Low Power and Shutdown PSA for the Nuclear Power Plants with WWER440 Type Reactors

2.1. Plant operating modes and plant operational states

The definition of the plant operating mode varies from country to country. The Slovak plants have adopted the USA definitions. There are seven operating modes, numbered 1 to 7.These are:

1. Full power operation,

2. Reactor criticality,

3. Hot shutdown,

4. Semi-hot shutdown,

5. Cold shutdown – reactor vessel is closed,

6. Cold shutdown – reactor vessel is open and

7. Empty reactor vessel (the fuel is removed from the reactor vessel and located to the spent fuel pool).

Understanding of plant operating modes and its characteristics in terms of systems available and the general plant conditions is essential for the development of the low power and shutdown PSA model. Operating modes are also highly important for defining the interface between power PSA and low power and shutdown PSA. For an integrated PSA model of a plant, it is significant to adequately define the interface between power PSA and low power and shutdown PSA. This interface does not necessarily coincide with the definition of the operating modes. Typically, the full power PSA considers 100% nominal power.

In terms of the thermal hydraulic response to an initiating event, there is not much difference between 100% power and lower power levels, expect that at lower power levels the time available for selected corrective actions may be somewhat greater. The 100% power case is therefore conservatively a representative of the whole spectrum of power levels.

When the reactor power reaches a certain power level, the automatic actuation of the safety systems is disabled. Depending on the reactor design, and in some cases on operating practice, this could be between 0-10% nominal power. This point is the natural interface between the full power PSA and SPSA (see Fig.1).

While the reactor is on low power, even without automatic actuation of safety systems, the power PSA models (with appropriate modifications) could be used to determine the risk level. This is generally true also for the hot stand-by mode.

Once the reactor is in the shutdown mode, and especially when the decay heat is removed via residual heat removal system (RHR), the state of the plant is such that most of the power PSA models are not applicable without major modifications.

Plant operating modes are important from the standpoint of the conduct of the plant operation. For a SPSA the plant operating modes do not mean much. Due to extensive changes in plant configuration during a shutdown period, it is necessary to define plant operational states (POSs) which will properly reflect the plant configuration during an outage evolution.

The POS is used to define boundary conditions within which there would be no changes in major characteristics which are important for PSA modelling.

The POS is defined as a period during a plant operating mode when important characteristics are distinctively different from another plant operating state. The important characteristics describing a plant operating state are:

• RCS temperature and pressure,

• RCS water level (inventory),

• Decay heat removal,

• Availability of safety and support systems,

• Containment integrity,

• System alignments and

• Reactivity margins.

Some or all characteristics indicated above should be considered in defining the plant operational states. It is obvious that defining the POSs for every possible plant condition may result in a very large number of POSs. The attempt to define all the POSs which are relevant for SPSA could result in several hundreds POSs. One of the initial activities related to defining the POSs is their grouping to reduce the number of POSs to a manageable level. The grouping process shall consider issues like specific success criteria, typical IEs and system availability. The actual practice varies among PSA practitioners, but the general guidance is always to distinct POS in their main characteristic. A typical number of POSs considered in SPSA varies from 10 to 15. Newer studies tend to have more POSs than the early ones. It should bee noted that the scope and objectives of a SPSA have a dominant effect on the selection of the POSs.

Examples of POSs for a WWER440 type reactor are shortly described below:

1. POS1. The reactor is sub-critical. The RCS pressure is between the nominal pressure and 4 MPa. The RCS temperature is between nominal and 180°C. All trains of the safety systems are available (exceptions are allowed by the limiting conditions of operation). All SGs are connected to the reactor vessel. The primary to secondary side heat removal operates in the steam-water regime using the auxiliary feedwater system and steam removal via the steam dump station to the condenser initially and via the technological condenser at the end of POS. In this POS the containment is closed.

2. POS2. RCS temperature is below 180°C but above 100°C. The RCS pressure is 1-4 MPa. All trains of the safety systems are available (exceptions are allowed by the limiting conditions of operation). Some ESFAS signals are disconnected when the RCS temperature is below 180°C. All SGs are connected to the reactor vessel. In the first part of this POS the secondary side heat removal is in the steam-water regime. At the end of POS the RHR is working in the water-water regime, RHR pump is running and the heat removal is performed via the technological condenser. At the end of this POS the containment is open.

