuous operation up-to OBE level exceeded. The design and qualification of practically all SSCs of the plant for OBE corresponds to the Level 1 of DiD. Installing automatic reactor, scram triggered by exceeding the OBE acceleration level corresponds to the Level 2 of DiD. The OBE could be considered as serviceability limit state for all non-safety-related SSCs of the plant.

Level 3.a had been ensured by design and qualification for SSE vibratory motion of SSCs needed for fundamental safety functions, the SSE is irreversible serviceability limit state for the SSCs ensuring fundamental safety functions.

The seismic safety re-evaluation and improvement programmes performed by many operators during last decades had been aimed to establish the compliance with the requirements of three levels of DiD.

The seismic PSA or seismic margin assessments performed used to quantify the seismic safety demonstrate that there are not cliff-edge effects since the margins designed in cover the unexpected beyond design basis earthquake effects. This was the Level 4 DiD in the earlier understanding.

The phenomena (tsunami, landslides, liquefaction) associated with the earthquake either had been considered as part of the design basis and appropriate protective measures had been implemented (for tsunami—breakwater walls, dykes, for liquefaction—soil improvement, appropriate foundation design) or had been excluded by proper site selection.

Extension of the design basis and accounting for the rare and severe external hazards are additional to the general design basis and represent more challenging or less frequent events. Consequently, in the new interpretation of defence-in-depth concept, design has to ensure protective measures for design extension conditions, i.e.:

  1. The SSCs that fulfil the basic safety functions have to be designed and qualified so that ensures extension of the capability due to predefined level of margin (Level 3b), or multiple protection (e.g. breakwater wall and tsunami guards). For these SSCs, the beyond design basis earthquake is irreversible limit state. The design extension conditions corresponding to Level 3.b differ from those corresponding to Level 3.a in the intensity of earthquake vibratory motion, but the response of the plant to the earthquake is as it is considered in the design basis.

  2. Means and procedures have to be in place for the case of very disastrous (black swan) earthquakes and associated with phenomena (Level 4). This can be correlated with ultimate limit state of all safety-related SSCs, except those designed or qualified specifically for DEC conditions (hardened core). Main technical objective is to maintain the integrity and leak-tightness of the containment. An example for a complementary safety feature is the equipment needed to prevent the damage of the containment due to combustion of hydrogen released during the core melt accident. The containment and its safety features shall be able to withstand extreme scenarios that include also the melting of the reactor core.

- Although the severe accidents have to be practically eliminated, means and plans have to be made for the case when the disastrous earthquakes result in severe core damage and releases (Level 5). Typical means and equipment are the bunkered and mobile equipment, and the emergency response centres rescue equipment rapidly available to support local operators.

The large scale common cause failures have to be assumed due to severe earthquakes that obviously enhance the possibility severe accidents. Us of redundant systems that is routine design solution for enhancing the reliability of safety functions does not provide additional safety improvement, since the earthquake affects simultaneously all redundancies that can result in common cause failures. More effective is the use of diverse systems and physical separation of safety systems. For example, in case of earthquake-induced fire, the physical separation can exclude the simultaneous loss of redundant safety systems. The systems dedicated for DEC conditions should be independent from the safety systems used as per design basis.

Phenomena, like soil liquefaction, generated by severe earthquake could be important for some sites as design extension situation.

The planning of severe accident management means and procedures and improvement of the disaster management on the country and international level became great attention [100].

The above design considerations have to be extended to the spent fuel pool, too.

4.2. Design for vibratory ground motion

Experience shows that the nuclear power plant design for the vibratory ground motion effects ensures is well established and conservative.

The IAEA SSR-2/1 [101] provides the general rules for design, particular rules for designing against earthquakes are given in Ref. [102]. Also, national regulations manage the question of safety protection against hazards in relation to level of importance; see, for example, the general design requirements of 10CFR50 Appendix A [46].

The national standards, for example, the ASME BPVC Section III [103], or the in the Russian standard NP-031-01 [104], specify the load combinations, the permissible stresses and the means of calculation of those stresses. The well-developed national standards are comparable [105].

A reasonable way to make the design effort rational is to apply the graded approach. The design basis and requirements with respect to the SSCs reliability can be defined in a graded way with respect to the safety classifications, see for example the IAEA safety guide NS-G-1.6 [102], that define three seismic-safety and one “non-seismic-safety” categories. For example, in the United States NRC regulation, it is reflected in 10CFR50 § 50.69 and Regulatory Guide 1.201 [106], which establish the basis of the categorization of SSCs according to safety relevance. The design codes provide graded approach in accordance with safety and seismic classes, see the Sections NB-3600, NC-3600 and ND-3600 according to the safety classes in the ASME BPVC III. Differentiation depending on the service level is also a conception element of design by “rules”. Standards, for example, ASME BPVC Section III, unambiguously define the service level (design from Service Level A to D) into, which the given level is characterized by, which loads, and in a differentiated way defines the authoritative and permissible loads. The safety relevance is reflected in the selection of the design basis earthquake annual exceedance probability as well. Generally, the safety relevant SSCs have the seismic design basis 10−4/a mean non-exceedance probability. The SSCs not classified have to be designed in accordance with industrial practice, i.e. for 475 return period earthquake as specified by the standard EUROCODE 8 [107].

