
Considerations for External Hazards in Defense in Depth and Plant PSAs
Explore the crucial aspects of defense in depth and plant PSA considerations in handling external hazards, including new design requirements, beyond design basis scenarios, and the Draft TECDOC recommendations for a higher level of protection. Learn about the significance of independence of defense levels, common cause failures, and the ultimate necessity of specific systems and structures for enhanced safety against external events.
Presentation Transcript
"Considerations for External Hazards in Defense in Depth and Plant PSAs". Aybars Gürpinar, INSAG Meeting, 28/29 April 2015
Contents
- Defense in Depth
- New Design Requirements
- Beyond Design Basis EE
- EE, BDB, DEC and Severe Accidents
- Considerations in the new (draft) TECDOC
- EE PSA
New Design Requirements Paragraph 5.21a of SSR-2/1 states the following: "The design of the plant shall provide for an adequate margin to protect items ultimately necessary to prevent large or early radioactive releases in the event of levels of natural hazards exceeding those to be considered for design taking into account the site hazard evaluation."
New Design Requirements In SSR-2/1, independence of the different levels of defence in depth is required. One of the major impediments to this independence is common cause failures, which may also be triggered by various external hazards. Paragraph 5.21a concerns, in a general way, SSCs whose failure may lead to accident conditions and those which are used in confinement/mitigation.
What is ultimately necessary? The Draft TECDOC (IAEA, 2015) suggests the following SSCs for a higher level of protection from external events:
- Containment structure
- SSCs necessary to maintain the integrity of the containment
- Systems necessary to contain the molten core and to remove heat from the containment and transfer heat to the ultimate heat sink in severe accident conditions
- Systems to prevent hydrogen detonations
- Alternative power supply (alternative to Emergency Power Supply)
- SSCs necessary to maintain the ultimate heat sink under severe conditions
- Supporting systems to allow the functionality of the systems above
Beyond Design Basis EE For operating NPPs, BDB Earthquakes have been considered in the USA (since the 1990s) and then in Europe because of the change in hazard perception, change in methods, regulations and sometimes events exceeding the plant DB. The IAEA was asked to review the seismic safety of the NPPs in Eastern European countries in the 1990s. At this time BDBEs were considered also for these plants.
Beyond Design Basis EE Then at the end of 1990s and beginning of 2000s (with the hopes for a nuclear renaissance), it was felt that instead of re-evaluation and possibly upgrading of existing NPPs (which is costly and not so effective), the concept of BDBE would be integrated into the design of new NPPs. EUR requires a margin of 40% over design, USNRC requires the demonstration of a factor of 1.67 for the plant HCLPF value (both for seismic events).
Beyond Design Basis EE It should be noted that there are two factors integrated in these margins which are part of the design of new NPPs:
- Due to the uncertainties in PSHA and the evolving hazard evaluation methods and database, there is a finite likelihood that there will be a need to reconsider the adequacy of the DB seismic loads in the future.
- In parallel to plant state considerations (such as DEC) similar design extension or beyond design concept for external events.
Beyond Design Basis EE However, what is now required by SSR-2/1 is different and needs to be accumulated with the present approach. While the present approach (e.g. 1.67 plant HCLPF) is mainly focussed on SSCs leading to CD, the new requirement is to be applied to a different set of SSCs, those in the next level of DiD.
Beyond Design Basis EE After Fukushima, regulators are rightly thinking of BDB evaluations for other EEs in order to understand and avoid potential cliff edges. The practice from the experience of evaluating existing NPPs (mainly for seismic loads) was always supervised by the regulators but was not always part of the licensing process.
EE, BDB, DEC and Severe Accidents Based on PIEs, Accidents and Severe Accidents are postulated to design plant SSCs and determine management procedures that can cope with these under prescribed safety criteria. EEs are neither PIEs nor accidents. They constitute a separate set of design bases which may, in many cases, govern the design of safety related SSCs. Up to the Design Basis EE level, their combination with Accidents is generally well understood and regulated. This is at least the case for seismic events where seismic categorization defines the above mentioned relationship.
EE, BDB, DEC and Severe Accidents For non-seismic EEs even up to the design basis level the combinations are not clear. Sometimes this is done using the seismic analogy. For EEs which are beyond design (or DEC) there is little guidance on acceptance criteria or loading combinations. Practice is to use the experience from applications to existing NPPs which may differ from country to country.
