Assumptions and methods applicable while complying with newly defined design basis requirements
The experience of the Great Tohoku earthquake of March 11, 2011 clearly demonstrated that earthquakes might be the dominating contributors to the overall risk of nuclear power plants (Institute of Nuclear Power Operations [INPO], 2011; International Atomic Energy Agency [IAEA], 2007). The seismic probabilistic safety assessments of several nuclear power plants have provided similar results. On the other hand, experience shows that plants survive much larger earthquakes than those considered in the design base, as was the case at the Kashiwazaki-Kariwa plant, where the safety classified structures, systems and components (SSCs) survived the Niigata-Chuetsu-Oki earthquake in 2007 without damage or loss of function (IAEA, 2007). In spite of the nuclear catastrophe at the Fukushima Daiichi plant caused by the tsunami that followed the Great Tohoku earthquake of March 11, 2011, the behaviour of thirteen nuclear units in the impacted area on the east shore of Honshu Island demonstrated high earthquake resistance. Consequently, proper understanding and assessment of safety in the case of earthquakes (and of external hazards generally) is very important for operating nuclear power plants.
For operating plants, the basic questions to be answered are whether the nuclear power plant (NPP) is safe enough within the design basis and whether operation can be continued safely if an earthquake hits the plant.
Designers and operators have mainly focused on the first question, i.e. whether, in case of an earthquake, the reactor can be shut down and cooled down, the residual heat can be removed from the core and from the spent fuel stored at the plant, and the radioactive releases can be limited below the acceptable level. The second question became important especially after a series of events in which large nuclear capacities were shut down for assessment of the plant's post-earthquake condition and justification of safety before restart (Onagawa NPP in 2005, Shika NPP in 2007, Kashiwazaki-Kariwa NPP in 2007, Hamaoka NPP in 2009). Obviously, there is a need for reliable justification of the plant's safe status after a felt earthquake in order to avoid long shutdown times and the consequent economic losses. Recently, rapid assessment of the post-event plant status has also become very important from the point of view of emergency management. This is one of the lessons learnt from the stress tests of nuclear operators following the Fukushima Dai-ichi accident.
Operators of nuclear power plants worldwide have performed seismic re-evaluation and upgrading programmes during the last three decades. A summary of the international effort is given e.g. in (Campbell et al., 1988; Gürpinar & Godoy, 1998) and in the special report issued by the Nuclear Energy Agency, hereafter NEA (NEA, 1998). The re-evaluation and upgrading of the seismic safety of operating nuclear power plants were motivated mainly by the changing understanding of the seismic hazard at plant sites and/or by the recognition that the design and/or qualification of certain safety related systems, structures and components was inadequate relative to the seismic hazard or to the state of the art of the technique and the requirements. In some countries, the existence of the necessary margins with respect to beyond design base earthquakes and the avoidance of cliff-edge effects have to be demonstrated. The scope of the seismic re-qualification and upgrading programmes includes the definition of the pre-earthquake preparedness and post-earthquake actions at the plants.
All operating nuclear power plants in the United States are conducting an Individual Plant Examination of External Events, including earthquakes beyond the design basis, and about two-thirds of the operating plants are conducting parallel programmes for verifying the seismic adequacy of equipment for the design basis earthquake; see (Campbell et al., 1988). Western European countries have also performed some re-evaluation of their older nuclear power plants for seismic events (NEA, 1998). The most extensive programmes have been performed in Eastern European countries, where the operators implemented comprehensive programmes for evaluating and upgrading the seismic safety of their operating nuclear power plants (Gürpinar and Godoy, 1998; IAEA, 1995, 2000). Seismic re-qualification has been performed at the following VVER plants:
NPP Paks, Hungary, VVER 440-213, 4 units
NPP Mochovce, Slovakia, VVER 440-213, 2 units
NPP V2 Bohunice, Slovakia, VVER 440-213, 2 units
NPP Dukovany, Czech Republic, VVER 440-213, 4 units
NPP Medzamor, Armenia, VVER 440 (specific design), 1 unit
NPP Temelin, Czech Republic, VVER-1000, 2 units
NPP Kozloduy Unit 5 and 6, Bulgaria, VVER-1000, 2 units
The scope of the seismic safety programmes at the VVER-440/213 plants was the most extensive. It includes the re-evaluation of the hazard, reinforcement of structures and components, qualification of the active equipment, installation of seismic instrumentation and development of appropriate procedures. The seismic safety programme implemented at Paks NPP was one of the most complex ones. The implementation of measures was completed in 2003. Therefore the peculiarities of the programme, its scope and the applied methodologies could not be properly addressed and interpreted in the review papers referenced above. Paks NPP was originally not designed and qualified for earthquake loads. The seismic safety programme at Paks NPP therefore aimed at design basis reconstitution. The re-evaluation of the site seismic hazard included all required geological, geophysical, seismological and geotechnical investigations. The seismic design basis was newly defined. Formally, compliance with design basis requirements has to be ensured by design methods and standards. It was already recognised that a consistent, full scope re-design in line with design codes and standards, and the subsequent upgrading, might be impossible at Paks NPP. It should also be recognised that the use of methodologies developed for the justification of the seismic safety of operating plants does not ensure compliance with design basis requirements and cannot be directly applied to VVER plants. The qualification of the nuclear power plant has been executed for the newly defined design basis earthquake by applying procedures and criteria for design, combined with the methods and techniques developed for seismic re-evaluation of operating nuclear power plants. The selection and use of methodologies has been graded in accordance with the safety and seismic classification of the SSCs.
After implementing the measures for design basis reconstitution, the achieved level of safety has been quantified via seismic PSA, which provides the core damage frequency.
The question of the safe continuation of operation became very important when the world's largest plant, Kashiwazaki-Kariwa, was shut down for a long period after the Niigata-Chuetsu-Oki earthquake in 2007, which caused a ground motion acceleration of 0.67g at the site (value measured at the Unit 1 base mat). The safety classified SSCs designed for a PGA of 0.27g survived the earthquake without damage or loss of function, while the non-safety structures were heavily damaged. The justification of safety took two years.
The decision on the continuation of operation is rather simple if the earthquake does not exceed the operational base earthquake (OBE) level. The case becomes more difficult if the OBE level is exceeded and there is obvious damage. The justification of operability is even more complex if the earthquake loads exceed the design base level and there are no obvious failures or damage, as happened at the Kashiwazaki-Kariwa plant. Obviously, the judgement on the continuation of operation should be based on the set of information regarding the capability of the SSCs to survive an earthquake and on the post-event inspections, tests and analyses. It would be very reasonable to have an assessment method for the plant status available in advance, to ensure the effectiveness of the post-earthquake walk-downs and other actions and to limit the time of shutdown. The methods for judging the safe continuation of operation can be developed on the basis of the design information. The results of the seismic probabilistic safety analysis (seismic PSA) or margin assessment provide useful additional information regarding weak links. The design provides deterministic information: no failure or damage should be expected if the earthquake loads do not exceed the design base level. However, the probability of damage is not zero even if the loads are less than the design base ones. The seismic PSA provides the core damage frequency as the output of the analysis, which is a measure of seismic safety. The PSA is generally failure oriented, and the seismic PSA shows the weak links. This knowledge can be very useful for planning the post-event inspections. Similar information is provided by the seismic margin analysis, which quantifies the capability of the plant to survive an event greater than the design basis one.
After the severe accident at Fukushima NPP, the operators in the European Union, the U.S. and some other countries including Japan performed comprehensive safety and risk evaluations of operating nuclear power plants, see e.g. (European Commission, 2011). These tests and reviews will launch different re-evaluation and upgrading programmes with regard to seismic safety and to improving the capability of the existing plants to cope with a beyond design base earthquake and associated events (fire, flood). At some sites this process includes the re-assessment of the site hazard, motivated by recent events and/or new scientific evidence, for example in the U.S. (NRC, 2011). These lessons learned will also affect the projects under preparation and/or implementation. For new plants, it has to be demonstrated that the plant has sufficient margins with respect to the design basis extension earthquake loads and that the cliff-edge effect is avoided. Consequently, the lessons learned from the former projects for evaluation of the seismic safety and upgrading of operating plants are still of great practical importance.
1.2. Objective of the Chapter
The objective of the present Chapter is to provide practical insights into the re-evaluation and upgrading of the seismic safety of operating plants.
Evaluation of seismic safety and re-qualification of operating plants require a specific approach: the safety goals have to be ensured in a reasonable manner, avoiding unnecessary conservatism, in contrast to design, which is ab ovo conservative. State-of-the-art methodologies have to be implemented in every aspect of the re-evaluation and upgrading process. Optimising the measures from the logistics point of view is very important under the conditions of an operating plant.
The International Atomic Energy Agency developed a comprehensive Safety Guide on “Evaluation of Seismic Safety for Existing Nuclear Installations” (IAEA, 2009a). The supporting document of this Guide is the Safety Report Series No 28 on “Seismic Evaluation of Existing Nuclear Power Plants” (IAEA, 2003), which summarises the pre-2003 experience in the seismic evaluation and upgrading of operating plants. These documents focus mainly on methodologies for seismic safety evaluation that do not involve a change in the design basis earthquake.
In this Chapter, seismic evaluation and upgrading methodologies and solutions are presented. The Chapter includes the case of upgrading an operating nuclear power plant that was originally not designed for earthquakes. Based on the graded approach, the feasibility of applying seismic design methods combined with those developed for the re-evaluation of existing plants is demonstrated.
The Chapter also addresses new areas of the seismic safety evaluation of operating plants that were triggered by recent events at the Kashiwazaki-Kariwa plant and the Fukushima Dai-ichi plant, and that focus on the assessment and assurance of the beyond design base capability of nuclear power plants, periodic review of safety, etc.
1.3. Scope of the Chapter
Scope of the Chapter covers
the basic principles for ensuring the seismic safety of nuclear power plants,
typical cases of the re-evaluation and re-qualification programmes, including cases of design basis reconstitution and studies for restart after an earthquake as well as the evaluation of the beyond design base capabilities of the plants,
the applicable re-evaluation methodologies,
the most important aspects of the pre-earthquake preparedness and post-earthquake actions,
the full scope implementation example,
the aspects of maintaining the seismic qualification during operation and periodic safety review.
1.4. Structure of the Chapter
Section 2 of this Chapter defines the basic principles of seismic safety. Section 3 provides an overview of the applicable methodologies: Section 3.1 outlines the objective and scope of the seismic safety programmes. Section 3.2 provides an overview of applicable methodologies. Section 3.3 addresses the issues of restart after an earthquake. Section 3.4 outlines the questions of accident management. Sections 3.5 to 3.7 address the walk-down, the design of upgrading and the role of the peer review. Section 4 is devoted to the pre-earthquake preparedness and post-earthquake actions. A practical, full scope example of seismic re-evaluation and upgrading is shown in Section 5. Sections 6 and 7 relate to the maintenance of the seismic qualification during operation and to periodic safety reviews. An extensive list of references for the Chapter is provided in Section 8.
2. Basic principles of seismic safety
The fundamental safety objective of the design and operation of a nuclear power plant is to protect human life and the environment in case of any malfunctions or failures of the plant systems, structures and components which may occur during the plant lifetime, including those caused by rarely occurring earthquakes. The generic approach for ensuring this safety objective is the application of the concept of defence in depth. In accordance with this concept, the following requirements are applicable:
Inherent and/or engineered safety features, safety systems and procedures have to be in place for the case of earthquakes
for leading the plant to a safe shutdown state, i.e.
for maintaining sub-criticality in the reactor and spent fuel pool, and
for cool-down and heat removal from the core and spent fuel;
for maintaining at least one protection barrier to ensure that the radiological consequences would be below the required limits.
Means, plans and procedures have to be in place for on-site and off-site emergency response to mitigate the consequences of accidents that result from failure of safety features and accident management measures in case of severe earthquakes.
The seismic safety is ensured by the following complex activities:
Site investigations and evaluation of the site seismic hazard, including hazards caused by the earthquake, like soil liquefaction;
Definition of the characteristics of the design basis earthquake;
Use of qualified components;
Installation of seismic instrumentation;
Development of accident-prevention and accident-management procedures;
Evaluation of safety;
Periodic safety assessment and subsequent upgrading if needed.
The basic safety functions, i.e. shutdown, cooling and containment, have to be maintained for earthquakes within the design basis envelope and, to some extent, for severe beyond design basis earthquakes.
Traditionally, the design of nuclear facilities adopted the two-level concept: design for safety, using a high level of seismic excitation as the design basis, and design for production, using a moderate level of seismic excitation as the operational limit.
The design base earthquake has to be defined with a quite low probability of exceedance during the operating time. This earthquake is the Safe Shutdown Earthquake (SSE) in U.S. terminology; see U.S. NRC 10 CFR Part 50, Domestic Licensing of Production and Utilization Facilities (NRC, 1956). It is called Sicherheitserdbeben, i.e. safety earthquake, in the German Nuclear Safety Standards 2101 (Kerntechnische Ausschuss [KTA], 1990), it is the maximum design earthquake (MRZ) in the Russian-Soviet terminology, and it is called the SL-2 earthquake level by the IAEA guideline NS-G-1.6 (IAEA, 2003b). Here the term Design Base Earthquake (DBE) will be used. According to international practice, the annual probability of exceedance of the DBE is usually 10⁻⁴/year in the case of nuclear power plants. The lower limit of the peak ground acceleration (PGA) of the DBE is set at 0.1g regardless of the site (article 2.7 of NS-G-1.6). The shutdown and cool-down of the reactor, the continuous heat removal from the irradiated fuel (in the reactor core and spent fuel pool), and the limitation of releases have to be ensured in this limit state. SSCs required for the basic safety functions have to sustain the earthquake loads without loss of function.
Operability of NPPs should be ensured after moderately frequent, non-severe earthquakes. The operational base earthquake level (OBE, or SL-1 level in the IAEA terminology) is defined as a design level for continuous operation. The OBE was usually defined as an event with a frequency of 10⁻²/a, or as a ground motion with a maximum horizontal acceleration equal to a given fraction of the maximum acceleration value of the SSE. Over the years the concept of designing for two earthquakes has changed radically. Nowadays, the OBE is interpreted as an operational limit and inspection level rather than an obligatory design level. The definition of the OBE level is subject to design, operational and economic considerations; see the IAEA NS-G-3.3 Safety Guide (IAEA, 2002). Design for the lower level is not required if the OBE PGA is equal to or less than 1/3 of the SSE PGA; see Appendix S of 10 CFR Part 50. Instead of the OBE PGA, new criteria for the exceedance of the operational limit/inspection level have been introduced. The changes of terminology in the German regulation demonstrate the changes in the design concept: the former terms SSE - Sicherheitserdbeben and OBE - Auslegungserdbeben were replaced by the terms design base earthquake and inspection earthquake, i.e. Bemessungserdbeben and Inspektionserdbeben.
3. Tasks for seismic re-evaluation and upgrading of operating NPPs
Major tasks of the seismic re-evaluation and upgrading projects are
identification of the objective and scope of the programme
selection of the methods for the re-evaluation, including definition of the seismic input for the analyses and performance of the analyses
design/development and implementation of modifications and re-qualification measures
evaluation of the achieved safety level, calculation of the core damage frequency due to earthquake.
The tasks are determined by the objective of the project as it has been shown above, i.e. resolution of qualification issues, ensuring the design basis compliance, etc.
3.1. Objective and scope of the seismic safety programmes
The generic objective of the seismic safety programmes is to ensure the basic nuclear safety functions, i.e.
the control of the reactivity in the reactor and spent fuel pool, i.e. the ability to shut down the reactor and maintain sub-criticality after the earthquake,
the cool-down and heat removal from the core and spent fuel,
the containment function for the reactor and spent fuel, i.e. limiting the release of radioactive substances into the environment.
The functions have to be maintained for earthquakes within the design basis envelope and, to some extent, for earthquakes with parameters exceeding the design basis ones.
The basic concept of the seismic safety re-evaluation of operating nuclear power plants, and the selection of the methods and criteria, differ from those required in the design of new power plants; see the INSAG-8 document “A Common Basis for Judging the Safety of Nuclear Power Plants Built to Earlier Standards” (IAEA, 1995).
The graded approach is used in ensuring the seismic safety of NPPs, i.e. the safety importance of the SSCs is considered and the SSCs are accordingly classified into seismic safety classes, which define the requirements assigned to the design, qualification and operation of the SSCs. A well-defined set of plant systems, structures and components is required to be functional during and after the earthquake for bringing the plant into a stable shutdown condition. Some of those SSCs are passive, e.g. the pressure retaining boundaries or the containment. They shall sustain the vibratory load while remaining leak-tight; however, some plastic deformation and ductile behaviour might be allowed. In some cases the deformation has to be limited to the elastic range to ensure some active functions. Building structures and equipment supporting structures might also be loaded into the plastic region up to the level which does not impair the intended safety functions. The functionality of the active systems requires qualification for the vibratory motion as well as the availability of supporting functions, e.g. electrical power supply.
In practice, a conscious and careful evaluation and utilisation of the built-in margins makes it possible to achieve the target safety level at operating plants with a feasible amount of modifications and re-qualifications.
The scope and the methodology of the seismic safety programmes vary with the motivation of the particular project. Practically there have been three different objectives of the past seismic safety programmes:
to resolve the inadequacy of the design and qualification while the seismic design basis remains unchanged, i.e. to comply with the current licensing basis;
to comply with newly defined seismic design basis (modification of design basis either because of new scientific evidences regarding seismic hazard or because of changing regulations);
to evaluate and demonstrate the seismic margin.
The objective and scope of recent seismic safety re-evaluation programmes are to demonstrate plant safety for the design base extension, to justify the restart after a strong earthquake, and to identify the plant vulnerability in case of a severe event and develop adequate accident management provisions.
3.1.1. Resolving the inadequacy issues
An example of the first type of seismic safety programme is the resolution of the USI A-46 seismic issues of older, operating nuclear power plants in the U.S. (NRC, 1987). This programme was aimed at demonstrating the seismic adequacy of essential equipment at older operating plants by the use of available seismic experience data for similar equipment. The rules for the resolution of the USI A-46 issues are defined in the Generic Implementation Procedure, hereafter GIP, developed for the Seismic Qualification Utility Group [SQUG] (SQUG, 1992). The scope of the programme was limited to the equipment needed for the safe shutdown of the reactor after a design basis earthquake and for bringing the plant to a stable hot or cold shutdown condition for a minimum of 72 hours. A single shutdown path and a backup for decay heat removal were defined. The seismic input used for the qualification was set to the SSE and the design floor response spectra. The core of the GIP is the empirical qualification method and database. The GIP was applied in several countries, e.g. the U.K. and Belgium.
3.1.2. Seismic margin programmes
On the one hand, it is important to demonstrate that the nuclear power plant will remain safe in case of an earthquake that exceeds the design base level, and whether the basic safety functions can be lost due to sudden failure (i.e. the ‘cliff-edge’ effect). On the other hand, it is important to know the contribution of the seismic hazard to the plant core damage frequency. An example of margin assessment and quantification of seismic safety in terms of core damage frequency is the NRC-initiated Individual Plant Examination of External Events, hereafter IPEEE, in the U.S. (NRC, 1991). There are three methods for the margin assessment: the seismic PSA, and margin assessment using either the deterministic method developed by EPRI or the probabilistic method developed by the NRC. In the case of the deterministic method, a reference level earthquake is selected for which, under certain assumptions, the capacity has to be demonstrated. The scope of SSCs considered in the margin assessment depends on the method selected, e.g. in the case of seismic PSA the scope of SSCs is identical to that of the Level 1 PSA plus the containment.
3.1.3. Reconstituting the design basis
The most demanding programmes were those for ensuring compliance with a newly defined design basis.
These programmes include the following tasks:
Evaluation of the seismic hazard of the site, including the events associated with the earthquake, e.g. liquefaction;
Development of the design basis earthquake characteristics;
Identification of the structures, systems and equipment which are needed for ensuring the basic safety functions;
Evaluation of the seismic capacity of SSCs and identification of the necessary upgrading;
Design and implementation of the necessary corrective measures;
Installation of seismic instrumentation;
Development of pre-earthquake preparedness and post-earthquake measures;
Evaluation of the safety, i.e. quantification of the core damage frequency due to earthquake, quantification of the safety margins.
Depending on the case and the national regulation, the design base reconstitution programme can either cover all SSCs classified into seismic and safety classes as per the new design, or be limited to the SSCs required for safe shutdown and for bringing the reactor into a stable (hot or cold) shutdown condition. Non-safety classified SSCs whose damage or failure can disable certain safety functions through seismic interactions (falling down, flooding, fire) also have to be considered.
3.1.4. Recent beyond design base studies
The quantification of the margins has three aspects:
it is part of the design,
it is needed when evaluating the plant condition and justifying the restart after a strong earthquake has hit the plant,
it is needed for the development of the severe accident management provisions.
According to the IAEA design requirements NS-R-1 (IAEA, 2000), the seismic design of the plant shall provide for a sufficient safety margin to protect against seismic events. This means that an abrupt loss of function has to be excluded by the design even if the earthquake demand exceeds the design base one (see also NS-R-1.6 paragraph 2.39 regarding the ‘cliff-edge’ effect).
According to the novel requirements, the capability of new plants to withstand the loads and conditions of the design basis extension has to be ensured by the design provisions. In the case of new plants, a minimum configuration of SSCs for ensuring the shutdown and subcriticality of the reactor, heat removal to the ultimate heat sink and the containment function has to remain functional for accident management purposes. A margin type evaluation has to be performed to demonstrate the beyond design base capabilities of the new plants (1.4 times the SSE loads as per EUR requirements and 1.67 times the SSE loads in the U.S. practice). Best estimate methods can be used for the justification of beyond design base capabilities.
The plant safety re-assessment after a strong earthquake requires an overall check of the post-event condition of all SSCs, even the non-safety classified ones, since both safety and operability have to be demonstrated. The possible analysis and testing/inspection methods should be selected and applied in accordance with the safety relevance and the impact on operation (Nomoto, 2000). According to (Kassawara, 2008), the probabilistic margin analysis can also be effective in this case.
Recently, the availability of severe accident management provisions has become of great importance. The scope of the stress tests covers the review of compliance with design base requirements, the demonstration of beyond design base capacity (avoidance of the cliff-edge effect), the identification of the plant vulnerability/damage state and the development of severe accident management measures and guidelines. Generally, some margin type analyses have been performed in the participating countries for the possible minimum configurations needed for shutdown and heat removal of the reactor and spent fuel and for protection of the containment. Identification of seismic interactions (fires, flooding, logistical obstacles) became important, since these can affect the function of the SSCs within the minimum configuration and inhibit the connection of provisory power and cooling lines, impeding the implementation of Severe Accident Management/mitigation measures, as can be seen in the country reports at the European Nuclear Safety Regulators Group site (ENSREG, 2012).
3.2. Methodologies for re-evaluation of seismic safety
The methodologies for the seismic re-evaluation and re-qualification are as follows:
Qualification by empirical methods
Quantification of margins:
Design methods – justification by analysis
3.2.1. Qualification by empirical method
Empirical qualification of the plant equipment is a powerful tool for seismic re-qualification of operating NPPs. The empirical qualification methods have been recognised by IAEA in the Safety Guides NS-G-1.6 as well as NS-G-2.13.
The empirical qualification database developed for SQUG covers twenty classes of equipment, e.g. active equipment as well as cable raceways, tanks and heat exchangers (SQUG, 1992; Starck & Thomas, 1990), but not pipelines and structures. As an alternative solution, the U.S. Department of Energy [DoE] has developed the Seismic Evaluation Procedures, a procedure similar to the GIP that also covers pipelines and ventilation ducts (DoE, 1997).
The steps of the Generic Implementation Procedure are as follows (SQUG, 1992):
Development of safe shutdown equipment list
Development of seismic demand (in-structure response)
Equipment walk-down and screening
The methodology and the database (the so-called SQUG database) can be adapted to the needs of different programmes for the resolution of design/qualification inadequacy issues.
Generally, the process has to start with the development of the list of SSCs requiring re-qualification for a given level of earthquake. The basis for identifying the scope can be the list of SSCs for safe shutdown or the seismic and/or safety classification database, as was the case at Paks NPP.
Four criteria are used for the verification of seismic capacity: (1) Comparison of the seismic demand to the SQUG bounding spectrum; (2) Checking in the experience database (caveats and inclusion rules); (3) Checking the anchorage; (4) Evaluation of the seismic interactions.
The seismic demand can be defined either by design floor response spectra, or by scaling-up the design floor response spectra to the required level, or by completely new response calculation for the required input (e.g. at Paks NPP the floor response spectra have been calculated for the newly defined DBE).
For most of this equipment, the load-bearing capacity is verified by demonstrating that the equipment is adequately anchored. Operability is demonstrated by verifying that the equipment is similar to the equipment in the database created on the basis of experience and that it meets all of the prescriptions included in the GIP.
An important element of the procedure is the walk-down, which provides the basis for screening out the obviously rugged items and for considering the as-built conditions, since in the majority of cases the load-bearing capacity is ensured if the equipment is adequately anchored.
The applicability of the empirical qualification method should be carefully checked by reviewing the similarities between the features of the items in the database and the item to be qualified at the plant. The empirical method and database were adapted for the qualification of VVER equipment (Masopust, 2003) and used for the qualification of the VVERs at Paks NPP in Hungary and at Bohunice and Mochovce NPP in Slovakia, though the objective and scope of the particular seismic safety programmes differed very much from those in the USI A-46.
3.2.2. Deterministic margin analysis
The plant design shall ensure sufficient margins against seismic demand, as it is required by the IAEA design requirements NS-R-1 (IAEA, 2000).
In case of operating plants, the objective of the seismic margin assessment (SMA) is to evaluate and quantify the inbuilt seismic margin of those structures, systems and components of the power plant that fulfil their basic safety functions during and after the earthquake. The quantification of the margins is also recommended by the IAEA Safety Guides NS-G-1.6 and NS-G-2.13 (IAEA, 2003 and 2009). The goal of the analysis is to determine the seismic shaking level at which there is a high-confidence-of-low-probability-of-failure (HCLPF). This HCLPF is mathematically defined as 95% confidence of less than 5% probability of failure.
In the SMA calculation the seismic capacity CS has to be compared to the Seismic Margin Earthquake (SME) demand DS. The capacity and the demand have to be calculated according to codes and standards, while some specific assumptions should be accepted. These assumptions are as follows (EPRI, 1998):
Load combination has to consist of normal and SME loads. The ground response spectrum is median-shaped.
Conservative estimate of median damping has to be used.
Best estimate structural model has to be used and the uncertainty in frequencies has to be accounted.
Calculation of the soil-structure interaction has to be best estimate taking into account the parameter variation.
Code specific minimum strength or 95% non-exceedance probability values
Static capacity equations to be used have to be for code ultimate strength (ACI) for concrete, or maximum strength, (AISC) for steel structures, or Service level D (ASME) or functional limits in case of mechanical equipment.
Inelastic energy absorption values to be used for non-brittle failure modes and linear analysis can be taken e.g. from (IAEA, 2003a)
In-structure spectra have to be calculated by frequency shifting rather than peak broadening to account for uncertainty while median damping is used.
The capacity-demand ratio for elastic response is:
where DNS is the concurrent non-seismic demand for all non-seismic loads in the load combination, ∆CS is the reduction of the capacity due to concurrent seismic loading. The inelastic capacity-demand ratio can be similarly calculated taking into account the ductility Fμ. If the inelastic capacity-demand ratio exceeds unity the seismic margin earthquake level SME exceeds the reference level earthquake RLE for what the existence of sufficient margin has to be demonstrated. Otherwise, the built-in capacity that can be utilized for sustaining the seismic demand is equal to, the seismic demand is equal to. The RLE (or more precisely the PGA of the RLE) has to be scaled by the ratio in elastic response case; or by when for inelastic response considered. That value will be the code deterministic failure margin with high confidence for low probability of failure (HCLPF) expressed in terms of the peak ground acceleration, i.e.
The seismic capability of active equipment (electrical, electromechanical and I&C) is qualified by tests or by the empirical method (see Section 3.2.1 above). Based on the qualification or fragility test data or generic data, a bound of the test response spectra has to be defined at about the 99 per-cent exceedance probability level. The in-structure response spectra have to be calculated for the reference level earthquake, together with the ratio of the bound of the test response spectra to the in-structure/floor response spectra. Scaling up the reference level (PGA) with this ratio provides the HCLPF capacity of the equipment. The HCLPF capacity has to be evaluated for all items needed for ensuring the basic safety function.
A systematic SMA procedure and methodology has been developed by EPRI in NP 6041 Rev 1 consisting of following main elements (EPRI, 1998):
Definition of the Review Level Earthquake (RLE)
Identification of success paths needed to bring the reactor into stable
Two independent functional paths to shutdown
Define components in the paths
Screening out the rugged components
Identify characteristics, vulnerability
Assures verification of as-installed properties and conditions
Seismic capacity evaluation for unscreened components
The SMA seismic input is the Review Level Earthquake (RLE) that should exceed the SSE. The RLE is the screening level at which structures, systems and components that are necessary for the shutdown of the power plant and for keeping it in the stable shutdown condition, and that are considered to be in the ‘success path’, should be examined. (According to the definition given in the EPRI NP-6041 report, the SME is equivalent to the RLE specified by NUREG-1407. There are three categories of sites according to the PGA: PGA≤0.3g, 0.3<PGA≤0.5g and PGA>0.5g with reference level PGA 0.3g, 0.5g and >0.5g respectively. For the analysis, the NUREG/CR-0098 median shape ground motion response spectra can be selected.)
In margin analysis, the success path selection must include a primary success path and an alternate success path utilizing to the greatest extent possible, different equipment. One of the paths must also have the capability to mitigate a small pipe break.
The rugged components have to be screened out during the plant walk-down. For those components that were not screened out during the walk-down phase, additional analyses shall be executed to determine the HCLPF. The weakest component in a shutdown path then defines the plant level HCLPF for that path.
For the new design, the margin beyond safe shutdown earthquake has to be demonstrated (HCLPF for at least 1.67 times of the SSE in the US design practice and 1.4 times of the SSE in the European design practice).
The seismic margin assessment procedure is driven by experience and expert judgment. Therefore the selection of the team is a decisive precondition for success and adequacy of the result. The development of the safe shutdown equipment list and the performance of the walk-downs require a very experienced team consisting of systems engineers as well as structural/seismic engineers trained in design and empirical qualification.
3.2.3. Probabilistic seismic safety analysis (seismic PSA)
One of the most complex cases for assessing the nuclear power plant (NPP) safety is the evaluation of the response of the plant to an earthquake load and the risk related with this. The objective of the seismic PSA is to define the contribution of the earthquakes to the core damage frequency of the reactor and finally to the overall risk of plant operation. Risk is expressed as triplets, where Si is the identification/description of the ith scenario or accident sequence; pi is the probability of occurrence of that scenario and Li is the measure of the consequences/losses caused by that scenario.
In case of earthquake, the probability of damage/failure of a structure or component Pfail depends on a rather complex load vector that expresses all features of the earthquake excitation (peak ground acceleration, duration of strong motion and frequency distribution of the energy of excitation). The Pfail can be calculated as follows:
where the represents the hazard, i.e. it is the probability density function of applied loads and denotes the conditional probability of failure. The Equation (3) is theoretically precise. Nevertheless, in the practice the peak ground acceleration is used as a single load parameter. There were also some attempts made for using the cumulative absolute velocity for load parameter (Katona, 2010, 2011).
The basics of the seismic PSA were outlined in (Kennedy & Ravindra, 1984). Frequencies of core damage caused by an earthquake are calculated by modelling of the plant behaviour by event trees constructed to simulate the plant system response. Fault trees are needed for the development of the probability of failure of particular components taking into account all failure modes. The hazard is expressed as complementary probability: 1-cumulative probability function, i.e. probability that the peak ground acceleration exceeds a given value. The fragility is defined as the conditional probability of core damage as a function of a – the PGA at free surface. The behaviour of the plant is modelled by the Boolean description of sequences leading to failure. Plant level fragility is obtained by combining component fragilities according to the Boolean-expression of the sequence leading to core damage. The plant level fragility is defined as the conditional probability of core damage as a function of free field PGA at the site. Plant level fragilities are convolved with the seismic hazard curves to obtain a set of doublets for the plant damage state. A great number of studies have been published on the seismic PSA, a review and referencing all of them is impossible in the frame of recent study. The method is now well developed and standardised by ASME in ASME/ANS RA-S–2008 (ASME, 2008) (see also the addendum ASME/ANS RA-Sa–2009).
According to ASME/ANS RA-S-2008, for evaluation of core damage frequency the doublets have to be calculated, where fij is the frequency of the earthquake induced plant damage state,
where pij is the discrete probability of this frequency; qi is the probability associated with ith fragility curve fi(a) and pj is the probability associated with jth hazard curve Hj. The seismic fragility fi(a) is the conditional probability of failure for a given value of seismic input parameter, e.g. peak ground acceleration. The fragility curve fi(a) is the ith representation of the conditional probability of the core damage. In the practice both the hazard and fragility is accounted by point estimates with subsequent uncertainty evaluation. The fragility is modelled by lognormal distribution:
where, is the logarithm of median capacity Cm, and the βC is the composite logarithmic standard deviation expressing the epistemic and aleatory uncertainty. The lognormal distribution of the fragility is a consequence of the representation of the median capacity, Cm, as a product of a large number of different factors, Fi, representing the uncertainties of all factors contributing to the capacity as well as the uncertainty in demand, i.e.. According to the central limit theorem, the sum of random variables tends to a normal random variable independently of the distribution of each of them. This rule is applicable to the logarithm of the product above.
The HCLPF is related to the Cm as follows:
where k0 and k are constants that can be defined on the basis of probabilistic seismic hazard assessment (PSHA).
The basic steps of seismic PSA are the following:
Determination of seismic hazard by PSHA
Fault trees and event trees
Define accident sequences, associated systems, components
Fragility analysis of SSCs – Conditional failure probability
Integration of hazard and fragility resulting in seismic core damage frequency.
Since the level of core damage probability to be assessed is very low, the assessment of seismic hazard has to be performed up to a very low level of annual probability, e.g. up to 10^-7/a or less. The median hazard curve can be used, which can be defined by adapting the guidance in the IAEA Safety Guide SSG-9 (IAEA, 2010).
The consideration of uncertainty in both fragility and seismic hazard is important for adequate safety assessment. The above formulation uncouples the uncertainties in the load and resistance parameters, embodied in the fragility and load probability density functions respectively. These uncertainties are usually of different origins and it is convenient to be able to treat them separately.
The level 1+ seismic PSA gives estimation for the probability of seismic induced reactor core-melt. The level 1+ means the examination of containment that includes the evaluation of the safety of containment integrity and isolation as well as the development of bypass.
The experiences of the seismic probabilistic safety (risk) studies performed in the U.S. are summarised in (NRC, 2010). In comparison with the core damage frequency (CDF) due to internal initiators, the seismic core damage frequencies seem to be dominating. A similar conclusion can be made regarding the seismic PSA results obtained for the Paks NPP, where the contribution of the seismic events is approximately equal to 75 per-cent of the total CDF; see also (Riechner et al., 2008) on the Swiss experiences. Generally, the acceptable level of the annual probability of reactor core damage due to seismic events is of order of magnitude 10^-5. It seems that the uncertainties dominate the seismic CDF, caused both by the uncertainty of the hazard definition, especially in the range below 10^-5/a frequencies, and by the uncertainty of the fragilities.
An interval representation can be proposed for accounting the uncertainty of the fragility (Durga et al., 2009; Katona, 2010). The fragility is a doublet composed from set of fragility functions fi(a) with probability weight qi, where the variable a is the horizontal component of the ground motion acceleration. It can be represented by a probability box (p-box), , where F(a) is the conditional probability distribution of the failure. The is the probability-box specified by a left side, and a right side distribution functions, where the relations and are valid.
The most trivial case for the use of p-box can be the screening according to ruggedness of the component. The rugged components might be described by p-box with lower and upper bounding value of the variable a, or any other damage indicator, i.e. cumulative absolute velocity. The probability bounds can be defined via expert elicitation.
It can also be convenient to express the uncertainty of fragility in form of a p-box, defined by a lower bound u(p) and an upper bound d(p) on the function L-1(p) defined as inverse of the probability distribution F(a), i.e., where p is probability level.
As it was mentioned above, in the practice the lognormal distribution is applied for fragility of structures. If the bounds on mean, and standard deviation of a lognormal distribution L are known, the bounds on the distribution can be obtained by computing the envelope of all lognormal distributions L that have parameters within the specified intervals: and.
3.2.4. Probabilistic margin analysis
The NRC seismic margins method (NUREG CR 5334) is a truncation of PSA, i.e. the plant systems are modelled by Boolean method, while the systems needed for ensuring the basic safety functions are considered, the seismic fragility curves are developed, and the plant level HCLPF is computed (Campbell, 1998). The procedure does not involve the use of a seismic hazard for the computation of the HCLPF and the core damage frequency is not calculated.
The NRC seismic margins method involves the following steps (Prassinos et al., 1986):
Selection of the review level earthquake
Development of systems models
Initial component ruggedness screening
Development of component and structural fragilities
Determination of plant level HCLPF
The systems models and fragility curves are used to determine the dominant accident sequences and the plant level HCLPF. The RLE selection and walk-down procedures are similar to those used in the EPRI margin method. The screening is conducted to eliminate many components from fragility computations.
The HCLPF capacities for components in each system included in the plant model have to be defined and combined according to the Boolean representation of the system via the minimum-maximum procedure: minimum HCLPF of the elements connected by an or-gate and maximum HCLPF of the elements connected by an and-gate. For example, if the Boolean representation of a system composed of elements A, B, C and D is equal to A*(B+C)*D, then the HCLPF of the system is equal to Maximum of (A; Minimum of (B, C); D). The plant HCLPF can also be calculated via a convolution procedure.
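The minimum-maximum procedure above can be applied mechanically to any Boolean expression written with `*` (and-gate) and `+` (or-gate). The following Python sketch is an added example, not code from the chapter or from the NRC method documents; the component names and HCLPF values (in g) are constructed for illustration, and the function also reports which component governs the result.

```python
import re

# Constructed sample capacities (HCLPF in g PGA); not plant data.
EXAMPLE_HCLPF_G = {"A": 0.30, "B": 0.25, "C": 0.40, "D": 0.20}

_TOKEN = re.compile(r"\s*([A-Za-z_]\w*|[()+*])")


def tokenize(expr):
    """Split a Boolean expression into component names, '+', '*', '(' and ')'."""
    expr = expr.strip()
    tokens, pos = [], 0
    while pos < len(expr):
        match = _TOKEN.match(expr, pos)
        if not match:
            raise ValueError(f"unexpected character {expr[pos]!r} at position {pos}")
        tokens.append(match.group(1))
        pos = match.end()
    return tokens


def system_hclpf(expr, hclpf):
    """Return (system HCLPF, governing component) for a Boolean expression.

    Rule from the text: or-gate ('+') -> minimum, and-gate ('*') -> maximum.
    '*' binds tighter than '+', as in ordinary Boolean algebra.
    """
    tokens = tokenize(expr)
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take():
        nonlocal pos
        tok = peek()
        pos += 1
        return tok

    def factor():
        tok = take()
        if tok == "(":
            result = or_expr()
            if take() != ")":
                raise ValueError("missing ')'")
            return result
        if tok is None or tok in ("+", "*", ")"):
            raise ValueError("component name expected")
        if tok not in hclpf:
            raise ValueError(f"no HCLPF value for component {tok!r}")
        return (hclpf[tok], tok)

    def and_expr():
        best = factor()
        while peek() == "*":
            take()
            best = max(best, factor())   # and-gate: maximum HCLPF
        return best

    def or_expr():
        best = and_expr()
        while peek() == "+":
            take()
            best = min(best, and_expr())  # or-gate: minimum HCLPF
        return best

    result = or_expr()
    if pos != len(tokens):
        raise ValueError(f"unexpected token {tokens[pos]!r}")
    return result


if __name__ == "__main__":
    value, governing = system_hclpf("A*(B+C)*D", EXAMPLE_HCLPF_G)
    print(f"system HCLPF = {value:.2f} g, governed by {governing}")
```
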
3.2.5. Use of design methods and standards
A consistent use of design methods and standards for the re-evaluation and upgrading is not practicable for the operating plants. However, if the plant was not designed for earthquakes or the hazard was greatly underestimated, the design methods and standards have to be used for achieving compliance with the design basis requirements as much as practicable.
The graded approach has to be applied for appropriate selection of evaluation methods. Deviation from design procedures can be accepted in case of qualification of outliers of Class 3 (seismic classification: see e.g. IAEA Safety Guide NS-G-1.6 (IAEA, 2003b); safety classification principles are given e.g. in the IAEA NS-R-1 (IAEA, 2000b)).
The possibility of differentiation at design is exposed by guideline NS-G-1.6:
Class 1: design ensuring the function and great safety margin are necessary
Class 2: items are classified because of seismic interactions; they ‘can be designed with smaller safety margin’
Class 3: these can be designed differentiated according to hazard
Class 4: general industrial standard can be used
The assumptions and methods applicable for each task of the seismic re-evaluation and upgrading of the operating plants with the aim of design basis reconstitution are given in Table 1. A practical example is given in Section 5 below.
| Task | Assumptions and methods |
|---|---|
| Evaluation of the seismic hazard of the site that includes the associated with earthquake events, e.g. liquefaction; development of the design basis earthquake characteristics | As for new design, preferably PSHA (see the IAEA NS-R-3, SSG-9 and NS-G-3.6). DBE as for new design – the Ground Motion Response Spectra have to be modified in accordance with ASCE/SEI 43-05 (ASCE, 2005) and Reg. Guide 1.208 (NRC, 2007) to be taken as design basis response spectra. |
| Identification of the structures, systems and equipment which are needed for ensuring the basic safety functions | According to the safety and seismic classification plus interacting SSCs. Stable shutdown conditions have to be ensured for 72 hours as a minimum. Single failure criterion has to be applied. |
| Evaluation of the seismic capacity of SSCs and identification of the upgrading | Graded approach: Class 1-3 evaluation by analysis according to design codes; Class 1 and 2 outliers have to be fixed; for Class 3 outliers, justification via less conservative method (realistic damping, inelastic response) or upgrade. |
| Design and implementation of the necessary corrective measures (fixes and qualifications) | Design of modification according to codes and standards. Qualification by tests or empirical method. |
| Installation of seismic instrumentation; development of pre-earthquake preparedness and post-earthquake measures | According to the IAEA NS-G-1.6, NRC Regulatory Guides 1.12, 1.166 and 1.167 (IAEA, 1995; NRC, 1997a, 1997b, 2000; EPRI, 1988, 1989; ANS, 2002) |
| Evaluation of the CDF due to earthquake, quantification of the safety margins | Seismic PSA |
3.3. Studies for restart after strong earthquake
There are specific procedures developed for the evaluation of the plant safety after a strong earthquake that are part of the plant emergency procedures (EOPs) for the case of earthquake, e.g. (NRC, 1997a, 1997b), (EPRI, 1989), (ANS, 2002) and (IAEA 2011).
The post-earthquake evaluation is in principle eclectic. The practicable methods are e.g. the evaluation by analysis, margin assessment, checking the post-earthquake condition of equipment along empirical criteria, in-service inspections and testing. Selection of the method can be performed on the basis of walk-down and visual inspection’s experiences, safety classification, etc. Lessons learnt from the case of the Kashiwazaki-Kariwa plant after the 2007 earthquake are of great importance.
The justification of the continuation of the operation after a strong earthquake (even if it is below the SSE-level) is a rather complex issue.
The design is success oriented. Consequently, the comparison design versus experienced parameters provides basis for a deterministic statement, whether an SSC will fail or not.
The seismic PSA is failure oriented; it indicates the weak links that have to be carefully checked. The margin studies quantify the built-in capacities/reserves that may cover the demand even beyond the design base, see (Kassawara, 2008).
Although it is the most time-consuming and expensive, the careful testing and the implementation of state-of-the-art analysis methods and removing the unnecessary conservatism of material parameters (mainly the damping) seems to be the most powerful tool for the evaluation of post-event situation.
There is an obvious need for a better damage indicator than the PGA and response spectra of the experienced earthquake and their comparison to the design base PGA and response spectra. The cumulative absolute velocity (CAV) is a good indicator for no damage according to the EPRI study (EPRI, 1988). Some recent studies show that the CAV can be used as a damage indicator for assessing the post-event conditions, especially for the fatigue failure mode, since the CAV can be correlated to the product of the number of load cycles and the stress amplitudes, thus the fatigue lifetime limit can be written as a function of the CAV (Katona, 2011). Comparing the Niigata-Chuetsu-Oki earthquake in 2007 and the Great Tohoku earthquake in 2011, the most significant difference is not in the PGA but in the overall energy of the ground motion, which is properly characterised by the CAV value.
3.4. Severe accident management oriented studies
Recently, the severe accident management (SAM) studies with regard to extreme environmental conditions and hazards have gained great importance. For the planning of the accident management and mitigation measures and the development of the severe accident management guidelines, the possible accident scenarios have to be known and the plant vulnerabilities and robust features have to be identified. For the design of technical means for the accident management/mitigation, the post-event conditions have to be forecasted.
For adequate preparation for severe accident situations, simultaneous occurrence of extremities has to be assumed. Occurrence of additional earthquake induced events has to be expected if a beyond design basis earthquake hits the plant. For example, soil liquefaction can be the dominating issue and cause a cliff-edge effect on soft soil sites if a strong beyond design base earthquake hits the site, while the liquefaction may not happen in the design base case.
It has to be also assumed that extreme conditions, including logistical obstacles due to on-site and off-site damages will be in place while the accident management measures have to be implemented.
The seismic PSA and margin type analyses provide the basis for the definition of the possible damage sequences and identification of effective measures. According to the PSA experience, the most serious is the sequence of the total loss of power and of the possibility of heat removal to the ultimate heat sink, or even loss of the ultimate heat sink, while the containment isolation is lost with or without of containment isolation with or without significant structural damage of the containment.
An essential task of the studies related to severe accident management is the aseismic design of the connections of the provisional systems for cooling the reactor and spent fuel pool (pipelines for cooling and DC/AC power cabling and connections). The design basis of these provisions has to be defined well beyond the plant “usual” design basis. The seismic hazard curve should be available for this reason.
The concept and the main tasks of the severe accident management studies are as follows:
identification of possible minimum configurations needed for shutdown and heat removal of the reactor and spent fuel and protection of the containment
identification of provisional and mobile tools for ensuring the heat removal and containment protection
plant walk-down for
screening out the robust elements
identification of interactions affecting the SSCs within the minimum configuration and the inhibiting the connections of provisional power and cooling lines
identification of the logistical obstacles impeding the implementation of SAM measures
identification of the measures needed for SAM
assessment/quantification of the margins
3.5. Role of the walk-downs
As has been shown in the Sections above, the walk-down of the power plant is a key element of the seismic re-evaluation and re-qualification of the operating NPPs. The walk-downs provide the opportunity to see what is difficult or impossible to recognise just by reviewing the documentation. The aim of the walk-down is as follows:
to check the as-is conditions, i.e.
the as-is lay-out conditions,
the adequacy of the anchorages,
to check the compliance with the conditions in the re-qualification database,
to identify those interactions, which can potentially affect the performance of the seismic safety related structures, systems and components during the occurrence of an earthquake and can render this equipment inoperable,
to check the feasibility of upgrading measures.
Examples for checking the interaction items during the walk-down are listed below:
unreinforced masonry walls adjacent to safety-related equipment may fall and impact safety-related equipment or cause loss of function of such equipment,
fire extinguishers may fall and impact or roll into safety-related equipment, or spurious actuation of the fire extinguish system may happen,
inadequately anchored or braced equipment as vessels, tanks, heat exchangers, cabinets etc. may overturn, slide and impact adjacent safety-related equipment,
equipment carts, chains, air bottles, welding equipment etc. may roll into, slide, overturn, or otherwise impact safety-related equipment,
storage cabinets, office cabinets, files, bookcases etc. located, for instance in control rooms, may fall and impact adjacent safety-related equipment,
break/damage of non-safety related piping, tanks, heating may cause spray, flood and loss of function of the safety related systems,
flexible piping, cable trays, conduits, and heating, ventilation and air-conditioning (HVAC) ducts may deflect and impact adjacent safety-related equipment,
anchor movement may cause breaks in nearby piping, cable trays, conduits, HVAC ducts etc. that may fall or deflect and impact adjacent safety-related equipment,
emergency lights and lower ceiling panels can fall down and damage safety-related equipment,
free crane hooks may bang safety-related equipment in their vicinity.
The plant walk-down is also required for the assessment of the severe earthquake vulnerabilities and design of accident management and mitigation measures, including the identification of the on-site and off-site logistical obstacles.
3.6. Design of upgrading
Design of the upgrading has to be performed according to the design codes and standards and for the design basis earthquake as defined by the current licensing basis.
Seismic upgrades are design modifications requiring proper configuration management and regulatory approvals.
3.7. Role of the peer-reviews
All methods presented above for the re-evaluation and re-qualification of the operating plants require specific knowledge and experience and are decisively based on expert judgement. Consequently, the re-evaluation, re-qualification and upgrading of operating plants have to be peer reviewed to provide an independent overview of their adequacy. The recommendations for the peer review are part of the descriptions of the procedures and are also given in (IAEA, 2003, 2009).
4. Pre-earthquake preparedness and post-earthquake actions
4.1. Operating basis earthquake (OBE) exceedance
The operating basis earthquake level is understood as a limit for the continuation of safe operation. If the plant is designed for two levels of earthquake, i.e. OBE and SSE, the limit of safe operation should be set equal to the OBE PGA measured at free-field, or to the response acceleration level at an appropriate location of the structure, e.g. at the containment basement, calculated for the OBE. If the acceleration crosses the set level, the reactor protection system is actuated automatically. An automatic seismic trip system could be designed in accordance with the concept of the reactor protection system design with regard to the instrumentation, redundancy and the logic of the generation of the actuating command. The system design should eliminate spurious trips as much as possible. There are different concepts for selection of the trigger level. A "high level" trip could be set based on some per-cent of the SSE (usually chosen as greater than 60% of the SSE level) and could be designed to minimize spurious trips due to after-shocks and low acceleration earthquakes. A "low level" trip would be set to activate on the compressional waves (P waves) when this first arrival caused displacement or acceleration greater than the calculated maximum allowable P wave for an OBE. The decision on the OBE exceedance per acceleration level crossing could be considered as traditional. Considerations have been made regarding the advisability of automated reactor shutdown in case of small earthquakes (Cummings, 1976; IAEA, 1995). There are plants and sites in low and moderate seismic activity regions where an automatic PGA or acceleration level triggered shutdown can be caused by practically harmless ground motions. There are also plants that were practically not designed for two levels of earthquakes but only upgraded to comply with the SSE related requirements. For these cases the U.S. NRC Regulatory Guides 1.12, 1.166 and 1.167, and the IAEA as well as the NRC documents on the "Advisability of seismic scram" provide guidance; see also (IAEA, 1995).
At plants in moderate seismicity regions the operational limit related to the OBE exceedance is formulated in terms of cumulative absolute velocity and spectral amplitude of the acceleration and velocity response spectra measured at the free field; see (NRC, 1997a, 1997b and 2000; EPRI, 1988, 1989; ANS, 2002). According to U.S. NRC Regulatory Guide 1.166 the OBE exceedance criteria are as follows:
“The OBE response spectrum is exceeded if any one of the three components (two horizontal and one vertical) of the 5 percent of critical damping response spectra generated using the free-field ground motion is larger than:
The corresponding design response spectral acceleration (OBE spectrum if used in the design, otherwise 1/3 of the safe shutdown earthquake ground motion (SSE) spectrum) or 0.2g, whichever is greater, for frequencies between 2 to 10 Hz, or
The corresponding design response spectral velocity (OBE spectrum if used in the design, otherwise 1/3 of the SSE spectrum) or a spectral velocity of 6 inches per second (15.24 centimeters per second), whichever is greater, for frequencies between 1 and 2 Hz.”
The CAV is defined for each component of the free-field ground motion as
where a(t) is a component of the ground acceleration, T is the duration of the strong motion.
There are certain rules for the numerical calculation of the CAV: (1) the absolute acceleration (g units) time-history is divided into 1-second intervals, (2) each 1-second interval that has at least 1 exceedance of 0.025g is integrated over time, (3) all the integrated values are summed together to arrive at the CAV.
The CAV check is exceeded if any CAV calculation is greater than 0.16 g-seconds.
If the response spectrum check and the CAV check were exceeded, the OBE was exceeded and plant shutdown is required.
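The three calculation rules and the two checks above translate directly into code. The following Python sketch is an added example, not code from the chapter or from the cited guides: the three-component record, the sampling interval and all spectral values are constructed, the 5 percent damped spectra are assumed to be already computed, and a simple rectangle rule is used for the integration.

```python
import math

WINDOW_S = 1.0            # window length from the text, seconds
WINDOW_TRIGGER_G = 0.025  # a window counts only if |a| exceeds this at least once
CAV_LIMIT_GS = 0.16       # CAV check limit from the text, g-seconds
SA_FLOOR_G = 0.2          # spectral acceleration floor, 2 to 10 Hz
SV_FLOOR_CMS = 15.24      # spectral velocity floor, 1 to 2 Hz


def standardized_cav(accel_g, dt):
    """CAV (g-seconds) of one component using the 1-second window rules."""
    n = int(round(WINDOW_S / dt))        # samples per window
    if n < 1:
        raise ValueError("sampling interval must not exceed the window length")
    cav = 0.0
    for start in range(0, len(accel_g), n):
        window = [abs(a) for a in accel_g[start:start + n]]
        if max(window) > WINDOW_TRIGGER_G:
            cav += sum(window) * dt      # rectangle-rule integral of |a(t)|
    return cav


def plain_cav(accel_g, dt):
    """Integral of |a(t)| over the whole record, without window screening."""
    return sum(abs(a) for a in accel_g) * dt


def spectrum_check_exceeded(points):
    """points: dicts with f_hz, sa_g, sv_cms and the design values at f_hz."""
    for p in points:
        if 2.0 <= p["f_hz"] <= 10.0 and p["sa_g"] > max(p["design_sa_g"], SA_FLOOR_G):
            return True
        if 1.0 <= p["f_hz"] <= 2.0 and p["sv_cms"] > max(p["design_sv_cms"], SV_FLOOR_CMS):
            return True
    return False


def obe_exceeded(records, dt, spectra):
    """Return (decision, per-component CAV). Both checks must be exceeded."""
    cavs = {name: standardized_cav(rec, dt) for name, rec in records.items()}
    cav_hit = any(value > CAV_LIMIT_GS for value in cavs.values())
    spectrum_hit = any(spectrum_check_exceeded(pts) for pts in spectra.values())
    return cav_hit and spectrum_hit, cavs


# --- constructed sample input (not a recorded earthquake) -------------------
DT = 0.005  # 200 samples per second


def constructed_record(strong_amp_g, weak_amp_g=0.01):
    """10 s of 2 Hz sine: weak motion, 4 s of strong motion (3 s to 7 s), weak."""
    return [(strong_amp_g if 600 <= i < 1400 else weak_amp_g)
            * math.sin(2 * math.pi * i / 100) for i in range(2000)]


RECORDS = {"H1": constructed_record(0.10),
           "H2": constructed_record(0.04),
           "V": constructed_record(0.02)}

SPECTRA = {"H1": [
    {"f_hz": 1.5, "sa_g": 0.12, "sv_cms": 12.0, "design_sa_g": 0.10, "design_sv_cms": 10.0},
    {"f_hz": 5.0, "sa_g": 0.27, "sv_cms": 8.4, "design_sa_g": 0.15, "design_sv_cms": 9.0},
]}

if __name__ == "__main__":
    decision, cavs = obe_exceeded(RECORDS, DT, SPECTRA)
    for name, value in cavs.items():
        print(f"{name}: CAV = {value:.3f} g-s")
    print("OBE exceeded:", decision)
```

In the constructed record only the four strong-motion windows of component H1 contribute to the standardized CAV, which is why it is lower than the plain integral over the whole record.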
4.2. Seismic instrumentation
The seismic instrumentation has two important roles:
to provide information for the decision on OBE exceedance
to register the plant response for the post-event evaluation of the plant condition.
The instrumentation providing response records for the evaluation of the post-event condition of the plant should be installed at the most important/significant locations of the structures and main components.
The instrumentation for the judgement on the OBE exceedance has to be designed and fitted to the concept of limitation of the operation in case of earthquake. The instrumentation and voting logic for automatic scram should have the same structure, redundancy etc. as the reactor protection system.
For example, the Soviet-designed SIAZ (System of Industrial Antiseismic Protection) system, which initiates automatic reactor scram, consists of nine tri-axial accelerometers in three independent systems with independent electric power supply and two sets of them. In contrast, the tri-axial accelerometers for the evaluation of OBE exceedance via the CAV and response spectrum criteria should be installed at protected free-field locations.
4.3. Development of emergency operational procedures
Activities that have to be executed during an earthquake should be defined, and adequate emergency operational procedures for accident prevention should be developed for the case of an earthquake. The documents (NRC, 1997a, 1997b and 2000; EPRI, 1988; 1989, ANS 2002) and (IAEA, 2011) provide guidelines for the development of the procedures.
The development of earthquake related severe accident management guidelines can be performed on the basis of severe accident oriented studies (Section 3.4) and IAEA documents (IAEA, 2009b).
5. Implementation example – Seismic safety programme at Paks NPP
5.1. Basic principles and outline of the programme
The case of Paks NPP is significantly different from the cases of other nuclear power plants regarding the initial basis and objective of their seismic safety programmes. Ab ovo, Paks NPP was not designed and qualified for earthquake loads. The reason was twofold: the site seismicity was underestimated, and the design basis was set to MSK-64 intensity 5, which was equal to the intensity of the historically credible earthquake plus one intensity degree. In the mid-eighties the safety deficiency was recognised and a programme for the definition of the site seismic hazard was launched, which was extended to a comprehensive site evaluation programme, including geological, geophysical, seismological and geotechnical investigations, with the scope and methodology required for a design basis. The probabilistic seismic hazard assessment was completed in 1995 and the design basis earthquake was defined on the 10⁻⁴/a non-exceedance level. The Hungarian Regulatory Authority approved the new design basis and requested the launch of a programme for ensuring compliance with the newly defined design basis.
It was already recognised at the very beginning of the seismic safety programme that a consistent, full-scope re-design in line with design codes and standards, with subsequent upgrading, might be impossible at Paks NPP. Therefore, acknowledging the international practice and IAEA recommendations, the Hungarian authorities allowed the use of methodologies for seismic re-evaluation and re-qualification of operating NPPs that are less conservative than the design procedures. Admittedly, in the early phase of the implementation of the seismic safety programme of Paks NPP, there was a vain hope that the issues at Paks NPP could be managed via application of SQUG/GIP, the EPRI deterministic seismic margin method and the Seismic Evaluation Procedures of the DoE (see Section 3.2 above).
In contrast to the relative alleviations regarding the selection of the re-qualification methodologies, the scope of the seismic safety evaluation and upgrades was set by the regulation as for re-design: it covered not only the seismic safety classified SSCs (including interacting items) but the whole scope of safety classified SSCs, with three times full redundancy and application of the single failure criterion, instead of considering a success path and a backup only. The process requirements were also set as for a new design, e.g. the heat removal after the design base earthquake shall be ensured for an unlimited time, contrary to the 72 hours requirement applicable in the usual margin-type assessment.
The real objective was clearly understood after performing the first Periodic Safety Reviews in 1999, since compliance with the then just issued Nuclear Safety Regulations (Governmental Decree No 108/1997) had to be achieved and demonstrated. It was recognised that the methodologies mentioned above do not provide the result required for Paks NPP regarding design base reconstitution; moreover, they cannot be directly applied to VVER plants, and certain adaptation was needed to account for the VVER design features.
The qualification of the Paks NPP has been executed for the newly defined design basis earthquake by applying procedures and criteria for new design, combined with the methods and techniques developed for seismic re-evaluation of operating nuclear power plants. The seismic safety programme of the Paks NPP is presented below in Figure 1.
The description of the project as given below clearly indicates the similarities and differences between the programmes as understood in (Gürpinar & Godoy, 1998; Campbell et al, 1998) and the programme at Paks NPP (Katona, 2001).
The selection and use of methodologies has been graded in accordance with safety relevance of the system, structure or component.
The Hungarian regulation requires the performance of probabilistic safety analyses for internal and external events/initiators. Therefore, after implementing the seismic safety upgrading measures, the achieved level of safety has been quantified via seismic PSA, which provides the value of the CDF and has also indicated certain weak links to be avoided or accounted for.
The implementation of the programme was broken into three phases:
Preparatory phase before 1995: The objective was to prepare the programme in a way that it could be executed within reasonable technical and economic limits (for an example see Section 5.4). Learning and trial of the methods were going on simultaneously with the site evaluation. The conservatism had to be handled carefully during the seismic safety assessment. The easy-to-perform fixes were designed for a preliminary conservative seismic input and implemented. The easy-fix project covers 10184 items for 4 units. The volumes of the works are given in Table 2. The total amount of structural steel used for fixes is equal to 445 tons. Safety related batteries for all four units have been replaced and fixed in the frame of the easy-fix project.
Between 1996 and 1999: Selection of the methodology, evaluation of the as-is seismic capacity and identification of the fixes were performed.
The programme was broken down into manageable tasks and projects while the uniformity of the requirements and assumptions between these tasks had been ensured by appropriate quality assurance programme and methodological and criteria documents developed for each task.
|Task||number of items||fixes|
|I&C (cabinets, racks)||2061||anchorages and top bracing|
|brick walls||281||steel frame fixes|
|total number of easy-fix items||5507|
|Qualification and upgrades||Time frame||Tasks/Volume|
|Electrical and I&C equipment||1993-2002||Qualifications, replacements|
|High energy pipelines of primary circuit and equipment||1997-1999||250 fixes (GERB viscous-dampers)|
|Structure of the turbine and reactor hall||1999-2000||1360 t of steel fixes|
|Support bridge at localization towers||2000-2001||300 t of steel fixes|
|Other classified pipelines of primary circuit and the components||1998-2000||760 fixes|
|Classified piping and components of secondary circuit, fixes of supporting steel structures in the turbine building||2000-2002||160 t of added steel structures|
|Other classified pipelines and equipment||2001-2002||80 fixes|
|Measures identified by seismic PSA||2002-||Fixing the joints in the turbine building, relays qualification|
5.2. The seismic design basis
5.2.1. Seismic hazard
Full-scope site geological, geophysical, seismological and geotechnical investigation and evaluation has been performed with subsequent probabilistic seismic hazard assessment (PSHA). The methodology is described in (Tóth et al., 2009).
The design base earthquake is defined on the 10⁻⁴/a non-exceedance level, taken on the mean hazard curve. The recent Hungarian regulatory requirement is that the design base event has to be defined on the median hazard curve at 0.005 non-exceedance probability for the total lifetime of the plant, which means exactly a 10⁻⁴/a frequency for a 50 years operational lifetime (or approximately 10⁻⁵/a for a new build).
The horizontal and vertical peak ground accelerations (PGA) are equal to 0.25g and 0.2g respectively. (The PGA correlated to the original design basis seismicity was 0.025g.)
The uniform hazard response spectra were defined for the Pannonian surface (as for a virtual outcrop) below the site. The ground motion response spectra (GMRS) are calculated taking into account the nonlinear features of the soft soil layer covering the site.
The results are shown in Figure 4.
The acceptability of the obtained ground motion response spectra for the design base was justified earlier (in 1995) by comparison with deterministically defined 84% response spectra (on the basis of US NRC Draft Guide 1032, issued later as Regulatory Guide 1.165) and recently per U.S. NRC Regulatory Guide 1.208 (NRC, 2005) and the ASCE/SEI 43-05 procedure (ASCE, 2005). The latter ensures the avoidance of the cliff-edge effect with respect to the seismic input, since the increase of the amplitudes in the ground motion response spectra due to a relatively small increase (one order of magnitude) in the exceedance probability is accounted for.
The parameters of a 10⁻²/a non-exceedance level earthquake have also been defined. The PGA is equal to 0.087g in this case. This information is used for certain fatigue type analyses. The response spectrum and cumulative absolute velocity criteria are used for the definition of OBE exceedance; see US NRC Regulatory Guide 1.166 (NRC, 1997a).
5.2.2. Geotechnical conditions
There is a Pleistocene layer of 25-30 m covering the site, the upper 12-15 m part of which originates from floods and consists of fine structure, well classified sand, while its lower part consists of sandy gravel and gravel. Under the Pleistocene layers, there are various upper Pannonian layers, which are irregularly divided by sandstone ridges. These ridges are cemented to various extents and can be regarded as semi-rock. The 25-30 m saturated young soft soil (~300 m/s shear-wave velocity) covering the eroded Pannonian surface at the site is susceptible to liquefaction at the depth of 10-15 m. The probabilistic liquefaction analysis performed in 1995 has shown that the best estimate return period of the occurrence of liquefaction exceeds 10000 years; therefore liquefaction was not considered as a design basis phenomenon.
For seismic PSA purposes, the evaluation of the site effects was extended to very low probabilities (10⁻⁴ to 10⁻⁶/a). According to the seismic PSA, the relative settlement of the buildings due to liquefaction is the dominating effect contributing to the CDF just below the design basis probability level. This experience triggered a state-of-the-art analysis of the liquefaction. It was also observed that the uncertainty of the analysis is substantial due to the uncertainty of the soil parameters and the methods.
Liquefaction susceptibility can be expressed in terms of the factor of safety FS_liq against the occurrence of liquefaction as,
where CRR is the cyclic resistance ratio and CSR is the cyclic stress ratio, see Regulatory Guide 1.198 (NRC, 2003). The cyclic stress generated by the given earthquake is as follows (Seed and Idriss 1971):
where τ_av is the equivalent shear stress amplitude, a_max is the peak horizontal acceleration at ground surface, g is the acceleration of gravity, σ_v0 and σ′_v0 are the total and effective vertical overburden stresses, respectively, and r_d is a nonlinear stress reduction coefficient that varies with depth.
Depending on the method used, the value of the safety factor varies in a rather wide range. The methodologies (Seed & Idriss, 1971, 1982; Tokimatsu & Yoshimi, 1983) used for the Paks site resulted in a relatively low margin, while the analysis via the effective stress method provides much larger margins (Győri et al, 2002).
The building settlement caused by an earthquake can affect the underground communications (service water piping and emergency power supply cables) due to relative displacements. This effect will be amplified if liquefaction occurs. The dominant failure mode in the acceleration ranges higher than the design basis is due to the relative building settlement caused by the soil liquefaction. This makes it necessary to re-qualify the underground lines and connections jeopardized by the settlement of the main building or, if necessary, to modify them to make their relative movement unimpeded. An advanced probabilistic liquefaction and relative building settlement analysis is going on using an amended soil parameter database, in relation to the investigation of beyond design base vulnerabilities performed for severe accident management reasons (Győri et al, 2011).
5.3. Identification of SSCs for safe shutdown – Seismic classification
The procedure for the safe shutdown, cool-down and long-term heat removal of the reactors has been elaborated in two versions (Katona, 2003).
The first version was developed before 1995, when a very conservative guess of the DBE (with PGA 0.35g) was available. For this high demand, a safe shutdown technology was selected that could be realised by upgrading the minimum number of systems. It was advisable to select systems for the safe shutdown and cool-down that are situated in the reinforced concrete containment part of the main building, because only this part of the building seemed to sustain the loads. The upgraded and not upgraded systems or parts of systems should be separated in case of an earthquake by fast closing valves. The control rods and the boron system would ensure the shutdown of the reactor and the stable subcritical conditions. The reactor should have been cooled down by the secondary bleed and feed. The long-term heat removal would have been executed through the heat exchangers of the low-pressure emergency core cooling system, which should have been modified for the execution of this function. This concept would require modifications in the safety systems and the installation of a great number of valves. Analysing the feasibility issues, it had to be recognised that the implementation of the concept is not only very expensive but can also reduce safety in all cases other than an earthquake, because of the modification of the low-pressure emergency core cooling system.
While performing the analyses for the main building complex, it was recognised that the most critical structure is the gallery building, which houses several vital systems and I&C equipment. This part of the main building would have to be upgraded. While developing the possible technical solution for upgrading the longitudinal gallery building, it turned out that this can be best performed if the steel frames of the turbine hall and the reactor hall are also fixed. This solution allows the application of structural upgrades that do not require fixes in the gallery building, which is over-crowded with equipment and piping. If this is the case, the systems for regular heat removal placed in the turbine hall would be available for heat removal after an earthquake, if their re-qualification is performed. Meanwhile, in 1995 the site seismic hazard evaluation was completed, which resulted in a DBE with 0.25g PGA. Response and stress calculations made for the newly defined DBE have shown that an essential part of the mechanical equipment and pipelines can sustain the DBE demand and that the reinforcement of the systems and structures necessary for seismic safety is feasible with reasonable effort.
Theoretical considerations have been made for the evaluation of the upgrading effort required for fixing the pipelines and components required for heat removal via systems “as usual”, i.e. systems dedicated for emergency cases. It has been assumed that the “as is” seismic capacity of the pipe segments can be treated as a random variable; its value can be expressed by the total design capacity multiplied by several factors representing the randomness of the actual design features, floor response, etc. If this is the case, the calculated “as is” HCLPF values of the pipe segments have to be lognormally distributed. If the distribution is known, the parameters of the distribution can be defined on the basis of HCLPF calculations for “as is” conditions, and the number of pipe segments requiring fixes can be evaluated. The distributions of the “as is” HCLPF values of pipe segments presented in Figure 5 justified the assumptions and made the evaluation of the upgrading needs possible.
Based on the assessment of the fixes of the piping and components, the cost of these fixes turned out to be lower than that of the (automatic) isolation of the unreinforced parts of the systems by a great number (more than 100/unit) of fast closing valves.
Consequently, instead of a success path and backup for heat removal, the concept has been chosen that is based on the use of systems devoted for heat removal as per design, taking into account the design philosophy of the VVER-440/213 and widely using the synergy between structural and component fixes.
Meanwhile, the new nuclear regulation issued in 1997 required the upgrading and qualification of the SSCs enrolled into seismic classes. Moreover, the regulation requested that adequate capacity of the safety classified SSCs against hazards be ensured. Consequently, the scope of the seismic safety evaluation and upgrades was set as for re-design, covering not only the seismic safety classified SSCs (including interacting items), but the whole scope of safety classified SSCs with three times full redundancy, with application of the single failure criterion. The stable cold shutdown condition, unlimited in time, has to be ensured after the design base earthquake.
According to the selected concept the sub-criticality is maintained by the shutdown and boron control systems. The cool-down is ensured by secondary-side bleed and feed. The continuous cooling is maintained by the heat removal system. In all redundant trains, the SSCs needed for ensuring these safety functions are fixed and qualified for DBE.
Certain modifications have been implemented for making possible the required functioning, e.g. modification of the venting of the tubes of control assemblies on the reactor pressure vessel head. The systems not required for the safety functions are isolated automatically from the seismically qualified one. The procedure was developed assuming that the plant is in normal operational condition; the outside energy supply (grid) and make-up water source is not available for 72 hours.
Loss of coolant accident is not assumed in consequence of the earthquake; hence, the primary system piping is fixed for DBE according to the design rules. Nevertheless, all redundant safety trains including emergency core cooling systems have been upgraded and qualified for DBE. Consequently the sequences with loss-of-coolant can also be managed, although these are already beyond design base sequences according to the safety philosophy.
On the other hand, the consequences of the small breaks (impulse pipes, drains, air vents) shall be examined from the aspect of the dose limits and containment integrity. The break of small-bore pipes shall be considered in connection with the passive single failures (see article 5.3 of NS-G-2.13). The degree of passive single failures is limited to the break of small-bore pipes (<DN50) and to the leakage of the sealing of pumps or valves.
Those non-safety-classified SSCs whose failure may endanger the integrity or functioning of the safety systems also have to be fixed for DBE. The possibility of fires and flooding induced by an earthquake is also avoided via modification and fixing of the relevant systems, and by installing letdown systems for lubricant and hydrogen.
The systems for the heat removal of the spent fuel and refuelling pools are also fixed and qualified for DBE.
The SSCs have been formally classified: Seismic Class 1 – active systems and components, and Seismic Class 2 – passive structures and components (hereafter SCs), needed for ensuring the basic safety functions during and after the DBE; Seismic Class 3 – SSCs whose failure may inhibit the safety functions (interacting SCs, falling on, causing fire or flooding, etc.); Seismic Class 4 – no safety functions and no interaction. Obviously, the scope of the seismic safety programme at Paks NPP envelops the scope defined in the international practice for operating nuclear power plants. Chapter 5 of NS-G-2.13 (IAEA, 2009) only prescribes the re-qualification of the minimal number of SSCs necessary for the implementation of safety functions during and after the earthquake. In the case of Paks NPP this concept could not be applied, since the design basis had to be reconstructed. Thus the requirements of IAEA NS-R-1 and NS-G-1.6 were applied. The rationale for seismic classification is rather questionable. If the safety related safety classified SSCs have to be designed for the design base external hazards, the basic safety functions would be ensured by these SSCs in case of an earthquake too, i.e. there is no need for the seismic and safety classification.
5.4. Response and strength analysis of structures and components
Two approaches can be accepted for analysis of the soil-structure interaction:
flexible volume model, flexible volume frequency domain method
rigid boundary model, rigid boundary time domain method.
In case of the rigid boundary method, the modal damping was limited according to international standards (e.g. KTA 2201.3: 15% for horizontal, 30% for vertical motion). Although the uncertainty of the geotechnical data had been extensively studied, three values of the soil shear modulus, Gmin, Gav and Gmax, have to be considered for handling the uncertainty of the soil parameters, where Gmin = 0.5 Gav and Gmax = 2.0 Gav (according to ASCE-4 (ASCE, 1998), 1.5 Gav is acceptable as minimum value).
For the analysis of the structural response and capacity of the structures, a graded approach has been applied, i.e. the modelling and the analysis method have been selected according to the safety relevance of the structure.
The most important building complex is the VVER-440/V213 main reactor building that consists of the reinforced concrete confinement with the localization tower and the attached longitudinal and transversal gallery buildings, as well as the reactor and turbine hall. The most critical parts of the complex structure are the longitudinal and transversal gallery buildings. A method with solution of the equations of motion in frequency domain has been applied for analysis (Katona et al, 1995 a).
The secondary buildings are box-shaped structures composed of prefabricated reinforced concrete elements, or structures composed of a foundation and an upper steel structure. Because of the structural complexity of these buildings, up-to-date 3D modelling was required. The soil-structure interaction was modelled by frequency independent soil springs and dampers.
Unique blast tests have been performed for empirical modal analysis of the dynamic behaviour of the main building structures and for the verification of the models developed (Katona et al, 1992, 1993a; Halbritter et al, 1993a). These tests provide good information regarding soil-structure interaction under small-strain excitation.
The selection of the upgrading concept for buildings has been made iteratively. For all options of upgrading, the response and resistance of the modified structure have been evaluated and the optimal solution selected via comparison of the response and strength achieved. After selection of the final upgrading solution, the dynamic calculations have been repeated for the modified configuration for justification of the adequacy of the upgrades and development of the floor response spectra. The latter is of little importance for the reinforced concrete containment part of the main building complex, but it was essential, e.g. in the gallery buildings. The same iterative procedure has been applied in the case of the Reactor Coolant System upgrade, and the fixed configuration has been re-calculated for the justification of code compliance of the integrity (Katona et al, 1999).
The methods for evaluation of as-built capacity of structures and components (passive SCs) have been selected in accordance of safety and seismic class, as follows:
Safety Class 1 and 2 mechanical components, piping, etc. and Safety Class 2 buildings – straightforward design procedures (codes and standards) have been used. For example, for the pressure retaining boundaries the German design code KTA has been applied for Class 1 and 2 and ASME for Class 3 (a KTA-ASME comparative study was also made; purely elastic approach);
The Class 3 SCs that failed to comply with design codes have been generally evaluated using realistic assumptions for damping and ductility, similar to (IAEA, 2003).
small bore, low-energy pipes – simplified code based method.
The floor response spectra used for the component capacity evaluation were defined according to the design codes (see e.g. ASCE-4-86). However, in the case of Class 3 SCs that failed when the conservative floor response was used, the calculation was performed for the best estimate floor response spectra (FRS). The best estimate FRS have been obtained either via a probabilistic method, or by taking into account the inelastic energy absorption, or by accounting for the equipment-structure mass ratio.
In those cases when the existing supports of pipelines are modified in order to provide adequate seismic capacity, e.g. when the number or type of the supports is changed, it shall be demonstrated on the basis of the relevant nuclear standards (ASME BPVC Section III (ANSI ANS N690) or KTA 3201, 3211, 3205) that the upgraded high energy pipelines and their supports comply with the following criteria:
The effect of restrained thermal expansion due to the modified pipeline’s supports complies with the requirements of the standard;
The requirements of the standard are met without using the ductility.
The pipeline’s supports comply with the requirements of ASME BPVC Section III NF or ANSI ANS N690 or equivalent nuclear standards (e.g. the German KTA) when they are affected by pipeline reaction due to normal operational conditions (including the restrained thermal expansion) + seismic inertia forces + seismic anchor motion loads related to DBE.
5.5. Qualification of active components
The qualification of active components has been made by several methods:
Some systems should be replaced or reconstructed for safety upgrading reasons, e.g. the reactor protection system (Siemens Teleperm XS). The new systems and equipment should be qualified and certified by the supplier for the conservatively defined floor response spectra.
Shaking table testing of sample items.
Qualification via empirical procedures (GIP, GIP-VVER).
For example, the relays have been qualified by replacing those that could not be qualified with new ones, by shaking table testing of samples for in-rack response spectra (Katona et al, 1995b), and by the experience-based method where it was applicable.
Since the GIP database does not specifically include all the equipment of Paks NPP (manufactured in the Soviet Union or Eastern European countries), it was necessary to apply GIP-VVER (Masopust, 2003) incorporating the knowledge and experience gained during the evaluation of VVER type power plants.
The comparison of 1.5 times bounding spectra (BS) to the floor response spectra is always recommended instead of the comparison of bounding spectra to the ground motion response spectra even below the 12 m level of the building.
5.6. Summary of assumptions, codes and standards and methods
The mixed use of the codes was excluded by careful definition of the evaluation packages. The assumptions, allowable stresses, etc. of the KTA and ASME have been compared.
The operability of active technological components should be qualified by empirical re-qualification procedures or by test. The equipment classes and the applied empirical qualification methods for active and certain passive components are summarised in Table 6.
|Damping, ductility||Code values or realistic for repeated checking of outliers|
|Structural models||Graded approach to the modelling: best estimate if applicable|
|Floor response spectra||Conservative design floor response spectra. In specific case best estimate|
|Material strength||Minimum values determined by standard|
|Capacity evaluation||Design type evaluation||KTA, primary system and vital mechanical equipment and pipelines inside the confinement area|
|Margin type evaluation||CDFM+ASME|
|Simplified evaluation||Code based simplified procedures|
|Operability||GIP or GIP-VVER, if applicable, otherwise test|
|Passive equipment (tanks, pressure vessels, etc.)||Component body including internal parts||ASME BPVC Section III, Service level D KTA 3201/3211|
|Supports||ASME BPVC Section III Subsection NF KTA 3205; Subsection according to Classes.|
|Essential nozzles||ASME BPVC Section III, Service level D KTA 3201/3211|
|Component body including internal parts||ASME BPVC Section III, Service level D KTA 3201/3211|
|Supports||ASME BPVC Section III Subsection NF KTA 3205;|
|Essential nozzles||ASME BPVC Section III, Service level D KTA 3201/3211|
|Pipelines||Pipelines||ASME BPVC Section III, Service level D KTA 3201/3211|
|Supports||ASME BPVC Section III Subsection NF KTA 3205;|
|Equipment classes||Recommended qualification procedure|
|A.The original twenty classes:|
|1.Motor Control Centres||GIP if applicable; GIP-VVER, tests if the item does not fit to the database|
|2.Low Voltage Switch-gears|
|3.Medium Voltage Switch-gears|
|4.Transformers||GIP-VVER experience data or tests|
|10.Air Conditioning Devices|
|15.Batteries on Racks|
|16.Battery Chargers and Inverters|
|20.Control Panels and Cabinets|
|21.Relays, Switches, Transmitters, Solenoids, Sensors||Test if the item does not fit to the database|
|22.Electrical Penetration Assemblies|
|C.Additional VVER classes:|
|23.Vertical and Horizontal Tanks||Limited analysis, GIP-VVER|
|24.Vertical and Horizontal Heat Exchangers|
|26.Cable Trays and Conduits|
|27.Small and Large Bore Cold Pipes|
5.7. Seismic PSA
The final evaluation of the effectiveness of the upgrading measures and the justification of the acceptable level of achieved safety in terms of CDF have been made via seismic PSA (Katona & Bareith, 1999; Bareith, 2007; Elter, 2006). The seismic PSA demonstrated that the CDF ensured by the implementation of the rather extensive upgrading programme is of the order of magnitude of 10⁻⁴/a. The PSA also identified several weak links. For example, the capacity of the joints of the turbine hall structure was found insufficient. An eventual collapse of the turbine building may cause steam and feed-water header ruptures that result in total loss of main and auxiliary feed-water and disable closed loop heat removal through the secondary side. Repeated analysis for the case after implementing the additional measures resulted in a CDF value of the magnitude of 10⁻⁵/a, which is acceptable per Hungarian regulations.
The seismic PSA also indicated that the settlement of the buildings due to soil liquefaction jeopardizes the communications (pipes for diesel generator cooling and cables coming from the diesel generators) between the buildings. In the lower acceleration ranges, the soil liquefaction that causes settlement of the main building plays a dominant role in the occurrence probability of total loss of electric power supply. The studies indicated in Section 5.2.2 are focused on the liquefaction hazard.
The methodology of the seismic PSA applied at Paks NPP complies with the best international practice, see IPEEE NUREG-1407 (NRC, 1991) and (IAEA, 1993). The SPSA was developed on the basis of extensive PSA experience and existing PSA models for Paks NPP and information from newly performed response and strength analyses and qualification effort of the plant and plenty of walk-downs.
5.8. Seismic instrumentation and seismic EOPs
In case of an earthquake, the reactor is shut down either by the reactor protection system due to malfunctions, or manually by the operator based on the CAV and response spectrum criteria for OBE exceedance. The OBE-exceedance criteria are set as CAV = 0.16 g·s and response spectrum in the amplified range less than 0.2 g. The seismic instrumentation, the pre-earthquake preparedness and the post-earthquake actions are defined via adaptation of the IAEA NS-G-1.6 and US NRC Regulatory Guides 1.12, 1.166 and 1.167, respectively. Selection of the OBE exceedance criteria at Paks NPP was based on the analysis of the frequency of expected events and of the probability and consequences of spurious signals.
It has to be noted that the implementation of the concept and methodology for OBE exceedance was not a simple copy-paste; it has been adapted to the conditions of Paks NPP. At Paks NPP, if the ggset measured at the base mat, the non-upgraded part of certain systems will be automatically isolated from the upgraded one by quick-closing valves. These system parts have no function during and after an earthquake, and the separation will not disturb the operation either. At the same time, there is also a signal to the control room. If an earthquake happens, there are two possible cases:
The plant will be shut down automatically due to disturbances or initiating event(s) caused by the earthquake, and the sequence of actuations will depend on the initiating event. Further operator actions depend on the plant condition. The operator actions are defined by EOPs and trained on the simulator.
If the plant remains in operation after the earthquake, the decision on OBE exceedance will be made by the operator based on the CAV and response spectrum criteria. The plant will continue to operate, or will be shut down if the OBE is exceeded. If a reactor scram was initiated but the OBE has not been exceeded, the restart has to be performed after predefined testing and walk-downs.
The seismic recording systems, composed of tri-axial accelerometers installed at critical locations of structures and main components, provide information for the post-event evaluation of the plant condition.
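The OBE-exceedance decision described above can be illustrated with the following Python example, which is added here and is not taken from the chapter or from any plant software. The function names, the constructed sine-wave record, the 0.025 g one-second window rule of the standardized CAV, and the rule that both checks must be exceeded are assumptions based on the general approach of Regulatory Guide 1.166; the chapter only states the 0.16 g·s and 0.2 g values.

```python
import math

CAV_LIMIT_GS = 0.16        # page: CAV criterion, in g*s
SA_LIMIT_G = 0.2           # page: spectral criterion in the amplified range, in g
WINDOW_MIN_PEAK_G = 0.025  # assumption: standardized-CAV window threshold (not on the page)


def standardized_cav(accel_g, dt):
    """Integrate |a(t)| over each 1-second window whose peak reaches the threshold."""
    per_window = max(1, round(1.0 / dt))
    cav = 0.0
    for start in range(0, len(accel_g) - 1, per_window):
        window = [abs(a) for a in accel_g[start:start + per_window + 1]]
        if max(window) < WINDOW_MIN_PEAK_G:
            continue  # weak windows do not contribute
        # trapezoidal rule over the samples of this window
        cav += sum(0.5 * (window[i] + window[i + 1]) * dt
                   for i in range(len(window) - 1))
    return cav


def obe_exceeded(cav_gs, peak_sa_g):
    """Assumption: OBE counts as exceeded only if both checks are exceeded."""
    return cav_gs > CAV_LIMIT_GS and peak_sa_g > SA_LIMIT_G


def post_earthquake_action(accel_g, dt, peak_sa_g, scram_initiated):
    """Map one recorded component to the operator outcomes named in the text."""
    if obe_exceeded(standardized_cav(accel_g, dt), peak_sa_g):
        return "shutdown"
    if scram_initiated:
        return "restart after predefined testing and walk-downs"
    return "continue operation"


def constructed_record(peak_g, freq_hz=2.0, duration_s=10.0, dt=0.005):
    """Constructed sample input: a plain sine wave, not a real accelerogram."""
    n = int(round(duration_s / dt)) + 1
    return [peak_g * math.sin(2 * math.pi * freq_hz * i * dt) for i in range(n)]


if __name__ == "__main__":
    record = constructed_record(0.1)
    print(round(standardized_cav(record, 0.005), 3))
    print(post_earthquake_action(record, 0.005, peak_sa_g=0.25, scram_initiated=False))
```

Here `peak_sa_g` stands for the largest 5 % damped spectral acceleration found in the amplified range, which would be computed separately from the same record.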
5.9. Summary of the methods applied at Paks NPP
The comparison of the usual seismic re-evaluation methods with the methods applied at Paks NPP is shown in Table 7.
|Seismic Margin||Seismic PSA||DB reconstitution at Paks NPP||S PSA at Paks NPP|
|Input||RLE||Hazard curve||PSHA: median 10⁻⁴/a non-exceedance, site specific GMRS (UHRS), nonlinear soil, DRS as per Reg. Guide 1.208||Hazard curve; Nonlinear soil for GM; Analysis of liquefaction|
|Scope||Success + backup path||Event tree/ fault tree||All Safety related (+ interacting)||Event tree/ fault tree modelling|
|Structural response||Median structural response, frequency shifting||Probabilistic structural response||Conservative structural response, (Gmin, Gmax, Gav), conservative FRS, median FRS in limited cases, Class 3 outside of containment||Detailed information available, from the previous works|
|Screening||Walk-down and screening per margins criteria, experience-based||Walk-down and screening per fragility estimations||Walk-down and screening per margins considerations and GIP, GIP-VVER, only the bounding spectrum criterion was accepted.||Based on the extensive previous works|
|Evaluation, qualification||Analysis of selected SCs (CDFM)||Selected fragility calculations. Median capacities + log standard deviations||As per new design for Class 1 and 2 SCs, realistic damping and ductility for Class 3; Testing, GIP, GIP-VVER and replacement for active||Detailed information available + fragility development based on the results of the performed analyses; qualification of outliers|
|Screening + limited fragility||Qualification per screening|
Test or replacement
|Screen and limited fragility development|
|Modifications||Upgrades if needed||Risk informed upgrades||Replacements, upgrading per design requirements||Certain additional needs for upgrades identified|
|Results||Plant level HCLPF||CDF||Design basis reconstituted||Weak links, CDF and its uncertainty evaluated|
6. Maintaining the seismic qualification during operation
6.1. Modification design and procurement of equipment
During modifications, replacements and reconstructions, design and procurement can be executed by complying with the seismic safety requirements corresponding to the seismic and safety classification. These processes are part of the configuration management and subject to authority approval. There is a database for seismic and safety SSCs. A procedure exists ensuring the adequacy of the design and procurement specifications.
6.2. Operation and maintenance aspects
Adequate maintenance and status monitoring programs are in place in order to maintain the required status of elements classified from the point of view of seismic safety and requiring maintenance, e.g. the anchorage of piping and components, damping devices. Maintenance of the qualification for earthquake is also part of the ageing management programmes.
6.3. Seismic housekeeping
Proper housekeeping is relevant to seismic safety. The following actions are required:
Restoring the fixing elements of cabinets and racks after maintenance,
Restoring the anchorages, fixing bolts, pipe hangers and the damping devices requiring maintenance and review,
Appropriate fixing of maintenance devices stored in the plant area.
7. Periodic safety reviews
According to the IAEA Safety Standard NS-G-2.10, the aim of the Periodic Safety Review (PSR) is “to determine by means of a comprehensive assessment of an existing nuclear power plant: the extent to which the plant conforms to current international safety standards and practices; the extent to which the licensing basis remains valid; the adequacy of the arrangements that are in place to maintain plant safety until the next PSR or the end of plant lifetime; and the safety improvements to be implemented to resolve the safety issues that have been identified.” Regarding external hazards, the objective of the review of hazard analysis is to determine the adequacy of protection of the nuclear power plant against internal and external hazards, with account taken of the actual plant design, actual site characteristics, the actual condition of SSCs and their predicted state at the end of the period covered by the PSR, and current analytical methods, safety standards and knowledge.
The period of the PSR is generally ten years. During ten years, the knowledge and understanding of the site hazard may develop, and feedback from the experiences of other plants may motivate a review and an upgrading programme. As can be seen from the experiences of plenty of nuclear power plants, seismic safety, just like safety in general, is not a static thing, and it covers the whole life cycle of the facility.