As it is shown, the design for vibratory effects is well-established. The developments of design and analysis methodologies for vibratory ground motion are oriented on the reasonable decreasing of conservativism of the design methods. For example, accounting the incoherency phenomena in the soil-structure interaction [108111] and development of performance-based design procedures.

4.3. Design for margins

The “design by rules” ensures margins that enable the SSCs to withstand the earthquake effects exceeding those in the design basis. The design codes ensure appropriate margins to compensate the inaccuracy of design methods, the uncertainty of loads and resistances the manufacturing and construction tolerances and defects, as well as the ageing effects.

For the unbiased quantification of the margin, the measure high confidence of low probability of failure (HCLPF) was introduced. High confidence of low probability of failure (HCLPF) is a measure of the seismic capacity of SSCs described in terms of a specified ground motion parameter (e.g. spectral acceleration) corresponding to 1% probability of unacceptable performance on a mean fragility curve. Otherwise, a given system component’s failure probability associated to its HCLPF is lower than 5%, with a confidence of ≥95%.

The HCLPF is to calculate by conservative deterministic failure margin (CDFM) methodology, as given by the equation below, the whole procedure; see Ref [112]:


where aRLEis the reference earthquake maximum horizontal acceleration, usually 0.3 g is selected (NUREG/CR-0098 response spectra fitted to the soil conditions at the site). The CE= CDNEis the part of Ctotal capacity that is available to sustain the earthquake load since it is reduced by operating loads DNE. The D_S is the earthquake load, and ΔCNErepresents the concurrent loads (for example, in a reinforced concrete reinforcing wall, tension simultaneously occurring with shearing). The capacity is defined according to the standards. The ductility is accounted by ductility factor Fμor with the ductility-reduction factor Kμ= 1⁄Fμ. The calculation of system level and plant level HCLPF will be shown below, that needs modelling of systems and the success path of the plant for ensuring the fundamental safety functions.

According to the United States NRC requirements for new NPPs, the minimum acceptable plant level HCLPF is 1.67 times the design basis earthquake. For the new built, the European normative documents require a margin above the design basis equal to 1.4 times design basis peak ground acceleration. For existing plants, the HCLPF margin over the design basis earthquake is recommended as 1.4 according to the United States. Approach; see Ref. [113]. In other countries, this overall plant HCLPF is set to 1.5 [114].

Practical considerations regarding acceptable seismic margin of the severe accident management systems are published in Ref. [52].

4.4. Design for OBE

Operability of NPPs should be ensured after frequent but not severe earthquakes. The OBE is now a specific part of the design. Nowadays, the OBE is interpreted as an operational limit and inspection level rather than an obligatory design level. Definition of the OBE level is subject of owner considerations. Depending on the national regulations, an automatic reactor protection system has to be installed. The non-safety-related SSCs are designed for OBE that is usually selected in accordance with non-nuclear industrial standards. For example, in accordance with EUROCODE 8, the return period of OBE can be set to 475 years [107]. Selection of an OBE level higher than the design basis earthquake as per industrial standards will require additional design and qualification effort.

Design of safety-related SSCs for OBE level is not required, if the OBE PGA is equal or less than 1/3rd of the SSE PGA; see in Appendix S of the 10 CFR Part 50 in Ref. [115]. That exemption is to explain, if the allowable stresses in different service levels are compared to the allowable stresses for the Service Level D as these are defined by the ASME BPVC III.

4.5. Design of DEC provisions

Real challenge is the design DEC provisions since they have to survive the rare earthquakes and remain functional. Generally, it is allowed by the regulation that the SSCs that have to function under design extension conditions can be designed by realistic or best estimate methods. However, the term “realistic and best estimate” is not clearly specified in the regulations [101]. First step for developing a best estimate method is to identify the allowed design state. The ASCE/SEI 43-05 [49] categorizes the SSCs according to the maximum allowable deformation, i.e.:

  • Large permanent distortion, short of collapse—significant damage

  • Moderate permanent distortion—generally repairable damage

  • Limited permanent distortion—minimal damage

  • Essentially elastic behaviour—no damage

These damage categories can be assigned to the SSCs that are needed for different levels of DiD. The code defines the design procedure for each category. Proper definition of the design basis (Section 3.1.3) and design by rules (Sections 4.1–4.4, and 4.6) ensures the required function. The design issues are discussed and practical examples are given in Ref. [52]. There are specific facilities, systems and equipment needed for severe accident management, for example:

For protection of the containment

  1. Severe accident hydrogen management system

  2. In-vessel retention via external vessel cooling

  3. Containment venting

  4. Core catcher (to protect the containment from the molten core material)

Alternative power supply

  1. Autonomous power supply to designated consumers by mobile severe accident diesel generators

  2. Super-emergency diesel generator

Measurement and control systems

  1. Severe accident measurement system

Heat removal to the ultimate heat sink

  1. Alternative hear sink for reactor

  2. Spent fuel pool cooling system

Facilities that have to be available for severe accident management

  1. Protected command centre

  2. Backup command centre

  3. Barrack of fire brigade

These facilities, systems and equipment have to survive the rare earthquakes and be functional autonomously for period of time (e.g. 72 h) without support from outside.