Consideration of other EEs The proposed approach will consider maintaining the established practices for each external hazard (e.g. fault displacement, ground motion, flood hazard, tornado hazard, volcano hazard, airplane crash and explosions) to the extent possible. Furthermore, as seismic safety practices have been well developed over the past several decades, transfer of know-how from this subject area to others may be possible. The type and level of protection needed for each of these hazards will depend on several factors:
Factors to be Considered
- Potential for causing cliff edge effects: Both analyses and experience data show that some external hazards would cause cliff edge effects and others result in incremental increase of damage.
- Possibility of warning: Warning may be in terms of hours or minutes depending on the hazard.
- Uncertainties involved in hazard derivation (database issues: completeness and constraints for maximum values): (i) the database is very short, (ii) the magnitudes of events are not well constrained, (iii) variations of predictive models lead to significant epistemic uncertainties, (iv) conversion of events to design parameters contains large aleatory uncertainties. Where both time and space parameters are used to define the frequencies of exceedance (i.e. where an ergodic assumption may be applicable) or when combinations of more frequent events constitute the composite low frequency hazard, the estimates may be relatively more robust.
- Insufficient experience in the application of the methodology: The maturity of the subject matter and the collective experience of the nuclear community to deal with the specific hazard is also an important factor.
- Potential for combination with other external hazards: In general, the simultaneous occurrence of two rare events would be screened out from consideration in NPP design. However, when there is a dependency between the two events it is important to understand and consider this dependency.
- Potential for concomitant internal events (fire/flood): Some external hazards are especially prone to cause internal hazards which may, in combination with the external hazard itself, lead to accident conditions.
- Extent of the common cause: physical separation possibilities. This is one of the most important attributes of an external event that may lead to a serious challenge to multiple layers of defence in depth (and cause dependencies in the DiD).
Table 1. Factors to consider in safety margin determination for External hazards for a hypothetical site/plant

| Hazard/Criterion | Fault Disp. | Seismic Ground Motion | Coastal Flood | River Flood | Tornadoes | ACC | Explosions | Volcanoes |
|---|---|---|---|---|---|---|---|---|
| Cliff Edge | 2 | 1 | 5 | 4 | 3 | 3 | 3 | 3 |
| Lack of Warning | 2 (*) | 1 (*) | 2 | 3 | 2 | 3 | 5 | 3 |
| Uncertainties | 4 | 4 | 4 | 3 | 4 | 2 | 2 | 4 |
| Insufficient experience | 4 | 1 | 3 | 2 | 3 | 3 | 3 | 4 |
| Combination | 3 | 4 | 4 | 3 | 2 | 1 | 1 | 3 |
| Concomitant | 3 | 4 | 4 | 3 | 3 | 4 | 3 | 4 |
| Extent of Common Cause | 2 | 5 | 5 | 4 | 3 | 2 | 2 | 5 |
| TOTAL | 20 | 20 | 27 | 22 | 20 | 18 | 19 | 26 |

(*) Assuming an automatic seismic scram system is installed, otherwise these may be 3 5.
Acceptance Criteria The acceptance criteria related to design basis external hazards should be compatible with the Design Basis Accident criteria. The evaluation of the design basis external events and the associated design aspects should be conservative including adequate safety margins. Acceptance criteria related to BDBEEs should be compatible with the DEC criteria. Evaluation of the BDBEEs and the design features associated with the BDBEEs could be based on best-estimate considerations.
EE PSA In PSAs, EEs are known to be significant contributors to CDF and LERF. The tendency may be that this trend will continue and further increase, because the new designs will decrease internal event related CDs and external events are associated with very large uncertainties that are difficult to decrease. Therefore it will be unrealistic to require that the EE contribution to CD be kept below certain thresholds.
EE PSA EE related probabilities are generally calculated using scenario based, model driven and largely phenomenological approaches. This is because related historical data to calculate event frequencies is insufficient. They are frequency based only to a limited extent. On the other hand internal PSA is generally based on frequency dependent failure rates (e.g. equipment failure, operator mistake, maintenance error etc). How legitimate is it to compare these probabilities?
EE PSA Furthermore, EEs generally go to CD in one or two steps (singletons, doubletons) whereas internal failures get to 10^-5 levels by the product of several larger frequencies (e.g. 10^-1 times 10^-2 times 10^-2). This means that the estimates of the individual internal event failures, and therefore the CDF (their product), are much more robust. This may also contribute to the difficulties of a direct comparison of internal and external event associated CD and LER.
Concurrent EEs IAEA NS-R-3 Paragraph 2.29. The external zone for a proposed site shall be established with account taken of the potential for radiological consequences for people and the feasibility of implementing emergency plans, and of any external events or phenomena that may hinder their implementation. Note that: P[EE/LER] = Contribution of EE to LERF which is generally very significant.