3. POS3. The RCS temperature is between T_{brittle fracture} and 40°C. The HPSI pumps are disconnected. These pumps are available in this POS for the accident mitigation only under the conditions defined in the limiting conditions of operation. However, exceptions are possible in case of the severe accidents (for example if primary bleed and feed is needed). One train of the safety systems is unavailable due to preventive maintenance. Two SGs are connected to the reactor vessel for residual heat removal in natural circulation, one loop is in reserve mode of operation (with one main isolation valve (MIV) fully closed and one MIV fully open). The RHR is working in the water-water regime and the heat is removed via the technological condenser.

4. POS4. The RCS temperature is 40°C. The RCS pressure is the atmospheric pressure. The reactor vessel is being open (drainage of vessel level is needed). One train of the safety systems is in the planned maintenance. Two SGs are connected to the reactor vessel; one SG is in the reserve mode. The RHR is working in the water-water regime and the heat is removed via the technological condenser. The water level is increased in the refuelling cavity in the end of POS.

5. POS5S. The RCS temperature is 40°C. The RCS pressure is the atmospheric pressure. The reactor vessel is open and the refuelling cavity is filled to the refuelling level. One train of the safety systems is unavailable due to the planned maintenance. Two SGs are connected to the reactor vessel; one SG is in the reserve mode. The RHR is working in the water-water regime and the heat is removed via the technological condenser.

6. POS5L. RCS temperature is 40°C. RCS pressure is the atmospheric pressure. The reactor vessel is open and the refuelling cavity is filled to the refuelling level. All fuel elements are located into the spent fuel pool. One train of the safety systems is unavailable due to the planned maintenance. This POS occurs only once per four years during the long refuelling outage. This POS contains all steps of POS5S. In addition, the reactor vessel inspection is being performed.

7. POS6. The RCS temperature is 40°C. The RCS pressure is the atmospheric pressure. In this POS the reactor vessel is being closed (drainage of the reactor vessel level is needed). One train of the safety systems is in the planned maintenance. Two SGs are connected to the reactor vessel; one SG is in the reserve mode. The RHR is working in the water-water regime and the heat is removed via the technological condenser.

8. POS7. The RCS temperature is between T_{brittle fracture} and 40°C. The RCS pressure is between the atmospheric pressure and 2 MPa. There is a peak pressure of 3.5 MPa during a pressure test. The HPSI pumps are disconnected. These pumps are available for the accident mitigation only under the conditions defined in the limiting conditions of operation. Exception is possible during the severe accident (for example if primary bleed and feed is needed). Initially two SGs are connected to the reactor vessel; one SG is in the reserve mode. The RHR is working in the water-water regime and the heat is removed via the technological condenser. At the end of POS the RCS is heated by five main coolant pumps and the containment is closed.

9. POS8. The RCS pressure test is performed at the pressure of 13.7 MPa. Also the high pressure dynamic test at the pressure of 17.2 MPa is being performed (once per four years or if new welding is performed in the RCS).The RHR is stopped. If the pressure test is not successful the plant is returned to POS7. Given the test successful the plant goes to POS9 and the containment is closed.

10. POS9. RCS temperature and pressure is gradually increasing to 200°C and to 12.26 MPa. The RCS coolant is heated by the main coolant pumps. At 180°C the interlocked ESFAS signals are becoming available. All trains of the safety systems are available (exceptions are based on the limiting conditions of operation). The primary to secondary side heat removal is performed in the steam-water regime by the AFW system. All SGs are connected to the reactor vessel.

11. POS10. The reactor is on the power. The RCS pressure is nominal. The temperature is increasing from 200°C to 260°C. All trains of the safety systems are available (exceptions are based on the limiting conditions of operation). At the RCS temperature of 245°C another ESFAS signals are becoming available. At the end of POS the reactor power is 2% of the nominal power.

Examples of POS duration in hours per year are presented in Table 1. Power 1 and 2 is duration of low power operation.

2.2. The initiating events

Defining a list of initiating events is the major step, which influence the whole SPSA development process. While the main aim is similar to power PSA, actual initiators considered in a SPSA are different from those of the power PSA. The profile of initiators also highly depends on the actual outage considered (lengths and type forced, refuelling, etc.). Three broad categories of internal initiators are typically considered in a SPSA, and they are as follows:

• Loss of cooling,

• Loss of coolant (LOCA) and

• Reactivity events.

LOCA represents a group of events which result in loss of heat removal from the core. When the core is cooled by the RHR system, its failure is the main initiator in that group.