4.6. Accounting for the ground surface displacement

As it has been discussed in Section 3.4.1, surface deformation can be accounted for in the design basis. Capable fault in the vicinity of the plant can cause sudden displacement below safety-related building structures that affect the strength of the foundation material and can result in deformation, inclination of the buildings and relative displacement between the buildings. In case of coseismic fault displacement, both the effects and consequences of vibratory motion and effects and consequence of fault rupture have to be taken into account. The slow tectonic movement can also cause tilting of the safety-related structures. Summary of numerous publications on the modelling of the behaviour of the structure under surface displacement/deformation are given in Refs. [12, 70].

The study JANSI-FDE-03 rev.1 defines the following steps for analysis:

  1. Define the design basis displacement, δa.

  2. Perform analysis of coseismic displacement

  3. Perform analysis of deformation of foundation material

  4. Perform the design extension analysis for displacement δb exceeding the design basis one.

The analysis covers the building structures and the communication lines as well as the SSCs needed for fundamental safety functions. The analysis of the stability of foundation ground is also included into the scope.

The analysis of ground displacement and deformation as well as their consequences requires sophisticated ground-structure modelling and analysis techniques (finite element, discrete element methods, nonlinear, dynamic, etc.).

For the evaluation of integrity of the structures, the loads acting simultaneously have to be accounted for, i.e. the load arising from fault displacement δa, the dead-load, operating loads and seismic load that act together with the design basis displacement. For the design basis displacement δa, the allowable stresses and strains can be selected as for the ultimate conditions. In our understanding, the case is similar to the LS-B in accordance with ASCE/SEI 43-05 [49] or (or LS as per FEMA 365 [116]) conditions. For the beyond design basis displacement δb, the buildings and structures should not collapse LS-A in accordance with ASCE/SEI 43-05 or (or NC as per FEMA 365) conditions. These conditions can be evaluated also applying ASCE 41-03 or EUROCODE 8, Part 3 [117].

It has to be emphasized, that even in the case of DEC that corresponds to the Level 4 of DID, the desired condition of the containment would be to maintain the conditions as it is defined in the IAEA NS-G-1.10 Safety Guide [118]:

  1. Considering the structural integrity of the containment Level III: large permanent deformations. Significant permanent deformations and some local damages.

  2. For leak-tightness, the Level II condition, i.e. possible limited increase in leak rate. The leak rate may exceed the design value, but the leak-tightness can be adequately estimated and considered in the design.

5. Assessment of seismic safety

Safety analysis is a procedure that confirms compliance of the plant safety with the requirements and acceptance prescribed by nuclear regulations. The analysis is based on the physical modelling of the hazard effects and plant response via simulation and expert consideration. Response of power plant to earthquakes and judgement on the safety can be analysed by deterministic and probabilistic methods. These are as follows:

  1. Analysing whether the SSCs can withstand the earthquake effects using the design methods and justifying the code and the compliance for design basis earthquakes.

  2. Quantifying the margins, i.e. the load bearing and functional capacities of SSCs and the entire plant above design basis.

  3. Analysing whether the SSCs can withstand the effects of rare earthquakes (Level 4 of DiD) using specific rules.

  4. Evaluating core damage frequency due to earthquakes by probabilistic safety analysis, i.e. the seismic PSA is based on the modelling of the plant response to earthquake by event tree and fault trees. The seismic PSA includes the assessment of the containment function, too.

Obviously, the first method is nothing else as the design-by-rules. The third and fourth methods can already be considered as a routine one. Therefore, a brief information will only be given below. Most challenging seems to be the evaluation of the design extension conditions that will be discussed in some details.

5.1. Seismic margin analysis: SMA

The analysis and qualification of the margin against the impacts of hazards consists of the following main steps:

  1. Definition of a minimum configuration of SSCs that are needed for ensuring basic safety functions considering.

  2. Analysing the failure modes of the SSCs within the minimum configuration and calculation of HCLPF capacity of SSCs;

  3. The definition of the HCLPF capacity of the entire nuclear power plant.

The calculation of HCLPF by conservative deterministic failure margin (CDFM) methodology is given in Section 4.3. The rules for the calculation procedure and the applicable limitations are given in Ref. [112].

For calculation of HCLPF of a system, the fault tree of the system and its Boolean expression has to be developed. Let us consider a system consisting of two elements, A and B. Let us assume that for the function of the system survival of one of them is sufficient, i.e. an “or” relationship exists between the elements, and the advantageous output is C = A∪B if the elements are fully independent of each other, while in general A ∪ B = A + B − A ∩ B. If both elements are needed for the function of the system, i.e. an “and” relation exists between the elements, the success case is C = A ∩ B. Generalizing this procedure, it is possible to model of behaviour an arbitrarily complex system; see for example NUREG-0492 in Ref. [119]. The HCLPF of the systems needed for fundamental safety functions are calculated via Min-Max procedure. The Min-Max procedure seeks out both the weak link of the system (Min), if the elements are connected in series, and the strongest (Max) if the chains are connected in parallel with each other. Thus, the HCLPF of the system C consisting of elements A and B is as follows


if the model of system is as follows:




For example, the Boolean representation of system E consisting of elements A, B, C and D is as follows


The HCLPF capacity of the system is given as follows:


The detailed description of the method, through the example of the qualification of the margin against earthquake, is included in NUREG/CR-4482 [120].

The HCLPF capacity defined for the nuclear power plant does not qualify core damage, but allows a conclusion on the likelihood that core damage will not occur (see for example ASME/ANS RA-S-2008 in Ref. [121]). In principle, it is possible, on the basis of the hazard curve, to assign the probability of exceedance or annual frequency, as well, to the impact corresponding to the HCLPF capacity.

5.2. Seismic PSA and PSA-based margin assessment

Seismic PSA contains three essential elements (see for example ASME/ANS RA-S-2008 in Ref. [121]):

  1. assessment of the hazard in the form of a hazard curve showing the exceedance probability versus PGA,

  2. a model of the power plant in the form of event and fault trees,

  3. calculation of the failure rates using fatigue curves,

  4. calculation of the conditional core damage frequency for the plant,

  5. calculation of the core damage frequency of the plant.

The modelling of the plant top events and the seismically induced initiating events (IS) is illustrated in Figure 7 taken from Ref. [122].

Figure 7.

Modelling of seismically induced initiators and accident sequences with master event tree.

The concept of the probabilistic seismic safety assessment is rather simple. The probability of failure can be written in closed form, assuming that the hazard curve can be written as follows:


where k0 is a constant and k = 1⁄(lg(AR), where ARis the quotient of maximum horizontal accelerations in the case of a decrease in one decade of the probability of exceedance.

The conditional probability of structure or component to fail is assumed to be lognormally distributed:


where Cm= HCLPF*e(2,326βC) is median capacity βC= (βU2R2)1/2is standard deviation resulting from βRrandomness and βUepistemic uncertainty. Here, however, βUepistemic uncertainty is negligible, since it is negligible regarding susceptibility for damage. The total probability of failure is as follows:


Seismic margin assessment determined by a probabilistic method contains the second, third and the fourth elements of the above; therefore, the final result will be the conditional probability of core damage as a function of PGA [123]. Hence, the hazard assessment has rather high uncertainty, the capability of the plant ensured by the design is better to quantify by a method that is not integrate into the final result the uncertainty of site hazard evaluation.

Although the seismic PSA procedure is already standardized, further developments are needed for both modelling and fragility part of the PSA.

5.3. Practical example of the seismic margin analysis application

For a practical example showing the benefit of the seismic margin assessment is the case of the North Anna nuclear power plant (USA), on 23 August 2011, the plant was shaken by a magnitude 5.8, shallow-focus earthquake 11 miles away. Both units at the site have been shut down, and no damage compromising nuclear safety occurred. The PGA of the design basis earthquake of the power plant was 0.12 and 0.18 g (depending on the soil under the buildings); in contrast, the PGA of the actual quake was 0.26 g. A more than two-month-long supervision required more than 100.000 h of expert work and 21 million USD [124]. The units were restarted on November 11.

Figure 8 shows the response spectrum of the horizontal acceleration components of design basis earthquakes and operating basis earthquakes for containment base mat, as well as the response spectrum of the same acceleration components of the felt quake. As it can be seen, in the case of the response spectrum of the quake, the spectral amplitudes of the horizontal components exceeded the spectral amplitudes of the design response spectrum by 12%, while the amplitudes of the vertical acceleration response spectrum exceeded those of the design response spectrum by 21% on the average [125]. In addition, and that is what is essential for us, it also indicates the response spectrum of the deterministic SMA reference level earthquake for the base-mat. The exceedance of the design basis is unequivocal. It should also be noted that in the SMA calculation, the NUREG/CR-0098 response spectrum for 0.3 g PGA envelopes the response spectrum of the felt quake. In SMA calculations, only a few components produced HCLPF values lower than 0.3 g, but there was no failure in these cases, either. This is the first time when SMA could be practically and empirically tested and could be qualified as completely successful.

Figure 8.

The response spectrum of the August 23 earthquake at North Anna nuclear power plant, compared to the response spectrum of the design basis (DBE), the operating basis (OBE), and the SMA referential (IPEEE) earthquakes [124].

A summary existing guidance on external hazard modelling is given in Ref. [126]. The limitations of deterministic and probabilistic safety assessments for external hazards are discussed in Ref. [127]. The findings are summarized in Table 6

The basic issues of the external hazard PSA including seismic PSA are identified in Refs. [128, 129]. The areas for further development are according to the latter study as follows:

  1. External hazard screening/frequency assessment

  2. Correlated hazards

  3. External hazard impact assessment

  4. Multi-unit sites

  5. Mission time in Level-1 probabilistic safety assessments

  6. Human reliability assessment for external hazards

  7. Failure possibility for qualified equipment

  8. Hydrogen explosion in the case of station black-out

  9. Transient explosive materials in external event conditions

  10. Connections between plant buildings and compartment

  11. Spent fuel pool; waste treatment facilities

  12. Modelling severe accident management guidelines

Examples of limitations in using current DSA
—incomplete consideration of:
Examples of limitations in using current PSA—difficulties dealing with:
– Cliff-edges in terms of time for component operability while looking for success paths– Consideration of limited mission time (typically 24 h)
– Feasibility of operator actions under
conditions caused by extreme events
– Modelling of the impact of combined hazards on components and human actions
– Complex functional dependencies while
looking for success paths
– Potential loss of important minimal cut sets (MCS) relevant for accidents caused by extreme events because those MCSs may be cut-off due to low probability
– Effects of combined hazards– Large uncertainty probabilistic data may have
– Usage of PSA tools by non-PSA safety analysts
– Considerable time required for modelling
– Difficulty to estimate the frequency of initiating events

Table 6.