Loss of coolant events are a challenge to the RCS integrity in the same way as during full power operation. However, the profile and the causes of LOCAs are significantly different in the shutdown mode. In the shutdown mode breaks of pipes and reactor vessel rupture are still possible, but the dominant sources for LOCAs are the drain-down events, including inadvertent opening of valve and similar, both drain-downs to the plant rooms inside the containment or to another system (intersystem LOCA outside the containment) should be considered in a SPSA. Cold over-pressurisation events which are challenging the integrity of primary circuit may be broadly grouped with this category.

Reactivity events are a specific category due to their specific issues and consequences. Reactivity accidents can lead to a local or a full core criticality. Examples like boron dilution, unintentional withdrawal of control rods or refuelling errors are considered in the SPSA. Experience has shown that many such events occurred at NPPs, and their frequencies are high, though the consequences are low (recoveries are possible in many of those events). Some phenomena, like unborated slug of water entering the core and its consequences, are still being analysed.

Like in a full power PSA, hazards can be divided into two groups, internal hazards and external hazards. Internal events include fires, floods and events like drop of heavy loads. These events in comparison to power state are differently treated in a SPSA due to their specific attributes. Internal fire can have higher frequencies in comparison to the power operation. The possible fire locations increase during an outage due to maintenance activities. A fire during an outage is usually initiated by some repair work like welding, while fires during the power operation are usually initiated by electric circuits. Flooding has increased frequency due to maintenance activities where floods would be caused by opening isolation valves and similar activities. Drop of heavy load is an event which is seldom considered in the power PSA but it could have significant impact on the SPSA results. Numerous operations with overhead cranes has actually been analysed in several studies, although the results were not found to dominate the risk profile.

In addition, the external hazards must be taken into consideration: aircraft crash, external meteorological conditions, seismic events and impact of the neighbouring industry.

2.2.2. Assignment of IE to POS

The first stage of POS assignment was done mostly on the basis of possibility of an occurrence. For instance, the breaks were not considered unless there was an overpressure in the circuit, the human errors associated with a maintenance were not considered unless some maintenance activities were conducted in the specific POS, etc.

In general, the assignment of an applicable POS to the initiating event group was carried out by the considering each event included into the group. In many cases the applicability of POS was dependent on the particular scenario either through a particular plant configuration or through specific maintenance activities associated with a certain POS.

In general, the frequency of IE was not taken into account in the POS assignment process. However, in some cases the frequency was considered in a qualitative way.

For some POS the risk impact of the event was expected to be very low either due to a low frequency or small consequences or both. However, only a qualitative and subjective judgement could be provided to justify such observations. Therefore, the event credibility level is not indicated in the POS assignment results.

However, a credit was given to the fact that during a specific POS the conditions for IE may change (e.g. the pressure is decreasing to atmospheric, so the credibility of a LOCA is diminished). Another aspect that was addressed explicitly was the case when an event was applicable to a part of POS only (but not a negligible part). This aspect was also subsequently considered in an estimating of IE frequency.

Since the selection of POS for IE calculation also depends on the expected frequencies and consequences, another stage of grouping was needed in a co-operation with other PSA tasks. In this stage a consideration was given to the assumptions taken during the accident sequence modelling and to the frequency estimation.

For some POS to which an initiating event was applicable the consequence of this event was considered negligible. The accident sequence task revealed such cases and these events were screened out for these POS. Typical examples of such screening include: events related to loss of the reactor core cooling in POS5S (because of a large inventory of the water in the reactor refuelling pool) and in POS8 (because the system does not need any cooling and the RHR is switched off) or the loss of working cooling pump in any POS (because of a relatively low decay heat generation in the spent fuel pool (exception is POS5S).

Initiating events were considered for the deletion if they lead to the core damage in a time period greater than 24 h. However, it should be noted that simply exceeding this 24 h window was not, by itself, considered to be sufficient reason for deleting initiating events.

Frequency of the events during particular POS was not taken into account in the initial stage of the grouping and POS assignment tasks. For some assigned POS an initiating event (or even a whole group of events) was screened out later due to a low frequency (provided that it was not expected to have a very high risk impact).

The duration of some POS is very short comparing with other POS, so an initiator or even the whole group can be screened out on that basis as well (see Table 1). Example for IE assignment to POS is provided in Table 2.

2.3. The screening process

IE with available recovery times longer than 24 hours could be screened out without much danger of leaving out important results. IE with very short recovery times, which are those earlier in an outage and which involve very specific system availability, shall not be screened-out because of their generally high importance.

Screening process can be performed in two phases:

• After screening-out the clearly unimportant events, the draft event trees can be developed for remaining sequences.