Limitations of the deterministic (DSA) and probabilistic (PSA) safety analysis methods while evaluating the plant safety in case of external hazards.

The actual needs for development of seismic PSA have been widely discussed in Refs. [130, 131]. Efforts made for extending the seismic PSA are reported, for example, in Ref. [123]. An attempt to develop alternative methodology is published in Ref. [127]. This research activity was aimed to develop a complementary analysis method to assess the robustness of the protection of nuclear power plants against extreme events and their combinations considering sufficiency of defence-in-depth provisions, including various dependencies, safety margins, application of specific design features, cliff-edge effects, multiple failures, prolonged loss of support systems and the capability of safety important systems for long-term operation. The method utilizes the qualitative information obtained from Level-1 internal initiating events probabilistic safety assessment studies (e.g. minimal cut sets), information on the operability limits of structures, systems and components and feasibility of operator actions under different severe conditions caused by extreme events. An advantage of the new method in comparison to traditional safety analysis is the direct consideration of combined load conditions resulting from the simultaneous occurrence of extreme external events.

5.4. Analysis for beyond design basis earthquake phenomena

A specific case of the safety analyses is the evaluation of plant post-event condition for the design extension conditions. Design extension condition would be that low probability event if a design basis earthquake causes soil liquefaction that was not considered in the design. There are soil sites (for example at Paks NPP, Hungary) where this combination of events can have safety relevance [94, 96]. The deterministic analyses can be rather sophisticated, using coupled nonlinear soil-structure model for calculation of the settlement or differential settlement of the soil that is the input for evaluation of structural integrity. A probabilistic element is also present in the deterministic calculations hence the input parameters used for the calculation of settlement and soil-structure interaction are defined on a certain non-exceedance probability level and derived from the probabilistic seismic hazard assessment [93]. Mechanisms of soil deformations depend on the soil conditions, earthquake parameters and parameters of the structure in a very complex manner. This is shown in Table 7.

Increase in parameterPrimary deformation mechanisms/mechanism of displacement
Localized volumetric
strains due to partial drainage
due to excess
pore pressure
Partial bearing failure due to strength loss
in the
foundation soil
SSI-induced building ratcheting due to cyclic loading of foundation
Rel. density↓↓↓↓↓↓↑↓
Layer thickness↑↑↑↓
Foundation width↑↓↓↓
Static shear stress ratio↑↓
Ratio of height to width↑↑
Building weight↑↓↑↓↑↓↑↓↑↑
3D drainage↑↑↑↓

Table 7.

Relation between mechanism of structural displacement and earthquake parameters as well as parameters of the structure.

It has been recognized, that the differential settlements and relative displacements between the different buildings and piping seems can be the major issue from the point of view of ensuring basic safety functions. This differential movement can be caused by slight variability of depth and thickness of the sediments. Therefore, settlements have to be regarded as the dominant engineering demand parameter.

A simplified event tree is shown in Figure 9. The loss of offsite power (LOSP) is assumed to be the initiating event. The reactor shutdown system (SCRAM system, denoted A) shall ensure the sub-criticality. The emergency power system (B) and the emergency core cooling system (C) are needed for avoiding the core damage. The success path after earthquake will be affected by the liquefaction with time delay ∆tafter strong motion starts. Some systems, once functioning during the earthquake, may not be affected by the liquefaction. For example, once dropped, the control rods will ensure the sub-criticality, though the reactor will be tilted due to the tilting of the reactor building that caused by the liquefaction.

Figure 9.

Simplified plant event tree for earthquake and liquefaction.

Although the time delay might be negligible and the liquefaction affects the ground motion at the site, it is reasonable to split the plant response and damages into two phases: response and damage to vibratory motion and response and damage to the liquefaction. The liquefaction is a separate load case subsequent to the vibratory motion, i.e. the plant structures do not feel the correlation between two phenomena.

Basis for the plant modelling is the model developed for probabilistic seismic safety assessment.

The specific deterministic safety analysis assesses the integrity and function of the plant structures consists of the following steps:

  • Probabilistic seismic hazard assessment that provides the peak ground acceleration and deaggregation matrices that are used to perform probabilistic liquefaction hazard analysis. The PSHA provides the magnitude for the deterministic liquefaction hazard analysis.

  • Calculation of soil settlements due to the liquefaction.

  • Identification of SSCs within the scope of liquefaction safety analysis. These are the SSCs needed (or can be used) for heat removal from reactor and spent fuel pool and limitation of releases:

    1. ­ Containment.