• The remaining sequences then could be analyses qualitatively or/and quantitatively.

The main idea of the whole process is to select events of higher safety significance and to reduce the level of details in modelling work for sequences with lower safety impact. The final step in the screening process is re-grouping of POSs and initiators. The result of the whole process is a list of safety important POSs and IE groups. The SPSA requires iterative processing for re-defining and re-grouping POSs and IEs several times during the process.

Development of detailed accident sequences (including supporting TH analysis, HRA, etc.) is the most labour intensive part of the SPSA. Its aim is to focus on essential issues only. Establishment of a systematic screening procedure is the best way of removing unimportant accident sequences.

2.4. The accident sequences

2.5. The human reliability analysis

Human reliability analysis is the most important issue in a SPSA. Both the plant outage and the start-up activities involve a large number of operator actions, functional tests and maintenance activities. All of those have to be correctly introduced in a SPSA.

In a SPSA different types of human actions are considered:

• human actions before initiating event, affecting availability of equipment,

• human actions as an IE,

• procedure based post-accident human interactions to terminate an IE,

• human recovery actions to recover the failed equipment or to terminate an event.

Compared to the full power PSA, human interaction analysis in a SPSA is much more complex since they require identification of actual ways the work is being done and consideration of interactions which are not obvious.

The following issues needed to be addressed when evaluating the human interactions during outage safety analysis:

• operating procedures,

• supervision on maintenance activities,

• appreciation of risk during shutdown and

• comprehensive and appropriate training.

The following steps are important for considering human interactions:

• identify all possibly important human interactions during plant outage,

• screen these human interactions and prioritise them from the risk perspective, and

• collect information from plant experienceduring shutdown operating mode, and establish human error data base.

During an outage, the dependencies between human errors tend to be much more complex than during power operation. Testing and maintenance activities during shutdown operation create new dependencies which need to be identified and documented. Cross-connections and support system status may cause hidden dependencies which need to be taken into account.

2.6. Quantification of accident sequences

Quantification of accident sequences is performed for all POSs. First, the total CDF is presented for an average refuelling outage, short refuelling outage and long refuelling outage. Then, the dominant initiating events, accident sequences, minimal cut sets and dominant categories of the basic events are identified. Results of the importance and sensitivity analyses are also summarized.

The task is similar to quantification in the power PSA. However, the sources of data as well as the procedure to develop a data base may be different. Data for component unavailability for SPSA have significantly different emphases than for the power PSA. While in the power PSA the unavailability of safety components are (often) dominated by the failures in stand-by, in SPSA they are clearly dominated by maintenance unavailability. Maintenance schedules and actual duration of various tests and maintenance actions are carefully evaluated to determine the actual equipment availability. Quantification of accident sequences, uncertainty and sensitivity analysis follow the same methodological approach as for the full power PSA. Due to various influences, it was shown that the SPSA results typically have higher uncertainties.

The dominant initiating events identified for all POSs are presented in Table 3. This is graphically depicted in the pie chart in Fig. 2. Instantaneous CDF for each POSs is presented in Fig. 3. The dominant contributions to the total CDF are from POS6, POS4, POS7, POS5S, POS3 and POS5L. The combined contribution of these POSs is 98.1% of total CDF.

2.7. Application of SPSA

The following applications of SPSA model and results are considered:

• outage planning and scheduling,

• optimization of operating and maintenance procedures,

• optimization of limiting conditions of operation,

• accident procedures, emergency planning and

• making decision on hardware modification.

The Equipment Out Of Service (EOOS) risk monitor is developed for the J.Bohunice V2 plant plant in Slovakia. The monitor is used by operator and schedulers of maintenance (see Fig. 4, 5 and 6).

An example for SPSA application is described for the preventive maintenance strategy of the safety systems in the plant: 1) the maintenance activities are performed in operating mode 5 (reactor cavity not flooded) and 6 (the reactor cavity is flooded), 2) only a single train is under preventive maintenance, 3) the second safety train is available based on limiting condition of operation, 4) the third safety train can be or can not be available, the availability is not required by limiting condition of operation, 5) the systems that could be used for decay heat removal and accident mitigation should be available to the maximum extent possible but this is not the case in the plant. Recommendation for changes from SPSA: 1) planned maintenance activities will begin when the reactor cavity is flooded,2) availability of all three safety trains will be required by limiting conditions of operations, 3)one train out of three is allowed to be unavailable due to preventive maintenance.