    2. ­ SSCs that have to be functional or preserve their integrity:

      1. The essential service water system that consists of piping, water intake structures and water intake control building. The underground pipelines connect the pumps located in the water intake building to the main reactor building and diesel building while crossing the lower level in the turbine hall. The intake channel is part of the system. Therefore, the slope stability has to be analysed.

      2. The emergency power supply system, the diesel buildings and their lifelines.

      3. The backup systems (e.g. the fire water system) that can be used as ultimate heat sinks in case of severe accident, and backup power supply systems, too.

    3. Structures and systems with limited radioactive inventory (auxiliary building).

    4. Part of the main building housing the control rooms.

    5. Parts of the main building along the escape routes.

    6. Barrack of fire brigade and protected command centre.

    7. Laboratory and service building (workplaces and access to the controlled area)

    8. Buildings that may collapse but should not damage the essential service water and emergency power systems or should not hinder the implementation of emergency measures.

  • Definition of the desired condition of the structures from the point of view of safety and accident mitigation/management. Definition of the criteria for assessing whether the desired condition will be preserved. For example:

    1. Permanent deformation of pipelines of the essential service water systems can be accepted assuming that the overall integrity and leak-tightness is ensured.

    2. The water intake channel has not been blocked if the slopes slide down.

    3. The safety of escape and access routes have to be ensured.

    4. In case of containment the following conditions can be accepted; see Ref. [118]:

      Structural integrity:

      Level II: Local permanent deformations are possible. Structural integrity is ensured, although with margins smaller than those for design base.

      Level III: Significant permanent deformations are possible, and some local damage is also expected. Normally, this level is not considered in case of severe accidents.


      Level II: The leak rate may exceed the design value, but the leak-tightness can be adequately estimated and considered in the design.

      Considering the design of Paks NPP, large permanent deformations of the containment walls and floors are allowed when the deformations are within the strain limits allowable for the liner that ensures the necessary leak-tightness of the containment.

      Relative displacement between containment building and other buildings has to be assessed from the point of view of integrity of essential service water pipelines crossing these locations.

    5. The evacuation is ensured via safe escape routes. A near collapse condition is also acceptable in case of auxiliary building, but it has to preserve certain level of structural integrity for limiting the site radiation level.

  • Development of the analysis methodology in line with graded approach, taking into account the importance of the structure and the features of the structure (e.g. foundation level compared to the depth of layers prone to liquefaction).

  • Behaviour of the structures can be evaluated taking into account the foundation deformation due to dead weight of the building and additional foundation settlements due to liquefaction. In case of main reactor building, the soil settlement due to the liquefaction is affected by the static stress field. Otherwise, this effect can be neglected and the free-field settlement can be used as approximation of the deformation of foundations.

    In all calculations, best estimate models and mean values of loads and material properties can be accepted. In best estimate models, some non-structural elements contribution to the resistance could be accounted. The calculation can be linear or nonlinear static. In case of containment (main reactor building), coupled soil-structure model is applicable.

  • Evaluation of the integrity can be performed as it was shown in Section 4.6.

  • Performing the analysis and definition of measures for accident mitigation/management.

Figure 10 shows the two extreme cases of the maps of soil settlements developed via CPT-based methodology of Zhang et al. in combination with method of Moss et al. and Robertson and Wride. The third option was the combination of methods Zhang et al. and Boulanger and Idriss. For independent control, the free surface settlement was computed using effective stress method to the average soil profile.

The analysis can demonstrate the availability of safety functions after soil liquefaction.

Figure 10.

Maps of soil settlements at the site calculated by different methodologies.


6. Requirements for operation

6.1. Earthquake preparedness, procedures

The earthquake preparedness and post-earthquake procedures are well defined in the IAEA Safety Reports Series No 66 [132], Regulatory Guide 1.166 of the United States NRC [133],, documents of the EPRI [134, 135]. A very practical task for the operator is to maintain proper seismic housekeeping that is described in the EPRI document [136]. Here, some less emphasized but still important operational aspects of ensuring the earthquake safety are discussed.

6.2. Specific aspects of accident management

Proper design of the plant ensures that the SSCs that required for ensuring the plant safety remain functional both during and after the external event avoiding melting of the reactor core. The structures and systems required for accident management have to remain functional even in case of beyond design basis external events. The plant staff and the disaster management services of the country have to be prepared to manage extreme events and mitigate their consequences. This requirement has been formulated after the Fukushima accident and also adopted in the national regulations [37, 38].

The emergency planning and response requires evaluation of the consequences of external events beyond the scope of the plant design. A disastrous earthquake will cause catastrophic consequences in large area around the plant site. The post-event conditions around the site affect the logistical support of the emergency actions at the plant, influence the psychological condition of the plant personnel and determine the workload of the country’s disaster management personnel.

In the paper [137], a hypothetical case study is presented analysing the consequences of a design basis earthquake for the region around a nuclear power plant of Paks Hungary. The aim of the study is to show, what would happen outside of the Paks Nuclear Power Plant, if a 10−4 annual probability earthquake would happen. In this case, the plant should be brought to safe shutdown condition. Although the plant safe shutdown is ensured, the plant personnel will need a minimum of logistical support from and communication with the outside area. Therefore, the results of the study can be used for planning of the logistical support of the plant accident management staff. The parameters (magnitude, focal depth and possible distance from the site) of the case-study earthquake are selected in accordance with the design basis of the Paks nuclear power plant). For evaluation of the damages of the built environment instrumental intensity map (shake-map) has been developed for the dominating the site seismic hazard earthquake. The distribution of population and housing data used in the study has been obtained by population census held in 2011 and published by the Hungarian Central Statistical Office. Based on these data, the damages have been assessed using European Macroseismic Intensity Scale and the corresponding phenomenological definition of damages. The intensity distribution in the affected by earthquake area is shown in Figure 11.

Serious damages of the unreinforced masonry and adobe dwellings in the area around the plant are expected. That affect the technical conditions for accident management and causes serious psychological load of the personnel doing the services.

There are several non-fixed loess slopes in the settlements and also along roads that are susceptible to sliding due to ground shakings. Sliding of the non-fixed loess slopes can block some roads. The damages of houses and lifelines could cause fires that are sometimes more severe than the effects due to vibratory ground motion.

In case of design basis earthquake, the electrical grid will suffer damages, since the towers of the grid have been designed for wind and ice loads assuming that the (100 years) earthquake loads are bounded with lateral wind loads. Due to the damages of the grid, nearly half of the domestic production will fall out from the power system that causes the collapse of the national grid. The Hungarian Independent Transmission Operator Company Ltd. has a recovery plan for the grid. Rebuilding of the grid could last from several hours to several days, depending on the severity of the damages. The NPP could stay in safe mode for minimum one week or unlimited long if the fuel supply for emergency diesel generators is continuous. It is also possible to operate one of the units on the reduced power level and ensure safe power supply for all units. The substation and the high-voltage towers at the NPP site have been upgraded for the design basis earthquake and these infrastructures will withstand the earthquake. Thus, the NPP will be a stable connection point for restoring the national grid as fast as possible. Since the NPP is the biggest producer in the country it is impossible to restore the grid without the NPP. If all units are out of operation, then for the restart for the first unit needs offsite power. Therefore, there are two independent transmission lines tested to transmit ~20 MW capacity to the NPP to restart the units. Consequently, the loss of power supply for the settlements around the plant will also worsen the situation for the people and make the work more difficult for the emergency services.

Figure 11.

Instrumental intensity map of the selected scenario earthquake.

6.3. Restart after earthquake

After an earthquake, the condition of systems, structures and equipment at nuclear power plants has to be assessed since this information is needed for accident management and for the decision on the continuation of the operation.

There are two important issues to consider after an earthquake at a nuclear power plant: after a strong quake, the status of those systems that provide for basic safety functions has to be evaluated; while after a small quake, the conditions of restart, or (in case the plant remained in operation), the conditions of shutdown have to be determine. The first issue has been put forward by the tragic case of Fukushima, while the second has been the subject of intense investigations since the earthquake at the Kashiwazaki-Kariwa nuclear power plant.

The damaging potential of the earthquake can be characterized by maximum horizontal acceleration of the ground motion, response spectra, cumulative absolute velocity and different instrumental intensity values. These quantities can be correlated to the earthquake characteristics, magnitude, distance, etc. Some of the indices are selective to damage mechanism and can be correlated to load-bearing features of the structures. Different indicators of damaging potential of earthquakes are analysed in the paper [138, 139] from the point of view of applicability for post-event condition assessment at nuclear power plants and for using as criteria for restart of the operation.

A description of the procedure for post-event actions is given in Refs. [140, 141]. Traditionally, the basic damage indicator is the peak horizontal acceleration (PGA). As it has been shown in the Introduction, the plants can survive earthquakes with much larger PGA then those accounted for in the design. Consequently, the PGA cannot be considered as proper damage indicator.

The 23 August 2011 case of the North Anna nuclear power plant provided evidence not just for the adequacy of deterministically defined SMA, but also for the appropriateness of cumulative absolute velocity,


as a failure indicator and failure avoidance criterion. Here, a(t) stands for the ground acceleration component, and T for the duration of the quake. When calculating standardized CAV, noise with an amplitude of ±0.025 g is filtered [142].

The criterion of failure avoidance or exceeding the OBE level is CAV ≥ 0.16 g s for any ground acceleration component. This criterion is not sufficient in itself, for it is also necessary to take into account the amplitude of the acceleration response spectrum calculated at 5% damping between 2 and 10 Hz, which has to be smaller than 0.2 g [140, 141]. In practice, the velocity criterion can be neglected (the spectral amplitude of velocity between 1 and 2 Hz should be ≥0.15 m/s). The CAV ≥ 0.16 g s criterion belongs to the failure conditions of structures not designed for earthquakes, with a large safety margin.

The adequacy of cumulative absolute velocity as a failure avoidance criterion has also been demonstrated by the case of the North Anna nuclear power plant [125]. The case has been also discussed in Ref. [139]. Figure 12 shows the CAV values calculated for the components of measured acceleration, which can be compared with the CAV values of the design basis earthquake and the SMA reference-level quake. As can be seen, although the PGA of the 23 August 2011 quake exceeded the DBE PGA, on the basis of the CAV criterion there were no damages. This short, 25 s quake, the intensive phase of which only lasted for 3.1 s, obviously did not release significant energy, which is clearly indicated by the CAV. As the figure shows, the CAV of the quake is well below the CAV rendered to the DBE, while PGA and the response spectrum exceed it. In the light of this, it is no wonder that all this is majored by the CAV rendered to the reference level earthquake (RLE) used in SAM analysis.