3.1. The plant damage states

The level 1 PSA sequences are terminated and the level 2 PSA sequences are started with the core damage. The interface between the level 1 and level 2 PSA is accomplished through the definition of plant damage states (PDS). The PDS defines the plant state at the beginning of the core damage and defines the conditions necessary for conducting severe accident progression analysis. PDS are developed as an initial step to a level 2 PSA. The status of some safety systems may not be identifiable from the level 1 PSA models. So, their availability during various core damage sequences must be addressed by means of an extension to the level 1 system models. In the level 2 PSA, post core damage recovery actions (using the existing system in automatic or manual mode) are also identified.

The criteria for binning the level 1 sequences into the plant damage states are based on the following five characteristics of each sequence:

• Time to core damage,

• Status of high pressure and low pressure safety injection system,

• Status of containment spray system and

• Status of containment isolation.

The PDS are further grouped based on POS of the plant at power operation and during refuelling outage. Several POS groups (G0 – G4) were introduced to facilitate the PDS grouping process:

G0:Full power operation

G1:POS1, 9 and 10, which are essentially similar to the full power operation. Both the RCS and the containment are normally closed.

G2:POS2, 3, 7 and 8 in which the RCS is closed but the containment is open.

G3:POS4, 5S and 6, in which both the RCS and containment are open. The fuel is located in the reactor vessel.

G4:POS5L, which is a special case because the fuel is relocated to the spent fuel pool.

3.2. Accident progression analysis

The MELCOR code is used to model all aspects of the severe accident progression, including:

• reactor coolant system thermal-hydraulic response to the initiating event prior to the core damage,

• core heat up, fuel degradation and material relocation within the reactor vessel,

• possible failure of the reactor vessel pressure boundary, and subsequent release of molten fuel and core debris to the containment,

• thermal and chemical interactions between the core debris and containment structures, such as concrete floors, and the containment atmosphere, and

• containment behaviour (including its pressure and temperature history, hydrogen mixing and combustion, and the effect of the operation of containment safeguard systems).

This code provides an integrated framework for the evaluating the timing of key accident events, thermodynamic histories of the reactor coolant system, core and containment, and corresponding estimates of fission product release.

3.3. Containment performance analysis

Deterministic calculations of severe accident progression generate pressure and temperature histories within the containment during the various accident sequences. To determine whether the containment pressure boundary will be able to withstand the loads, quantitative estimates of its structural performance limits must be generated.

Challenges to the containment integrity can take many forms. Therefore, the analysis of containment performance limits must address several topics. Typically, the following containment challenges are considered:

• internal, rapid and slow pressurization transients greater than nominal design conditions,

• high temperatures,

• thermal-mechanical erosion of concrete and steel structures (if contact with ejected core debris is possible),

• impact from internally-generated missiles and

• localised dynamic loads, such as shock waves, hydrogen detonation, etc.

In some instances, these challenges may exist simultaneously. For example, high temperatures often accompany high pressures.

Engineering calculations of structural response to these types of challenges are performed as part of the level 2 PSA. Quantitative failure criteria are developed as the primary reference for estimating the likelihood of containment failure for a wide spectrum of accident sequences. These criteria are based on plant specific design and construction data and represent realistic material response properties.

3.4. Construction of the containment event trees

Probabilistic model in the form of containment event trees (CET) is constructed for the evaluating the containment performance. The model is displaying the alternative accident progressions that may evolve from a given core damage sequence or a plant damage state.

The initiating event of the containment event tree is the PDS. During the construction of CET the following issues are taken into consideration:

1. Important time phases of severe accident progression. Different phenomena may control the nature and intensity of challenges to the containment integrity and the release of radionuclides as an accident proceeds in time. The following time frames are identified:

2. After the core damage begins, but prior to failure of the reactor vessel lower head. This period is characterised by the core damage and radionuclide release from the fuel while core material is confined within the reactor vessel. Hydrogen detonation is possible.

3. Immediately following reactor vessel failure. The level 2 PSA analysis concludes that many of the important challenges to the containment integrity occur just following reactor vessel failure. They often occur as a direct consequence of the release of molten core materials from the reactor vessel to the reactor cavity.

4. Long term accident behaviour. In the absence of the heat removal to the environment, the loads may steadily increase to the point of containment failure in a long term.

5. It must be noted that release is possible also from the containment which remains intact via the normal leakage.

6. Probabilities associated with events in the CETs are of different types: failure probability of safety system, probability that a human will not perform specific activity or probability of accident phenomena (for example hydrogen burn). Probabilities in the first two cases are developed in similar manner as in the level 1 PSA. The last one represents uncertainty in the occurrence or effects of severe accident phenomena. In this case, the split fraction associated with this event is not based on reliability data. Rather, it is a reflection of the uncertainties in the engineering analyses required to characterise hydrogen generation, release, distribution and combustion. The probabilities are obtained using decomposition event trees.

7. Recognition of the interdependencies of phenomena. Most severe accident phenomena and associated events require certain initial or boundary conditions to be relevant. For example, a steam explosion can only occur if molten core debris comes in contact with the water. Therefore, it may not be meaningful to consider ex-vessel steam explosions during accident scenarios in which the reactor cavity is dry at the time of vessel breach. Logic models for evaluating containment performance capture these and many other such interdependencies among severe accident events and phenomena.

3.5. Source terms

Estimation of the magnitude of fission product release to the environment (i.e. source terms) are a major product of a level 2 PSA. Plant specific source terms were evaluated for the Slovak plants.

The following source terms categories are defined:

1. STC1 - containment intact, containment spray available, no vessel failure,

2. STC2 - containment intact, containment spray unavailable, no vessel failure,

3. STC3 - containment intact, containment spray available, core cooling recovery after vessel failure,

4. STC4 - containment intact, containment spray unavailable, core cooling recovery after vessel failure,

5. STC5 - containment intact, containment spray available, no core cooling recovery after vessel failure,

6. STC6 - containment intact, containment spray unavailable, no core cooling recovery after vessel failure,

7. STC7 - very early containment failure before vessel failure,

8. STC8 - release from the spent fuel pool,

9. STC9 - early containment failure at vessel failure, no core cooling recover after vessel failure,

10. STC10 - late containment failure after vessel failure, core cooling recover after vessel failure,

11. STC11 - late containment failure after vessel failure, no core cooling recover after vessel failure,

12. STC12 - late containment failure without vessel failure,

13. STC13 - containment not isolated, containment spray unavailable, vessel failure

14. STC14 – containment not isolated, containment spray unavailable, open reactor vessel, no vessel failure,

15. STC15 - containment not isolated, containment spray unavailable, open reactor vessel, vessel failure,

16. STC16 - containment bypassed after SGTR,

17. STC17 - containment bypassed after interfacing LOCA.

3.6. Large early release

The effective doses are identified from the source term for the public. Based on the effective doses the countermeasures are implemented, as for example evacuation. Based on an estimate of the effective dose that could be avoided by implementing a particular countermeasure, the lower and upper emergency reference levels are defined. Below the lower level, introduction of the countermeasure would not be justified because of the harm that it would cause. The upper level is the dose level at which every effort should be done to introduce the countermeasure, except in exceptional circumstances. It is set at ten times the dose of the lower level.

The lower and upper levels for sheltering are a dose of 5 mSv and 50 mSv respectively. For evacuation, they are 50 mSv and 500 mSv. These are higher than the recommended dose limit for routine exposure, which is 1 mSv per year for the public. This is because the dose levels are not intended to represent the boundary between what is ‘safe’ and what is ‘unsafe’, but to represent an acceptable balance between the harms and benefits of an action.

In case of fission product release the release is large if more than 1% caesium is released to the environment from the core inventory. It can correspond to the dose of 50 mSv/y for the public.

Large early release is a release to the environment before implementation of required countermeasure (before evacuation). For the purpose of the WWER440 units it is considered that the evacuation can not be performed until 10 h from the beginning of the accident. The release until 10 h is the early release.

For the groups G0, G1 a G2 the Large early release frequency (LERF) is given as sum of frequencies of the following source term categories: STC7 + STC9 + STC13 + STC16 + STC17.

For group G3 the LERF is given by STC14 and STC15 (the reactor vessel is open, the containment is open). For group G4 the LERF is given by STC8 (the spent fuel pool is outside the containment).

3.7. Results

The source term category 14 for group G3 is presented in Table 4 for illustration of the results. The fission product groups Xe, I and Cs are presented in table with the corresponding frequency.

The risk of fission product release from the spent fuel pool is very small in operating mode 7. The source term category frequency is 3.0E-9/y. However, the quantity of fission products in the source term is extremely high because the pool is located outside the containment and the spray system has no impact on the fission products which can be released into the environment. The fuel inventory is also higher in comparison with the core inventory.

The LERF for each group G0-G4 is less than 1.0E-5/y. The requirement of the Nuclear Regulatory Authority is met.