Figure 12.

CAV of the 23 August 2011 earthquake at the North Anna nuclear power plant, and CAV’s of the design basis event and the SMA RLE [125].

We may conclude from this that PGA and the response spectrum are highly conservative indicators of damage and damage avoidance. The DBE CAV is three times higher than the CAV of the actual quake, while the SMA RLE is almost nine or ten times higher than the CAV of the actual quake.

There are several studies published on the adequacy of the CAV as a parameter of energy input that can be well correlated to fatigue-type failure, see, e.g. the studies [143, 144]. The relation between the number of load cycles N with average amplitude Ac, during the T time of strong quakes and the CAV can be approximately written as follows:


Due to the considerable amount of data available, the instrumental scale of the Japan Meteorological Agency IJMA is worthy of special interest. Another damage indicator can be MMI instrumental intensity, used by the US Geological Survey Shake Map. The Arias intensity is also an appropriate measure for damage. In Ref. [139], relations between these damage indicators are established and the similarity of the physical meaning is shown.

7. Conclusion

The brief presentation of the lessons learnt from Fukushima-accident and of discussion of selected issues of the seismic safety of nuclear power plants showed the enormous scientific and technical complexity of the subject. The ruggedness of the operating nuclear power plants against the earthquake vibratory motion is rather high. Nevertheless, the rare, devastating earthquakes are important contributors to the overall risk of nuclear power plant operation. It has also been demonstrated in the Chapter that the use of sophisticated and state-of-the art methods for hazard evaluation and design of the plant, safety against even the devastating earthquakes can be achieved. The experience of the Fukushima-accident changed the design philosophy. Instead of accounting of the effects of rather low probability earthquakes in the design basis, the design has to ensure the safety in case of rare earthquakes providing means and procedures for mitigation of core damage or if it is unavoidable for the mitigation of radioactive releases. Obviously, the responsibility of the designer is extended up-to the area of impossible. These new requirements have been discussed in the chapter, and the defence-in-depth concept is presented that is the basic approach to achieve the required level of safety. First of all, state-of-the-art methods have to be implemented for the site seismic hazard evaluation that includes both the characterization of the vibratory ground motion and the displacement due to surface rupture. The uncertainty of the hazard evaluation is the root cause of inadequate design basis definition. Therefore, the probabilistic hazard assessment methods are preferable in case of hazard evaluation that provides the possibility to quantify and manage the uncertainties. This approach has to be extended to the evaluation of hazards associated with earthquakes phenomena, e.g. soil liquefaction, surface displacement. As it is shown in the Chapter, the design has to be extended to the beyond design basis hazard levels, and the design basis extension conditions has to be accounted for in the design, safety analyses, as well as in the operator pre-earthquake preparedness. Analysis of design extension conditions that can be caused by beyond design basis liquefaction has shown the rather high ruggedness of the operating nuclear power plants.

The earthquakes affect not only the structures, systems and equipment of the plant, but the operators and all people responsible for the accident management. As it has been shown, the post-earthquake conditions at and around the site can be and essential factor influencing the staff while doing the service, and the external support of the accident management.

The safety of nuclear power plants also includes the safe continuous operation in case of a moderate earthquake and the safe restart after an earthquake. The selection and evaluation of appropriate damage indicators for assessing the post-earthquake plant condition is very important for both ensuring the safety and minimizing the economic losses. Finally, the benefits from nuclear power generation fairly compensate the risk, if the scientific-technical achievements are combined by high safety culture of the operators.

© 2017 The Author(s). Licensee IntechOpen. This chapter is distributed under the terms of the Creative Commons Attribution 3.0 License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

How to cite and reference

Link to this chapter Copy to clipboard

Cite this chapter Copy to clipboard

Tamás János Katona (February 1st 2017). Issues of the Seismic Safety of Nuclear Power Plants, Earthquakes - Tectonics, Hazard and Risk Mitigation, Taher Zouaghi, IntechOpen, DOI: 10.5772/65853. Available from:

chapter statistics

1579total chapter downloads

1Crossref citations

More statistics for editors and authors

Login to your personal dashboard for more detailed statistics on your publications.

Access personal reporting

Related Content

This Book

Next chapter

Intelligent Seismic-Acoustic System for Identifying the Area of the Focus of an Expected Earthquake

By Telman Aliev

Related Book

First chapter

Gravity Data Interpretation Using Different New Algorithms: A Comparative Study

By Khalid S. Essa and Mahmoud Elhussein

We are IntechOpen, the world's leading publisher of Open Access books. Built by scientists, for scientists. Our readership spans scientists, professors, researchers, librarians, and students, as well as business professionals. We share our knowledge and peer-reveiwed research papers with libraries, scientific and engineering societies, and also work with corporate R&D departments and government entities.

More About Us