ELEMENTS OF NUCLEAR SAFETY
Jacques LIBMANN
English translation by Jean Mary Dalens
Avenue du Hoggar Zone Industrielle de Courtabœuf BP 112 91944 Les Ulis cedex A, France
Book series coordinated by Henri Métivier. Books already published:
• Agriculture, Environnement et Nucléaire : comment réagir en cas d'accident. Authors: René Coulon, Jacques Delmas, Gérard Griperay, Philippe Guétat, René Loyau, Claude Madelmont, Rémy Maximilien, Jean-Claude Rottereau
• Traitement de la contamination interne accidentelle des travailleurs. Authors: M.H. Bhattacharyya, B.D. Breistenstein, H. Métivier, B.A. Muggenburg, G.N. Stradling, V. Volf
• Approche de la sûreté des sites nucléaires. Author: Jean Faure
• Circonstances et conséquences de la pollution radioactive dans l'ancienne Union soviétique. D. Robeau, coordinator. Authors: Jean-Claude Nénot, Christian Chenal, Sabine Charmasson, Daniel Robeau, M. Bertin, Philippe Renaud, Henri Maubert, André Jouve, Alexandre Grebenkov
• Éléments de sûreté nucléaire / Elements of Nuclear Safety (Russian version in preparation). Author: Jacques Libmann
• Le tritium - de l'environnement à l'Homme. Yves Belot, Monique Roy and Henri Métivier, coordinators. Authors: Y. Belot, M. Roy, H. Métivier, P. Pihet, Ph. Duport, A. Flüry-Hérard, E. Rabin, Ph. Boucquey, F. Briot, P. Giroux, J.Y. Hervé, J.P. Le Goff and G. Pescayre
• Radionuclides in the Oceans. P. Guéguéniat, P. Germain and H. Métivier, coordinators
ISBN : 2-86883-286-5. This work is subject to copyright. All rights are reserved, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, re-use of illustrations, recitation, broadcasting, reproduction on microfilms or in other ways, and storage in data banks. Duplication of this publication or parts thereof is only permitted under the provisions of the French Copyright law of March 11, 1957. Violations fall under the prosecution act of the French Copyright Law. © Les Editions de Physique 1996
Foreword

This basically educational document draws much of its substance from all the various activities of the Institute for Nuclear Safety and Protection (IPSN), the technical support body of the Nuclear Installation Safety Directorate (DSIN). The latter organizations however may under no circumstances be considered liable for its contents. Its purpose was to heighten awareness among analysts and more generally among all those concerned by nuclear safety. The safety picture presented is consequently not intended to be well-balanced. It is moreover imbued with the activities and viewpoints of the IPSN, which is only one of the safety organisms concerned. The present document is an extensively supplemented revision of work published in 1988 by the National Institute for Nuclear Science and Technology (INSTN) under the title "Approche et analyse de la sûreté des réacteurs à eau sous pression". As in the previous case, this work would not have been possible without the technical and financial assistance of the DSIN. The personal acknowledgments featured in the 1988 publication remain intact for the present version, as follows: Monique Libmann; Marie-Claire Dupuis, Bernard Barrachin, André Cayol, Bernard Fourest; Daniel Quéniart, Yves Chelet, François Cogné. The basic raw material for a general review of the activity of a large group is the actual work of the members of the group considered.

This was, of course, the case for the present document and I should like to mention in a far from exhaustive list some of those on whom I relied for assistance: Roland Avet-Flancart, Bernard Barbe, Alain Bardot, Bernard Barrachin, Bernard Bartholmé, Geneviève Beaumont, Claude Birac, Christine Bonnet, Jean Bourgeois, Louis Brégeon, Jacques Brisbois, Jean-Paul Bussac, Gérard Cadolle, Marc Champ, Yves Chelet, Alain Chesnel, Jean-Pierre Clausner, François Cogné, Yvon Cornille, Patrick Cousinou, Bernard Crabol, Michel Delage, Gérard Delettre, Gérard Depond, Yves Droulers, François Ducamp, Jacques Duco, Marie-Claire Dupuis, Véronique Fauchille, Jean Faure, Christine Feltin, Bernard Fourest, Denis Goetsch, Christian Giroux, Alain Gouffon, Gilbert Gros, François Heili, Jean-Yves Henry, Karine Herviou, Jean Jalouneix, Laurent Janot, Martial Jorel, Anne Jouzier, Patrick Jude, Milène Julien-Dolias, Jeanne-Marie Lanore, Michel Laverie, Corentin Le Doare, Catherine Lecomte, Joseph Lewi, Alain L'Homme, Marcel Le Meur, Agnès Levret, Daniel Manesse, Jean-Marie Mattéi, Jean-Pierre Merle, Henri Métivier, Jean-Luc Milhem, Bagher Mohammadioun, Jean-Claude Nénot, Jacques Ney, Nicole Parmentier, Dorothée Pattee, Frédérique Pichereau, Jean-Louis Pierrey, Jean-Claude Puit, Daniel Quéniart, Bruno Rague, Henri Roche, François Rollinger, Lucien Rousseau, Monique Roy, Jacques Savornin, Jean-Jacques Seveon, Henri Bureau, Pierre Tanguy, Nicholas Tricot, Serge Vidal-Servat... Consistency of principles and their expression was once again assured by Daniel Quéniart, who thus made a decisive contribution to the contents of this text. The readability of the book, both for French and foreign readers, was vastly improved thanks to the advice and comments of Nathalie Rutschkowsky. Philippe Vesseron and Henri Métivier fostered its publication in this form, whilst Etienne Benoist encouraged its translation into English and Russian. To Monique Libmann and Monique Roy was entrusted the thankless task of rereading. I am most honored that Mr. André-Claude Lacoste, Director of the DSIN and Chairman of the Board of Management of the IPSN, has accepted to preface the book. I thank them all. Needless to say, any errors and imperfections which may nevertheless have been overlooked remain my entire responsibility. Jacques Libmann
Preface

Like many other industrial safety fields, nuclear safety has developed considerably over the last few decades. An essential component of the very notion of safety is doubtless the ceaseless quest for improvement. The impact of these developments on organizations is in part related to the more widespread use of nuclear energy. The prime responsibility of nuclear operators for the safety of their plants is now clearly acknowledged by the International Convention on Nuclear Safety, as is the necessity for each country concerned to constitute a competent safety authority, independent of organisms promoting nuclear energy. It was only in 1973 that such a nuclear safety authority (SCSIN) was set up in France, as a department of the ministry of industry. Twenty years later, it became the DSIN (nuclear installation safety directorate), responsible to the ministers for industry and for the environment respectively. For several years now, the running of this department has been supervised by the Parliamentary Office for Assessment of Scientific and Technological Options and the implementation of nuclear safety statutory provisions is currently being considered. Technical repercussions have also been extensive, since ideas have considerably progressed in France since the initial adoption of the American PWR design, accompanied by its already voluminous package of regulatory or pararegulatory texts. The EDF and Framatome engineers, together with those of the safety authority and its technical support structure, the IPSN, had first to become thoroughly acquainted with the basic reactor type before gradually moving on to a more practical approach, involving the control of accidents considered as beyond design basis events in American practice and even those culminating in core meltdown. Deep thinking along these lines even led to certain previously adopted but inadequately validated criteria being called into question, such as the use of fuels with high burnup fractions.

These gradual developments, prompted by know-how advances, whether based on operating feedback or research and development results, are the subject matter of Jacques Libmann's book.

Throughout his career at the IPSN, Jacques Libmann has personally followed all the varied details of this progression, as now witnessed by his book. Many of you will remember him from your training courses, both in France and abroad, when he succeeded in convincing his listeners of the soundness of the basic safety principles which have gradually been defined. The publication of this book will doubtless widen his audience even further and will be beneficial to all those seeking either an introduction to nuclear safety or further insight into specific aspects of the subject. The time history approach has the advantage of showing how real improvements are achieved, sometimes after false starts, by pragmatic research where accepted ideas may have to be called into question. Current developments are aimed beyond national contexts at European, or even worldwide harmonization of safety practices, together with significant improvements on the safety level presently attained. This is notably the goal of the future PWR developed by the French and German utilities and plant builders (EPR project). May Jacques Libmann's book assist all those, whether they be designers, operators or safety authority specialists, who, in France or abroad, are responsible for nuclear plant safety issues! André-Claude LACOSTE, Directeur de la Sûreté des installations nucléaires
Contents

Introduction  1
1. Radioactivity and the biological effects of ionizing radiation  5
   1.1. Units used  5
   1.2. Natural radioactivity  6
   1.3. Biological effects of ionizing radiation  7
   1.4. Radiation protection principles  16
2. Nuclear safety organization  19
   2.1. Nuclear security and safety  20
   2.2. Nuclear safety organization and responsibility sharing  21
   2.3. Safety analysis reports and regulations  23
   2.4. Developments in safety goals  27
   2.5. Safety Culture  28
3. Deterministic safety approach  31
   3.1. Determination of specific risks  31
   3.2. Potential risks, residual risks, acceptable risks  33
   3.3. The barriers  35
   3.4. The defense in depth concept  38
   3.5. Quality Control  45
4. Analysis of operating conditions  47
   4.1. Classification of operating conditions  47
   4.2. Definition of design basis operating condition categories  49
   4.3. Choice of operating conditions  50
   4.4. Operating conditions: list and subdivisions  52
   4.5. Operating condition analysis process  55
   4.6. Consideration of internal or external hazards  64
5. Assessment of the radiological consequences of accidents  65
   5.1. Quantities of radioactive products involved  66
   5.2. Release rates  67
   5.3. Transfer and deposit in reactor systems  68
   5.4. Transfer and deposit in buildings  68
   5.5. Leak rate to the outside atmosphere and filtering provisions  69
   5.6. Environmental transport and deposit conditions  69
   5.7. Pathways to man  72
   5.8. Dose conversion factors  72
   5.9. Changes in radiological consequence calculation methods  74
6. An example of accident analysis: LOCA  75
   6.1. Physical effects of a large break
   6.2. Assumptions adopted in safety analysis  82
   6.3. Acceptability criteria and results  84
   6.4. Evaluation of radiological consequences  85
   6.5. Safety demonstration evolution  90
7. Assessment of safety justifications  91
   7.1. Data drawn from operating condition studies  92
   7.2. Checking the number of lines of defense  105
   7.3. New safety demonstration requirements for the N4 series  108
8. A particular barrier point: the steam generator tubes  113
   8.1. Steam generator tube rupture without human intervention  115
   8.2. Complementary French studies  117
   8.3. Dealing with the problem for the N4 series  118
9. Internal hazards  121
   9.1. Missiles from inside the containment  122
   9.2. The results of piping breaks  123
   9.3. Turbogenerator bursting  124
   9.4. Protection against load dropping  126
   9.5. Fire protection  129
   9.6. Internal flooding  132
10. External hazards  135
   10.1. Determination of earthquake hazards  136
   10.2. Protection against aircraft crashes  141
   10.3. Industrial hazards  145
   10.4. Floods  147
   10.5. Protection against other external hazards  149
11. Complementary operating conditions  151
   11.1. Origins  151
   11.2. The position of the safety authorities  152
   11.3. Complementary operating conditions  153
12. Probabilistic assessment of an accident sequence  163
   12.1. Effects of failures and initial assumptions  163
   12.2. Chronological list of the elements forming the scenario  164
   12.3. Required data  165
   12.4. Assessment results  166
   12.5. Revision of scenarios and their probabilities  168
13. The accident at Three Mile Island  171
   13.1. The accident  171
   13.2. Causes of the accident  177
   13.3. Lessons learned from the accident  180
14. The state-oriented approach  183
   14.1. Limits of the event-related approach  183
   14.2. Development of the state-oriented approach  184
   14.3. First application of the state-oriented approach  185
   14.4. Generalization of the state-oriented approach  188
   14.5. Safety panels  189
15. Preparation for the management of severe accidents  191
   15.1. Core and vessel degradation  191
   15.2. The Rasmussen report  194
   15.3. "Source terms"  196
   15.4. Severe accident management studies in France  198
   15.5. Radiological consequences of source term S3 and intervention provisions  209
   15.6. List of ultimate emergency procedures  213
   15.7. Summary of procedures  213
   15.8. Internal Emergency Plan  214
   15.9. The fourth level of defense in depth  215
16. Special risks associated with criticality accidents  217
   16.1. Theoretical scenario  217
   16.2. A plausible scenario and corrective measures  220
   16.3. Identification of other dilution scenarios  221
   16.4. Other criticality accident hazards  222
   16.5. International information  224
17. Emergency preparedness and IPSN resources  227
   17.1. Emergency preparedness  227
   17.2. Role of the IPSN crisis team  230
   17.3. Method and tools of the assessment cell  231
   17.4. Methods and tools of the radiological consequences cell  238
   17.5. Conclusion on the method and tools  240
   17.6. External Emergency Plan  241
   17.7. Environmental transfer and deposit conditions  242
18. Severe accident research and development work  247
   18.1. Thermal hydraulic codes  248
   18.2. Fission product codes  250
   18.3. Fission product experiments  252
   18.4. Corium and containment building behavior studies  253
   18.5. Other on-going surveys  254
19. Probabilistic safety assessment  257
   19.1. Initiation of the studies  258
   19.2. Aims and organization of the studies  259
   19.3. Core meltdown probability assessment method  260
   19.4. Specificities of French studies  263
   19.5. Results of the 900 PSA survey  266
   19.6. Results of the 1300 PSA  272
   19.7. Comparison with studies undertaken abroad  274
20. Applications and development of probabilistic studies  277
   20.1. Use of probabilistic safety studies  277
   20.2. Development of these studies and tools  285
   20.3. Probabilistic assessment of radioactive release  288
   20.4. Conclusions on the probabilistic safety studies  289
21. The Chernobyl accident  291
   21.1. The Chernobyl plant and the RBMK reactors  292
   21.2. The accident  297
   21.3. The release and its consequences  300
   21.4. Causes of the accident and lessons learned  312
   21.5. Future of the other Chernobyl units  315
   21.6. Lessons drawn in France  315
   21.7. Information of the general public and communication  317
   21.8. After Chernobyl  318
22. General operating rules  319
   22.1. General operating rules  320
   22.2. Technical Operating Specifications  323
   22.3. Initial and periodic tests  331
   22.4. Emergency operating procedures  335
23. Incident analysis  339
   23.1. Incident selection  341
   23.2. Significant incident analysis methods  345
   23.3. Case of a repetitive incident  352
24. Detailed analysis of incidents involving human factors  359
   24.1. Pressurizer heater damage at Flamanville 2  360
   24.2. Isolation of pressurizer level sensors at Cruas 2  366
   24.3. Isolation of pressurizer level sensors at Gravelines 4  368
   24.4. Analysis and lessons  369
   24.5. Check on sensor operability  374
   24.6. General considerations on maintenance activity quality  374
   24.7. Defense in depth applied to operation  377
25. Preventive maintenance and in-service surveillance  379
   25.1. In-service surveillance for large components  379
   25.2. Preventive maintenance of equipment  381
   25.3. Steam generators  382
   25.4. Steam line defects  390
   25.5. Closure head adapter cracking  392
26. Some French precursors  399
   26.1. Incidents  400
   26.2. Latent nonconformances revealed by inspections  411
27. Periodic safety review  419
   27.1. Safety review methodology  420
   27.2. Fessenheim and Bugey plant safety reviews  423
   27.3. Safety review of the CP1 and CP2 standardized 900 MWe plant series  430
28. The international dimension  439
   28.1. The IAEA standards and guides program  441
   28.2. The Incident Reporting System  442
   28.3. French-German comparisons  444
   28.4. Services proposed by the IAEA  446
   28.5. Plants of Soviet design  450
29. The next generation of reactors  461
   29.1. Setting up of French-German safety options  462
   29.2. Changes in safety objectives  463
   29.3. Application of the defense in depth concept  465
   29.4. Preliminary characteristics of the EPR project  466
   29.5. Illustration of defense in depth provisions  471
30. Safety considerations on other nuclear installations  473
   30.1. Safety organization changes at the CEA  477
   30.2. General safety approach  477
   30.3. Safety objectives, notion of acceptability  479
   30.4. Risk potentials  482
   30.5. Design bases  486
   30.6. Safety analysis of an installation  495
   30.7. Operating safety  500
   30.8. Plant end of life  504
   30.9. Conclusion of this chapter  506
Conclusion  507
Appendix A - Basic safety rules  509
   A.1. Rules concerning pressurized water reactors (June 1995)  509
   A.2. Rules concerning basic nuclear installations other than reactors (June 1995)  511
Appendix B - Regulatory texts related to quality  513
   B.1. Order of August 10, 1984  513
   B.2. Circular of August 10, 1984  520
Appendix C - French nuclear power plants  533
   C.1. Graphite-moderated, gas-cooled reactors (GCR)  533
   C.2. Heavy water reactor (HWR)  534
   C.3. Fast breeder reactors (FBR)  535
   C.4. Pressurized water reactor (PWR)  535
Appendix D - Basic Nuclear Installations  539
   D.1. Experimental reactors in service  539
   D.2. Fuel cycle basic nuclear installations  540
   D.3. Other CEA basic nuclear installations  541
   D.4. Other nuclear installations  542
   D.5. Particle accelerators considered as basic nuclear installations  542
Introduction

Nuclear installations present a specific risk in that they all contain, by definition, more or less substantial quantities of radioactive products. These can result in the exposure of individuals, populations or the environment to ionizing radiation and the consequences thereof. Nuclear installations for electricity generation fall, of course, in this category. Other sources of energy also involve risks, but our present purpose is not to draw comparisons. Moreover, we are well aware of public sensitivity in this respect, where radioactivity effects are associated far more with the military explosions of Hiroshima and Nagasaki, and now with Chernobyl, than with natural radioactivity or the benefits of radiotherapy. Our intention here is simply to present the methods and concepts used in the nuclear industry to ensure a satisfactory safety level for this activity. Safety results from a set of technical and organizational measures taken at all stages in the life of an installation to ensure that its operation and, more generally speaking, its very existence, present a sufficiently low-level risk as to be deemed acceptable for the staff, the general public and the environment. So what is actually involved is:
• ensuring normal operating conditions which are conducive neither to excessive exposure of workers nor to release to the environment of radioactive waste with a high activity level
• incident and accident prevention
• limiting the consequences to workers, populations and the environment of any incidents and accidents which could nevertheless occur.
This gives rise to provisions covering plant operation, but also its design, construction and decommissioning. It is to be noted that the idea of an acceptable risk is not grounded on clearly defined, absolute criteria, but is rather the result of choices of a sociopolitical nature which may evolve over a period of time and may differ from one country to another, depending on local economic conditions. In this context, it is the role of the technicians to propose, but the final decision is based on political assessments integrating other contingencies. For any given installation, the process begins with identification of the nature and extent of the risks entailed. Only after this has been done can methods for ensuring safety be defined and analyzed. Several decades have now elapsed since nuclear plant construction and operation began in France. The reactors of the first type used in France, which were natural uranium-fuelled, graphite-moderated and CO2-cooled, have now all been shut down. Several of the installations currently in service were built to earlier standards, at least as regards technological developments and safety issues. Most of the pressurized water reactors presently operating in France were designed on the basis of the American plants under construction at the end of the sixties and the beginning of the seventies, at a time when world experience in this type of undertaking was limited. It is consequently not surprising that, although the basic principles defined at the outset of a project are not easily called into question, safety criteria approaches and analysis methods have considerably altered over the period of time involved. Now that substantial experience has been acquired, we are, of course, able to check whether the principles underlying the initial approach are still satisfactory and to compare actual plant behavior with the estimates made beforehand. The world's two most dramatic nuclear accidents, Three Mile Island in 1979 and Chernobyl in 1986, figure largely in this analytical process, without however overshadowing the many minor difficulties to be contended with in the daily running of an installation. Rather than describe current approaches to safety from a static status angle, we have opted for a partly historical presentation which reveals more clearly their dynamic and evolutive character.
We shall base most of this presentation on the pressurized water reactors operated in France, although many other examples will also be used. In this document, we shall consider successively:
• the deterministic approach, which is the main safety approach method
• safety analysis methods based on accident analysis
• the enhancement of these methods by development of the probabilistic safety approach and preparation for the management of particularly severe accident situations
• operating feedback
• subsequent evolution paths and the international dimension.
Each subject will be illustrated with a number of examples.
General topics such as the human factor or the importance of quality could have been dealt with in separate chapters, but we have preferred, on the contrary, to avoid isolating them so that they can be referred to in the many contexts directly concerned by them. Finally, we shall insofar as possible base our discussion of the elements of this approach on general aspects, applicable to all nuclear installations, for it will be seen that if responses in each case must be adapted to specific potential risks, the same types of questions recur and have to be systematically examined. In order to situate the purpose of nuclear safety, we shall summarize in an introductory chapter the biological effects of radiation together with the main basic principles of radiation protection. This should enable the reader to better comprehend the extent of the consequences of the phenomena discussed. Similarly, safety awareness and practice involve a sharing of responsibilities defined by regulatory texts. In order to conserve the technical and philosophical rather than administrative disposition we have adopted, the second chapter will describe the organizational principles governing relations between the safety partners. This will give rise to reflections on the determination of "acceptable" risks and on what is now referred to as Safety Culture, to which we trust the present document will contribute.
1. Radioactivity and the biological effects of ionizing radiation
At the International Conference on the Safety of Nuclear Energy: Strategy for the Future, held in Vienna (Austria) on September 2-6, 1991, it was deemed advisable to present the basic biological effects of radioactivity to enable at least overall understanding, with a view to prevention, of possible radiological consequences of abnormal situations and of the basic principles of radiation protection. It is on the same grounds that the present work begins with a chapter on this subject. The text is adapted from the conference document prepared by an international working party entrusted with presenting the basic principles of safe use of nuclear energy. It draws extensively on the conclusions formulated by the organizations competent on this question, the International Commission on Radiological Protection (ICRP) and notably its publication No. 60, but also on certain more recent observations on the populations exposed following the Chernobyl disaster.
1.1. Units used

The radioactivity unit is the becquerel (Bq), equal to 1 disintegration per second. As this unit is extremely small, multiplying prefixes are often employed: mega (M) = 10^6, giga (G) = 10^9 or tera (T) = 10^12. The former unit is the curie (Ci), equal to 3.7 × 10^10 disintegrations per second, i.e. 3.7 × 10^10 Bq, and historically defined as the activity of one gram of radium 226. Since this unit is relatively large, submultiple prefixes were used: micro (µ) = 10^-6, nano (n) = 10^-9, pico (p) = 10^-12.

Two units are used to express radiation effects on the human body. The gray (Gy) expresses the energy deposited in matter by a particle or radiation: 1 gray = 1 joule per kilogram of material. It is the SI absorbed dose unit, replacing the former rad (1 Gy = 100 rad).
The shorter the path over which each particle deposits its energy, the greater the potential harmfulness of a given absorbed dose. For comparison purposes, quality factors are used to express absorbed doses of any type in terms of dose equivalents for reference X and gamma radiation effects. This quality factor is, by definition, 1 for electrons, X rays and gamma rays, 20 for alpha particles and heavy nuclei and from 5 to 20 for neutrons and protons. The dose equivalent is expressed in sievert (Sv). The former unit is the rem (1 Sv = 100 rem). Each tissue and organ has a specific sensitivity to cancer risks. For 100 cancers observed following homogeneous external exposure, there are for instance 12 lung cancers, 5 breast cancers and 1 skin cancer. So a weighting (or sensitivity) factor is introduced for each tissue to transpose the dose equivalent into an effective dose. In the event of internal contamination, irradiation continues until the radioelement responsible has been eliminated from the body. In this case, we calculate the dose commitment due to the contamination, integrated over the next 50 years. In accordance with current regulations, this calculation is performed, and the whole committed dose is accounted for, at the time of contamination. Effective and committed doses are also expressed in sievert. In accordance with regulatory practice, the term "dose" shall generally refer in what follows to an effective dose. The relationship between a becquerel and the corresponding gray or sievert number depends on the particle or radiation energy and its mode of interaction with the substance considered and, in the case of internal contamination, on the length of time the radioelement stays inside the organism.
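The dose bookkeeping of this section, as an added worked example that is not part of the book: unit conversions between curie/becquerel, rad/gray and rem/sievert; the dose equivalent as the quality-factor-weighted sum over radiation types; the effective dose as the tissue-weighted sum over organs; and the 50-year dose commitment obtained by integrating the dose rate of an incorporated radionuclide whose retained activity decays with an effective half-life combining radioactive decay and biological elimination. The quality factors are those the text quotes (the neutron value is the low end of the quoted range, an assumption). The tissue weights are illustrative only, built from the page's "12 lung, 5 breast, 1 skin per 100 cancers" figure with the rest lumped into a remainder so that the weights sum to 1; real assessments use the ICRP-60 tables. The single-exponential retention model, the dose-rate coefficient, activities and half-lives in the demonstration are all assumed placeholders, and the function names are my own.

```python
"""Dose bookkeeping from section 1.1 (added example, not from the book).

Quality factors are the values quoted in the text; the tissue weights are
illustrative placeholders derived from the page's cancer-frequency figure
and are NOT the ICRP-60 values. The retention model and every numeric
input used in the demo below are assumptions.
"""
from math import exp

LN2 = 0.6931471805599453
BQ_PER_CI = 3.7e10          # 1 Ci = 3.7e10 Bq (activity of 1 g of Ra-226)
GY_PER_RAD = 0.01           # 1 Gy = 100 rad
SV_PER_REM = 0.01           # 1 Sv = 100 rem
SECONDS_PER_YEAR = 365.25 * 86400

# Quality factors Q_R as quoted in the text; neutrons span 5-20 with
# energy, the low end is used here (assumption).
QUALITY_FACTOR = {"photon": 1.0, "electron": 1.0, "alpha": 20.0, "neutron": 5.0}

# Illustrative tissue weighting factors w_T (see module docstring).
TISSUE_WEIGHT = {"lung": 0.12, "breast": 0.05, "skin": 0.01, "remainder": 0.82}


def ci_to_bq(curies: float) -> float:
    return curies * BQ_PER_CI


def rad_to_gy(rad: float) -> float:
    return rad * GY_PER_RAD


def rem_to_sv(rem: float) -> float:
    return rem * SV_PER_REM


def dose_equivalent_sv(absorbed_gy_by_radiation: dict[str, float]) -> float:
    """H = sum over radiation types R of Q_R * D_R (D in gray, H in sievert).

    The same absorbed energy counts 20 times more when delivered by alpha
    particles than by gamma rays; that is what the quality factor encodes.
    """
    return sum(QUALITY_FACTOR[r] * d for r, d in absorbed_gy_by_radiation.items())


def effective_dose_sv(equivalent_sv_by_tissue: dict[str, float],
                      weights: dict[str, float] = TISSUE_WEIGHT) -> float:
    """E = sum over tissues T of w_T * H_T; the weights must sum to 1."""
    if abs(sum(weights.values()) - 1.0) > 1e-9:
        raise ValueError("tissue weights must sum to 1")
    unknown = set(equivalent_sv_by_tissue) - set(weights)
    if unknown:
        raise KeyError(f"no weight for tissues {sorted(unknown)}")
    return sum(weights[t] * h for t, h in equivalent_sv_by_tissue.items())


def effective_half_life_s(physical_half_life_s: float, biological_half_life_s: float) -> float:
    """Radioactive decay and biological elimination act in parallel:
    1/T_eff = 1/T_phys + 1/T_bio."""
    return 1.0 / (1.0 / physical_half_life_s + 1.0 / biological_half_life_s)


def committed_dose_sv(initial_activity_bq: float,
                      sv_per_s_per_bq: float,
                      physical_half_life_s: float,
                      biological_half_life_s: float,
                      years: float = 50.0) -> float:
    """Dose commitment: integrate the dose rate from an incorporated
    radionuclide over `years` (50 by regulation, as the text states).

    Assumed retention model: A(t) = A0 * exp(-lambda_eff * t), with a dose
    rate k * A(t) where k (Sv/s per Bq retained) is a placeholder
    coefficient. The integral is then closed-form:
        D = k * A0 * (1 - exp(-lambda_eff * T)) / lambda_eff
    """
    lam = LN2 / effective_half_life_s(physical_half_life_s, biological_half_life_s)
    horizon_s = years * SECONDS_PER_YEAR
    return sv_per_s_per_bq * initial_activity_bq * (1.0 - exp(-lam * horizon_s)) / lam


if __name__ == "__main__":
    # Constructed scenario: 10 mGy of gamma plus 1 mGy of alpha to the lung.
    h_lung = dose_equivalent_sv({"photon": 0.010, "alpha": 0.001})   # 0.030 Sv
    e = effective_dose_sv({"lung": h_lung})                           # 0.0036 Sv
    print(f"lung dose equivalent {h_lung:.4f} Sv, effective dose {e:.4f} Sv")
    # Placeholder nuclide: very long physical half-life, 10-day biological
    # half-life, 1 kBq incorporated, 1e-12 Sv/s per Bq retained (all assumed).
    d = committed_dose_sv(1e3, 1e-12, 1e12, 10 * 86400)
    print(f"50-year committed dose {d:.3e} Sv")
```

Two points the code makes concrete: a 1 mGy alpha contribution outweighs a 10 mGy gamma contribution once the quality factor is applied, and for a nuclide that the body clears quickly the 50-year commitment is simply k·A0·T_eff/ln 2, since the exponential term has vanished long before the regulatory horizon.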
1.2. Natural radioactivity

Since its origins, humanity has been exposed to a wide spectrum of natural ionizing radiation. This exposure is due to cosmic radiation, gamma radiation from the earth and radioactive products naturally present in the human body, originating from food and water (mainly lead 210 and potassium 40) and from inhalation (mainly radon 222). The annual dose due to these natural sources averaged over all populations of the globe is between 2 and 3 millisievert (mSv), but varies between 1 and 5 mSv according to the place considered. Under average conditions, the contributions of the cosmic rays, the gamma rays from the ground and ingested products are approximately the same, each equal to 0.3 to 0.4 mSv. The fraction due to radon inhalation is therefore much larger, representing up to 40% of this natural irradiation. It varies considerably according to place, dwellings and living conditions.
These values encompass marked variations and higher local doses can be observed in various places. Doses due to cosmic rays can be up to five times higher in high altitude inhabited areas. Annual doses due to terrestrial gamma rays can reach 35 mSv in certain places. The highest doses are due to radon and extreme annual doses can be in the region of 1 Sv. In France, the dose received by an individual can vary by a factor of 4, or even more for people living near uranium mines. On a worldwide basis, the variation factor is 16. In developed countries, the use of radiation for medical purposes adds a mean individual dose of 1 mSv per year. Obviously, the fact that natural radiation exists is no justification for additional exposure to artificial sources, such as nuclear energy. The only justification could be the overall benefit to society. However, these natural radiation dose levels are useful for purposes of comparison.
1.3. Biological effects of ionizing radiation

1.3.1. Biological processes

Ionization, the ejection of an outer-shell electron by a particle or radiation, modifies the atoms and molecules concerned, at least momentarily. This can sometimes cause cell damage which, unless correctly repaired, prevents the cell from surviving or reproducing or, more rarely, gives rise to a viable but modified cell. If enough cells are destroyed, the damage will be observable, corresponding to the loss of a tissue function. Beyond a certain exposure level, or threshold, impairment will be evident and its seriousness will increase with the dose. This type of effect is called "deterministic" or certain. A transformed but still living cell can sometimes lead to a malignant tumor or cancer, after a fairly long time lapse known as the latent period. The probability of this type of cancer occurring depends on the dose received, but the seriousness of the cancer is not conditioned by the dose. In this case, we describe the effect as "stochastic", random or probabilistic. If the function of the damaged cell is to transmit genetic data to descendants, effects of varying types and degrees of seriousness could appear in the descendants of the person irradiated. These are hereditary or genetic effects. As can be seen, it is not easy to appraise the consequences of exposure. They can include the probability of death, which perhaps would not occur for 20 or 30 years, the certainty of illness or death if the dose is strong enough and the possible transmission of negative effects to future generations. It is customary to express effects in terms of probability of deaths incurred or serious hereditary deficiencies. This simplification makes no reference to the time intervals involved nor to less serious but significant consequences, such as non-fatal cancers, but these aspects are covered in ICRP publication No. 60. Radioactive products released to the environment can transit from the environment to man. Other living species will also be exposed. In this context, the rules deemed appropriate for the protection of man ensure that no overall risk is run by the other living species, which are generally less sensitive than man. Certain species could occasionally be affected, but this would be a transitional, localized phenomenon. This was the case for a wooded area in the vicinity of the Chernobyl plant. Accidental release can result in limitations to use by man of plant and animal products without the products themselves being affected.
1.3.2. Quantitative radiation risk assessment

The best sources of information on the biological effects of radiation are direct observations of the effects on man. However, biological research on microorganisms, on cells in vitro and on animals provides much complementary data on damage mechanisms and dose-response relationships.
1.3.2.1. Deterministic effects

Data on deterministic effects in man come from the effects observed on the pioneer radiologists, the effects of the Hiroshima and Nagasaki atomic bombs, the side effects of radiotherapy and the consequences of severe radiological accidents, some of which occurred at nuclear power plants and others with medical or industrial sources.

For most human organs, the threshold for serious deterministic effects is equal to or above 1 Gy, even when the dose is received in as short a time as about a minute. Note that at these levels what counts is directly the energy absorbed, i.e. the number of grays, regardless of quality factor considerations. Certain organs, such as the lens of the eye or the skin, are more sensitive in the event of external exposure. With present radiation protection practice and standards, deterministic effects can only occur in accident situations.
1 - Radioactivity and the biological effects of ionizing radiation
The following guide data are based on experience of brief high level exposure:
• beyond 10 Gy, death occurs rapidly
• an untreated 5 Gy dose proves fatal in 50% of cases within 2 months
• a 2 Gy dose causes skin rashes and loss of head and body hair
• the first short term effects (nausea, vomiting) are observed for a 1 Gy dose.
1.3.2.2. Stochastic effects

To date, the three main data sources on stochastic effects are the epidemiological studies performed on the survivors of the bombing of Hiroshima and Nagasaki, on patients exposed to radiation for medical treatment or diagnosis, and on certain classified workers exposed professionally to radiation or radioactive products. Considered in the light of biological research results, these studies form the basis of the principles of radiation protection.

The interpretation of epidemiological studies is extremely demanding and under no circumstances allows conclusions to be reached as to the effects of very low doses, i.e. those below or about equal to the inevitable natural doses. This is because cancers and genetic illnesses frequently occur naturally in the population. Any increase in fatal cancers or other consequences of very low doses is so small as to be indistinguishable from other variations, due to the lack of precision of the relevant statistics or to various demographic factors. A significant increase in malignant tumors in human beings has only been observed for large, homogeneous populations and for doses exceeding about 0.2 Sv, which was the case for the Japanese populations exposed. It should be borne in mind that the inevitable lifetime integrated dose for an individual due to natural radioactivity always exceeds 0.1 Sv.

Epidemiological studies are proceeding in France and throughout the world, with the active participation of the IPSN (French Institute for Nuclear Safety and Protection). They notably concern the effects of radon on classified workers, such as those employed in uranium mines, and on the occupants of dwellings in certain regions. They also concern nuclear energy workers, including, for France, the staff of the CEA (French Atomic Energy Commission).
Victims of the Chernobyl accident are also providing input for such studies, since the medical assistance they receive gives rise to the recording of scientific observations.

Available observations corresponding to doses well beyond natural levels, interpreted on the basis of biological research results, can be extrapolated to give a reasonably accurate estimate of low dose risk levels. Radiation protection specialists generally agree that, in the light of present knowledge and from the standpoint of protection and regulatory procedure, which calls for extreme prudence, a linear relationship without threshold should be adopted between doses and stochastic effects. It is generally accepted that taking 5% per sievert as the probability of fatal cancer for a whole population exposed to low doses should not underestimate the risk involved.

Genetic effects have not been explicitly demonstrated in man. Assessments are consequently based on animal experiments, along lines consistent with human observations. The wide range of severity of genetic disorders makes it difficult to define a proportionality coefficient, but for deficiencies classified as "severe" the ICRP considers a coefficient of 1% per sievert for the whole population.

A child in the womb can be affected by exposure, although this would not appear to be the case during the first weeks of pregnancy. Beyond this period, a dose to the fetus exceeding 0.1 Sv can impede its development. Certain childhood cancers may be related to prenatal exposure, as shown by the thyroid cancer studies carried out on children exposed during the Chernobyl accident. The sensitivity of the fetus is doubtless slightly higher than that of the adult. Japanese data indicate that the intelligence quotient of infants irradiated during pregnancy may be affected. The most sensitive period is between 8 and 15 weeks after conception, but there is probably no significant difference for doses below 0.1 Sv.
1.3.2.3. Data derived from the Chernobyl accident

The health monitoring of the populations irradiated by the Chernobyl fallout, and of the "liquidators" entrusted with cleaning up the site during the weeks and months following the explosion of the reactor core, has enhanced our knowledge of radiation effects in two specific areas.

The number of thyroid cancers in exposed children is much higher than expected.

The most exposed populations, and especially those liquidators it has been possible to trace, showed a degree of morbidity, i.e. a relative frequency and gravity of diseases not specific to radiation, far higher than observed on average among their fellow citizens. This deterioration in health was first interpreted as evidence of post-traumatic stress disorder, characterized by anxiety, depression and psychosomatic illnesses and causing strained family relationships, divorces, increased consumption of alcohol, excessive use of medicines, violence, suicides and, more generally, behavioral problems.
Russian researchers and doctors from the All Russia Center of Ecological Medicine* noted, in studies which had remained secret, similarities between what they observed in the highly contaminated areas around Chernobyl, especially in certain liquidators, and what they had noted in the Ural areas contaminated by the Kyshtym accident of 1957, in which a tank containing a large quantity of radioactive products exploded and its contents were dispersed, and in the Kazakhstan zones irradiated during atmospheric nuclear tests. These researchers are notably considering the possibility of radiation-induced impairment of the immune system leading to the development of various non-specific pathologies. This team has now collected data on 75 000 of the 450 000 liquidators. Respiratory, digestive and central nervous system disorders were observed in a significant proportion of those whose exposure had exceeded 0.25 Gy, a value below the generally accepted threshold for the appearance of deterministic effects. Many publications on this subject are now available, from either the United Nations Scientific Committee on the Effects of Atomic Radiation (UNSCEAR) or the Organization for Economic Cooperation and Development (OECD).

Mortality assessments for these populations have so far given conflicting results. Deaths certainly occur in these populations, but so they do in unexposed populations, so that without accurate data on the mortality rates in both it is difficult to reach conclusions. ICRP publication No. 60 gives an idea of annual mortality rate variations according to sex and age for the populations of 18 industrialized countries where health conditions are considered satisfactory (Fig. 1.1). These graphs are not directly applicable to populations where the average lifetime is shorter.
However, they give minimum estimates showing, for instance, that in a 10 year period, about 10 000 to 20 000 deaths should be expected in a population of 1 million men aged between 20 and 30 at the beginning of the period considered. Owing to the problems involved in assessing the exposures due to the Chernobyl disaster, it has not yet been possible to determine the relationship between doses and effects. Doctors and scientists are presently concentrating on collecting as much reliable data as possible with a view to launching the requisite complementary studies.
* This is an interministerial organization responsible to the ministries for health and for defense, the State Committee on Chernobyl, the State Committee on health supervision and epidemiological surveys and the Military Academy of Medicine.
Fig. 1.1. Annual mortality probability as a function of age (developed countries).
1.3.3. Epidemiology limitations

Observation of low dose effects is impeded by the statistical and demographic limits of epidemiological studies.
1.3.3.1. Statistical limitations

The mean cancer mortality rate observed in developed countries is about 20 to 30% of all deaths, covering cancers of all origins, including any due to natural radioactivity. This mean rate masks significant variations from one population to another. In particular, as cancer is an illness which generally develops slowly, the risk of death by cancer increases with age. This means that the cancer mortality rate tends to increase in long-lived populations, where other causes of death have diminished.
Fig. 1.2. Number of deaths observed in metropolitan France.
This is what can be seen on the charts presented, based on the annual tables of numbers and rates of death from all causes (Fig. 1.2) and from cancer (Fig. 1.3) recorded and published in France by INSERM* for male and female populations. The statistical significance of these tables, based on a population of over 50 000 000 people, is considerable. They report more than 500 000 deaths per year, of which cancer is the identified cause in 130 000 cases. The following facts are noteworthy:
• a slight drop in the annual mortality rate, whereas the population is increasing slightly owing to the increase in average life span
• fluctuations in these figures, which can reach 3% from one year to the next
• a slow, fairly regular increase in the number of cancer deaths
• a much higher number of fatal cancers in men than in women, notably due to tobacco and alcohol
• a certain increase in the proportion of cancers among causes of death, this increase tending to be higher for men (Fig. 1.4).
Despite the size of the sample, fluctuations are obvious but the reasons for them are difficult to identify. This gives an initial idea of the limits to what can be conclusively established by observation alone.

* INSERM, Service d'information sur les causes médicales de décès, SC8, 44 Chemin de ronde, 78110 Le Vésinet.
Fig. 1.3. Number of cancer deaths in metropolitan France (vertical axis: number of cancer deaths per year).
On the basis of statistical considerations, and bearing in mind the relationship between the absorbed dose and the probability of a fatal cancer being induced, two homogeneous population groups of about 1 000 people each have to be compared in order to establish significant observations as to the effects of a 1 Sv dose received by all the members of one of the groups.
Fig. 1.4. Percentage of cancers among causes of death in metropolitan France (vertical axis: %).
To be able to observe the effects of a 0.1 Sv dose, we should need two groups of 100 000 people, with one group having systematically received the dose considered. For a 10 mSv dose, which is still higher than the mean natural exposure level, we should need two equivalent groups of 10 000 000 people, which is not realistically obtainable.
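As an added illustration (not from the book), the following Python reproduces the orders of magnitude quoted above with a standard two-proportion power calculation. It assumes the inputs the text gives, namely a baseline of about 25% of deaths from cancer and an excess of 5% per sievert under the linear no-threshold model; the 5% significance level and 80% power are conventional assumptions, not values from the book.

```python
"""Sample size needed to detect a radiation-induced excess of fatal cancers.

Added illustration, not from the book. It reproduces the orders of
magnitude quoted in the text (about 1 000 / 100 000 / 10 000 000 people
per group for 1 Sv / 0.1 Sv / 10 mSv) with a two-proportion power
calculation. Assumed inputs: a baseline fatal-cancer share of 25% of
deaths and a linear excess of 5% per sievert (both from the text); a 5%
two-sided significance level and 80% power (conventional choices).
"""
import math
from statistics import NormalDist

BASELINE_CANCER_FRACTION = 0.25   # text: 20 to 30% of deaths in developed countries
RISK_PER_SIEVERT = 0.05           # ICRP: 5% fatal cancers per Sv, linear, no threshold


def excess_fraction(dose_sv: float, risk_per_sv: float = RISK_PER_SIEVERT) -> float:
    """Additional lifetime probability of fatal cancer under the linear model."""
    return risk_per_sv * dose_sv


def required_group_size(dose_sv: float,
                        baseline: float = BASELINE_CANCER_FRACTION,
                        risk_per_sv: float = RISK_PER_SIEVERT,
                        alpha: float = 0.05,
                        power: float = 0.80) -> int:
    """People needed in EACH of two equal groups (exposed vs. reference) to
    detect the excess at a two-sided significance level `alpha` with the
    given power, using the normal approximation for two proportions."""
    p0 = baseline
    p1 = baseline + excess_fraction(dose_sv, risk_per_sv)
    if not 0 < p0 < p1 < 1:
        raise ValueError("proportions must satisfy 0 < p0 < p1 < 1")
    p_bar = (p0 + p1) / 2
    z_alpha = NormalDist().inv_cdf(1 - alpha / 2)   # 1.96 for alpha = 0.05
    z_beta = NormalDist().inv_cdf(power)            # 0.84 for power = 0.80
    numerator = (z_alpha * math.sqrt(2 * p_bar * (1 - p_bar))
                 + z_beta * math.sqrt(p0 * (1 - p0) + p1 * (1 - p1)))
    return math.ceil((numerator / (p1 - p0)) ** 2)


def size_ratio(dose_a: float, dose_b: float) -> float:
    """How many times larger the study must be for dose_b than for dose_a.
    The excess is linear in dose and the sample size scales as 1/excess^2,
    so a tenfold smaller dose needs roughly a hundredfold larger group."""
    return required_group_size(dose_b) / required_group_size(dose_a)


if __name__ == "__main__":
    for dose in (1.0, 0.1, 0.01):
        n = required_group_size(dose)
        print(f"{dose * 1000:8.0f} mSv -> {n:>12,d} people per group")
    print(f"0.1 Sv needs about {size_ratio(1.0, 0.1):.0f} times the people of 1 Sv")
```

The figures come out at roughly 1 250, 120 000 and 12 000 000 people per group, which is the book's 1 000 / 100 000 / 10 000 000 progression; the point to retain is the 1/dose² scaling, which is why the 10 mSv case is out of reach of any real study.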
1.3.3.2. Demographic limitations

The second difficulty is the need to check that no factor which could influence the proportion of cancers differs between the observed group and the reference group. There are a large number of such factors. The first concerns sex and age distributions, but corrections can be made for these. Others concern living conditions, eating habits, genetic composition (degree of consanguinity), the environment and various infection hazards. Corrections in all these fields are inaccurate or nonexistent. For geographically separated groups, it is highly unlikely that these different factors could be satisfactorily controlled, which introduces an additional uncertainty of a few percent. Two reference groups may show cancer percentages among causes of death of 25% for one and 23 to 27% for the other, without it being possible to explain exactly why. This prevents significant observation of the effects of doses smaller than 0.5 Sv, even for very large groups. The only exception, of course, is the studies undertaken following the Japanese explosions, where the irradiated and reference groups came from a homogeneous population. Conversely, if no difference is found between the two groups, the harmlessness of doses lower than 0.5 Sv cannot be confirmed either.
1.3.3.3. Other uncertainties

There are, in addition, other sources of significant uncertainty. Most of the ionizing radiation effects observed pertain to brief high level exposures at high dose rates. At high dose rates, several ionization events can occur in the same cell in a short space of time, amplifying the biological effects as compared with those of low doses and low dose rates. The International Commission on Radiological Protection (ICRP) considers that this increase in the biological effect per unit dose of high doses at high dose rates, as compared with low doses at low dose rates for the same total exposure, can be a factor of 2 in cases amenable to direct observation. This coefficient* is applied by the ICRP to derive the effects of low doses received over long periods, postulating a linear dose-response relationship. We have little precise knowledge of this factor; some UNSCEAR studies consider that it may vary between 2 and 10. The choice made by the ICRP is again intended to promote a prudent approach to protection.

Moreover, it is difficult to determine accurately the dose received by each survivor of the Hiroshima and Nagasaki bombings, as for each victim of an accident. A reassessment of the doses due to the neutrons released in the Hiroshima and Nagasaki explosions is one of the factors which led to modifications of the ICRP recommendations.

Another uncertainty arises because the entire population observed is not yet deceased, so the number of deaths to be attributed to radiation has to be extrapolated. There are two possible approaches. The additive approach adds to the expected cancer rate in a population a surplus related to radiation. This produces a wave of additional cancers, followed by a return to normal; the total is easy to assess once the wave has passed. The multiplicative approach, on the other hand, considers the expected cancer rate in a normal population to be multiplied by a factor due to radiation. In this case, the excess cancers among survivors continue to accrue throughout the lifetime of the sample group and can only be counted once the entire population considered has died. It is difficult to model which of the two corresponds to reality. As a precaution, the ICRP adopted the more pessimistic multiplicative model, but this pessimism should not exceed a factor of 2.

Finally, it is no simple matter to apply observations made on a specific ethnic group to other groups.
The cancer percentage for a specific organ may vary considerably, perhaps by a factor of 10, but this difference is attenuated when all cancers are considered together. It is most unlikely that the overall radiation sensitivity of the population of a country with a relatively high standard of living would differ from the mean value by more than 30%.
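As an added illustration of the additive and multiplicative projections discussed above (example code, not from the book), the following Python follows one exposed cohort through life with a constructed age-dependent cancer hazard. The hazards, the 10-year latency, the 30-year additive "wave", the exposure age and the excess parameters are all illustrative assumptions, not data from the book; the point shown is that the additive excess can be totalled once its wave has passed, whereas the multiplicative excess goes on accumulating until the cohort has died.

```python
"""Additive vs. multiplicative projection of radiation-induced cancer deaths.

Added illustration, not from the book. A single exposed cohort is followed
year by year from exposure to extinction. "Excess" means observed cancer
deaths minus those expected at baseline rates over the same person-years,
which is how an epidemiological study would count them.
All hazards and parameters below are constructed for illustration.
"""
import math

AGE_AT_EXPOSURE = 20     # assumption: everyone exposed at age 20
LATENCY = 10             # assumption: no radiation-induced cancers for 10 years
ADDITIVE_WINDOW = 30     # assumption: the additive "wave" lasts 30 years, then stops
MAX_AGE = 110            # the cohort is extinct by then


def baseline_cancer_hazard(age: float) -> float:
    """Constructed annual cancer-death hazard, rising steeply with age."""
    return 4e-5 * math.exp(0.085 * age)


def other_cause_hazard(age: float) -> float:
    """Constructed annual hazard of death from all other causes."""
    return 2e-4 * math.exp(0.075 * age)


def exposed_cancer_hazard(model: str, excess: float, age: int) -> float:
    """Cancer hazard of the exposed cohort at a given age.

    additive:       baseline + excess (per year) during the wave, then baseline
    multiplicative: baseline * (1 + excess) for the rest of life
    """
    base = baseline_cancer_hazard(age)
    since = age - AGE_AT_EXPOSURE
    if since < LATENCY:
        return base
    if model == "additive":
        return base + excess if since < LATENCY + ADDITIVE_WINDOW else base
    if model == "multiplicative":
        return base * (1.0 + excess)
    raise ValueError(f"unknown model {model!r}")


def project(model: str, excess: float, follow_up_years: int = MAX_AGE):
    """Follow the cohort for `follow_up_years` after exposure.

    Returns (excess_cancer_deaths, expected_cancer_deaths) per person
    initially exposed. With the default follow-up the cohort is extinct,
    so the first value is the lifetime excess.
    """
    survivors = 1.0
    excess_deaths = 0.0
    expected_deaths = 0.0
    end_age = min(MAX_AGE, AGE_AT_EXPOSURE + follow_up_years)
    for age in range(AGE_AT_EXPOSURE, end_age):
        h_cancer = exposed_cancer_hazard(model, excess, age)
        h_base = baseline_cancer_hazard(age)
        h_total = h_cancer + other_cause_hazard(age)
        # person-years lived this year by the survivors, under a constant hazard
        person_years = survivors * (1.0 - math.exp(-h_total)) / h_total
        excess_deaths += person_years * (h_cancer - h_base)
        expected_deaths += person_years * h_base
        survivors *= math.exp(-h_total)
    return excess_deaths, expected_deaths


def fraction_observed(model: str, excess: float, follow_up_years: int) -> float:
    """Share of the lifetime excess already visible after a given follow-up."""
    partial, _ = project(model, excess, follow_up_years)
    total, _ = project(model, excess)
    return partial / total


if __name__ == "__main__":
    for years in (40, 60, 90):
        add = fraction_observed("additive", 1e-3, years)
        mul = fraction_observed("multiplicative", 0.2, years)
        print(f"after {years:2d} years: additive {add:5.2f}   multiplicative {mul:5.2f}")
```

With these assumptions the additive wave is complete 40 years after exposure, while only about a fifth of the multiplicative excess has appeared by then: the rest is carried by the old-age cancer rates that the survivors have not yet reached, which is exactly why the multiplicative total cannot be read off a partially followed cohort.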
1.4. Radiation protection principles

In the light of present knowledge of the effects of ionizing radiation, the purpose of radiation protection is to preclude, insofar as possible, deterministic health effects by keeping doses below the specified thresholds, and to limit stringently the incidence of stochastic effects to a level deemed acceptable.

* DDREF: dose and dose-rate effectiveness factor.
In order to structure the principles to be applied, radiation protection specialists differentiate between two types of activity, both related to the existence, creation or use of radioactive products: "practices" and "interventions".

The term "practice" refers to any human activity liable to increase the level of exposure of populations to radiation, for example by creating new sources of radioactivity. Using nuclear reactors for the generation of electricity falls within this category. The term "intervention" refers to any human activity liable to diminish the exposure level, for example by modifying the transfer pathways between the source and man. Any protective action taken after an accident is an "intervention".

The radiation protection system recommended by the ICRP for practices is based on three general principles:
• no practice shall be adopted unless the benefit to be gained from it is sufficient with respect to the radiological detriment it could cause. This is the principle of justification.
• the doses induced by any radioactive source related to a practice shall be kept as low as reasonably achievable (ALARA), taking social and economic factors into account. This is the principle of optimization.
• the exposure of any person due to controllable sources shall be subject to individual limits deemed acceptable. This is the principle of limitation of individual doses.

The new ICRP document, publication No. 60, published in 1991, deals in similar fashion with exposures liable to result from incidents or accidents and necessitating interventions.
The principles to be respected in this case are as follows:
• the dose reduction expected to be achieved by an intervention must be sufficient to outweigh the detriment to the workers involved and the cost, including the social cost, of the intervention
• the intervention shall be planned in detail to ensure that the net benefit of the dose reduction is as large as can reasonably be expected
• certain interventions liable to give rise to high doses for certain workers can only be justified by the need to prevent serious deterministic effects for a wider population. In this case the principle of limitation of individual doses is inapplicable, since it could limit the benefit to the community of undertaking an intervention.

On the other hand, using the notion of potential exposure for the assessment of installation design raises difficulties, discussed in section 30.3. Such an assessment can only be based on measurable individual risks, such as the induction of a fatal cancer, which has to be associated with the corresponding exposure probability. But both these terms are questionable.
The probability that a quantity of radioactive products liable to have consequences for surrounding populations will be released can only be assessed with a considerable margin of uncertainty, since it depends on the probability of the initiating event, on the various events contributing to the scenario and on the behavior of the retention and containment systems. This uncertainty usually covers several powers of 10.

It is also obvious, since the Chernobyl accident, that the individual health risk (the probability that a fatal cancer will be caused) is not an adequate criterion for measuring the consequences of a nuclear accident. The number of persons involved, the degree to which the lives of individuals and communities are disrupted and the economic consequences of the countermeasures which have to be implemented may themselves be unacceptable, without it being possible to associate a proportionality factor with an exposure level. Discussions are proceeding.

These general radiation protection principles are formalized as specific standards relating to the different radioactive products, their modes of transfer to man and their "biological efficiency", differentiating between the different categories of workers concerned and different population groups. The transposition from radioactivity expressed in Bq to exposure levels for individuals is discussed in sections 5.8, 6.4.1, 21.3.2 and 30.4.2.

ICRP publication No. 60 fixes annual dose limits which must not be exceeded:
• 20 mSv per year averaged over 5 years for workers, without exceeding 50 mSv in any single year
• 1 mSv per year for the general public.
Adoption of these limits in France is presently proceeding.
2. Nuclear safety organization
The organization of nuclear safety in France has been modified over time. It initially depended on the Atomic Energy Commission (CEA), which, when founded in 1945, was entrusted with developing all aspects necessary to the use of this type of energy. In 1973, a specific safety body was set up by decree within the ministry in charge of industry: the SCSIN (Central Service for the Safety of Nuclear Installations). In 1988, this central service was in addition placed at the disposal of the State Secretariat for Major Risks, whose functions were subsequently taken over by the ministry for the environment, although for staff management it remained attached to the ministry for industry. In 1991, this service became a directorate, the DSIN (Nuclear Installation Safety Directorate), with the same attributions.

In parallel, in 1976, the part of the CEA assigned to the analysis and assessment of safety and radiological protection was grouped into an institute, the IPSN (Institute for Nuclear Safety and Protection). The autonomy of this institute within the CEA has been reinforced several times, most recently in 1990, with a view to emphasizing the independence of the safety structures from all operating organizations.

Other organizations are also involved in safety activities (Fig. 2.1). These are notably:
• the Parliamentary Office for Assessment of Scientific and Technological Options, whose scope is not limited to nuclear matters
• the Interministerial Commission for Basic Nuclear Installations, which is consulted on applications for licenses to create or modify basic nuclear installations and on the relevant regulations
• the High Council for Nuclear Safety and Information, grouping senior technical staff, representatives of the trade unions and of associations for the protection of nature and the environment, and journalists. Its assignments cover all questions relating to the safety of nuclear installations and the information of the general public and the media
• the Standing Groups, comprising high level experts who may be consulted by the Nuclear Installation Safety Directorate on the main assessments requested from the IPSN
• the Local Information Committees attached to all major power generating installations, most of which are nuclear.

Fig. 2.1. Nuclear safety in France, organization of the public authorities (boxes in the figure: the Parliamentary Office for Assessment of Scientific and Technological Options, assessment studies; the governmental authorities, i.e. the Minister in charge of Industry and the Minister in charge of the Environment, who consult the High Council for Nuclear Safety and Information and the Interministerial Commission for Basic Nuclear Installations; the Nuclear Installation Safety Directorate (DSIN) and the Regional Industry, Research and Environment Directorates (DRIRE); technical support from the Institute for Nuclear Safety and Protection (IPSN); the Standing Groups of experts for nuclear reactors, waste repositories and other nuclear installations; the nuclear section of the Central Commission for Pressure Vessels).

They are fully described in a brochure published in 1995 entitled "Nuclear Safety Supervision in France"*.
2.1. Nuclear security and safety

Since the boundaries between these two terms are not always perceived in exactly the same way, it may be helpful to reiterate the comparative definition given by the DSIN itself:

Nuclear safety implies the prevention of accidents, including those induced with malicious intent, and the mitigation of their effects. It also encompasses the technical provisions made to ensure the normal operation of facilities without excessive exposure of workers, by optimizing the production and management of radioactive wastes and effluents.
* Direction de la sûreté des installations nucléaires, Documentation.
Its scope falls within that of nuclear security, a wider concept, aimed at ensuring the overall protection of people and property against dangers, harmful effects and any forms of inconvenience which could result from the construction, operation and decommissioning of fixed or mobile nuclear installations, as well as from the storage, transport, use or transformation of natural or artificial radioactive substances.
2.2. Nuclear safety organization and responsibility sharing

It should be noted that both the presentation below and the entire document apply directly only to fixed civil nuclear installations and concern neither military activities nor sources used for medical or industrial purposes.

The principles of nuclear safety organization in France comply with the recommendations formulated by international organizations such as the IAEA (International Atomic Energy Agency), but also integrate national specificities. The main French nuclear installations are operated by particularly large organizations: EDF (Électricité de France) for the nuclear power reactors, COGEMA for most of the fuel cycle installations, and the CEA (Atomic Energy Commission) and its subsidiaries for most other installations. The operating organizations are therefore far less fragmented than in most other countries and generally take part in the design of their plants, which implies a particularly high level of competence in the field concerned. In addition, the CEA has acquired special scientific and technical competence in safety related areas.

This leads to a three-party nuclear safety organization with complementary functions. The operator is first and foremost responsible for the safety of his installation, since he alone is in a position to implement safety related measures directly. However, he must justify his actions before the public authorities, who are responsible for ensuring the protection of people and property throughout the national territory. Public authority actions in the nuclear field are conducted by the DSIN (Nuclear Installation Safety Directorate). This directorate is a relatively light structure, entrusted with conducting all actions related to regulatory procedures, the definition of technical regulations and the surveillance of installations. For the latter activity, the DSIN is assisted by the 8 nuclear sections (DIN) set up within the DRIRE (Regional Directorates for Industry, Research and the Environment). For the technical assessment of the justifications put forward by the operators, the DSIN is assisted by an expert body uninvolved in the "production" of the installations, the IPSN (Institute for Nuclear Safety and Protection). The DSIN and the IPSN are both required to contribute to informing the general public on the safety of the installations.

Nuclear safety is thus basically structured on three independent but very closely related sectors, of which only the supervisory ministries, usually represented by the DSIN and the DIN, are empowered to issue binding requirements. This is "the safety authority", whereas the DSIN, the DIN and the IPSN together constitute "the safety organizations". An additional sector must not be overlooked, one which has no institutional role but which has been able to play a vital role in some countries: public opinion.

A safety assessment starts with a written report from the operator, containing his own safety analysis, which is binding on him. A documentary working basis is indispensable for reference purposes. An analysis may also be initiated by the DSIN or the IPSN on questions they require clarified. An assessment ends with an IPSN document, equivalent to a binding expert opinion, followed by a document issued by the public authorities, generally the DSIN.

The need for written documents by no means implies that only administrative tasks are involved, even if correct application of the current regulations always has to be checked. A detailed, continuous technical and scientific interchange must be set up. This implies that all concerned are steeped in safety principles and practices and thoroughly acquainted with the installations, their operating conditions and the phenomena involved. The competence of the nuclear safety technical assessment body is an indispensable factor in the controlled evolution of principles and of their practical application.
It notably prevents the risk of going astray in response to demagogic and unrealistic demands devoid of technical consistency. The fact that the safety partners are independent does not imply hostility. Transparent technical interchange is both a token of mutual respect and a means of communicating know-how and concerns. It must in particular enable the concerns of the safety organizations to be shared with the operators. The ideal situation is not to have to impose anything on the operator because, convinced by the arguments presented, he has dealt with the problem on his own. This, in fact, is one of the aspects of his responsibility. It is in such a context that solutions representing optimum trade-offs are most likely to emerge. What then remains is to assess whether the technical solutions proposed are appropriate for the problems set.
2.3. Safety analysis reports and regulations

The examination of applications received by the safety authorities involves extensive discussions with the applicant, focused on the safety analysis reports. These are the basic documents to be submitted by the operator in support of requests for authorization to construct, start up, begin commercial operation and finally shut down. From the start-up stage onwards, general operating rules must be submitted at the same time as the safety analysis reports.

To facilitate the drafting of these reports and their subsequent analysis, a ministerial directive was issued on March 27, 1973 giving an outline for guidance, together with indications as to how installation safety analysis reports should be presented regarding basic methodology and a number of special cases. The highly formalized American method has not been adopted in France, even for those nuclear units built directly under license. There is no highly detailed standard format and no standard review plan based on the same breakdown. The contents are however entirely equivalent, as is shown by the safety analysis reports prepared by the plant builders for export projects.

It is not left entirely up to the safety analysis technician to judge, on the basis of his own references, what is sufficient or not. As the role of the public authorities is to safeguard persons and property, it is up to them to specify, at any given moment, the aims of safety measures and the limits of acceptability, without necessarily resorting to strictly formalized presentations. It must be borne in mind that these concepts are liable to change for reasons other than purely technical ones, which will be discussed later on.

Public authority requirements and provisions are contained in what is generally referred to as the regulations. Since a 1963 decree, the ministry in charge of industry has been responsible for the technical regulations governing nuclear safety. This responsibility is currently shared with the ministry in charge of the environment. There are various levels of documentation (Fig. 2.2), but only those at the highest level are statutory in character.

General technical regulations

The general technical regulations are contained to date in three ministerial orders. The first, dated June 15, 1970, dealt with prestressed concrete nuclear reactor vessels and did not concern light water reactors.
[Fig. 2.2, not reproduced. The diagram shows three tiers of documents: drawn up by governmental authorities (ministerial orders, basic safety rules); approved by governmental authorities (design and construction rules); drafted by operators (documents specific to an installation).]
Fig. 2.2 Organization of French regulatory documents.
The second, dated February 26, 1974, dealt with the application of regulations governing pressure vessels to light water reactor main primary systems. The third, dated August 10, 1984, dealt with the quality of design, construction and operation of basic nuclear installations. The text and associated application circular constitute Appendix B of the present document.
Basic safety rules (RFS)

A number of technical rules of a general nature have been drawn up by the DSIN and their technical advisors and are published in the form of "Basic Safety Rules". These documents specify those conditions which must be met in order to comply with French technical regulatory practice. They are generally issued after a certain experience of the problems considered has been acquired. Operators and manufacturers thus have access to the provisions deemed acceptable by the safety authorities in the areas dealt with. Observance of these rules facilitates safety analysis and justifications but is not compulsory. Operators and manufacturers have the right to propose alternative arrangements provided they can show that they fulfill the safety requirements defined in the rules to at least an equivalent level. Publication of these documents, a full list of which is appended, began in 1980. More than twenty of them apply to pressurized water reactors, nearly twenty to other installations.
The RFS are not, unless otherwise explicitly specified, to be applied retroactively. Furthermore, in order to ensure that standardization of plant series is maintained, they are only required to be taken into account for installation design after three years if nuclear units of the same standardized plant series have already been authorized. These documents have thus been drafted with an eye to the future. However, an underlying concern for continuity is apparent in their contents, since the state of the art and operating feedback are taken into account.
Design and construction rules

The French nuclear industry has drawn up codes and standards called Design and Construction Rules (RCC), which formalize standard practice to be used in the field of nuclear engineering. Drafting and publishing these detailed documents is beyond the competence of the safety organizations. However, the safety authorities carry out detailed analyses of the RCC and their later revisions to ensure that they meet the objectives specified during the authorization stage for each installation. These investigations can give rise to requests for modification. The DSIN can then officially formulate their agreement to use of the RCC by means of specially prepared Basic Safety Rules. There are sets of design and construction rules for several different engineering branches:
• mechanical equipment - RCC.M
• electrical equipment - RCC.E
• civil engineering - RCC.G
• fire protection - RCC.I
• fuel - RCC.C.
Finally, a last type of RCC, the RCC.P, concerning processes, is drafted by EDF and describes all the safety principles and provisions adopted for each of the standardized plant series. Other sets of codes and standards concerning in-service surveillance are drawn up under the same conditions as the RCC. The first of these, the rules for the in-service surveillance of nuclear island mechanical equipment in PWRs (RSEM), is presently being analyzed by the safety organizations. It should be followed by equivalent documents on civil works (RSEG) and electrical equipment (RSEE).
Ministerial directives

The documents which have just been described are all of a general character. They apply to all French nuclear power plant units, taking into account the rules concerning retroactivity which are considered on a case by case basis. Following examination of the safety options relating to the most recent standardized nuclear units, ministerial directives issued in 1979 and 1983 define the obligations and main installation characteristics for the 1300 MWe and 1400 MWe series of nuclear units, notably regarding safety. More recently, a safety option exercise on next generation reactors was carried out in a French-German context. It is presented in Chapter 29. These directives supplement the rules of a technical nature published by the DSIN in the form of basic safety rules.
Letters and advice issued by the DSIN

A number of DSIN letters, although not strictly speaking of a regulatory nature, establish the aims and specify the requirements which constitute the statutory legal aspects of nuclear safety in France. The importance of this is not to be overlooked, as we shall see in Chapter 11. All these documents together have gradually replaced the corresponding American documents which were previously used as references for analysis of French 900 MWe units and the first group of 1300 MWe units. Those issued by the public authorities are to be found in Document 1606 published by the French Republic Official Gazette, "Safety of Nuclear Installations in France - Legislation and Regulations", published in January 1995.
Developments in the content of safety analysis reports

Regulatory and quasi-regulatory documents require prior technical discussion between the safety authorities and the organizations wishing to build and operate nuclear plants of the type considered. These exchanges mainly take place at the time of plant safety assessments. The results of these discussions are progressively incorporated into the successive revisions of the safety analysis reports, as are also the results of discussions on options and technical decisions which are outside the scope of the regulations. Attention is drawn to the overlapping character of the regulations and the contents of the safety analysis reports. The endorsement of safety reports which are the result of technical discussions, and the formulation of which justifies the technical options taken up with respect to the criteria to be met, has, in effect, a certain regulatory status. This endorsement is in fact formalized, since the license authorizing construction of a basic nuclear installation, which ratifies the preliminary safety analysis report commitments, is issued in the form of a decree. The publication of "doctrine" in the form of regulatory documents can consequently be considered to be less urgent when common agreement has been reached and is reflected in the safety analysis reports, and when the entire process is sustained by continuous interchange. Other trends relating to principles, plant design or operating modes will be adopted during the lifetime of installations. Each application from an operator which has been assessed and approved becomes an integral part of the contract between the operator and the safety authorities.
2.4. Developments in safety goals

Safety is by no means an immutable, conclusive concept. It develops as greater insight is gained from continued research, from innovative experiments at the plants themselves or direct operating experience in France and throughout the world. Standard aims may change, as we shall see, but in this context, the role of the technicians is simply to propose. Decisions are political, since only at this level can all the economic, environmental and social parameters be considered. To date, for the main installations, the acceptability limits adopted regarding accident situations have been based on limitation of the effects of an accident on the health of the nearby population, calculated with all due circumspection. This involves limiting increases in the probability of occurrence of fatal cancer to such low values as to be imperceptible with respect to the cancer mortality figure for developed countries, standing at about 25%. The Chernobyl accident showed that it was also important to provide against psychological, social and economic consequences due to the displacement of populations, should this prove necessary, or, in a wider context, to restrictions in the consumption or marketing of foodstuffs. It also confirmed the interest of more realistic assessment of potential release levels. This will result, in the future, in far more stringent limitations for anticipated accident release levels. These new constraints will be integrated in the design of future plants. In France, the main driving force behind safety aim developments is represented by the IPSN, which contributes to the detection of safety problems and makes proposals accordingly. These developments are also influenced by international trends in the nuclear world, stimulated by the innumerable contacts between the countries concerned but also by the major international organizations in charge of these questions, the Nuclear Energy Agency of the Organization for Economic Cooperation and Development (OECD) and the IAEA. At all these levels, public opinion is an unremitting stimulus but plays no technical role. The definition of technical solutions, on the other hand, is the task of the organizations entrusted with the operation of the installation and the related financial liability. If this were not so and solutions were proposed by the analysts themselves, certain aspects might be overlooked and there would no longer be provision for external expertise.
2.5. Safety Culture

It was also further to the Chernobyl accident that the IAEA and the experts it had convened introduced and developed the concept of "Safety Culture". We have no hesitation in recommending that our readers consult the reports issued by the International Nuclear Safety Advisory Group (INSAG) concerning the basic safety principles for nuclear power plants (INSAG 3) and Safety Culture (INSAG 4), but the most important points are nevertheless reproduced below. These two documents explicitly concern nuclear power reactors, but there is nothing in their content which limits application of the principles they contain to nuclear installations. Two aspects are dealt with, one concerning individual and small group attitudes, the other focusing on the structures and organizations actively involved. These two aspects are indissociable (Fig. 2.3).

Safety culture is that assembly of characteristics and attitudes in organizations and individuals which establishes that, as an overriding priority, nuclear plant safety issues receive the attention warranted by their significance. Safety culture refers to the personal dedication and accountability of all individuals engaged in any activity which has a bearing on the safety of nuclear power plants, an all pervading safety thinking which allows an inherently questioning attitude, the prevention of complacency, a commitment to excellence, the fostering of both personal accountability and corporate self-regulation in safety matters and acknowledgement of the absolute necessity for all forms of communication. In any important activity, the manner in which people act is conditioned by requirements set at a high level. The highest level affecting nuclear plant safety is the legislative level, at which the national basis for safety culture is set. Within an organisation, similar considerations apply. Policies promoted at a high level create the working environment and condition individual behaviour.
It is the responsibility of managers to institute such practices in accordance with their organisation's safety policy and objectives.*

[Fig. 2.3, not reproduced. The diagram links the following elements: statement of safety policy; definition of responsibilities; policy level commitment; managers' commitment; rewards and sanctions; audit, review and comparison; resources; self-regulation; definition and control of safety practices; qualifications and training; management structures; questioning attitude; individuals' commitment; rigorous and prudent approach; communication; safety culture.]
Fig. 2.3. Diagrammatic presentation of safety culture (INSAG 4).
As will be seen, this concern for safety culture and its behavioral component will be extensively reflected in the various chapters of the present document, but a culture and the attitudes it induces are not grounded solely on apprehending facts. Administrative structures, the sharing of responsibilities but with room left for personal initiative, social ties and other factors inherent to life in a large organization have intersecting influences on these attitudes. This subject is the topic of on-going discussions, notably at EDF.
* These extracts are taken from paragraphs 6, 7, 16, 18, 35 and 62 of the IAEA document, Safety Series No. 75-INSAG-4, published in 1991.
3
Deterministic safety approach
This chapter, like most of the following ones, is focused on pressurized water reactors of the type developed in France, but the principles are more general in scope. These reactors stem from the license agreement with the American company Westinghouse, from which the French power plant builder Framatome gradually withdrew, to achieve an entirely French design for the N4 standardized series of reactors. However it must be said that, as compared with other pressurized water reactors in different parts of the world, the design consistency is still very apparent. Appendix C gives certain technical information and indicates the locations and first criticality dates for the French power reactors.
3.1. Determination of specific risks

Nuclear reactors have two specific characteristics which differentiate them from other energy production installations:
• these reactors accumulate a large quantity of radioactive products (Table 3.1) from which staff must be protected and the large scale dispersal of which to the environment would constitute a major accident
• significant energy release continues for a very long time, even after reactor shutdown, since it is related to the radioactivity of the fission products contained in the reactor core.
Plant safety therefore depends on adequate protection with respect to radiation sources together with their confinement. If the sources are localized in the appropriate areas provided, radiation protection can be achieved by the judicious installation of absorbent shields of a suitable material and thickness. Difficulties arise mainly from dispersal of radioactive products outside the standard localized areas. The possible causes of such dispersal shall therefore be investigated. Radioactive products are, for the most part, produced within the fissile material itself and it is desirable that they remain there until the fuel has been reprocessed in a suitable plant. Correct cooling of the fuel and fuel cladding is therefore essential.

Table 3.1. Maximum activity of some of the main fission products in TBq*.

                                Rare gases   Iodine     Cesium
Core, 2 hours after shutdown    10^7         2 x 10^7   10^6
Spent fuel                      10^6         10^7       2 x 10^4
Primary system                  3 x 10^2     20
Gaseous effluents               2 x 10^2
It should be pointed out that:
• under normal operating conditions, a nuclear reactor has no "natural" power level. In order to be able to operate for at least a year without refuelling and to counterbalance various power-related effects, the core has to contain a quantity of fissile material far exceeding the critical mass at cold shutdown. The power level produced by this material consequently results from combining various parameters which must be controlled from outside
• under particular operating conditions, the energy released in a nuclear reactor can increase extremely quickly, in an uncontrolled manner, and can then only be limited by neutron feedback effects related to temperature rises or fuel dispersal
• energy released in fuel which was part of a chain reaction cannot afterwards be annulled, even when the reaction is over. In fact, radioactive products deriving from fission must themselves release a certain amount of energy in order to reach a stable state. They do this with a decay period specific to each element, which can be very short (less than 1 second), average (months or years) or very long (hundreds or thousands of years). Although decreasing, the power produced will for a long time be greater than one-thousandth of the rated power and this calls for continuous cooling (Table 3.2).
Prevention of specific risks therefore requires:
• efficient control of the chain reaction and hence of the power produced
• fuel cooling assured under thermal hydraulic conditions designed to maintain fuel clad integrity, thus constituting an initial containment system
• containment of radioactive products in the fuel but also in the primary coolant, in the reactor building constituting the containment or in other parts of the plant unit.
Maintaining these three safety functions is the key to reactor safety.

* 900 MWe PWR, maximum burnup 33,000 MWd/tU. 1 TBq = 10^12 Bq = 27 Ci (curie).
Table 3.2. Radioactive decay power*.

Time after shutdown   Percentage of the initial thermal power   Thermal power produced in MW
1 second              17 %                                      500
1 minute              5 %                                       150
1 hour                1.5 %                                     45
1 day                 0.5 %                                     15
1 week                0.3 %                                     9
1 month               0.15 %                                    4.5
1 year                0.03 %                                    1
10 years              0.003 %                                   0.1
100 years             0.001 %                                   0.03
1000 years            0.0002 %                                  0.006
3.2. Potential risks, residual risks, acceptable risks

Estimation of the risks associated with operation of a nuclear installation requires that a distinction be made, as for all industrial facilities, between potential risks, which would exist in the absence of all protective measures, and residual risks, which remain despite provisions made to prevent accidents and, if an accident occurs, to minimize the consequences. Nuclear safety is specifically concerned with this dual objective. Potential risks are clearly defined by the radioactive substances involved, so that the only difficulties involved concern estimating residual risks, since it is impossible to claim that these can be reduced to zero level. These risks are subject to a double estimation, in terms of the probability of possible accidents and in terms of seriousness, depending on the gravity of accident consequences. The idea of probability arises naturally when problems of safety are broached. The logical and instinctive approach is to ensure that an accident is all the more unlikely the higher the risk of serious environmental consequences. It is essential that a very severe accident with major consequences be considered as highly improbable.
* 3 000 MWth reactor (approximately 1 000 MWe) at end of cycle, uranium fuelled, maximum burnup: 33 000 MWd/t.
This natural approach was the guiding principle in the early work carried out in the field of nuclear safety. The "Farmer curve" (Fig. 3.1.), produced at the beginning of the seventies, shows an authorized area and a forbidden area on either side of a curve plotted on a probability versus consequences graph, with the consequences expressed as radioactive iodine release. Only the symbolic aspect is presented here. The designers of nuclear power plants then engaged upon a thorough study and more precise definition of this curve by matching probability ranges with radiological consequences which could be considered acceptable. A few years later, the safety organizations specified an indicative limit for the maximum accident probability likely to give rise to consequences deemed unacceptable. This by no means implies that situations of even lower probability should receive no attention. It has to be shown that all types of accidents considered credible have been taken into account and are covered by the accident studies performed and that the systems provided to prevent their development or mitigate their consequences, the engineered safety systems built into the installations, effectively enable the safety objectives to be achieved. Safety specialists have progressively developed an entire arsenal of principles, concepts and methods applicable both at the design stage and at the construction and operating stages.
Fig. 3.1. Relation between probability and consequences. Farmer graph.
These are, firstly, the barriers, secondly the defense in depth concept, which has been gradually extended, and thirdly the probabilistic studies, which will be discussed in other chapters.
3.3. The barriers

When France adopted the pressurized water reactor system, built under American license, our country had already built several major nationally designed installations and perfected an appropriate safety approach, the barrier method. It is this method which was applied to the light water reactors in the first place. The defense in depth concept, of American origin, was subsequently adopted by the plant designers and safety organizations in France and adapted in the light of their experience. Jean Bourgeois, former director of the Institute for Nuclear Safety and Protection (IPSN), described the barrier method as follows, at the Congress held in Vittel in 1973.

"Protection of the public against the consequences of an accidental release of fission products rests on the interposition of a series of leaktight barriers. Safety analysis therefore consists firstly in ensuring the validity of each of these barriers and their correct operation under normal and accident reactor operating conditions. This kind of analysis emphasizes the progressive nature of safety by distinguishing three successive but interrelated stages:
• prevention: the validity of each barrier must be demonstrated for the materials selected, their adaptation to the operating conditions and maintenance of the specified characteristics over a period of time. It is essential that the technological limits be shown so that the real margin between these limits and the operating conditions can be defined with a good degree of certainty

[Fig. 3.2, not reproduced; of its labels only "3rd barrier: Reactor containment building" survives.]
Fig. 3.2. Main PWR barriers.
• monitoring: this is designed to detect any drift to within the margins defined above in order to be able, if necessary, to actuate a corrective action, either manually or automatically, in good time for return to normal operating conditions
• mitigating action: in the event of accidental exceeding of the technological limits, the purpose of protective action is to prevent the release of radioactive products or to limit the scale of the release.
For each type of reactor, there are generally three or four barriers (Fig. 3.2), considered to be both leaktight and resistant: the fuel cladding, the reactor coolant pressure boundary, the primary containment and possibly the secondary containment. Each of these is examined in detail under the three operating conditions described below:
• normal operation: the simplest and best defined category, for which the fixing of margins with regard to technological limits must take into account any uncertainties which might exist
• normal operating transients (startup, power buildup, load variations): as a general rule, the safety margins fixed for normal operating conditions must allow these transients to be absorbed without tripping irreversible corrective actions
• abnormal operating transients, following equipment failure or induced by human error: the drawing up of various possible sequences reveals critical points and hence enables improvement of reliability or monitoring processes.
In order to synthesize this survey of the barriers and particularly to determine their independence from each other, which is essential for safety assessment, an examination of the development of typical major accidents must be undertaken. This final process has a rather formal character as, in certain cases, it involves postulating events which cannot be precisely identified.
This has the advantage of allowing assessment of the dynamic response of radioactive products to transfer from the core to the outside containment vessel and of providing an order of magnitude for site radiological consequences if the integrity of all barriers were to be breached". This method is deterministic, since it attests the possibility of a certain number of accident situations. It was applied during the first 900 MWe PWR unit examinations at the beginning of the 1970s and revealed certain difficulties. If the definition of the first barrier is simple despite its extent, i.e. fuel clads for all fuel rods, this is not true for the other two barriers. The reactor coolant pressure boundary is clearly defined within the reactor building. It branches out, however, in a fairly complex manner in the auxiliary building where volume and boron concentration control is carried out, together with primary fluid purification. The spent fuel pit has the same function, despite its free surface. As we have just seen, the reactor building containment is not the only place containing spent fuel or primary coolant. Delimitation of the third barrier is thus also fairly complex.
Finally and most importantly, this succession of three barriers implies one markedly important fact: the steam generator tubes, with a considerable total surface area (more than 1 hectare) and a very thin wall (about 1 mm), simultaneously fulfill the functions of primary coolant enclosure and containment (second and third barriers). The secondary system, where the design pressure is below that of the primary system, must be protected against overpressures by safety valves. It can consequently not be considered as leaktight if a steam generator tube break allows a secondary system pressure buildup imparted by the primary system. This is a serious and difficult-to-avoid strain on the notion of a succession of independent barriers. It is a characteristic and well-known PWR problem, which we shall return to in Chapter 8.
Fig. 3.3. Vertical section of a 1300 MWe PWR P'4 standardized unit.
These reflections have contributed to the evolution of safety thinking from the barrier method to the defense in depth concept. This concept in fact includes the barrier method, but enables an analysis of installations to be carried out which is both more comprehensive and more detailed.
For other nuclear installations, whether large or small, the barrier method has also been applied from the outset and remains an essential principle of safety assessment.
3.4. The defense in depth concept

The defense in depth concept is not an installation examination technique eliciting a particular technical solution, as is the case in a graded barrier context, but is a method of reasoning and a general framework enabling more complete examination of an entire installation, the objective being as much design improvement as analysis. It was developed in the United States in the sixties and was notably the design basis for the Westinghouse nuclear power reactors. The approach linking successively prevention, monitoring and mitigating action is broadened to cover all safety related components and structures. We shall see that this approach, initially developed for plant design analysis, is also well adapted to operating organization. Before describing the different stages involved, the principle can be simply summarized as follows: although the precautionary measures taken with respect to errors, incidents and accidents are, in theory, such as to prevent their occurrence, it is nevertheless assumed that accidents do occur and provisions are made for dealing with them so that their consequences can be restricted to levels deemed acceptable. This does not obviate the need to study still more severe situations, the causes of which may as yet be unknown, and to be ready to confront them under the best possible conditions. The approach combines the prevention of abnormal situations and their degradation with the mitigation of their consequences. It is a deterministic method, since a certain number of incidents and accidents are postulated. The defense in depth concept consists in a set of actions, items of equipment or procedures, classified in levels, the prime aim of each of which is to prevent degradations liable to lead to the next level and to mitigate the consequences of failure of the previous level. The efficiency of mitigation must not lead to cutbacks in prevention, which takes precedence.

The approach itself has been gradually perfected and its various stages will be referred to throughout this document. In July 1995, the IAEA International Nuclear Safety Advisory Group adopted a document on this subject (INSAG 10, Defense in Depth in Nuclear Power Plant Safety). Its publication in English, followed by the other official IAEA languages, is currently proceeding. This document presents the history of the concept since its inception and how it is currently applied, and indicates advisable modifications for its application to the next generation of reactors. It is fully discussed in what follows and we shall revert to it in Chapter 29, devoted to the next generation of reactors.
3.4.1. The defense in depth levels

The defense in depth concept now comprises five levels. The way in which these levels are structured may vary from one country to another or be influenced by plant design, but the main principles are common. The presentation below is consistent with the new INSAG document.

First level: prevention of abnormal operation and failures

The installation must be endowed with excellent intrinsic resistance to its own failures or specified hazards in order to reduce the risk of failure. This implies that, following preliminary delineation of the installation, as exhaustive a study as possible of its normal and foreseeable operating conditions be conducted to determine for each major system, structure or component the worst mechanical, thermal or pressure stresses, or those due to environment, layout, etc., for which allowance must be made. Normal operating transients and the various shutdown situations are included in normal operating conditions. The installation components can then be designed, constructed, installed, checked, tested and operated by following clearly defined and qualified rules, while allowing adequate margins with regard to specific limits at all times to underwrite correct behavior of the installation. These margins should be such that systems designed to deal with abnormal situations need not be actuated on an everyday basis. A moderate-paced process with a computer-based control system will diminish operating staff stress hazards. Man-machine interface provisions and time allowances for manual intervention can make a significant contribution. In the same way, the various disturbances or hazards deriving from a source external to the plant, and which the installation must be able to withstand without operating disturbances or, in other cases, without causing significant radioactive discharge, shall be specified. Site selection with a view to limiting such constraints can play a decisive role.
In this way, it is possible to determine a reference seismic level, extreme meteorological conditions expressed as wind speed, weight of snow, maximum overpressure wave, temperature range, etc. The new stress factors thus derived shall be used in the same way as before. Sets of rules and codes, previously described, define in a precise and prescriptive manner the conditions for design, supply, manufacture, erection, checking, initial and periodic testing, operation and preventive maintenance of all safety related equipment and structures in the plant in order to guarantee their quality in the widest sense of this term. The selection of appropriate staff for each stage, from design to operation, their appropriate training, the overall organization, the sharing of responsibilities or the operating procedures contribute to the prevention of failures throughout plant life. This also applies to the systematic use of operating feedback. On this basis may be defined the authorized operating range for the plant and its general operating rules.
Second level: control of abnormal operation and detection of failures The installation must be prevented from straying beyond the authorized operating conditions which have just been defined and sufficiently reliable regulation, control and protection* systems must be designed with the capacity to inhibit any abnormal development before equipment is loaded beyond its rated operating conditions, so defined as to allow substantial margins with respect to failure risks. Temperature, pressure and nuclear and thermal power control systems shall be installed to prevent excessive incident development without interfering with power plant operation. With a plant design procuring a stable core and high thermal inertia, it is easier to hold the installation within the authorized limits. Systems for measuring the radioactivity levels of certain fluids and of the atmosphere in various facilities shall assume monitoring requirements and check the effectiveness of the various barriers and purification systems. Malfunctions clearly signalled in the control room can be better dealt with by the operators without undue delay.
* Control systems are sometimes included in first level provisions. The INSAG document places automatic shutdown at third level. But these variations make no difference to the general principle.
3 - Deterministic safety approach
Finally, the protection systems, the most important of which is the emergency shutdown system but also including, for example, safety valves, shall be capable of rapidly arresting any undesirable phenomenon, inadequately controlled by the relevant systems, even if this entails shutting down the reactor. Furthermore, a periodic equipment surveillance program enables any abnormal developments in major equipment to be spotted. Such developments would otherwise be likely to lead to failures over a period of time. Periodic weld inspections, crack and leak detection, routine system testing pertain to these preventive surveillance activities.
Third level: control of accidents within the design basis The first two levels of defense in depth, prevention and keeping the reactor within the authorized limits, are designed to eliminate with a high degree of reliability the risk of plant failure. However, despite the care devoted to these two levels and with the obvious aim of safety, a complete series of incidents and accidents is postulated by assuming that failures could be as serious as a total instantaneous main pipe break in a primary coolant loop or a steam line, or could concern reactivity control. This places us in a deterministic context, which is one of the essential elements of the safety approach. We are then required to install systems for limiting the effects of these accidents to acceptable levels, even if this involves the design and installation of safety systems having no function under normal plant operating conditions. These are the engineered safeguard systems*. Startup of these systems must be automatic and human intervention should only be required after a time lapse allowing for a carefully considered diagnosis to be reached. In the postulated situations, the correct operation of these systems ensures that core structure integrity will be unaffected, which means that it can subsequently be cooled. Release to the environment will consequently be limited. The choice of incidents and accidents must be made from the beginning of the design phase of a project so that those systems required for limiting the consequences of incidents or accidents integrate perfectly with the overall installation design. This choice must be made with the greatest care as it is very difficult to insert major systems in a completed construction at a later date.
* For PWRs built in France, these systems are:
• the systems injecting emergency water into the reactor coolant system
• the steam generator auxiliary feedwater supply system
• the containment, withstanding an overpressure of about 4 bar rel, associated with the systems ensuring internal spraying, the automatic isolation of penetrations, containment atmosphere monitoring and, in the case of double-wall containment, depressurization of the annulus.
Fourth level: control of severe plant conditions including prevention of accident progression and mitigation of severe accident consequences In the context of on-going analysis of risks of plant failure, such as the accident which occurred at Three Mile Island in 1979 (Chapter 13), it was decided to consider cases of multiple failure and, more generally, the means required to contend with plant situations which had bypassed the first three levels of the defense in depth strategy or which were considered as part of the residual risk. Such situations can lead to core meltdown and consequently to even higher release levels. The concern here is consequently to reduce the probability of such situations by preparing appropriate procedures and equipment to withstand additional scenarios corresponding to multiple failures. These are the complementary measures described in Chapter 11. Every endeavor would also be necessary to limit radioactive release due to a very serious occurrence which would nevertheless have involved core meltdown and to gain time to arrange for protective measures for the populations in the vicinity of the site. It is then essential that the containment function be maintained under the best possible conditions. The latter accident management actions are defined in emergency procedures and are outlined in the internal emergency plan (PUI) for the plant concerned and will be discussed in detail in Chapter 15. These measures can only be implemented efficiently if operators are suitably trained and duly supported by the organizational structures provided by the utility.
Fifth level: mitigation of radiological consequences for populations of significant offsite release of radioactive materials Population protection measures in response to high release levels (evacuation, confinement indoors with doors and windows closed, distribution of stable iodine tablets, restrictions on certain foodstuffs, etc.) would only be necessary in the event of failure or inefficiency of the measures described above. We thus remain within the logic of defense in depth.
The conditions of this evacuation or confinement are within the scope of the public authorities, including the Civil Security Authority. They are supplemented by the preparation of long or short term measures for controlling the consumption or marketing of foodstuffs which could be contaminated. Such measures are included in the external emergency plans (PPI) and will be described in Chapter 17. The decision to implement such measures will be based on analysis of the situation by the operator and the safety organizations and then on environmental radioactivity measurements. The corresponding methods are described in the same chapter. Periodic drills will also be necessary in this area to ensure adequate efficiency of the resources and liaison arrangements provided.
Fig. 3.4. The defense in depth concept: purposes, methods and means (INSAG 10). Figure not reproduced; its labels, level by level (purpose, then means), are:
Level 1: prevention of abnormal operation and failure, by conservative design and high quality in operation.
Level 2: control of abnormal operation and detection of failures, by control, limiting and protective systems and other surveillance features.
Level 3: control of accidents within the design basis, by engineered safety features ensuring safety functions and accident procedures.
Level 4: control of severe plant conditions including prevention of accident progression and mitigation of severe accident consequences, by complementary measures and accident management.
Level 5: mitigation of radiological consequences of significant off-site release of radioactive materials, by off-site emergency response.
Elements common to the different levels Defense in depth can only be satisfactorily implemented if care is taken at each level to ensure an appropriate degree of conservatism, quality control and attitudes stemming from safety culture. The notions of conservatism and safety margins, very closely linked with the deterministic approach, apply particularly to the first three levels of defense in depth under conditions discussed in the following chapters. Severe accidents, on the other hand, generally require a less conservative approach and realistic assessments are preferable when populations have to be protected against substantial radioactive release. Quality control will be dealt with at the end of this chapter. Finally, as mentioned in the previous chapter, all those actively involved in plant safety, whether they be operators, constructors, contractors or members of safety organisms, must be thoroughly versed in safety culture.
3.4.2. General comments The notion of successive defense levels implies that these levels be as independent as possible. It will consequently be very important to ensure that the same event or failure, whether single or multiple, could not affect several levels simultaneously, thereby calling the entire approach into question. This would be the case, for example, if a specific failure inhibited the systems provided to limit the consequences of the event considered. We shall come back to this problem several times. Safety system reliability must be adequate. Special design, layout and maintenance rules are applied to this aspect. These will be presented in the next chapter. The fourth level was set up to fill in the gaps revealed in the situations envisaged prior to 1975. This level thus covers measures for the prevention of substantial core meltdown which ought to have been included in the third level and provisions for the management of more severe accidents which fit better into this stage in the phasing of preventive actions. In the most recent French standardized plant series, the N4, complementary preventive measures decided on at the design stage are dealt with in a manner which is closer to the method used for engineered safeguards, without this being a matter of principle. The fourth level nevertheless conserves its dual character, covering management of the most severe accidents with particularly low probabilities and compensation for any initial design deficiencies.
However, in view of the efforts made, it should now be possible to considerably limit radioactive release in a substantial majority of even highly degraded situations. Until recently, levels 4 and 5 were combined in one level. In accordance with the logic of the defense in depth concept, the need for protective actions with respect to populations in the vicinity of the site effectively corresponds to the failure, or relative failure, of the measures taken at the previous level. There must consequently be a differentiation between the two levels involved.
3.5. Quality control The efficiency of these principles and methods would be limited if the quality control of all activities involved in the design, supply, manufacture, erection, tests and inspections, operating preparations and the actual operation itself were not fully ensured. This depends on the motivation of all concerned and implies appropriate organizational procedures. Provisions relating to quality are structured in a regulatory document, the ministerial order of August 10, 1984 concerning the quality of the design, construction and operation of basic nuclear installations, together with its application instructions. The importance of these documents is such that they are appended (Appendix B). The reader may thus consult them directly. However, although they are not summarized in the present text, there will be many references to them. Quality control was first implemented by EDF with the following activity organization rules:
• specify in writing what has to be done
• do what is specified
• report in writing what has been done.
This procedure ensures clear, accessible records of all safety-related activities but can cause communication problems between those preparing interventions and those carrying them out. The former, required to specify work to be done by others, must be familiar with safety principles and with the specific risks associated with the intervention. Their technical background must be such as to enable them to determine what has to be done, but they may lack detailed knowledge of how it is to be done. Those responsible for actually doing the work, on the other hand, are well acquainted with the close range details, but may have difficulty in interpreting the specified instructions in terms of their own practical working methods. Moreover, they are usually not accustomed to writing detailed reports.
These apparently straightforward principles are consequently not always easy to apply. As for safety culture, discussions are proceeding on this subject, especially at EDF.
4. Analysis of operating conditions
An essential part of safety analysis comprises investigation of the various situations which the installation can be required to withstand, ranging from normal operating conditions to more and more severe accident conditions. According to the defense in depth concept, prevention does not suffice to make a plant absolutely accident-proof. The few exceptions to this rule will of course be examined. As we shall see, the first accidents considered were those due to possible weaknesses of the installation itself. Risks deriving from interaction between the various power plant systems have been progressively identified and taken into account. Similarly, the possibility of external hazards, either natural or connected with human activity, has been investigated and the results used to determine design or installation constraints. These different families of accidents will be examined successively in this and the following chapters.
4.1. Classification of operating conditions The principle that incidents or accidents can occur despite precautions taken to prevent them is an inadequate basis for determination of the characteristics of these phenomena. Not all accidents have the same probability, and the acceptable consequences are therefore not the same in each case. Discussions conducted in France in 1975 on the basis of an American standard (ANSI N18.2) led to acceptance by the safety authorities of an EDF plant design proposal, featuring a table showing the correspondence between estimated frequency ranges and the maximum allowable orders of magnitude for radiological consequences. As the estimated frequency of incident or accident operating conditions is not directly derived from experience but from assessments, it is natural that the figures given are only orders of magnitude covering, in each case, a factor of 100. Regarding the levels of acceptable radiological consequences indicated for the third and fourth categories, these figures are only orders of magnitude suggested by the operating utility and accepted by the safety authorities. They have no statutory character (Table 4.1).
Table 4.1. Classification of plant operating conditions (the frequency/consequences relationship is only valid in the context of the defined conditions of analysis)
Category of operating conditions | Order of magnitude of annual frequency per unit | Order of magnitude of maximum allowable radiological consequences at site perimeter
Category 1: normal operating conditions | permanent or frequent | Observance of effluent release permit limits for the site, over the year (some 10 µSv)
Category 2: minor but frequent incidents | 10⁻² to 1 per incident | Observance of effluent release permit limits for the site, per incident (some 10 µSv)
Category 3: unlikely incidents | 10⁻⁴ to 10⁻² per incident | Whole body < 5 mSv, thyroid < 15 mSv
Category 4: limiting faults | 10⁻⁶ to 10⁻⁴ per accident | Whole body < 150 mSv, thyroid < 450 mSv
The value adopted for the maximum allowable third category conditions, 5 mSv, is the same as the annual permissible exposure level for members of the public proposed by the International Commission on Radiological Protection (ICRP) in 1977. This is an accepted value but has no regulatory character. The table is common to the three generations of PWRs presently operating, the 900 MWe, the 1300 MWe and the 1400 MWe. We shall see in Chapter 29 that significant changes are to be expected in the next series of PWRs. It should be noted that the expression "operating condition" was preferred to the terms transient, incident or accident, since it is more general and concerns the entire plant. This terminology also avoids use of the term "situation", which is more correctly used to describe the status of a specific item of equipment and is used notably in the statutory regulations governing pressure vessels. The term is however commonly used to describe any plant condition.
4 - Analysis of operating conditions
4.2. Definition of design basis operating condition categories It is worth drawing out the implications of the various categories given in Table 4.1. Normal operating conditions correspond to states and transients taken into account at the first level of defense in depth. They cover the entire range authorized by the Operating Technical Specifications. This is the normal daily routine of the plant. If there is any possibility of release of radioactive substances into the environment, this release must be totally controlled, carried out under special specified conditions and, of course, accounted for. The annual cumulative release must not exceed values laid down by an interministerial authorization order for liquid and gaseous release levels unique to each site. The effects of these bounding case release levels, calculated under pessimistic conditions, do not exceed a few tens of µSv. Minor but frequent incidents in the second category are those considered at the second level of defense in depth. They can result in plant operation outside the prescribed limits and must be controlled by regulation and protection provisions. Analysis of these incidents can provide a basis for determining the salient features of these provisions. They are associated with a fairly high frequency level and are therefore considered as almost inevitable. Because of this, the release resulting from each such incident, accounted for in this case over a period of a few hours, must not exceed the annual authorized release levels. This implies that any release of radioactive substances due to an incident of this type must take place through monitored channels, stack or discharge piping, so that, although these releases are inadvertent and uncontrolled, they can nevertheless be fully accounted for.
The unlikely accidents of the third category can involve uncontrolled releases but estimation of the consequences of these releases must show that they remain at relatively low levels: the equivalent whole body dose after exposure of two hours for members of the public occupying the most unfavorable position at the site boundary and with the least favorable weather conditions must be less than 5 mSv. If we refer to the coefficients presented in Chapter 1 linking absorbed dose and probability of fatal cancer being induced, we find that a 5 mSv dose would increase the cancer risk for an individual by 0.025%, whereas the "natural" percentage observed in the French population exceeds 25%. The limiting fault accidents in the fourth category are the most serious accidents under consideration in this first approach.
Significant damage to fuel is admitted, but the installation must nonetheless remain in a stable or only slowly developing situation after automatic implementation of protection or engineered safety systems. The equivalent whole body dose received in two hours at the site boundary must remain below 150 mSv under assessment conditions as unfavorable as the foregoing. Despite the very low occurrence of such accidents, we are still far removed from doses inducing inevitable biological effects, the thresholds for which are at least three times higher. The probability of fatal cancers being thereby induced remains below 1 %.
4.3. Choice of operating conditions The second category transient initiating events are investigated among the possible causes for the variation of parameters affecting fuel cooling. These families of initiators are examined one after the other. The neutron flux, and hence the energy released in the fuel, can increase due to the following direct reactivity effects:
• uncontrolled rod withdrawal
• gradual inadvertent dilution of boric acid present in the primary coolant
but also to indirect effects:
• inadvertent opening of a secondary system valve
• increase in turbine drawn power.
The primary coolant flow which transfers the energy produced in the core to the steam generators can decrease due to shutdown of a pump but also, and in this case more sharply, due to the coastdown of all the primary coolant pumps, moderated by their flywheels, in the event of loss of offsite power. A drop in primary pressure level, which is also detrimental to correct fuel cooling, could be due to the inadvertent opening of a pressurizer valve or excessive spraying in the pressurizer. Another phenomenon, connected with the long term strength of the reactor vessel, is also considered: inadvertent actuation of the safety injection system. Neutron irradiation modifies the characteristics of the vessel metal and welds: the vessel metal embrittlement temperature rises to a level in the vicinity of that of the safety injection water. It is consequently important to prevent such loads or ensure their surveillance. Postulated accidents divided between the third and fourth categories are investigated along the same lines (excessive power increases, inadequate fuel cooling) by identifying the events or malfunctions liable to involve the loss of barriers. The initiators are no longer parameter variations but real failures, even involving pipe breaks, despite the significant design margins allowed.
Neutron flux increases analyzed could be due, for instance, to control rod ejection or a steam line break. Drops in primary coolant flowrate will be due to more and more rapid pump coastdown. Pressure losses will be accompanied by loss of primary fluid since they will be due to increasingly serious breaks. Double-ended guillotine pipe breaks without forewarning are postulated, with displacement of the two pipe ends allowing the fluid to flow out unchecked. We shall come back to the various assumptions associated with pipe breaks in Chapter 7 and shall discuss the leak-before-break concept which is less used in France than in certain other countries. Direct release of radioactive products contained in the radioactive gas or contaminated water tanks inside the various facilities is considered, as is total rupture of all fuel rods in a fuel element during handling in the reactor building or the fuel building. This results in a large number of possible accident scenarios from which a selection is made based on two main principles:
• identification of bounding case accidents
• exclusion by additional prevention of a certain number of accidents.
4.3.1. The bounding case accident concept The number of accidents or incidents to be investigated can be decreased by identifying the most penalizing situation within a group of incidents of the same type. An example will demonstrate this approach. Auxiliary buildings comprise a number of radioactive gas or contaminated water tanks. If these tanks are of a similar design and quality and are located in facilities equipped with retention or ventilation systems of equivalent efficiency, it is not necessary to examine the consequences of rupture of each of these containers. It is sufficient to investigate the worst case in each family of events and ascertain that the consequences are acceptable in order to be able to generalize this finding to other tanks of the same type. The accident which is investigated will be considered the "bounding case accident" for the entire family. We shall see below that the choice of the hypotheses relative to the investigated accident scenarios gives the idea of "bounding case accident" a still more significant aspect, which goes beyond simply maximizing radiological consequences.
4.3.2. Exclusion by prevention of a certain number of accidents If, as we shall see below, devices can be found to limit the consequences of most accidents to acceptable values - these are the engineered safeguard systems, included in some countries under the heading "engineered safety systems" - analysis is rather less straightforward for certain particularly serious accidents. In view of the difficulty of limiting the consequences of these accidents, efforts were focused on optimizing the prevention of such situations, with a view to "excluding" them. This is the case for fast fracture of large components like the reactor vessel, the steam generator outer shell, the pressurizer or the primary pump casing. The mechanical stress to which vessel internals, fuel elements, steam generator tubes, or the containment building might be subject makes direct control of these accidents extremely difficult, or even impossible. Worldwide industrial experience in this field would appear, however, to indicate that for apparatus of this kind which has been well designed, well constructed and carefully monitored, the probability of this type of fracture is extremely low. We have therefore agreed that accidents of this type should not be taken into account and that the third level of the defense in depth concept be omitted from the design basis but that this decision should be counterbalanced by an increase in design, construction and operating safety margins and by special initial and in-service inspection.
4.4. Operating conditions: list and subdivisions In 1970, when the preliminary safety analysis report for the first 900 MWe nuclear unit constructed in France at the Fessenheim power plant was submitted, the operating conditions were subdivided into three groups:
• operating transients and incidents
• accidents activating safety devices (engineered safeguard systems)
• loss of coolant accidents.
Both the list and the division were derived from American practice and represented the outcome of discussions between US plant designers and safety authorities. Acceptability criteria were not always clearly defined. During the progressive adaptation of this reactor system to French codes and standards culminating in the 1300 MWe reactors, this list was reconsidered and slightly expanded by the French safety partners. The four categories listed in Table 4.1 were specified with their estimated frequency ranges and indication of the maximum allowable radiological consequences for the design studies. The operating transients and incidents were placed in the second category. The accidents were subdivided and assigned to either the third or fourth category, without making a special case of loss of coolant accidents. This gave, in 1976, the following lists:
Category 2: incidents of moderate frequency the consequences of which must be extremely limited
Reactivity incidents
• Uncontrolled withdrawal of rods with the reactor subcritical or power operating
• Gradual uncontrolled dilution of boric acid
• Startup of an inactive primary loop
• Incorrect operation of steam generator main feedwater supply
• Excessive load increase.
Disturbance of core physics
• Incorrect position, drop of a control rod, or control rod bank
• Partial loss-of-flow accident
• Total turbine load loss, turbine trip
• Loss of offsite power causing loss of reactor coolant pump power supply
• Loss of steam generator main feedwater supply.
Primary breaks
• Brief inadvertent opening of a pressurizer valve
• Momentary depressurization of the primary system.
Secondary breaks
• Inadvertent opening of a secondary system valve.
Reactor vessel embrittlement
• Inadvertent startup of safety injection or emergency boration.
Category 3: very infrequent accidents the consequences of which must be sufficiently limited
Reactivity
• Control rod withdrawal at full power.
Disturbance of core physics
• Forced reduction of primary coolant flowrate
• Incorrect position of an assembly in the core.
Primary breaks
• Loss of primary coolant, small break
• Inadvertent opening of a pressurizer valve, long term depressurization.
Secondary breaks
• Small break in a secondary pipe.
Radioactive release
• Rupture of chemical and volume control system tank
• Rupture of gaseous waste treatment system tank.
Category 4: serious postulated accidents the consequences of which must remain acceptable
Reactivity
• Control rod ejection.
Disturbance of core physics
• Primary pump rotor blocked.
Primary breaks
• Loss of coolant accident
• Total rupture of a steam generator tube.
Secondary breaks
• Large break in a main secondary water or steam line.
Radioactivity release
• Fuel handling accidents.
Worldwide experience has since shown a classification error which will be examined below (Chapter 8). Rupture of a steam generator tube, here classified in the fourth category, has in fact a probability level which should place it in the third category. This modification was introduced into the list of operating conditions to be taken into account for the design of nuclear units of the new 1400 MWe N4 standardized plant series. This formal classification modification cannot be made for nuclear power plants which have already been designed and constructed, but compensatory measures have been taken. One might be tempted to believe that a category transfer of this kind would help to resolve the problem as accidents in the third category are less serious than those in the fourth category. The reality of the situation is, however, quite different. This accident was transferred because its probability was found to be much higher than was initially assumed, but this does not make the accident less serious; rather, it requires that the accident be made less serious. In order to respect the specified new radiological consequence limits, which are thirty times lower, the operating utility had to modify certain equipment and impose special constraints with regard to primary coolant activity, for example. Of course, in both cases, as for all other design basis accident studies, the calculation of consequences is based on a set of conservative postulates which will be discussed further on. Another classification error concerns primary coolant pump rotor blocking. The frequency of occurrence of this accident worldwide is also higher than that initially estimated. However, as it does not affect fuel and involves no radioactive release, the only modifications made have consisted in reinforcing inspection provisions for primary coolant pump shafts, with a view to limiting outage risks. Moreover, the division of accidents into two categories has certain limiting effects on the concept of a bounding case accident. If the consequences of a major secondary break cover the consequences of a minor secondary break, this does not obviate the need for detailed examination of the latter failure. The fact that a major break has acceptable consequences in the fourth category does not imply that a minor break necessarily has acceptable consequences in the third category.
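The following is an added worked example, not code from the book, making the frequency/consequence logic of Table 4.1 and the reclassification argument above executable. The frequency ranges and the whole-body and thyroid limits are those of Table 4.1; the site permit value, the plant names and the assessed doses are constructed for illustration, and the fatal-cancer coefficient is the one implied by the book's own figure of 5 mSv giving a 0.025 % increase (Section 4.2).

```python
"""Design basis operating-condition check modelled on Table 4.1.

Added example, not from the book. Frequency ranges and dose limits follow
Table 4.1; the plant cases at the bottom use constructed numbers.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed stand-in for the site's annual release permit limit (Table 4.1
# only says "some 10 microsieverts" for categories 1 and 2).
SITE_PERMIT_LIMIT_MSV = 0.02

# Table 4.1: category -> (lower annual frequency, upper annual frequency,
# whole-body limit in mSv, thyroid limit in mSv). Category 1 (normal
# operation) is judged against the annual permit, not a per-event frequency.
TABLE_4_1 = {
    2: (1e-2, 1.0, SITE_PERMIT_LIMIT_MSV, SITE_PERMIT_LIMIT_MSV),
    3: (1e-4, 1e-2, 5.0, 15.0),
    4: (1e-6, 1e-4, 150.0, 450.0),
}

# Risk coefficient implied by the book's figures: 5 mSv -> +0.025 % probability
# of fatal cancer, i.e. 0.005 % per mSv (5 % per Sv).
FATAL_CANCER_PCT_PER_MSV = 0.025 / 5.0


def category_for_frequency(freq_per_year: float) -> Optional[int]:
    """Map an estimated annual frequency to its Table 4.1 category.

    Shared boundaries are resolved upward (exactly 1e-2 is category 2).
    Below 1e-6 per year the event lies outside the design basis (residual
    risk, handled at the fourth level), so None is returned.
    """
    if freq_per_year > 1.0:
        return 1
    for cat in (2, 3, 4):
        low = TABLE_4_1[cat][0]
        if freq_per_year >= low:
            return cat
    return None


def dose_limits(category: int) -> Tuple[float, float]:
    """Whole-body and thyroid limits (mSv) at the site perimeter."""
    return TABLE_4_1[category][2], TABLE_4_1[category][3]


def fatal_cancer_risk_increase_pct(dose_msv: float) -> float:
    """Linear increase in individual fatal-cancer probability, in percent."""
    return dose_msv * FATAL_CANCER_PCT_PER_MSV


@dataclass
class Assessment:
    name: str
    category: Optional[int]
    acceptable: bool
    reason: str


def assess(name: str, freq_per_year: float,
           whole_body_msv: float, thyroid_msv: float) -> Assessment:
    """Check a bounding-case dose assessment against the limit of its category."""
    cat = category_for_frequency(freq_per_year)
    if cat is None:
        return Assessment(name, None, False, "below 1e-6/yr: outside the design basis")
    if cat == 1:
        return Assessment(name, 1, False, "normal operation: judged against the annual permit")
    wb_lim, th_lim = dose_limits(cat)
    ok = whole_body_msv <= wb_lim and thyroid_msv <= th_lim
    verdict = "within" if ok else "exceeds"
    reason = (f"category {cat}: {whole_body_msv} mSv whole body / {thyroid_msv} mSv thyroid "
              f"{verdict} limits of {wb_lim} / {th_lim} mSv")
    return Assessment(name, cat, ok, reason)


if __name__ == "__main__":
    # Constructed figures for the steam generator tube rupture reclassification
    # of Section 4.4: the assessed dose is unchanged, only the frequency
    # estimate moves, yet the applicable limit drops by 150 / 5 = 30.
    for label, freq in (("design assumption", 5e-5), ("observed frequency", 1e-3)):
        a = assess(f"SG tube rupture ({label})", freq, 120.0, 300.0)
        print(a.name, "->", a.reason)

    # A category 4 large break being acceptable says nothing about the
    # category 3 small break, which faces the tighter limit.
    for a in (assess("large secondary break", 1e-5, 60.0, 200.0),
              assess("small secondary break", 1e-3, 8.0, 20.0)):
        print(a.name, "->", a.reason)

    print(f"150 mSv -> +{fatal_cancer_risk_increase_pct(150.0):.2f} % fatal cancer risk")
```

The two loops reproduce the book's two points: moving an event to a more frequent category makes the same dose unacceptable rather than the accident less severe, and acceptability of the bounding fourth-category break does not carry over to the third-category break that it "covers".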
4.5. Operating condition analysis process As we have just seen, the incidents and accidents which were chosen were generally not the fruits of experience but of research into the conditions under which the characteristic operating parameters of the reactor and of associated systems develop along lines unfavorable to safety. These conditions will therefore not be examined for their own sake but rather to guard against a type of transient or phenomenon giving rise to risks. For this reason, the incident or accident under investigation shall be interrogated from the point of view of a whole set of postulates or design conditions chosen to aggravate the situation and therefore ensure that the result can function satisfactorily as a new bounding case. The probability of occurrence of these more penalizing conditions is disregarded in determining the probability order of magnitude for the scenario considered. This will also be the method for proceeding from incidents or accidents with single initiators to those with combined initiators, which are more representative of what actually occurs. In this way, we shall examine in the rest of this chapter, the choice of initial conditions, the qualification of calculation codes, the "single failure criterion" and the rules for conventional load combinations.
56
Elements of nuclear safety
4.5.1. Choice of initial conditions

A nuclear power plant has an entire range of authorized operating levels at its disposal, from full power to shutdown for refuelling. At each of these levels the characteristic parameters - pressure, temperature, flowrate, volume, voltage, frequency, radioactivity and contamination - have authorized variation limits. Measurement, adjustment and control methods for these parameters do not however provide complete accuracy. For each study, pessimistic parameter values are chosen for the anticipated occurrence considered and for equipment precision. As the examples will show, this set of values is liable to change even during investigation stages of a single accident. If the anticipated phenomenon is the departure from nucleate boiling on the fuel clads, which is a highly undesirable cooling condition involving possible loss of cladding integrity, increased values of the heat produced and the average primary temperature will be used. The coolant pressure value, on the other hand, will be chosen by combining conditions which lead to its reduction. In order to analyze a primary coolant leak, contamination of the fluid by radioactive iodine, the most significant substance in the short term from the radiological standpoint, is set at a value exceeding that authorized for permanent operation. It should be noted that this value has rarely been overstepped in the course of several hundred reactor-years, and then only very briefly. Accidents which call into question reactivity injections by control rod movements are examined at the beginning of the cycle when the moderator feedback is weakest. Those due to a cold surge in the secondary system are examined at the end of the cycle when, in the absence of boron in the primary coolant, the reactivity will be most affected.
Furthermore, if there is a release of fission products normally retained by the cladding, it shall be assumed that the fuel is at the end of an equilibrium core cycle, which will increase the quantity of radioactive products present. Although these initial conditions are only representative of a very short time period in the life span of an installation - a few percent of the total life span in each case - this decrease of probability will not be taken into account for the physical situation under consideration. This is thus a resolutely deterministic approach to design basis accident analysis and the estimated frequency ranges only concern the initiators.
4 - Analysis of operating conditions
57
4.5.2. Use of qualified computer codes

Despite the very large number of old and recent studies, it is extremely difficult to represent exactly the complex phenomena which come into play during an accident. We do not therefore have at our disposal a computer code representing the precise development and maximum values of the most significant parameters. Uncertainties and inaccuracies remain into which current research and development programs are endeavoring to provide greater insight. For investigation of conventional accidents and checking of the acceptability of their consequences, only those codes shall be used which are sufficiently stringent as determined by their qualification testing. This method does not eliminate uncertainties but demonstrates plant safety. These codes shall be subject to additional studies and constant amendment in order to reduce, through a more thorough knowledge of phenomena and modelling methods, those safety margins which are thought to be excessive. These improvements shall also enable the happily rare discovery of occasions when certain former results were insufficiently stringent. This was the case at the beginning of the 1980s for estimation of overpressure in the P'4 reactor containments resulting from a main steam line break. Adequate margins allowed for elsewhere enabled this unexpected setback to be absorbed with no consequences for the reactor containment design. This example, which is not unique, confirms the importance of significant margins in the various phases of estimation of system and equipment characteristics. Due to their deliberately exaggerated character, these codes cannot be used for drawing up accident operating procedures as the accident development which they outline is too far from contingent reality. In these cases, "best estimate" codes have to be used.
4.5.3. The single failure criterion

In view of their importance, systems actuated during incidents or accidents must have a very high level of reliability. As a reliability study is extremely difficult to carry out at the point of installation design and schematic drafting of systems, a deterministic approach, which is perhaps more approximate but easier to use on the drawing board, was preferred at the design stage. This is the "single failure criterion" which can be summarized as follows: Safety related systems must be able to fulfill their function in an adequate manner even in the event of failure of any one of their components.
The application of this criterion to electrical systems is simple: it is postulated that at the moment a system is actuated a single component is faulty. Of course, the component selected will be that with the most serious consequences in the event of faulty operation in the context considered. For mechanical systems, active components for which correct operation requires external actuation (pumps, valves, power-assisted check valves) are differentiated from passive components (pipes, heat exchangers, simple check valves, etc.). An active failure might just as easily be due to failure to operate of a required component as to inadvertent operation of that component. A passive failure could be a worsening leak, the consequences of which could be limited if it were located and contained. In the opposite case, all the fluid involved shall be assumed to be lost. Blocking of a flow would also be a passive failure.
Bearing this distinction in mind, the single failure criterion is applied in the following manner, even if there are slight differences between its use as a design criterion and as an analysis criterion:
• protection and engineered safeguard systems must fully ensure their function despite any electrical or active mechanical failure
• any of these systems having to ensure service over a long period of time must continue to function even if, after about 24 hours, an active or passive failure occurs.
The manner in which this principle should be applied has given rise to much discussion in the world of nuclear engineering, particularly regarding two related themes:
• how should equipment or system unavailability due to already recognized breakdowns or maintenance be allowed for?
• should human error be taken into account and if so, how?
Some countries opted for the installation of triple or quadruple systems, each of them with the capacity to ensure two-thirds or half of the required functions. These are known as 3 or 4 "train", "line" or "channel" systems.
The French nuclear partners, after investigation of a wide range of possible solutions, decided, as had the licensor for the 900 MWe units, on a solution comprising two trains each capable of fulfilling the required function on its own. This technical solution limits equipment requirements and thereby capital outlay and simplifies the installation. On the other hand, this solution imposes a high degree of vigilance regarding availability of the two channels, which results in severe constraints on the allowable duration of contingent unavailability and stringent limitations on voluntary unavailability of one line, for maintenance for instance, during operating periods when the system is required for safety reasons. For the investigation of each accident or incident, the most penalizing failure is identified for the phenomenon being examined. In certain circumstances, where normal operation of the two channels is the most penalizing condition, this is the condition that should be taken into account. Finally, during investigation of a LOCA, the choice of faulty equipment will be different, depending on whether fuel rod cooling or overpressure levels in the reactor containment are examined. An explanation of the single failure criterion can be attempted a posteriori, in terms of reliability, while remaining within the confines of orders of magnitude and rough approximations. Experience shows that, in general, a complex system comprising valves, pumps, sensors and various motors fails to start up when switched on about one time out of a hundred. If therefore a fourth category accident is allotted the maximum corresponding probability, i.e. 10⁻⁴ per year, the risk of seeing this initiating event and the failure of a postulated corresponding single channel engineered safeguard system occur together is 10⁻⁴ × 10⁻², i.e. 10⁻⁶ per year. The corresponding situation would be a particularly serious occurrence and its estimated probability has been found to be excessive. However, in an equally simplified manner, a redundant system comprising two independent channels, each capable of fulfilling the required function, would have a total failure-to-start probability of about 10⁻⁴, if failures liable to simultaneously affect the two channels are ignored. This degree of probability, combined with that of the same initiating event as above, gives a serious accident probability of 10⁻⁸ per year, which is considered acceptable.
However, in order to be able to disregard, as we have just done, simultaneous failure of the two redundant channels (usually called common mode failures or simply common modes), a double condition must be fulfilled:
• avoidance of the possibility of a single hazard affecting equipment in both channels
• limitation, insofar as possible, of failures common to several identical items of equipment.
The first condition, concerning hazards outside the systems themselves, resulted in very strict layout and installation rules. "Redundant" system channels shall be installed in different, completely separate facilities. This geographic separation leads, for example, to the two diesel generators being located in completely separate facilities, with a calculated distance between them, which is great enough to ensure that even if an aircraft were to crash into the installation it would not destroy both generators.
Figure 4.1. gives an example of engineered safeguard equipment layout for a standard P4 plant unit.
Fig. 4.1. Equipment layout in a P4 1300 MWe PWR.
In the vicinity of the circuits to which redundant systems must be connected, geographical separation is no longer possible. Physical separation by means of suitable walls is then required. Equivalent solutions have to be found for electrical equipment or control and instrumentation systems in the vicinity of the control room equipment. Internal common mode failures are much more difficult to identify and prevent. These failures concern design, manufacturing or maintenance errors which are liable to affect several items of equipment. They therefore concern the general quality of the plant or its operation. Reliability statistics for equipment show that the combination of common mode failures represents about 3 to 5% of the causes of simultaneous failure of two identical items of equipment. This level falls to about 1 to 2% for triple failure. For example, if the failure-to-operate probability is 10⁻² for a single train,
• it is 3 × 10⁻⁴ and not 10⁻⁴ for two identical trains
• and 10⁻⁴ and not 10⁻⁶ for three identical trains,
taking the low levels for the common mode failure rates. Hence the benefit obtained by single redundancy diminishes as additional channels are added. This approach to the prevention of common mode failure overlooks a component the importance of which has only gradually been fully perceived. We are referring to the incidence of human factors and to failures related to maintenance activities or to plant operating procedures. It was not until the Three Mile Island accident, in 1979, that the full importance of human factors in nuclear engineering activities was realized. A few more years then elapsed before the detection, reporting and circulation of examples of errors related to repair work or maintenance, which had imperilled the availability or smooth running of several, or even all safety related devices. The few examples below are among the most spectacular but obviously do not suffice to refine the common mode failure probability values.
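The orders of magnitude used in this section (one train failing to start about once per hundred demands, a fourth category initiator at 10⁻⁴ per year, and common mode shares of 3% for two trains and 1% for three) can be combined in a short script. This is an added example, not the book's own calculation; the beta-factor form of the common mode term (a fixed fraction of one train's failure probability defeating every train at once) is an assumption of the example, and the book rounds the two-train result to the common mode term alone.

```python
# Orders of magnitude quoted in section 4.5.3 (constructed illustration)
P_TRAIN_FAIL = 1e-2      # one complex train fails to start, per demand
F_INITIATOR = 1e-4       # upper bound of a fourth category accident, per year
# Low end of the common mode shares quoted in the text (3-5% for two
# identical trains, 1-2% for three); 1 train has no common mode term.
COMMON_MODE_SHARE = {1: 0.0, 2: 0.03, 3: 0.01}


def independent_failure(p: float, n_trains: int) -> float:
    """Failure probability of n identical trains when common modes are ignored."""
    return p ** n_trains


def failure_with_common_mode(p: float, n_trains: int, share: float) -> float:
    """Beta-factor approximation (assumption of this example): the independent
    term p**n plus a common mode term equal to a fraction `share` of a single
    train failure, which is taken to disable all trains simultaneously."""
    return p ** n_trains + share * p


def serious_accident_frequency(f_init: float, p_system: float) -> float:
    """Frequency (per year) of the initiator combined with loss of the system."""
    return f_init * p_system


def summarize(p: float = P_TRAIN_FAIL, f_init: float = F_INITIATOR) -> dict:
    """Return {n_trains: (p_fail_independent, p_fail_with_cm, f_serious_with_cm)}."""
    out = {}
    for n in (1, 2, 3):
        p_ind = independent_failure(p, n)
        p_cm = failure_with_common_mode(p, n, COMMON_MODE_SHARE[n])
        out[n] = (p_ind, p_cm, serious_accident_frequency(f_init, p_cm))
    return out


def redundancy_gain(p: float = P_TRAIN_FAIL) -> dict:
    """Factor by which one extra train lowers the system failure probability
    once common modes are counted: the diminishing return noted in the text."""
    s = summarize(p)
    return {"1->2": s[1][1] / s[2][1], "2->3": s[2][1] / s[3][1]}


if __name__ == "__main__":
    for n, (p_ind, p_cm, f) in summarize().items():
        print(f"{n} train(s): independent {p_ind:.1e}, with common mode {p_cm:.1e}, "
              f"serious accident {f:.1e} per year")
    print(redundancy_gain())
```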
The first example concerns a plant unit abroad, characterized by a 4 train redundancy level, each with a 50% capacity. The function is therefore entirely assured by 2 trains out of 4. With this system, maintenance work can be carried out train by train, without any particular constraints. This plant is also equipped with a 4 train ultimate emergency system, which means that there are eight diesel-generator sets. In 1987, in the course of a routine inspection to adjust a setpoint on the eight diesels, a maintenance team unaccustomed to dealing with this equipment and using a procedure which was not clearly formulated, terminated their work leaving the eight diesels in a configuration preventing their automatic startup. The abnormal condition was identified and corrected 15 hours later by a patrol inspection team. In 1989, there were many occurrences of this type in France, which will be discussed in Chapters 24 and 26, such as the wrong parts left on the three safety valves of a pressurizer or the isolating of four out of the five level sensors on another pressurizer. For the 900 and 1300 MWe plants, the single failure criterion was applied to equipment actuated in the first stage of the accidents analyzed, corresponding to the automatic response of the plant. For the N4 series, it has been extended to include other equipment required by the operators to bring the accident under control and achieve safe shutdown of the reactor. An example of such equipment is the pressurizer spray system.
4.5.4. Conventional load combinations

The single failure criterion is not the only convention used in accident analysis to heighten the bounding case character of the cases considered and, where possible, of their consequences. In an equally formal manner, we consider load combinations comprising the mechanical effects of a major earthquake (the safe shutdown earthquake, SSE, described in Chapter 10), total loss of offsite power and fourth category large breaks, without increasing the reference radiological consequences. Although the facts had not been presented from this angle, it is entirely logical to combine a major earthquake with loss of the electricity transmission lines which are not designed to withstand a phenomenon of this nature. So this is an additional way of worsening the most serious postulated accident conditions in order to increase the bounding case character. We have seen that the single failure criterion required, in its French application, that all equipment necessary for control of accident situations should be duplicated with provision for two completely separate channels. With this new load combination, the electrical equipment for each of these lines must be backed up by a self-contained automatic startup generator, independent of the national grid. Each nuclear unit is therefore equipped with two diesel generators, with a unit power rating of a few MW and capable of supplying this power 40 seconds after the startup command. This response time is taken into account in accident studies since engineered safeguard systems are only fully efficient after this time lapse. An earthquake must neither cause an accident, since the mechanical loads it could include are used, as we shall see, as a basis for equipment design (first level of defense in depth), nor must it prevent the engineered safeguard systems or reactor containment from functioning normally. This constraint added to the preceding ones signifies that equipment required during large break fourth category accidents must be fully effective during and after an earthquake. The diesel generator sets are clearly concerned by compliance with this requirement.
4.5.5. Prevention of accident degeneration

Among the acceptability criteria for second and third category incident and accident consequences, it is specified that such events must not be the cause of an accident in the next category. Detailed analysis of each of these incidents or accidents must therefore determine the mechanical or other stresses brought to bear on devices other than those responsible for initiating the events considered, in order to ensure that they will not also subsequently fail. A whole series of load combinations is established which must be taken into account in equipment design. Similarly, a fourth category accident occurring in one part of the installation must neither spread to other parts of the installation nor prevent correct operation of the equipment provided to limit the consequences of such an event to acceptable values. For example, a primary loop break must not cause another break in the same loop, nor a break in another loop, nor serious disturbance of the safety injection system. The stresses due to piping deformation and jetting induced on the concrete and the primary loop bunker are studied in detail, since these structures provide the basic support for the affected loop as well as the adjoining loops. The results of studies required by the third level of defense in depth are thus used as design basis data at the first level of this process (the repetitive nature of which is now apparent) at least during the initial phase of new projects. Appropriate safety margins are then introduced in the course of preliminary studies and their adequacy is confirmed during the final demonstrations.
4.6. Consideration of internal or external hazards

In 1971, when the licensing procedure for the first 900 MWe units at the Fessenheim site was initiated with the relevant safety authorities, safety investigation was not limited to accidents caused by direct failures of safety related equipment. A seismic load level was taken into account for the design of safety related equipment and structures. Protection of this equipment (safety injection accumulators, equipment connected with containment spraying, etc.) from missiles coming from primary system high pressure devices should also be added. Concern regarding various external or internal hazards had thus long existed but, under the impetus of safety analysis, this awareness was to be extensively developed. It will be the subject of Chapters 9 and 10.
5
Assessment of the radiological consequences of accidents
Analysis of each of the listed conventional accidents terminates with an assessment of the associated radiological consequences. It has to be demonstrated that these consequences are effectively acceptable, as only very high limit values are indicated in Table 4.1. This assessment involves phenomena and areas of knowledge which are fairly remote from those discussed in relation to equipment design. However, to ensure consistency with the other aspects of safety assessment, the same precautions have been taken to guarantee the bounding case character of the results. Intermediate calculation values are in fact used for the design of a certain number of systems, structures or equipment. This implies notably defining equipment qualification conditions with respect to the accident conditions described in Chapter 7, certain measuring ranges or radiological protection constraints. This requirement has led to the adoption of very extended bounding case values, suitable for the design options considered. But in this context, radiological consequence results are highly overestimated and difficult to use for the preparation of external emergency plans. We shall show in the next chapter the discrepancy there can be between a conventional assessment of radiological consequences and a more realistic estimate of the same sequence. On the other hand, in compliance with a convention the inadequacy of which was only realized much later, assessments were first based on the potential radiological consequences for an individual exposed for two hours at the site boundary to rare gases and iodines, i.e. products liable to have significant short term health effects. Similarly, radioactive products such as cesium, which has slight early effects becoming far more significant in the long term, are disregarded in this approach. 
The evolution of safety towards international projects and also the Chernobyl accident point to the necessity for more exhaustive, but also more realistic assessments, although maintaining provision for comfortable margins on equipment and components.
In the studies concerning current nuclear units, the accidental release mode considered is by air. Normal release, which will not be discussed here, is also discharged in liquid form to rivers or the sea. There should normally be no direct release into the ground and the water table. The relevant calculations comprise the following stages:
• quantity of radioactive products in the core or reactor systems
• release rate for these products during the accident considered
• possible modes of transfer and deposit in reactor systems
• modes of transfer and deposit in buildings
• leak rate from the facility considered to the outside atmosphere and, where applicable, filtering efficiency
• environmental diffusion, transport and deposit conditions
• pathways to man
• conversion of the activity absorbed by exposure, inhalation or ingestion, expressed in becquerels, to doses expressed in sieverts.
These stages can be dealt with fairly independently, but attention is particularly drawn to radioactive products with the following unfavorable characteristics: large quantity, easy emission, relatively long decay time, severe biological impact. In the next chapter, we shall describe in detail a large primary break accident (LOCA), up to the numerical application stage. Only more general data will be given in the present chapter.
5.1. Quantities of radioactive products involved

Fuel which has undergone multiple fissions contains a more or less complete spectrum of possible radioactive products having an atomic number below that of uranium. It also contains small quantities of transuranians and transplutonians resulting from neutronic capture without fission. These are generally very long decay period alpha emitters. Depending on their radioactive half-lives and any interaction with the neutrons, these substances accumulate incessantly in the reactor fuel as burn-up increases or reach saturation. The radioactive products in the primary coolant are due to activation of corrosion products and possible fission product leakage through the fuel clads. In this case, accumulation is limited by the periodic renewal of part of the water and by purification.
Chapter 3 contains a table indicating the quantities of the main radioactive products to be found in a 900 MWe PWR at end of cycle loaded with uranium oxide fuel with a burnup of up to 33 000 MWd/tU. These values and their relative importance would not be the same for a mixed oxide UO2-PuO2 fuel, thus containing plutonium from the outset or for significantly higher burnups. The term "core inventory" is often used to refer to the quantity of radioactive products in the core.
5.2. Release rates

The characteristic release rate for each fission product is a particularly important factor. Light water reactor fuel is made of a type of ceramic which is both difficult to melt and relatively impermeable, enclosed in leaktight clads, from which fission products cannot easily escape.
Fig. 5.1. Release rates of fission products from a PWR UO2 fuel pellet (release rate plotted against pellet temperature in °C).
The release rates of the various elements depend to a considerable extent on their physicochemical nature and the temperature of the fuel pellets. Certain substances, notably some iodines and noble gases, manage to migrate in small quantities from the fuel to the clad-pellet gap under normal operating conditions. We are presently able to specify release rates versus time and fuel temperature. The curves (Fig. 5.1) confirm that extensive release generally only occurs when the fuel pellets have melted, which does not happen in design basis accidents, where the clad temperature is limited to 1200 °C, that of the pellets being only slightly higher. The clad failure* rate considered in each accident study is obviously an important factor, representative of a phenomenon which can occur at lower temperatures, such as those reached during certain design basis accidents. Radioactive substances located at the onset of the accident in the primary coolant water, the structural materials or the gaseous effluent tanks could escape far more easily.
5.3. Transfer and deposit in reactor systems

When clad failure occurs under accident conditions, the radioactive products emitted at high temperature enter the primary cooling system as steam. Some of them will settle on the walls of the system, but this is not the case for the noble gases. The steam cools and may condense forming aerosols, which may also settle on the system walls, depending on thermal hydraulic conditions. In addition, there is the possibility that deposited material may return to circulation, but this also depends on subsequent thermal hydraulic conditions. These phenomena are only taken into account in the event of direct discharge to the atmosphere, as is the case with a steam generator tube break for example. All other cases where the release path is through the containment are consequently rather overestimated.
5.4. Transfer and deposit in buildings

When they reach the buildings, all radioactive products are in aerosol form, except the noble gases. They generally stay there for a few hours to several days. High density aerosols tend to agglomerate.

* "Clad failure" means any loss of leaktightness, even if this is due to through-wall microcracking. In an accident situation, more severe defects will be involved.
Soluble aerosols will be entrained by steam close to condensation or spray water, thereby gradually reducing their concentration in the atmosphere. This happens with the soluble iodine aerosol, cesium iodide, which can on the other hand undergo radiolysis in the sump water to produce the gaseous iodine I2. In the other cases, the aerosols settle more slowly, by sedimentation, steam condensation on walls (diffusiophoresis) or due to a thermal gradient between the vector gas and the walls (thermophoresis). These phenomena, the impact of which on release rates is highly significant, are imperfectly known and are currently the subject of research*. Extremely prudent values were defined in the 1970s for the conventional assessments.
5.5. Leak rate to the outside atmosphere and filtering provisions

The radioactivity leak rate to the outside atmosphere depends on any overpressure in the building induced by the accident and on the building leak rate and any ventilation and filter systems. Building leak rates and filter system efficiency must be determined with circumspection and periodically checked. Consideration must also be given to the risk of direct leakage to the atmosphere bypassing any filter systems and thereby reducing their overall efficiency.
5.6. Environmental transport and deposit conditions

Release directly leaving the buildings or discharged via the stack blends with the outside atmosphere and its behavior depends on local meteorological conditions. Inert gases like the noble gases and certain forms of iodine diffuse. Aerosols, including iodine in particle and molecule form, also diffuse but, in addition, they spontaneously drop to the ground in dry weather or are washed down by rain (Fig. 5.2).
* See also section 28.3.
Fig. 5.2. Behavior of release in the atmosphere.
At this stage, the atmospheric transfer coefficients (ATC), expressed in s m⁻³, and surface transfer coefficients (STC), expressed in m⁻², are determined (Fig. 5.3). The atmospheric transfer coefficient, in association with the activity released, suppresses the time element by considering the total number of disintegrations per m³ which take place throughout plume transit. In the surface transfer coefficient, the time element is kept, since it enables the activity per surface unit to be derived from the number of becquerels released. Design basis accident consequences are appraised using the Le Quinio charts based on continuous release for one hour under weather conditions covering 95% of the possible meteorological situations.
The characteristic coefficients are then as follows:
• atmospheric transfer coefficient for gases: 6 × 10⁻⁵ s m⁻³, 500 m from the release point (10⁻⁶ at a distance of 10 km)
• surface transfer coefficient at the same location: 6 × 10⁻⁷ m⁻², considering a deposit rate of 1 cm/s (10⁻⁸ at a distance of 10 km).
For different release times, these values must be corrected by multiplying them by the corrective factors Fd given in Table 5.1.
Table 5.1. Release duration correction multiplicative factors Fd.

Release and exposure time   5 min   10 min   15 min   30 min   1 h    2 h    8 h    12 h   1 day
Corrective factor Fd        3.46    2.45     2        1.41     1      0.71   0.59   0.54   0.45
Fig. 5.3. Atmospheric diffusion coefficient for aerosols, plotted against the distance from the source in km (charts determined by Robert Le Quinio).
The release time corrective factor takes into account wind swirling effects around a postulated constant mean direction throughout the release time, causing the plume to widen. For a given quantity of release, when the release time increases, the maximum consequences will thus be less severe but will concern a wider angular sector.
5.7. Pathways to man

In the event of atmospheric release, the following pathways to man are considered:
• immersion in the plume, causing whole body exposure to gamma radiation
• inhalation of iodine, which then settles in the thyroid
• external exposure to radioactive products deposited on the ground
• ingestion of radioactive products deposited on the ground, by direct consumption of leafy vegetables or by consumption of meat or milk from animals fed with contaminated grass.
In the event of exposure to the plume for more than 2 hours, a respiratory capacity of 30 m³ per day is considered for the first 12 hours. Beyond this, the respiratory capacity considered is reduced to 20 m³ per day to take periods of sleep into account. The thyroid dose for infants is calculated assuming that they are entirely fed on milk from cows which have grazed in pastures so situated as to have been contaminated by iodine deposits. The krypton 85 in the plume also causes skin exposure to beta radiation.
5.8. Dose conversion factors

In order to transform the activities of the various substances or families of substances (noble gases, iodines, etc.) into possible effects on individuals, dose conversion factors are used which take into account the corresponding radiation characteristics (type, energy, radioactive half-life, organ where it accumulates, biological half-life), the way in which organs are affected and their sensitivity. There are several different dose conversion factors (DCF):
• plume DCF (Sv/(TBq s m⁻³)), which gives the integrated dose as the plume passes, or immersion dose
• deposit DCF (Sv h⁻¹/(TBq m⁻²)), which gives the dose rate for the first hour
• effective DCF by inhalation (Sv/(TBq s m⁻³)), which gives the whole body dose commitment, weighted for receptor sensitivity
73
5 - Assessment of the radiological consequences of accidents
• thyroid DCF (Sv/(TBq s m^-3)), which gives the thyroid dose commitment by iodine inhalation.
These factors have fixed values only for given isotopes. For iodine, for instance, the table below can be drawn up on the basis of the iodine quantities in the reactor core. Considering the wide range of decay periods and dose conversion factors involved, the factor corresponding to 1 TBq of iodine varies with time and tends towards the value associated with I 131, which has a much longer decay period.

Table 5.2. Characteristics of iodine isotopes (DCF units as defined above).

Isotope   Activity (TBq) at t = 0   Decay period   Plume DCF   Deposit DCF   Inhalation effective DCF   Thyroid inhalation DCF
I 131     2.9 x 10^6                8.02 d         0.0257      1.89          2.93                       96.7
I 132     4.2 x 10^6                2.30 h         0.161       11.2          0.0303                     0.566
I 133     6.1 x 10^6                20.8 h         0.0417      2.99          0.500                      16.3
I 134     4.7 x 10^6                53 min         0.178       12.2          0.00996                    0.101
I 135     5.7 x 10^6                6.55 h         0.111       7.13          0.0966                     2.83
The thyroid dose conversion factor of 1 TBq of the mixture of iodine isotopes will be as follows, depending on the time elapsed since reactor shutdown:

Table 5.3. Thyroid dose conversion factor of the mixture of iodine isotopes.

Time          1 h    2 h    6 h    12 h   1 d    2 d    4 d    10 d   30 d
Thyroid DCF   17.2   19.3   24.5   28.1   33.2   40.3   50.2   69.2   93.9
The integrated dose as the plume passes, or the dose commitment by inhalation, is obtained by the formula:
Di = A x ATC x Fd x DCFi
where D is the integrated dose or dose commitment, i the exposure mode, A the activity released, ATC the atmospheric transfer coefficient, Fd the release duration correction factor and DCFi the dose conversion factor for exposure mode i.
The dose rate due to deposits during the first hour after the accident is obtained in the same way:
DR = A x STC x DCFd
where DR is the dose rate and STC the surface transfer coefficient. After the first hour, the radioactive decay of the element considered must be taken into account and also, in the longer term, its trajectory following rain-washing or penetration into the ground. In both these cases, the activity released is obtained:
• from the core inventory for the radionuclides considered, with allowance for decay
• from the release rate from the initial medium (core or primary coolant water, for example), associated with the clad failure rate in the case of fuel.
5.9. Changes in radiological consequence calculation methods

We have mentioned the conventional character of the approach described. Many coefficients are extremely penalizing, as is shown by extensive comparisons with international practice elsewhere. It is incomplete in that it does not include assessment of the problems raised by the medium and long term management of contaminated areas resulting from the accidents considered. Developments with respect to these two aspects will be discussed further on.

Moreover, the dose conversion factor values used are those given in ICRP publication 30, issued in 1979. But the notion of public has since changed and it is no longer a homogeneous adult population which is considered. In more recent texts (publications 56, 67, 69 and 71), attention to age-related biokinetic differences is recommended. For example, the new dose conversion factor for iodine 131 is 5 times higher for an infant than for an adult. For other iodine isotopes, this factor lies between 10 and 13. These modifications are not taken into account in the French regulations in force in 1995.
6
An example of accident analysis: LOCA
This chapter consists of a rapid and qualitative account, from the point of view of the physics of the phenomena as much as the design hypotheses, of a loss of coolant accident (LOCA) corresponding to the largest primary system break considered, which serves as the design basis for essential safety related components of the installation. The description takes into account all conventional conservative assumptions. Under real conditions, the situation would not evolve in such a prejudicial fashion.

There is a whole spectrum of potential primary system breaks, from those which are sufficiently minor for leakage to be counterbalanced by the Chemical and Volume Control System flowrate, up to complete double-ended rupture of a main primary loop pipe with deflection of both pipe ends. Ruptures of the latter type are liable to occur on the hot leg between the reactor vessel and the steam generator, on the intermediate leg between the steam generator and the primary pump, or on the cold leg between the primary pump and the reactor vessel on return towards the reactor core (Fig. 6.1.). The complete spectrum and all locations must be investigated, since the physical and mechanical phenomena and the behavior of engineered safeguard systems vary from one case to another. It will then be possible, as we shall show in the next chapter, to select the most penalizing cases for analysis.

Among large breaks, those which occur on the cold leg are the most serious from the thermal hydraulic standpoint, as steam venting can only take place after core dewatering. The pressure loss incurred in the steam generator tubes is extremely high and, in addition, much of the safety injection water will escape directly through the break. Hot leg breaks, on the other hand, involve the most penalizing stresses for reactor vessel internals, since the blowdown wave will strike this equipment without any damping effects.
6.1. Physical effects of a large break The description below concerns a cold leg break located between a primary pump and the reactor vessel.
Fig. 6.1. Diagram of a 3-loop 900 MWe.
6.1.1. Mechanical effects of blowdown During pipe rupture, a depressurization wave of between 50 and 100 bar will sweep through the primary system at a speed of about 1000 meters per second.
The arrival of this wave front in the vessel will induce negative pressure in the downcomer. The resulting stress on the vessel shell rings and especially on the core support structures, will be about 1500 t, far more than the effect of an earthquake, for example. The control rod mechanisms and reactor vessel internals will be subjected to major stresses, some of them being lateral stresses. As pressure upstream or downstream of the affected primary pump would fall sharply, the pump would operate at a speed which could reach twice the rated speed in forward or reverse flow. The centrifugal force applied to the flywheel would therefore be very high.
6.1.2. Thermal hydraulics and fuel behavior

Four distinct phases are involved:
• primary system depressurization (blowdown) and drainage
• core reflooding
• fuel rod rewetting
• long term behavior.
6.1.2.1. Blowdown

As soon as the break occurs, the primary system rapidly drains. The fluid issues from each broken pipe end at the critical flowrate, i.e. the unstable water and steam mixture (emulsion) flows out at the speed of sound. Since the fluid flows out from both sides of the pipe, there will be a zero velocity point in the primary system, the stagnation point. The position of this point will change as the process proceeds and will condition core cooling. When this point is located in the core, it will be in an environment where there is little convective heat exchange, since there is no circulation. In this case, removal of the heat produced by the fuel rods will depend solely on conduction and radiation. The location of the stagnation point is contingent on vaporization conditions in the different areas of the primary system, on pressure losses, notably in the steam generators and the pumps, on the position of the break and the fluid characteristics at both pipe ends, and on steam and water separation in slow flow areas.

Primary system drainage is accompanied by a rapid fall in the primary system pressure level down to saturation pressure in the hot zones between the upper part of the core and the steam generators. Then bulk water flashing occurs in the affected zones. Flow through the core tends to reverse, thereby shifting the stagnation point.
Fig. 6.2. Cross-section of a 900 MWe PWR reactor vessel.
The vaporization slows down pressure reduction in the primary system, but spreads through the core water which is at a slightly lower temperature. When bulk vaporization conditions are reached in the cold zones, between the steam generators and the reactor vessel inlet, the speed of depressurization reduces still further. Normal core flow resumes.
The accumulator tanks empty automatically into the primary system when the pressure falls below 40 bar, but without reflooding the core. This phase ends when the containment pressure balances that of the primary system, a few tens of seconds after onset of the accident.

In the core, the chain reaction was stopped by the moderator void effect when boiling occurred between the fuel rods, even before emergency shutdown was implemented. Despite the shutdown of nuclear power production, the fuel rods still contain energy and continue to release the decay heat due to fission products. Fuel cooling conditions quickly become unfavorable. As soon as the pressure reduces, burnout occurs and the cladding becomes surrounded with steam, which reduces the heat exchange coefficient by a factor of 100 to 1000. The cladding temperature rapidly increases by transfer of the energy accumulated in the fuel pellets. When there is no liquid left in the core, an adiabatic phase begins. Energy transfer can only take place by radiation and steam conduction. Clad temperatures rise again, but more slowly.

An exothermal reaction between the zirconium and the water or steam begins on clads where the temperature has exceeded 850 °C, which further exacerbates the phenomenon. Beyond this temperature, the power released by the water-zirconium reaction doubles every 50 °C and increases in an uncontrollable manner for temperatures slightly above 1300 °C. It then becomes impossible to stop the reaction before total oxidation of the zircaloy. Under the design basis accident conditions, clad temperatures must not exceed 1200 °C, thus preventing this critical phenomenon.

The pressure inside the fuel rods very quickly becomes higher than the outside pressure. The hottest rod clads swell elastically and then plastically and are liable to burst. If this happens, it will occur during the adiabatic phase.
6.1.2.2. Core reflooding

By the end of the preceding phase, the accumulator tanks have filled the core lower plenum and the downcomer with water. Low head safety injection, which like the accumulators is connected to the cold legs, then takes over. The water reaches the level of the bottom of the fuel rods, where it vaporizes, thereby preventing direct refilling of the primary system.
Core reflooding is a purely gravitational phenomenon. The weight of the water column in the downcomer must overcome the head losses of the steam and entrained water droplets moving through the core and, in the event of a cold leg break, through the steam generators and pump. The water level in the core rises gradually, without however rewetting the fuel rods. There is a film of steam around the rods preventing direct heat transfer between the cladding and the water. During this phase, a degree of cooling is ensured by steam convection and also by radiation between the dry parts of the fuel rods and water droplets entrained by the steam. In this way, the core is rapidly reflooded without however rewetting the clads, the temperature of which will increase slightly before decreasing.
6.1.2.3. Fuel rod rewetting

Unlike core reflooding, which is an essentially gravitational phenomenon, rewetting of the cladding is a thermal phenomenon. It consists of axial conduction along the rods, which enables the "wetting front" or "quench front" to move out of the lowest fuel element zone, which is the site of relatively low energy release. At this quench front and for several millimeters beyond it, the cladding temperature drops from a possible 1000/1100 °C for the hottest fuel rods to a temperature close to that of boiling water at a pressure of several bar, i.e. approximately 130 °C. Axial conduction in the cladding enables cooling of the rods to take place just above the quench front, thereby enabling progressive rewetting which continues to the top of the core.
6.1.2.4. Long term behavior and operator intervention When the accident takes place, the energy present in the core, the cooling water and primary system structures is found in the containment in the form of hot water and steam under a pressure of several bar. The residual power due to fission product decay will be gradually added. The safety injection and containment spray are initially supplied by the reserve water provided for this purpose (Reactor Cavity and Spent Fuel Pit Cooling and Treatment System tank). When the low level in this tank is reached, these two systems are connected to the containment sumps collecting overflow water which can then be recycled. Exchangers with a suitable capacity located in the containment spray circuit ensure energy transfer to the site ultimate heat sink.
This recirculation phase is liable to be very lengthy, i.e. months or even years. Given the speed of the initial phenomena, automatic protection methods are alone capable of adequately rapid response. Operators can only verify the correct operation of systems and protection devices and recirculation switching.

Their first direct action is connected with the risk of boron crystallization in the core. Water in the primary system contains boron in the form of boric acid* H3BO3 in solution, with a boron concentration varying between 0 and 2000 ppm (parts per million) for neutronic reasons (compensation for fuel burnup and temperature effects). Safety injection water always contains 2000 ppm of boron. Special smaller tanks from which water is injected into the primary system to cope with criticality accidents can contain solution with 7000 ppm of boron for the 1300 MWe PWRs and 21 000 ppm for the 900 MWe reactors. But since boric acid, which is relatively insoluble, is not entrained by the steam produced in the reactor core, there is a danger of a gradual buildup of boron concentration and then its crystallization, which would block all fluid circulation in the hottest channels. To prevent this from happening, it is planned to change the water flow direction in the core periodically by injecting water from the hot legs after a certain time and then reverting to the initial configuration. For the 900 MWe units, the first switch in flow direction must be carried out about 18 hours after the beginning of the accident and be repeated several times afterwards.
6.1.3. Effects on the reactor containment and internal structures In the event of a large break, out-spill into the reactor containment of all the primary system water and a substantial quantity of the safety injection water for cooling fuel and structures causes a significant rise in temperature and pressure in this containment. This phenomenon first occurs in the room containing the damaged pipe, each leg of each loop being more or less separated from the others by the reactor building internal structures which ensure support and routing of these pipes.
* Natural boron comprises 2 isotopes, 10B (18.3%) and 11B (81.7%). 10B has a very high thermal neutron capture cross-section: 4017 barns (1 barn = 10^-24 cm^2 per atom). By the (n, α) reaction it gives stable 7Li. Natural boron is added to the core coolant water in the form of boric acid, the molar mass of which is 61.8 g, including 10.8 g of boron. A 4% boric acid solution contains 0.7% of boron (7000 ppm).
Some of the walls of these structures are therefore subjected to major stresses due to pressure differences, the effect of water jets, pipe whip and hydraulic stresses within the primary system. In order to avoid the risk of additional pipe breaks, these stresses must not be transferred to other pipes. These compartments are, however, sufficiently open for the steam contained in them to escape rapidly into the containment itself.

Within this area, a first pressure peak is reached at the end of primary system depressurization. Condensation on the walls reduces this pressure and the associated temperature. The steam produced by rewetting the fuel rods could cause the pressure and temperature to rise again until startup of the containment spray system. Startup is automatic when the containment pressure exceeds 2.4 bar abs. but, in view of the startup delay for diesel generators, spraying can only be effective during the reflooding phase. From this point, temperature and pressure reduction will be practically continuous. The containment is consequently subjected to one or two internal pressure peaks, but also to thermal stresses which develop more slowly following progression of the temperature front through the containment concrete.

The containment might be subject, at a later period, to overpressure due to explosion of a mixture of hydrogen and oxygen. Oxygen is present in the containment air and hydrogen is released from the following sources:
• small quantities of hydrogen deliberately dissolved in the primary system water to "neutralize" water radiolysis in the reactor core
• zirconium - water reaction
• water radiolysis in the sumps due to radiation from the radioactive products this water contains.
Under the specified conditions of this design basis accident, radiolysis in the sumps would have to be extremely intensive for the hydrogen concentration to be sufficient to initiate a deflagration. This allows time to bring to the site the specially designed hydrogen recombination equipment, which is available on demand, but is not routine power plant equipment.
6.2. Assumptions adopted in safety analysis

In conformity with the principles outlined in Section 4.5, the assumptions retained are intended to give a conservative bounding character to the accident analysis with a view to determining the required characteristics for equipment, protection systems, engineered safeguard systems and the reactor containment.
These postulates will not always be the same, since the most penalizing are selected for each phenomenon considered. Only the most significant are outlined below.
6.2.1. Assumptions concerning estimation of fuel behavior

The postulated conditions are aimed at maximizing the fuel cladding temperature. To this end, the containment pressure is reduced to a minimum, thereby minimizing the density of the steam, which is the only cooling means available during the adiabatic phase.

The initial power is taken as equal to 102% of the rated power, increased by the pump power. The neutron flux and power distribution in the core are the least favorable of all the scenarios made possible by the operating conditions and authorized transients. The ratio between the power produced in the hottest centimeter of fuel rod and the mean linear power density exceeds 2.3. Residual power due to buildup of fission products corresponds to the reactor state where these values are highest (end of equilibrium cycle). The figure obtained is increased by 20% to cover calculation uncertainties.

Thresholds for the signals tripping the emergency shutdown and safety injection systems, which are normally set at 131 bar and 119 bar respectively, are reduced to 129 and 117 bar. Offsite power is assumed to have been lost as soon as the accident occurred. The safety injection and containment spray system pumps must consequently await emergency diesel powering. Safety injection only starts 30 seconds after the startup signal has been sent. In compliance with the single failure criterion, only one channel is operative, thereby slowing down reflooding, rewetting and the overall cooling of the primary system. However, containment spraying is assumed to start up 27 seconds after onset of the accident, and both channels function normally. These two postulates reduce the pressure in the containment and accelerate energy transfers.
6.2.2. Assumptions concerning estimation of consequences for the containment

Although we are still discussing the same accident, everything is now arranged so as to worsen the consequences for the containment. Certain specific postulates modify the assumptions outlined above.
The primary system water temperature is increased by 2.2 °C. The volume of this water is assumed to be 103% that of the cold primary system water. The adiabatic phase during which there is negligible energy transfer between the core and the reactor building atmosphere is not taken into account and this accelerates mass and energy transfer in the containment. The accumulators normally start operating at 42 bar, hence a little earlier than in the above scenario. The safety injection flowrate is maximum. Both channels are operating, which accelerates energy transfer and increases the pressure in the containment. Initial pressure and temperature levels in the containment are maximum permissible values for normal operation. In conformity with the single failure criterion, only one spray channel is assumed to be operating in the containment.
6.3. Acceptability criteria and results

These criteria were specified in 1973 by the American Safety Authorities (U.S. NRC) and have not been modified since that time. They are four in number:
• peak cladding temperature must remain less than 2000 °F (i.e. 1204 °C), to prevent runaway of the reaction between water and zirconium
• cladding oxidation rate must, at all points, remain less than 17% of its thickness to prevent embrittlement of the fuel rods at rewetting
• the average oxidation rate for core zirconium must remain less than 1% to limit the quantity of hydrogen produced
• the core must retain a geometrical configuration which enables it to be cooled.
Parametric investigations have revealed that the break giving rise to the most difficult conditions for the fuel is not a double-ended guillotine break with complete separation, but a break on the cold leg with partial separation. In this case, the accident scenario is more or less as follows:
• emergency shutdown signal after 0.5 seconds
• safety injection signal after 1 second
• start of accumulator injection after 16 seconds
• end of blowdown after 25 seconds
• start of pump safety injection after 31 seconds
• start of core reflooding after 35 seconds
• bursting of the hottest fuel rod after 24.5 seconds.
The temperature of the hottest fuel clad reaches 1200 °C. The clad with the highest rate of oxidation is only at 6.6%. The quantity of hydrogen produced by zirconium oxidation only represents 0.3% of its potential value, hence one-third of the specified value. Under these conditions the general geometrical configuration of the core remains unaltered.
6.4. Evaluation of radiological consequences

As we saw in Chapter 5, evaluation of the radiological consequences of a LOCA rests upon a certain number of postulates:
• the quantity of fission products built up in the fuel rods before the accident, the "core inventory"
• the fission product release rate during the accident, taking into account the fact that some have already accumulated in the clad-pellet gaps and that the others are retained in the fuel
• the proportion of fuel rods which have lost their cladding leaktightness, referred to as the clad failure rate
• the behavior of released fission products, considering their physicochemical forms and the various phenomena tending to retain them: physical barriers, deposition in the primary system or the reactor containment, entrainment in the containment spray water, etc.
• the containment building leak rate and the radioactive product release scenario, both from the containment building and from auxiliary buildings
• meteorological conditions on the site and the radioactive product mode of release to the environment.
Estimates are based on several sets of postulates. The disparity between the results obtained gives an idea of the conservative nature of certain options. Work is in progress to set up a more consistent set of postulates. The extension of international comparisons and, even more so, the preparation of an industrial project for a French-German designed reactor, emphasize requirements in this area.

The first set of assumptions we shall discuss was drawn up between 1970 and 1976 by the Nuclear Safety Department, which has now become the Institute for Nuclear Safety and Protection. These assumptions have changed little since then, are considered as "reasonably realistic" and have been used up till now for safety demonstrations. The second set is, by contrast, extremely pessimistic. Of American origin, it was designed to be applied to several types of reactor featuring a reactor containment and only explicitly takes into account systems common to all installations.
In conclusion, we shall describe a more recent set designed not for safety demonstration but for the preparation of external emergency plans. In this context, a compromise has to be found between the advantages and drawbacks of evacuating populations, confining people indoors or restricting consumption of foodstuffs and the risks actually incurred. Release estimates made in the safety demonstration context could lead to unsuitable provisions being made.
6.4.1. "Reasonably realistic" assumptions

Buildup of fission products corresponds to the maximum value during the reactor life span: a third of the core was irradiated for one year, a second third for two years and the last third for three years. The accident is postulated as occurring just before a refueling shutdown.

We have seen that the limit cladding temperature is 1204 °C. This criterion of course applies to the hottest centimeter of cladding in the core. Neutronic and thermal hydraulic studies show that the power given off by the hottest centimeter of fuel rod is 2.3 times higher than the mean power level. Despite optimization of core loading patterns, the power varies axially along each fuel rod. The discrepancy between maximum and mean values in this direction, called the axial hot spot factor, is about 1.55. The radial power factor reflects power distribution between the different fuel elements, which do not all have the same burnup fraction and are not located in the same neutron flux. This factor is about 1.5. Clad bursts are liable to occur at the hottest points on the hottest fuel rods. Despite the restriction of the hottest fuel clad temperature to 1204 °C and the fact that a larger number of fuel rods each release a fairly low amount of power, it is assumed that the integrity of all fuel clads is breached. It is obviously impossible to imagine a worse cladding failure rate, but this scenario is not intended for realistic assessment.

In the event of clad failure, release from the rod concerned consists mainly of fission products which had already migrated from the fuel pellets or which did so during the brief thermal transient. The space freed by the fuel pellets inside the clads is assumed to contain 2% of the noble gases but 30% of the krypton 85 and 3% of the iodine. At the time of the accident, the core is considered to contain 5.2 x 10^6 TBq of krypton including 0.2 TBq of krypton 85, 14.7 x 10^6 TBq of xenon and 28.7 x 10^6 TBq of iodine. It is then assumed that all these gases are released in the containment without any retention in the primary system.
This will lead to 4 x 10^5 TBq of noble gases and 8.6 x 10^5 TBq of iodine in the containment. The noble gases remain free in the containment but iodine might be retained in varying proportions, depending on its physicochemical form. Iodine might be released in molecular or particle form or combined with organic products. It is assumed that 90% of the iodine is molecular and 10% organic. Only containment spraying is taken into account; deposition on structures is disregarded. 99.9% of the molecular iodine is entrained in the spray water, which has no effect on organic iodine. The containment atmosphere now still contains 4 x 10^5 TBq of noble gases, 8.6 x 10^4 TBq of organic iodine and 7.7 x 10^2 TBq of molecular iodine.

In the case of 900 MWe nuclear unit reactor containments - single-wall containments with a metal liner - the allowed daily leak rate at peak pressure is 0.3% by weight of the gas mixture in the containment. A part of this leakage is conventionally assumed to reach the environment without filtering. This is the maximum authorized leak rate. It then decreases but is assumed to remain at half this value for 9 days, whereas the internal pressure has practically reverted to normal. With these postulates, within two hours, 0.022% of the products in the containment atmosphere will have escaped, involving 88 TBq of noble gases, 19 TBq of organic iodine and 0.17 TBq of molecular iodine. With the 1300 MWe nuclear units, equipped with double-wall containments, no liner but leak recovery systems with discharge of iodine through active charcoal filters, the release levels are slightly lower.

Atmospheric diffusion coefficients and ground deposition coefficients are calculated using charts developed in France by R. Le Quinio. This method considers meteorological conditions covering 95% of the possible scenarios and postulates that release occurs at ground level, which is unfavorable, especially for short distances. These conditions are maintained throughout the release period.
As we saw in the previous chapter, the atmospheric transfer coefficient at a distance of 500 m for a release lasting two hours is 6 x 10^-5, multiplied by 0.71 to take the release period into account. Using the dose conversion factor corresponding to 1 TBq of iodine in its isotopic composition after a decay period of two hours (19.3), we can then determine the dose commitment to the thyroid. The calculated thyroid dose due to inhalation of iodine within the plume is consequently (19 + 0.17) x 6 x 10^-5 x 0.71 x 19.3 = 15.8 mSv. For whole body exposure due to the plume, the effect of iodine, calculated using the dose conversion factor corresponding to external exposure (DCF = 0.097), must be added to the effect of the noble gases calculated under the same conditions (DCF = 0.024), giving a total of approximately 0.17 mSv.

The above numerical applications are approximate and simplified. The most recent EDF safety reports contain the following results:
• external whole body exposure due to the plume lasting two hours at a distance of 500 m: 0.146 mSv
• internal adult thyroid exposure due to iodine inhalation for two hours at a distance of 500 m: 11.5 mSv.
It is clear that, despite the use of pessimistic sets of assumptions, individual dose levels remain low, considering the estimated frequency of the occurrence considered, and are well below the values given in the table in Chapter 4 for fourth category accidents, i.e. 150 mSv and 450 mSv respectively. The safety reports also indicate the estimated thyroid dose for an infant fed exclusively and for a long period on milk from cows which had grazed on contaminated grass for two hours at a distance of 500 m: 1.58 Sv. This value is high, but corresponds to a theoretical scenario making no allowance for emergency plan provisions.
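The dose chain of Section 5.8 (Di = A x ATC x Fd x DCFi) applied to the "reasonably realistic" source term above, as an added example in Python that is not part of the book: the containment leak step, then the thyroid and whole body plume doses at 500 m for a two-hour release, checked against the fourth category limits. All numerical values are those quoted in the text; the function and variable names are this example's own.

```python
"""Added worked example (not from the book): the conventional dose chain of
Sections 5.8 and 6.4.1, D_i = A x ATC x Fd x DCF_i, applied to the
"reasonably realistic" LOCA source term at 500 m for a two-hour release."""
from dataclasses import dataclass

# Activity left in the containment atmosphere after spraying (TBq),
# as quoted in Section 6.4.1.
CONTAINMENT_ATMOSPHERE_TBQ = {
    "noble_gases": 4.0e5,
    "organic_iodine": 8.6e4,
    "molecular_iodine": 7.7e2,
}
# Fraction of the containment atmosphere escaping unfiltered within
# two hours, as stated in the text (0.022 %).
LEAK_FRACTION_2H = 2.2e-4

# Site and release parameters quoted for 500 m and a two-hour release.
ATC_500M_2H = 6e-5        # atmospheric transfer coefficient (s m^-3)
FD_2H = 0.71              # release duration correction factor
DCF_THYROID_2H = 19.3     # thyroid DCF of the iodine mix after 2 h (Table 5.3)
DCF_PLUME_IODINE = 0.097  # external plume DCF for iodine
DCF_PLUME_NOBLE = 0.024   # external plume DCF for noble gases

# Fourth category accident limits quoted in Section 6.4.1 (mSv).
LIMIT_WHOLE_BODY_MSV = 150.0
LIMIT_THYROID_MSV = 450.0


@dataclass(frozen=True)
class Release:
    """Activity reaching the environment, by radionuclide family (TBq)."""
    noble_gases: float
    organic_iodine: float
    molecular_iodine: float

    @property
    def iodine(self) -> float:
        """Total iodine, both forms inhaled from the plume."""
        return self.organic_iodine + self.molecular_iodine


def environmental_release(containment_tbq: dict, leak_fraction: float) -> Release:
    """Apply the containment leak fraction family by family."""
    return Release(**{k: v * leak_fraction for k, v in containment_tbq.items()})


def dose_sv(activity_tbq: float, atc: float, fd: float, dcf: float) -> float:
    """D_i = A x ATC x Fd x DCF_i: integrated plume dose or dose commitment (Sv)."""
    return activity_tbq * atc * fd * dcf


def thyroid_dose_msv(rel: Release, atc: float = ATC_500M_2H,
                     fd: float = FD_2H, dcf: float = DCF_THYROID_2H) -> float:
    """Thyroid dose commitment from inhaling the plume's iodine (mSv)."""
    return 1e3 * dose_sv(rel.iodine, atc, fd, dcf)


def whole_body_dose_msv(rel: Release, atc: float = ATC_500M_2H,
                        fd: float = FD_2H) -> float:
    """External whole body dose from immersion in the plume (mSv):
    iodine and noble gas contributions, each with its own plume DCF."""
    iodine = dose_sv(rel.iodine, atc, fd, DCF_PLUME_IODINE)
    noble = dose_sv(rel.noble_gases, atc, fd, DCF_PLUME_NOBLE)
    return 1e3 * (iodine + noble)


def within_category_4_limits(rel: Release) -> bool:
    """True when both doses stay below the fourth category limits."""
    return (whole_body_dose_msv(rel) < LIMIT_WHOLE_BODY_MSV
            and thyroid_dose_msv(rel) < LIMIT_THYROID_MSV)


# Release figures as rounded in the text (88, 19 and 0.17 TBq); the dose
# step uses these so that the result reproduces the book's arithmetic.
PAGE_RELEASE = Release(noble_gases=88.0, organic_iodine=19.0, molecular_iodine=0.17)

if __name__ == "__main__":
    leaked = environmental_release(CONTAINMENT_ATMOSPHERE_TBQ, LEAK_FRACTION_2H)
    print(f"released to environment: {leaked}")
    print(f"thyroid dose:    {thyroid_dose_msv(PAGE_RELEASE):.1f} mSv")
    print(f"whole body dose: {whole_body_dose_msv(PAGE_RELEASE):.2f} mSv")
    print(f"within category 4 limits: {within_category_4_limits(PAGE_RELEASE)}")
```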
6.4.2. Highly pessimistic American assumptions

The assumptions specified by American Regulatory Guide 1.4, which is not a statutory document, are as follows:
• complete loss of cladding leaktightness
• maximum fission product buildup in the fuel (these two assumptions are identical to those of the previous set)
• release into the containment of 100% of the noble gases and 50% of the iodine contained in the fuel. This does not correspond to the physics of a LOCA but rather to what is known as a core meltdown accident, a less frequent occurrence causing severe damage to fuel with loss of its geometrical configuration and hence significant overheating of the combustible mass
• absence of containment spraying but adsorption on the structures of 50% of the iodine released in the containment. As French reactor containments are equipped with a spray system supplied from two separate trains, this is a more serious scenario than that under investigation
• peak leak rate is postulated for the containment for the first 24 hours, followed by 50% of this leak rate for the remaining duration of the accident
• particularly penalizing environmental dispersion and deposition models.
6 - An example of accident analysis: LOCA
89
The results of these assumptions are as follows:
• external whole body exposure at 500 meters in two hours: 62 mSv
• thyroid exposure under the same conditions: 1.28 Sv.
The external exposure in this case is moderate. Thyroid exposure, on the contrary, is high. The total absence of spray facilities increases the consequences due to iodine by a factor of about 10.
6.4.3. International comparisons
In view of the extension of international relations, the Commission of the European Communities and the OECD have organized comparisons between methods of assessing the radiological consequences of accidents. These comparisons are only meaningful if it is possible to distinguish differences due to technology and specific accident conditions from those due simply to varying degrees of stringency in the postulates. At the present time, discrepancies of well beyond a factor of 100 are found in the estimated iodine consequences. The conventional values used in France for safety demonstration purposes are the least favorable. In other countries, however, radioactive products such as cesium or strontium are also considered, since they have a significant medium and long term impact.
6.4.4. Realistic assessments for the preparation of emergency plans
The accident we are discussing is by no means a specified requirement for the preparation of the external emergency plans for population protection, which will be discussed in Chapter 17. For the time being, there are no special detailed investigations of the assumptions to be taken into account, on a realistic basis, in the event of a LOCA, and no consensus has consequently been reached on this question. However, the calculations given in Section 6.4.1. can be used for this purpose, provided certain coefficients are changed. Nothing need be changed in the core inventory. On the other hand, a clad failure rate of 33% instead of 100% should cover all contingencies. Similarly, in view of the temperatures involved, the clad-pellet gap will be assumed to contain only 1% of the noble gases, including krypton 85, and 0.5% of the iodines and cesiums. Finally, only 0.3% of the iodine is considered to be organic, the rest being in particulate or molecular form.
90
Elements of nuclear safety
Containment spray efficiency will be penalized by a time lag, but this has no implications for the noble gases, nor for the organic iodine, which would in any case be unaffected. A containment leak rate below the design value could also be postulated, but this would have less impact than the changes proposed above. On this basis, we obtain the following release estimates:
• 14.4 TBq of noble gases
• 0.031 TBq of organic iodine
• 0.10 TBq of other iodines.
The thyroid dose will then be 0.107 mSv instead of 15.8 mSv. The dose due to exposure from the plume is 0.015 mSv instead of 0.17 mSv. Doses at these levels require no special immediate provisions with regard to the population. From this realistic standpoint, on the other hand, iodine and cesium deposits must be estimated in order to assess the necessary agri-foodstuff restrictions. The surface transfer coefficient at a distance of 500 m is 6 × 10⁻⁷ m⁻² (cf. 5.6). Organic iodine behaves like a gas rather than an aerosol and is therefore not counted in the deposit. The iodine deposit will consequently be 42 600 Bq/m². For cesium, the complete calculation starting from the core inventory indicated in Chapter 3 gives 15 000 Bq/m². Concentrations at these levels could entail certain provisional agri-foodstuff restrictions over 2 or 3 kilometers in the direction of the wind at the time of the release, but that is a far cry from the maximum permissible consequence limits.
6.5. Safety demonstration evolution
The safety approach described above is inherent to the authoritative foundation on which the first 900 MWe nuclear units built in France are based, even if we have referred to certain modifications. In view of the world experience available at the time, this foundation was considered adequate. Accidents on the reference list were studied in their initial, most active phase, covering a period of about thirty minutes or possibly more, to investigate boric acid crystallization risks. No further studies of subsequent phases, or of alternative accident scenarios entailing major radioactive release with possible population evacuation, were required from the operating utility as a preliminary to the authorization procedures. This approach, although it has not been judged invalid, has been considerably supplemented by input from the constant evolution of safety concerns, significantly disturbed by the Three Mile Island accident and then by the Chernobyl disaster. Answers have gradually been found, after often lengthy investigations.
7
Assessment of safety justifications
As already mentioned, the operator of a nuclear installation is primarily responsible for the safety of his installation. He must consequently perform his own safety analysis. In order to obtain the authorizations required for plant construction and then for its operation, he must submit this analysis to the safety authorities. The IPSN then carries out the technical analysis of the justifications presented, whilst the DSIN draws up the official and administrative documents required under current regulations and government policy, taking into account the opinion formulated by the IPSN and, where applicable, that of the competent Standing Group.
Safety analysis is therefore conducted in the first place by the plant operator, who must be able to demonstrate the soundness of all the safety related technical decisions he has made. This analysis is carried out in close collaboration with the system designer and manufacturer, but overall answerability to the public authorities remains with the operator. Assessment of the justifications presented is carried out by the IPSN, in its capacity as technical adviser to the DSIN; it appraises the validity and exhaustiveness of the justifications, the efficacy of the safety provisions made by the operator and their conformity with regulatory requirements.
It is obviously preferable for a permanent, iterative technical interchange to be set up between the safety organizations and the plant operator, so that any difficulties can be expressed and acceptable solutions found before the final documents are submitted for approval. This naturally implies consistent observance of the functions and responsibilities of all those concerned. The DSIN can then define the conditions under which the various decrees or ministerial approvals authorizing the building, startup tests, commissioning and commercial operation of the installation will be issued.
Appraisal of the safety justifications for an installation comprises two main aspects.
The first consists in checking for each plant that safety principles and methods of approach, together with any regulatory texts interpreting them, are effectively applied by the operator with the plant designers and builders and that the resulting technical solutions fulfill their purpose. In addition, all consequences of the various normal, incident and accident operating conditions must be examined. The second, more general and unconnected with a specific project, consists in carefully considering the principles and methods themselves with a view to optimizing them by examining them in greater depth and identifying weak points or inconsistencies in these approaches and their application to the design, construction and operation of nuclear installations. As regards light water reactors, changes in safety appraisal have been based on more and more extensive use of the probabilistic approach and on operating feedback concerning both French reactors and others throughout the world, constituting a complementary approach. In this chapter, we shall deal with the first part of the analysis, whilst main developments, operating surveillance and operating feedback will be discussed in later chapters.
7.1. Data drawn from operating condition studies
Operating condition studies carried out according to the conventions outlined in the preceding chapters are designed to check that, in view of the protection, safeguard and waste treatment systems, the planned operating modes and the postulated accidents will have acceptable radiological consequences. Furthermore, these studies are the source of a large amount of detailed data which forms one of the bases of safety analysis. From this data can be deduced:
• reactor core physical and thermal hydraulic operating conditions
• design stresses for structures and equipment
• the safety importance of each structure and item of equipment
• the functional requirements for each of these items
• the functional capacity required for each system
• incident and accident procedures
• the limits taken into account and the authorized operating range for each installation
• assessment of normal and accident release levels
• radiation protection conditions on the site.
We must also include options and investigations aimed at incident and accident prevention based on appropriate selection of materials and manufacturing and control techniques for major items of equipment implying competence in highly specialized fields. These will be considered later on in the context of discussion of operating surveillance and difficulties encountered in this respect.
7.1.1. Physical and thermal hydraulic operating limits for the reactor core
The gravity of the radiological consequences of the incidents and accidents considered will obviously depend on the fuel damage caused by these situations. But this damage is directly contingent on the mean thermal output of the fuel, on the maximum local power level and on the core cooling conditions defined by the reactor coolant pressure, temperature and flowrate. The phenomena which must be prevented or limited are fuel pellet bursting, melting of the pellet centre, excessively high clad temperatures liable to cause clad failure or melting, and repeated mechanical stressing which can cause embrittlement. The mean thermal output of the fuel is obviously proportional to the overall thermal output of the reactor. The local power level depends in addition on the shape of the neutron flux in the core and on the fuel enrichment distribution pattern. The flux shape and power distribution are notably affected by fuel burnup, control rod positions and degrees of insertion into the core, control rod movements and the resulting xenon poisoning buildup. Mechanical stresses on the clads may be related, for instance, to the rapidity of power increments. As we have said, the thermal output of a reactor core is regulated by controlling the core reactivity.*
The first condition of this control is core stability with respect to reactivity variations. This is obtained by ensuring that the volume of water between the fuel rods is slightly below that required for optimum neutron slowdown**. A power build-up will increase the temperature of this water, reducing its density and thereby neutron moderation and the capacity of the neutrons to produce further fissions. This negative temperature coefficient introduces a negative reactivity feedback which is essential to the stability of the system and consequently to safety. It is therefore when the core is cold, and the density of the water it contains is highest, that maximum potential reactivity levels are reached. The quantity of fissile material inserted in the core at each refuelling enables the reactor to operate for at least a year. This available reactivity is compensated for by means of control rods and boron dissolved in the primary coolant water. But control rods, which are highly neutron absorbent, considerably disturb the local neutron flux and hence the local power level, and cause mechanical stressing of the clads. So highly absorbent "black" rods are used for reactor shutdown and less absorbent "grey" rods for short term regulation. Another compromise has to be found between the number of control rods and the overall and individual rod worths: the rods must guarantee rapid shutdown of the reactor by rod drop with a sufficient margin, even without the rod of highest worth, while the ejection of that highest-worth rod, a 4th category accident, must not give rise to consequences unacceptable for this category. Using boron dissolved in the water does not entail the same drawbacks, since it is evenly distributed. However, altering the concentration is not a fast process, and there is a maximum concentration limit which has serious safety implications.
Care has to be taken to prevent the overheating of a moderator containing an excess of neutron poison, since the drop in water density would also reduce the density of the poison, causing an increase in reactivity and consequently a power buildup which could be divergent. This is known as a positive temperature coefficient, a situation which is prohibited for the reactors considered. Many plant design and operating constraints, together with protection and engineered safeguard system design, are determined by such considerations.
* Reactivity expresses the departure from unity of the ratio of the number of fissions in one generation to that in the previous one, i.e. of the effective multiplication factor. In France, a very small unit is used, the pcm (pour cent mille), which corresponds to an effective multiplication factor of 1.00001. Other countries use the % unit. The greater part of the neutrons involved in the chain reaction are released directly when fission occurs. Their lifetime is short, about 25 µs for light water reactors. For some, however, release is delayed, depending on the radioactive decay of certain fission products. These neutrons play an important part in reactor kinetics. Their contribution, named β, notably depends on the fissile nuclei: 1470 pcm for U 238, 650 pcm for U 235, 210 pcm for Pu 239. The effective β value depends on the proportion of these nuclei. For the uranium-fueled French PWRs, β_eff varies between 500 and 700 pcm. In the case of mixed oxide fuel, it is between about 450 and 510 pcm, thereby necessitating more control rods. When reactivity is higher than β_eff, the time separating two generations of neutrons is very short. Extremely fast power variations can then occur. In some countries, β_eff is used as the reactivity unit, usually expressed in dollars ($).
** Cf. Section 30.5.3.
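The reactivity units and the prompt-criticality threshold defined in the footnote, worked through as an added example (this is not code from the book): reactivity as the departure of k_eff from unity, the pcm, the percent, the dollar (reactivity divided by β_eff), and the per-nuclide delayed-neutron fractions quoted in the footnote. Estimating β_eff as a fission-share-weighted average of those fractions is a simplifying assumption (a real β_eff also carries neutron-importance corrections), and the core compositions UOX_CORE and MOX_CORE are assumed illustrative values, not data from the text.

```python
"""Reactivity units and the prompt-criticality margin.

Added example, not from Libmann's text. It implements the definitions in the
footnote: reactivity as the departure of the effective multiplication factor
k_eff from unity, the pcm (1e-5), the percent unit, the dollar (reactivity
divided by beta_eff), and the per-nuclide delayed-neutron fractions quoted
there. The estimate of beta_eff as a fission-share-weighted average is a
SIMPLIFYING ASSUMPTION (a real beta_eff also carries neutron-importance
corrections); the fission shares below are ASSUMED illustrative values.
"""

PCM = 1.0e-5  # one "pour cent mille" of reactivity

# Delayed-neutron fraction of each nuclide, in pcm (values from the footnote)
BETA_PCM = {"U238": 1470.0, "U235": 650.0, "Pu239": 210.0}


def reactivity(k_eff: float) -> float:
    """rho = (k_eff - 1) / k_eff, dimensionless; zero for an exactly critical core."""
    return (k_eff - 1.0) / k_eff


def k_eff_from_reactivity(rho: float) -> float:
    """Inverse of reactivity(): k_eff = 1 / (1 - rho)."""
    return 1.0 / (1.0 - rho)


def to_pcm(rho: float) -> float:
    return rho / PCM


def to_percent(rho: float) -> float:
    return rho * 100.0


def beta_eff_pcm(fission_shares: dict) -> float:
    """Fission-share-weighted beta in pcm. Shares must sum to 1 (ASSUMED simplification)."""
    total = sum(fission_shares.values())
    if abs(total - 1.0) > 1e-9:
        raise ValueError(f"fission shares sum to {total}, expected 1")
    return sum(BETA_PCM[nuclide] * share for nuclide, share in fission_shares.items())


def to_dollars(rho: float, beta_eff: float) -> float:
    """Reactivity in dollars: rho / beta_eff, both dimensionless. 1 $ is prompt critical."""
    return rho / beta_eff


def is_prompt_supercritical(rho: float, beta_eff: float) -> bool:
    """True once rho > beta_eff: prompt neutrons alone sustain a growing chain reaction
    and the generation time collapses to the prompt lifetime (about 25 us in a PWR)."""
    return rho > beta_eff


# Constructed core compositions (fraction of fissions per nuclide): illustrative only.
UOX_CORE = {"U235": 0.90, "U238": 0.07, "Pu239": 0.03}
MOX_CORE = {"U235": 0.45, "U238": 0.08, "Pu239": 0.47}


def kinetics_summary(k_eff: float, fission_shares: dict) -> dict:
    """Express one reactor state in every unit of the footnote and flag prompt criticality."""
    rho = reactivity(k_eff)
    beta = beta_eff_pcm(fission_shares) * PCM
    return {
        "rho_pcm": to_pcm(rho),
        "rho_percent": to_percent(rho),
        "beta_eff_pcm": beta / PCM,
        "rho_dollars": to_dollars(rho, beta),
        "prompt_supercritical": is_prompt_supercritical(rho, beta),
    }


if __name__ == "__main__":
    # The same reactivity insertion is sub-prompt-critical in the UOX core but
    # prompt supercritical in the MOX core, whose beta_eff is lower.
    for label, core in (("UOX", UOX_CORE), ("MOX", MOX_CORE)):
        for k in (1.001, 1.006):
            s = kinetics_summary(k, core)
            print(f"{label} k_eff={k}: {s['rho_pcm']:.1f} pcm = {s['rho_percent']:.3f} % = "
                  f"{s['rho_dollars']:.2f} $ (beta_eff {s['beta_eff_pcm']:.0f} pcm), "
                  f"prompt supercritical: {s['prompt_supercritical']}")
```

The point of the comparison in the main block is the one the footnote makes about MOX fuel: a given reactivity insertion is worth more dollars, and crosses the prompt-critical line sooner, when β_eff is smaller.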
Obviously, the physical and thermal hydraulic design studies must encompass all types of load, all fuel depletion conditions and all reactor states, from rated power to cold shutdown. Any change in fuel characteristics such as, for instance, the introduction of a significant proportion of plutonium oxide mixed with uranium oxide, requires the revision of these design studies.
7.1.2. Assumptions on primary breaks
Analysis of possible primary system pipe breaks has direct implications for the analysis of core cooling in an accident situation which we have just discussed. It helps to define the requisite safety injection and containment spray characteristics. Pipe breaks are also considered in the stress analysis of many items of equipment and devices which may be required to withstand the mechanical effects of such breaks without worsening the accident conditions. Examples of such equipment would be:
• the NSSS itself (vessel, internals, other piping and associated supports)
• the containment and its internal structures, including the reactor pit.
The size of postulated breaks also has repercussions on the qualification of containment equipment required during and after the accident.
7.1.2.1. French position on this question In France, eleven possible primary pipe break locations are considered. In each case, the break is assumed to be instantaneous. One is longitudinal and the others are perpendicular to the pipe axis (guillotine breaks). A guillotine break on the cold leg at the primary pump outlet is conventionally analyzed, postulating a double-ended break: the gap between the pipe ends is assumed to have widened so that flow from both sides is unhindered. For other breaks, whipping is assumed to be restricted by devices impeding movement. This method is derived from the American licensing provisions, where the breaks were selected according to mechanical criteria and postulated in the most heavily stressed parts of the primary system. Since the introduction of the 1300 MWe nuclear units, safety demonstration has consisted in checking that break postulates considered were bounding cases for all possible primary system breaks in these plants.
7.1.2.2. The LBB (Leak Before Break) postulate
Some countries, like the United States, Germany and the former Soviet Union, have considered that, provided adequate precautions were taken in the selection of materials and manufacturing processes, in the design, calculation, installation, initial inspection and in-service inspection of piping, the possibility of a major instantaneous pipe break during reactor operation could be excluded, even under stressed conditions. This is the "Leak before break" postulate, which is gradually becoming "Break preclusion". We would point out that the concept of break preclusion is applied in France to the reactor vessel, the primary pump casing, the steam generator bundle wrappers and those parts of the steam lines located between the containment and the main steam line isolation valves. This postulate is justified by special precautions regarding the selection of materials, manufacturing processes, design, sizing and layout rules and in-service inspection routines. The consequences of steam line breaks for the reactor core were nevertheless calculated to ensure that they would not be unacceptable. On the other hand, pipes may be subjected to various degradation mechanisms, such as wastage, vibrations, water hammer, fatigue due to thermal stratification or even to load drops. Owing to the difficulty of mastering such a complex range of phenomena, the break exclusion concept has not so far been adopted in France for main primary system piping. Despite progress in in-service surveillance and in the assessment of the harmfulness of defects, it would be unreasonable to modify the detailed design of the reactor containment and engineered safeguard systems, presently sized to contend with a double-ended guillotine break.
7.1.3. The importance of items of equipment for safety and safety classification The importance of each item of equipment for safety can be ascertained by two complementary paths. The first has already been touched upon. This is the importance of an item of equipment as incident or accident initiator. It is, therefore, the direct consequences of a component failure which shall determine the selection. If the list of operating conditions only includes the most serious initiating events for each category - the "bounding cases" - we shall here consider all the components likely to cause accidents or incidents of the same family.
It is in this way, for example, that the first tank of the Boron Recycle System was chosen to check the risks associated with release of its contents, as this tank contains, potentially, the largest amount of radioactive gas in the nuclear auxiliary building. The other tanks, of lower capacity, must not however be overlooked. The second path also resulted from study of incidents or accidents. In the course of these studies, the various systems required to limit the consequences of equipment failure of the first group became apparent. These systems and items of equipment which, of course, include the engineered safeguard systems, comprise not only piping, pumps and valves but also electrical power supplies, sensors and instrumentation and control systems. All these components are equally important, as malfunction of any one of them can impede correct operation of all the rest. Generally speaking, the importance of all support systems must be recognized. For example compressed air, required for operation of some valves and for diesel generator startup and which played a part in ensuring airlock airtightness on most of the 900 MWe unit reactor containment buildings, or the water or ventilation systems used for motor cooling. This approach has only been applied progressively. For example, the American reference for the French 900 MWe standardized plant series did not grant the same level of importance to the Component Cooling System (CCS) and the Essential Service Water System (ESW) as to the Containment Spray System (CSS). However, this latter system which ensures core cooling following a primary break is only effective if the exchangers are supplied, on the secondary side, by cooling water transported by the Component Cooling System which is itself cooled by the Essential Service Water System. 
The original approach can be explained by the fact that a break in the CCS or ESW systems does not involve any direct radioactive release, as these systems transport water which is, at least in theory, uncontaminated. Considered as initiating events, leaks from these systems have no consequences. The same can be said for the steam generator auxiliary feedwater supply system, which also only carries clean water. This system is, however, a full engineered safeguard system. It is crucial in the event of a break in the steam piping or in the normal steam generator feedwater piping, and also in the much more frequent event of interruption of the main feedwater supply to the steam generators or loss of offsite power. Reclassification of this system in a more stringent category is hence confirmed, in this case too, as being necessary. All this work of analysis concludes with classification of equipment into three categories defined in the design and construction rules for mechanical equipment (RCC-M) and a category 1E for electrical equipment (RCC-E).
The corresponding equipment is then required to comply with the following minimum requirements:
• subjection to a design and construction code defining notably the methods to be used for design calculation, procurement, construction and layout
• application of quality assurance procedures
• performance of routine in-service tests
• capability to withstand a safe shutdown earthquake
• qualification for normal and accident ambient conditions and earthquake resistance.
Category 1E electrical equipment shall in addition be redundant and provided with an emergency power supply. Equipment classification is the subject of a basic safety rule (RFS IV.1.a). This work was subsequently revised for application to the P'4 standardized series units and again for the N4 units, as we shall see at the end of this chapter.
7.1.4. Functional requirements and safety classification
The equipment classification which we have just mentioned only represents a first level of prioritization. This is insufficient on its own. It is also necessary to specify precisely what is required of each component and hence to define the required functional capacity of each one individually. Clearly, following an earthquake of the level classified as a Safe Shutdown Earthquake, the installation is no longer in an operational state. Some pipes useful in normal operation might be bent. Pumps and valves required for electricity production might be blocked and incapable of functioning. This may preclude any hope of a later restart but must not cause an accident involving unacceptable radioactive release. In particular, pipes carrying primary or secondary coolant must retain their leaktightness. For an engineered safeguard system component, however, the situation is entirely different. In compliance with the accident design assumptions, this component must retain its capability of fully performing its function even after an earthquake of this kind. It should be checked by any effective method that the pumps provide their rated flowrate, that the piping allows the pumped fluids to pass, that the valves can be opened and closed without difficulty and that all sensors, electrical links and corresponding instrumentation and control systems provide the data required of them clearly and precisely.
This equipment, much of which is not used during normal operating conditions, must remain in normal functional state. For mechanical equipment it is necessary to differentiate between equipment comprising mechanisms or parts which have to move to fulfill their function, i.e. "nonstatic" components, and other equipment, which is referred to as "static". There are, therefore, three functional requirement levels:
a - Integrity of the pressure barrier, which applies to all static mechanical components under pressure without consideration of requirements relative to their deformation. This level is designed to guarantee, for these items of equipment, containment of the transported fluid.
b - Functional capacity, which applies to static equipment traversed by fluid, is intended to limit equipment deformation to levels where, for example, a flow reduction could not prevent performance of the safety function concerned.
c - "Operability" applies to nonstatic mechanical equipment. It aims at ensuring correct operation of the mechanisms or movable parts whose movement is necessary for the carrying out of their appointed safety function.
The codes defining equipment design and construction rules, such as the American ASME code or the RCC-M, define the design methods and the criteria levels to be applied to classified equipment and include four criteria levels of decreasing stringency for each category: these "criteria levels" are referred to by the letters A, B, C and D.
In the special case of accident operating conditions (categories 3 and 4), it is assumed that:
• application of level C and D criteria is, generally, equivalent to a demonstration of equipment integrity for accident operating conditions of category 3 and 4 respectively
• application of level C criteria is, generally, equivalent to a demonstration of the functional capability of static mechanical equipment
• application of level B criteria works towards the demonstration of the operability of nonstatic mechanical equipment: this demonstration must be completed by experimental checks and/or analyses.
A detailed examination of safety-related equipment for the 1300 MWe units was carried out jointly by Electricité de France and the safety organizations. This enabled the design load combinations for this equipment and the applicable criteria levels to be established simultaneously. Following further discussions, a Basic Safety Rule has been issued concerning this data (RFS IV.2.a).
7.1.5. Equipment qualification under accident conditions
We have just seen how the design conditions for mechanical equipment are defined, with particular attention to the accelerations and differential movements due to a safe shutdown earthquake. This is not, however, adequate to ensure the correct behavior of equipment immediately after an accident occurs and, possibly, for a long period afterwards. If the equipment is located within the containment, it will also be subject to several hours at high temperature in a humid, chemical-laden atmosphere at a radiation level of several hundred kGy. As a precaution, we assume that all this occurs on an item of equipment which has already deteriorated through the effects of time, temperature, ambient radiation, and even several earthquakes lower in intensity than a Safe Shutdown Earthquake. Equipment located outside the containment will obviously not be subject to all these conditions. Two qualification programs have therefore been drawn up, with a value equal to or higher than that given by the accident studies being taken for each parameter.
Fig. 7.1. Qualification program.
For equipment installed outside the reactor building:
• tests introducing the high stresses experienced by the equipment, e.g. 1500 startups for motors
• seismic tests comprising at least five earthquakes equivalent to a Maximum Historically Possible Earthquake (MHPE), referred to as an Operating Basis Earthquake (OBE), and at least one Safe Shutdown Earthquake (SSE)*.
For equipment installed within the reactor building and which is required after an accident (Fig. 7.1.):
• initial aging comprising irradiation at 260 kGy at 70 °C
• a series of seismic tests exactly as above, then a further irradiation at 600 kGy at 70 °C
• chemical and thermodynamic conditions: 5.5 bar abs. and 156 °C in two thermal shocks followed by a 4-day decay period, with spraying of the equipment with a solution containing boric acid and sodium hydroxide; these two tests simulate the accident period
• maintenance of a humid atmosphere at 100 °C for 10 days to simulate one year's post-accident atmosphere.
The equipment being tested must continue to fulfill its function at all times during the test program. A third qualification program can be defined for electrical equipment installed in the reactor building which is required under normal operating conditions and under earthquake stresses, but whose availability is not required after a thermodynamic accident in the containment. This program comprises only:
• aging with irradiation
• the series of seismic tests.
7.1.6. Functional capacity of systems The study of listed operating conditions enables a number of operational points of the engineered safeguard systems to be defined, taking into account application of the single failure criterion. These isolated points are not sufficient to completely define these systems and a more detailed, more continuous study grouping together the requirements relative to the various system demands is necessary. Several examples of this process are given below. The safety injection system comprises, notably, low head injection pumps with a high flowrate but a low discharge pressure (20 bar), adapted to large breaks which were examined under the fourth category. Two other high or medium head pumps, depending on the standardized plant series, have a much lower flowrate and are adapted to third category small breaks.
* These earthquakes are defined in Chapter 10.
A continuous spectrum analysis of the size of primary system breaks has shown that, in an intermediate situation not covered by the conventional design situations, the high pressure system flowrate was insufficient to offset the leak and that the backpressure in the primary system prevented the low head pumps from discharging. Adaptations were therefore necessary. Similarly, if the spray system in the containment is examined, it will be seen to fulfill several major functions, none of which must be overlooked:
• protection of the containment:
- regarding overpressure
- regarding increases in concrete temperature and thermal gradient
• core cooling
• containment barrier
• control of chemical processes in the containment:
- trapping of iodine
- neutralization of substances corrosive for equipment.
As an example, the implications of one of these functions can be considered in detail: core cooling. This is a function of the Containment Spray System (CSS), as this system is the only one functioning after a LOCA that is equipped with heat exchangers. When the phase of suction from the reserve water tank, for the spray systems in the containment and for safety injection into the core, is finished, the systems switch over to suction from the sumps in the containment. The switching sequence, opening of certain valves and closing of others, must be examined in detail along with the data used to trip this sequence. Next, to make this hot water circulate over a period of months, there must be sufficient water in the reactor building sumps for the pressure upstream of the pumps to be adequate. This depends on the quantity of water delivered by the primary system, the volume of water taken from the reserve tank, the shape of the sumps and the efficiency of the anti-vortex system. It is also important that water showering down from the top of the containment is not trapped at any point in the reactor building, particularly in the pools.
For this reason the drainage systems at the bottom of these pools and the corresponding instructions must be checked. Circulation can only proceed correctly if the water does not contain too much foreign matter. The sumps are equipped with filters which must retain a sufficient quantity of impurities without clogging. Specifications shall be drawn up concerning the cleanness of the building or the quality of paint to be used, prohibiting, for example, the use of plastic sheeting. This circulation must be assured over a long period of time. All active systems, including the pumps, must consequently be adequately sized with margins regarding the minimum required flowrate and appropriate protection devices to avoid exceeding the maximum flowrate. This equipment must be qualified in all areas particularly regarding resistance to impurity laden fluids.
7 - Assessment of safety justifications
103
The periodic monitoring of this equipment must enable its initial good condition to be guaranteed in the event of an accident. Any devices for repair (after an accident) of the circuit conveying a highly radioactive fluid must be provided for and installed when the plant is built. This circulation is designed to make water pass through the heat exchangers to ensure that it is cooled. On the secondary side of these exchangers is the water for the Component Cooling System (CCS). The water for this system is itself cooled in other heat exchangers by raw water from the Essential Service Water System (ESW). The minimum characteristics of this entire chain must be ensured regarding flowrates and heat exchange capacity, even if the cooling water (sea or river water) is unusually warm. The overall study is, of course, presented on paper at the equipment design and construction phase, but actual tests which should be as complete as possible are also required. They generally take place at the time of unit startup. Finally the operating technical specifications and periodic tests must ensure the continuity of all required characteristics.
7.1.7. Accident or incident procedures

Initially, incident or accident studies were essentially carried out, with the help of highly pessimistic codes, to check the acceptability of individual radiological consequences and the capacity of control and engineered safeguard systems alone to bring the installation to a stable condition in a relatively short period. To begin with, accident operating procedures were based on conventional accident studies, focusing on a specific initiator associated with pessimistic views of the various possible effects of a single failure. Subsequently, these procedures were totally rewritten, using realistic codes, and extended to cover much longer time periods. Systematic checking of the consistency and quality of data required for automatic and then manual control of the accident situation has been carried out. This concerns the precision, possible drift, redundancy and qualification of all logic protection circuits along with the required sensors. It also concerns all the data signalling methods in the control room or locally, whether they be indicators or recorders, but also alarms or alarm records enabling the appropriate procedure to be identified. This was all re-examined following various French incidents but, above all, after the accident at Three Mile Island and also for the introduction of the N4 standardized series. The importance of the ergonomic aspect and, more generally, the man-machine interface has thus gradually been acknowledged.
We shall further discuss procedure assessment in Chapter 22.
7.1.8. Authorized limit values and operating range

It has already been pointed out that the initial accident study conditions were chosen with reference to pessimistic values in order to penalize the possible consequences. To retain the bounding case character of these accident studies it is necessary that the installation be maintained at all times within the defined operating range. This will be the function of the technical operating specifications. Any infringement of established thresholds could have an unforeseen negative effect on the development or outcome of an accident. Similarly, the accident studies assume the availability of certain systems and items of equipment. The installation must be capable of coping with any unforeseen single failure at the moment of the incident or accident. The technical specifications* therefore outline for each reactor operating condition the list of equipment the availability of which is essential. It must be borne in mind that application of the single failure criterion to systems relying on only two trains enables just one unforeseen or latent but unknown failure to be dealt with. Discovery of the unavailability of an item of equipment following, for example, a periodic test, requires that, if operation is to continue, the single failure criterion be applied to the other line, since it is assumed that the entire system may be lost. This situation cannot be acceptable for any length of time. On the other hand, to impose immediate withdrawal to a fallback mode where this system is not required might engender a slight risk due to the transient operating condition which this would impose. The time periods for which operation with one channel unavailable for unforeseen reasons can be maintained have therefore been specified for each safety-related system, based on the judgement of the engineer and where necessary substantiated by the probabilistic considerations which shall be outlined in Chapter 20.
It should be noted here that these considerations only apply to unavailability revealed by tests and not deliberate or programmed unavailability. The design of systems with two channels each with 100% capacity in French installations imposes, in this connection, certain constraints that three or four channel systems avoid. Operating technical specifications include, therefore, besides the limit values for safety parameters, tables specifying for each instance of unavailability of safety-related equipment, a maximum time period which can be tolerated before plant unit withdrawal to a fallback mode, which is itself specified, unless the equipment has been able to be repaired and requalified.

* See Chapter 22
7.1.9. Normal and accident release and radiological conditions in the installation

Definition of the various normal operating conditions, the acceptable fuel clad failure rate during operation, the number of transients of each type foreseen, the load following conditions and the type of rod cluster control assembly used enable evaluation of the quantities of water entering and exiting the primary system so as to be able to adjust accordingly the boron concentration and the quantities of radioactive products contained therein. This represents water and gas which must be treated and could subsequently entail deliberate release. This enables the treatment, storage, and waste release systems required to cope with the most penalizing foreseeable situations to be defined without exceeding the authorized release limits. If these systems are well designed, habitual release levels will be kept significantly below the authorized levels, which are nonetheless stringent. Definition of the level of radiation sources directly due to fission or activation, or transported to other rooms by liquid or gas, also enables the thickness of required shielding and the level of ventilation in various facilities to be established. In this area, it is not sufficient to simply consider the various conditions connected with normal operation. It might be desirable, even necessary, to service a faulty component locally - outside the reactor building of course - in accident conditions where, as the fuel has deteriorated, the primary coolant has become highly radioactive. This is, obviously, only possible if the radiation protection conditions already arranged allow it.
7.2. Checking the number of lines of defense

It has already been pointed out in Chapters 4 and 7 that some accidents were not taken into account in the conventional list of operating conditions. These concern mainly the rupture of large apparatus such as the reactor vessel, the steam generator outer shell, the pressurizer or the primary pump casing. Rupture of the reactor vessel and, more simply, any major break in lower structures affecting, for instance, a large number of in-core instrumentation tubes, renders the safety injection system ineffectual. With the design of French installations, it is the water column located around the core between the vessel internals and the vessel, beneath the nozzle level, which enables gradual reflooding of the fuel after a major primary break. Any significant break undermining the efficiency of this water column will make core reflooding uncertain, with extremely serious consequences. Rupture of the reactor vessel is an unlikely event and the manufacturing and checking conditions for this apparatus are specified in such a way as to keep the likelihood of this occurrence to an extremely low level; these conditions are the subject of specific regulatory documents. The case of the in-core instrumentation tubes and their penetrations located in the lower part of the vessel is not dealt with in such a straightforward manner. Hence, the safety authorities have requested both specific precautions for design and construction of these tubes and their support structures to prevent rupture, checks on the risk of pipe whip of ruptured tubes and the consequences for neighboring sound or weakened tubes, and finally parametric studies of the consequences for the core depending on the number of broken tubes. These studies revealed that, for the safety injection system as currently defined to be impeded, five to thirteen tubes out of fifty-five would have to be broken, which seems highly unlikely (case of the 1300 MWe units). Regarding the secondary system, the steam generator outer shell and the main steam line pipe systems located between the containment and the stop valves also constitute a special case. Fast burst of the steam generator outer shell could cause rupture of a large number of steam generator tubes. In this way two major accidents are compounded: a very large secondary break in the containment and a primary break. Together these could cause a very serious situation.
Once again it is due to design, construction and in-service inspection methods defined in regulatory documents concerning pressure vessels and carefully evaluated during safety analyses that the probability of this accident occurring is sufficiently low for it to be excluded from the conventional list of operating conditions. In the event of rupture of a main steam line between the containment and the corresponding stop valve, it is not possible to ensure a rapid and complete closing of this valve. As study of a fourth category accident of this kind requires application of the single failure criterion, it is necessary to postulate the failure to close of another steam stop valve. There would then be rapid drainage of two steam generators out of three for 900 MWe reactors or out of four for 1300 and 1400 MWe reactors. The corresponding cold surge on the core would induce a power buildup which the concentrated boric acid injection systems associated with the safety injection systems and the dropping of all rod cluster control assemblies would not be able to completely control. The reactor core, in particular, could become supercritical again. This would produce a certain fission energy which would further impede core cooling. The American license, by defining a "superpipe", associated this idea with special design and checking criteria that enable ruptures of this kind to be disregarded, since they are given a sufficiently low probability.
Fig. 7.2. Excluded ruptures.
Study of drainage of two steam generators was, however, requested by the French safety authorities. This study shows that, even under the worst conditions, the consequences remain fairly limited. Furthermore, special attention was focused by both operators and safety organizations on the results of periodic inspections carried out on these pipes and on the various welds connecting the lines of valves at these points. We shall come back to this aspect in Chapter 25. We have just specified those parts of the installation the failure of which has not been provided for by specific engineering safeguard systems (Fig. 7.2.). Therefore, one line of defense is missing in these areas, but this is compensated for by reinforced preventive measures. There exists moreover at least one case of multiple failure, investigated in the mid-seventies and capable of causing the simultaneous loss of two lines of defense: in the event of total loss of power, a situation not provided for in the design arrangement we have just examined, a break could occur at the primary pump seals, which are no longer cooled, while the safety injection system, apart from the accumulators, is inoperable because its pumps have lost power. We shall see in Chapter 11 how, and in the light of what studies, it was decided to take measures to deal with such situations.
7.3. New safety demonstration requirements for the N4 series

The transition from one standardized plant series to another always implies systematic re-examination of safety demonstration methods and consistency. We have already mentioned the changes introduced between the 900 MWe and 1300 MWe plant units. As the reactor design gradually evolved from almost entirely American (Westinghouse license) to become 100% French with the N4 series, this process was facilitated. The detailed re-examination of the steam generator tube rupture accident which we have just mentioned and which is fully discussed in Chapter 8, proved an important element in these decisions. The main points are:
• explicit inclusion of the human intervention phase during accident situations
• extended application of the single failure criterion
• inclusion of earthquakes as initiating events
• extension of safety classification.
7.3.1. Explicit inclusion of the human intervention phase during accident situations

At the end of the previous chapter, we indicated that the initial analysis was particularly focused on checking engineered safeguard and protection system design and therefore centered attention on the first phases of the accident where these systems start up automatically. Analysis of the steam generator tube rupture accident after its reclassification as a 3rd category event revealed the need for a detailed investigation of the phase during which the operators are required to resort to manual actions. The most important systems for limitation of the radiological consequences of the accident were found not to be the safety classified engineered safeguard systems, and the rapidity of operator action was found to be a decisive factor with regard to the consequences. This is the case for the secondary system devices for discharge to the atmosphere. Another example is pressurizer spraying, which is indispensable for the management of primary system pressure reduction*. The operating condition design rules defined for the 1400 MWe standardized units explicitly include the human intervention phase until such time as the reactor can be maintained in a safe configuration. The accident studies only consider actions explicitly provided for in the procedures. With this approach, actions and items of equipment can be safety-prioritized, which is in fact one of the methods used for the safety classification of the equipment concerned. This naturally implies that the post-accident operating procedures comprise a means of securing a safe reactor condition using only safety classified equipment. Other equipment, which is not indispensable but may contribute to improving or facilitating reactor control, is also considered as safety related but subjected to less stringent requirements.

* See Chapter 8

7.3.2. Extended application of the single failure criterion

Observance of the single failure criterion is one of the characteristic elements of safety related systems. The basic safety rule concerning this criterion contains a long but limited list of the systems to which it must be applied. As we have already seen, the primary system depressurization system and the secondary system dump to atmosphere devices are not included in this list despite the role they play in a specific accident scenario. Rather than attempting to draw up a new list, the exhaustiveness of which would not be any better demonstrated, it was decided to base the category 2, 3 and 4 accident studies for the N4 series on application of an active or passive failure to any system, component or control device affected by the transient considered and used in the safety demonstration. This is known as the "single aggravating circumstance" concept, proposed by EDF and initially accepted by the safety authorities on an experimental basis, since it enhances consistency between the installations.

7.3.3. Earthquakes as initiating events

We noted in Chapter 4 that loads due to large primary or secondary system breaks were conventionally assumed to be compounded by loads resulting from a safe shutdown earthquake, postulating, in addition, loss of offsite power. Moreover, safety classified equipment used in the safety demonstration shall be designed to withstand a safe shutdown earthquake. The change in approach consists in considering that any design basis incident or accident can be initiated by this earthquake and establishing a relation between this earthquake and loss of offsite power. This relation is, in fact, technically logical since the lines connecting the power plant to the transmission networks are not designed to withstand a severe earthquake. On the basis of its estimated frequency, the safe shutdown earthquake is classified in the 4th category operating conditions. The corresponding studies highlight the underlying logic of the accident analyses and enable it to be checked that provision is made for emergency powering whenever it could be required.
7.3.4. Extension of safety classification

Since safety analysis involves examination in ever greater depth, two new categories of equipment have been defined concerning the P'4 type 1300 MWe plants, in an attempt to obtain closer compliance with detailed requirements. The LS category covers mechanical equipment not subjected to pressure. Introduction of the IPS-NC category (safety related, non-classified) is, on the other hand, associated with less stringent requirements, particularly concerned with operating conditions, periodic tests and maintenance for equipment already built. Such equipment is notably that required in the event of internal or external hazards (fire, flood, explosion, etc.), during unit outage. Also included are items of equipment which are useful but not indispensable for post-accident reactor control. The designation IPS-NC would appear to have come to stay, despite its obvious ambiguity. These developments continued throughout examination of the N4 series units, giving rise to the definition of two further categories. Category 2E concerns electrical systems required during the long term post-accident phase and enabling the reactor to be held in a safe configuration. Category SH concerns equipment used for a specific purpose under complementary operating conditions dealt with in Chapter 11. Items of equipment in the new categories LS and 2E are subjected to minimum requirements related to the following areas:
• compliance with a design and construction code defining notably design, procurement, construction and layout methods
• quality assurance procedures
• periodic in-service tests
• safe shutdown earthquake resistance
• qualification under normal and accident ambient conditions and earthquake conditions.

The SH category equipment must comply with the following minimum requirements:
• compliance with design, construction and qualification rules defined on a case by case basis
• quality assurance procedures
• periodic in-service tests.

The IPS-NC equipment is only subjected to the following minimum requirements:
• quality assurance procedures
• in-service periodic tests.
8
A particular barrier point: the steam generator tubes
It has already been shown in Chapter 3 that the succession of three independent barriers between radioactive products derived from fuel fissions and the environment included a highly significant special case: the steam generator tubes. These tubes are clearly part of the reactor coolant pressure boundary since the core cooling water circulates within them. The third barrier, separating the reactor coolant pressure boundary from the environment, is not in this case the containment. It can only consist of the enclosures protecting the secondary system, which is very large since it includes the steam header and even the turbogenerator turbines. We can however consider that, in the event of any difficulty, these circuits would be limited to the section between the steam generators and the main steam stop valves for each line. These pressurized enclosures are protected against possible overpressure by valves which vent to the outside atmosphere. The secondary lines also feature steam bypass systems venting to the atmosphere, equipped with control valves. This system is useful when the turbine or its condenser suddenly becomes unavailable, in which case both existing energy and afterpower can be removed by atmospheric steam release. Its control valves can also be useful at startup when the power produced is too low to start the turbine. However, in view of the volumes of steam discharged in these circumstances, the operator avoids resorting to this possibility in closed piping systems. The characteristics of 900 MWe unit secondary circuits are as follows: pressure of 70.3 bar at zero power and 56 bar at rated power. These circuits are protected against overpressure above 74 bar. For 1300 MWe units, these three figures are respectively 82.6, 71.5 and 86.5 bar. In both cases, the atmospheric steam dump valves open at a pressure one bar lower than the pressure safety relief valve opening threshold.
As we know, the primary system is at 155 bar under all normal operating conditions. It is therefore only necessary for a sufficiently large break to occur on one of the steam generator tubes for a water and pressure transfer to trip open the atmospheric steam dump and safety valves on the secondary loop concerned. There is, in this case, no barrier between the primary coolant and the environment (Fig. 8.1.). The steam generator tubes, with a considerable surface area (greater than 10,000 square meters per unit) and very thin walls (about 1 mm), therefore comprise simultaneously the second and third barriers, in accordance with the usual description of the barriers. In fact, there are only two barriers in this case.
Fig. 8.1. Steam line atmospheric steam dump and safety valves.
The risk of complete rupture of a steam generator tube has not escaped the notice of the designers of this type of reactor and the list of operating conditions taken into account at the design stage places this event in the fourth category, i.e. with an estimated frequency of occurrence below or equal to 10^-4 per reactor-year.
Unfortunately, worldwide experience shows that the probability of such an event occurring is considerably higher than this value. Table 8.1 shows the main steam generator tube ruptures or major leaks observed on PWRs of a similar type to the French reactors. At the time of the most recent incident reported, operating experience with this type of reactor was based on about 2 500 reactor operating years. The observed probability of a major leak is consequently about 4 × 10^-3 per unit per year. In probabilistic assessments, the value of 5 × 10^-3 per unit per year is used for this initiator.

Table 8.1. Main steam generator tube ruptures or major leaks

Country    Reactor          Power rating   Date
USA        Point Beach 1    500 MWe        26/2/75
USA        Surry 2          800 MWe        15/9/76
Belgium    Doel 2           400 MWe        25/7/79
USA        Prairie Island   500 MWe        2/10/79
USA        Ginna            500 MWe        25/1/82
USA        North Anna 1     940 MWe        15/7/87
USA        North Anna 1     940 MWe        25/2/89
USA        McGuire          1200 MWe       7/3/89
Japan      Mihama 2         470 MWe        9/2/91
USA        Palo Verde       1300 MWe       14/03/93

Maximum leak rate in m³/h, as listed in the source (one of the ten values is missing): 30, 75, 50, 90, 170, 135, 17, 120, 80.
Although a fast break of a steam generator tube has never been observed in French PWRs, the defects affecting these tubes and the impossibility of ruling out the risk of loose parts do not, a priori, support a more favorable diagnosis.
8.1. Steam generator tube rupture without human intervention

At this stage, it is worth briefly describing what happens during an accident involving complete rupture of a steam generator tube if the operators allow the installation to continue operating under automatic control. Once again, a pessimistic situation will be described, in this case for a 900 MWe unit, but the scenario would differ only slightly for a 1300 MWe unit. In view of the pressure differences between the primary and secondary systems, complete rupture of a steam generator tube causes the transfer of 45 kg per second of primary water into the secondary system. Pressure rises rapidly in the secondary system to about 72 bar, the minimum pressure for opening the atmospheric steam dump valves. In the primary system, the pressure falls and this trips firstly reactor scram and then startup of the safety injection system when it drops below 121 bar. The corresponding signals cause turbine trip and closure of the stop valves on the steam lines. As the pressure difference has reduced, the water transfer flowrate from primary to secondary system stabilizes at 25 kg per second, i.e. 90 m³/h. Steam escaping to the atmosphere contains more and more water from the primary system and is hence slightly contaminated. The steam generator and then the steam line fill with water. After less than 30 minutes, the valves release water and no longer steam. This damages the valves and increases the release rate. Primary water is then progressively released into the atmosphere, along with its initial contamination. The fuel elements are correctly cooled during this phase, so that there are no clad failures. However, if the situation is allowed to continue with no human intervention, we can imagine that all the tank water used by the safety injection system would be transferred to the primary system, then to the secondary system and then to the environment. Unlike a break occurring on the primary system, the lost water is not collected in the containment sumps and is therefore not recycled. Finally, after about twenty hours, the fuel elements would be uncovered, causing clad failure and direct transfer of volatile fission products to the environment, which would be a catastrophic, but fortunately highly unlikely, event. It must nevertheless be emphasized that such a situation does correspond to correct operation of all automatic control and engineered safeguard systems equipping the standardized plant units.
To avoid such a scenario, it would suffice that the operators intervene fairly quickly to reduce the pressure in the primary system and limit the safety injection flowrate. As soon as the pressure in the primary system is equal to or less than that corresponding to steam relief valve opening, these valves can close and there will be no further transfer of water nor release of radioactive products to the atmosphere. A detailed procedure has been drawn up and perfected. It is available in the control rooms and all operators have been specially trained in its use. Under these conditions, radioactive release should be extremely limited, which was in fact the case in the ten examples presented. This procedure restricts water transfer from the primary to the secondary system by controlling the safety injection flowrate and by reducing the primary pressure with sufficient speed. It also makes use of the steam generator blowdown system (APG) to limit the rising water level in the steam generator concerned. Its prime objective is to prevent the opening of devices venting directly to the environment. The failure-to-close rate for relief valves is by no means negligible, even when the equipment has been used normally. It becomes much higher when a valve designed for steam discharge is releasing water.
8.2. Complementary French studies

We have mentioned steam generator tube rupture world statistics without reference to the specific French situation. Although no major steam generator tube rupture has occurred in France on standardized nuclear units, many tubes have nevertheless revealed various faults which have sometimes required tube plugging. The different types of faults experienced in France are presented and analyzed in Chapter 25. Some of them could cause instantaneous, complete tube rupture, without warning leakage beforehand. The risk of one ruptured tube causing the rupture of one or several neighboring tubes, already in a weakened condition, is far from negligible. Parametric studies have been conducted to determine the behavior of an installation with regard to multiple ruptures in increasingly large numbers while taking into account various additional failures. It should be noted that beyond rupture of five to ten tubes, the overall kinetics only alter slightly as the rate of water transfer is limited by the relation between the safety injection flowrate and the discharge capacity of the secondary relief valves, which holds the system at a pressure of about 70 bar. Procedures have also been adapted to cover these cases. A main steam line break could also cause multiple ruptures of already weakened tubes. These scenarios have also been examined. They are equivalent for the containment to a steam line break occurring simultaneously with a small primary system break. The thermal hydraulic behavior of the reactor core and containment atmosphere will not induce conditions less favorable than the design basis conditions. It is easy to understand that to avoid this kind of accident, the periodic nondestructive test program for these tubes has a special importance, even if it is liable to slightly prolong unit outages and contribute to personnel radiation exposure.
Since the radioactive release observed in the event of steam transfer to the atmosphere is directly proportional to the radioactivity of the primary coolant, the authorized activity limits for this fluid have been lowered, especially in plant units particularly affected by problems of steam generator tube weakening. Operating staff receive special training, with frequent refresher sessions, in the management of this type of accident.
In order to reduce the risk of steam generator tube rupture (and also avoid excessive loss of efficiency due to the plugging of more than 15% of the tubes in a steam generator), it is possible to replace all the steam generators in a unit, although this is by no means a commonplace operation. In view of the significant degradation of the Dampierre unit-1 steam generators, but also to obtain first-hand experience of such an operation carried out without undue urgency, the three steam generators of this unit were replaced in 1990. This large-scale undertaking gave rise to extensive analysis of both safety aspects (quality of major repair work on already contaminated circuits) and radiation protection implications. This test case has enabled more efficient scheduling of the same operation in other units, such as Bugey-5 in 1993, Gravelines 1 in 1994 and Saint-Laurent B1 in 1995*.
8.3. Dealing with the problem for the N4 series

For the only PWR units where these modifications could be implemented at the design stage - the standardized N4 1400 MWe units, the design of which was not definitive at the time this classification error came to light - one steam generator tube rupture has been placed in the third category of operating conditions and rupture of two tubes in the fourth category. The approach adopted to control the consequences of this kind of situation is based on analysis of the different accident phases, on thorough acquaintance with the behavior of certain equipment, further substantiated by operating feedback, and on the specific characteristics of the steam generators chosen for the N4 standardized plant units, where the secondary water volume is reduced.

We have seen that the crucial element for the sequence of events considered and their consequences is the jamming of the secondary system pressure relief valves in the open position. The solution then consists in finding a means of discharging the radioactive release through the atmospheric steam dump valves, which can be isolated, instead of through the pressure safety relief valves, which by definition cannot. This implies that the steam dump valves must be sufficiently reliable and their operation guaranteed from the safety standpoint. So these devices must be safety classified, which is not the case in the previous standardized plants. This is not simply a formal arrangement, but the initiation of a whole process of design, sizing, procurement, manufacture, control, qualification,

* Cf. Section 25.3.5.
8 - A particular barrier point: the steam generator tubes
119
assembly, periodic tests, including observance of the single failure criterion, emergency power supply, etc., more strictly organized and in general more stringent than for other equipment. This classification is essential if we are to take a system, its characteristics and its operation into account in a deterministic context, with a view to limiting the consequences of an incident or accident. On the other hand, such systems must be systematically taken into consideration if their influence can be negative. The turbine bypass system to the atmosphere (GCT-A) in the N4 reactors consequently constitutes an additional engineered safeguard system.

It is also important that all atmospheric discharge resulting from water transfer from the primary to the secondary system take place via the atmospheric steam dump valves and not the pressure relief valves. This is ensured by clearly differentiating the steam dump valve opening pressure (83 and 84 bar abs.) from that of the pressure relief valves (greater than or equal to 91 bar abs.), i.e. a minimum difference of 7 bar, whereas it was initially only 1 bar for the previous series of plants. The probability of a secondary system leak which cannot be isolated, following single or multiple steam generator tube rupture, is thereby significantly reduced.

In addition, systems for the detection of even slight leaks have been optimized to enable fast diagnosis on the part of the operators, thereby limiting possible consequences. One such system notably employs the detection of nitrogen 16. This is a substance with a very short half-life (7.8 seconds) and very high disintegration energy (6.5 MeV), produced in the primary water as it circulates through the reactor core by neutron capture by oxygen 18. Its detection in secondary system water therefore signifies primary to secondary leakage. The high gamma radiation energy characterizing this disintegration enables continuous detection to be carried out through the secondary system piping walls.

Some of these provisions, such as adopting different opening pressures for steam dump valves and pressure relief valves, optimization of the steam dump valves and more stringent periodic test programs, including nitrogen 16 measurement for instance, are progressively being introduced at the 900 and 1300 MWe plant units, in order to make it easier to bring such accidents under control and limit risks of significant release to the environment. However, these provisions in no way modify the safety demonstration requirements for these units.
9
Internal hazards
Under the American license, which is the basis for the 900 MWe standardized nuclear power plants, provision was made to protect installations against certain types of internal missiles (valve stems, sensor thimbles, Control Rod Drive Mechanism drive shafts) and for taking site-specific earthquakes into account in plant design. Continued analysis, both in the United States and in France, of potential hazards and faults led to progressively extending the scope of protective measures to the field of internal and external hazards, which had hitherto not been explored in depth. Reflection and study at the outset had been mainly concentrated on the reactor core in operation.

This chapter deals with hazards generated by the installation itself, and the next with external hazards. So the subject here is the protection of safety-related systems and systems important for radioactivity containment against hazards originating in circuits or systems of the unit considered or of other units on the site. The purpose of this protection in the case of light water reactors is to maintain the three safety functions:
• effecting and maintaining safe shutdown
• residual power removal
• radioactive product containment.

Study of these phenomena has been carried out gradually, and has at times been linked to observed accidents or incidents. It never followed the sequences adopted for design basis accidents, with the corresponding division into categories of increasing seriousness. The possible consequences of an identified hazard always had to be limited enough to be considered acceptable. The hazards considered may be mechanical, involving missile ejection, or due to fire or flood within the installation.

The basic idea is to use appropriate design to prevent the creation or development of hazards, rather than letting hazardous situations occur and then limiting any resulting damage. However, application of the concept of defense in depth requires each aspect to be studied in turn. Furthermore, when it proves impossible to study the consequences of a hazard on one part of the target, prudence dictates that the entire building housing it be considered. The analysis, of course, takes into account redundancies and geographical distances between equipment and systems.
9.1. Missiles from inside the containment

The analysis of hazards from missiles which are liable to be released within the reactor building is essentially deterministic in nature. All items or parts of items of equipment which may be thrown or flung through space following a fault, for example under the effect of liquid pressure within them, or by the transformation of their elastic energy to kinetic energy, are considered potential missiles. Heavy items which may fall during handling are also considered. Piping elements are not considered potential missiles; conditions and consequences of piping breaks are subject to a special analysis. An anti-missile barrier placed above the vessel head protects the control rod drive mechanisms and stops most of the missiles they may release.

The following parts within the containment are considered to be potential missiles:
• the air bleed plugs located at the top of the control rod drive mechanisms
• the control rods and associated drive mechanisms
• the mechanisms of certain valves
• temperature probes
• pressurizer heaters.

Missile trajectory is studied and verification made that an appropriate barrier could interrupt it before any sensitive equipment was hit. Ejection of the air bleed plug of a control rod drive mechanism is studied in the same way; however, this also causes a reactivity accident which is studied under category 4 as regards its consequences on the core and the primary system.

Reactor coolant pump flywheels are not considered by Electricite de France to be potential missiles, because the following precautions are taken:
• flywheel design and materials make the risk of a fast break during normal operation extremely low
• the speed which would cause ductile failure of the flywheel under increased stress is greater than the maximum speed reached during accidents.
9 - Internal hazards
123
However, at the request of safety organizations, periodic in-service inspection has been established to spot any incipient cracking in zones of irregular shapes, such as inside key slots, for example.
9.2. The results of piping breaks

System general installation is designed to prevent a random incident or event from spreading or leading to an accident whose consequences could be greater than those due to the initial incident. Piping breaks or cracks are studied in order to determine what steps must be taken in construction to limit consequences, with two aims:
• protecting the equipment of systems needed to bring the reactor to a safe state and limit the radiological consequences of an event
• confining the scope of the initial accident, that is, preventing it from spreading from one leg to another, for example, or from one system to another safety-related system.

Apart from the loss of the function of the system in question, which is considered in system design studies, the following results of a break or crack are taken into account:
• the effect of possibly radioactive fluid flow: jet, flood, exposure and contamination
• modification of local atmospheric conditions: pressure, temperature, humidity
• dynamic effects of the broken pipe: whip (forming of a plastic hinge at the first obstacle encountered by the pipe) and effects on operability of the active elements supported by the pipe.

The following measures are taken when installing systems in order to limit the results of a break on neighboring components:
• geographical separation (distance)
• or physical separation (concrete shells or walls)
• or installation of antiwhip devices (frames, stops, fixed points, etc.).

It is generally assumed in studies that:
• piping containing or carrying high-energy fluid, i.e. at an operating pressure greater than 20 bar relative, or at an operating temperature greater than 100 °C, may break and whip
• piping containing or carrying low or medium-energy fluid, i.e. at an operating pressure less than 20 bar relative, and at a temperature less than 100 °C, may crack, with no whip possible
• pipe whip of a pipe containing or carrying high-energy fluid can break a pipe of the same type of lesser nominal diameter or crack a thinner pipe of equal or greater nominal diameter.
These principles were used in the drawing stage of equipment design and installation. But in-depth in situ verifications have been carried out on a 900 MWe unit and a 1300 MWe unit after construction. The few remaining problems identified by these inspections were of course corrected on all units.
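The energy classification and whip rules of this section, applied as a pairwise screening of the pipes in one room with the installed protections credited, as an added example written for this edition and not taken from the book; the pipe tags and dimensions are constructed, and the treatment of values lying exactly on the 20 bar / 100 °C thresholds is an assumption, since the text only states the strict inequalities.

```python
# Added example, not from the book: encodes the Section 9.2 installation rules
# for high-energy versus low/medium-energy piping and the effect of a whipping
# pipe on a neighbour. Pipe tags, dimensions and the treatment of values exactly
# at a threshold are assumptions made for the illustration.
from dataclasses import dataclass
from enum import Enum

# Section 9.2 thresholds: above 20 bar relative OR above 100 degC is high energy.
HIGH_ENERGY_PRESSURE_BAR_REL = 20.0
HIGH_ENERGY_TEMPERATURE_C = 100.0


class EnergyClass(Enum):
    HIGH = "high-energy"
    LOW_MEDIUM = "low/medium-energy"


@dataclass(frozen=True)
class Pipe:
    tag: str                    # constructed identifier for the example
    pressure_bar_rel: float     # operating pressure, bar relative
    temperature_c: float        # operating temperature, degC
    nominal_diameter_mm: float  # nominal diameter
    wall_thickness_mm: float    # wall thickness, used for "thinner pipe"


def energy_class(pipe):
    """High energy if EITHER threshold is exceeded (the book's 'or').
    Assumption: a value exactly at a threshold counts as high energy (the
    conservative choice); the book does not state the boundary case."""
    if (pipe.pressure_bar_rel >= HIGH_ENERGY_PRESSURE_BAR_REL
            or pipe.temperature_c >= HIGH_ENERGY_TEMPERATURE_C):
        return EnergyClass.HIGH
    return EnergyClass.LOW_MEDIUM


def postulated_failure(pipe):
    """Failure mode the studies assume for this class of pipe."""
    if energy_class(pipe) is EnergyClass.HIGH:
        return "break and whip"
    return "crack, no whip"


def whip_effect_on(source, target, *, separated=False, restrained=False):
    """Effect of `source` whipping on a neighbouring `target`: "break",
    "crack" or "none".  separated = distance or concrete wall between the
    pipes; restrained = antiwhip device (frame, stop, fixed point) on source."""
    if energy_class(source) is not EnergyClass.HIGH:
        return "none"   # low/medium-energy piping is assumed not to whip
    if separated or restrained:
        return "none"   # the installation measure removes the interaction
    # Same type (high energy) and lesser nominal diameter: may be broken.
    if (energy_class(target) is EnergyClass.HIGH
            and target.nominal_diameter_mm < source.nominal_diameter_mm):
        return "break"
    # Equal or greater nominal diameter but thinner wall: may be cracked.
    if (target.nominal_diameter_mm >= source.nominal_diameter_mm
            and target.wall_thickness_mm < source.wall_thickness_mm):
        return "crack"
    return "none"   # combination not covered by the stated rules


def screen_room(pipes, separated_pairs=(), restrained=()):
    """Sorted list of (source, target, effect) for every ordered pair in a
    room whose interaction survives the installed protections."""
    sep = {frozenset(p) for p in separated_pairs}
    held = set(restrained)
    findings = []
    for src in pipes:
        for tgt in pipes:
            if src is tgt:
                continue
            effect = whip_effect_on(
                src, tgt,
                separated=frozenset((src.tag, tgt.tag)) in sep,
                restrained=src.tag in held)
            if effect != "none":
                findings.append((src.tag, tgt.tag, effect))
    return sorted(findings)


# Constructed sample room; values are illustrative, not plant data.
MAIN_STEAM = Pipe("main-steam", 70.0, 285.0, 700.0, 25.0)
FEEDWATER = Pipe("feedwater", 80.0, 230.0, 400.0, 20.0)
STEAM_DRAIN = Pipe("steam-drain", 2.0, 120.0, 50.0, 4.0)   # hot, low pressure
COOLING = Pipe("component-cooling", 8.0, 45.0, 800.0, 8.0)
INSTRUMENT = Pipe("instrument-line", 3.0, 30.0, 25.0, 3.0)
ROOM = [MAIN_STEAM, FEEDWATER, STEAM_DRAIN, COOLING, INSTRUMENT]

if __name__ == "__main__":
    for p in ROOM:
        print(f"{p.tag:18s} {energy_class(p).value:18s} {postulated_failure(p)}")
    print("unprotected:", screen_room(ROOM))
    print("antiwhip on main steam:", screen_room(ROOM, restrained=["main-steam"]))
```

The low-pressure but hot steam drain shows the "or" in the high-energy definition: it whips like the main steam line, while the cold component cooling pipe of larger diameter can only be cracked by it.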
9.3. Turbogenerator bursting

In the Fessenheim and Bugey plants and the sites of the first standardized series, Tricastin, Gravelines, Dampierre and Le Blayais, the turbogenerator set is tangential to the nuclear island. The hazard presented to the reactor building, or other buildings containing safety-related equipment, by missiles from the bursting of the largest wheels of the turbine LP cylinder was identified at the beginning of construction of the two Fessenheim units. This hazard, not to be confused with that of a few turbine blades breaking, which is much more frequent but only affects the casing of the turbogenerator itself, was determined, on the basis of American studies of plants throughout the world, to be 10^-4 per year per turbine.

An accident of this type can produce missiles of varying size. For 900 MWe turbogenerators, the most forceful and hence the most dangerous such missile has been estimated to have a weight of 3.6 metric tons, beginning its trajectory at a speed of 92 m/s, giving it an energy of around 27.5 megajoules. This sort of missile would obviously be released perpendicularly, or almost perpendicularly, to the rotation axis and therefore could conceivably hit sensitive parts of the installation. This was in fact what happened following two turbogenerator bursting accidents in the French conventional thermal plants of Porcheville and Gennevilliers.

At the Fessenheim units, walls capable of absorbing this energy were installed between the turbine hall and the rooms to be protected. These walls were then directly integrated in the design of other installations with tangential turbogenerators. Taking advantage of other modifications of the turbine hall, Electricite de France adopted radial positioning of the turbine halls for the second standardized series contract of 900 MWe plants (Cruas, Saint Laurent des Eaux, Chinon). This arrangement eliminates the hazard of the nuclear island being hit by a missile from the turbine of the same unit or its twin.
Assessment of the 1300 MWe units of the Paluel plant - four independent units with radial turbogenerators - raised the problem of vulnerability of site units 3 and 4 to potential missiles from the turbogenerator sets of units 1 and 2, and vice-versa.
The safety organizations have examined the precautions taken by the operators to minimize risks of turbogenerator bursting by destructive overspeed failure, ductile break or brittle fracture. These precautions involve prevention of overspeed through the use of appropriate devices, and manufacture and in-service inspection methods making it possible to identify and monitor the progress of faults before they become critical. These preventive measures, while recognized to be useful, were not considered sufficient to obviate the need for application of real ejection statistics to this equipment; these statistics were gathered from 70 000 turbine-years throughout the world and confirm a burst probability of 10^-4 per year per turbine. According to these statistics, 70% of breaks occur at nominal speed and 30% at overspeed.

Given the plant layout considered, these figures lead to a probability of 4.5 × 10^-6 per unit per year of unacceptable radioactivity release due to one of the four turbogenerator sets bursting. This is significantly higher than the upper limit of 10^-7 proposed by the Americans for this type of hazard and already used in France at the time (1977) for certain external hazards. The safety organizations investigated the level of pessimism of this evaluation. The following points were noted, without any quantification being possible:
• the statistics take all kinds of break into account, regardless of missile size and energy
• missiles whose energy is less than or equal to that of one quarter-turbine released at nominal speed will be stopped by the walls of the building with no special protection being used
• the most probable trajectory of the most energetic missiles is practically perpendicular to the rotation axis and therefore should not threaten safety-related buildings.

These elements led to the following conclusions:
• that it is possible to install four 1300 MWe units close together and parallel with no need for additional protection
• that different plot plans are preferable whenever site characteristics permit.

The first solution is used for cliff sites such as Paluel, Flamanville and Penly. Two other types of layout are used for flat sites: "fan" configuration for Cattenom and Golfech, and "head to head" configuration for Belleville and Chooz (Fig. 9.1.). These solutions are both satisfactory. Among the sites mentioned, only Paluel and Cattenom comprise four units. These principles were subsequently codified in a basic safety rule (RFS I.2.b).
Fig. 9.1. Layout of turbogenerator sets.
9.4. Protection against load dropping

Mention is made in Chapter 4 of the inclusion in design basis operating conditions of the rupture of a fuel element dropped during handling. Handling incidents can also give rise to other hazards related to the consequences of loads being dropped on other equipment or structures. The main risk is connected with removal from the site of spent fuel, since this involves the use of extremely heavy shipping casks (1100 kN). However, there are many other sources of such risks, notably inside the reactor buildings.

In most industrial installations, provisions are made to protect staff and equipment against falling loads. In a nuclear power plant, this aspect has also to be dealt with, but it is not the subject of our present discussion. We have rather to consider the risks of dispersal of radioactive products or of severe exposure which could result from handling incidents or accidents. If requirements in this respect are to be consistent with those imposed for other sources of radioactivity dispersal, the specified reliability levels for hoisting equipment and the complementary design precautions have to be far more stringent than those called for in a "conventional" industrial safety context.
9.4.1. Hazards related to spent fuel shipping casks

Spent fuel transport containers themselves are required to comply with international regulations specifying that they must withstand particularly severe conditions without loss of integrity:
• dropping from a height of 9 m onto a rigid structure
• perforation test: dropping from a height of 1 m onto a standard punch
• totally enclosing 30 minute fire test (flame temperature: 800 °C)
• water immersion test: depth of 15 m for 8 hours.
Fig. 9.2. Shipping cask handling in a 900 MWe unit.
The risk of leakage of the contents of the container is consequently not a safety issue for the installation. Moreover, French power plant design restricts the areas where such handling operations may take place. These containers do not enter the reactor building. They are routed by mechanical devices and automatic control systems through the fuel building, where the spent fuel storage zone is a prohibited overhead handling area (Fig. 9.2.). The crane used must be designed to withstand a safe shutdown earthquake and satisfy high reliability standards. In compliance with defense in depth requirements, its collapse must nevertheless be postulated and the parts of the installation concerned must be so designed that plant safety would be unaffected by this incident. The identified risk is loss of spent fuel pool integrity, entailing loss of the water it contains and hence dewatering of the fuel, its overheating and the possible release of radioactive products in the fuel building. Direct exposure would then certainly produce a high radiation level both in the building and on and around the site.
Fig. 9.3. P4 and N4 unit cask loading system.
The container is assumed to be dropped in the loading pit, vertically and slant-wise, and structural provisions are made to prevent the impact on the pit from affecting the spent fuel pool. For Fessenheim, which is the oldest plant, initial design provisions were inadequate and the loading pit had to be fitted with snubbers. For the most recent plants, P'4 and N4, this risk is eliminated by the loading arrangements in the pit, where the transport container stays at ground level (Fig. 9.3.). This solution involves, on the other hand, a water outlet at the bottom of the loading pit, the safety of which had to be examined accordingly.
9.4.2. Other handling risks

We should like to underline once more the specific risks associated with the handling of filters and resins and those which could be incurred by routine handling operations routed over safety-related piping or equipment. It is by careful attention to these aspects of safety that risks can be identified and satisfactorily dealt with.
9.5. Fire protection

In this field too, traditional industrial fire protection methods were used in nuclear power plants for a long time. The potential safety problems of fire in nuclear plants and the need for a specific approach were made clear in 1975 with the very serious incident at the Browns-Ferry plant in the United States. A description of this incident is called for. The fire which broke out at the Spanish plant of Vandellos in December 1989 is discussed further on, since it gave rise to extensive internal flooding.

At the Browns-Ferry (Alabama) site at the time of the accident, there were two 1100 MWe boiling water reactors (BWR) in service and a third under construction. A common control room served the two operating reactors. The fire broke out in the cable spreading room, located beneath the control room, at the point where cables passed through a wall to enter the reactor building of unit 1, which was kept at a slight negative pressure. The original plug of the cable penetration had been removed to install additional connections. The work had been finished and the personnel were plugging the hole, through which 10 grouped cable runs passed together, using a candle flame to locate leaks in the provisional plug. The highly flammable material caught fire, and the fire spread to the reactor building unbeknown to the personnel. The situation was only discovered when control and instrumentation cables of both units had been seriously damaged, causing them to short-circuit. Several systems in unit 1 were inoperable. The operating personnel were nevertheless able to stop the reactor, placing and keeping it in safe shutdown. There was no release, nor was release ever possible.

This incident naturally led to a rapid examination of French plants, general reflection and the gradual establishment of quasi-regulatory specifications on this subject.
Current methods and principles, which cannot be considered definitive, demonstrate the need for interface between specialists in several techniques: fire protection, of course, safety analysis and radiation protection. The "Design and Construction Rules for PWR Nuclear Power Plants - Fire Protection Rules", RCC.I, defines fire protection as all measures taken to prevent the risk and limit the consequences of fire. These measures have three goals:
• to ensure the protection of people
• to limit damage to equipment which could cause long-term unavailability
• to maintain all nuclear safety functions.

The first two goals are traditional fire protection goals for any installation. The methods used to reach these goals are based on the traditional approach in three fields: prevention, detection and fire-fighting. Solutions are based on careful consideration of what is known as the "fire triangle" (Fig. 9.4.), all three sides of which are necessary for a fire to occur:
Fig. 9.4. The fire triangle.
The best solution is to suppress at least one side of the triangle, thereby ensuring that a fire cannot occur. This entails:
• reducing the quantities of combustible materials
• eliminating or reducing hydrogen
• limiting hot spots and energy sources such as electric sparks, welding and various heating operations.

The third goal, "to maintain all nuclear safety functions", is specific to nuclear power plants. It requires the protection of all equipment whose failure could endanger the three basic safety functions. The "nuclear safety" aspect of fire protection is handled in France in the same way as all common mode hazards, based on the three following principles:
• redundancy
• independence
• qualification.
The redundancy and independence of safety-related equipment trains result from the application of the single failure criterion. These principles are therefore already taken into account in installation design. Fire resistance qualification of specific protections such as partitions, doors, ventilation and smoke removal ducts, as well as any other fire protection facilities, remains to be considered.

The three basic safety functions are taken into account by a safety analysis which considers all traditional fire protection parameters (heat load, characteristics of combustible material, potential causal conditions, etc.) as well as "nuclear safety" parameters (separation of redundant equipment trains, limitation of contamination, accessibility, etc.). This analysis is generally called a "vulnerability study". The vulnerability study defines "fire safety areas" which are used to confine fires to very specific limits.
Remark on the division into fire areas

Strictly speaking, from a safety point of view, two fire areas are sufficient for an entire installation, if the installation is well designed and installed. However, this would hinder fire-fighting, the difficulty of which would increase with the size of the area, not to mention the losses in equipment this could entail. To ensure a rational relationship between fire-fighting means and fire area size, the latter are defined with available fire-fighting systems in mind.
Convergence points and fire common modes

Regardless of all the care that goes into the separation of redundant equipment trains and into the vulnerability study and the resulting definition of fire areas, there are inevitably certain convergence points, such as the control room, or piping sections with several different sensors, etc. These are called fire common modes. Fire common modes must be identified and subjected to a functional analysis to determine which are safety-related; the safety function of these modes must then be protected against fire. Easier said than done.

First of all, operating conditions during which fire protection must be ensured have to be defined. Required safety systems must then be defined for each of these operating conditions. They are not necessarily the same for normal operation, shutdown, or long-term postaccident conditions. Then it will be decided which redundant equipment must be taken into account, including the support systems they require (compressed air or nitrogen, for example).
Once this equipment is determined, fire common modes will be identified, including those involving cableways, as equipment may fail due to a fault in electrical supply or control and instrumentation signals. A series of fire common mode sheets is then created, listing the additional fire protection methods which have been adopted.

In addition, the fire-fighting means selected must not themselves create other hazards, such as:
• internal flooding
• electrocution, short-circuit
• asphyxiation, either in normal use or in inadvertent operation.

Radiological characteristics of the installation must be considered when defining fire-fighting means and defining access points. In areas in the power plant where a fire outbreak seems unlikely but where its consequences would be severe, safety priority may warrant special precautions as to detection and intervention arrangements. This may of course upset established practice in this matter. Other aspects of fire protection in nuclear installations are dealt with in Chapter 30.
9.6. Internal flooding

Nuclear safety hazards due to significant flooding, like those due to fire, were not foreseen at first. Traditional methods were used to protect against floods, with electrical cabinets, pumps and equipment often installed raised on small base slabs. Rooms with fluid pipes may have been fitted with drains, sumps and sump pumps, and certain floor openings surrounded by low walls and blanked with plaster.

A spectacular incident in October 1980 involving unit 2 of the Indian Point, New York, power plant, a Westinghouse 875 MWe pressurized water reactor, attracted attention to the problem of flooding. A once-through cooling water circuit from the nearby Hudson River leaked large quantities of raw water within the containment. The reactor pit in this plant is, by far, the lowest point in the containment, and the reactor vessel bottom head is itself lower than the lowest level of the rest of the installation (Fig. 9.5.). Several faults in the containment and reactor pit sump exhaust pumps, and the inattention and skepticism of operators as to sump level indicators, let the leak go on and the water level rise. Four hundred cubic meters of water were allowed to accumulate.
The operators didn't react until one of the neutron flux measurement chambers gave an obviously abnormal signal, as part of the equipment was submerged. The plant unit was in power operation while the heat-insulated reactor vessel bottom head was submerged in water! This is obviously not a normal situation.
Fig. 9.5. Cross-sectional view of the Indian Point unit.
French plants are designed and organized very differently from the Indian Point plant. An identical accident is therefore not possible - which does not mean that flood hazards should not be evaluated.
Of course, separation of redundant equipment trains, if the equipment is in geographically separate rooms, considerably diminishes flood hazards. On the other hand, if separation is only designed to protect against missiles, pipe whip and fire, a water leak in these rooms greater than the discharge capacity of the sump pumps may cause flooding which will reach equipment of both trains. Several such incidents have occurred in French plants, causing only equipment inoperability. An example is given in Section 26.1.2. After each incident, corrective measures based on the incident were applied to all plants of the same series.

It has also been observed that water from large leaks in non-safety-related rooms can reach safety-related equipment by unexpected paths, such as the ventilation ducts located at lower floors. Appropriate corrective measures have been taken. However, an exhaustive study remains to be made. It should cover these two aspects: leaks in rooms with equipment to be protected, and all possible routes which water may take, including ventilation ducts and cableways.

The fire which broke out at the Vandellos power plant in Spain in December 1989 is a good illustration of the possible consequences of a fire and its association with internal flooding problems. The fire was started by a turbogenerator set, hence in the non-nuclear part of the installation. It spread towards the instrumentation and control cables of the residual heat removal pumps. As the plant design was far from recent and no safety reassessment had been performed, cables assigned to normally redundant functions were routed side by side, with no separation. Both trains were consequently destroyed, leaving manual control as the only possibility. Apart from the water input from the fire-fighters, the fire itself had damaged a flexible coupling on the condenser cooling water piping.
A very large quantity of water poured through the plant, partially submerging the residual heat removal pumps, which were also inefficiently separated. Owing to the good response of the operator, fuel degradation was prevented and thereby any radioactive release. However, in view of the extent of the damage and the vast refurbishing program which would have been necessary to guarantee a satisfactory safety level, it was decided to decommission the unit.
10
External hazards
We saw that earthquake hazards were taken into account from the beginning of large scale nuclear power plant design and that they often affected the design of safety-related equipment. However, the environment presents other hazards than earthquakes. Hazards may be of natural origin, such as earthquakes, but also wind, storms, floods, volcanic activity, meteorites, etc., or of human origin, such as aircraft crashes, explosions, fire outside the installation or the spreading of toxic gases. These hazards have varying degrees of seriousness.

A complete study of the interaction of site and plant should enable determination and evaluation of the hazards the plant presents to its environment. This implies studying local meteorology including wind speed and direction, water tables and hydrogeology in general, and population distribution. These aspects will not be examined in detail here*.

As for protection against internal hazards, the purpose of protection of plants against external hazards is to maintain the safety functions:
• effecting and maintaining safe shutdown
• residual power removal
• radioactive product containment.

Whenever possible, these hazards are considered probabilistically, for example, aircraft crashes, explosions and, to a degree, floods. Otherwise, deterministic criteria are used. In this chapter, we shall now look in detail at how design basis earthquake characteristics are selected. We shall then consider how to evaluate and take into account the risk of aircraft crashes, external explosions and flood. Other hazards will be mentioned briefly.
* These aspects are analyzed in detail in the IPSN publication "Approche de la sûreté des sites nucléaires" by Jean Faure.
Elements of nuclear safety
10.1. Determination of earthquake hazards
The basic process, deterministic in character, consists in assuming that earthquakes analogous to known historical earthquakes are liable to occur again in the future with the most penalizing epicenter position postulated with regard to site consequences (in terms of MSK intensity), while remaining in line with geological and seismic data. For this purpose, capable faults and tectonic data around the site are examined, together with the relevant historical seismic data (Fig. 10.1.). The investigation, first focused on the site, must be extended geographically as far as needed, and obviously beyond national frontiers where required.
Fig. 10.1. Geographical and seismic data.
This process enables one or several Maximum Historically Probable Earthquakes (MHPE) to be determined, which are the earthquake(s) considered, on the basis of the previous analysis, liable to produce significant onsite consequences. The national land mass was thoroughly analyzed at the beginning of the eighties for the purpose of drawing up a seismic map of metropolitan France, undertaken jointly by the BRGM (Bureau of Geological and Mining Research), EDF and the CEA. The capable faults and tectonic regions could thus be determined in a systematic manner for the entire country. A compilation of historical earthquake data has been drawn up and is supplemented by the monitoring and compilation of current instrumental earthquake data (Fig. 10.2.). However, these are general data, which have to be completed and further investigated when it is decided to construct a nuclear power plant on a given site. Certain surface earth tremors which have only affected a limited area could have been overlooked in the general survey and the effects of more severe earthquakes may vary significantly from one affected location to another.
Fig. 10.2. Historical and instrumental seismic data.
The MHPE is determined as follows:
• historical earthquakes in the tectonic region which includes the site area, with the exception of those which can definitely be linked to a specified capable fault, are considered liable to occur beneath the site
• historical earthquakes belonging to a neighboring tectonic region and not directly linked to a specified capable fault are considered liable to occur at the point within that region closest to the site
• in both cases, historical earthquakes caused by a specific capable fault are considered liable to occur at the point on this fault which is nearest to the site (Fig. 10.3.).
For each of these MHPE's, a Safe Shutdown Earthquake (SSE) is specified, which is derived from the MHPE by a simple equation in terms of MSK intensity on the site. Earthquake intensity characterizes the effects of the earthquake at a given point on the ground surface. For this purpose, the Medvedev-Sponheuer-Karnik (MSK) 1964 version of the 12-degree scale derived from the Mercalli scale is used. Intensities are expressed in Roman numerals with no provision for decimals.
Fig. 10.3. Determination of MHPE's.
The MSK scale was designed so that a one-degree increase would correspond to a doubling of the ground motion parameters (Table 10.1.). The MSK scale, estimating surface effects, must not be confused with the RICHTER scale, measuring magnitude; the magnitude provides an estimation of the amount of energy released from the focus. The magnitude of an earthquake is derived from seismograph recordings by a logarithmic relationship.*
* For the 1935 California earthquakes, magnitude was defined as the log of the maximum wave amplitude measured in microns on the given bearings, 100 kilometers from the epicenter, by a standard seismograph (period: 0.8 second, amplification: 2 800). A magnitude of 0 corresponds to a measured amplitude of 1 micrometer.
In practice, the magnitudes observed since installation of the seismographs at the beginning of the century range from -1, for slight tremors recorded by highly sensitive seismographs in the vicinity of an epicenter, to around 9, which is the estimated magnitude of the major earthquake which occurred in Lisbon in 1755. However, this figure is not an upper limit and, since earthquake magnitude is derived from instrument recordings by calculation, there is nothing to prevent decimals from being used. There is no direct correspondence between the MSK scale and the RICHTER scale since, for the same focus magnitude, surface effects, i.e. intensity, depend notably on the focus depth, on the focal distance and on the nature of the ground considered.

Table 10.1. The MSK Scale.
Degrees of the MSK macroseismic intensity scale
I      Not noticeable
II     Scarcely noticeable
III    Slight, only partially observed
IV     Widely observed
V      Awakening
VI     Frightening
VII    Damage to buildings
VIII   Destruction of buildings
IX     General damage to buildings
X      General destruction of buildings
XI     Catastrophe
XII    Landscape changes
The use of SSE's and not MHPE's for the design of nuclear power plants enables a certain safety margin to be established. It has in fact been observed that, in certain areas, recent earthquakes were of an intensity greater than that of the SSE indicated by a survey carried out beforehand. Movement of epicenters under or closer to planned plant sites also tends to improve the bounding case characteristics of seismic activity taken into account. Under these conditions, the probability of an SSE occurring on a given site is of the order of magnitude of 10^-4 to 10^-5 per year. It would be even more difficult to establish a probability of occurrence value for a more severe earthquake, given our current limited knowledge in this respect.
An earthquake intensity does not constitute data which is directly usable for plant design purposes. A frequency spectrum of accelerations, speeds and horizontal and vertical ground movements is made to correspond to each intensity level for the site considered, notably taking into account the depth of the epicenter and equations of state derived from real recorded spectra compilations. As these spectra are extremely complex, it has been decided to use standard spectra derived from Regulatory Guide 1.60 and bounding the characteristic SSE spectra for the site. In the context of the standardization policy adopted for French nuclear units, the spectra used for design are standard and the level is checked to ensure that it adequately bounds the actual SSE spectra for the site considered. For some nuclear units located in the Paris basin, an area of particularly low seismic activity, a lower standard level has been used. Finally, conversely to the previous case, special arrangements have been made for sites with earthquake characteristics in excess of standard conditions. This might involve particularly rigid rocky soils, risk of surface waves inducing acceleration, speed and motion spectra with a particularly large number of high frequencies in excess of the standard spectra, or Safe Shutdown Earthquakes higher than degree VIII on the MSK scale. The dynamic behavior of structures can be modified by placing special aseismic bearing pads between the structure and the earth. These are reinforced concrete pads underneath elastomer support pads with a high degree of horizontal flexibility and vertical stiffness. These pads can be of two types:
• completely elastic pads such as those that were felt to be sufficient for the Cruas power plant for example
• elastic pads equipped with slipping plates which enable more extensive movement to be neutralized and which were used for sites abroad with more demanding seismic characteristics.
In both cases, the entire nuclear island must be built on a single raft to avoid the problems raised by linking several independent buildings. We shall see in Chapter 15 that this type of device has some drawbacks in the event of a very severe but highly improbable accident. Three basic safety rules deal with seismic hazards:
• RFS I.2.c: Calculation of seismic motions to be considered in safety analysis.
• RFS I.3.b: Seismic instrumentation.
• RFS V.2.g: Seismic design for civil works.
Fig. 10.4. Response spectrum (5% damped) (Golfech); vertical axis: pseudo-acceleration (g).
10.2. Protection against aircraft crashes
There is a great deal of difference between a flying club aircraft and a Boeing 747. In addition, there is more air traffic over some parts of the countries than over others and the most dangerous moments in flight are take-off and landing. The problem therefore cannot be handled too generally. On the other hand, aviation is highly regulated, and a very large amount of statistical information is available. We were therefore immediately tempted by an approach involving statistical evaluation of hazards, which we shall sum up here in simplified form.
10.2.1. Probability of aircraft crashes
Three types of aircraft are considered (Table 10.2.). The first category is commercial aviation, with passenger, freight and postal transport planes. This category includes all aircraft weighing over 5.7 metric tons and accounts for 500 000 flights/year for metropolitan France (a flight is defined as a take-off and landing). The same number of flights cross national airspace without landing in France. The accident-per-flight frequency is about 2 × 10^-6.
For military aviation, there are around 600 000 flights per year and the probability of a crash is a little over 10^-5 per flight. For general aviation (aircraft weighing less than 5.7 metric tons), there are approximately 3 500 000 flights per year and a crash probability in the vicinity of 10^-4 per flight, but a crash in this context is taken in a wider sense to include the relatively limited damage resulting from landing mishaps.

Table 10.2. Characteristics of different categories of aviation.
Category              Flights / year   Crash / flight   Aerodromes
Commercial aviation   1 000 000        10^-6            80
General aviation      3 500 000        ≈ 10^-4          400
Military aviation     600 000          10^-5            40
These values provide a basis for estimation of the mean annual probability of an aircraft crash occurring in France for an airliner, several military aircraft and several hundred light aircraft. In all three cases, crash probability may be divided into three parts: high at landing, medium during flight, small at take-off. By building plants away from approach and take-off zones, the probability is thus reduced by a factor of three. The average hazard over metropolitan France (about 500 000 km2) can therefore be expressed as a crash probability per square meter per year of:
• several 10^-12 per m2 per year for commercial aviation
• around 10^-11 per m2 for military aviation
• several 10^-10 per m2 for general aviation.
Given that the sensitive parts of a nuclear power plant, those containing equipment needed to ensure safety functions, have a surface area of less than 20 000 m2 per unit, the annual probability of a crash on these parts is a little over 10^-8 for commercial aviation, around 10^-7 for military aviation and several 10^-6 for general aviation. These are, in general, rather pessimistic evaluations. They take into account neither the fact that flight over plants can be legally forbidden, nor the possibility to avoid certain impact points in many accident scenarios. Using these crash probability figures, associated risks can be assessed by assuming that in the absence of special protective measures, all equipment in a building involved in a crash would be destroyed, which is also a pessimistic standpoint.
The basic safety rule on hazards related to aircraft crashes (RFS I.2.a) provides the following guidelines:
• the logarithmic order of magnitude of the maximum permissible probability of unacceptable radioactive release occurring at the site boundary is 10^-6 per year and per plant unit for each safety function
• however, in order to take into account the fact that an accident probability must be compounded by others with similar consequences, for each family of hazards, an admissible probability threshold is set at 10^-7 per year and per plant unit for each safety function.
In this context, commercial aviation can consequently be disregarded. Military aviation must be examined on a case by case basis. However, specific protective measures must be instituted for general aviation.
10.2.2. Protection against general aviation aircraft crashes
Given the characteristics of the aircraft used and the effects of a crash on reinforced concrete structures, two types of missile are considered by EDF:
• a 1 500 kg single engine propeller plane, whose 250 kg engine is considered a hard, perforating missile: the CESSNA 210, representing 80% of general aviation traffic
• a twin-engine commuter plane with rear-mounted jet engines, weighing 5 700 kg and considered a soft missile causing general shaking of the building hit: the LEARJET 23, representing 20% of general aviation traffic.
The impact speed considered is 100 m/s, equal to 360 km/h, which is the take-off and landing speed (Fig. 10.5.). The most important safety-related buildings, including of course the reactor building, are designed to withstand corresponding crashes without damage. Some of these buildings are only protected against perforating impact, which is the most probable. Design assumptions for structures are very strict. Depending on the standard reactor series involved, the steel reinforcements of concrete must remain elastic or undergo only very slight plastic deformation, below 0.8%. In both cases, there is a considerable margin before actual collapse of the building. Internal equipment would only be endangered by the creation of secondary missiles occurring due to building collapse. Numerous tests have been carried out to perfect and qualify the computation codes used to determine the characteristics of the reinforced concrete protection walls, in particular the laws governing perforation of reinforced concrete under the impact of a hard missile.
Investigation of collapse conditions, defined as steel structure deformation exceeding 10%, shows that, whatever the impact point on a 900 MWe, 1300 MWe or 1400 MWe unit containment building, the latter will withstand the impact of a Mirage 5 weighing over 13 metric tons and moving at a speed of 150 m/s.
Fig. 10.5. Protection against aircraft crashes; vertical axis: force (10^6 newtons).
It would perhaps be useful at this point to illustrate what is actually represented by the very low probabilities used as compared with what is observed in everyday life. The diameter of the most sensitive zone in a nuclear unit, the reactor containment, is smaller than or equal to 50 meters. The area of a circle with a 25 km radius is one million times larger. A 10^-7 per year probability of impact on a reactor containment therefore corresponds to an aircraft crash probability in this circle of 0.1 per year. Bearing in mind that there are in France about 20 nuclear sites comprising power reactors in operation, the 10^-7 per year probability of impact on each reactor of a military aircraft is consistent with statistics showing that one or two military aircraft crash every year within less than 25 km of a French nuclear power plant.
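The screening estimate of Section 10.2.1 and the order-of-magnitude illustration just given, carried through in code. This is an added example, not a calculation from the book or from EDF: the flight and crash figures are those of Table 10.2, and the 500 000 km2 area, the factor of three for siting and the 20 000 m2 per unit are the text's values; the class and function names and the "within a factor of three of the threshold" band used to flag case-by-case examination are assumptions of the example.

```python
"""Aircraft crash hazard screening for one plant unit (added example).

Follows the simplified statistical method of Section 10.2.1: national crash
rate per category, spread over the country, reduced for siting away from
approach and take-off zones, scaled to the sensitive buildings of a unit and
compared with the RFS I.2.a admissible value of 10^-7 per year.
"""
from dataclasses import dataclass

FRANCE_AREA_M2 = 500_000 * 1e6      # metropolitan France, ~500 000 km2, in m2
SITING_FACTOR = 3.0                 # plants kept clear of approach/take-off zones
SENSITIVE_AREA_M2 = 20_000.0        # buildings housing safety-related equipment, per unit
FAMILY_THRESHOLD = 1e-7             # admissible probability per year, unit and safety function
CASE_BY_CASE_BAND = 3.0             # assumption: within a factor of 3 of the threshold


@dataclass(frozen=True)
class AviationCategory:
    name: str
    flights_per_year: float
    crash_per_flight: float

    def crashes_per_year(self) -> float:
        """National number of crashes per year for this category."""
        return self.flights_per_year * self.crash_per_flight

    def crash_density_per_m2_year(self) -> float:
        """Average crash probability per m2 and per year over the whole country."""
        return self.crashes_per_year() / FRANCE_AREA_M2

    def crash_on_unit_per_year(self, area_m2: float = SENSITIVE_AREA_M2) -> float:
        """Pessimistic annual crash probability on the sensitive buildings of one
        unit, siting outside approach and take-off zones dividing the density by 3."""
        return self.crash_density_per_m2_year() / SITING_FACTOR * area_m2


# Table 10.2 figures (rounded, as in the book)
CATEGORIES = (
    AviationCategory("commercial", 1_000_000, 1e-6),
    AviationCategory("military", 600_000, 1e-5),
    AviationCategory("general", 3_500_000, 1e-4),
)


def screening_verdict(category: AviationCategory) -> str:
    """Classify a category against the 10^-7 per year family threshold."""
    p = category.crash_on_unit_per_year()
    if p >= FAMILY_THRESHOLD:
        return "specific protective measures required"
    if p * CASE_BY_CASE_BAND >= FAMILY_THRESHOLD:
        return "examine case by case"
    return "may be disregarded"


def crash_frequency_within_radius(p_target_per_year: float,
                                  target_diameter_m: float = 50.0,
                                  radius_km: float = 25.0) -> float:
    """Translate a per-target crash probability into the crash frequency expected
    in a circle around the site, assuming a uniform crash density: the ratio of
    the two areas is (radius / target radius)^2, one million for 25 km vs 50 m."""
    area_ratio = (radius_km * 1000.0 / (target_diameter_m / 2.0)) ** 2
    return p_target_per_year * area_ratio


if __name__ == "__main__":
    for cat in CATEGORIES:
        print(f"{cat.name:10s} {cat.crash_density_per_m2_year():.1e} /m2/yr  "
              f"{cat.crash_on_unit_per_year():.1e} /unit/yr  -> {screening_verdict(cat)}")
    # 10^-7 per reactor and per year, seen from a 25 km circle, times ~20 sites
    per_site = crash_frequency_within_radius(1e-7)
    print(f"military crashes within 25 km of some French plant: ~{20 * per_site:.1f} per year")
```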
We have presented, with a few details, the general method used. A site by site survey of local air traffic characteristics is carried out by EDF and presented in the preliminary safety analysis reports. This ensures that standard design provisions are adequate. The survey is, of course, examined in detail by the safety authorities. Any significant subsequent modification of the aeronautical environment would give rise to re-examination of the matter.
10.3. Industrial hazards
The "site description" chapter of safety reports has always included a description of the present and projected industrial environment for several kilometers around the installation. This has not led to special constraints for plant construction. However, during examination of the application for authorization to build the Gravelines plant in 1975, it became apparent that the problem merited in-depth consideration. The Gravelines region includes a great deal of industrial activity, involving, in particular, a hydrocarbon storage area, some of whose tanks were 500 m from one of the reactors. The tanker port allowed docking of large ships at distances from 1250 m to 2000 m. As the plant is coastal, ships could run aground less than 650 m from the nuclear units. Their tanks, assumed empty, could then explode. Furthermore, study of the site and its future development revealed a large scale project of the Dunkirk harbor authorities for the construction of an LNG port which presented a potential further risk of explosion: for example, if two ships collided and at least one contained liquid gas, part of the gas could escape; the resulting cloud could drift, and, with the conjunction of unfavorable conditions, explode over the plant. It was clearly necessary to evaluate the potential consequences of such a situation for the plant and to plan special protective measures. Electricite de France then rapidly prepared a methodology for evaluating hazards due to the industrial environment, specifically centered on explosion hazards and similar in spirit to the methodology used for aircraft crashes. The criterion for taking hazards into account is probabilistic and identical to that for aircraft crashes: 10^-7 per year per unit and per safety function. In addition, uncertainties are considered with prudence.
This methodology led to the decision to protect safety-related buildings at the Gravelines plant against triangular 200 mbar overpressure waves lasting 300 ms, and against heat due to a nearby fire. The buildings and ventilation air inlets of the standard 900 MWe series of plants were therefore modified and reinforced. Spray rings were installed for facades liable to be exposed to the heat of fire outbreaks involving the contents of the nearest tanks. In addition, mounds of earth were placed between the reactors and the vessels.
Fig. 10.6. Effects of explosions versus reduced distance (m/kg^(1/3)); vertical axis: incident overpressure (hPa).
Conditions changed, the LNG port was not built and the project seems to have been abandoned, but the prudent approach adopted is the only way to avoid subsequent blocked situations due to incompatibility between a nuclear installation and the development of its industrial environment. The method of hazard analysis, on the other hand, was kept, perfected and systematically applied during preliminary examination of following reactors. A 50 mbar overpressure wave is taken into account for design of standard nuclear units, and it is checked that this is sufficient, taking into account stationary storage facilities as well as trains, trucks, barges and other ships, or pipelines. For information, here are some examples of overpressure:
• 100 kg of TNT causes an overpressure wave of 50 mbar at 100 m
• 100 metric tons of TNT causes the same overpressure at 1000 m
• 1 kg of hydrocarbon is equivalent to 5 to 10 kg of TNT.
A 50 mbar overpressure wave causes virtually total destruction of windows and some damage to houses. Statistics lead to the following approximate probability figures for explosion of transported explosives:
• several 10^-9 per km per train
• several 10^-8 per km per barge
• several 10^-7 per km per road vehicle.
Finally, at startup of 900 MWe plants, the behavior of openings and buildings under overpressure waves was verified. These checks showed that other design constraints of structures and equipment ensured satisfactory resistance.
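The reduced-distance scaling behind Fig. 10.6 and the overpressure examples above, worked through as an added example that is not code from the book or from EDF. It reproduces the two TNT data points, converts a hydrocarbon inventory with the text's 5 to 10 kg of TNT per kg, checks a standoff distance against the 50 mbar design value and combines the per-km transport figures into a crude screening frequency; the 50 mbar reduced distance is calibrated from the 100 kg / 100 m point, the function names, the screening combination and the sample loads are assumptions of the example.

```python
"""Explosion overpressure screening by reduced distance (added example).

Fig. 10.6 plots incident overpressure against the reduced distance
Z = R / W^(1/3) (m/kg^(1/3)), with R the distance in metres and W the TNT
equivalent mass in kg. Two charges with the same Z give the same overpressure,
which is why 100 kg of TNT at 100 m and 100 t at 1000 m both give 50 mbar.
"""
from typing import Tuple

DESIGN_OVERPRESSURE_MBAR = 50.0
# reduced distance at which the text's 100 kg charge gives 50 mbar (at 100 m)
Z_50_MBAR = 100.0 / 100.0 ** (1.0 / 3.0)   # ~21.5 m/kg^(1/3), calibrated here
HYDROCARBON_TNT_FACTOR = (5.0, 10.0)       # kg TNT per kg hydrocarbon, low / high


def reduced_distance(distance_m: float, tnt_kg: float) -> float:
    """Hopkinson reduced distance Z = R / W^(1/3)."""
    if tnt_kg <= 0:
        raise ValueError("charge mass must be positive")
    return distance_m / tnt_kg ** (1.0 / 3.0)


def distance_for_50_mbar(tnt_kg: float) -> float:
    """Distance at which a TNT charge produces the 50 mbar design overpressure."""
    return Z_50_MBAR * tnt_kg ** (1.0 / 3.0)


def hydrocarbon_tnt_equivalent(hydrocarbon_kg: float) -> Tuple[float, float]:
    """Low and high TNT-equivalent masses for a hydrocarbon inventory."""
    lo, hi = HYDROCARBON_TNT_FACTOR
    return hydrocarbon_kg * lo, hydrocarbon_kg * hi


def standoff_is_sufficient(hydrocarbon_kg: float, distance_m: float) -> bool:
    """True if the unit lies beyond the 50 mbar radius even for the pessimistic
    (10 kg TNT per kg) equivalence, i.e. the standard 50 mbar design bounds the case."""
    _, tnt_hi = hydrocarbon_tnt_equivalent(hydrocarbon_kg)
    return distance_m >= distance_for_50_mbar(tnt_hi)


def route_explosion_frequency(per_km_per_passage: float,
                              exposed_length_km: float,
                              passages_per_year: float) -> float:
    """Crude screening estimate (assumption of this example): explosion probability
    per km and per passage, times the length of route inside the 50 mbar radius,
    times passages per year; every such explosion is taken to reach the plant at
    design overpressure, which is pessimistic."""
    return per_km_per_passage * exposed_length_km * passages_per_year


if __name__ == "__main__":
    # the two calibration points of the text share the same reduced distance
    print(f"Z for 100 kg at 100 m:  {reduced_distance(100, 100):.2f}")
    print(f"Z for 100 t at 1000 m:  {reduced_distance(1000, 100_000):.2f}")
    # constructed case: a 20 t hydrocarbon tank 1.5 km from the unit
    lo, hi = hydrocarbon_tnt_equivalent(20_000)
    print(f"20 t hydrocarbon ~ {lo/1000:.0f}-{hi/1000:.0f} t TNT, 50 mbar reached at "
          f"{distance_for_50_mbar(lo):.0f}-{distance_for_50_mbar(hi):.0f} m")
    print("standoff sufficient at 1500 m:", standoff_is_sufficient(20_000, 1_500))
    # constructed case: 2 km of road inside the radius, 500 tanker passages a year
    f = route_explosion_frequency(3e-7, 2.0, 500)
    print(f"road transport explosion frequency ~{f:.1e}/yr vs 1e-7 per year threshold")
```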
10.4. Floods
It is paradoxical but true that flooding of a nuclear power plant with submersion of the platform causes serious cooling problems for the reactors of the plant. No detailed damage scenario has been prepared, but one can imagine that in the absence of all precautions, submersion or mechanical destruction could destroy all external or internal electrical supplies needed to drive the cooling pumps or any other system, even turbine-operated, used for long-term cooling. Nuclear plants must therefore be protected against plausible external floods by setting platform levels sufficiently high. This level varies as a function of the type of site. In at least one case, it has varied over time. For sites with 900 MWe units, the following rule was applied (Fig. 10.7.):
• for river sites, the highest of the following levels is taken:
  - the thousand-year flood
  - the conjunction of the highest known flood, or the hundred-year flood if it is greater, and the effect of failure of the largest dam located upstream
• for coastal sites, a value is used which corresponds to the calculated maximum tide (coefficient 120) plus the thousand-year coastal flood
• for estuary sites, the highest of the following levels is used:
  - the thousand-year river flood plus the coefficient 120 tide
  - the hundred-year flood plus the worst-case dam break upstream plus the average tide (coefficient 70)
  - the thousand-year coastal flood plus the coefficient 120 tide.
Fig. 10.7. Protection against floods.
In all cases, installations are protected from external floods by setting platforms bearing safety-related equipment at a level not less than that defined by the methods above, and by blanking water access routes located below the platform level. The probabilistic reference values of events or event combinations were applied to the rest of the installation and the probabilistic significance of the different levels was studied. For coastal sites, a coefficient 120 tide, which is a relatively brief and rare occurrence - approximately 2 hours every 17 years - is added to the thousand-year coastal flood value which, in principle, is not correlated and also doesn't last long. Were each of these events to last a full year, the cumulative probability would be around 10^-4. Their short duration should mean that several decades are gained.
In cases where the level is equal to the addition of the hundred-year flood, which usually only lasts a few days per century, and the breaking of a dam, the annual probability of which is estimated at 10^-4 to 10^-5, the resulting probability level is not very different. The same is not true for sites which use the thousand-year flood to determine design. By definition, the probability of such a situation is 10^-3 per year, which is clearly excessive for a phenomenon liable to have significant consequences. However, specialists believe that it is foolish to try to determine scientifically a flood level of clearly lower probability, in the absence of a reliable relevant scientific law. The deluge is not a "probabilizable" event. Therefore, the following procedure was established by those responsible for plant safety:
• special precautions are taken to determine the thousand-year flood. Insofar as possible, uncertainties in the determination of flood volume, and corresponding levels, will be defined pessimistically. In particular, the thousand-year flood volume taken into account is not the average calculated value but the upper limit of the 70% confidence interval
• this latter value is increased by 15%.
Since there is no recognized extrapolation method for the law linking frequency and flood level, the gain achieved is not quantifiable. Safety organizations have therefore requested that means be determined to handle higher floods. This approach is formally presented in a basic safety rule (RFS I.3.e). Since there is an emergency warning system, it is assumed that the reactor will be placed in safe shutdown before platforms are submerged. Electricite de France has designed various means of shutting off inlets to safety-related buildings. These systems will also serve as additional protection for the oldest plants on the Loire, whose platform level was determined on the basis of the thousand-year flood, as the Loire has no large dams.
A procedure using protected equipment only specifies all actions necessary to prevent any fuel deterioration or radioactivity release. This is known as procedure H5, to be discussed in the next chapter.
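The platform level rule for 900 MWe river, coastal and estuary sites, together with the pessimistic treatment of the thousand-year flood volume described above, encoded as an added example (not the book's or EDF's own tool). All quantities are treated as additive water-level contributions in metres above a common datum, which is a simplification; the class and function names and the sample levels are constructed for the example.

```python
"""Design platform level against external floods for 900 MWe sites (added example).

Encodes the rule of Section 10.4 (Fig. 10.7) for river, coastal and estuary
sites, plus the pessimistic thousand-year flood volume (upper bound of the 70%
confidence interval, increased by 15%). Levels are metres above a common datum.
"""
from dataclasses import dataclass
from typing import Dict, Optional

TIDE_COEFF_MAX = 120   # maximum calculated tide, combined with thousand-year floods
TIDE_COEFF_MEAN = 70   # average tide, combined with the hundred-year flood plus dam break


@dataclass(frozen=True)
class FloodInputs:
    thousand_year_river: Optional[float] = None    # constructed sample values below
    hundred_year_river: Optional[float] = None
    highest_known_flood: Optional[float] = None
    dam_break_effect: float = 0.0                  # failure of the largest dam upstream
    thousand_year_coastal: Optional[float] = None  # coastal flood contribution
    tide: Optional[Dict[int, float]] = None        # {tide coefficient: level}


def _require(value: Optional[float], name: str) -> float:
    if value is None:
        raise ValueError(f"{name} is required for this site type")
    return value


def _tide(i: FloodInputs, coefficient: int) -> float:
    if not i.tide or coefficient not in i.tide:
        raise ValueError(f"tide level for coefficient {coefficient} is required")
    return i.tide[coefficient]


def river_design_level(i: FloodInputs) -> float:
    """Highest of: the thousand-year flood; the highest known flood (or the
    hundred-year flood if greater) combined with failure of the largest dam upstream."""
    q1000 = _require(i.thousand_year_river, "thousand_year_river")
    q100 = _require(i.hundred_year_river, "hundred_year_river")
    known = i.highest_known_flood if i.highest_known_flood is not None else q100
    return max(q1000, max(known, q100) + i.dam_break_effect)


def coastal_design_level(i: FloodInputs) -> float:
    """Maximum calculated tide (coefficient 120) plus the thousand-year coastal flood."""
    return _tide(i, TIDE_COEFF_MAX) + _require(i.thousand_year_coastal, "thousand_year_coastal")


def estuary_design_level(i: FloodInputs) -> float:
    """Highest of the three combinations the rule lists for estuary sites."""
    q1000 = _require(i.thousand_year_river, "thousand_year_river")
    q100 = _require(i.hundred_year_river, "hundred_year_river")
    c1000 = _require(i.thousand_year_coastal, "thousand_year_coastal")
    return max(q1000 + _tide(i, TIDE_COEFF_MAX),
               q100 + i.dam_break_effect + _tide(i, TIDE_COEFF_MEAN),
               c1000 + _tide(i, TIDE_COEFF_MAX))


def design_level(site_type: str, i: FloodInputs) -> float:
    """Minimum platform level for safety-related equipment, by site type."""
    rules = {"river": river_design_level, "coastal": coastal_design_level,
             "estuary": estuary_design_level}
    if site_type not in rules:
        raise ValueError(f"unknown site type {site_type!r}")
    return rules[site_type](i)


def pessimistic_thousand_year_volume(ci70_upper_bound: float) -> float:
    """Volume retained for the thousand-year flood: the upper limit of the 70%
    confidence interval rather than the mean estimate, then increased by 15%."""
    return ci70_upper_bound * 1.15


if __name__ == "__main__":
    sample = FloodInputs(thousand_year_river=3.0, hundred_year_river=2.2,
                         highest_known_flood=2.5, dam_break_effect=1.2,
                         thousand_year_coastal=0.8, tide={120: 1.5, 70: 0.9})
    for kind in ("river", "coastal", "estuary"):
        print(f"{kind:8s} platform level >= {design_level(kind, sample):.2f} m")
```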
10.5. Protection against other external hazards
The risk of volcanic activity in France is very low. No nuclear installation is envisaged at Puy de Dome or in its vicinity. Therefore, no special precautions against volcanic hazards have been taken in construction of installations. For snow and wind, civil engineers use "Snow and Wind" rules, which are not nuclear-specific. The loads considered are large but, as the statistics they use are quite recent, they do not take into account probabilities as low as those usually used to design nuclear power plants. The "Snow and Wind" rules suggest however that additional safety margins should be taken by designers where this is warranted by what has to be protected. In fact, for buildings and structures containing equipment whose destruction could cause an incident or an accident, loads are usually lower than those considered for aircraft crashes or explosions, although this does not apply to the stacks or the turbine building roof. The cold spells of January 1985 and 1987 revealed certain insufficiencies in protection of French power plants against external cold. The prolonged periods of extreme cold that occurred in those years are neither very frequent nor very unusual. Such periods occur several times in a century. However, in several units located on different sites, small piping with insufficient heat lagging froze, which caused the loss of data needed for plant operation or even for proper operation of a safeguard sequence needed in case of a primary break. These incidents are discussed in Chapter 26. Special equipment layout rules are specified at the design and construction stage for the N4 standardized series of reactors, with a view to better providing against hazards related to extreme cold.
11
Complementary operating conditions
We have just seen how failures due to internal and external hazards, not studied when the PWR system was first selected, were gradually introduced into the preliminary and basic design work for these plants. We have also seen the introduction of probabilistic references to judge the acceptability of provisions made with respect to certain hazards, such as turbine missiles, aircraft crashes and explosions. These two elements were added to initial design without affecting the most sensitive and the most structured part: the study of internal accidents, using the formal method described in detail in Chapters 3 to 8.
11.1. Origins
Since 1973, American safety organizations had been discussing the possibility and possible consequences of a failure of the emergency shutdown system associated with a transient (anticipated transient without scram, or ATWS). Emergency shutdown is, in any case, a redundant system, therefore satisfying the single-failure criterion. The French safety authorities extended the implications as of 1975, requiring EDF to study the probability and consequences of a complete failure of safety-related systems, in constant or frequent use. The systems involved are those ensuring power supply, those ensuring heat sink availability and that of associated equipment, and those ensuring core cooling, via steam generators. In general, these functions are ensured by several redundant systems. A "safe" power supply system can consist of two relatively independent external mains, the possibility to switch to house load, two redundant diesel generators, one of the sources sufficing alone. During reactor operation, core cooling is ensured by the steam generator normal feedwater system. This system is redundant. Should this system fail or the turbine become inoperable, the reactor is shut down, and steam generators are supplied by means of the Auxiliary Feedwater System (AFW), which itself is redundant. The single failure criterion is thus consistently respected.
Preliminary investigations on the subject were called "beyond design basis" studies, an expression reserved for studies of very serious accidents whose probability is low. They in fact related above all to operating conditions "left beyond the scope of conventional design." To appreciate the advantage and importance of these new studies, a basic reference was needed. The safety organizations then suggested that the probabilistic references used for external hazards be used.
11.2. The position of the safety authorities
In 1977 and 1978, the SCSIN defined, in two letters to Electricite de France, an overall probabilistic goal and practical applications in terms of studies to be undertaken. The main points of these two letters were as follows:
• design of units including a pressurized water reactor should be such that the overall probability of the unit causing unacceptable consequences does not exceed 10^-6 per year
• the probabilistic approach should be used for as many events as possible
• the use of a probabilistic approach does not imply demonstration of observance of the overall goal nor direct use of these methods in unit design. However, it can improve the definition of the deterministic criteria used
• given the overall goal of 10^-6, a value of 10^-7 is used as the annual probability of occurrence of unacceptable consequences for each event family for which a probabilistic approach can be used
• on the other hand, event families whose estimated frequency is clearly lower than 10^-7 per year per unit shall not be taken into account
• "realistic" design assumptions and methods may be used to study event families whose consideration in unit design is a result of this complementary approach
• the case of simultaneous failure of redundant trains of safety-related systems should be studied in this framework.
These principles call for some comments:
• the overall goal is set in terms of "unacceptable consequences", which are not defined by law or regulation. These consequences must therefore be determined politically and be subject to modification. Practically speaking, each time a probabilistic approach is used for an event family, a prudent well-defined goal is set in terms of unacceptable consequences:
  - for aircraft crashes, loss of integrity of buildings sheltering safety-related equipment shall systematically lead to "unacceptable consequences"
  - for the total failure of redundant systems, the "unacceptable consequence" shall be considered to be the beginning of core uncovering, with no possibility of rewatering
• the probability of 10^-6 per year of unacceptable consequences is an "objective" maximum value. The applicant is not required to prove that this goal is reached*
• the value of 10^-7 per year is not an obligatory threshold value for an event family since there can be compensation with other families with lower probability
• additional measures which may prove necessary might include procedures using systems already existing in conventional deterministic design or additional systems.
One may be inclined to compare the consequences of the event families analyzed by this method with fourth category operating conditions, just as one is inclined to compare the 10^-7 value with the frequency interval lower limit estimated for these conditions. However, this is an area requiring circumspection, for the operating condition table concerns initiating events, compounded by penalizing conditions such as the single failure criterion and loss of offsite power. The probability of this load combination occurring is a priori far lower than that attached to the initiating event alone. In this new approach, the probability is estimated by combining the probabilities associated with each failure involved in the scenario considered.
11.3. Complementary operating conditions

The process is applied in the following manner:
• the probability of the family of events considered is assessed
• if the estimated probability is equal to or greater than 10⁻⁷ per year, the consequences are assessed in the context of prevailing plant conditions
• if the probability - consequences pair for a family of events is in the unacceptable area, measures to improve the situation must be defined. This can be done by sufficiently reducing the probability or the consequences, or both.
Increased redundancy in safety-related systems comes immediately to mind, but we have seen that the gain in failure probability diminishes rapidly when the number of trains increases, due to failures liable to affect all trains simultaneously and for the same reasons (common mode failures). However, better use of existing equipment can lead to improvements.

* In this connection, refer to Chapter 19 for the results of probabilistic safety assessments as published in 1990.
We shall now discuss some examples of how these problems have been dealt with.
11.3.1. Anticipated transient without scram (ATWS)

As we have seen, American safety organizations raised in 1973 the problem of the failure of the emergency shutdown system (scram), which involves the drop of all the reactor shutdown rod cluster control (RCC) assemblies, during the frequent transients which trigger a scram. The RCC assemblies drop by gravity when their holding mechanisms are de-energized. These devices are de-energized by two series-mounted trip breakers, supplied by two independent channels. It would nonetheless appear that there is a probability of between 10⁻⁵ and 10⁻⁴ of failure of emergency shutdown for each request. Common mode failures have been observed in the United States on emergency shutdown relays and breakers. Since this is a relatively high probability, the results of a failure of emergency shutdown have been examined for all cases studied of second-category incidents calling for emergency shutdown. The most serious problems are the level of overpressure in the primary cooling system and the continued sufficient cooling of fuel rods. These studies show that if failure of emergency shutdown is the only disturbance caused by the transient, no safety limits are endangered. On the other hand, detailed study of the structure of the logic of the protection system controlling emergency shutdown revealed (in 1978) that, for certain fault localizations in the logic, there is also failure of the trip command for the turbine or the startup command for steam generator auxiliary feedwater system, which commands are generated by the same systems as emergency shutdown. In the first case, stress levels on the primary cooling system are close to the maximum acceptable limits. In the second case, these stresses may eventually exceed permissible limits, when the first transient is the loss of normal water supply to steam generators.
It was therefore decided to diversify the control logics of emergency shutdown and of steam generator auxiliary feedwater startup and turbine trip, and even to diversify the sensors generating these signals as of the 1300 MWe plants, which had not yet been built at the time. Damaging cumulative faults can now only come from accidental coincidences whose overall probability is sufficiently low. The ATWS problem is therefore considered to have been solved by installation modifications. It should be noted, however, that in all cases of automatic actuation of protection or safety systems, operation teams are asked to confirm these
commands manually, hence using systems and equipment entirely independent of those used for the initial commands.
11.3.2. Total loss of steam generator feedwater supply

During reactor operation, water supply to steam generators is ensured by the Feedwater Flow Control System, which recycles condensed steam after passage through the turbine. This system, which is indispensable for electricity production, is not safety-related. It is not unusual for this system to shut down completely. This is a second-category transient. Furthermore, the original design of 900 and 1300 MWe plants provides for each emergency shutdown of the reactor to stop this system and activate steam generator auxiliary feedwater supply provided by a safety-related system. The steam generator auxiliary feedwater system is driven by two motor-driven pumps and one turbine-driven pump in the 900 MWe units, two motor-driven pumps and two turbine-driven pumps in the 1300 and 1400 MWe units. The probability of total failure of both systems is of several 10⁻⁵ per year, which justifies study of the consequences. Normal steam generator water supply regulation was modified to reduce the frequency of use of the auxiliary feedwater system, but the overall gain was still not sufficient.
11.3.2.1. "Natural" accident scenario As is generally the case in the present paper, the scenario below corresponds to an accumulation of penalizing assumptions. The most unfavorable initial condition is also the most frequent: the reactor is operating at nominal power, and the loss of normal water supply to the steam generators causes emergency shutdown of the reactor and gives the auxiliary feedwater system startup command after 16 seconds. It is postulated that the auxiliary system fails to start. As long as the steam generators contain secondary water, they remove almost all the residual power of the core. But this level drops and the generators dry out after fifteen minutes. As soon as there is no more secondary water in the steam generators, water in the primary cooling system heats up rapidly and expands. As the primary cooling system pressure rises, the pressurizer fills up. The pressurizer relief valves open, but the pressure rise in the primary cooling circuit does not stop right away.
This pressure stabilizes around 165 bar with the relief valves open. Water from the primary cooling system gradually drains into the containment and core meltdown is inevitable, because no signal started up safety injection, which is normally tripped by low pressure in the primary cooling system.
11.3.2.2. Operator intervention In order to prevent core meltdown, its residual power must be removed; for this, the pressurizer relief valves must be opened without fail, but the water which has leaked from the primary cooling system must be replaced by voluntary safety injection startup. Finally, for safety injection to be effective, it must be started before pressure in the primary cooling system is greater than the discharge pressure of the safety injection. In this case, the core is cooled by water from a once-through system, coming from the safety injection and pouring into the containment (known as "feed and bleed" cooling of the primary system). This involves a sort of chase between the increase in primary pressure and the voluntary opening of the greatest possible number of relief vents, along with safety injection. Operators must therefore act very quickly. If they intervene within fifteen minutes, the core is saved and there is no clad failure. If they intervene within forty-five minutes, the core is generally preserved but there are an increasing number of clad failures. If they intervene after forty-five minutes, their action will have no effect and core meltdown is inevitable. There are ways to identify this accident. They include in particular various secondary cooling water level indicators in the steam generators. These devices have been improved. But deliberately creating a primary break, thereby contaminating the reactor building, is not an easy decision for an operating team to take. This is confirmed by observation of the behavior of operators faced with this type of situation during simulator training. The detailed study of this accident led to an operating procedure enabling core meltdown to be avoided. Some technical measures have been taken to reduce the probability of this accident and to help operator diagnosis.
11.3.3. Total loss of power

There are many ways to supply the power needed for safety functions in French nuclear power plants (Fig. 11.1.):
• two relatively independent external supplies from the national grid
• house load operation, wherein the unit is separated from external power supplies and only operates to supply its auxiliaries
• two internal supplies, each comprising a diesel-powered generator set.
Fig. 11.1. 900 MWe plant power supplies.
Any one of these sources can supply all power needed for safety purposes. This power is distributed to equipment which needs it by means of two electrical switchboards, each with its own line. Each diesel generator is allocated to one of the switchboards.
Total failure of power supply to safety-related equipment may be caused by simultaneous failure of either all power supplies or both electrical switchboards. The total probability of this is of a few 10⁻⁵ per year, due in almost equal proportions to failure of supplies or of switchboards. It is therefore necessary to study the consequences.
11.3.3.1. "Natural" accident scenario

The loss of both power supply lines causes:
• control rods to drop
• all motor-driven pumps to stop
• all motorized valves to become immobilized, some in safe configurations
• "loss" of compressed air, at least after depressurization of the buffer tanks on certain circuits
• depletion of batteries and, after an hour, "loss" of all indications and control in the control room.
The fact that the reactor stops due to the control rods dropping is a good thing. Shutdown of reactor coolant pumps fitted with adapted flywheels is provided for in case of emergency shutdown and ensures transition of the coolant to natural circulation. Removal of residual power can be ensured by means of steam generators supplied by the turbine-driven auxiliary feedwater pump(s), with steam discharged to the atmosphere. On the other hand, the hydrodynamic seals of reactor coolant pumps will rapidly suffer the consequences of shutdown of chemical and volume control system pumps, which inject water at very high pressure into these seals, and shutdown of the component cooling system, which supplies cold water to the thermal barrier which helps protect them. The result is a significant risk that these seals will become damaged and a primary break occur. But the safety injection system is not operative, except for the accumulator tanks, nor is containment spraying. In a few hours, therefore, a very serious accident could occur.
11.3.3.2. Corrective measures

It was decided to make certain modifications to installations and equipment (Fig. 11.2.), and the corresponding operating procedures were added (H3):
• use of the primary system motor-driven test pump*, which has a low flowrate, to regain, after two minutes, injection to the reactor coolant pump seals. This pump is supplied by a small emergency turbogenerator (LLS), installed on each 1300 MWe and 1400 MWe unit and driven by steam from the steam generators (each pair of 900 MWe units is equipped with a test pump and an LLS);
• maintenance of a minimum of control and instrumentation functions, allowing control of the pressure and temperature of primary and secondary cooling systems, control of primary system refill and speed control of the turbine-driven pump(s) for auxiliary supply of the steam generator and the atmospheric steam relief valves. The small turbogenerator also supplies the current needed.
If water from the primary cooling system is not being discharged, the pressurizer fills up due to the water injection to the reactor coolant pump seals. The necessary space is created by using the steam generators to cool the primary coolant, thereby causing it to contract (at the beginning of this scenario at rated power, primary cooling water, at average temperature 286 °C, has a relative density of approximately 0.7; it should therefore be possible to gain around 100 m³). The first studies show that it would be possible to keep the fuel in a satisfactory condition for 20 hours under these conditions. It proved possible to extend this period even more by optimizing procedures and re-supplying the steam generator auxiliary feedwater tank. It should be pointed out that this procedure and the associated equipment make it possible to completely avoid damage to the fuel and significant radioactive release.
These periods are now sufficient to re-establish power supply in the following ways:
• external power supply by
  - a unit in house load operation on the same site
  - a neighboring site
  - a nearby hydraulic generator set
• startup of the site gas turbine or emergency diesel generator provided to supplement the power supply possibilities of each site to improve availability
• connection of the backed-up electrical switchboards to the diesel generator of a neighboring unit
• bypassing the inoperable electrical switchboards by means of the connection harnesses used during routine testing.
* The test pump is used to pressurize the primary system for the regulatory startup and periodic tests via the reactor coolant pump seal injection lines.
Fig. 11.2. Remedying total loss of power situations.
All units in service are now equipped with these systems and the problems of reliability of the additional equipment are gradually being solved.
11.3.4. List of complementary procedures

We have just seen in detail three accident situations where probabilistic studies led to the definition of additional provisions. These are not the only ones. We shall only discuss the remaining ones quickly, after giving the list of those accompanied by operating procedures:
• H1: Loss of the heat sink or systems ensuring heat transfer to it.
• H2: Total loss of water supply to steam generators.
• H3: Total loss of power.
• H4: Loss of the safety injection system or the containment spray system, during the long-term period following a LOCA type accident.
• H5: Protection of certain river sites against floods higher than the thousand-year flood.
Total loss of the heat sink

Available site water reserves, and the procedures used to re-supply the steam generator auxiliary feedwater tank, ensure sufficient time to restore the heat sink, or actuate the systems ensuring heat transfer to it, when the primary cooling system is pressurized. The procedures indicate what to do in various situations, whether the reactor be power operating or shut down.
Total loss of the safety injection system or the containment spray system

The accident which occurred at the Three Mile Island reactor confirmed the need and also the difficulty of keeping active for months systems rendered inaccessible for maintenance or repair by the radioactivity of the fluid they contain. Probabilistic checks confirmed that the probability of pumping system failure over a period of several months could not be overlooked. The systems concerned each have two pumps, one of which is quickly sufficient. These four pumps have similar characteristics. The installation of connections between the two systems ensures mutual back-up. These connections must, of course, be fitted in advance on systems not yet contaminated. In extension of procedure H4, procedure U3 concerns total failure of all pumps. It mainly consists of prefitted connections accessible after a LOCA, enabling use of a pumping system and, if required, a heat exchanger, which are not routine plant equipment but can be brought to the site in case of emergency. These devices, together with associated radiation protection provisions, are designed to enable intervention, for example, two weeks after the occurrence of a major primary break. The problem of protection of river sites has already been discussed in Section 10.4. Like the I procedures (for Incident) and A procedures (for Accident), derived from the event-oriented deterministic approach, the goal of the H procedures is to prevent or limit damage to fuel. It is important to bear in mind that, given the manner in which the scenarios and corresponding probabilities are determined, the first three H procedures cover events which are far more likely to occur than major primary or secondary system breaks for example, even if attention were drawn to them at a later date.
The H procedures, by organizing in advance optimal use of all equipment provided in the deterministic context or of relatively little additional equipment, make it possible to prevent clad failures in the situations concerned, thereby supporting the first and third levels of defense in depth. Unfortunately, the letter H used for the designation of these procedures refers to the French expression "hors dimensionnement", meaning "beyond design basis". These terms are reminders of the minor cultural revolution that consisted in using probabilistic methods to select and handle relatively probable operating conditions which are not among the usual deterministic operating conditions. These two expressions are still sometimes used to refer to "complementary" conditions, giving the impression that the latter are less probable than those corresponding to A procedures, which is not the case. This difficulty will disappear once the state-oriented approach presented in Chapter 14 has replaced the event-based procedures.
12
Probabilistic assessment of an accident sequence
As a supplement to the previous chapter, we shall now consider a total loss of power scenario and show the actual steps involved in the probabilistic assessment of a new accident sequence. The scenario selected is that described in Section 11.3.3, where it was presented from a deterministic standpoint focused on the risk of reactor coolant pump seal leakage, which was the new element. We shall now systematically postulate the failure of the various components and systems successively involved and examine the consequences of these failures with the associated time lapses. This survey was carried out at the beginning of the eighties and was used to validate the complementary provisions adopted at that time. The descriptions and numerical values used concern 900 MWe PWR units. We shall then show how these studies were reviewed in the light of our new knowledge. The probabilistic analysis methods and principles involved are discussed in more detail in Chapter 19.
12.1. Effects of failures and initial assumptions

Total failure of the power supply is defined here as a simultaneous loss of power on both 6.6 kV switchboards supplying safety-related equipment. A priori, it causes rod drop but it is considered that non-compliance of more than two rods would quickly result in core meltdown, owing to the loss of normal cooling systems (reactor coolant pumps) and of the safety injection system, which are no longer energized. The steam generator auxiliary feedwater supply, using the turbine-driven pumps, suffices to remove the residual power, with atmospheric dumping of the secondary steam produced. On the other hand, failure of this cooling mode would result in core meltdown after 1 hour if the reactor had been shut down for less than 10 hours. The batteries supplying the control and instrumentation system have a reserve time of 1 hour. Since control of the installation has become impossible, it is considered that core meltdown will take place 1 hour later. The failure of the chemical and volume control system renders unavailable the injection to the reactor coolant pump seals. The failure of the intermediate cooling system causes shutdown of the cold water supply to the pump thermal barriers. The gradual loss of the reactor coolant pump seals and the loss of primary fluid thereby incurred would lead to core meltdown in 3 hours. The provision of an emergency turbogenerator set and its correct operation enable re-energization of the batteries and resumption of the injection to the reactor coolant pump seals by means of the pressure test pump, thereby eliminating these failure paths. Malfunction of this turbogenerator, on the other hand, would bring us back to the previous situation, where failure of the control and instrumentation system would be the first cause of core meltdown, 1 hour before the same consequences would be incurred by the reactor coolant pump seal leakage. The probability of total power loss decreases with the duration of the event. It is feasible to consider that offsite power could be recovered before core meltdown had taken place, in which case the latter would be prevented. However, no allowances are made for the recovery of failed internal equipment since high speed repair work would be extremely difficult to carry out. Many uncertainties subsist regarding physical phenomena, notably the behavior of the reactor coolant pump seals or of the installation deprived of control and instrumentation.
Assumptions consequently had to be made, based on the recommendations of experts in the field, pending complementary studies or tests which would allow a more accurate appraisal of what could happen in these circumstances.
12.2. Chronological list of the elements forming the scenario

Considering only the first three hours of the accident and using a one hour time unit, we obtain the following list of events (the symbol on the right is the label used for each event in the fault tree):
• at 0 hour:
  - total loss of 6.6 kV power for any length of time   Ei
  - reactor trip   AU
• from 0 to 1 hour:
  - failure of auxiliary feedwater system turbine-driven pump   ASG 1
  - failure of emergency turbogenerator LLS   LLS 1
  - failure of test pump   PT 1
  - recovery of a power source   R1
• from 1 to 2 hours:
  - failure of auxiliary feedwater system turbine-driven pump   ASG 2
  - failure of emergency turbogenerator LLS   LLS 2
  - failure of test pump   PT 2
  - recovery of a power source   R2
• from 2 to 3 hours:
  - failure of auxiliary feedwater system turbine-driven pump   ASG 3
  - failure of emergency turbogenerator LLS   LLS 3
  - failure of test pump   PT 3
  - recovery of a power source   R3
12.3. Required data

The data base required to estimate the values corresponding to the failure probabilities or the possibilities of recovery can be directly grounded on observed reliability data for the equipment concerned or result from a calculation using fault trees, or even Markov charts in cases where recovery of a complex system is being considered. The values presented in this section are those used in the initial survey. For the equipment concerned, they derive from general data rather than operating feedback, which had only recently been organized at that time. The probability of 6.6 kV source failure depends on the time period considered:

Period exceeding    Annual probability
0 hour              5.63 × 10⁻⁵
1 hour              3.78 × 10⁻⁵
2 hours             2.93 × 10⁻⁵
3 hours             2.40 × 10⁻⁵
10 hours            8.32 × 10⁻⁶
100 hours           6.04 × 10⁻⁷
Refusal of more than two rods to drop: 1.3 × 10⁻⁵.
Failure of the auxiliary feedwater system turbine-driven pump:
• at startup* = 4.0 × 10⁻³ per demand
• during operation = 5.9 × 10⁻⁴ per hour
Failure of the emergency turbogenerator LLS:
• at startup = 1.3 × 10⁻³ per demand
• during operation = 2.2 × 10⁻⁴ per hour
Failure of the test pump:
• at startup = 5.2 × 10⁻³ per demand
• during operation = 2.0 × 10⁻⁴ per hour
The event failure probability can then be determined:
12.4. Assessment results The formula giving the annual core meltdown probability is as follows:
It is to be noted that the (1 - Pi) terms are very close to 1. For a manual calculation, they can be disregarded. Considering the probability of the initiator, total loss of power and failure to recover a power source, the annual probability of core meltdown is due to the following system or equipment failures, listed in the order of the formula, assuming each time that the previous action has been successful:
• emergency shutdown: 7.3 × 10⁻¹⁰
• auxiliary feedwater system turbine-driven pump: 1.73 × 10⁻⁷
• emergency turbogenerator: 4.39 × 10⁻⁸
• test pump: 1.29 × 10⁻⁷
• failure of the auxiliary feedwater system between 1 and 2 hours: 1.41 × 10⁻⁸

* These parameters are defined in Section 19.3.3.
This gives a core meltdown probability of 3.61 × 10⁻⁷ (Fig. 12.1.).
Fig. 12.1. Fault tree. Total loss of power.
Fig. 12.2. Fault tree without an emergency turbogenerator.
The absence of an emergency turbogenerator simplifies the formula, since the probability of failure of this equipment to operate (P LLS) is equal to 1. The third term is increased and the last two are equal to zero. The annual probability of core meltdown will then be 2.95 × 10⁻⁵ (Fig. 12.2.). This means that the emergency turbogenerator in the sequence considered represents an improvement by a factor of 80. It is on these grounds that it was decided to equip all 900 MWe units with such a system.
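The figures of Sections 12.3 and 12.4 can be recomputed from the data given there. The following Python script is an added example, not a calculation from the book: it quantifies the sequence as a chain of conditional failures, each term being the probability that the 6.6 kV loss lasts longer than the time that branch needs to reach core meltdown, times the probability that every earlier item worked, times the probability that this item fails. The ordering of the branches and the hours to meltdown attached to each (0, 1, 2, 3 and 3 hours) are my reading of Sections 12.1 and 12.2 and should be taken as assumptions; the (1 - Pi) success factors are kept rather than disregarded, which accounts for the last-digit differences from the hand calculation in the text. Branch names and function names are mine.

```python
"""Sequence quantification for the 900 MWe total-loss-of-power scenario (Chapter 12).

Added illustration; the branch order and the hours-to-meltdown per branch are
assumed from the text, the numerical inputs are those printed in Section 12.3.
"""
from __future__ import annotations

from dataclasses import dataclass

# Annual probability that the loss of both 6.6 kV switchboards lasts longer than t hours.
P_LOSS_EXCEEDING = {0: 5.63e-5, 1: 3.78e-5, 2: 2.93e-5, 3: 2.40e-5, 10: 8.32e-6, 100: 6.04e-7}


@dataclass(frozen=True)
class Branch:
    """One item of the sequence, in the order in which its failure is questioned."""
    name: str
    p_fail: float       # conditional probability that this item fails in its window
    melt_after_h: int   # hours of unrecovered power loss before core melt on this path (assumed)


def demand_plus_run(p_start: float, rate_per_h: float, hours: float = 1.0) -> float:
    """Failure on demand, or failure while running for `hours` (rate x time, small-rate approximation)."""
    return p_start + rate_per_h * hours


def tlop_branches(p_lls_fail: float = demand_plus_run(1.3e-3, 2.2e-4)) -> list[Branch]:
    """The five contributions listed in Section 12.4, with the Section 12.3 reliability data."""
    return [
        Branch("emergency shutdown (more than two rods fail to drop)", 1.3e-5, 0),
        Branch("ASG turbine-driven pump, hour 0-1", demand_plus_run(4.0e-3, 5.9e-4), 1),
        Branch("LLS emergency turbogenerator", p_lls_fail, 2),
        Branch("test pump (seal injection)", demand_plus_run(5.2e-3, 2.0e-4), 3),
        Branch("ASG turbine-driven pump, hour 1-2", 5.9e-4, 3),
    ]


def core_melt_probability(branches: list[Branch]) -> tuple[float, dict[str, float]]:
    """Annual core-melt probability and the contribution of each branch.

    Each term = P(loss lasts beyond this branch's melt time)
                x P(all earlier items succeeded)
                x P(this item fails).
    """
    total = 0.0
    contributions: dict[str, float] = {}
    earlier_ok = 1.0
    for b in branches:
        term = P_LOSS_EXCEEDING[b.melt_after_h] * earlier_ok * b.p_fail
        contributions[b.name] = term
        total += term
        earlier_ok *= 1.0 - b.p_fail   # the (1 - Pi) factors the text says may be dropped by hand
    return total, contributions


def lls_benefit_factor() -> float:
    """Ratio of the core-melt probability without the LLS (P_LLS = 1) to that with it."""
    with_lls, _ = core_melt_probability(tlop_branches())
    without_lls, _ = core_melt_probability(tlop_branches(p_lls_fail=1.0))
    return without_lls / with_lls


if __name__ == "__main__":
    total, parts = core_melt_probability(tlop_branches())
    for name, value in parts.items():
        print(f"{name:58s} {value:.2e}")
    print(f"{'annual core-melt probability':58s} {total:.2e}")
    print(f"benefit of the LLS turbogenerator: factor {lls_benefit_factor():.0f}")
```

Setting the LLS failure probability to 1 reproduces the "without emergency turbogenerator" case of Fig. 12.2: the third term grows to the full probability of a loss lasting beyond two hours, and the (1 - P_LLS) factor drives the test pump and hour 1-2 ASG terms to zero, which is why those factors are kept in the code.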
12.5. Revision of scenarios and their probabilities

In the framework of the probabilistic safety assessments, the first results of which were published in 1990 and which will be presented in Chapter 19, the total power loss studies were reassessed. The new elements which occurred in the meantime were as follows:
• more exhaustive research into failure initiators
• handling of reactor shutdown states and technical operating specifications
• use of failure rates observed on equipment
• better insight into the physical phenomenon pertaining to the reactor coolant pump seals, more accurate assessment of the consequences of control and instrumentation system failure
• use of data processing media compatible with more complex requirements.
Three families of initiators were systematically processed. These include:
• total failure of all power sources (main power line, house load feed, auxiliary line, both diesel generators)
• simultaneous failure of both 6.6 kV switchboards (LHA and LHB)
• failure of train A (LHA) switchboard compounded by failure of train B diesel generator set.
The annual probability of total loss of power, with the unit power operating, is then 1.03 × 10⁻⁴, which is twice the previous value. Power source failure is not always instantaneous. When it occurs gradually, the plant unit may have been placed in hot shutdown. The residual power has then to be removed, but this will have considerably decreased during the few hours which have elapsed, as is shown in Table 3.2. In these circumstances, if the auxiliary feedwater system turbine-driven pump fails to operate, core meltdown will only occur after between 5 and 10 hours.
On the other hand, certain shutdown conditions, where the primary system is not water-filled, are highly sensitive, since thermal inertia is extremely low and the courses of action open are very limited. In the light of reliability data derived from French plant operating feedback up to the end of 1987, attention was drawn to the number of failures observed on the auxiliary feedwater system turbine-driven pumps and to the difficulties encountered in adapting the emergency turbogenerator sets to the 900 MWe units. The reliability values then adopted were:
• failure of the auxiliary feedwater system turbine-driven pump:
  - at startup = 1.02 × 10⁻² per demand
  - during operation = 3.2 × 10⁻³ per hour
• failure of the LLS turbogenerator:
  - at startup = 1.2 × 10⁻² per demand
  - during operation = 3.2 × 10⁻³ per hour
These values are between 2.5 and 16 times higher than the previous ones, since the LLS turbogenerator real performances were as yet not very satisfactory at that time. On the other hand, complementary studies undertaken on two phenomena which had not hitherto been fully investigated resulted in more favorable conclusions. The effect of failure of the control and instrumentation system was reassessed, taking into account existing procedures and operator training. It is no longer considered that a failure of this nature on its own could give rise to core meltdown. The corresponding sequence was eliminated. Reactor coolant pump seal behavior has been the subject of both theoretical and experimental studies. Tests revealed no leaks in excess of 5 t/h per pump. Calculations evidenced that, if there were no damage other than seal rupture, the primary system maximum leak rate would be 60 t/h. On this basis, we adopted a probability of 0.5 for a leak rate of 5 t/h, a probability of 0.2 for a leak rate of 60 t/h and a probability of 0.3 for an intermediate rate of 30 t/h. Of course, this distribution has to be handled with caution.
The time periods then available before core meltdown takes place will be 7 hours for the largest leak, 12 hours for the intermediate leak rate and 48 hours if the leak is only 5 t/h per pump. Under these conditions, the calculated annual probability of core meltdown being able to occur in a power operating unit is 3.16 × 10⁻⁷, 92% of which relates to failure of the auxiliary feedwater system turbine-driven pump. But the total annual probability of core meltdown due to total loss of power is 7.66 × 10⁻⁷, considering all reactor states.
If we consider only the sequence initiated by loss of all power sources, the benefit of the LLS system is far less significant and main efforts have to be focused on improvement of the single auxiliary feedwater system turbine-driven pump equipping the 900 MWe units. This has been done and will be further discussed in Chapter 23. The 1300 MWe units, which are equipped with two of these pumps, are obviously less sensitive to their failures. Conclusions are less clear cut if we consider the simultaneous failure of two switchboards. The probability of recovering these switchboards within two or three hours is slight, so that the impact of LLS system failure on the overall probability of core meltdown calculated for this sequence becomes more significant. This example confirms that decisions regarding supplementary provisions, which always involve lengthy implementation, have to be made rapidly, even if it has subsequently to be shown that other adjustments are also necessary. The time lapse between identification of a complex problem and its complete solution is from 5 to 10 years. The overall probabilistic safety studies will be presented after the chapters on analysis of the Three Mile Island accident and its impact on safety thinking, since otherwise certain provisions and procedures used in these studies would be difficult to understand. Both the calculations presented give calculated core meltdown annual probability values well in excess of 10⁻⁷. But these results were nevertheless considered acceptable, which only goes to show that the 10⁻⁷ value must not be considered as an acceptability criterion, in the strict meaning of the term. We shall also see that this sequence contributes relatively little to the overall result given by the probabilistic safety study for the 900 MWe units. The improvements made are consequently adequate.
13
The accident at Three Mile Island
The accident which took place on March 28, 1979, at unit 2 of the American nuclear power plant at Three Mile Island received a great deal of attention throughout the world. In the world of nuclear technology, it resulted in considerable analysis, remarkable international exchanges and an overall reexamination of approaches to nuclear safety in theory and practice. Before going on to the lessons learned from the accident, let us discuss what happened.
13.1. The accident

The Three Mile Island nuclear power plant is located on the Susquehanna River in Pennsylvania, USA, 16 km from the state capital, Harrisburg, with a population of 90 000. It has two 900 MWe units with pressurized water reactors designed by Babcock and Wilcox. The second unit of the site started commercial operation on December 30, 1978. The Babcock and Wilcox design differs from the Westinghouse design used in France in that it has different steam generators. Babcock and Wilcox steam generators are of the once-through type, as compared with the Westinghouse U-tube type. These steam generators, of which there were two at the Three Mile Island plant, are much longer, which modifies the relative layout of surrounding equipment but also makes the transition to natural convection cooling conditions more difficult on the primary side. Furthermore, they only contain a small amount of secondary cooling water, making the installation rather sensitive during certain kinds of transient (Fig. 13.1). The accident starts at 4:00 a.m. on Wednesday March 28 with an unexceptional operating incident: loss of normal water supply to the steam generators. Due to the low thermal inertia of the steam generators, the increase in temperature, hence in pressure, in the primary cooling system due to this
172
Elements of nuclear safety
transient, systematically leads to opening of the pressurizer relief valve, thus limiting the pressure spike. This is not a satisfactory design feature. The secondary transient trips the turbine and gives the command for the steam generator auxiliary feedwater pumps to start. The primary transient causes emergency shutdown, which gradually lowers pressure in the primary cooling system. After 12 seconds the relief valve receives normally the command to close.
Fig. 13.1. Main layout of Three Mile Island NSSS.
This first phase went through normally on March 28, 1979. All automatic controls worked perfectly, as they did throughout the accident. At this point two equipment failures occurred:
• the relief valve, having received the command to close, remains jammed open. The primary cooling system continues to discharge into the pressurizer relief tank, located in the containment, at a flowrate of 60 metric tons per hour (there are approximately 200 metric tons of primary coolant)
• the steam generator auxiliary feedwater system pumps start up normally after 30 seconds, but the water cannot reach the steam generators because the connecting valves between the pumps and the steam generators are closed instead of open, due to a maintenance error. The generators dry out in 2 to 3 minutes, stopping all cooling of the primary system.
Although the position indicators for these valves in the control room signal this fault, eight minutes pass before the operators identify the fault and manually give the command to open the valves. Twenty-five minutes pass before the situation of the secondary cooling system stabilizes, after numerous operations, no doubt commanding all the attention of the operating team. During this time, discharge through the pressurizer relief valve continues.

After two minutes, pressure in the primary cooling system has decreased to approximately 110 bar. The safety injection system starts up automatically and sends cold water into the primary system. The operators check the indicator of the relief valve and see "valve closed", which in fact is not true. This is the crucial point of the accident: the indicator transmits to the control room the command received by the valve, and not its actual position.

Finally, the operator concentrates on the water level in the pressurizer. In all primary system transient situations, the operator must respect a regulatory operating instruction: "Do not lose the pressurizer steam bubble".
When the water level rises to the top of the pressurizer, the operator no longer has the steam blanket needed to regulate pressure; the primary system is entirely filled with liquid-phase water and all transients result in sharp pressure variations which stress the reactor coolant pressure boundary. But the water level in the pressurizer, after lowering at first when the valve opened, then started to rise rapidly, between the first and approximately the sixth minute. This rise is perfectly normal when there is an opening in the upper part of the pressurizer, but the operators in this plant were unaware of this fact and had not been trained for this type of situation. In any case, faced with this rapid rise in the pressurizer water level, the operators, believing the relief valve to be closed, are afraid to inject too much water into the system, and therefore stop safety injection manually after less than five minutes.
The operators' mental image of the situation was false, but the actions they decided to perform were obviously based on this image. As of this moment, the water draining from the primary system is not replaced. There is a break in the primary coolant system and the safety injection system is shut down completely. The primary system continues to drain. After 6 minutes, boiling starts. The primary coolant circulating pumps continue to work, circulating a mixture of water and steam comprising more and more steam; however, they manage a certain amount of cooling thanks to the steam generators supplied by the secondary system. The rest of the energy is removed through the primary system break.

After fifteen minutes, the pressurizer relief tank rupture disk gives way. The escaping primary coolant now goes directly into the containment. The pressurizer is filled with a mixture of water and steam. Its level indication is meaningless. The proportion of steam in the primary coolant increases. The primary pumps have more and more trouble, and start to cavitate and vibrate. These vibrations become excessive. The operators stop one pump after 1 hour 13 minutes, and the other 27 minutes later, hoping that natural circulation will set up in the primary system. In fact, water and steam separate, with steam accumulating in the top and water in the bottom. There is no longer any circulation of primary fluid and therefore no heat exchange takes place between the reactor core giving off residual heat of a few tens of MW and the steam generators. The heat from the core continues to bring the cooling water to the boil. No more water is being supplied, and the level in the core drops: the core is uncovered.

Cooling of the fuel becomes less effective; cladding temperature rapidly increases to 850 °C, then past 1300 °C. At these temperatures, zirconium reacts chemically with steam to form zirconium oxide and hydrogen. This reaction produces heat, increasing temperatures yet more.
Fuel cladding melting point is reached, and there is significant release of fuel fission products to the primary coolant and from there to the containment. After 2 hours 14 minutes, a radioactivity alarm goes off in the containment. The operators are forced to realize the gravity of the situation. Realizing that they may well have transferred radioactivity through the relief valve, which had a high leak rate before the accident, they close the line isolating valve and thereby stop discharge. This also stops all heat removal. The core continues to heat, and primary system pressure increases. The operators start up one of the primary pumps, which sends water cooled in the steam generator onto the extremely hot fuel, which disperses those parts of the fuel above the water level within the reactor vessel.
After 3 hours 12 minutes, vaporization of water on the fuel has caused primary system pressure to rise to a dangerous point. The operators re-open the relief line isolating valve, drainage starts up again, letting out coolant which is even more radioactive. More radioactivity alarms go off, some of which are outside the reactor building. The water which is spilling into the containment is taken up by automatic sump pumps, which send the contaminated water to storage tanks located in an auxiliary building which is not hermetic. These tanks then overflow and create a source of radioactive steam which can escape outside the plant (Fig. 13.2.).
Fig. 13.2. Radioactive material release paths.
A state of emergency is finally declared. The containment is isolated, stopping transfer from the sump to the auxiliary building. It is now three hours and twenty minutes since the accident began. The operators start the safety injection system again at a low flowrate, causing a new shock between the cold water and the hot fuel, then at nominal flowrate. The core cools, four hours after the first event. It will take another twelve hours to discharge from the primary cooling system most of the hydrogen and incondensable fission gases which prevent it from being filled. This is done by alternately opening and closing the pressurizer relief line and starting up safety injection and primary pumps. A localized explosion of about 320 kg of hydrogen in the containment, after 9 hours 50 minutes, induces a 2 bar pressure spike in the reactor building, without causing any particular damage.
It is 8:00 p.m. on Wednesday, March 28, 1979. The accident itself is over. However, it will take several days more to calm fears of a possible hydrogen explosion in the reactor vessel.
Fig. 13.3. Core final status.
The damage to the fuel elements far exceeds that provided for in the worst possible design basis accident, which is the loss of primary coolant through a large double-ended guillotine break. Six years later, in 1985, when it was possible to pass a television camera between the lower internal core structures and the vessel, it was found that 45% of the fuel had melted, along with elements of the cladding and the structures totalling 62 metric tons and forming what is called corium. About 20 metric tons of this corium, formed from the upper part of the fuel, had forced its way through an outer ring fuel assembly and the reactor core external baffles to reach the vessel bottom head itself, but fortunately did not melt through it.
In spite of this catastrophic fuel situation and the significant transfer of radioactivity to the containment, the immediate radiological consequences in the surrounding area were minimal. Indeed, the containment fulfilled its role almost perfectly. Only the sump transfer pumps were responsible for radioactive release, for a limited period. This release, estimated at 13 million curies of xenon and about 10 curies of iodine (i.e. 5 × 10^5 TBq and 0.4 TBq), had only very limited consequences. It is estimated that an individual downwind at the edge of the site throughout the accident would have received a dose of less than 1 mSv, equivalent to the annual dose from natural radiation. The operating personnel received a slightly higher, but still quite limited, dose during the accident, and had to wear masks for a few hours. Three technicians received doses between 30 and 40 mSv during primary coolant sample-taking operations. The collective dose received by the plant workers from the onset of the accident to the end of fuel removal in 1989 is estimated at 60 man-Sv. There were no injuries or deaths.
13.2. Causes of the accident

The data needed to analyze the causes and consequences of this accident were widely circulated. All interested parties were able to make their own evaluation, in the United States and elsewhere. Many meetings and document exchanges demonstrated that assessments agreed in every detail. Despite this, the extent of the reactor core damage was collectively underestimated for 6 years. One's first reaction is to emphasize the error in judgement of the operators, who failed to understand the nature of the accident and therefore took a certain number of actions which were, at the very least, ill-adapted. This gets us nowhere. The important question is why the operators did not understand, and the answers are rich in information.
13.2.1. Identification of valve position

The operators looked quickly at the relief valve position indicator and saw "valve closed". However, this was an indication of the command given and not of the actual position. Indeed, it is easier to create a signal from an electrical closure command than to equip a valve to which access is difficult with position sensors, which are hard to adjust and maintain. Nothing drew attention to this essential fact.
Other ways of knowing the real position of the relief valve were available to the operators: a temperature indicator on the relief line downstream of the valve, and the water level in the pressurizer relief tank. The operators noted the temperature indications on the relief line. They were abnormally high, but they did not take them into account because they knew that the valve had been leaking at a rather high rate for some time, and because of this the line was always hot. The initial deteriorated condition of the installation therefore deprived them of a means of verification. The water level in the pressurizer relief tank was not indicated in the control room, but in an intermediate room. This level was apparently never checked, as its systematic verification was not required by any operating procedure.
13.2.2. Understanding the behavior of the pressurizer

We saw that the operators were disturbed by the fact that the water-steam interface rose and stayed at a very high level in the pressurizer, whereas the primary pressure was decreasing. It should be pointed out that primary pressure and pressurizer level decrease simultaneously in all cases of primary break except one. This is because the steam bubble in the top of the pressurizer drives the water back towards the break. The exceptional case is that where the leak is located at or above the steam bubble level. When this happens, the discharge of steam through the opening causes at least an apparent rise in the pressurizer water level, while primary pressure decreases. This is what happened at Three Mile Island. However, the operators had not been instructed about this special case. Accident situation operating procedures did not foresee it. The operating team was therefore unable to rely on a document giving a methodical way to identify the situation. It found itself alone in an unknown situation.

Nevertheless, as was later discussed, it was not exceptional in this kind of reactor for this oft-used relief valve to jam in the open position. Furthermore, the same scenario had occurred 18 months earlier in an identical reactor, at Davis-Besse. The operators only identified the blocked valve situation after 20 minutes. Because the residual power of the fuel was low, the transient had no effect. Assuming that "no consequences = no importance", no one, neither operators nor analysts, had discussed the incident. No training or procedure had resulted from it. This was a precursor to a serious accident, but was not recognized as such.
13.2.3. Shutdown of safety injection

Observing that the pressurizer water level was rising, the operators shut down the safety injection. This was not an exceptional action to take. Automatic startup of this system in conditions where it is unnecessary or even a hindrance is not rare in water reactors in general, and particularly not in this type. But the decision to shut down safety injection should only be made after methodical checks have been carried out, defined in specific procedures based on systematic studies. These documents did not exist. The operators also shut off the safety injection accumulator tanks, which should normally have discharged on their own when the primary system pressure dropped below 45 bar. This is another proof of their complete lack of understanding of the phenomena they were witnessing.
13.2.4. Man-machine interface

We have already given some idea of the quality of the information available in the control room. In fact, the problem was much more widespread. Core temperature indicators whose range was not wide enough went to their upper limit and stayed there; the operators thought they were broken. The plant operating computer, saturated with data, locked up and was inoperable for 2 hours. Finally, the control room itself was described as looking like a Christmas tree or a fairground. Very many alarms were lit or flashing. The various prealarm, alarm and alert sound signals were operating. At first, the reactor was operating at nominal power. Its emergency shutdown, plus the difficulties of the secondary system, caused status changes in many systems and parameters, all of which set off an alarm. There was no prioritization enabling the initial alarm-provoking conditions to be distinguished from their normal consequences. This situation was of no help to the operators.
13.2.5. Isolation of the containment

In the design of the Three Mile Island installation, safety injection did not cause automatic isolation of the containment, that is, closing of valves on all piping systems going in or out of the containment which are not indispensable for proper operation of safety sequences. Isolation of the containment is intended to stop all exchange between the inside and the outside, to limit any radioactive release. The sump pump was thus able to transfer water increasingly loaded with radioactive products into the nuclear auxiliary building for several hours. The isolation command was given manually, rather too late, only when this transfer had triggered radiation alarms in the building. This indicates a design error.
13.2.6. Confinement of radioactivity in the nuclear auxiliary building

Water from the sumps entered the nuclear auxiliary building, and because the pipes and storage tanks used were not all hermetic, hot contaminated water spilled into the building and vaporized, releasing the iodine and xenon which it contained. This steam and gas was taken up by the building general ventilation system, through iodine filters of questionable efficiency, and released. If the systems had been hermetic and the iodine filters better monitored, this release would not have happened. Once more, the installation was not in satisfactory condition.
13.2.7. Steam generator auxiliary feedwater system

It is important to remember the other example of unsatisfactory installation condition, the incorrect positioning of two essential valves of this system. In this case, it was the quality of maintenance operations which was unsatisfactory.
13.3. Lessons learned from the accident

The shock of this accident was considerable, and many lessons were learned. We shall mention many and look at some in detail, after discussing the three most important:
• accidents more severe than that considered as the maximum credible accident, the loss of primary coolant through a double-ended guillotine break, are possible. They can occur through multiple minor faults and human error. However, this does not call overall installation design into question
• the concept of defense in depth, which demands studies of serious accidents, requires that tough containment structures be provided. This containment easily protected the surrounding population and even plant personnel at Three Mile Island
• man is an essential element of safety.
These ideas underlie the themes which we shall develop in the next chapters:
• how can core meltdown be avoided in an unknown scenario?
• how can preparations be made to handle a crisis situation? This question concerns both plant operators and public authorities.
• how can the containment, the last barrier, be protected?
• how can severe accident precursors be identified in time and the necessary corrective measures taken?
Acknowledgement of the human element has given rise to technical decisions supplementing organizational provisions regarding responsibility sharing and due recognition of the contributions of each and all concerned.
Operating conditions must be improved. This should be done by very thorough training and systematic refresher training of operators, with much use of simulators. The standardization of the French nuclear power program makes it possible to have simulators which are directly representative of the different plants. This training must cover normal operating conditions as well as incidents and accidents. In this way operators are trained under realistic conditions.

It was decided that a "nuclear safety and radiation protection engineer" would be continuously present on each site. He does not intervene directly under normal operating or conventional accident conditions; by monitoring from the safety panel, about which more will be said later, he ensures "functional redundancy" in disturbed situations. The operating team changes introduced in 1993 keep roughly the same distribution of functions as regards safety. The safety engineer, on the other hand, is no longer responsible for radiation protection.

The inadequacy of the available procedures was flagrant during the Three Mile Island accident. In most countries, and especially in France, operating instructions and procedures were re-examined and rewritten. This was a revision of both form and content. The procedures were thoroughly tested on simulators.
The control room must be improved. The observations made at the Three Mile Island plant have an essential role in the design of future control rooms, but the most important points have also been corrected on operating plants or those under construction. Information presentation was improved, including in particular the elimination of command indications in favour of state indications. Certain measurement or indication ranges were widened. New indicators were added, such as the primary coolant boiling monitor (showing the difference between the actual temperature of the primary coolant and the boiling point at primary system pressure). Alarms have been prioritized. The most essential information is now shown on the safety panel.

Other lessons learned from this accident have given rise to detailed studies and site implementation, especially in the following two areas:
- design, while not itself called into question, may be improved in certain areas:
  - the confinement role of auxiliary buildings and associated equipment
  - the management and control of large quantities of highly contaminated water and gas after an accident
  - the quality and reliability of valves and fittings. Remember that, while safety valves are always designed to open, the nuclear field is about the only one that requires them to close again
  - the qualification of equipment for the accident conditions we have already discussed
- safety evaluation must not involve only conventional operating condition studies. Analysis methods must be developed taking into account, for example, multiple failures and human errors. As we have seen, this approach was initiated in France several years ago, with the definition of complementary operating conditions. But the Three Mile Island accident made it possible to settle the debate on backfitting on 900 MWe series plants for which authorization had already been obtained and certain of which were already operating.
14
The state-oriented approach
Among the lessons learned from the Three Mile Island accident, we have drawn attention to the efforts devoted to the rewriting and general improvement of incident and accident procedures. This involved a considerable amount of work but afforded significant safety benefits. However, not all problems have been solved, and some of them relate to the very principles of the current procedures.
14.1. Limits of the event-related approach

The incident (I) and accident (A) operating procedures are based on a single identified initiator. The initiator of the complementary procedures (H) is an accumulation of simultaneous identified failures, because it involves, each time, all the elements of a redundant system, and only them. The goal assigned to these procedures is to limit, and if possible prevent, damage to the fuel, which is the main source of disseminable radioactive products, and to restore lasting, stable conditions.

It is interesting to compare the Three Mile Island accident with the initiators adopted for the I, A and H procedures, i.e. the accumulation of a third-category accident (the pressurizer relief valve remaining open), total but temporary loss of steam generator feedwater, and complete loss of safety injection due to operator misunderstanding. It is clear that reality can be extremely complex. Therefore, event-related procedures can never cover all possible combinations of events corresponding to cumulative equipment and/or human faults, simultaneous or staggered in time, such as, for example, a mistaken original diagnosis, poor application of a procedure, the addition of several accidents, the total loss of a safeguard system, etc. Furthermore, the temptation to increase the number of event sequences studied in advance would lead to an increase in the number of operating procedures, making diagnosis, and therefore choice of the correct procedure, practically impossible. The event-oriented approach finally leads to another difficulty: the impossibility of revising the diagnosis if events develop otherwise than foreseen in the initial diagnosis.

To get out of this deadlock, Electricite de France and Framatome have suggested approaching the selection of corrective measures in any incident or accident situation in another way, using the state-oriented approach. Whereas accident sequences can be multiplied infinitely, the possible system cooling and containment states can be counted, from the various normal operating conditions to the most severely degraded situations. If, for each abnormal state, it is possible to determine the operator actions needed to bring the installation to a more satisfactory situation, the operating team would be able to carry out these actions without necessarily identifying the sequence of previous events.
14.2. Development of the state-oriented approach

The first step consists in showing that there is a direct relationship between observable states and the actions required of the operator to improve the situation. This implies:
• identifying all possible cooling states of the nuclear steam supply system, their stability ranges and their transitions, as completely as possible
• characterizing these states by measurable physical parameters
• identifying the best corrective and/or reparative operator actions for each state
• making a summary of the preceding points wherein only subgroups of states requiring different actions are separated
• identifying the physical measurements and data processing in the control room which are necessary to make state diagnoses and follow up the effectiveness of actions taken.

The operation of the nuclear steam supply system is therefore analyzed from basic evaluations of the mass, energy and momentum of each of its major elements. We can then determine:
• the energy routing: production in the fuel, removal by primary coolant transport, transfer out of the primary system
• the accumulation or restitution of energy in the primary and secondary systems
• the variation of the primary and secondary water mass balance.
Different configurations, covering all possibilities, are selected for each of these characteristics, and identified by measurable parameters (pressure, level, temperature and temperature variation, void fraction, radioactivity of steam generators on the secondary side, etc.). The possible combinations of these configurations are grouped and show that:
• the mass of primary coolant and the removal of heat from the primary system define the behavior of the nuclear steam supply system, in particular the circulation of primary coolant and the removal of heat from the fuel
• removal of heat from the primary system depends on the state of the secondary system and on the presence of incondensable gas in the system, identified by the difference in temperature between primary water and secondary water, known as "primary-secondary pinching"
• the state of the secondary system itself depends on the state of each of the steam generators, indicated by the secondary coolant mass, the steam pressure and the level of radioactivity of the secondary coolant.

Each overall state thus defined requires specific safety actions on the various systems, depending on their availability (safety injection, charging and letdown system, pressurizer relief and containment spraying, emergency water supply to the steam generators, discharge of steam in the secondary system, isolation of secondary water and steam lines, etc.). These actions should be judiciously selected so as to stabilize, and if possible improve, the overall situation with a view to gradually obtaining less and less deteriorated conditions. To take into account the state of available instrumentation (no primary system void fraction measurement, no reactor vessel water level indicators in 900 MWe units), certain states were grouped without calling into question the general approach.
14.3. First application of the state-oriented approach

The first application of the state-oriented approach is the definition of emergency procedure U1. Procedure U1 is intended to ensure the best possible conditions for nuclear steam supply system cooling and core safeguard, in situations where the I, A or H procedures relative to well-identified accident sequences prove ill-adapted or ineffective. The goal of the U1 procedure is to prevent, limit or delay core damage and its radiological consequences, according to the gravity of the situation and the extent of the remaining facilities.
Depending on core outlet temperatures and on system and equipment availability, this procedure makes it possible to determine the best actions for use of:
• steam generators
• safety injection
• pressurizer relief valves
• primary pumps
to stop, diminish or delay dangerous developments, thereby allowing time to re-establish operability of failed systems.

The decision to abandon an event-oriented procedure being used is made, after emergency shutdown, in the following cases (described in simplified terms):
• the core outlet temperature is greater than 350 °C
• the margin to primary coolant boiling point is less than 10 °C and the safety injection system is inoperable
• all steam generators are inoperable
• the pressure-temperature relationship of the primary coolant is developing unfavorably
• the containment spray system is inoperable and pressure, temperature or radioactivity in the containment is abnormal.

Rather than introducing these criteria into each event-oriented procedure, it seemed more advantageous to proceed as follows:
• according to an independent, redundant logic system external to existing procedures, which remain unchanged and may develop independently later if needed
• calling on the safety engineer, who constitutes human redundancy to the operator
• based on the analysis of nuclear steam supply system cooling states, along with analysis of the operability of the safety systems used
• using available instrumentation.

A special Continuous After-Incident Monitoring (SPI) procedure has therefore been established (Fig. 14.1). It is applied cyclically by the Safety Engineer as soon as emergency shutdown is tripped or the margin to primary coolant boiling point is less than 20 °C, and until a normal situation is re-established.
This surveillance concerns the following parameters:
• the operability of each steam generator, that is, its capacity to remove residual power without the discharged steam being contaminated
• the mass of primary cooling water and the core outlet temperature
• the capacity of the secondary cooling system to cool and depressurize the primary system
• the effective startup of the safeguard systems requested (the steam generator auxiliary feedwater supply, the high or medium head safety injection, the low head safety injection, the containment spraying, etc.)
• the pressure, temperature and radioactivity within the containment
• the criticality of the core (nuclear flux, position of control rods, boron concentration, etc.).
[Fig. 14.1 flowchart, not reproduced. Its decision nodes read: check of safety injection, steam generators and primary coolant pumps; primary mass inventory (core outlet T 350 °C, margin 10 °C); heat discharge (at least 1 SG operative, safety injection operative); primary coolant P/T development compatible; containment building (normal containment pressure, temperature and radioactivity, check of containment spray system, spraying available). The yes/no branches lead either back to monitoring or to the state-oriented ultimate procedure U1 and a recognized ultimate emergency situation.]
Fig. 14.1. Continuous after-incident monitoring procedure.
It enables the Safety Engineer, if need be, to request that the operators abandon the procedure under way and apply the U1 procedure. The Safety Engineer then resumes his outside surveillance using the SPU procedure, which is a new cyclic procedure for monitoring NSSS developments in a recognized ultimate emergency situation.
188
Elements of nuclear safety
The SPI procedure usually makes it possible to confirm, with a slight delay, the major actions already requested by the procedure applied by the operators. In certain cumulative failure cases, it makes it possible to ask operators to take complementary limited actions such as isolating the steam generator, without abandoning the procedure under way. The SPI-U1-SPU provisions therefore constitute a very powerful addition to the I, A and H procedures. It is a further core meltdown prevention procedure, reinforcing the complementary procedures as an element of the fourth level of defense in depth.
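The abandonment criteria and their cyclic application described above, written out as an independent rule check that re-evaluates every reading. This is an added illustration, not EDF's SPI procedure or any plant software: the PlantState record, its field names and the constructed sample history are assumptions made for the example, and the sub-saturation margin ΔTsat is taken as an input reading.

```python
"""SPI abandonment criteria encoded as an independent, cyclic rule check.

Added example, not EDF's procedure: it encodes the simplified criteria
listed in the text so that a monitoring loop separate from the
event-oriented procedure re-evaluates them on every cycle.  The PlantState
record, its field names and the sample history are constructed for this
illustration.
"""
from dataclasses import dataclass
from typing import List, Sequence, Tuple

SPI_ENTRY_MARGIN_C = 20.0     # SPI also starts when ΔTsat drops below this (text)
CORE_OUTLET_LIMIT_C = 350.0   # core outlet temperature criterion (text)
MARGIN_WITHOUT_SI_C = 10.0    # ΔTsat criterion when safety injection is lost (text)


@dataclass(frozen=True)
class PlantState:
    """One cycle's readings of the parameters the Safety Engineer monitors."""
    emergency_shutdown: bool           # reactor trip has occurred
    core_outlet_temp_c: float
    subcooling_margin_c: float         # ΔTsat = Tsat(primary pressure) - max measured primary T
    safety_injection_operable: bool
    operable_steam_generators: int     # SGs able to remove residual power with clean steam
    primary_pt_trend_ok: bool          # primary P/T relationship developing favorably
    containment_spray_operable: bool
    containment_abnormal: bool         # containment pressure, temperature or activity abnormal


def spi_active(state: PlantState) -> bool:
    """SPI is applied from emergency shutdown, or as soon as ΔTsat < 20 °C."""
    return state.emergency_shutdown or state.subcooling_margin_c < SPI_ENTRY_MARGIN_C


def u1_criteria(state: PlantState) -> List[str]:
    """Criteria (simplified, as in the text) that call for abandoning the
    event-oriented procedure for U1.  They only apply after emergency shutdown."""
    if not state.emergency_shutdown:
        return []
    hits: List[str] = []
    if state.core_outlet_temp_c > CORE_OUTLET_LIMIT_C:
        hits.append("core outlet temperature > 350 °C")
    if (state.subcooling_margin_c < MARGIN_WITHOUT_SI_C
            and not state.safety_injection_operable):
        hits.append("ΔTsat < 10 °C with safety injection inoperable")
    if state.operable_steam_generators == 0:
        hits.append("all steam generators inoperable")
    if not state.primary_pt_trend_ok:
        hits.append("primary P/T relationship developing unfavorably")
    if not state.containment_spray_operable and state.containment_abnormal:
        hits.append("containment spray inoperable with abnormal containment conditions")
    return hits


def monitor(history: Sequence[PlantState]) -> Tuple[int, List[str]]:
    """Apply SPI cycle by cycle.  Returns (cycle index, criteria met) for the first
    cycle at which U1 must be requested, or (-1, []) if the event-oriented
    procedure can be kept throughout."""
    for cycle, state in enumerate(history):
        if not spi_active(state):
            continue
        hits = u1_criteria(state)
        if hits:
            return cycle, hits
    return -1, []


def sample_history() -> List[PlantState]:
    """Constructed sequence: trip, then loss of safety injection while ΔTsat erodes."""
    nominal = PlantState(False, 320.0, 40.0, True, 3, True, True, False)
    tripped = PlantState(True, 300.0, 25.0, True, 3, True, True, False)
    degraded = PlantState(True, 310.0, 8.0, False, 3, True, True, False)
    return [nominal, tripped, degraded]


if __name__ == "__main__":
    cycle, why = monitor(sample_history())
    print(f"U1 requested at cycle {cycle}: {why}")
```

The point of keeping the criteria in their own function, evaluated from raw readings, is the redundancy the text asks for: the check does not depend on which event-oriented procedure the operators are following, so an error in that procedure's diagnosis cannot silence it.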
14.4. Generalization of the state-oriented approach
Studies on the state-oriented approach, and its precise and measured implementation during frequent incidents, culminated in 1990 in a new set of procedures of this type for the startup of the first Penly and Golfech nuclear units. They cover all thermal-hydraulic accidents where the reactor is connected to the residual heat removal system. These rules are devised to encompass progressively all primary system incident and accident situations, from emergency shutdown to the most degraded situations, together with secondary system operating conditions, containment monitoring and the availability of certain systems. The intellectual and qualitative gap between the incident procedures and procedure U1 is thereby eliminated. Similarly, continuity is now assured between third level defense in depth procedures and the fourth level core meltdown prevention procedures, enhancing their efficiency. Full coverage is further afforded by additional event-oriented rules. Responsibility-sharing between the operating team and the Safety Engineer is similar to that defined by the conventional operating documents previously adopted. Comprehensive application of the state-oriented approach was decided for the new N4 standardized reactor series. It is being gradually extended to the 1300 MWe units, where all reactor vessels are equipped for water level metering. This notably implied retraining operators, in the light of feedback from the first units where a comprehensive state-oriented approach had been introduced. Finally, this approach will only be applied to the 900 MWe units towards 1997 or 1998, once the reactor vessel water level meters, which are indispensable for these new procedures, have been installed.
14.5. Safety panels
We have seen that the control rooms of all operating nuclear units have been modified for increased clarity and precision of information. Presentation of controls and actuators has also been improved to avoid confusion. Amendments of this type have of course been applied even more widely to standardized series units at the design or construction stages. In addition, control rooms have been equipped with a system recapitulating essential data under accident conditions and providing a number of operating aids. This system is the safety panel, specific to each plant unit. The safety panel comprises three parts:
• the "state indicator lights" show the state of safety or safeguard action requests: emergency shutdown, safety injection, containment spraying, containment isolation, etc.
• the "core cooling monitor" determines the sub-saturation margin from the primary system pressure and a number of temperature measurements made in the reactor vessel. This margin is the difference between the boiling temperature of the primary coolant at the measured pressure and the maximum primary coolant temperature measured. The sub-saturation margin, often designated ΔTsat, and the maximum measured temperature of the primary coolant are displayed on the panel
• multiple-function data processing equipment acquires, processes and presents data for diagnosis and operating aid purposes.
It thus provides for:
• chronological identification of faults which gave rise to safety or safeguard actions, and the corresponding action reports
• presentation on mimic screens of the position of safety devices and any deviation from reference states
• aid to identification of the causes of a safety injection
• operation aid for safety injection
• computer-generated graphics summarizing plant parameter changes within their authorized range versus time, with a thirty-minute storage capacity
• application aid for the U1 state-oriented procedure and for the surveillance procedures applicable after an incident (SPI) and during implementation of the U1 procedure (SPU).
Two display screens and a dialog console are available to the operators at the control console. A screen and console, located within the control room but outside the operations area, enable the Safety Engineer to follow development of the state of the installation without interfering with the normal operating team. A third set of equipment is located in the crisis equipment room where
engineers would gather during a serious accident. This would help them to assess the situation without having to disturb the operators with too many questions. This is just one of the organizational elements in the event of a severe accident which we shall discuss in Chapter 17. All this should add up to an effective answer to many of the problems faced by the operators at the Three Mile Island plant and by the managers and specialists called in after a few hours. This, in any case, is what the numerous tests on simulators, with teams acting under operating conditions, would tend to indicate.
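The core cooling monitor's ΔTsat computation, as an added example rather than the safety panel's own software. The saturation curve is approximated here by linear interpolation between rounded steam-table points (an assumption of this example; a real monitor uses full steam tables), the 20 °C and 10 °C thresholds are the SPI entry and U1 margins quoted earlier in this chapter, and the pressure and temperature readings are constructed.

```python
"""Sub-saturation margin (ΔTsat) as computed by the core cooling monitor.

Added example, not the safety panel's own software.  ΔTsat is the
difference between the saturation temperature at the measured primary
pressure and the highest primary coolant temperature measured.  The
saturation curve is approximated by linear interpolation between rounded
steam-table points (assumption of this example).
"""
from bisect import bisect_left
from typing import Sequence

# (pressure in bar absolute, saturation temperature in °C), rounded steam-table values
SATURATION_POINTS = [
    (1.0, 99.6), (10.0, 179.9), (20.0, 212.4), (40.0, 250.4),
    (70.0, 285.8), (100.0, 311.0), (155.0, 344.8), (180.0, 357.0), (220.0, 373.7),
]
_PRESSURES = [p for p, _ in SATURATION_POINTS]

SPI_ENTRY_MARGIN_C = 20.0   # below this the Safety Engineer applies SPI (text)
U1_MARGIN_C = 10.0          # below this, with safety injection lost, U1 is requested (text)


def saturation_temperature_c(pressure_bar: float) -> float:
    """Tsat(P) by linear interpolation; pressures outside the table are rejected
    rather than extrapolated, so a bad sensor value cannot yield a plausible margin."""
    if not _PRESSURES[0] <= pressure_bar <= _PRESSURES[-1]:
        raise ValueError(f"pressure {pressure_bar} bar outside tabulated range")
    i = bisect_left(_PRESSURES, pressure_bar)
    p_hi, t_hi = SATURATION_POINTS[i]
    if p_hi == pressure_bar:
        return t_hi
    p_lo, t_lo = SATURATION_POINTS[i - 1]
    return t_lo + (t_hi - t_lo) * (pressure_bar - p_lo) / (p_hi - p_lo)


def subcooling_margin_c(pressure_bar: float, vessel_temps_c: Sequence[float]) -> float:
    """ΔTsat = Tsat(P) - max(T): zero or negative means the hottest water is boiling."""
    if not vessel_temps_c:
        raise ValueError("at least one temperature measurement is required")
    return saturation_temperature_c(pressure_bar) - max(vessel_temps_c)


def panel_status(pressure_bar: float, vessel_temps_c: Sequence[float]) -> str:
    """Margin band the panel would flag: 'normal', 'SPI' (below 20 °C) or
    'margin < 10 °C' (the U1 criterion if safety injection is also lost)."""
    margin = subcooling_margin_c(pressure_bar, vessel_temps_c)
    if margin < U1_MARGIN_C:
        return "margin < 10 °C"
    if margin < SPI_ENTRY_MARGIN_C:
        return "SPI"
    return "normal"


if __name__ == "__main__":
    # Constructed readings: near-nominal operation, then a depressurizing transient.
    for p, temps in ((155.0, [318.0, 325.0, 320.0]), (70.0, [281.0, 280.0, 275.0])):
        margin = subcooling_margin_c(p, temps)
        print(f"{p:6.1f} bar  Tmax {max(temps):5.1f} °C  ΔTsat {margin:5.1f} °C  -> {panel_status(p, temps)}")
```

Using the maximum of the vessel temperatures, not their average, is what makes the margin conservative: the first point to boil is the hottest one.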
15
Preparation for the management of severe accidents
Environmental release due to the Three Mile Island accident was very slight owing to the satisfactory behavior of the reactor containment. However, both those directly responsible for the plant and the local and federal authorities were unsure for several days how the situation was going to develop and were considering evacuating populations. Finally, it was decided to evacuate only pregnant women, which in fact proved to have been unnecessary. This event made it evident that means had to be provided for the systematic management of such situations should they recur despite improved preventive measures. This implied two prerequisites. First, justify increased reliance on reactor containment behavior, even under conditions well outside the design basis spectrum. Secondly, provide tools forecasting the possible ways in which the situation could develop, indicating the corresponding release compositions and the paths to the environment under the specific conditions of the accident considered. All authorities concerned would then be able to make timely and well adapted decisions for the protection of populations and the environment. These aspects will be investigated in this and the next two chapters. Before assessing containment behavior, we have to consider the successive physical phenomena liable to occur in a pressurized water power reactor during what is known as a "severe accident", i.e. an accident the potential consequences of which exceed those of design basis accidents. Before such conditions could be reached, the fuel would presumably have had to be significantly degraded by more or less complete core meltdown.
15.1. Core and vessel degradation Chapter 6, which dealt with loss of coolant accidents, describes an accident scenario liable to cause a degree of fuel clad degradation. This accident sequence involves implementation of at least one safety injection and containment spraying channel, in conformity with the design basis postulates.
We now have to consider the sequence of phenomena which would occur under different conditions corresponding to the total failure to respond of these two safeguard systems and of other core meltdown prevention procedures.
15.1.1. Core dewatering There are two categories of primary system drainage situations: • primary system breaks, causing core dewatering at a relatively low pressure, a few tens of bars at most • failure of secondary system cooling procedures, resulting in water and steam dumping through the pressurizer relief valves, inducing core dewatering at high pressure, in the vicinity of the normal operating pressure. Depending on the initial condition, the size of the break, the accident sequence, the safeguard system failure level, dewatering may take from less than a minute to several hours or even days. For example, a 5 cm diameter hole on a main primary system pipe would result in fuel uncovering in 30 minutes if no safety injection were available.
15.1.2. Fuel degradation
As the water level recedes, the temperature of the uncovered part of the core rises due to the residual power. The zircaloy clads, which are at a temperature of 350 °C or less under normal operating conditions, start deforming at between 700 and 900 °C. If the pressure in the vessel is low, they swell and burst. If this pressure is high, they collapse onto the fuel pellets, facilitating the formation of a UO2-Zr eutectic which melts at around 1200 to 1400 °C. In both cases, the volatile fission products which have accumulated in the clad-pellet gap are released into the primary system. The zirconium in the clads oxidizes on contact with the steam. The kinetics of this reaction increase rapidly with temperature, doubling every 50 °C. It must be borne in mind that:
• the reaction is exothermic, locally producing power exceeding the residual power, which makes the phenomenon self-accelerating
• the reaction releases hydrogen* to the primary system and then to the containment. This will considerably reduce the cooling capacity of the steam generators and generate a risk of hydrogen combustion within the containment
• the clads are embrittled, which accelerates their destruction in the event of a thermal shock.
When the fuel pellet temperature increases, the fission product release kinetics increase, as shown in Figure 5.1. At between about 1300 and 1500 °C, the control rod constituents, silver, indium and cadmium, melt and vaporize. At around 1800 °C, the oxidized part of the clads melts and begins to flow. It is not until a temperature of 2700 to 2800 °C is reached that, unless a eutectic is formed with the zirconium, the uranium oxide itself melts, inducing loss of core geometry by local, then general, collapse. This gives rise to the formation of the first corium, a molten mass of fuel and structural materials held molten by the residual heat of the fission products. Practically all of the most volatile fission products have by this point escaped from the fuel.
* The oxidation of 1 kilogram of zircaloy produces about half a cubic meter of hydrogen at normal pressure and temperature. Considering the quantities of zirconium present in each type of installation, this corresponds to the production of about 1 kilogram of hydrogen per MWe.
15.1.3. Vessel degradation
The collapse of the core components induces the sudden vaporization of any water remaining at the bottom of the vessel, followed more or less closely, depending on the primary system pressure, by perforation of the vessel bottom head. This can take from a few tens of minutes to several hours. If the primary system is pressurized, the corium may be dispersed on leaving the vessel. This could facilitate a further sudden interaction with any water at the bottom of the vessel. However, in all cases, it is postulated for accident management studies that all the corium collects in the bottom of the vessel.
15.1.4. Basemat erosion
The basemat concrete then decomposes under the thermal effects of the residual power released in the corium, increased in the initial phase by the heat of oxidation of metals such as the vessel steel or the remaining zirconium.
The free water, bound water and carbon dioxide contained in the concrete are released and penetrate the corium, where they contribute to the oxidation of any remaining metal and to the production of hydrogen and carbon monoxide, both of which are combustible. The calcium and silicon oxides are gradually incorporated into the corium. Once the oxidation reaction is over, the corium cools gradually. The temperature of the oxide phase, which contains the main non-volatile radioactive products, stabilizes for a long period at between 1300 and 1500 °C, when near-equilibrium is reached between the residual power and the heat losses at the corium surface and at the corium-concrete interface. If a denser metal phase remains, it contains few radioactive products; it cools faster and solidifies within a few hours, thereby slowing down the progression of the corium. The fast basemat erosion phase would thus last about an hour and would correspond to concrete degradation to a depth of about 1 meter (Table 15.1). The rate of erosion would then decrease to a few centimeters per hour, strongly influenced by the specific properties of the concrete. Erosion stops when the corium-concrete interface temperature falls below the concrete decomposition temperature, which is about 1100 °C. Basemat melt-through is nevertheless prudently considered unavoidable. The corium would then stop after penetrating a few meters into the subsoil. As the residual power decreases and its volume increases, it cools by thermal conduction and solidifies.
Table 15.1. Basemat erosion kinetics.
Erosion depth    Minimum time    Maximum time
2 m              0.8 d           1.4 d
3 m              1.5 d           2.9 d
4 m              2.5 d           4.5 d
5 m              3.8 d           6.2 d
Complementary studies have been undertaken to investigate basemat fast cracking hazards related to the thermal shock caused by contact with the corium.
15.2. The Rasmussen report At the request of the American safety authorities, Professor Norman C. Rasmussen of the Massachusetts Institute of Technology (MIT), conducted from 1972 to 1975 a scientific investigation into hazards created by the use of nuclear power reactors.
This overall survey, based on earlier studies, was organized round the systematic analysis of accident scenarios aimed at defining a relationship between probabilities and numbers of fatalities. The Rasmussen report, published in 1975 under the references WASH 1400 and NUREG 75-014, is still the basis of all PWR severe accident studies. It is also the first example of a probabilistic safety study giving figures for the probable impact on the population. The French safety authorities took an immediate interest in this survey, less from the standpoint of the probabilities and consequences for populations, which involve considerable uncertainties, than with regard to the phenomenology of reactor core degradation and the behavior of a reactor containment. The Three Mile Island accident obviously further stimulated discussions on these subjects and caused the various nuclear participants in France to move on from theoretical assessments to the implementation of practical measures. This accident was in fact a remarkable demonstration of the extreme importance, for the protection of the general public and the environment, of an efficient, durable containment. The Chernobyl accident, an unfortunate example of core degradation with uncontained radioactive release, only serves to reinforce this conviction. The Rasmussen containment failure mode classification is still used and comprises six main modes:
• mode α: steam explosion in the vessel or reactor pit, inducing loss of containment integrity in the short term
• mode β: initial or fast-induced lack of integrity
• mode γ: hydrogen explosion
• mode δ: slow overpressurization
• mode ε: basemat melt-through by the corium.
Mode V, which bypasses the containment through outgoing pipes, is dealt with separately, since it does not directly concern the behavior of the containment building.
The families of scenarios described culminating in these containment degradations correspond, except for mode β, to accidents involving in the more or less long term the formation of corium, providing the molten fuel is not dispersed, and rupture of the reactor vessel. It should be borne in mind that with the fuel enrichment proportions adopted for nuclear power plants equipped with light water reactors, a chain reaction cannot take place without an appropriately disposed moderator. On the other hand, a very small number of fuel elements, having maintained their geometry and submerged in pure water, can constitute a critical configuration.
Whatever the size and geometry of the compact corium, reverting to criticality should not be possible. However, investigations are still proceeding into possible unforeseen geometries and specific mixtures. The Rasmussen report describes a large number of special sequences, grouped in families, all related to the technology of the American reactor which provided the basis for studies and know-how at that time. Their systematic presentation in this document would require entering into details unrelated to present purposes. None of them are associated with reactivity accidents characterized by high speed kinetics. Thorough analysis of the Rasmussen report from the standpoint of French nuclear units started in 1975. It was, from the outset, mainly focussed on the definition of means of limiting the consequences of severe accidents. It was organized around two complementary topics: • simplified characteristics of types of release • analysis of failure modes and provisions to deal with them. Deeper insight together with the probabilistic safety studies which will be presented in subsequent chapters enable initial trends to be brought into line with more realistic views and solutions, which will gradually be taken into account.
15.3. "Source terms"
The IPSN sought to characterize specific types of release called "source terms". A source term is a specific type of release characteristic of a reactor family and representative of a type of accident, i.e. in general a mode of containment failure following complete core meltdown. It is taken into consideration to define appropriate corrective actions for the protection of populations under these extreme emergency conditions. There are three source terms, listed below in decreasing order of seriousness:
• source term S1 corresponds to early containment failure, a few hours after onset of the accident
• source term S2 corresponds to direct release to the atmosphere following loss of containment integrity one or several days after accident initiation
• source term S3 corresponds to indirect, delayed release to the atmosphere, through paths enabling a certain amount of the fission products to be retained.
These studies were under way at the time of the Three Mile Island accident. Provisional values which would otherwise have been rounded became set values, which explains the inappropriate precision of certain figures (Table 15.2). As in the Rasmussen survey, assessments were aimed at realism. The purpose was not to provide a safety demonstration based on penalizing assumptions, but to optimize plants whose basic design had already been adopted, or to define organizational procedures for the protection of the general public. However, each source term covers, by definition, a certain number of possible scenarios. The values retained in this context are presented as percentages of the initial activity of the radioactive products present in the reactor core:
Table 15.2. Percentage of radioactive products released to the atmosphere.
Source term                  S1      S2      S3
Noble gases                  80      75      75
Mineral iodine               60      2.7     0.3
Organic iodine               0.7     0.55    0.55
Cesium                       40      5.5     0.35
Tellurium                    8       5.5     0.35
Strontium                    5       0.6     0.04
Ruthenium                    2       0.5     0.03
Lanthanides and actinides    0.3     0.08    0.005
Modes α, β and γ, without prevention and mitigation provisions, could lead to S1 type release. Mode δ could lead to S2 type release. Mode ε, loss of containment integrity by basemat melt-through, could lead to S3 type release. Uncertainties remain as to iodine and aerosol behavior, despite the continued implementation of large scale experimental research programs. The gradual improvement of our knowledge in these areas could ultimately modify the source terms presently defined. It would also lead to design optimization for future reactors, where the defense in depth provisions would enhance prevention of substantial radioactive release.
15.4. Severe accident management studies in France In tandem with the definition of source terms, the French study programs included examination of each of the Rasmussen degradation modes to determine their relevance to French plants and define ways of lessening the probability or consequences by reinforcing the final containment barrier. For there may be simple means of preserving or restoring containment integrity, but these could only be used under particularly difficult conditions if their implementation had been thoroughly prepared beforehand. The different failure modes were then considered under conditions postulated in the light of the Rasmussen report and discussions on the French standardized power plants. The following scenario was thus postulated, for instance: with primary system cooling no longer assured, the system drains, the core melts and penetrates through the bottom of the vessel in about 2 hours. The basemat is eroded by the corium produced, which finally melts through it. The kinetics of this accident are relatively slow. This scenario could correspond to that of a large primary break compounded by total loss of safety injection and containment spray capability. Incidents or anomalies observed in France show that simultaneous failure of the pumps actuating these two systems is by no means simply a farfetched supposition. Several incidents and nonconformances are possible precursors. This is the case for the sump filter anomaly observed on the 1300 MWe units, for the incompatibility between different lubricants or the necessity to sample for quality control a significant quantity of the safety injection pump seal oil. These anomalies will be considered in detail in Chapter 26. They were detected in the course of inspection or maintenance operations - confirming the importance and efficiency of the latter - and were of course corrected. Such anomalies on their own could not cause a primary system break. 
However, the probability of occurrence of the type of scenario described would not seem high enough to call into question the design basis of the plants concerned. On grounds of defense in depth, we nevertheless do our utmost to improve the possibilities for the practical control of such situations, based on realistic scenarios. The Rasmussen containment degradation modes are being re-examined on this basis with a view to determining their plausibility and defining possible improvements within a given design basis. These studies rest on knowledge which is as yet fragmentary. This justifies organizing and pursuing experimental work in difficult fields. Although results are still pending, decisions nevertheless have to be made. The options retained in this context are consequently not sanctioned by the same quality level and degree of certainty as were obtained for the plant design basis situations. This is one of the basic characteristics of severe accident management studies. It will obviously evolve as new data become available. In 1981, EDF was requested to define ultimate emergency procedures designed to prevent or minimize the radiological consequences of severe accidents. Provisions in this respect have been progressively proposed by the national utility and their principles accepted by the safety authorities. All French plants have now been equipped accordingly. However, greater insight into these questions and continued research could result in further modifications.
15.4.1. Loss of containment integrity due to a steam explosion The Rasmussen mode a scenario is as follows: a large primary system break occurs and neither the safety injection nor the containment spray systems are operable. After 1 to 2 hours, the core melts and drops either into the bottom of the vessel or through the vessel into the reactor pit. In both cases, if the corium is sufficiently dispersed and if there is water in the bottom of the vessel or of the reactor pit, a steam explosion could occur upon contact with the water, releasing sufficient energy to project missiles which could impair containment integrity. Mode a thus implies considerable dispersion of the fuel for the heat transfer area between the hot fuel and the water to be large enough to cause a steam explosion and also requires a sufficient quantity of water. On the basis of the scenarios described, this occurrence seems highly unlikely, but in the present state of the art, this cannot be demonstrated. Studies are still proceeding, but experts assembled by the OECD considered loss of containment integrity due to this phenomenon to be sufficiently unlikely and this mode was not retained in the French study programs. It was not until the Chernobyl accident and the reopening of criticality accident study programs that this mode came back to the forefront, in the context of entirely different scenarios. The kinetics of the phenomenon are, in any case, too sudden for accident management procedures to be of any assistance. We shall come back in Chapter 16 to these studies, which have mainly given rise to preventive measures.
15.4.2. Containment isolation faults
Containment integrity is continuously monitored by comparing the containment gas injection rate (leaks from compressed gas systems or valve motion controlled by these gases) with internal pressure changes. Routine tests on the containment penetration isolation valves confirm that they are operating correctly. Pressurization of the containment at startup and every ten years enables its leak rate to be compared with the specified values. These provisions should suffice to preclude any serious isolation faults prior to the accident. Leaks can however occur if the automatic isolation of the various penetrations under accident conditions fails to operate correctly or if the air locks are defective. This loss of containment integrity mode, mode β, is extremely important, since it can lead to radioactive release to the environment very early on in the accident. The short time interval involved is not sufficient for radioactive decay and deposition in the containment to play a role, nor for the public authorities to take steps for the short term protection of populations in the immediate vicinity of the plant. In order to deal with such situations, EDF developed procedure U2: "procedure in the event of a containment isolation fault". The purpose of this procedure is to monitor containment integrity under accident conditions, as soon as a certain level of radioactivity is detected in the containment, even in the case of minor accidents, and to identify and localize any defects, providing, if possible, remedial action. This procedure supplements the continuous monitoring of the containment leak rate under normal operating conditions.
U2 comprises a set of actions defining: • containment surveillance conditions, by measuring radioactivity released from the stack, present in the sumps or in peripheral facilities and their ventilation ductwork, and by verification of the condition of isolation valves • the types of action to be taken, such as confirmation of isolation commands, the localization of leaks and the determination of how to eliminate them, the containment of a room or, at a later stage, the reinjection of liquid wastes into the reactor building. With all these different precautions, it should be possible to restrict short term release to values defined for design basis accidents.
15.4.3. Hydrogen production and combustion In the description of LOCA accidents in Chapter 6, we mentioned the risk of a water-zirconium reaction, producing both energy and hydrogen.
In the context of 4th category accidents, it is stipulated that clad temperature shall not exceed 1204 °C and that the reaction shall not involve more than 1% of the zirconium present. In the circumstances considered here, since core meltdown is postulated together with formation of corium, it must be assumed that much of the zirconium in the core will have reacted with water and released hydrogen, according to the mechanisms described at the beginning of this chapter. As long as this hydrogen remains in the primary system, it cannot burn because there is no free oxygen. This is no longer the case once it reaches the containment atmosphere. However, for there to be an explosion, there has to be an appropriate blend of hydrogen, air and steam (see Shapiro chart, Fig. 15.1). Combustion also requires an ignition source. Metal corrosion in the containment, radiolysis* of sump water and corium-concrete interaction are also sources of hydrogen, but the quantities produced by the first two phenomena are slight. Corium-concrete interaction, on the other hand, can produce in 48 hours a quantity of hydrogen equivalent to that resulting from the zirconium reaction. Mode γ corresponds to loss of containment integrity due to a hydrogen and carbon monoxide explosion in the reactor containment. In fact, we have to differentiate between two types of fast combustion, deflagration and detonation, the conditions and consequences of which are very different.
15.4.3.1. Deflagration
A deflagration is a form of combustion which, once initiated, propagates through the mixture by heat conduction in the gas and diffusion of free radicals into the unburnt gas. Propagation occurs at a speed of several meters per second. It can be triggered with relatively low proportions of hydrogen (the Shapiro chart gives a threshold of about 4% in dry air). The initiating energy required is slight, less than 1 millijoule. A hot spot of about 500 °C can trigger spontaneous ignition if there is no steam. On the other hand, beyond a steam concentration of 50 to 60%, there is no risk of deflagration. The mean containment concentrations reached under accident conditions involving major zirconium-steam reactions are amply sufficient for hydrogen deflagration, provided there is no steam inerting. Such deflagrations occur very rapidly, doubtless before there has been any significant contribution from the reaction between the corium and the basemat, which means that the two modes of hydrogen production would be decoupled.
* Radiation-induced decomposition of water into free hydrogen and oxygen.
Fig. 15.1. Shapiro chart. Ignitability limits for the H2 - H2O - air mixture.
The immediate or delayed operation of the containment spray system, which will lead to condensation of the steam in the containment, would have a significant effect on the triggering of a deflagration. If we postulate the combustion of all the hydrogen produced by oxidation of all zirconium present in the vessel in a single deflagration, the maximum instantaneous pressure reached in the containment would not suffice to fissure the liner in a 900 MWe unit, at least in parts without discontinuities, which means that satisfactory overall leaktightness would be preserved. Such an incident could, on the other hand, cause at least transient through-wall cracking in the 1300 MWe unit inner containments (the concrete is prestressed), although sufficient margins would be preserved with respect to structural failure. Table 15.3. presents pressures calculated under adiabatic conditions, but also taking into account heat exchanges with the structures, which is more realistic.
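The hydrogen inventory, the Shapiro-chart screening and the effect of spray condensation described in this section, as an added example that is not part of the book. It uses the limits the text quotes (about 4% H2 in dry air as the lower threshold, no deflagration above 50 to 60% steam); the 75% upper limit in air and the 55% steam cut-off are assumptions chosen within the usual Shapiro-chart ranges, zircaloy is treated as pure zirconium, and all gases are taken as ideal at one reference state. With that simple mixing rule the mean dry-atmosphere H2 fraction for the CP0 figures of Table 15.3 comes out near 17.5% rather than the table's 19.1%, since the containment state behind the table's figure is not stated on the page.

```python
"""Hydrogen inventory from zircaloy oxidation and a Shapiro-chart screening.

Added example, not from the book.  The limits are the ones the text quotes
for the Shapiro chart: deflagration possible from about 4 % H2 in dry air,
none once steam exceeds roughly 50-60 % of the atmosphere.  The 75 % upper
limit in air and the 55 % steam cut-off used below are assumptions chosen
within the usual Shapiro-chart ranges; zircaloy is treated as pure Zr and all
gases as ideal at a common reference state (assumptions too).
"""
from dataclasses import dataclass

ZR_MOLAR_MASS_KG = 0.09122       # kg/mol
MOLAR_VOLUME_STP_M3 = 0.022414   # m3/mol at 0 °C and 1 atm (the table's "TPN")
H2_PER_ZR = 2.0                  # Zr + 2 H2O -> ZrO2 + 2 H2

LOWER_FLAMMABILITY_H2 = 0.04     # from the text (Shapiro chart, dry air)
UPPER_FLAMMABILITY_H2 = 0.75     # assumption: usual upper limit in air
STEAM_INERTING = 0.55            # assumption within the 50-60 % band quoted


def h2_volume_stp_m3(zircaloy_kg: float) -> float:
    """Hydrogen (m3 at STP) from complete oxidation of the given zircaloy mass."""
    return zircaloy_kg / ZR_MOLAR_MASS_KG * H2_PER_ZR * MOLAR_VOLUME_STP_M3


@dataclass(frozen=True)
class Atmosphere:
    """Containment atmosphere as mole fractions (ideal gas: equal to volume fractions)."""
    h2: float
    steam: float

    def __post_init__(self) -> None:
        if self.h2 < 0 or self.steam < 0 or self.h2 + self.steam > 1.0 + 1e-12:
            raise ValueError("fractions must be non-negative and sum to at most 1")

    @property
    def air(self) -> float:
        return 1.0 - self.h2 - self.steam


def is_deflagrable(atm: Atmosphere) -> bool:
    """Screening test: steam-inerted mixtures cannot burn; otherwise the H2 share
    of the non-steam gas is compared with the dry-air limits."""
    if atm.steam >= STEAM_INERTING:
        return False
    h2_in_dry = atm.h2 / (1.0 - atm.steam)
    return LOWER_FLAMMABILITY_H2 <= h2_in_dry <= UPPER_FLAMMABILITY_H2


def after_release(free_volume_m3: float, h2_m3: float, steam_before: float) -> Atmosphere:
    """Mix the released hydrogen into a containment whose atmosphere held the given
    steam fraction, all volumes taken at the same reference state."""
    total = free_volume_m3 + h2_m3
    return Atmosphere(h2=h2_m3 / total, steam=steam_before * free_volume_m3 / total)


def spray_condensation(atm: Atmosphere, condensed_share: float) -> Atmosphere:
    """Containment spray condenses the given share of the steam; the remaining gas
    is renormalized, which raises the H2 fraction and can end steam inerting."""
    if not 0.0 <= condensed_share <= 1.0:
        raise ValueError("condensed share must lie in [0, 1]")
    steam_left = atm.steam * (1.0 - condensed_share)
    remaining = atm.h2 + atm.air + steam_left
    return Atmosphere(h2=atm.h2 / remaining, steam=steam_left / remaining)


if __name__ == "__main__":
    # CP0 figures from Table 15.3: 46 000 m3 free volume, 19 820 kg of zircaloy.
    h2 = h2_volume_stp_m3(19_820)
    wet = after_release(46_000, h2, steam_before=0.70)
    dried = spray_condensation(wet, 0.5)
    print(f"H2 from full oxidation: {h2:.0f} m3 (table: 9 766)")
    print(f"steam-inerted before spray: deflagrable={is_deflagrable(wet)}")
    print(f"after condensing half the steam: H2={dried.h2:.3f}, deflagrable={is_deflagrable(dried)}")
```

The sequence in the main block is the one the paragraph above warns about: a steam-rich atmosphere is inert, and it is the spray, by condensing the steam, that moves the mixture into the deflagrable region.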
The effects of concrete thermal stressing are under investigation. It is indispensable to ensure in all cases that isolation valves and electric cable penetrations remain unimpaired.

Table 15.3. H2 production and containment characteristics.

Standardized plant series                     CP0        CP1-2      P4         P'4        N4
Free volume (m3)                              46 000     50 400     81 500     70 440     73 000
Zircaloy mass (kg)                            19 820     21 600     27 920     27 920     29 660
H2 produced by 100% oxidation (TPN m3)        9 766      10 651     13 765     13 765     14 623
Mean H2 concentration in a dry atmosphere     19.1%      19.3%      15.8%      17.8%      18.2%
Design basis pressure                         4.7 bar*   5 bar      4.8 bar    5.2 bar    5.3 bar
Through-wall cracking limit, collapse limit, maximum deflagration pressure under adiabatic conditions and maximum deflagration pressure with heat exchanges: the scan preserves the values of these four rows in page order only, without their column positions: 7.5 bar, 8.1 bar, 8.3 bar, 13 bar, 10.4 bar, 11.8 bar, 11.8 bar, 10.7 bar, 8.95 bar, 9.75 bar, 9.75 bar, 9.2 bar, 7.6 bar, 8.3 bar, 8.3 bar, < 9.2 bar.
It should be borne in mind that this table is based on two postulates: reaction of all vessel zirconium with the water and combustion of the hydrogen produced in a single deflagration. In the majority of cases, the hydrogen would progressively exit the core as soon as produced, entrained by the escaping primary fluid. There could then be several successive deflagrations, none of which could cause an overpressure which would damage the containment.
* The pressures are indicated in absolute values.
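As an added check on Table 15.3 (example code written for this edition, not taken from the book or from EDF), the following Python recomputes the hydrogen inventory from the Zircaloy mass by the Zr + 2 H2O → ZrO2 + 2 H2 stoichiometry, the mean dry concentration from the free volume, and screens each series against the Shapiro limits quoted in the text. Ideal-gas behaviour, Zircaloy treated as pure zirconium and an initial containment air temperature of 20 °C are assumptions; the book does not state its reference conditions, and with them the printed concentrations are reproduced to within about one percentage point.

```python
"""Hydrogen inventory and flammability screening for the plant series of Table 15.3.

Added worked example; not code from the book or from any plant operator.
Assumptions (labelled): Zircaloy is treated as pure zirconium; the H2 volume is
expressed at normal temperature and pressure ("TPN": 0 degC, 1 atm); the
containment air is initially at 20 degC and 1 atm; mixing is ideal and the
atmosphere is dry.  The combustion limits are the ones quoted in the text.
"""

ZR_MOLAR_MASS_KG_PER_MOL = 0.091224             # zirconium
MOLAR_VOLUME_TPN_M3 = 0.022414                  # ideal gas at 0 degC, 1 atm
AIR_MOLAR_VOLUME_20C_M3 = MOLAR_VOLUME_TPN_M3 * 293.15 / 273.15   # assumption: air at 20 degC

# Limits quoted in Sections 15.4.3.1 and 15.4.3.2 (dry air, volume percent)
DEFLAGRATION_LOWER_PCT = 4.0
DETONATION_LOWER_PCT = 18.0
DETONATION_UPPER_PCT = 55.0
STEAM_INERTING_PCT = 50.0      # text gives 50 to 60%; the lower bound is used here

# Table 15.3 figures as printed: series -> (free volume m3, Zircaloy kg, H2 TPN m3, mean %)
TABLE_15_3 = {
    "CP0":   (46_000, 19_820, 9_766, 19.1),
    "CP1-2": (50_400, 21_600, 10_651, 19.3),
    "P4":    (81_500, 27_920, 13_765, 15.8),
    "P'4":   (70_440, 27_920, 13_765, 17.8),
    "N4":    (73_000, 29_660, 14_623, 18.2),
}


def h2_volume_tpn_m3(zircaloy_kg):
    """Zr + 2 H2O -> ZrO2 + 2 H2: two moles of hydrogen per mole of zirconium (100% oxidation)."""
    mol_zr = zircaloy_kg / ZR_MOLAR_MASS_KG_PER_MOL
    return 2.0 * mol_zr * MOLAR_VOLUME_TPN_M3


def mean_h2_fraction_pct(h2_tpn_m3, free_volume_m3, air_molar_volume=AIR_MOLAR_VOLUME_20C_M3):
    """Mole fraction of H2 once it is mixed into the dry containment air."""
    mol_h2 = h2_tpn_m3 / MOLAR_VOLUME_TPN_M3
    mol_air = free_volume_m3 / air_molar_volume
    return 100.0 * mol_h2 / (mol_h2 + mol_air)


def regime(h2_pct, steam_pct=0.0):
    """Screen a mixture against the limits quoted in the text.

    Steam above the inerting threshold suppresses combustion; otherwise the dry-air
    limits are applied to the hydrogen fraction.  Steam also raises the detonation
    limits, which this coarse screen does not model.
    """
    if steam_pct >= STEAM_INERTING_PCT:
        return "steam-inerted"
    if h2_pct < DEFLAGRATION_LOWER_PCT:
        return "below deflagration limit"
    if DETONATION_LOWER_PCT <= h2_pct <= DETONATION_UPPER_PCT:
        return "detonation range"
    return "deflagration"


def check_against_table(table=TABLE_15_3):
    """Recompute inventory and mean concentration; report the largest deviation from the printed figures."""
    worst_volume_rel_pct = 0.0
    worst_fraction_pts = 0.0
    regimes = {}
    for series, (free_m3, zr_kg, h2_m3, mean_pct) in table.items():
        v = h2_volume_tpn_m3(zr_kg)
        worst_volume_rel_pct = max(worst_volume_rel_pct, 100.0 * abs(v - h2_m3) / h2_m3)
        f = mean_h2_fraction_pct(h2_m3, free_m3)
        worst_fraction_pts = max(worst_fraction_pts, abs(f - mean_pct))
        regimes[series] = regime(mean_pct)
    return {"max_volume_error_pct": worst_volume_rel_pct,
            "max_fraction_error_pts": worst_fraction_pts,
            "regimes": regimes}


if __name__ == "__main__":
    for series, (free_m3, zr_kg, h2_m3, mean_pct) in TABLE_15_3.items():
        print(f"{series:6s} H2 {h2_volume_tpn_m3(zr_kg):8.0f} m3 (table {h2_m3}), "
              f"mean {mean_h2_fraction_pct(h2_m3, free_m3):5.1f}% (table {mean_pct}%), "
              f"dry: {regime(mean_pct)}, with 55% steam: {regime(mean_pct, 55)}")
```

The screen is deliberately coarse: a result of "detonation range" only means that the mean dry concentration lies in the Shapiro detonation band, which is exactly the situation the text describes for the 900 MWe series; whether a detonation is credible is decided by the steam content and by the initiating energies discussed in Section 15.4.3.2, not by this classification.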
It is interesting to note in this connection that the possibility is being considered of equipping containments with various systems, including ignition systems, which would result in semi-continuous hydrogen combustion. The pressure peaks obtained would then be much lower. An appropriately sized catalytic recombination system could also be envisaged for removal of free hydrogen before concentrations compatible with deflagration could be reached. However, such recombiners would be inadequate in cases of fast hydrogen release. Weighing up the advantages and drawbacks of such systems has not yet yielded sufficiently conclusive results for a decision to be made for current French plants, which have large containments.
15.4.3.2. Detonation

A detonation is a form of combustion occurring at the interface between a supersonic shock wave and the compression wave in the unburnt gas, which initiates the chemical reaction. A detonation implies far higher hydrogen concentrations than a deflagration. The Shapiro chart defines the detonation range as between 18 and 55% of hydrogen in dry air. Recent experiments show that the threshold would be lower for very large volumes. The required initiating energy level is, on the other hand, very high: 5 kJ for a 30% H2 concentration, but 250 kJ for a 20% concentration and about 50 MJ when it is only 15% (Fig. 15.2.). The presence of steam raises both the concentration threshold and the initiating energy requirements. And it is logical to assume that a considerable proportion of the primary system water will be in the containment following core meltdown. At least part of the 300 or 400 m3 of water would certainly be there, in the form of steam, especially if the containment spray system is inoperable. If this system had been working, there would already have been a deflagration. A case where little steam was present despite the spray system being inoperable would correspond to a loss of core cooling resulting from major primary coolant leakage outside the containment. But in this case, it would seem probable that the hydrogen would be entrained to the atmosphere, as would the volatile fission products. It is in the 900 MWe reactor containments that the theoretically possible hydrogen concentrations are highest. They are located towards the lower detonation limit of the Shapiro chart. They would be diminished by the presence of steam. Moreover, the initiating energy levels required for plausible concentrations are sufficiently high for a generalized detonation in the containment to be excluded.
Fig. 15.2. Energy required to initiate a detonation in an unconfined atmosphere (abscissa: hydrogen percentage in volume).

In the course of experiments, flame acceleration mechanisms have been observed in pipes featuring discontinuities, able to induce transition from deflagration to detonation, but these results are difficult to extrapolate to the dimensions of a containment. Studies are proceeding to determine the characteristic dimension beyond which the phenomenon disappears and also the consequences of a detonation in a bunkerized area. All things considered, the probability of loss of containment integrity due to hydrogen combustion seems slight. At the present time, no accident provisions are made in this respect. There is consequently no special procedure for these circumstances. However, complementary investigations are still proceeding, notably concerning the conditions under which the various gases mix, the risks of stratification and local hydrogen concentrations and also the degree to which containment strength is affected by the differences in rebar densities.
15.4.4. Slow pressure buildups in the containment

Mode δ corresponds to a medium-term containment failure caused by atmosphere overheating due to inefficient removal of fission product energy and by the gradual release of very large quantities of gas during basemat erosion by the corium. These gases could also be accompanied by steam from the water used to try and impede the corium advance by cooling it. In these circumstances, the containment pressure could rise steadily, reaching the design basis limit after about 24 hours and then continuing relentlessly beyond. It was decided to deal with the possibility of irremediable loss of containment integrity by overpressure by providing a containment pressure control device, consisting of a filtered venting system designed for use when required: • to restrict containment pressure to the design basis value • to reduce by a factor of at least 10 the aerosols contained in the gases released • to route the filtered gases to the stack, which is equipped to monitor their radioactivity and facilitate their atmospheric dispersion. The solution adopted consists in using a containment penetration initially intended for depressurization purposes during acceptance pressure tests and the subsequent routine leak tests. A set of valves, a pressure-reducing device and a sand bed filter package, 42 m2 in face area and 80 cm deep, are fitted between this penetration and the stack. Investigations into sand bed filter efficiency and optimization of the system were undertaken by the IPSN in the R&D department located at the Cadarache study center. These investigations confirmed that the required degree of efficiency could be obtained and even exceeded (FUCHIA tests). However, a detailed analysis of the system once installed showed that use of the filter raised problems of radiological protection on the site and of filter cooling. In addition, the possibility of a hydrogen deflagration before the gases entered the filter had to be prevented.
Various complementary measures were defined accordingly. More recently, it was decided to install a prefiltration package inside the containment. This should solve the remaining problems satisfactorily. The U5 procedure "containment depressurization" would only be implemented under severe accident conditions after close consultation with the EDF central services and the public authorities.
15.4.5. Early release paths through the basemat

The vessel failure postulated in severe accident studies results in the corium falling through to the bottom of the reactor pit. We described at the beginning of this chapter various physical events related to erosion by thermal phenomena. Mode ε corresponds to basemat "rupture" after its complete meltthrough by the corium. This would require between one and several days, depending on the basemat characteristics (4.20 m for the standardized 900 MWe units and 3 m for the 1300 and 1400 MWe units). This period would allow the decay of short-lived radioactive products and the deposition of many others on the containment walls or in the sump. If the corium fell through the basemat, it would soon stop in the soil beneath, but the groundwater could eventually be polluted by leaching processes*. Solutions include drilling a system of shafts round the affected unit, equipped with pumps to prevent the transfer of contaminated water to water abstraction points, rivers or the sea. Any water at the bottom of the containment, injected to try and cool the corium, would be heavily laden with radioactive products and could pour out into the soil through the hole in the basemat, as could the containment gases forced out by the internal pressure. It could prove more difficult to confine these contaminations. The atmospheric release would nevertheless be bounded by source term S3. This description makes no mention of the basemat channels, which could be more rapidly affected by the corium, providing outlets for the pressurized gases in the containment. All light water reactor buildings comprise dynamic testing systems, designed to monitor basemat deformation with time, especially during containment pressurization for periodic strength and tightness tests. These devices are located 1 m below the basemat surface in the 1300 MWe units and 1.70 m below in the 900 MWe units (Fig. 15.3.).
The 1300 MWe units are equipped in addition with a basemat draining system, located 2 m below the surface. There are also certain special cases, such as nuclear units built on snubbers. Compensatory measures were consequently defined and are the subject of procedure U4: "handling early release paths through the basemats".
* Washing of free surfaces leading to extraction of soluble products.
Sealing systems, plugging beneath the reactor pit and permanent obstructions have been installed. They are aimed at benefiting fully from radioactive decay and ground filtration in the event of basemat perforation and at extending the time available to make the necessary off-site provisions. No further action is required of the operators on this particular point, so that procedure U4 in fact no longer exists.
Fig. 15.3. Rasmussen containment failure modes.
15.4.6. Identification and analysis of other scenarios

We have discussed the impact of the Rasmussen report as an initiator of severe accident studies in France and in most of the countries using nuclear power. However, the investigations are not restricted to analysis of the containment failure modes described in the report. We have already mentioned the risks of direct release to the atmosphere due to mishandled steam generator tube break sequences. The possibility of other direct release paths, bypassing the containment, is being carefully examined with a view to defining complementary preventive measures and protective actions if and when required. Mode V corresponds to such cases, postulating significant direct leaks in peripheral buildings, due to defective tightness of the safety injection system check valves. Another containment bypass has been identified on French plants. It is related to the fact that the Reactor Cavity and Spent Fuel Pit Cooling and Treatment system, which is outside the containment and not pressure-resistant, is connected to the Residual Heat Removal system, which is designed to withstand 40 bar pressures. Structural provisions, together with special surveillance and procedures, combine to make this risk sufficiently improbable. Finally, in the next chapter, we shall look at special cases of beyond design basis criticality accidents.
15.5. Radiological consequences of source term S3 and intervention provisions On the basis of the accident studies presented above and providing the ultimate emergency procedures are implemented, "maximum plausible release" values are bounded by source term S3. The radiological consequences corresponding to this source term have been assessed and population protection measures examined in the light of these consequences.
15.5.1. Assessment of radiological consequences

Since we are no longer in a design basis context, the assessment was not based on the Le Quinio charts presented in Chapter 5, but on a more recent set of charts derived from the Doury charts, designed to deal with more realistic and more varied situations. These charts take into account atmospheric stability, wind speed and rain. They will be presented in greater detail in Chapter 17. To calculate them, it was considered that source term S3 could be represented by a scenario involving a sand filter which would enable containment depressurization within 24 hours, with release beginning 24 hours after onset of the accident. During the first 24 hours, a containment leak rate of 0.3% per day of the mass contained is postulated, with half of this leakage escaping directly to the atmosphere, the other half being recovered and filtered with an efficiency factor of 100.
Fig. 15.4. Radiological consequences due to source term S3 (ordinate: whole body dose equivalent due to external exposure, Sv).
Three types of weather conditions were considered: • 1: normal diffusion, wind of 5 m/s, no rain (ND5d) • 2: normal diffusion, wind of 5 m/s, rain at 1 mm/h (ND5r) • 3: low diffusion, wind of 2 m/s, no rain (LD2). The graphs show results obtained for: • whole body dose equivalents due to the plume compounded by ground deposits • thyroid dose equivalents due to iodine. These results have now to be compared with the possibilities of implementation of protective measures for the general public. For this, we shall consider the recommendations formulated by the International Commission on Radiological Protection before assessing the possibilities of intervention by civil security teams in areas around the sites.
15.5.2. ICRP recommendations for accident situations

The International Commission on Radiological Protection proposed in its publication 63, released in 1993, a procedure ensuring population protection under accident conditions (Table 15.4.).
Fig. 15.5. Radiological consequences due to source term S3 (ordinate: thyroid dose equivalent, Sv).
The procedure defines intervention levels mainly concerning evacuation and confinement indoors, accompanied by the distribution of stable iodine, but is so devised as to be open to constant improvement, as mentioned in Chapter 1. Evacuation, confinement indoors or the administration of stable iodine can obviously involve drawbacks with respect to the physical or psychological well-being of the populations concerned or those assigned with implementing these measures. Such drawbacks have also to be carefully weighed up. The same caution applies when considering restrictions on the consumption of certain foodstuffs. The yardstick for intervention is the dose prevented by the implementation of the protective action. The indications in the above table are accompanied by cautious considerations making full allowance for optimization. So the indications on the two graphs representing the radiological consequences associated with source term S3 are to be considered with prudence.
15.5.3. Scope of civil security interventions

Since the beginning of the eighties, the public authorities have also been working on the definition of realistic possibilities of implementation of protective measures for populations in the vicinity of nuclear sites. They have estimated that, given the characteristics of the French sites, they could implement the following provisions within 12 to 24 hours after the onset of an accident: • evacuating the population in a 5 km radius round the site • sheltering (confinement indoors) of the population in a 5-10 km radius round the site. Complementary measures would, of course, be envisaged for the longer term. It is clear from comparison that this degree of intervention would provide satisfactory protection in the event of release not exceeding source term S3.

Table 15.4. ICRP publication 63 recommendations.

Type of intervention                 Intervention level of averted dose in mSv, almost always justified     Range of optimized values
Sheltering                           50                                                                    Not more than a factor of 10 lower than the justified value
Administration of stable iodine      500 (equivalent dose to thyroid)                                      Not more than a factor of 10 lower than the justified value
Evacuation (< 1 week)                500 (whole body dose); 5000 (equivalent dose to skin)                 Not more than a factor of 10 lower than the justified value
Relocation                           1000                                                                  5-15 mSv per month for prolonged exposure
Restrictions on a single foodstuff   10 (in 1 year)                                                        1000 to 10,000 Bq/kg (β, γ emitters); 10 to 100 Bq/kg (α emitters)
The onsite severe accident procedures are consequently consistent with the population protection provisions, with respect to the recommendations currently in force. It should also be noted that, since the Chernobyl accident, greater attention is paid to the social and economic disturbances created by longer term problems, such as those resulting from food chain contamination. The foodstuff marketing limits defined by the CEC following this accident are extremely penalizing, but have no actual health physics significance. With release corresponding to source term S3, these limits would have to be applied at considerable distances from the damaged plant for more or less long periods of time. This is a preoccupation which will lead to "maximum plausible release" figures being more stringently limited for future reactors.
15.6. List of ultimate emergency procedures

As in the case of the complementary procedures, the identification initials and numbering of these ultimate emergency procedures were decided in the heat of the moment on the basis of the numerous studies undertaken in the aftermath of the Three Mile Island accident, before the results obtained had been logically interrelated. Here too, the transition to a generalized state-oriented approach will remove these minor inconsistencies. Procedure U1 was presented in Chapter 14. It is unmistakably aimed at preventing core meltdown, even if it also provides for the subsequent management of such situations. It thus precedes the other procedures, which postulate its failure. Although its identification initial classifies it in the ultimate emergency series, procedure U3: "use of mobile facilities to back up safety injection and containment spraying", already presented in Chapter 11, does not correspond to containment protection after core meltdown. On the contrary, it is designed to prevent or limit this occurrence. As an extension to procedure H4, which provides for mutual backup of the permanently installed pumps used for the low head safety injection and containment spray systems, procedure U3 is used in the event of total loss of these pumps. Basically, it consists of pre-installed connection devices, accessible after an accident, which would enable the use of pumping facilities and, if necessary, a heat exchanger which are not permanently installed in the units. The capacity of the equipment provided for and the radiological protection afforded would enable intervention 15 days after a large primary break, for example, although it is hoped that this period could be shortened without having to consider the possibility of restoring containment spraying in the short term. The existence of the H4-U3 facilities consequently does not affect the phenomena we have just described, since they are aimed at core meltdown prevention.
There remain the following two procedures: • U2: procedure in the event of a containment isolation fault • U5: containment depressurization.
15.7. Summary of procedures Table 15.5. summarizes the correspondence between the various categories of operating conditions and the procedures and provisions to contend with them.
It should be borne in mind that, in parallel with the operator procedures, the safety engineer follows surveillance procedure SP1 and, in a U1 context, surveillance procedure SPU.

Table 15.5. Procedure application ranges.

Order of magnitude of frequencies or probabilities   Design basis operating range (a)   Complementary operating range (b)   Ultimate procedure application range
Permanent or frequent                                A
10^-2 to 1                                           A
10^-4 to 10^-2                                                                          H                                   U1 U2
10^-6 to 10^-4                                                                          H                                   U1 U2
< 10^-6                                                                                                                     U1 U2 U3 U4 U5
(a) Estimated frequencies of initiating events. (b) Realistic probabilities.
In addition to these procedures, the Severe Accident Intervention Guide used by the crisis teams resolves possible contradictions between actions required by the different procedures. In order to safeguard the reactor core, water has to be poured over the fuel by all available means, even though this water can have undesirable effects on the containment pressure level. Similarly, restarting containment spraying will lower the steam concentration but could have adverse effects with regard to deflagration hazards. The Guide indicates current thinking in this area and provides operators with pertinent advice accordingly. It also contains decision elements as to whether procedure U5 should be used.
15.8. Internal Emergency Plan

The actions described above are part of a more comprehensive plan, broadly applicable to all nuclear installations and known as the Internal Emergency Plan. This plan provides the link between the damaged plant and the outside emergency teams, whose action is organized by the external emergency plan, which will be described in Chapter 17.
The Internal Emergency Plan is applied on the plant site under the responsibility of the operating organization. Its main purposes are to ensure : • plant control and safeguard • emergency aid for any site casualties • protection for site personnel • warning and information of the public authorities. Local crisis organization is conducted from • a decision center, the plant management control station • three operational centers : - the local unit control station, in the control room - the site radiological monitoring control station - the site logistic control station (transport, fluids, etc) This plan is coordinated with the off-site action plans by means of three mutually adopted levels of application: • Level 1: accident without radiological hazards but requiring assistance from outside emergency teams • Level 2: accident with radiological hazards confined to the site • Level 3: radiological accident involving or liable to involve health consequences beyond the site.
15.9. The fourth level of defense in depth We presented the fourth level of defense in depth in Chapter 3. Ultimate procedures and crisis management actions will deal with plant situations liable to give rise to substantial radioactive release beyond the site, after failure of all measures taken at the prevention, surveillance, protection and safeguard stages. This in fact constitutes a further line of defense. However, we are still in a deterministic context, based on extremely prudent options and compensating more or less for uncertainties and knowledge deficiencies by rather pessimistic assumptions. The corresponding elements were defined at the beginning of the eighties for plants existing at that time. Differences are planned for the plants of the future, where severe accidents would be included in the design basis data (Chapter 29). In this respect, if research and knowledge acquisition continue, decisions will have to be made to provide designers with clearly defined safety goals which will be valid for a reasonable period of time.
16
Special risks associated with criticality accidents
The contents of the previous chapter imply that the risk of fast containment failure is sufficiently low to be practically excluded. We presented the reasons supporting this assertion at the beginning of our severe accident analyses. We also indicated that criticality accident hazards should be the subject of adequate preventive measures. This topic will be dealt with in the present chapter. The elements presented have only been under discussion since 1988. It was the Chernobyl accident, a criticality accident overlooked by the designers and unknown to the operators which led to a revision by the French nuclear partners of the way in which accidents were envisaged and handled in France. Plant unit design scenarios were reassessed, as were the associated postulates. The possibility of new sequences was investigated, leading to consideration of a new theoretical scenario liable to result in major consequences. This was then followed by the identification of realistic scenarios and the elaboration of appropriate preventive measures.
16.1. Theoretical scenario For this scenario to be meaningful, it must be remembered that a pressurized water reactor core is under-moderated* and that its reactivity is controlled by control rods inserted in certain fuel elements and also by boron in the form of boric acid dissolved in the primary coolant. The control rods regulate the power level and shutdown under operating conditions. The boron counterbalances depletion of the fissile materials in the core and the various poisoning effects related notably to fuel and coolant temperatures or to the accumulation of xenon 133. When the reactor is cold, more boron is required than when it is power operating, since the control rods alone are unable to hold the core sub-critical in this configuration.
* See Sections 7.1.1 and 30.5.3.
Elements of nuclear safety
218
The proportion of the reactivity to be controlled by the boron depends on the power produced, on the core temperature under operating, hot standby or shutdown conditions and on the fuel burnup (Fig. 16.1.). With the reactor cold after reloading and all rods inserted, a concentration of about 1000 ppm (parts per million) of boron is required to obtain a critical assembly. This suffices to control the 12 000 pcm* of available reactivity. If certain control rod banks are removed from the reactor core, which is consistent with the rod cluster control assembly configurations allowed in the various reactor shutdown states, 1 450 ppm of boron is required to control the 15 000 pcm of available reactivity. At hot shutdown, i.e. with the primary coolant at 286 °C, and the shutdown rod cluster control assemblies withdrawn, about 900 ppm of boron is required to control the 7 000 pcm of available reactivity, since the boron efficiency is diminished under high temperature conditions owing to the lower density of the water.

Fig. 16.1. Potential reactivity of a non-borated core (ordinate: potential core reactivity with all rods inserted, pcm; abscissa: primary coolant temperature, °C).
The technical operating specifications require a subcriticality margin varying between 5 000 pcm (cold shutdown for refueling) and 1 000 pcm (beginning of cycle cold and hot shutdown), necessitating boron concentrations of between 2 000 and 1 000 ppm at the beginning of a cycle. With these boron concentrations, the operator has sufficient time to take action in the case of slow, uniform dilution of the primary fluid. The accident scenario examined is as follows: • formation of a non-borated water "plug" in a primary loop (with reactor coolant pumps shut down)
* The reactivity units are defined in Chapter 7.
• restartup of the reactor coolant pump for the loop considered • fast injection into the core of the non-borated water plug • very fast transition to criticality, involving the insertion of more than 300 calories per gram in the hottest fuel pellets (if 5 000 pcm or more is inserted into a core which was initially just critical) • bursting of these pellets and dispersion in minute fragments • interaction of these very hot dust particles with the coolant, which has not had time to reach boiling point upon contact with the clads • steam explosion due to the extended heat exchange area when the fuel and water interact • primary system pressure transient, conditioned by the number of burst pellets • primary system break if the pressure transient is sufficiently forceful, with possible projection of missiles • containment rupture caused by these missiles. This scenario differs from the design basis criticality accidents (Chapter 4) by the pellet bursting and dispersion hazards involved. Pellet bursting implies an extremely high energy input and produces a far more sudden steam explosion than that due to boiling upon contact with the clads, since the heat exchange area is of an entirely different order of magnitude. The risk of fuel dispersion and fast interaction with water in a high energy scenario has been known for a long time: one of the design basis reactivity accident acceptance criteria is that the energy input be limited to 200 cal/g, which leaves experimentally demonstrated margins for only slightly irradiated fuel. Far less is known about what would happen next, which means that the phenomena postulated cannot be excluded, even if their occurrence is not certain. It is to be noted that the studies on this scenario were based on pessimistic assumptions, owing to the uncertainties associated with the phenomena considered.
No allowances were consequently made for possible erosion of the water plug during its formation or for the dispersion and mixing of this water during its transfer to the core. These phenomena would of course have considerably mitigated the accident consequences. On the other hand, this scenario obviously corresponds to the Rasmussen mode α, and would give rise to immediate S1 type release. It was thus indispensable to use the theoretical scenario described to try and identify plausible sequences which could lead to such an accident and to define further preventive measures accordingly if necessary. In this case, accident management provisions are inapplicable, owing to the speed of the phenomenon considered (about 1 second).
Faced with uncertainties as to the actual consequences of a steam explosion, the limit energy input criterion was systematically specified at 200 cal/g. It was consequently considered for reasons of simplification that exceeding this value would give unacceptable consequences. Here again, this is a pessimistic assumption, at least in the case of low burnup fuel. New test programs have been implemented to check the validity of this limit for highly irradiated fuel (cf. Section 18.5.2).
16.2. A plausible scenario and corrective measures

Based on the physical studies described above, the systematic sequence analyses performed in the context of probabilistic safety studies evidenced a scenario with an estimated probability of around 10^-4 per reactor per year, prior to corrective action. The scenario is as follows: • the reactor is in a hot shutdown condition. Boric acid dilution is proceeding with a view to returning to criticality with a boron concentration of about 1 000 ppm. This dilution, starting from a value of 2 000 ppm, is required after each shutdown and lasts about 5 hours • during the dilution, a loss of offsite power stops the reactor coolant pumps • it is then assumed that, since residual power is low, the water in the primary system fails or ceases to circulate naturally • the Chemical and Volume Control and Reactor Boron and Water Makeup system charging pumps are automatically emergency powered by the auxiliary offsite power supply, without operator action. Dilution continues and the primary loop receiving the non-borated water through the feed line fills in about 15 minutes. Non-borated water can then overflow and accumulate at the bottom of the vessel. • power is then restored to the reactor coolant pump on the loop providing the normal pressurizer spray feed, either by the auxiliary power supply line or by resumption of the power supply on the main line. The pump restarts, in conformity with the operating procedure. On the even-numbered 900 MWe units and all the 1300 MWe units of the P4 series, this primary pump serves the same loop as the charging line injecting the non-borated water. • a non-borated water plug, colder than the core water, is then sent to the core. Studies have been performed on the basis of introduction into the core of a horizontal front of cold non-borated water. The criteria are those corresponding to a rod ejection accident (4th category):
16 - Special risks associated with criticality accidents
221
• clad temperature < 1482 °C • energy input < 200 cal/g • molten fuel fraction < 10%. These criteria are reached for a non-borated water volume of about 1 m3 for a 900 MWe reactor. These studies may be considered pessimistic for the following reasons: • it is assumed that the reactor was just critical when loss of the main power supply occurred • no allowances are made for the reactor coolant pump buildup to a full speed transient after restartup • it is assumed that the water in the restarted loop fails to mix with the borated water in the rest of the primary system • the 200 cal/g criterion used is below the risk of dispersion of significant quantities of fuel. However, these studies also show that the reactivity insertion able to induce these conditions is much lower than anticipated. Simply overstepping prompt criticality conditions will suffice, where the reactivity exceeds the proportion of delayed neutrons (3eff, i.e. about 550 pcm. As soon as this scenario had been identified, EDF designed and installed on all units concerned a provisional automatic control device transforming dilution commands into boration actions (injection of water with a 2 000 ppm boron content from the Reactor Cavity and Spent Fuel Pit Cooling and Treatment System tank) in the event of reactor coolant pump shutdown during dilution. This provision significantly reduces, by a factor of about 100, the probability of the scenario. It has also provided an opportunity of stimulating plant staff awareness of criticality accident hazards in this context. An experimental program on an instrumented mockup was also implemented by EDF to gain further insight into hydraulic dispersion and mixing phenomena.
16.3. Identification of other dilution scenarios

Attempts to identify other scenarios have continued, involving systematic investigation of possible initiators for all NSSS configurations, especially those where the primary system is cold, therefore requiring a particularly high boron concentration. In such cases, mixing of the pure water plug with the borated water in the rest of the primary system might not suffice to avert the accident, since water at 60 °C containing 650 ppm of boron would have an effect equivalent to that of non-borated water at 286 °C.

The following sources of non-borated water have been identified as possible criticality accident initiators:
• introduction of secondary system water via an inefficiently plugged steam generator tube
• reactor coolant pump thermal barrier leak
• introduction of pure water from a Chemical and Volume Control System demineralizer
• startup of the residual heat removal system after unscheduled dilution of the water it contains.

A precursor of the first case mentioned, introduction into the primary system of non-borated water via a steam generator tube which had been cut and incompletely plugged, occurred in 1990 in one of the Blayais plant units. The appropriate reaction of the operators enabled a criticality accident to be avoided, but the incident nevertheless confirms the possibility of this type of scenario.

A precursor of slower introduction of non-borated water into the core was observed at Belleville in 1991*. After pressurization prior to the hydrotesting of a pure water accumulator, operation of its drain valve was tested. The accumulator was supposed to be empty, but in fact contained 16 m3 of water. Part of this water circulated by gravity to the core, without resumption of criticality. The non-borated water had mixed with the water from the Residual Heat Removal System and its flow had been obstructed by closure of the accumulator vent pipe. In other circumstances, far more water would have entered the core much more quickly. Since the occurrence of this incident, borated water is used for accumulator hydrotesting.

All the scenarios mentioned are being examined to assess the corresponding risks and define appropriate preventive measures.

16.4. Other criticality accident hazards

16.4.1. Introduction of cold water plugs

The first scenarios involved a rapid drop in boron concentration at constant temperature. Further studies focused on sequences where water colder than the primary coolant entered the core. With a constant boron concentration, a reduction of the coolant temperature, initially at 297 °C, causes a significant reactivity insertion (Fig. 16.2.).
*Cf. Section 26.1.8.
Among the feasible scenarios considered, there is one which is similar to the non-borated water plug case described above. Reactor coolant pump hydrodynamic seals are supplied with water from the Chemical and Volume Control System to ensure their overall leaktightness. The boron concentration in this water is the same as that of the water this system injects into the reactor coolant system. But, unlike the water circulating through the regenerative heat exchangers, which reaches primary coolant temperature before injection into one of the loops, the seal water is cold (about 40 °C). In the event of failure of the normal power supply during hot shutdown, the water supply to reactor coolant pump seals is maintained. This cold water can then fill the intermediate loops if the residual power is unable to maintain natural circulation in the primary system. As soon as a reactor coolant pump restarts, all this water, more or less mixed, is inserted in the core.
Fig. 16.2. Overall effect of core coolant variations under shutdown conditions (plot of temperature-induced reactivity variation, in pcm, versus primary system water temperature, in °C).
With a view to counteracting the possible effects of this family of sequences, the probability of which also seems significant, EDF proposed in 1993, four years after the initial anti-dilution modification, that one of the trigger signals be changed. Injection of borated water from the fuel pool water reserves was tripped by the simultaneous occurrence of reactor coolant pump stoppage and a configuration allowing input of non-borated water to the primary system. The first signal is maintained, but the second is now based on a core residual power calculation aimed at assessing natural circulation possibilities. It combines the core cooling period since shutdown with an estimation of the power level reached beforehand.
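The two trigger logics just described (the provisional device of Section 16.2, and the 1993 revision that replaces the dilution-configuration signal by a residual power estimate) can be written out as a small interlock. The block below is an added illustration, not EDF's design or code. The Way-Wigner decay-heat correlation, the 0.5 % natural-circulation threshold, the field names and the sample plant states are assumptions made for the example; only the 2 000 ppm boration value comes from the text.

```python
"""Anti-dilution interlock logic, as an added illustration (not EDF design data).

Two trigger variants are modelled:
  - provisional device: pump stopped while dilution is lined up -> boration
  - 1993 revision: pump stopped AND residual power too low to sustain natural
    circulation, estimated from time since shutdown and the prior power level.
"""
from dataclasses import dataclass

BORATION_PPM = 2000                 # boron content of the injected makeup water (from the text)
NATURAL_CIRC_MIN_FRACTION = 0.005   # assumption: below 0.5 % of nominal power, natural
                                    # circulation is not credited


@dataclass
class PlantState:
    rcp_running: bool             # at least one reactor coolant pump running
    dilution_lined_up: bool       # makeup system configured to inject non-borated water
    hours_since_shutdown: float   # core cooling period since shutdown
    hours_at_power: float         # operating time before shutdown
    power_fraction_before: float  # fraction of nominal power reached before shutdown


def residual_power_fraction(hours_since_shutdown, hours_at_power, power_fraction_before):
    """Decay heat as a fraction of nominal power.

    Uses the Way-Wigner textbook correlation P/P0 = 0.0622 [t^-0.2 - (t + T)^-0.2]
    (t = seconds since shutdown, T = seconds of prior operation); this is an
    assumption standing in for the plant-specific calculation mentioned in the text.
    """
    t = max(hours_since_shutdown, 1e-6) * 3600.0   # avoid t = 0 (infinite value)
    t_op = hours_at_power * 3600.0
    return power_fraction_before * 0.0622 * (t ** -0.2 - (t + t_op) ** -0.2)


def provisional_trigger(state):
    """Provisional device: reactor coolant pump stoppage while dilution is lined up."""
    return (not state.rcp_running) and state.dilution_lined_up


def revised_trigger(state, threshold=NATURAL_CIRC_MIN_FRACTION):
    """Revised signal: pump stoppage while residual power cannot sustain natural circulation.

    The dilution-configuration condition is deliberately absent: the cold seal-water
    scenario of Section 16.4.1 occurs without any dilution in progress.
    """
    if state.rcp_running:
        return False
    p = residual_power_fraction(state.hours_since_shutdown,
                                state.hours_at_power,
                                state.power_fraction_before)
    return p < threshold


def makeup_command(state, trigger):
    """Makeup action for a given trigger function.

    Returns ('borate', ppm) when the interlock converts the command into boration,
    ('dilute', 0) when dilution may proceed, ('hold', None) otherwise.
    """
    if trigger(state):
        return ("borate", BORATION_PPM)
    if state.dilution_lined_up:
        return ("dilute", 0)
    return ("hold", None)


if __name__ == "__main__":
    # Constructed sample: hot shutdown one hour after a 30-day run at full power,
    # pumps lost during dilution (the Section 16.2 scenario).
    s = PlantState(rcp_running=False, dilution_lined_up=True,
                   hours_since_shutdown=1.0, hours_at_power=720.0, power_fraction_before=1.0)
    print("residual power fraction:", round(residual_power_fraction(1.0, 720.0, 1.0), 4))
    print("provisional device:", makeup_command(s, provisional_trigger))
    print("revised signal:    ", makeup_command(s, revised_trigger))
```

With the assumed threshold, the revised signal does not fire one hour after shutdown (decay heat is still near 0.9 % of nominal power) but does fire three days later, when it has dropped to about 0.2 %; this is the point the text makes about thermosiphon circulation stopping a few days after shutdown.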
16.4.2. Thermal hydraulic studies

Since discovery of the first scenario, EDF has undertaken a large number of surveys to try to define the risks with less uncertainty. We have already mentioned the hydraulic investigation of mixing propensities when a reactor coolant pump is started. Other thermal hydraulic studies have attempted to define the conditions under which natural circulation could induce mixing by flow or erosion of the non-borated water plug. Mixing seems satisfactory in some, but not all, cases, which means that the problem remains, even if the accident probability is lower. In particular, thermosiphon circulation could stop in a primary loop once the residual power had decreased, i.e. a few days after reactor shutdown. These studies are proving more time-consuming than anticipated. Precautions are being gradually introduced in the various operating and maintenance procedures. In addition, plant operators have been made aware of criticality accident hazards, which enabled, for instance, the input of (non-borated) secondary water into the primary system of a Blayais plant unit, described above, to be efficiently dealt with.

The EDF on-going study programs on this question are aimed at:
• modifying the conservative approach to the physical studies, adopted owing to insufficient knowledge
• identifying, even in maintenance-related situations, various fast dilution or cold water input scenarios liable to lead to severe consequences.

These studies will of course be submitted to careful critical assessment by the IPSN.
16.5. International information

The scenarios considered have obviously been presented, as soon and as widely as possible, to our partners abroad, both in the context of bilateral agreements and of international meetings organized by the OECD Nuclear Energy Agency or by the IAEA.
Since the Three Mile Island accident, this is a normal reflex, at least in the Western nuclear community. Reporting even a theoretical accident precursor to other operators or safety organizations is as important as presenting real incidents. For this is the domain of safety culture. The initial skepticism encountered seems to be losing ground, especially in probabilistic study circles. These trends are grounded on design differences, especially with regard to the emergency powering of the different systems and components, which could reduce the probability of occurrence of certain scenarios, although without, of course, eliminating them in their entirety. But concrete conclusions are still hard to come by. However, the efforts made in France must not be discouraged before unequivocal conclusions have been reached on these questions.
17
Emergency preparedness and IPSN resources
All the measures taken to limit and delay severe accident consequences would be of little interest if the time saved was not used to make appropriate provisions for population protection outside the plant. This doesn't mean that evacuation should be ordered for every minor incident - that would be both ridiculous and dangerous. Consequently, an organization was set up by the French public authorities in cooperation with the main nuclear plant operators. The structures described hereafter refer to standardized French PWR's, but the basic principles apply to any plant.
17.1. Emergency Preparedness

Starting from each plant which, first, can detect and identify any significant abnormal situation, this organization involves EDF headquarters and many government departments: the General Secretariat of the Interministerial Commission for Nuclear Safety, the Civil Security Board, the Nuclear Installation Safety Directorate, the Office for Protection against Ionizing Radiation (OPRI) and, finally, the Prefet concerned, who is the local Government Representative. Only two persons are authorized to take operational decisions, the plant operator, who has to take direct action regarding the source of radioactivity and to implement the Internal Emergency Plan outlined in Chapter 15, and the local Government Representative, who has to make decisions regarding the maintaining of law and order and population protection in the framework of the External Emergency Plan described at the end of this chapter. Both these persons are obviously advised by their respective national authorities.
17.1.1. Role of the safety authority

In the event of a nuclear crisis, the Nuclear Installation Safety Directorate, assisted by the competent Regional Directorate for Industry, Research and the Environment, would have three functions:
• assist the local Government Representative
• ensure that judicious provisions have been made by the plant operator
• take part in the information of the population.

In order to be able to assist the local Government Representative, the DSIN must be provided with a technical analysis of the accident comprising a diagnosis of the situation at the affected plant and a forecast of how it will evolve, particularly with regard to possible radioactive release. This analysis is performed by IPSN under conditions and with resources described further on in this chapter. The diagnosis and forecast will enable the DSIN to advise the local Government Representative as to counter-measures which could prove necessary to protect populations: distribution of stable iodine, confinement indoors, evacuation in very severe cases. Since these measures concern radiation protection, advice given to the local Government Representative would obviously have been previously discussed with the minister for health and the associated health physics technical support structure OPRI.

Whether in an emergency or under normal operating conditions, the plant operator remains responsible for the safety of his installations. It is not the role of the DSIN to lay down the technical measures to be taken to contend with an accident. However, certain operations can have serious consequences for the environment, such as containment venting, for example. It is for this reason that safety authority ratification is required in such cases.

Finally, a nuclear accident provokes a huge demand for information on the part of both populations and media, in France and abroad. All those likely to be concerned would be subjected to severe pressure from the media.
It would be unrealistic to insist that outside communication be entrusted to one organization. However, it is most important that such communication be as homogeneous and consistent as possible. For this reason, it is planned to set up an interministerial information cell, attached to the ministry for industry, ensuring harmonized communications between the different ministries, based on the statements of the local Government Representative and the plant operator, in both local and national contexts. The DSIN would prepare the technical communication elements for this cell and ensure their consistency with bulletins issued by the other organizations concerned.
17.1.2. Material resources and organization

A prerequisite for crisis management activities is an alarm system to mobilize those required to deal with a nuclear accident. Most DSIN and DRIRE technical staff carry an individual alarm device, which can be triggered directly by the nuclear plant operators on a 24-hour, 7 days a week basis. IPSN on-call personnel are similarly equipped. The national crisis organization is based on a decision network associating the Central Command Stations (CCS) of the plant concerned, of EDF headquarters, of the Nuclear Installation Safety Directorate and of the local Government Office concerned and on an advisory network composed of EDF technical crisis centers (local and national level) and of the IPSN teams (Fig. 17.1.).
Fig. 17.1. Organization in case of an accident on an EDF NPP.
Each crisis center reports to its Central Command Station. In this context, IPSN provides technical assistance to DSIN. Each participant has all the necessary technical and liaison facilities to efficiently act when needed. Periodical crisis exercises are carried out to test all or part of the provisions adopted.

When an incident or accident occurs at a nuclear plant, the DSIN, in charge of the responsibilities of the Ministries of Industry and of the Environment in that respect, actuates the following organization:
• a Central Command Station (CCS), located in the Ministry of Industry's crisis center, under the direction of the head of the DSIN or his representative
• a crisis team, located in the IPSN technical crisis center at Fontenay-aux-Roses
• a local team, split up between the site and the local authority, composed of basic nuclear installation inspectors, engineers from the relevant Regional Directorate for Industry, Research and the Environment (DRIRE), from DSIN and possibly IPSN. On site, the primary role of the team is to ensure proper transmission of accurate information to the DSIN crisis team. The head of this local team, designated by the DSIN Central Command Station, should work with the local Government Representative.
17.2. Role of the IPSN crisis team

The task assigned to IPSN in this context is as follows:
• provide DSIN with the technical data required to judge the measures taken by the plant operator
• forecast developments of the situation from the technical point of view and of the radioactive release involved, including characterization, localization and environmental consequences of such release.

These estimates should enable public authorities to take appropriate steps to ensure both population and environment protection. The process is thus iterative: based on available information regarding latest developments, a diagnosis is made on the current situation and subsequent developments are forecast. Zones where special protective measures such as evacuation, sheltering, distribution of stable iodine or restrictions on the consumption or marketing of local produce could be required, can then be identified.

At the IPSN technical crisis center, two separate teams, coordinated at management level, work on identification of the plant condition and possible accident evolution ("assessment" cell) and on calculation of the associated radiological consequences and necessary population protective measures to be implemented ("radiological consequences" cell). The first cell is composed of eight to ten people. These are specialists directly assigned to the technical crisis center and engineers from other units well aware of plant systems and operation. The second cell is, initially, only composed of specialists assigned to the technical crisis center. Except in the case of an initial release, the "assessment" cell comes into action first to assess the possibility of radioactive release and the delay before it happens. The work of the second team, on the other hand, may continue after the actual accident sequence is over. The purpose then is to direct and monitor post-accident provisions, using measurements made on site and around the plant to ensure that short, medium and long term measures taken are appropriate to the release observed and recommend additional measures if required. Each team has its own tools, which have been gradually optimized and computer-based since 1981 when IPSN was required to set up a technical crisis center.
17.3. Method and tools of the assessment cell

The method used was defined by EDF, together with IPSN and Framatome. It is used by the different crisis teams. It is aimed at structuring the approach of the different teams and guiding concerted action.
17.3.1. Principle of the method

The "triple diagnosis, triple forecast" method is based on the defense in depth concept. Determining the condition of the different barriers allows identification of the type of accident. Identification of the main occurrences enables the release to be quantified and the state of the safety functions ensuring the integrity of the barriers to be assessed. This diagnosis can then be used to forecast subsequent developments and assess ultimate radioactive release.

During the diagnosis step, estimation of the condition of the barriers and safety functions is based on observation of variations in the main plant physical parameters and the condition of systems and on determination of complementary parameters through calculation. Diagnosis of the accident allows it to fall in a general category for which prevailing parameters to be watched, main physical phenomena, and likely developments have previously been assessed or can be estimated.

For forecasting, the method is based on assessment of the evolution of barrier conditions with associated times involved, taking into account the present and foreseen condition of safety functions and the long term availability of safeguard systems (Table 17.1.). Two cases may then arise:
• if the diagnosis shows that all safety functions are ensured, the plant unit is in a stable or fairly stable state. Forecasting will then be carried out in two steps. First, it is assumed that accident conditions will not worsen. Second, the appearance of one or several plausible additional failures is postulated. Selection of these failures is based on the condition of safety functions, the results of tests performed and expert judgment
• if, on the other hand, a safety function has already failed, forecasting focuses on possible developments without any additional aggravating circumstances.

Table 17.1. Barrier condition assessment (possible states of each barrier).
Fuel: sound / clad failures / meltdown
Primary system: sound / break inside the containment / break outside the containment / steam generator tube break
Containment: sound / leak exceeding design basis leak / containment bypass via primary system / containment bypass via a steam generator

Actual or possible fission product release is quantified by means of simplified, realistic modeling of main physical phenomena and, as soon as possible, based on measurement results. The safety functions under consideration here are a little more detailed than those presented in the previous chapters (Table 17.2.). They include control of subcriticality, maintaining an adequate amount of water in the primary system, removal of residual heat from the core and containment control. The latter function includes control of residual heat removal from the containment, composition of the containment atmosphere and efficiency of the containment isolation systems. Implementation of the method is recorded on a recapitulative data sheet, describing the present and foreseen conditions of the different barriers and safety functions and the associated radioactive release.
Table 17.2. Safety function condition assessment (possible states of each safety function).
Sub-criticality: comfortable margin / small margin / doubt
Water inventory: satisfactory / degraded / core uncovered / doubt
Primary pressure/temperature: satisfactory / inadequate / doubt
Containment: satisfactory / hydrogen explosion risk / slow pressurization / use of sand bed filter
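The recapitulative data sheet the method produces, together with the two forecasting cases of Section 17.3.1, can be represented as a small validated record. The block below is an added illustration, not IPSN's own software. The state vocabularies are taken from Tables 17.1 and 17.2; the rule that only the first listed state of each safety function counts as "ensured" (so that "doubt" is treated as not ensured) and the bypass test are simplifying assumptions made for the example.

```python
"""Recapitulative data sheet for the "triple diagnosis, triple forecast" method.

Added illustration, not IPSN tooling. State names come from Tables 17.1 and 17.2;
the "ensured" rule and the forecast wording are assumptions for the example.
"""
from dataclasses import dataclass, field

# Possible states of each barrier (Table 17.1).
BARRIER_STATES = {
    "fuel": ("sound", "clad failures", "meltdown"),
    "primary system": ("sound", "break inside the containment",
                       "break outside the containment", "steam generator tube break"),
    "containment": ("sound", "leak exceeding design basis leak",
                    "containment bypass via primary system",
                    "containment bypass via a steam generator"),
}

# Possible states of each safety function (Table 17.2).
FUNCTION_STATES = {
    "sub-criticality": ("comfortable margin", "small margin", "doubt"),
    "water inventory": ("satisfactory", "degraded", "core uncovered", "doubt"),
    "primary pressure/temperature": ("satisfactory", "inadequate", "doubt"),
    "containment": ("satisfactory", "hydrogen explosion risk",
                    "slow pressurization", "use of sand bed filter"),
}

# Assumption: only the first listed state of a function means the function is ensured.
ENSURED_STATE = {name: states[0] for name, states in FUNCTION_STATES.items()}


@dataclass
class DataSheet:
    barriers: dict                 # barrier name -> state (Table 17.1)
    functions: dict                # safety function -> state (Table 17.2)
    release_note: str = ""         # assessed release, filled in by the cell
    foreseen: dict = field(default_factory=dict)  # forecast states, same vocabulary

    def validate(self):
        """Reject unknown barriers/functions, unknown states, or missing entries."""
        for table, entries in ((BARRIER_STATES, self.barriers), (FUNCTION_STATES, self.functions)):
            for name, state in entries.items():
                if name not in table or state not in table[name]:
                    raise ValueError(f"unknown state {state!r} for {name!r}")
            missing = set(table) - set(entries)
            if missing:
                raise ValueError(f"missing entries: {sorted(missing)}")
        return True

    def failed_functions(self):
        """Safety functions whose state is not the ensured one (doubt counts as not ensured)."""
        return [name for name, state in self.functions.items() if state != ENSURED_STATE[name]]

    def forecast_plan(self):
        """The two forecasting cases of Section 17.3.1."""
        failed = self.failed_functions()
        if not failed:
            return ["unit in a stable or fairly stable state",
                    "step 1: forecast assuming accident conditions do not worsen",
                    "step 2: postulate plausible additional failure(s) and forecast again"]
        return [f"safety function(s) not ensured: {', '.join(failed)}",
                "forecast possible developments without additional aggravating circumstances"]

    def containment_bypassed(self):
        """True for the two bypass states, where release can reach the environment directly."""
        return self.barriers["containment"].startswith("containment bypass")


if __name__ == "__main__":
    # Constructed sample: steam generator tube break with the core uncovered.
    sheet = DataSheet(
        barriers={"fuel": "clad failures", "primary system": "steam generator tube break",
                  "containment": "containment bypass via a steam generator"},
        functions={"sub-criticality": "comfortable margin", "water inventory": "core uncovered",
                   "primary pressure/temperature": "doubt", "containment": "satisfactory"},
    )
    sheet.validate()
    for line in sheet.forecast_plan():
        print(line)
    print("containment bypassed:", sheet.containment_bypassed())
```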
17.3.2. Practical implementation of the method

The method is implemented in relatively distinct but iterative steps. The first step is initial diagnosis. It starts with the crisis team being set up and goes on for about one hour. Information from the damaged plant is gathered and analyzed; parameters for which no information is available are identified and estimated; a summary report, in a predefined form, is then drawn up. Necessary data are of three types:
• initial data, related to plant condition prior to the occurrence of the initiating event (reactor state, load history, fuel condition, etc.)
• system actuation and operation up to that time (protection commands, account of automatic actions, operating procedures followed, availability of systems, etc.)
• evolution of parameters related to physical phenomena in NSSS and containment (primary and secondary system pressures and temperatures, reactor vessel and pressurizer water levels, primary and secondary system water injection rates, activity and dose rate measurements in the containment and peripheral buildings, etc.).

A hundred complementary measurements were deemed necessary to diagnose plant condition in this context. There are three data transmission systems:
• an audioconference system, enabling discussion with the EDF crisis team on the site, using a special telephone network
• several fax machines periodically receiving lists of the instant values for 40 physical parameters, obtained from the displays in the control room
• a computer used to request from the damaged reactor data processing system computer-generated images describing system condition and procedures implemented.

The technical crisis center includes a workstation, similar to that of a safety engineer, which is connected to the affected plant in the event of an accident. In addition, this data processing system transmits each minute the selected hundred measurements, which are locally processed and filed. The data are displayed in such a way that modifications to the state of the barriers and safety functions can be followed on the screen. Their validation is based on knowledge of the measurement systems used, the qualification of the associated sensors, the thermal hydraulic or mechanical stresses involved, the availability of the relevant power supplies and on comparisons between different data. Observation of physical parameter plotting enables deduction of phenomena involved, taking into account the known automatic protection orders, operator-initiated reactor control sequences and availability of safeguard systems. Comparison with reference sequences can help in understanding the situation.

The quantitative diagnosis step can then start. Thermal hydraulic conditions of the primary system are assessed by determination of a mass energy balance based on data received. This is used to calculate variables which cannot be measured. Any deviation from calculated estimates requires modification of the complementary assumptions made. Activity transfers inside the plant are determined by means of physical models used to calculate concentrations of radionuclides in different areas, on the basis of general laws derived from severe accident parametric studies. Results obtained are expressed in terms of activity concentrations or dose rates and compared with available measurement results. At the end of the initial diagnosis step, a recapitulative data sheet is filled in, involving various crisis teams.
Any discrepancy between crisis team findings must be explained and may lead to reassessments.
17.3.3. Real time accident monitoring and outcome forecasting

The second step consists in observing accident evolution and forecasting possible developments. It is a continuous process until the reactor has returned to a stable safe configuration.
After identification of the type of accident and assessment of the state of barriers and safety functions, main physical parameters, conditions of the various systems and operator actions are monitored in real time. Calculation of thermal hydraulic parameters and radioactivity transfers are updated, taking into account new data acquired. This allows detection of any new occurrence at the site, which could require modification of assumptions previously made. It could even result in changing the type of accident considered, consequently requiring use of different software aids.

Accident outcome forecasting uses two types of specialized tools (thermal hydraulic parameters, fission product transfers). These calculations also require complementary assumptions, particularly regarding ultimate availability of safeguard systems. Physical models and laws are the same as those used in the diagnosis software, but, in this case, associated with additional assumptions, they enable prospective calculation of the trends in physical parameter changes. Further recapitulative data sheets are filled in jointly with the other crisis teams.

During this step, an attempt is made to quantify the time left before a critical situation is reached, by trying to answer, when appropriate, the following questions:
• size of the primary system break (diagnosis data)
• time left before core dewatering, clad failures, core meltdown
• percentage of clad failures and molten core
• localization and quantification of the containment leak
• quantification of the hydrogen risk
• activity released.

These assessments, associated with knowledge of the operator actions required by procedures and availability of systems required, enable estimation of plausible radioactive release within the next 24 or 48 hours. Determination of release which has actually occurred is mainly based on measurements. Radioactive release data provide the input for the unit responsible for assessing radiological consequences.
17.3.4. Assessment cell tools

Software aids for assessing the condition of a plant are contained in a package known as SESAME (Schema d'Evolution des Situations Accidentelles et Moyens d'Evaluation) (Fig. 17.2.). These are high-speed routines using correlations or simplified physical models. They are developed and validated by comparison with the results of codes such as those used in the ESCADRE system, designed for realistic assessment of severe PWR accidents.

BRECHEMETRE estimates the size of the primary system break, using a primary system water mass balance, taking into account the safety injection rate and a critical flowrate* correlation.

SCHEHERASADE determines the time before core dewatering by assessing modifications to the mass of water in the primary system, using a mass and energy balance between the primary and secondary systems.

SINBAD contains a set of correlations pertaining to:
• thermal hydraulics, describing water conditions as a function of associated pressure and temperature
• fuel condition, estimating the degree of degradation and the time left before clad failures occur
• containment condition, indicating leak rates to recovery systems and to the environment. For the latter aspect, it uses results provided by the expert system ALIBABA which diagnoses containment leakage. This diagnosis is based on radioactivity measurements in the auxiliary buildings and ventilation systems and on data related to the closure of containment isolation valves.

CRAC assesses the negative reactivity margin, taking into account effects related to control rod positions, fuel, moderator, boron concentration and xenon buildup.

PERSAN calculates fission product release to the environment for accidents where there is no direct leakage from the containment, unlike in the case of steam generator tube ruptures. It calculates and monitors, versus time, fission product release to and outside the primary system, fission product deposits in the containment with or without spray, proportion of containment leakage direct to the atmosphere and that via peripheral buildings, filter efficiency and fission product deposits in the peripheral buildings. This software uses data from several other modules.
RTGV calculates fission product release to the environment in case of steam generator tube ruptures occurring before core degradation.
* The critical flowrate is the maximum flow rate through an opening. The maximum possible velocity is the velocity of sound in this fluid. For a mixture of water and steam, under conditions representative of a pipe break, this velocity ranges from 800 m/s for pure water to 400 m/s for pure steam, with a minimum of 150 m/s when the proportion of steam represents half the volume of the mixture.
ALADIN is an expert system providing information on the availability of safeguard systems. These data supplement those displayed on the safety panel. It focuses particularly on the consequences of power supply unavailabilities. ALADIN output data are used by several other tools. HYDROMEL estimates the risk of hydrogen explosion in the containment based on the composition of the mixture as assessed by the code and on the SHAPIRO chart and calculates the maximum pressure and temperature reached in case of a deflagration, together with the composition of the gaseous mixture left in the containment after this explosion.
Fig. 17.2. SESAME system programs (diagram): BRECHEMETRE, size of the primary circuit break; SCHEHERASADE, delay before core uncovery; CRAC, reactivity evaluation; SINBAD, physical state of the fuel (delay before clad failures and fraction of core meltdown) and quantification of containment leaks; ALIBABA, containment leakage localisation; ALADIN, safety system availability; HYDROMEL, hydrogen risk; PERSAN, source term for accidents different from SGTR (fission products released inside and outside the primary circuit, containment deposits and release, filtration and deposits in auxiliary buildings); RTGV, source term in case of steam generator tube rupture.
17.4. Methods and tools of the radiological consequences cell

It was not deemed necessary to define formal procedures for this team since, as far as the immediate response step is concerned, only a small group of specialists is involved and no engineer in charge of the plant follow-up is needed. Since quantity, kinetics and time parameters will be included in the release forecast, additional elements required for assessment of associated radiological consequences are the meteorological data: wind direction and speed, atmospheric stability, rain. During the stage before the release, simple methods based on operational charts are used. Results cannot be more accurate than the weather forecasts for the next 24 to 48 hours. For example, during such a period of time there is a 30% probability for the wind direction to shift outside the ± 30° zone round the forecast direction in case of a site with pronounced topographic relief. During and after the release, on the other hand, meteorological conditions are measured. Data are thus far more precise. Uncertainty on the wind direction, for instance, is then only ±10°.

In the event of an accident with possible radioactive release to the environment, the "Meteo France" crisis center is actuated and a direct computerized data link with this service is set up. It gives more accurate forecasts, providing figures and more detailed data in the vicinity of the site, together with trajectories enabling calculation of long distance radiological consequences. Some programs are designed to directly use these data. The Technical Crisis Center also receives "Meteotel" images, provided by interpretation of Europe-wide data from the "Meteosat" satellite. These include a rain map, based on detection by a radar network, covering the whole of France. A 36-hour forecast is given by the PERIDOT program, for 6-hour periods and several altitudes. These are updated every 12 hours.
While the release is actually going on, meteorological data are supplied from the weather station on the site, using the same channels as for transmission of technical data on the plant unit conditions. All these elements allow radiological consequence forecasts and proposition of countermeasures. Then, on the basis of the effective release figures, it is possible to form a more and more accurate picture of local conditions and countermeasures required. The scope of this assessment must encompass all zones affected by deposits, so that radionuclide concentration in local agri-foodstuff products, for instance, can be estimated and compared to the marketing limits set by the CEC. However, any decision in this respect will be based on actual measurement results.
17 - Emergency preparedness and IPSN resources
These measurements may also be used by the "assessment" cell, in the event of a containment bypass scenario, for example.

Radiological consequence assessment uses two mainly computerized systems together with manual devices. The CONRAD system is used to calculate transfer of contaminated products to the environment. The CART system provides a representation of the radiological situation of contaminated areas with respect to the different geographical characteristics of the sites (natural, economic and human environment).

CONRAD includes three systems to calculate atmospheric release consequences within a radius of a few tens of kilometers round the site and one long distance calculation system. The first system is a set of 29 atmospheric and surface transfer operational charts, which can be used quickly, by hand, at the beginning of the crisis situation, when there is little available information on the release which could be anticipated, or to provide approximations based on measurements. It covers all possible weather situations, which will be discussed in greater detail at the end of this chapter. It provides a preliminary assessment of the radiological consequences, enabling appraisal of measures to be taken in the short term. These charts have an aperture angle integrating an uncertainty of ± 15° on the wind direction. For sites with pronounced topographic relief, such as cliff sites for instance, there is a special site by site adaptation of the charts. Multiplication of transfer coefficients by activity released and dose conversion factors provides fast indications regarding the level of risk in different areas. The second system is a program based on a Gaussian plume model, giving integrated doses for a set of weather conditions. The third system, the SIROCCO code, uses the "puff" model, and enables processing of all release kinetics, all meteorological conditions and possible variations versus time. It calculates dose rates and external exposure doses due to immersion in the plume or deposits, inhalation doses to various organs and effective doses. These results can be used to plot isometric curves or to assess possible consequences in specific selected areas, such as highly populated zones. For longer distance assessments, a special version of the code has been developed, SIROCCO-LD, using wind trajectories supplied by "Meteo France". In addition, manual charts have been prepared for different release scenarios to enable rapid estimation of long distance consequences (up to 5 000 km).

The purpose of the CART system is to provide the clearest possible image of the radiological situation in areas which have been or could be contaminated. These images can then be used to determine in which areas radioactivity measurements and contamination mapping are most urgent. Calculation or measurement results can be presented on digitized site maps, on a local, regional or national scale. Indications include population distribution, communication networks, hydrographic conditions, soil and land-use maps. At the post-accident stage, this system is used to summarize the recorded measurement results, eliminate inconsistencies and produce validated contamination maps.
17.5. Conclusion on the method and tools

For each simplified model, a parametric study of the associated physical phenomenon, based on experiments and computer codes, is needed to determine the most sensitive variables and to propose realistic laws for the specific area of use. Since release calculations aim at defining countermeasures for the population, they must be as realistic as possible to avoid erroneous decisions.

The ability of the crisis organization to properly and efficiently fulfill its mission in case of a severe accident at a nuclear power plant can be guaranteed only by adequate situational training. Over a period of ten years, such training sessions have provided invaluable feedback. They particularly highlighted the importance of rational, hard and fast rules in organizing the team work. They also evidenced the need for initial training and periodical practical refresher courses for the experts assigned to the technical crisis center.

National crisis exercises are carried out every six months; each one focusses on specific objectives defined by a committee composed of various members of the national crisis organization. Scenarios, drawn up by IPSN and EDF in turn, are based on existing accident studies and on results of probabilistic safety studies. The duration of these exercises is between six and twelve hours and generally includes a period when the selected transient is run on a simulator connected to the national crisis centers, with an actual operating team in action, followed by a period of data transmission through preformatted messages. The various crisis teams then have to use their own methods and tools to carry out the tasks assigned to them. After the exercise, debriefing meetings are organized to check whether the objectives have been met, whether the tools provided proved efficient and to discuss difficulties encountered. The IPSN technical crisis center organization was modified to take into account feedback from situational training sessions. Expert workstations were created accordingly and the profiles of the experts needed were clearly defined.
17.6. External Emergency Plan

The organization of local emergency actions for protection of the population and the environment beyond the site is defined in the External Emergency Plan. It is placed under the responsibility of the local Government Representative. This plan specifies command structures, tasks assigned to different services and the warning procedures set up. It lists available specialized resources and required transmission systems. The command structure is based on:
• a central command headquarters, located at the local Government offices, which centralizes all information, prepares decisions and provides the links between all authorities involved
• an operational command headquarters, which conducts actual field work and centralizes radiological measurement data.

The local Government Representative, the heads of the various local services and their representatives go to their assigned HQs to fulfill their assignments, which depend on the level at which the plan is to be implemented. The local Government Representative is responsible for population protection decisions. Provisions are made in the plan for three types of countermeasures:
• sheltering of populations
• zoned evacuation of populations
• distribution of stable iodine.

Warning procedures specify the information channels to be used:
• between the operator and public authorities
• between the local Government offices and involved services
• for the population, by permanently installed sirens, mobile systems for transmission of oral messages, sound-radio and television receivers, etc.

The plan lists not only general provisions made with regard to medical assistance, law and order, transport and civil works, but also specialized services, such as the Mobile Radiological Units and, more generally, the Office for Protection against Ionizing Radiation, any CEA unit or IPSN.

The External Emergency Plan, as soon as completed and quite apart from any critical situation, contributes to the information of the population. It is a public document, which can be consulted by all those interested at the town halls of all the localities concerned by its implementation. Associated with it are leaflets containing recommendations to the population in the event of an accident, which are distributed to all homes within a radius of 10 km around the site.
17.7. Environmental transfer and deposit conditions

Release from buildings, directly or via the stack, will diffuse through the outside atmosphere and its behavior will depend on local weather conditions. Inert gases, such as noble gases and certain forms of iodine, will be diffused and transported by wind. Aerosols, which include the other forms of iodine, are also diffused and transported but, in addition, are partially deposited on the ground in dry weather, or washed down by rain in wet weather. So the process will differ according to the meteorological conditions.

In Chapter 5, the method to determine the radiological consequences of design basis accidents is described. It conventionally uses the bounding case Le Quinio coefficients, which is justified in this context. For severe accident surveys and the management of real accidents, more realistic assessments were necessary, more sensitive to atmospheric conditions. In what follows, we only describe what is currently available in operational chart form, suitable for fast assessments. The conventional options as to wind speed or atmospheric stability used for these charts are of course unnecessary for computerized systems like SIROCCO.

Weather conditions are defined by atmospheric stability, wind speed and the presence or absence of precipitation. Atmospheric stability is characterized by the vertical thermal gradient. If this is only slightly negative or even positive, there will be few vertical wind fluctuations. Diffusion is then considered poor. Otherwise, it is normal.

Wind speed at the plant site is measured either at a level of 10 m from the ground or, if possible, between 50 and 100 m. The operational charts are generally based on four wind speed ranges corresponding to levels between 50 and 100 m above ground level: less than 2 m/s, between 2 and 5 m/s, between 5 and 10 m/s and over 10 m/s. Poor diffusion is practically impossible for a wind speed exceeding 7 m/s. For measurements 10 m from ground level, the corresponding wind speeds are less than 1 m/s, between 1 and 3 m/s, between 3 and 7 m/s and over 7 m/s.
Table 17.3. Meteorological condition symbols used in the charts (*C = calm).

Wind speed range between 50 and 100 m (m/s)    u < 2 (C*)   2 to 5    5 to 10   > 10
Aperture angle                                 360°         75°       45°       35°

Gas
  Normal diffusion                             DNCg         DN2g      DN5g      DN10g
  Poor diffusion                               DFCg         DF2g      DF5g      -

Aerosols
  Normal diffusion, without rain               DNCa         DN2a      DN5a      DN10a
  Normal diffusion, with rain                  DNCap        DN2ap     DN5ap     DN10ap
  Poor diffusion                               DFCa         DF2a      DF5a      -
With these wind speeds are associated aperture angles with respect to the areas where diffusion and deposit take place. A light wind, at a speed of less than 2 m/s measured between 50 and 100 m from the ground, will give no preferential transport direction. The effects of the release will be observed in all directions. For a wind at a speed of between 2 and 5 m/s, these effects will be dispersed in an angle of 75° around the mean estimated direction. The angle will of course be smaller for higher wind speeds (45° and 35° for the two highest wind speed ranges).

An aerosol deposit rate of 5 × 10⁻³ m/s has been adopted for "dry" deposits. In the event of rain, the aerosol washout rate is 10⁻⁴ per second for each mm per hour of rainfall. Gases are unaffected.

The operational charts, using the above sets of conditions, were based on a diffusion model developed by IPSN from the DOURY model. The theoretical bases for a French-German model, which will replace current practice in both countries, have now been defined and new charts should be available in 1996.

For a theoretical release of 1 TBq over a 5 minute period, the coefficients and charts give the integrated atmospheric concentrations and surface concentrations versus distance. It should be borne in mind that the Le Quinio model pertains to a continuous release over 1 hour. The curves given in this chapter and those in Chapter 5 may consequently only be compared after application of appropriate coefficients. The detailed charts obtained are useful for the management of real accidents. The atmospheric diffusion coefficient is observed to vary between extremes roughly by a factor of 10 at a given distance and, in general, to decrease as the reciprocal of the distance raised to the second power.
Fig. 17.3. Gas atmospheric transfer coefficients (s/m3) versus distance from the emission point (km); one curve per chart symbol: DFCg, DF2g, DF5g, DNCg, DN2g, DN5g, DN10g.
In order to take release duration into account, the transfer coefficients must be divided by the following corrective factors (Table 17.4.):

Table 17.4. Duration corrective factor.

Release duration and exposure time    Corrective factor
5 min                                 1
30 min                                1.5
1 h                                   3
2 h                                   4
8 h                                   7
12 h                                  8
> 1 day                               9.5
Fig. 17.4. Aerosol atmospheric transfer coefficients (s/m3) versus distance from the emission point (km); one curve per chart symbol: DFCa, DF2a, DF5a, DNCa, DN2a, DN5a, DN10a, DNCap, DN2ap, DN5ap, DN10ap.
In order to take release duration into account, the transfer coefficients must be divided by the following corrective factors (Table 17.5.):

Table 17.5. Duration corrective factor.

Release duration and exposure time    Corrective factor
5 min                                 1
30 min                                1.5
1 h                                   3
2 h                                   4
8 h                                   7
12 h                                  8
> 1 day                               9.5
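The chart method of section 17.7 and the duration factors of Tables 17.4 and 17.5, carried into a small Python helper as an added example (not IPSN or CONRAD code): it builds the chart symbol from the measured conditions, applies the duration factor, deposition rate and washout rate printed above, and turns a chart reading into a first dose estimate. The ATC and dose conversion factor values it takes are placeholders, since the curves themselves are not reproduced here, and the deposit and washout relations are standard first-order forms assumed for the example.

```python
import math

# Chart symbol grammar from Table 17.3: D + {N|F} + {C|2|5|10} + {g|a} [+ p]
#   N/F : normal / poor ("faible") diffusion     g/a : gas / aerosol
#   C,2,5,10 : wind speed class at 50-100 m      p : rain (aerosols only)
APERTURE_DEG = {"C": 360.0, "2": 75.0, "5": 45.0, "10": 35.0}

# Table 17.4 / 17.5: (release duration in hours, factor dividing the 5-minute ATC)
DURATION_FACTORS = ((5 / 60, 1.0), (0.5, 1.5), (1.0, 3.0), (2.0, 4.0),
                    (8.0, 7.0), (12.0, 8.0), (24.0, 9.5))

DRY_DEPOSITION_MS = 5e-3        # m/s, the page's "dry" aerosol deposit rate
WASHOUT_PER_S_PER_MMH = 1e-4    # s^-1 per mm/h of rain, the page's washout rate


def wind_class(speed_ms, mast_height_m):
    """Chart wind class: limits 2/5/10 m/s for a 50-100 m measurement,
    1/3/7 m/s for a 10 m mast (both sets of limits are the page's)."""
    limits = (1.0, 3.0, 7.0) if mast_height_m <= 10 else (2.0, 5.0, 10.0)
    for limit, label in zip(limits, ("C", "2", "5")):
        if speed_ms < limit:
            return label
    return "10"


def chart_symbol(poor_diffusion, speed_ms, mast_height_m, aerosol, rain):
    """Name of the chart to pick, e.g. DN5ap. There is no DF10 chart because
    poor diffusion is practically impossible above 7 m/s at 10 m (10 m/s aloft);
    rain leaves gases unaffected, so the 'p' suffix only applies to aerosols."""
    cls = wind_class(speed_ms, mast_height_m)
    if poor_diffusion and cls == "10":
        raise ValueError("no poor-diffusion chart exists for the highest wind class")
    symbol = ("DF" if poor_diffusion else "DN") + cls + ("a" if aerosol else "g")
    return symbol + "p" if (rain and aerosol) else symbol


def aperture_deg(symbol):
    """Angular sector around the forecast wind direction covered by the chart."""
    body = symbol[2:]
    cls = "10" if body.startswith("10") else body[0]
    return APERTURE_DEG[cls]


def duration_factor(duration_h):
    """Corrective factor of Table 17.4; between tabulated durations the factor
    of the next shorter duration is kept, which errs on the conservative side."""
    factor = 1.0
    for hours, f in DURATION_FACTORS:
        if duration_h >= hours:
            factor = f
    return factor


def scale_atc(atc_at_d0, d0_km, d_km):
    """Rough re-scaling of a chart reading to another distance, using the
    page's remark that the ATC falls about as the inverse square of distance."""
    return atc_at_d0 * (d0_km / d_km) ** 2


def washout_removed_fraction(rain_mm_per_h, travel_time_s):
    """Aerosol fraction scrubbed from the plume by rain, reading the page's
    washout rate as a first-order removal constant (assumed interpretation)."""
    return 1.0 - math.exp(-WASHOUT_PER_S_PER_MMH * rain_mm_per_h * travel_time_s)


def first_estimate(atc_5min_s_per_m3, released_bq, duration_h, aerosol, dcf_sv_per_bq_s_m3):
    """Combine a chart ATC (read for 1 TBq over 5 min) with the actual release
    as the page describes: divide by the duration factor, multiply by activity
    and by a dose conversion factor. Deposit = deposition velocity x integrated
    air concentration is a standard relation, not spelled out on the page."""
    atc = atc_5min_s_per_m3 / duration_factor(duration_h)
    integrated_conc = atc * released_bq                                 # Bq.s/m3
    deposit = integrated_conc * DRY_DEPOSITION_MS if aerosol else 0.0   # Bq/m2
    return {
        "atc_s_per_m3": atc,
        "integrated_conc_bq_s_per_m3": integrated_conc,
        "deposit_bq_per_m2": deposit,
        "dose_sv": integrated_conc * dcf_sv_per_bq_s_m3,
    }


if __name__ == "__main__":
    # Constructed scenario: 10 m mast reads 4 m/s, normal diffusion, rain,
    # 1 h aerosol release of 1e12 Bq; the ATC and DCF values are placeholders.
    sym = chart_symbol(False, 4.0, 10, aerosol=True, rain=True)
    est = first_estimate(1e-6, 1e12, 1.0, aerosol=True, dcf_sv_per_bq_s_m3=1e-12)
    print(sym, aperture_deg(sym), est)
```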
18
Severe accident research and development work
Research and development on nuclear installations in general and nuclear power plants in particular includes not only design and performance improvement but also a whole range of studies related to different safety aspects. This work is carried out by the CEA or other organizations, such as plant designers and operators. IPSN is obviously particularly involved in safety studies, where it usually takes the lead. Its active participation in this field and the supervision of all such studies currently proceeding result in the acquisition of common new know-how and the enhancement of the competence of the institute. However, this presentation is limited to a brief description of the severe accident studies, the importance of which has been stressed in previous chapters. We have seen how a time came when basic rules had to be defined for the preparation of severe accident management so that the operating utility could determine how to mitigate the consequences of these events by appropriate provisions, which could then be assessed by the safety authorities. This in no way detracts from the need for ever deeper knowledge in more recent fields of research. Assumptions deemed prudent have been adopted but their penalizing character has to be reviewed and assessed, as has consistency of the overall safety level thereby achieved. In addition, the inclusion of severe accidents in future reactor design basis implies experimentation and more and more sophisticated modelling of phenomena involved. New provisions made in this field will be added to those pertaining to other safety aspects and to those related to performance improvement. IPSN, and before that, units of the CEA from which it originated, have implemented experimental research programs aimed notably at gaining greater insight into accident situations, which could then be modelled. 
Depending on the interest of the different partners and the scope (notably the related financial outlay) of the work involved, such programs may be run jointly with other CEA departments, EDF, Framatome, or even with outside organizations: European Union, United States, Japan, etc.
In similar fashion, France takes part in programs carried out abroad and benefits from the results obtained. So, for a very long time now, in the accident situation field, it has been considered important to refrain from complacency and acquired results are constantly called into question. In the foregoing chapters, the need for deeper knowledge in the fields of thermal hydraulics or aerosol behavior has been discussed. By means of a few examples, we shall show that the research programs implemented by IPSN and other organizations are much wider in scope. Experiments are usually aimed at modelling the phenomena involved and devising suitable tools (generally software) to provide answers to questions raised by the safety analysis and enable crisis management to be grounded on solid physical bases. Owing to the time spans involved for major projects, these answers are often rather belated. Identification of requirements and corresponding decisions consequently have to be anticipated. The program results are then used to appraise the conservative character of the options adopted and, if necessary, adjust them. The severe accident programs are also used to extend and validate a code system, originally intended for determination of the "source terms" discussed in Chapter 15. With the gradual improvement of the models, this system, known as ESCADRE (Système français de Codes de Calcul des Accidents Des Réacteurs à Eau), is currently used to study severe accident situation management strategies. ESCADRE combines thermal hydraulic codes with others describing fission product behavior. Its design basis is realistic, enabling assessment of what is actually liable to occur in a severe accident situation and appraisal of the benefits derived from the various countermeasures (Fig. 18.1. and 18.2.). A cooperation agreement with Germany has been signed with a view to producing a common system of severe accident codes, known as ASTEC, based on the ESCADRE system.
This project is proceeding. After presentation of the codes, some of the experiments performed will be briefly described.
18.1. Thermal hydraulic codes

The severe accident analysis codes all refer back to CATHARE, which models NSSS behavior from normal operating conditions to conventional design basis limit conditions (fuel damage limits). This code was mainly validated on the Bethsy test mockup, which constitutes a full scale model of a reactor in height, with the volumes represented on a smaller scale (1:100), and on analytical experiments.
Using CATHARE results, the VULCAIN/(EMISS) code analyzes primary system thermal hydraulics during core degradation, interaction between the molten materials and the bottom of the vessel, fission product and energy release in the containment.
Fig.18.1. Application of the ESCADRE codes.
The JERICHO code uses VULCAIN mass and energy transfer data to study thermal hydraulics in the containment, analyzing modifications to pressure, temperature and composition of the containment atmosphere. It can be used to appraise the effects and efficiency of containment spraying and also describes hydrogen combustion phenomena. WECHSL/CALTHER calculates the corium-concrete interaction, together with the resulting gas quantities and flowrates in the containment.
ICARE, more physics-related and more detailed, better adapted to coupling with CATHARE, also analyzes core behavior under degraded conditions. Its scope is narrower than that of VULCAIN but it is more accurate. Based notably on the PHEBUS CSD (severely degraded core) experiments, it is used to validate certain VULCAIN results. It also contributed to preparation of the PHEBUS PF (fission products) program, designed to analyze in the course of a series of overall experiments, radioactive product transfer in various configurations from the fuel to a representation of the environment.
18.2. Fission product codes

The quantities and changing behavior of the various fission products in the core, in the containment and in release from the containment are assessed on the basis of general data on fission product production and their radioactive decay chains grouped in the PHADO code, which takes into account fuel type, burnup and relevant operating history. The VULCAIN code uses the fuel degradation state (cladding condition, fuel temperatures reached) to determine the corresponding fission product releases. Curves showing the fission product release rates from a uranium oxide pellet were presented in Chapter 5. Tests on the VERCORS rig at 2300 °C enable realistic assessment of the proportion of fission products emitted at this temperature (Table 18.1.). Tests at 2800 °C would be required to refine the transuranic values.

Table 18.1. Release rates from a UO2 pellet during a severe accident.

Elements released during core meltdown       Fraction emitted at 2300 °C
Kr, Xe, I, Br, Cs, Rb, Te, Sb, Ag, Sn        1
Ba, Rh, Mo                                   0.5 - 0.8
Sr, Ru, As, In, Cd, Tc, Zr, La               0.01 - 0.1
Y, Ce                                        0.001 - 0.03
Nb                                           0.001
Np, Pu, Am, Cm                               0.0002 - 0.001
The SOPHIE code describes vaporized fission product behavior in primary system piping between the core and the pipe break. The AEROSOLS code analyzes non-vaporized aerosol behavior in the piping and containment, the conditions under which they deposit on walls or are entrained by the spray water and thereby the fraction remaining in suspension in the containment atmosphere and liable to escape as a function of time.
These two codes will be combined to form SOPHAEROS.

Fig. 18.2. The ESCADRE system.

The IODE code is devised to deal with the specific case of iodine, which is a particularly important substance as regards radiological consequences. The short term radiological impact is largely contingent on its chemical behavior and radiation response.
The CONRAD code system, presented in the previous chapter because it is used in the Technical Crisis Center, uses IODE and AEROSOLS data in association with weather condition predictions to estimate the radiological consequences for the environment.
18.3. Fission product experiments

The models are based on whole series of physical experiments which gradually provide the requisite data. Analytical experiments deal with separate effects, yielding input for models of individual phenomena, which can then be combined. They are performed at the IPSN, at other CEA units or abroad (Fig. 18.3.). Those particularly concerned by radioactive product behavior are as follows:
• HEVA, VERCORS and EMAIC, which deal with fission product release from fuel and the influence of the control rod absorber materials (silver-indium-cadmium, AIC) on their behavior
• DEVAP, which analyzes fission product adsorption as steam on representative primary system materials
• TUBA and TRANSAT, which investigate aerosol retention in small and medium diameter piping
• PITEAS, which analyzes aerosol physics in a containment containing steam
• IODE, which investigates the chemistry of iodine on contact with different media, and CAIMAN, which performs more general iodine tests, taking account of circumstances representative of reactor accident conditions
• CARAIDAS, an experimental study of aerosol and gaseous iodine removal from a containment by spray droplets.

The PHEBUS PF program, on the other hand, provides for a series of overall experiments focussed on fission product behavior and transfer from the fuel to a representation of the environment via the systems and the containment. Its purpose is to validate the ESCADRE system codes used for severe accident release assessment, by means of a 1:5000 scale mockup using real fission products in directly representative chemical conditions. It aims at verifying that essential phenomena have not been overlooked and confirming the validity of the basic assumptions made to model the phenomena, with regard to:
• chemical forms of the fission products
• additivity of separate effects, and consequently interactions between phenomena, particularly in iodine chemistry.
Fig. 18.3. Fission product experiments.
18.4. Corium and containment building behavior studies

A project has been initiated covering the analysis and modeling of interaction between dispersed corium and water. The purpose is to determine the possibility, conditions and phenomenology of a steam explosion, together with the energy released, and to predict vessel resistance with respect to the corresponding dynamic load. The survey is scheduled over several years. It is based on experiments carried out at the Grenoble Study Center by the Nuclear Reactor Department (BILLEAU tests). Experiments performed at the Euratom center of ISPRA (FARO, KROTOS), in Germany (PWI, LSCM, BERDA) and in England (MIXA) will also be used. Modelling will involve adapting the TRIO-MC codes for the steam explosion itself and the PLEXUS code, from the CASTEM system, for structure behavior.
WECHSL, for examination of the corium-concrete interaction, has been validated against German experiments, but is being further developed, using the CORINE test results obtained at Grenoble by the Nuclear Reactor Department and, among others, American experimental findings (ACE Advanced Containment Experiments performed at the Argonne National Laboratory and SURC performed at the Sandia Laboratories). The CROCO code and experiments undertaken by IPSN are aimed at calculating the corium spreading propensity in the reactor pit or a recovery system. Increased experimental insight into hydrogen explosions depends on extensive international cooperation with the Canadians and Russians (RUT experiment performed by the Kurtchatov Institute). IPSN has nevertheless decided to develop the TONUS code to calculate hydrogen behavior and associated containment integrity risks.
18.5. Other on-going surveys

We shall give here only a few characteristic examples selected from the very large number of safety-related studies undertaken in different technical fields.

18.5.1. Investigations on aging

These studies concern notably:
• the behavior of the primary system metal structures subjected to irradiation, thermal cycling and erosion
• irradiation-induced aging of polymers used for electric cable insulation
• behavior of paints used inside containments.

Surveys on primary system structural materials are related to the prevention of pipe breaks. They deal with crack propagation conditions and risks. They are aimed at providing more accurate data on the potential harmfulness and conditions of stability of defects when subjected to stresses such as those which could be induced in the course of an accident. Research into the improvement of early fault detection systems is also continuing in the context of non-destructive test method improvement. Investigations into polymer aging are proceeding in an international context, with the US safety authority, the Nuclear Regulatory Commission. This is known as the "Veille" program, using notably, for the experimental part, the experimental reactor Osiris and the irradiation facility Poseidon.
The detachment of paint in the reactor building under accident conditions could jeopardize cooling fluid recirculation by obstructing the containment sumps. Tests in this connection use an irradiator to simulate ambient accident conditions.
18.5.2. Investigation of increased burnup effects

The EDF proposal to increase burnup to 52 000 MWd/tU or beyond can diminish the characteristics of the fuel rods and especially the zircaloy clads. The validity of criteria imposed for a loss of coolant accident must be confirmed for this range of burnup fractions. This is also the case for assessment of the maximum acceptable energy input in the event of a reactivity accident such as control rod ejection or injection of a non-borated water plug. The limit value adopted of 200 calories per gram could be excessive for high burnup fuels.

Analysis of fuel behavior under the effects of the quench front at core rewatering is the subject of a program undertaken jointly with EDF. The first experimental sequence (TAGCIS) uses fuel which is non-irradiated, but pre-corroded to simulate irradiation effects; the next will use fuel with a burnup of 57 000 MWd/tU.

The NSRR tests conducted in Japan on fuel behavior under reactivity accident conditions (with the participation of an IPSN engineer) are still proceeding, but the facility used is not compatible with the whole range of energy inputs to be investigated. A similar series of experiments has been launched in France on the CABRI reactor operated by the IPSN at the Cadarache Study Center. Pre-irradiated fuel is inserted in a sodium loop, which makes test loop pressurization unnecessary but is not entirely representative. The Americans have also resumed equivalent overall experimentation (SPERT). All three of these test programs have revealed highly irradiated fuel rod failures for lower energy inputs than expected: 85 cal/g for fuel with a 32 000 MWd/t burnup at SPERT, 60 cal/g for 50 000 MWd/t at NSRR and 30 cal/g for 64 000 MWd/t at CABRI. Despite appearances, a graph plotted with these three points, obtained under conditions which are not equivalent, would not be meaningful.
Moreover, the fuel rod destructions observed did not involve pellet bursting into fine particles but their dispersion in much larger fragments after interaction between pellets and zirconium clads, the latter showing signs of significant hydriding. So these programs must continue, focusing also on identification of possible equivalent or higher energy inputs occurring during somewhat slower transients, more representative of real reactivity accidents.
19
Probabilistic safety assessment
We have already referred to several examples of the use of probabilistic studies for the assessment of plant safety. The first case concerned determining the probability of occurrence of an event, such as an aircraft crash on a given target or damage to a target by a missile resulting from a turbine burst. We then examined how probabilistic studies were applied to cases of loss of simple or complex functions, after definition of a goal expressed in terms of the probability of unacceptable consequences ensuing. It is normal that, in compliance with the safety authority requests formulated in 1977 and presented in Chapter 11, this approach should have been generalized, the purpose being to determine, not simply for a given function but for the plant unit as a whole, the overall probability of occurrence of an extreme event, such as core meltdown. This is what we call in France "évaluation probabiliste de sûreté" (EPS), formerly known as "analyse probabiliste de risque", with their English counterparts PRA (probabilistic risk assessment) and PSA (probabilistic safety assessment), the change in name indicating a more dynamic, less fatalistic approach to safety.

It was in the United States that the first overall nuclear power plant risk assessment was presented in 1975, the RASMUSSEN report already discussed in Chapter 15. Since this time, the methodology adopted has been extensively used. Its purpose is obviously not simply to estimate absolute probability values for core meltdown, radioactive release or the number of casualties. These values are in fact tainted with considerable uncertainty, which makes them difficult to use to define overall probabilistic goals. Such surveys are, above all, an abundant source of information on probability components and their relative importance. This provides a means of defining priorities and concentrating efforts on sensitive areas.
Partial probabilistic studies, covering a given function, as seen in Chapter 11, or a specific operating state, can nevertheless always be used to deal with a particular safety problem.
258
Elements of nuclear safety
In this chapter, we shall discuss the methods and results of probabilistic safety studies carried out in France and published in 1990. Developments and subsequent applications of these studies will be described in the next chapter. Overall probabilistic safety studies may be undertaken to assess:
• the probability of occurrence of core meltdown (level 1 PSA)
• the probability of radioactive products being released outside the containment (level 2 PSA)
• the probability of members of the general public being affected by this release (level 3 PSA)
with indication of the probability components. With respect to the organization of the present document, these three levels are discussed as follows. The first 14 chapters concern level 1, irrespective of the different core meltdown conditions. The events discussed in Chapter 15 concern level 2. However, instead of adopting a deterministic approach to the phenomena, simply assuming that they occur, we now have to establish a relationship between an offsite release level and its probability. In this context, core meltdown conditions may have to be considered. The purpose of level 3 is to estimate how the health of populations would be affected by release of radioactive products. This implies calculating, among other quantities, the efficiency of off-site countermeasures, together with the effects produced by low doses, on the basis of the theoretical linear relationship used in radiation protection (Chapter 1). These levels are closely intermingled, since determination of a relationship between probability and effects on members of the public implies determination of the release level probabilities, which in turn depend on the probabilities of occurrence of different types of core meltdown. What is also implied is that the uncertainties on results obtained increase from one level to the next.
19.1. Initiation of the studies
It was in 1982 that the IPSN decided to perform an exhaustive Probabilistic Safety Assessment (PSA), restricted however to determination of the probability of core meltdown occurring on a standard French 900 MWe PWR. France's standardized series of reactors (6 + 28 plant units, all very similar) enables acquisition of realistic reliability data bases on equipment and the most frequent initiators, which is a particularly favorable study context from the quality standpoint. The reactor considered is a CP2 type PWR (second set of 900 MWe plant units), integrating all the modifications adopted prior to January 1, 1990.
19 - Probabilistic safety assessment
259
The model, which was gradually adapted to take these modifications into account, thus corresponds to the Saint Laurent des Eaux, Cruas or Chinon units, integrating a number of specified modifications and differing little from other 900 MWe nuclear units. The purpose was to assess the probability of core meltdown being induced by internal events which could occur in the plant (equipment failures or human errors) with a view to better understanding potential risks and constituting a tool suitable for safety analysis. In 1986, EDF decided to perform an equivalent survey for a 1300 MWe reactor, the reference in this case being unit 3 at the Paluel nuclear power plant. So the French PSA surveys performed so far have been level 1 studies. They disregard internal and external hazards, such as fires, floods and earthquakes. As we continue our analysis, other limitations will be noted. The probability of occurrence of core meltdown is assessed by identifying all scenarios which could lead to such an accident (the "accident sequences") and calculating their probabilities, using basic data relating to system dynamics, equipment failures and human errors.
19.2. Aims and organization of the studies
The general purpose was to develop safety analysis tools to assist assessment of the importance of safety problems arising under operating conditions and facilitate decisions as to whether modifications are necessary. Examples would be:
• highlighting relatively weak design aspects, liable to lead to equipment or operating procedure modifications in the units concerned and to design changes for future units
• determining the incidence of equipment reliability and thereby the relative safety importance
• analysis of technical operating specifications and instructions
• analysis of periodic testing and in-service maintenance
• identification of priority research areas.
In order to attain this overall objective, it was decided to perform studies with the following more specific aims:
• carry out PSA's as exhaustive and detailed as possible, covering all reactor states
• make use of operating feedback from French plants
• systematically consider the operating instructions
• select a computerized tool to perform sensitivity calculations on basic studies with a view to updating the latter in the light of new data and knowledge.
A consistency commission provided opportunities for frequent contacts between EDF and IPSN, aimed at harmonizing insofar as possible the approaches to certain difficult problems, such as equipment reliability data, initiator probabilities, common mode failures and human reliability, in order to obtain consistent reference studies such that models could be exchanged and used without basic technical adaptations. This working method is a special feature of interaction between the operating utility and the safety organizations, providing an excellent setting for tool design but inappropriate for a safety demonstration. The development of computation codes such as CATHARE is another example of work undertaken in common by even more closely integrated teams in the neutronic and thermal hydraulic fields.
19.3. Core meltdown probability assessment methods
Since publication in 1975 in the United States of the first probabilistic risk assessment, known as WASH 1400 or the Rasmussen report, the large number of surveys carried out worldwide have gradually resulted in more efficient methods. The approach used in France, for instance, is very similar to that adopted for recent American or German studies. However, a special effort was made to assess risks associated with outages and long term situations. These two fields had so far been little investigated and it will be seen that these studies yielded particularly interesting results.
19.3.1. Definition of accident sequences
The event on which a probability assessment is focussed is a rare occurrence which is generally not directly observable. Research is consequently based on sequences of events which can be observed. As we saw in Chapter 12, the method consists in constructing event trees, derived from initiating events and defined by the successive failures of systems and procedures. Each branch of an event tree is an accident sequence for which a functional or physical analysis determines whether it will culminate in core meltdown or not. By definition, any event conducive to a development or reactor condition requiring a protective or safeguard action is considered as an initiator. All initiators leading to similar event trees are grouped in one family. So, in practice, we analyze about ten families representing about a hundred initiators.
For a 900 MWe unit assessment, the list of initiators is as follows:
• loss of coolant accidents
• steam generator tube breaks
• secondary water or steam line breaks
• total loss of ultimate heat sink
• total failure of the main feedwater supply (steam generators)
• total power loss
• anticipated transients without scram
• primary and secondary transients including boric acid dilutions
• loss of power and compressed air sources.
19.3.2. System analysis
The operating process and failure modes of all systems involved in an accident sequence have to be analyzed in detail with a view to obtaining a model usable for quantitative assessments. Conventional reliability methods are employed, the most frequently used model being the failure tree (fault tree). A failure tree is a logic diagram linking by a deductive method the event analyzed (system failure) with the series of events liable to bring it about (component failures).
Fig. 19.1. Markov state graph: availability of a two-train redundant system. The four states are 11 (both components available), 10 (component 1 available, component 2 failed), 01 (component 2 available, component 1 failed) and 00 (both components failed).
Sometimes other models have to be used, such as operational state graphs (Markov method), to include system state changes and take repair possibilities into account (Fig.19.1.).
19.3.3. Reliability data
The parameters used to model component failure are:
• λ: failure rate per unit of time (assumed constant)
• γ: probability of failure to start
• μ: repair rate per unit of time
• β: parameter characterizing the proportion of common cause failures.
There are various world reliability data banks, which are either general or specific to nuclear installations. In France, EDF has equipped its nuclear power plants with facilities for the collection and processing of operating feedback data, including notably the reliability data record system, designed to monitor 400 different components and currently integrated in a more comprehensive tool, SAPHIR.
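The Markov graph of Fig. 19.1 solved for its steady state with the four parameters just listed, as an added example: it is not code from the book nor from the EDF/IPSN studies, and the rates, the independent repair of each train and the beta-factor treatment of common cause failures are constructed assumptions.

```python
"""Two-train redundant system modelled as the Markov state graph of Fig. 19.1.

Added example for this chapter, not code from the book or from the EDF/IPSN
studies.  The four parameters are those of Section 19.3.3: lam (failure rate),
gamma (failure to start), mu (repair rate) and beta (common cause proportion).
All numerical values used below are constructed placeholders.
"""
from typing import Dict, List, Tuple

# State labels follow Fig. 19.1: first digit = train 1, second = train 2, 1 = available
STATES = ["11", "10", "01", "00"]


def transition_rates(lam: float, mu: float, beta: float) -> Dict[Tuple[str, str], float]:
    """Rates between states.  Beta-factor model (assumption): a train fails on its
    own at (1 - beta) * lam and both trains fail together at beta * lam."""
    indep = (1.0 - beta) * lam
    return {
        ("11", "10"): indep,       # train 2 fails on its own
        ("11", "01"): indep,       # train 1 fails on its own
        ("11", "00"): beta * lam,  # common cause failure of both trains
        ("10", "11"): mu,          # train 2 repaired
        ("10", "00"): lam,         # train 1 fails while train 2 is down
        ("01", "11"): mu,          # train 1 repaired
        ("01", "00"): lam,         # train 2 fails while train 1 is down
        ("00", "10"): mu,          # train 1 repaired
        ("00", "01"): mu,          # train 2 repaired
    }


def solve_linear(a: List[List[float]], b: List[float]) -> List[float]:
    """Gauss-Jordan elimination with partial pivoting; fine for a 4x4 system."""
    n = len(b)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[piv] = m[piv], m[col]
        for r in range(n):
            if r != col and m[r][col] != 0.0:
                f = m[r][col] / m[col][col]
                for c in range(col, n + 1):
                    m[r][c] -= f * m[col][c]
    return [m[i][n] / m[i][i] for i in range(n)]


def steady_state(lam: float, mu: float, beta: float) -> Dict[str, float]:
    """Long-run probability of each state: solve pi.Q = 0 with sum(pi) = 1."""
    n = len(STATES)
    q = [[0.0] * n for _ in range(n)]
    for (src, dst), rate in transition_rates(lam, mu, beta).items():
        i, j = STATES.index(src), STATES.index(dst)
        q[i][j] += rate
        q[i][i] -= rate          # diagonal = minus total outgoing rate
    # One balance equation per state (columns of Q); the system has rank n-1,
    # so the last equation is replaced by the normalisation sum(pi) = 1.
    a = [[q[i][j] for i in range(n)] for j in range(n)]
    rhs = [0.0] * n
    a[n - 1] = [1.0] * n
    rhs[n - 1] = 1.0
    return dict(zip(STATES, solve_linear(a, rhs)))


def demand_failure_probability(lam: float, mu: float, beta: float, gamma: float) -> float:
    """Probability that the system delivers nothing when called upon: both trains
    already down, or every still-available train fails to start (gamma each,
    assumed independent between trains)."""
    pi = steady_state(lam, mu, beta)
    return pi["00"] + (pi["10"] + pi["01"]) * gamma + pi["11"] * gamma ** 2


if __name__ == "__main__":
    # Constructed placeholder data: one failure per 10^4 h, repair in about 10 h,
    # 10 % of failures by common cause, 1e-3 probability of failure to start.
    for beta in (0.0, 0.1):
        pi = steady_state(1e-4, 1e-1, beta)
        print(f"beta={beta}: P(both trains failed) = {pi['00']:.3e}, "
              f"P(fails on demand) = {demand_failure_probability(1e-4, 1e-1, beta, 1e-3):.3e}")
```

With β = 0 the probability of state 00 reduces to the product of the two single-train unavailabilities λ/(λ+μ), the result one would obtain by treating the trains as independent; a common cause fraction of a few percent raises that probability by orders of magnitude, which is why the text later singles out the common mode coefficient as one of the least certain and most influential data items.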
19.3.4. Consideration of human factors
Human factors play a major role in accident situations. This role may be positive (repair and restart of systems, implementation of appropriate procedures or mitigating strategies) or negative (inadequate action, involving confusion, omission, inappropriate decisions). The inclusion of human factors is consequently essential for the performance of a PSA. But this is a particularly difficult field, not easy to quantify. The method used for the 900 and 1300 PSA's was developed gradually in France, on the basis of international models and work undertaken by EDF. Human actions considered may be classified in two main categories:
• pre-accident errors, which can contribute to system unavailability or produce initiators
• actions undertaken in accident situations (diagnosis, implementation of procedures, actions not specified in procedures) liable to influence the way in which the sequences develop.
The organization of the operating team, the role of the safety engineer and the existence of crisis teams were explicitly included on the basis of their structure at the end of the eighties. The procedures used are those of the event-oriented approach (I, A and H procedures), supplemented by the state-oriented procedure U1.
19.3.5. Quantification of accident sequences
The probability of occurrence of each accident sequence is calculated by combining the probabilities associated with the events constituting the sequence. This quantification is obtained by means of sometimes complex models and the processing of a vast amount of data (a hundred or so system failure models, several thousand accident sequences). We saw in the example presented in Chapter 12 that determination of the probability values for a highly simplified sequence fast becomes extremely time-consuming. Computerized tools are consequently indispensable. The LESSEPS* software, developed by EDF for its own requirements, is able to perform the computations involved and to store all the necessary data. It was also adopted for 900 PSA purposes.
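The quantification chain of Sections 19.3.1 to 19.3.5 run on a deliberately small case, as an added example rather than the book's material or EDF's LESSEPS models: two fault trees supply the branch probabilities of an event tree for a constructed "total loss of main feedwater" family, the sequences ending in core meltdown are summed, and a Fussell-Vesely importance ranks the basic events, which is the kind of relative-importance output the chapter says these studies are mainly good for. The event names, the tree structures, the end-state rule and all numbers are constructed placeholders.

```python
"""Event-tree quantification of one initiator family with fault-tree models
for the safety functions, plus a basic-event importance ranking.

Added example illustrating the method of Sections 19.3.1 to 19.3.5; it is not
the book's material nor the EDF LESSEPS models.  Initiator, system and
basic-event names and all numbers are constructed placeholders.
"""
from itertools import product
from typing import Dict, List, Tuple, Union

Node = Union[str, Tuple[str, list]]   # basic event name, or ("AND"|"OR", [children])


def top_event_probability(node: Node, p: Dict[str, float]) -> float:
    """Fault-tree evaluation for independent basic events.  Exact when no basic
    event appears twice in the tree, otherwise an approximation."""
    if isinstance(node, str):
        return p[node]
    gate, children = node
    probs = [top_event_probability(c, p) for c in children]
    if gate == "AND":                      # all inputs must fail
        out = 1.0
        for q in probs:
            out *= q
        return out
    if gate == "OR":                       # any input failing is enough
        out = 1.0
        for q in probs:
            out *= 1.0 - q
        return 1.0 - out
    raise ValueError(f"unknown gate {gate}")


# Auxiliary feedwater fails if both motor-driven pumps fail (independently or by
# common cause) AND the turbine-driven pump or its steam supply fails.
AFW_FAILS: Node = ("AND", [
    ("OR", [("AND", ["MDP_A", "MDP_B"]), "MDP_CCF"]),
    ("OR", ["TDP", "STEAM_SUPPLY"]),
])
# Feed-and-bleed cooling fails if the operators do not act in time, or the
# pressurizer relief valve does not open, or both high-head injection trains fail.
FB_FAILS: Node = ("OR", ["OP_FEED_BLEED", "PRZ_RELIEF_VALVE",
                         ("AND", ["HHSI_A", "HHSI_B"])])

# Event-tree headers in the order the functions are called upon after the initiator.
HEADERS: List[Tuple[str, Node]] = [("AFW", AFW_FAILS), ("FB", FB_FAILS)]


def leads_to_core_melt(failed: Dict[str, bool]) -> bool:
    """End-state rule (constructed): the core melts only if feedwater is lost
    and feed-and-bleed also fails."""
    return failed["AFW"] and failed["FB"]


def sequence_frequencies(initiator_freq: float, p: Dict[str, float]) -> Dict[Tuple[bool, ...], float]:
    """Frequency (per reactor-year) of every branch of the event tree; the tuple
    key records, header by header, whether the function failed."""
    fail_p = [top_event_probability(tree, p) for _, tree in HEADERS]
    seqs = {}
    for outcome in product((False, True), repeat=len(HEADERS)):
        f = initiator_freq
        for q, failed in zip(fail_p, outcome):
            f *= q if failed else 1.0 - q
        seqs[outcome] = f
    return seqs


def core_melt_frequency(initiator_freq: float, p: Dict[str, float]) -> float:
    names = [name for name, _ in HEADERS]
    return sum(f for outcome, f in sequence_frequencies(initiator_freq, p).items()
               if leads_to_core_melt(dict(zip(names, outcome))))


def fussell_vesely(initiator_freq: float, p: Dict[str, float]) -> Dict[str, float]:
    """Share of the core-melt frequency that disappears when one basic event is
    made impossible: the ranking used to decide where effort pays most."""
    base = core_melt_frequency(initiator_freq, p)
    ranking = {}
    for event in p:
        without = dict(p, **{event: 0.0})
        ranking[event] = (base - core_melt_frequency(initiator_freq, without)) / base
    return ranking


# Constructed placeholder data for a "total loss of main feedwater" family.
INITIATOR_FREQ = 0.1  # events per reactor-year
BASIC_EVENTS = {"MDP_A": 1e-2, "MDP_B": 1e-2, "MDP_CCF": 1e-3,
                "TDP": 2e-2, "STEAM_SUPPLY": 1e-3,
                "OP_FEED_BLEED": 5e-2, "PRZ_RELIEF_VALVE": 5e-3,
                "HHSI_A": 1e-2, "HHSI_B": 1e-2}

if __name__ == "__main__":
    cmf = core_melt_frequency(INITIATOR_FREQ, BASIC_EVENTS)
    no_fb = core_melt_frequency(INITIATOR_FREQ, dict(BASIC_EVENTS, OP_FEED_BLEED=1.0))
    print(f"core melt frequency: {cmf:.2e} /yr (without feed-and-bleed credit: {no_fb:.2e})")
    for ev, fv in sorted(fussell_vesely(INITIATOR_FREQ, BASIC_EVENTS).items(),
                         key=lambda kv: -kv[1]):
        print(f"  {ev:18s} FV = {fv:.2f}")
```

Setting the operator event to a probability of 1 removes the credit for the mitigating procedure and shows how much of the computed risk rests on that action, which is the same kind of sensitivity the 900 PSA reports for procedure H2 in Section 19.5.2; the importance ranking places the common cause event above either single pump, as the text's remark that common mode failures prevail in redundant systems would lead one to expect.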
19.4. Specificities of French studies

19.4.1. Reactor states
The initiators were not identified and analyzed only for power operating reactors (as was usually the case for such studies undertaken at that time abroad), but systematically for all reactor states, including cold shutdown. Six states were considered:
• state A corresponds to all reactor operating modes and all shutdown situations where primary system pressure exceeds 139 bars or the temperature exceeds 280 °C. This state covers all situations where water makeup by safety injection is automatic in the event of an accident and is thus valid about 85% of the time
• state B covers a short phase, corresponding to about 0.5% of the time, occurring between the previous conditions and those enabling use of the residual heat removal system
• state C covers situations where, with the reactor coolant system full of water, cooling is assured by the residual heat removal system and if necessary taken over by the fuel pool cooling system. It corresponds to 3% of the time
• state D covers situations where the reactor coolant system is partially drained, corresponding to about 5% of the time
• state E covers refueling outages with the reactor cavity flooded, corresponding to about 2% of the time
• state F groups all states where the reactor vessel contains no fuel, corresponding to about 3% of the time.
Also noteworthy is the special effort made to investigate cases involving the loss of supporting systems, such as compressed air and standby power sources, notably the low voltage switchboards.

* LESSEPS © EDF 1992.
19.4.2. Post-accident situations Accident sequences were analyzed up to core meltdown or up to a condition where the risk of this occurring could be considered negligible. Investigation of the latter conditions has involved analysis of long term post-accident situations. Reactor coolant system breaks were considered over a period of one year after the accident.
19.4.3. Repairs and mitigating measures
If realistic scenarios are to be defined, notably for long term sequences, we have to include the eventuality of failed systems being repaired and possible human endeavors to apply a procedure or implement a mitigating strategy. Actions provided for in the incident, accident and complementary procedures I, A and H and in procedure U1* for emergency prevention of core degradation, based on a state-oriented approach, have been systematically integrated in French probabilistic safety studies. Extensive thermal hydraulic parametric computations have been performed, with a view notably to determining the time remaining for action before core meltdown ensues. This was the case, in particular, for determination of the efficiency of "feed and bleed" cooling, whereby residual heat is removed from the fuel by water circulation between the safety injection, the core, the pressurizer relief valve (bleed) and the reactor containment sumps.
19.4.4. Equipment reliability data The standardized reactor policy adopted in France is particularly favorable to the acquisition of truly representative reliability data. The 900 MWe series, for instance, comprises 34 similar units and this situation has been made use of to obtain specific data which is given preference over any other information source.
*Cf. Chapters 11 and 15.
Operating feedback from the smaller, more recent, 1300 MWe series has been similarly used. The PSA data base was compiled from data collected and processed by EDF. These data were analyzed by IPSN and, in most cases, discussion enabled the two organizations to reach a common position.
19.4.5. Human reliability data
Here again, international data sources are available, but, wherever possible, French operating feedback has been used to ensure realistic data in this field. These data are mainly used:
• to identify possible errors
• to quantify their probabilities by direct statistics when there are an adequate number of cases
• to construct models so that available data can be extrapolated to other situations.
The main original sources of information were real incidents, specific inquiries or interviews and observations reported by EDF on test series on simulators (Fig. 19.2.).

Fig. 19.2. Failure probability for the diagnosis (operating team without safety engineer): failure probability plotted against time available (minutes).
This involves more than 200 observations made on operating teams placed in simulated incident or accident situations, by a group of ergonomics and human factor specialists. Sophisticated observation and recording techniques were used. These tests were a particularly valuable source of information, more relevant to the French situation than other data available in the literature. Figure 19.2. gives an example of results obtained with these tests. The four curves correspond to the following cases:
• curve 1: incident corresponding to a procedure without safety injection
• curve 2: incident corresponding to a procedure with safety injection
• curve 3: fairly difficult diagnosis
• curve 4: difficult diagnosis.
Event-oriented procedures were used. These make it difficult to revert to a correct procedure after an error.
19.5. Results of the 900 PSA survey
The total probability of core meltdown obtained in this survey is approximately 5 × 10⁻⁵ per reactor-year.
19.5.1. General remarks
As will be seen further on, it is not easy to compare the results obtained in various probabilistic safety assessments, since this involves detailed analysis of all postulates and data. However, it can be indicated that the value obtained is similar to results obtained abroad. If we exclude zero power accident sequences and restrict the duration of the sequences considered to 24 hours, the computed probability of core meltdown drops to 2 × 10⁻⁵ per reactor-year. However, it must be borne in mind that, as it is at present, the 900 PSA excludes internal fires and floods and external hazards, which, according to certain other studies, make a significant contribution. Certain sequences which could occur during an outage with the reactor partially drained have also been excluded, because it was assumed that the problems identified could be rapidly solved, so that the corresponding sequences would make no significant contribution. The total result is distributed over a large number of sequences and event families, from which may be inferred a relatively uniform structure of safety in 900 MWe units (Table 19.1.). Outage situations contribute 32% to the total probability of core meltdown. This high percentage is due to the fact that, in most cases, there are no automatic systems to deal with accident situations in these circumstances, which means that human action is required. The risk per outage hour is thus much higher than that corresponding to operating periods. However, it should be noted that the associated uncertainty is high, with regard both to the probabilities of human errors and to the frequencies of occurrence of initiating events. E states (outage for refueling, reactor cavity flooded) and F states (reactor vessel containing no fuel) make negligible contributions.

Table 19.1. Results of the 900 MW PSA (May 1990).
Annual core meltdown probability per initiator family (rows) and reactor state (columns).

Families \ States                                      | A          | B          | C          | D          | Total per family
Large primary breaks                                   | 1.2 × 10⁻⁶ | 7.1 × 10⁻⁹ | 1.1 × 10⁻⁶ | -          | 2.3 × 10⁻⁶
Medium primary breaks                                  | 4.1 × 10⁻⁶ | 2.3 × 10⁻⁸ | 1.1 × 10⁻⁶ | -          | 5.2 × 10⁻⁶
Small breaks + pressurizer breaks                      | 9.2 × 10⁻⁶ | 2.8 × 10⁻⁷ | 1.8 × 10⁻⁶ | 5.8 × 10⁻⁶ | 1.7 × 10⁻⁵
Primary coolant losses outside the reactor containment | 1.0 × 10⁻⁷ | 1.0 × 10⁻⁸ | -          | -          | 1.1 × 10⁻⁷
Secondary line breaks                                  | 9.1 × 10⁻⁷ | 5.0 × 10⁻⁹ | -          | -          | 9.2 × 10⁻⁷
SG tube ruptures and secondary line breaks             | 2.3 × 10⁻⁶ | 5.4 × 10⁻⁹ | 2.1 × 10⁻⁸ | -          | 2.3 × 10⁻⁶
Loss of ultimate heat sink                             | 9.4 × 10⁻⁶ | 2.6 × 10⁻⁸ | -          | -          | 9.4 × 10⁻⁶
Loss of SG feedwater supply                            | 5.8 × 10⁻⁷ | 1.9 × 10⁻⁶ | -          | -          | 2.5 × 10⁻⁶
Loss of power                                          | 3.1 × 10⁻⁷ | 1.9 × 10⁻⁷ | 1.3 × 10⁻⁷ | 1.4 × 10⁻⁷ | 7.7 × 10⁻⁷
ATWS                                                   | 4.3 × 10⁻⁶ | -          | -          | -          | 4.3 × 10⁻⁶
Primary and secondary transients                       | 1.3 × 10⁻⁶ | -          | -          | 3.2 × 10⁻⁶ | 4.5 × 10⁻⁶
Total per state                                        | 3.4 × 10⁻⁵ | 2.4 × 10⁻⁶ | 4.2 × 10⁻⁶ | 9.1 × 10⁻⁶ | 4.95 × 10⁻⁵
Share of total                                         | 68%        | 5%         | 9%         | 18%        |
Human factors play a major role, since sequences containing at least one human error contribute about 70% to the computed core meltdown probability. Human factors also affect system failure probability and initiator frequencies. However, it must be noted that, in most cases, human actions were introduced as possibilities of recovering degraded situations; the sequences leading to core meltdown then involve failure of the operators to control the situation. If human factors were disregarded, the core meltdown probability would be higher, and it cannot simply be concluded that 70% of the risk is due to human error. It is worth noting that the incidence of human factors is particularly significant in sequences where a fast response is required, as in the case of pipe breaks during repair outages (state D) or in cases of total loss of cooling water (H1 situation). Common mode failures prevail in safety system failure probabilities, which was to be expected, since these systems are redundant. The contribution of certain non-redundant systems (water intake) is also significant. Although the 900 PSA does not currently consider reactor containment integrity and fission product release, the sequences resulting in core meltdown nevertheless include three types of situations with potentially widely differing external radiological consequences:
• The computed annual probability of core meltdowns under primary system low pressure conditions is 3.8 × 10⁻⁵, i.e. 76% of the total probability. In most of these cases, release should be confined.
• The computed annual probability of core meltdowns under high pressure conditions is 9.5 × 10⁻⁶, i.e. 18% of the total probability. These accidents are due mainly to families including total loss of main feedwater supply, total loss of power and transients involving failure to respond of the emergency shutdown system. However, it must be emphasized that this estimation disregards the primary system depressurization actions provided for in the severe accident management procedures when core meltdown has become inevitable. On the other hand, recent studies tend to indicate that certain small breaks could also lead to vessel melt-through under high pressure conditions.
• The computed annual probability of core meltdowns with containment bypassing (primary coolant loss outside the reactor containment or steam generator tube rupture occurring simultaneously with a secondary system relief valve jammed open or a steam line break) is 2.4 × 10⁻⁶, i.e. 5% of the total probability. In these cases, the uncertainty involved is particularly high. These scenarios result in direct release to the environment.
19.5.2. Inclusion of repairs and mitigating measures
The actions defined in the complementary procedures (H) and emergency procedures (U) can significantly reduce core meltdown probability with respect to the figures obtained if only the event-oriented procedures (I and A) are used. The contribution of sequences involving a primary break and long term unavailability of the systems required to control the consequences is not negligible, but nevertheless minor. On the other hand, if we exclude the possibility of mutual backup between the safety injection and containment spray pumping facilities and the possibility of sending water to the core using external mobile equipment (procedures H4-U3), the computed long term core meltdown probability is multiplied by a factor of about 10 and the total probability of core meltdown due to these sequences by a factor of 1.6. The complementary measures (turbogenerator emergency power supply LLS, gas turbine) provided for in procedure H3 (total power loss) render harmless the sequences leading to a reactor coolant pump seal leak. Inclusion of procedure H2 (feed and bleed cooling) reduces by more than a factor of 10 the computed core meltdown probability following a total loss of main feedwater supply. Action by the safety engineer was introduced in all cases where the SPI and U1 procedures can enable recovery of a degraded situation. Introduction of the SPI-U1-SPU procedures reduces by a factor of 3 to 10 the probabilities of a large number of sequences, such as those corresponding to a small primary break or a steam generator tube rupture with failure of the high head safety injection system, and all sequences involving failure of the auxiliary feedwater supply.
19.5.3. Uncertainty on the results PSA results are marred by inevitable uncertainties which must be identified, in the interest of both the credibility of the study and the uses to which it could be put. The major sources of uncertainty fall into four categories.
19.5.3.1. Uncertainties due to a lack of exhaustiveness in the field considered
It is obvious that the exhaustiveness of a probabilistic safety assessment cannot really be demonstrated, even if the work has been carried out with the intention of covering the largest possible number of situations, notably by including zero power reactor states and loss of source or transient type initiators. Two new scenarios making significant contributions (piston effect* during shutdown, reported by the United States, and a reactivity accident due to a non-borated water plug) were discovered in 1989 and others have appeared since. We have, in addition, already drawn attention in Section 19.5.1 to the fact that certain shutdown situations with the core partially drained have not been included in the 900 PSA. This is also the case for the additional reactivity accident scenarios mentioned in Chapter 16. Finally, even if the incidents observed during plant operation have been extensively considered to define the initiators and their associated probabilities, we still have to check that certain particularly unexpected interactions between systems are effectively covered in the modelling. We shall come back to this point in the next chapter.
19.5.3.2. Uncertainties related to the degree of detail in plant description
At least for certain sequences, PSA results are strongly influenced by the degree of detail in plant description, which is one of the strong points of the method, since results closely reflect the plant described. This means that a significant scenario could be overlooked if the description used fails to encompass all existing configurations. A good example of this is provided by one of the elements in the criticality accident sequences presented in Chapter 16. For this accident to happen, non-borated water has to have accumulated in a loop whilst circulation was interrupted in the primary system and the first reactor coolant pump to be restarted has to be on the same loop. This cannot occur on the odd-numbered 900 MWe units used as models. When the scenario had been identified, IPSN made a preliminary assessment as to whether further investigations were necessary. The probability of core meltdown due to this scenario proved extremely slight. It was, in fact, considered highly unlikely that the operators would first start a pump other than that used for normal pressurizer spraying, which is the only one to be emergency-powered from the auxiliary transformer. So, to begin with, the sequence was classified as negligible. Equivalent preliminary estimations were made by EDF. But on P4 type units, the reactor coolant pump assuring the normal pressurizer spray feed is on the loop where a non-borated water plug could form. The contribution of this sequence to overall core meltdown probability was deemed highly significant. This led to consideration of the even-numbered 900 MWe units, which proved to be equivalent to the P4 units. The model used for the detailed 900 MWe unit study consequently considered the least favorable option. The probability of core meltdown due to this sequence for all 900 MWe units is then equivalent to that calculated for the P4 units, representing one of the most significant contributions to the computed overall probability of core meltdown and necessitating the provision of appropriate preventive devices on the units concerned.

* The piston effect can occur during an outage, with the reactor coolant partially drained and the reactor vessel head installed, under conditions where one or several steam generator channel heads are open on the cold leg, where there is no hot leg outlet and where the residual heat removal system fails. The steam then produced by coolant boiling along the fuel pins accumulates under the vessel head and counter-flushes the water from the core, with the result that the fuel can be rapidly dewatered.
19.5.3.3. Data uncertainties Data on component reliability, initiator frequencies, common mode failures, human reliability are essential elements in a probabilistic safety study. The error factor associated with each of these values, corresponding to the limits of a 90% confidence interval, can be estimated at between 3 and 10, depending on the data. The least certain values are common mode failure coefficients, the frequencies of rarely observed initiators, such as large primary breaks, cold breaks, steam line breaks compounded by steam generator tube ruptures or water intake failure, and also data pertaining to human factors, notably in situations which do not correspond to real observation (diagnosis of complex situations after significant time lapses).
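How an error factor is read and how several of them combine, as an added example that is neither the book's nor the EDF uncertainty calculation referred to in Section 19.6.1: the error factor is taken as the ratio of the 95th percentile to the median of a lognormal distribution (a common PSA convention, assumed here), and the factors attached to an initiator frequency, a system unavailability and a human error probability are propagated to the frequency of one sequence both analytically and by Monte Carlo sampling. The medians and error factors are constructed placeholders chosen within the 3 to 10 range quoted above.

```python
"""Lognormal error factors and their propagation to a sequence frequency.

Added example for Section 19.5.3.3, not taken from the book or from the EDF
uncertainty analysis.  The medians and error factors below are constructed
placeholders chosen within the 3 to 10 range quoted in the text.
"""
import math
import random
from typing import List, Tuple

Z95 = 1.6448536269514722   # standard normal 95th percentile: 90 % two-sided interval


def lognormal_sigma(error_factor: float) -> float:
    """For a lognormal, EF = p95/median = median/p05, hence sigma = ln(EF)/z95."""
    return math.log(error_factor) / Z95


def interval_90(median: float, error_factor: float) -> Tuple[float, float]:
    """5th and 95th percentiles implied by a median and its error factor."""
    return median / error_factor, median * error_factor


def combined_error_factor(error_factors: List[float]) -> float:
    """EF of a product of independent lognormal quantities: the log-variances add,
    so the combined EF grows in quadrature, not as the product of the EFs."""
    total_sigma = math.sqrt(sum(lognormal_sigma(ef) ** 2 for ef in error_factors))
    return math.exp(Z95 * total_sigma)


def propagate_analytic(factors: List[Tuple[float, float]]) -> Tuple[float, float, float]:
    """Median, p05 and p95 of a sequence frequency that is the product of
    (median, EF) factors, e.g. initiator frequency x system unavailability x
    human error probability."""
    median = 1.0
    for m, _ in factors:
        median *= m
    ef = combined_error_factor([ef for _, ef in factors])
    return median, median / ef, median * ef


def propagate_monte_carlo(factors: List[Tuple[float, float]], n: int = 20000,
                          seed: int = 1) -> Tuple[float, float, float]:
    """Same quantity estimated by sampling; the route a PSA takes when the
    sequence is not a simple product (shared events, non-lognormal data)."""
    rng = random.Random(seed)
    samples = []
    for _ in range(n):
        value = 1.0
        for m, ef in factors:
            value *= rng.lognormvariate(math.log(m), lognormal_sigma(ef))
        samples.append(value)
    samples.sort()
    return samples[n // 2], samples[int(0.05 * n)], samples[int(0.95 * n)]


# Constructed placeholder data: (median, error factor) for one accident sequence.
SEQUENCE = [(1e-2, 3.0),    # initiator frequency per reactor-year, EF 3
            (1e-3, 5.0),    # safety system unavailability, EF 5
            (5e-2, 10.0)]   # operator failure to diagnose in time, EF 10

if __name__ == "__main__":
    med, lo, hi = propagate_analytic(SEQUENCE)
    print(f"analytic    : median {med:.2e}  90 % interval [{lo:.2e}, {hi:.2e}]")
    med, lo, hi = propagate_monte_carlo(SEQUENCE)
    print(f"Monte Carlo : median {med:.2e}  90 % interval [{lo:.2e}, {hi:.2e}]")
    print(f"combined EF {combined_error_factor([ef for _, ef in SEQUENCE]):.1f} "
          f"(vs product of EFs {3.0 * 5.0 * 10.0:.0f})")
```

The combined error factor of the three inputs comes out at about 20, well above the largest single factor but far below the product 150 that a naive multiplication would suggest; this is the reason a data error factor of 3 to 10 per item still leaves an overall interval of roughly one decade on either side, as in the 1300 PSA figure quoted in Section 19.6.1.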
19.5.3.4. Model uncertainties The assessment involves modelling component response to accident situations, such as the behavior of steam generator relief valves when water is flowing through them, the resistance of reactor coolant pump seals in the event of failure of the seal water injection system and, in general, the operation of equipment beyond specified or qualified limits, notably the low head safety injection pumps in cases of failure of the containment spray system which cools the injection water. The impact on results of the models adopted can be considerable but is difficult to assess quantitatively.
Other uncertainties are related to inadequate insight into certain physical phenomena, such as mixing conditions in the event of inadvertent dilution. We could also include the assumptions used for appraisal of the efficiency of systems required to operate under conditions other than those for which they were designed. These different problems are generally dealt with in the PSA context by use of fairly conservative assumptions. With a view to assessing the influence of these uncertainties, we must list the sources and assess their importance by means of sensitivity studies. This would improve the validity of inter-sequence comparisons. Certain such assessments are scheduled for the second stage in the study. It must be noted that these uncertainties are not inherent to probabilistic safety studies but are due in general to knowledge limitations. The PSA, on the contrary, draws attention to fields where further insight would be particularly useful.
19.6. Results of the 1300 PSA

19.6.1. Result analysis
Most of the 900 PSA considerations discussed above are applicable to the equivalent assessment conducted by EDF for the 1300 MWe plant units. So we shall simply give the results and explain any differences. The total core meltdown probability is approximately 1 × 10⁻⁵ per reactor-year for all initiators considered in the assessment. For the purposes of this study, EDF subjected acknowledged uncertainties on the data used to mathematical analysis, which indicated that the 90% confidence interval was 2 × 10⁻⁶ to 2 × 10⁻⁵. This calculation does not of course reflect the limits of the scope of the study itself. The same calculation performed in a 900 MWe unit context gave similar results. If we consider only state A (Table 19.2.), with the unit power operating or on hot shutdown, the computed annual core meltdown probability is 4.7 × 10⁻⁶. The influence of intermediate or cold shutdown states is consequently considerable, since they represent about 55% of the total probability. There is no evidently prevalent sequence, even though loss of coolant situations cover more than 50% of the total. Sequences involving at least one operator error represent about 80% of the total, which however gives no indication as to the positive effects of operator actions implemented to recover such situations.
19 - Probabilistic safety assessment
Table 19.2. 1300 PSA results (May 1990). Annual core meltdown probability per reactor by initiator family and plant state (states A to D as defined in Table 20.1).

Family                              State A      State B      State C      State D      Total per family
Primary breaks                      1.5 10^-6    5.2 10^-7    2.0 10^-6    2.8 10^-6    2.3 10^-6 (*)
Secondary line breaks               7.6 10^-7    5.7 10^-9    -            -            7.6 10^-7
SG tube and secondary line breaks   4.6 10^-7    1.2 10^-9    -            -            4.6 10^-7
Loss of ultimate heat sink          8.7 10^-8    2.5 10^-8    7.1 10^-9    5.3 10^-10   1.2 10^-7
Loss of SG feedwater supply         2.5 10^-7    1.0 10^-8    -            -            2.6 10^-7
Loss of power                       2.5 10^-8    2.1 10^-8    1.6 10^-8    1.0 10^-8    7.2 10^-8
ATWS                                1.2 10^-6    -            -            -            1.2 10^-6
Primary transients                  2.4 10^-7    4.3 10^-10   8.7 10^-8    5.8 10^-7    9.1 10^-7
Secondary transients                4.5 10^-8    -            -            -            4.8 10^-8
Loss of sources                     1.3 10^-7    -            -            -            1.3 10^-7
TOTAL                               4.7 10^-6    5.8 10^-7    2.1 10^-6    3.4 10^-6    1.08 10^-5
Share of total                      44%          5%           20%          31%

(*) Value as printed. The four state entries of this row sum to about 6.8 10^-6, and the overall total of 1.08 10^-5 is only consistent with that figure.
19.6.2. Differences between the two studies
There is a difference of a factor of 5 between the 900 PSA and 1300 PSA overall core meltdown probabilities, in favor of the more recent units. This discrepancy is not surprising, even if we note that it is partly due to differences between certain data or certain modelling postulates. The uncertainty factors involved in each assessment may also have contributed. The 1300 MWe units were designed with a view to enhancing the reliability and efficiency of certain safety functions, and the benefits achieved can now be assessed. These design differences include:
• in the 1300 MWe units, the medium pressure safety injection pumps take suction directly from the containment sumps, thereby making the function more completely redundant
• the 1300 MWe unit auxiliary feedwater system comprises two turbine-driven pumps. We noted the importance of these components when we examined total power loss situations
• the two trains of the residual heat removal system are more completely independent in the 1300 MWe units
• provisions for mutual backup of pumping facilities between the safety injection and containment spray systems, and the possibilities of sending water to the core by means of external mobile equipment, differ slightly from one series to another, leading to possible differences in the risks of human error during installation operations
• the 1300 MWe units are equipped with an automatic controller which isolates the chemical and volume control system letdown line if the temperature of the reactor coolant becomes high. This controller protects the system pumps, which then take suction from the reactor cavity and spent fuel pit cooling and treatment system tank.
It is to be noted that these improvements mostly concern systems used in the event of accidents during power operation. This explains the increase in the relative contribution of shutdown states to the overall core meltdown probability.
19.7. Comparison with studies undertaken abroad It is of course tempting to compare French results with those obtained for equivalent studies elsewhere in the world (Table 19.3.). This is a difficult task since, for the comparisons to be valid, it is not simply the raw results which are to be compared. The postulates used have to be examined in detail, as also the reliability values adopted with their supporting evidence and the scope of each study. As we have said, only the French assessments consider plant outages and the long term development of accident situations. A comparison is consequently not possible in these areas but must be limited to power operating states. The German study undertaken on the reactor Biblis B, on the other hand, considers internal hazards such as fires and floods and external hazards such as earthquakes. A comparison was performed by a French-German team, on the basis of the two French assessments, the German Biblis B study, the widely published (NUREG 1150) American studies on the Sequoyah and Surry reactors, the two successive Japanese studies, published in 1990 and 1992 and the study on the English PWR Sizewell B. These comparisons have systematically given rise to technical exchanges and discussions going far beyond a simple analysis of documents. Working groups were formed with Japanese and English participants.
Comparisons concerned the list and frequencies of initiators, the accident sequence construction methods, system reliability, quantification tools, reliability data, consideration of common mode failures, human factors and the operating range investigated.

Table 19.3. International comparisons (core meltdown probability per reactor-year).

Reactor          Raw result, with unit at power   Result on a common basis
SEQUOYAH         5.7 10^-5                        5.7 10^-5
SURRY            3.9 10^-5                        3.9 10^-5
900 (CP2)        3.2 10^-5                        2.4 10^-5
1300 (PALUEL)    4.2 10^-6                        3.6 10^-6
BIBLIS B         3.0 10^-6                        3.0 10^-6
SIZEWELL B       4.1 10^-6                        2.1 10^-6
Japan (1992)     1.9 10^-6                        1.5 10^-6
Despite wide variations in the details of the study elements considered and, in particular, in the way of considering common mode failures in plant units with high redundancy levels, results seem nevertheless consistent, which would tend to indicate certain compensatory effects of the different postulates adopted by the various teams. Of course, the comparisons are not restricted to overall figures but lead on to far more detailed analyses.
20
Applications and development of probabilistic studies
The data provided by probabilistic safety studies are used for many important purposes. As we have mentioned, they are primarily concerned with detailed analysis of the components of computed core meltdown probability and the relative weights of these factors rather than with absolute values. These tools enable the safety importance of a system, component or procedure to be better appraised, which is particularly useful for defining priorities for improvements, determining acceptable unavailability periods for equipment, deciding on appropriate frequencies for periodic testing or maintenance. It will be seen that they could ultimately give rise to significant changes of attitude with regard, for instance, to the notion and importance of fallback modes. However, such applications imply bearing in mind the characteristics and limits of these studies, together with the uncertainties associated with the data and models used. Moreover, if it is logical to focus attention on improving equipment or procedures which are obviously decisive for plant safety, caution is required before relaxing vigilance with regard to other equipment or procedures. Subsequent investigations could reveal circumstances where their importance is presently underestimated. The reactivity accident risk assessment stages discussed in the previous chapter (19.5.3.2) illustrate this point. This cautious standpoint is not adopted by all countries, notably the United States. The Probabilistic Safety Study results published in May 1990 constitute only a stage, albeit essential, in the process. The subsequent complementary and development work does not prevent utilization of current tools, which can itself give rise to new requests for studies or adaptations.
20.1. Use of probabilistic safety studies
The results presented in the previous chapter were obtained by means of complex models of the installations. These models, once attained, are available for data analysis in many areas, although the processing medium would have to be adapted for certain computations. No detailed complementary analysis is required, on the other hand, to urge forward safety optimization in shutdown states. EDF is currently investigating this problem. These studies could ultimately lead to a set of modifications aimed at better automation of protection and safeguard actions under these conditions.
20.1.1. Result analysis by sequence
The first result analysis method is by sequence. With this method, any prevalent sequences are identified and suitable corrective measures determined if required. This was the process followed, for instance, for the reactivity accidents described in Chapter 16. However, if the breakdown is too fine, the large number of sequences obtained will imply a relatively low weight for each, which could lead analysts to conclude that no improvement is required. Another advantage of this method is that all sequences culminating in equivalent physical situations can be grouped together, as in the case of core meltdown with the primary system at pressure. The risk of vessel melt-through causing containment degradation in such cases is significantly higher than when the vessel is not pressurized.
20.1.2. Weighting factors
This is a transverse method, determining the weight represented by a function, system, type or item of equipment in the overall core meltdown probability. Several factors can be defined, including the potential risk* decrementation factor and the potential risk incrementation factor, both starting from a reference core meltdown probability value R_0. This calculation does not differentiate between types of core meltdown and the resulting types of possible release.
20.1.2.1. Potential risk reduction factor
This factor, often called the Fussell-Vesely factor, is derived from an overall calculation in which the function, system or specific component considered, i, is assumed to be perfectly reliable. The result R_i^- can then be compared with the reference value R_0. The risk decrementation factor is then derived from these two values.

* For convenience, the term "risk" is used here to express computed core meltdown probability.
This factor indicates the theoretical gain to be achieved by modifying the element considered. It is a relative contribution to core meltdown probability, expressed as a percentage. As this probability is not a linear function of system failures, the sum of the contributions is greater than 100%. The F_ri factor can be used to define optimization priorities for current plant units or can contribute to design option decisions for future plants. Results are now available for the analysis by function for the 900 MWe units, each function using several systems:
• a risk decrementation factor of 34% is associated with the primary system "maintenance of the water inventory" function
• a risk decrementation factor of 27% is associated with the "residual heat removal" function
• a risk decrementation factor of 17% is associated with the "maintenance of a subcritical core" function.
These results convey only a general idea and are only usable if the way in which the systems are grouped by function is known. An analysis by system and for certain components has consequently been performed. It shows that absolute theoretical reliability of each of about ten functions, systems or items of equipment would reduce the computed core meltdown probability by between 19% and 5%. The systems and functions considered are as follows, in decreasing order of importance:
• pump motor cooling for the safety injection and containment spray systems, and control of the atmosphere of the pump motor rooms by the corresponding ventilation system in the event of repair work. This conclusion is not applicable to the 1300 MWe units, where the safeguard pumps are cooled by water from the component cooling system. The risk decrementation factor is 19% and the main sequences involved correspond to primary system breaks and total loss of cooling water
• reactor core cooling in the event of a primary break, reactivity control by injection of borated water, and containment of the primary system water at the recirculation stage by the safety injection system, with a risk decrementation factor of 14%
• the auxiliary feedwater system, where the risk decrementation factor is also 14%. The main sequences concerned in this case correspond to total failure of redundant systems, such as emergency shutdown, the main feedwater supply and the power supply
• the cooling water (pumping station, sea or river) (10%)
• the generation and transmission of, and compliance with, reactor protection system signals (9%, disregarding sensor reliability)
• reactor control by the control rods and the associated measurement and reactor control system (nuclear instrumentation system) (9%)
• the intermediate cooling system ensuring: transfer of residual power after shutdown to the heat sink under normal conditions and in the event of a primary break; cooling of auxiliaries such as the reactor coolant pumps, the chemical and volume control system pumps and the reactor cavity and spent fuel pit cooling and treatment system pumps (9%)
• protection of the primary system against overpressure by means of the pressurizer relief valves and by use of a "feed and bleed" configuration (7%)
• residual heat removal and maintenance of an adequate quantity of water in the primary system in the long term in the event of a primary break, using the complementary procedures H4-U3 (6%)
• 6.6 kV power supply to the low voltage distribution systems from offsite power sources and the standby diesel generators (5%).
On the other hand, the risk decrementation factor for the special equipment used in the event of total loss of power, turbogenerator (LLS) and test pumps, is less than 0.5%. The importance of the safeguard system ventilation system recalls the importance of the postulates adopted regarding containment spray and safety injection pump failure conditions and delays in the event of loss of coolant. Appropriate tests aimed at better assessing the validity of these postulates could considerably modify the results. More generally, we conclude that, for the 1300 MWe units, if all systems were perfect, apart from their initiator potential, the computed core meltdown probability would be decreased by 30%, whereas if all human interventions were perfect, the gain would be 70%. This clearly shows the importance of human factors. The results for the same assessment carried out for 900 MWe are a little less diversified.
20.1.2.2. Potential risk incrementation factor
This factor (sometimes called the Birnbaum factor) is calculated in similar fashion to that above, the main difference being that the element, system or function considered is assumed to be totally unavailable and beyond repair, and the resulting core meltdown probability is compared with the reference value R_0. In the international literature this ratio is more usually called the risk achievement worth; the Birnbaum importance proper is the difference between the results obtained with the element failed and with the element perfectly reliable.
This factor is more difficult to determine than that above since it can suddenly highlight low probability sequences which have consequently been less thoroughly investigated. Calculated for a family of equipment, this factor is used to pinpoint special qualification and maintenance requirements. When applied to a specific item of equipment, it is useful for analyzing real incidents or accidents and determining the safety importance of these events. After slight modification, it can be used to determine acceptable unavailability times. According to certain opinions expressed in international literature on the subject, it could contribute to operator decision-making as to whether an unavailability situation and associated duration are acceptable. However, the French position in such cases remains unchanged, advocating application of the technical operating specifications. It should also be possible to use this factor to decide for which equipment a more accurate assessment of observed failure rates would be justified. When applied to human actions, such as a switch to "feed and bleed" mode, it should provide food for thought on the possible automation of actions currently performed by the operators.
20.1.2.4. Technical specifications and fallback modes
We have just seen that the potential risk incrementation factor can be used to assess the potential consequences of equipment unavailability. It is therefore also a way of checking the rules applying to equipment unavailabilities and their acceptable durations. This will be discussed further in Chapter 22. Up till now, this assessment was based on an adapted formula, since the criterion adopted was that the duration of each unavailability should not result in an increase in core meltdown probability exceeding 10^-7 per year. The corresponding formula gives the annual amount of time which would lead to an increase of 10^-7 in core meltdown probability if the operating state of the plant were not modified. This calculation disregards the risks incurred under fallback mode conditions. But the switch to a fallback mode always involves one of the shutdown states which, as we saw in the previous chapter, have a non-negligible risk level. If we assess the core meltdown probability for each of the states considered on an hourly basis and compare the results with the mean hourly rate (Table 20.1), we observe significant discrepancies which are far from consistently in favor of the fallback operating modes. This is obviously not so in the case of state E, when the reactor vessel is open and the reactor cavity above it water-filled, since the thermal inertia of the system under these conditions is considerable. Nor does it apply to state F, where the core has been unloaded. But these states can only be reached by transition through states B, C and D, since the primary system has to be depressurized to atmospheric pressure and all primary water has to be drained from the steam generator tubes in order to open the vessel head without submerging its outer surface.

Table 20.1. Comparison of relative hourly risks for the different states. The relative hourly rate is the risk share divided by the time share.

State   Characteristics                                               Time %   Risk % (1990)   Relative hourly rate
A       Power operation and hot shutdown                              85%      68%             0.8
B       Between hot shutdown and transition to RHRS                   0.5%     5%              10
C       Shutdown under RHRS conditions, primary system water-filled   3%       9%              3
D       Primary system open, partially drained                        5%       18%             3.6
E       Primary system open, reactor cavity water-filled              2%       ≈0              0
F       Fuel unloaded                                                 3%       ≈0              0

These figures should only be considered as indicative. State B was studied with more pessimistic postulates than the others, and state C could require the finer subdivision adopted in other recent studies. Discussions as to the relevance of certain fallback modes and the authorized time allowances to reach them are still at a very early stage but, once ways have been found to improve the reliability of these states, they could lead to significant revisions of opinion on the safety impact of certain unavailabilities and their corresponding fallback modes.
20.1.3. Conditional core meltdown probabilities
Core meltdown probability has been assessed by associating, for each sequence considered, the probability of occurrence of an initiator with the probability that this initiator will lead to core meltdown. This second factor is known as the conditional core meltdown probability. It can be very useful in making a preliminary assessment of the importance of a real incident. In this case, the probability associated with the initiator is 1 since it has already occurred. Table 20.2 gives only certain characteristic examples.

Table 20.2. Conditional core meltdown probabilities.

Initiator                                             Initiator annual frequency   Core meltdown annual probability   Conditional probability
Vessel rupture                                        10^-7                        10^-7                              1
Auxiliary feedwater system failure while operating    3.4 10^-4                    1.4 10^-6                          4 10^-3
Small steam generator tube rupture                    4.8 10^-2                    1.5 10^-7                          3.6 10^-6
Loss of main feedwater supply                         1.91                         3.1 10^-6                          1.6 10^-6
Loss of main power supply                             0.3                          7.5 10^-8                          2.5 10^-7
20.1.4. Analyses of real accidents and comparison with the model Using the tools constituted by the probabilistic safety studies to assess observed incidents, the potential severity of these situations can be determined. The potential risk incrementation factor and the conditional core meltdown probability are in this case well adapted. Analyzing real incidents is moreover a means of ensuring that the description of the sequences actually observed is contained in the model and thereby of checking the latter's completeness. It also affords an opportunity of testing the tool's flexibility and defining further developments. The most complete study performed to date concerns the failure of an emergency switchboard at unit 4 of the Cruas plant. Arc initiation on one of the poles of the contactor supplying an essential service water system pump caused the cell to explode, followed by an outbreak of fire and the destruction of the main train B emergency switchboard, resulting in the unavailability of all train B safeguard equipment. This incident was caused by wear on shock absorbing washers inside the contactor. The situation was brought under control without radioactive release problems arising.
This incident illustrated the possibility of a common mode failure affecting both emergency switchboards, due to wear on the washers which are identical in both cases. This aging problem had already been identified. It also showed that an incident affecting equipment downstream from a switchboard could cause the latter to fail, which had not been envisaged in the model, since protection against electrical faults was considered highly efficient. Identifying this common mode and new type of fault (downstream incident affecting upstream equipment in an electric system) obviously gives no indications as to the corresponding values. Preliminary calculations have shown that this type of failure could increase the computed core meltdown probability by several tens of percent. Assessment of the conditional core meltdown probability for the Cruas incident gives a significant value, in the vicinity of 10-2. It takes into account the actual situation with regard to equipment availability at the time of the incident but also the real repair time (27 hours as against 72 hours used in the studies). This type of study thus highlights both the precursory nature of the incident considered and the value of the PSA tool, as to contents and flexibility.
20.1.5. Safety reassessment tool
While the enhancement of the reliability of shutdown states and of other risk components is currently much debated, the safety reassessment of the 900 MWe units would provide an opportunity for more systematic utilization of the results obtained. This will be discussed in Chapter 27.
20.1.6. General remarks on the utilization of probabilistic study results The utilization of probabilistic safety study results could, in certain cases, lead to attitudes which are contrary to one of the safety culture principles, "the prevention of complacency". It is certain that achieving a predefined target sometimes tends to slacken further efforts. In the same way, when a set reliability value is determined for a complex function, this may lead to definition for a given system of a reliability target below that which could be achieved without any particular difficulty by use of appropriate techniques, which would be a pity.
This can occur in the context of both periodic safety review and design basis definition for future plants.
20.2. Development of these studies and tools The current 900 PSA development program includes the following aspects: • updating of the study to cover the adaptations and additions resulting from current applications, including the measures taken to enhance shutdown safety • adaptation of the tool to facilitate its use • extension of the scope to cover fire hazards and determination of seismic margins • initiation of a "level 2" study aimed at determining the probability of radioactive release outside the containment.
20.2.1. Updating the initial study Changes have taken place in the plants and operating teams since the reference situation at the end of December 1989. There will be others. Their inclusion should result in lower core meltdown probability computed values. On the other hand, we have already indicated that certain sequences identified were not integrated in the study which gave the 1990 results. A comparison between the sequences included in the current study and those observed during real incidents can also give rise to complementary investigations and modification of models. This could mean that the probability of certain sequences would be increased. The availability of new thermal hydraulic computation tools, such as the SIPA simulator, will also enable confirmation or modification of certain postulates formulated over-cautiously, in the absence of adequate data. This updating will also involve modification of the tool, which has to be made usable by analysts who are not probabilistic specialists and have not been involved in the collaboration between EDF and IPSN on these matters.
20.2.2. Extension of scope
The study concerning inclusion of internal fires in the 900 PSA has started. It will require several years of work and changes to the processing medium. It should logically lead to a higher core meltdown probability. But above all, it could show that the importance of certain equipment currently classified as "low incidence" items would have to be reexamined. Complementary studies on earthquakes have also been initiated, but along fairly different lines.
20.2.2.1. Inclusion of fires
A fire can cause an initiator, in the sense given to the term in probabilistic safety studies. However, considering the multiple failures which could be caused by a fire, all the corresponding initiators may not have been integrated in the present study. Fires can both disturb reactor operation and damage one or several items of equipment required to control the situation. The time required to repair equipment damaged by fire is usually long. Finally, damage to certain electric cables can cause inadvertent startup of equipment.
The study has been undertaken in two stages. The first consists in identifying the areas in the plant where a fire could significantly contribute to the overall probability of core meltdown. This implies:
• listing the positions of safety related equipment
• identifying initiators which could result from a fire
• selecting "critical zones" by estimating the contribution of a fire to overall core meltdown probability for each zone.
The critical zones will then be analyzed in greater detail:
• by identification of fire scenarios
• by fire development studies
• by quantification of the fire scenarios and the corresponding core meltdown sequences.
This study will consider equipment the failure of which was not included in the current assessment, notably the control and instrumentation system cables. Finally, it must be noted that inclusion of fires may increase still further the contribution of shutdown situations to the computed overall probabilities, since:
• work requiring heat sources may be undertaken during outages
• combustible materials may be brought into the plant on these occasions
• redundancies may be reduced
• the design of systems only used in shutdown circumstances and the identification of common fire modes have not been as thoroughly investigated as for other systems. Instructions for physical separation may thus be inadequate.
20.2.2.2. Determination of seismic margins Existing international surveys confirm the difficulty of performing a probabilistic assessment of the consequences of earthquakes exceeding design basis conditions. In addition, both the design and construction rules and the qualification tests lead to significant margins. Initiator frequency is all the more difficult to determine in cases where it may be advisable to differentiate between deep, distant earthquakes, inducing low frequency motion on the site, and closer, shallow earthquakes, inducing higher frequency motion. In addition, if French plant units are almost identically built, in the context of the standardized series policy, seismic conditions are specific to each site and margins with respect to the standard design have to be assessed on a case by case basis. Investigations have already been carried out to see whether equipment not subjected to earthquake resistance requirements was liable to disturb the satisfactory operation of safety related equipment (Chapter 7). Subject to observance of the rules of the art as to design and construction, the concrete structures and static mechanical equipment offer significant margins with respect to collapse, since they are designed to withstand the safe shutdown earthquakes specific to the site. Moreover, for the reactor containment and mechanical equipment subjected to pressure, seismic loads are generally lower than those due to other sources. Non-static safety related equipment, such as pumps, valves, contactors, etc. are qualified to withstand stresses far in excess of those which would be induced by the design basis earthquake. However, the use of F- importance factors is being considered to determine equipment and components where a design basis revision would be advisable. 
Since the power transmission lines from the main and auxiliary external sources are not designed to withstand such a severe earthquake, it is normal to postulate their failure under these conditions. F- factors must consequently be determined for this particular configuration. Design calculations for safety related buildings outside the nuclear island, such as the water intake structures for instance, are based on a design spectrum specific to the site, which results in normal margins, although more limited than for standard buildings. Finally, sites where reappraisal of the seismicity shows that the initial data resulted in underestimated design calculations should be the subject of particular attention. As may be seen, the determination of seismic margins will make use of the weighting factors derived from the probabilistic safety studies, a priori without modifying either the contents or the results of these studies.
20.3. Probabilistic assessment of radioactive release Further to the "level 1" probabilistic studies concerning core meltdown, the purpose of the "level 2" studies is to assess the radioactive release probabilities associated with severe accident sequences. PSA level 2 will provide a new opportunity for systematic examination of the 900 MWe unit containment possible failure modes, whether on continuous structures or openings, taking isolation and filtering systems into account. What is in fact involved is to reexamine the phenomena described in Chapter 15, studied independently and from a deterministic standpoint, with a view to obtaining a realistic appraisal, with which probabilities would be associated. As for the level 1 study, we shall obtain overall release levels paired with probabilities, but it should be possible: • to estimate the contributions of the procedures and the severe accident guidelines (GIAG) • to decide whether improvements are necessary and determine the associated priorities as to procedures and technical resources • to classify research and development priorities • to reassess, in due course, provisions proposed for future reactors. The study is structured round a preliminary qualitative event tree featuring the accident scenarios and considering all possible types of containment failure. The next stage consists in: • using the 900 level 1 PSA to identify initial core degradation states liable to lead to containment degradation, with the corresponding probabilities • performing the physical studies required to assess containment behavior and quantify release according to the behavior of the safeguard systems, the severe accident management facilities and the reactor containment • determining the probabilities for the different types of containment failure and the associated release.
The latter point implies, notably:
• detailed knowledge of the factors influencing iodine and aerosol release (sump water chemistry, dose rates, paint, wall condensation, role of the containment spray system, etc.)
• assessment of energy transfers from the corium, the effects of a hydrogen explosion, the penetration leaktightness conditions, corium-concrete interaction, etc.
It is obvious that for certain phenomena (hydrogen detonation, deflagration-to-detonation transition, energetic interaction between dispersed fuel and water) it will be difficult to use clearly substantiated probability values. The quantifications used will integrate the state of the art and feasible progression paths.
20.4. Conclusions on the probabilistic safety studies The existing probabilistic safety studies were carried out with constant concern for realism and exhaustiveness. Their limits and uncertainties must nevertheless be borne in mind. However, these studies presently constitute an important tool for the safety assessment of the units concerned, particularly as they were computerized. These tools were moreover so constructed as to be able to accommodate the acquisition of new data, even if this required modifications to the processing medium. By inclusion of complementary developments, new studies and ever more operating feedback, it will be possible to reduce some of the uncertainties and achieve more and more balanced assessments. One of the main advantages of the probabilistic safety studies is their ability to incorporate "living" material.
21. The Chernobyl accident
On April 26, 1986, at 1:23:44 a.m. (local time), the Soviet nuclear power reactor Chernobyl-4 exploded. This accident, which is by far the most severe civil nuclear accident which has ever occurred, caused: • two immediate deaths by polytrauma, the death of 28 people within two months and subsequently of 14 others, • acute radiation syndromes for 237 people, including the short and medium term victims, • the fast evacuation of 135,000 people, • the irradiation and contamination of millions of individuals at levels liable to induce during their lifetime about 500 additional deaths from leukemia and 6,000 from cancer, • the appearance, since 1990, of a significant excess of thyroid cancer in children (about 700 by the end of 1995), • a widespread deterioration of the state of health of the most exposed populations, • the long term contamination of extensive areas of territory in Ukraine, Bielorussia and Russia, • economic, social and psychological upheaval in these countries together with institutional and political repercussions, • measurable contamination in many European countries, including France, • profound disturbance throughout Europe and indeed throughout the world. Six to eight hundred thousand people, the "liquidators", were required to carry out preliminary site decontamination work under precarious radiation protection conditions (about two hundred thousand in 1986 and 1987). The Chernobyl plant reactors are of the RBMK type (initials of the Russian words Реактор Большой Мощности Канальный, meaning high power, pressure tube reactor), the characteristics of which are: low enriched uranium fuel, graphite moderator, boiling water coolant circulating in pressure tubes. Such reactors are only to be found in certain countries of the former Soviet Union: Russia, Ukraine and Lithuania.
Elements of nuclear safety
We also know that, at the time of the accident, tests were being performed on the reactor under very specific conditions and outside the normal operating range, with low power and systems unavailable or shut off. However, just as in the case of the Three Mile Island accident, we have to go beyond a few comments on RBMK reactor design and the Chernobyl-4 operator errors. It is in this way that what was initially presented as the result of an accumulation of human errors has given rise to: • deep thinking on the minimum characteristics of efficient safety organization in a country • clarification of the notion of safety culture • a more realistic, more thorough approach to assessment of possible accident release and its effects • the updating of reactivity accident data on our own plants • acknowledgment of the information transparency rights of the general public. Many of these points have already been discussed. Safety is a continuous process and impetus from any source must be used to progress in all possible fields.
21.1. The Chernobyl plant and the RBMK reactors The Chernobyl plant is located at the Northern limit of Ukraine, about a hundred kilometers North of Kiev and not far from a relatively large new town, Pripyat, where plant staff and their families lived (Fig. 21.1.). The Bielorussian frontier is very close, only 10 to 15 km to the North. The Russian frontier is 150 km to the Northeast. Chernobyl-4 was one of the fourteen RBMK 1,000 MWe (3,200 MWth) reactors in service. As this type of reactor differs fairly widely from those we are accustomed to in Western Europe, we shall give a rapid description of it as it was at the time. It is a graphite-moderated thermal neutron reactor, fuelled with 2% enriched uranium oxide fuel elements in zirconium-niobium alloy clads, cooled by ordinary boiling water circulating from bottom to top in pressure tubes, also made of zirconium-niobium alloy. In the large stacked graphite moderator, 11.8 m in diameter and 7 m in height, surrounded by a radial reflector, are inserted vertically about 1700 pressure tubes (Fig. 21.2.).
The entire reactor unit stands on a welded metal structure contained in a concrete pit 21.60 m on each side and 25.50 m high. A fuelling machine is located over the reactor, for the on-line loading/unloading of the fuel in the pressure tubes.
Fig. 21.1. Central and Eastern Europe (1986).
Power and reactivity are controlled by means of 200 absorber rods, placed in 200 pressure tubes similar to those containing fuel and distributed over the core lattice. The rod drive mechanisms are located above the core, beneath the handling bay protective flooring. The absorber rods consist of boron carbide rings, with a lower graphite extension, 4.5 m in length. The insertion of fully withdrawn rods begins by replacing water by graphite in high neutron flux zones, thereby introducing reactivity. This effect had been observed in 1983 at the Ignalina plant, but the information had not been circulated to the other sites equipped with RBMK units, which included Chernobyl.
The rods are motor-driven for both withdrawal and insertion. Their maximum insertion speed is 0.4 m/s, which means that complete insertion from a fully withdrawn position requires from 18 to 20 seconds.
Fig. 21.2. Simplified sectional view of an RBMK 1000 unit.
The reactor is cooled by two independent loops, each removing the heat produced by half of the core. Each loop comprises two steam separators (30 m in length and 2.30 m in diameter) and four recirculation pumps (three operating and one on standby). The mixture of steam and water leaving each pressure tube after having passed through the reactor is directly piped to one of these steam separators. The water returns through 12 sets of piping to the headers and recirculation pumps feeding the pressure tubes through a series of headers, subheaders and piping. Each loop comprises 22 sub-headers, each 300 mm in diameter. Water enters the core at 270 °C, heats as it circulates upwards over 2.50 m and boils in the upper part of the core. The core outlet steam quality at full power is 14.5%. The reactor outlet pressure is 70 bar and the temperature 285 °C. Valves are provided to adapt the flowrate of each pressure tube to the power distribution. Each loop supplies a 500 MWe turbogenerator set.
The graphite stack is cooled solely by the pressure tubes. Under operating conditions, its temperature is consequently high except where in contact with the control rod tubes and the reflector. An emergency cooling system provides core cooling in the event of a main cooling system failure (breaks on circulation system piping, steam lines or feed water pipes). As in our own plants, ruptures of emergency cooling system piping, sub-headers and headers are design-postulated, but not rupture of large vessels like the steam separators. But it must be borne in mind that, in these reactors, we are not dealing with a pressurized vessel, but with individual pressure tubes. The design basis accident for these reactors is rupture of a 900 mm diameter header, compounded by loss of offsite power and observance of the single failure criterion. As regards the core itself and its cooling system, this is not fundamentally different from that adopted for our own PWRs. On the other hand, because of the general layout of the plant, the containment system is modular, comprising several leaktight compartments enabling containment of the accidents postulated for the different zones (especially the pressure buildup resulting from a pipe rupture). Four main containment zones are thus defined: the pressure tube feed-pipe zone, the main pump and piping zone, the steam line zone and the core itself. The modules are directly or indirectly connected to the pressure reducing pool, designed for steam condensation and located beneath the concrete pit containing the core. According to the Russian designers, the advantages of such a system reside in the absence of a pressure vessel, the absence of steam generators, the continuous refueling implying fuel cycle flexibility, and the possibility to adjust coolant flow on a channel-by-channel basis, with individual thermal and clad failure monitoring.
The drawbacks are the complexity of the coolant distribution and recovery system, the high accumulation of thermal energy in the metal structures, the graphite and the fuel, but above all the difficulty and complexity of power level control and power distribution adjustment. The latter point calls for a few additional comments. The RBMK reactor core is very large: 11.8 m in diameter, 7 m in height. Radial-azimuthal power oscillations due to Xenon effects are frequently encountered in cores of this size. Monitoring and controlling these oscillations requires many instruments and monopolizes a significant number of control rods. Considering the sensitivity of the in-core instrumentation, the fine power distribution is only accessible beyond 10% of nominal. Below this threshold, only overall information is provided by detectors outside the core, located in the mid-height plane.
Moreover, the quantity of graphite as compared with the quantity of fuel and their respective layouts are such that moderating functions are amply provided for. In these circumstances, if there is little neutron absorption in the core (few rods inserted, small quantity of U-235 in the fuel owing to its low initial enrichment or its burnup), the cooling water plays no neutron moderating role, unlike what happens in deliberately under-moderated light water reactors. From the neutronics standpoint, this water acts only as an absorber. As this water heats, its density will decrease, reducing overall neutron absorption in the core. It is then obvious that boiling part of this water at 70 bar, thereby reducing its density by a factor of 20, will increase the proportion of neutrons available to induce fissions. The reactor power will tend to increase, further accentuating the phenomenon. The power coefficient related to the water temperature is thus positive in part of the operating range. That corresponding to the vaporization rate, generally referred to as the void fraction, is also positive, since it depends on the same phenomenon. Fortunately, this effect is not the only one and the fuel temperature effect is always negative, owing to the Doppler* effect. Its absolute value increases with temperature. The overall power coefficient, which is the sum of these two effects plus a few other minor effects, is negative at high power but positive below 700 MWth. Moreover, this coefficient becomes more positive as the control rods are withdrawn. Finally, from the thermal hydraulic standpoint, it should be noted that, for the same power increment, the lower the initial power, the greater will be the steam production, since the coolant mass flowrate is approximately proportional to the power.
This set of physical data should have resulted in the inclusion of two stringent constraints in the RBMK reactor technical operating specifications: • prohibition of continuous operation below 700 MWth. Contrary to what was first stated, this constraint was never formally stipulated, • insertion in the core of the equivalent of 30 control rods under normal operating conditions. This second constraint, which is stipulated in the operating documents, was considered as necessary for power distribution control and not as a basic overall requirement for plant safety. It is to be noted that this maintained insertion level also avoids the previously mentioned positive reactivity effects associated with initiation of rod insertion. * The Doppler effect is the increase in neutron capture rate during their slow-down by the U-238 absorption resonances induced by heating.
21.2. The accident The Chernobyl-4 unit had been operating since December 1983. A shutdown for maintenance operations incompatible with reactor operation was scheduled for April 25, 1986. Immediately beforehand, it was planned to perform a special test, intended to demonstrate that, in the event of loss of offsite power, the emergency core cooling system (ECCS) could be powered by one of the turbogenerators, pending startup of the standby diesel generators. With the steam supply to the turbogenerator concerned shut off, power was to be supplied from the turbogenerator rundown. Tests of this type had already been performed, but electrical difficulties had been encountered. A new voltage regulation system had consequently been installed. The required initial power level for this test was 700-1000 MWth. Power reduction started on April 25. By about 1:00 p.m., the reactor power level was 1600 MWth, corresponding to 50%. One of the turbogenerators was then disconnected. In accordance with test program requirements, the ECCS was isolated, although the reason for this is not entirely clear. At this point, the local authorities responsible for electricity dispatching requested the plant to interrupt the power reduction and continue supplying 500 MWe to the grid. The reactor remained at half-power for 9 hours, during which time Xenon buildup in the core had reached its maximum value. To counterbalance this effect, control rods were gradually withdrawn. In addition, throughout this period the ECCS remained isolated, since prolonged operation with a safety system inhibited was not considered dangerous. Towards 11:00 p.m., power reduction was resumed. An hour and a half later, the switchover from automatic power control to manual control failed. The power dropped to 30 MWth. This phenomenon was at first thought to have been due to an operator error, but apparently this was not the case. So the automatic control function was lost. Xenon poisoning began to build up again. 
Steam production in the core was very low. A large number of control rods had again to be withdrawn in order to drive the power back up to 200 MWth, where it stabilized on April 26, at 1:00 a.m. Although the reactor was now outside the stable operating range (power level below 700 MWth and less than 30 rods inserted), the operators, who had not been made aware of the implications of this situation, decided to perform the test, following the initial test program instructions. As planned, two more main circulation pumps were started at 1:03 a.m. and 1:07 a.m., resulting in excessively high flowrates, well beyond authorized values. Since the core power level was below that envisaged for the test sequences, it was difficult to keep the steam pressure and water level in the separator drums within normal limits. So the operators blocked the trip signals corresponding to these parameters, in compliance with the test program procedure. By 1:22 a.m., owing to the Xenon buildup, only the equivalent of 6 to 8 rods remained in the core, whereas with less than the equivalent of 15 rods, immediate reactor shutdown was mandatory. These data were supplied by the operator aid calculator, which was not however equipped to initiate automatic action. The operators were still determined to carry out the test and, in order to be able to repeat it if necessary, they blocked the scram signals from the second turbogenerator. At 1:23 a.m., the turbine stop valves were closed, but the reactor continued to operate. The circulation pumps powered by the turbogenerator began to coast down, the coolant flowrate decreased, the water heated, producing steam. The void effect increased the reactivity level. The core temperature increased, producing even more steam. A diverging situation had been reached. At 1:23:40 a.m., the shift supervisor activated manual reactor scram but the effect produced was the opposite of that anticipated. As the lower part of the control rods entering the core contained no absorbent, the rods simply displaced the water in the pressure tubes, which significantly increased the core reactivity. So the power excursion induced by the increase in void fraction was "assisted" by insertion of the control rods! Calculations indicate that the reactor power soared to 100 times nominal in 4 seconds. The reactor shut down on its own, due to the negative reactivity effect resulting from fuel heating (Doppler effect) and to its partial destruction. The description of what then took place is based on eyewitness accounts, offsite radiation measurements, fuel behavior experiments performed previously, post-accident computations or conjecture.
However, it is difficult to assert that the scenario presented below is an exact account of what happened, especially as regards the sequencing of certain phenomena. The power excursion induced a high energy accumulation in the fuel pellets which exploded, releasing uranium oxide in powder form in the fuel channels, where it interacted with the steam, releasing additional energy (phenomena described in Chapter 16). The resulting explosion ruptured certain fuel channels, lifting off the 2,000 ton reactor top slab, thereby disrupting the other fuel channels and the horizontal piping to the steam headers and dragging out the control rods.
A second explosion occurred shortly afterwards. It could have been due to a deflagration of hydrogen which had been formed by interaction between water and the zirconium of the clads and pressure tubes and placed in contact with air after the core disruption. It could also have been due to the reactivity effect resulting from the global boiling of the water following the pressure drop from 70 bar to atmospheric pressure after breakage of all the pressure tubes. It is possible that heating the cold zones of the graphite stack may have induced a "Wigner effect"*, further contributing to energy release and extremely favorable to graphite ignition. The reactor upper structures were destroyed. No normally designed containment building would have been able to withstand these explosions. Incandescent debris shot into the air from the reactor core, the top of which was exposed to the open air. Fires started in thirty places in both Chernobyl-4 and the adjoining unit. Plant emergency teams and firemen from Pripyat and Chernobyl (15 km from the site) very quickly arrived on the scene and had extinguished all the fires in less than three and a half hours. Unfortunately, they were not efficiently protected against contamination and burns, the effects of which were compounded by those of external exposure. Twenty-eight of them died within a few days, in addition to the first two victims of the accident, who were on the top slab and died from polytrauma and severe burns. Very quickly, water was injected into the core to cool it and avoid graphite fires, but this proved unsuccessful. Part of the core collapsed. Fuel and graphite debris covered the 1.8 meter thick concrete base slab, which was attacked to a depth of 1 meter. Helicopters then dropped various mixtures of materials onto the reactor, including sand, boron, clay, dolomite and lead, in an attempt to stop the reactor fire and the release of radioactive products.
Between April 27 and May 10, 5,000 tons of material gradually covered the reactor, reducing the air flow to the graphite fire and the release of fission products. To begin with, the reactor core was thus partially contained, but the residual power was not being satisfactorily removed and graphite combustion continued. The graphite temperature rose again between May 2 and 5, increasing fission product release. Certain materials dropped onto the reactor mixed with the molten uranium, forming a sort of lava, some of which flowed down through the nozzles to the pressure reducing pools. * Neutron irradiation of graphite impairs the crystal lattice of this material where defects accumulate if the graphite temperature is below 350 °C, each defect retaining a certain quantity of energy. If the graphite temperature rises above 350 °C, the crystal lattice reverts to its stable form and the stored energy is immediately released. This phenomenon was observed on the Windscale reactor in the UK in 1952.
Pressurized nitrogen was injected under the reactor from May 5 to cool the corium and the base slab, and a heat exchanger was installed beneath it. Work then began on the building of a concrete structure to isolate the damaged reactor. In view of the particularly difficult conditions under which it was built, the life span of this concrete entombment was limited. Since 1990, its enclosure in a second containment has been under discussion, but work was carried out in 1995 to limit rainwater penetration and extend the adequacy of current provisions a little longer.
21.3. The release and its consequences There have been many, often contradictory, assessments of the release and its consequences on populations. The initial health situation in the countries considered and the attitude of the political authorities involved do not always facilitate accurate estimations, but things are changing. There are many publications on the subject, often produced by scientists from the countries concerned working in cooperation with associates from Western countries or from international organizations. An overall assessment of the consequences was made at Vienna (Austria) during a meeting held in April 1996 under IAEA, CEC and WHO sponsorship: "Chernobyl 10 years later. Assessment of the consequences of the accident". The information given below draws extensively on the data exchanged on that occasion.
21.3.1. Release kinetics One-third of the radioactivity release was immediate, at the time of the explosions and the core disruption. For the other two-thirds, released approximately between April 27 and May 5, the composition varied according to the different fuel zone temperatures, but they all contained iodine, cesium and probably noble gases in proportions varying according to the phases (Fig. 21.3.). From May 2, the gradual covering of the reactor with materials dropped from helicopters resulted in an increase in core temperatures, since it was less efficiently cooled, until graphite combustion had been smothered, towards May 6. Release on a far lesser scale nevertheless continued beyond this date. The estimated radioactive release now stands as follows: • about 100% of the noble gases, i.e. 6.5 × 10⁶ TBq (200 MCi) • 50 to 60% of the iodine 131: 1.5 to 1.9 × 10⁶ TBq (40 to 50 MCi) • 20 to 40% of the cesium 137: 85 × 10³ TBq (2 MCi) • 3 to 6% of the other fission products, actinides and fuel contained in the core: 7 × 10³ TBq (0.2 MCi).
Fig. 21.3. Radioactivity release excluding noble gases (activity released in MCi versus time).
These release levels consequently correspond to those of source term S1 (cf. Chapter 9). The very high temperature of the initial emission entrained the gases and aerosols to a relatively high altitude of between 1000 and 1500 m, which mitigated local consequences but favored diffusion of the radioactive products throughout Europe. In the following days, the releases reached altitudes of 200 to 400 m. In all cases, assessment of the radiological consequences shows that the influence of direct external exposure due to the plume was slight as compared with internal exposure due to aerosols and external exposure due to deposits (especially iodines and cesiums). Owing to highly variable meteorological conditions, the radioactive products were dispersed in almost all directions (Fig. 21.4.). When the plume was rain-washed, there were local radioactivity deposits several hundred kilometers from the plant. This is what caused the disconcerting "leopard skin" contamination distribution which resulted in the belated identification of this contamination to the North and East of Gomel (Fig. 21.5.).
21.3.2. Population protection There were no inhabitants in a 3 km radius round the plant. At Pripyat, the nearest large town, which began immediately beyond this distance, the dose equivalent rate began to rise late at night on April 26, reaching 10 mSv/h, i.e. 1 rem/h, by April 27, between 24 and 36 hours after the accident. The incredulity of the plant management when confronted with the gravity of the situation delayed decisions. The population was only fully informed on April 27, at the beginning of the afternoon, when evacuation began and stable iodine was distributed. Rumors had been rampant since the day before, but no concrete protective measure had been taken. The whole body doses received by the population of Pripyat during the first two days are assessed at between 0.015 and 0.050 Gy.
Fig. 21.4. Initial release trajectories.
Fig. 21.5. Map of cesium 137 ground contamination.
Table 21.1. Assessment of the collective external dose received by the evacuated populations.

Distance from the reactor (km)   Size of population   Collective dose (man-Sv)   Mean individual dose (mSv)
Pripyat* (3 km)                   45 000                1 500                       33
3 - 7                              7 000                3 800                      540
7 - 10                             9 000                4 100                      460
10 - 15                            8 200                2 900                      350
15 - 20                           11 600                  600                       52
20 - 25                           14 900                  900                       60
25 - 30                           39 200                1 800                       46
Total                            135 000               16 000                      120

* first town to be evacuated
During the next few days, 90 000 more people were evacuated. All these people were medically examined. The collective and mean individual dose equivalents received by the evacuated populations are summarized in Table 21.1. If we consider the release distribution versus time, the wind direction map, the map showing contamination measured in a 10 to 20 km radius around the site and the location of the "red forest" (400 hectares of Norway pines "burnt" by an extremely high radiation level, in the vicinity of 100 Gy), it is evident that had there been a 12 to 24 hour shift in the weather conditions, the population of Pripyat could have been far more severely affected (Fig. 21.6.). The Bielorussian populations, although not far away, to the North of the site, were only informed and, for some of them, evacuated later, since the frontiers between Soviet republics proved an efficient barrier to both information and decision-making. This was also the case for the Oblast (administrative region) of Bryansk in Russia. The population of these regions benefited neither from the distribution of stable iodine nor from rapid restriction decisions with regard to the consumption of contaminated produce. The estimated thyroid doses received by these populations are ten times higher than those of the inhabitants of Pripyat. The contamination maps produced in 1990-1991 showed that the Oblast of Gomel, especially to the South and the Northeast, had been severely affected. Cesium 137 ground contamination locally exceeded 1.5 MBq/m² (40 Ci/km²). This was also the case in Russia, around and to the North of Novozybkov.
Fig. 21.6. Cesium 137 contamination near the site.
Still further afield, in Russia, the regions of Bryansk, Kaluga, Tula and Orel, located about 500 km from the accident site, also revealed significant levels of contamination (0.2 MBq/m², 5 Ci/km²). This cesium contamination distribution, which can still be observed because of the long half-life of this substance, may not be entirely representative of that for iodine. Release kinetics between the initial explosions and the graphite combustion period may have been different for these two substances. In all, about 800 000 people inhabited regions where the radioactivity due to cesium 137 deposits exceeded 0.2 MBq/m². 33 000 people inhabited regions where this radioactivity exceeded 1.5 MBq/m². The cesium deposit dose conversion factor is 2.76 Sv·h⁻¹ per TBq·m⁻². The external exposure due to a 0.2 MBq/m² (5 Ci/km²) ground contamination is consequently 0.55 µSv/hour (5 mSv/year). Internal exposure by ingestion would increase this by less than 25%. Exposure inside non-contaminated buildings is only about 20% of these values. Apart from exceptional cases (farmers and forestry workers), populations living in these areas are considered to spend 5 hours out-of-doors and 15 hours indoors. This brings these doses down to about 2 mSv/year, which is twice the mean natural exposure value. Long term exposure assessments integrated the radioactive half-life (30 years) and the gradual sinking of cesium 137 into the ground. A total exposure of 1 mSv for the first 4 years after the deposit is followed by a total exposure of only 3 mSv for the next 66 years.
21.3.3. Health consequences As we saw in Chapter 1, exposure to radiation induces either quasi-immediate, deterministic symptoms for doses exceeding certain thresholds, or random (stochastic) effects, the probability of which is assumed to be proportional to the dose received, but which only become apparent after a latent period of between several years and several tens of years. The effects to be feared for the exposed populations are illnesses which may be benign (hypothyroidism and thyroid nodules, for instance) or malignant (leukemia, cancer), or the transmission of genetic anomalies to descendants. As soon as exposure and contamination assessments were released, forecasts were made based on experimental knowledge of radiation effects. These estimations can now be compared with the reality existing nearly ten years later.
21.3.3.1. Short term effects The short term victims of the accident are to be found amongst the plant staff and the firemen directly involved in extinguishing the fires. The deaths during the first months following the accident were thus due to high radiation doses, often combined with severe burns. This combination may have diminished the effectiveness of bone marrow grafting operations, but the overall number of deaths was no surprise, considering the exposure levels involved.
21.3.3.2. Post-accident forecasts In the late 1980s, the committed doses with respect to the life span of people inhabiting the various "controlled areas" where the ground surface activity exceeded 0.6 MBq/m² (15 Ci/km²) were assessed (Table 21.2.).

Table 21.2. Committed dose equivalents in the controlled areas of each region.

Region    Population in zones with more than 0.6 MBq/m²   Collective dose equivalent (man-Sv)   Mean individual dose (mSv)
Zitomir    31 200                                           8 500                                272
Kiev       20 800                                           5 700                                274
Gomel      85 700                                          19 400                                226
Mogilev    23 300                                           6 300                                270
Bryansk   111 800                                          23 400                                209
Total     272 800                                          63 300                                232
Taking a reference basis of five induced cancer deaths per 100 man-Sv, we obtain an extra 3165 deaths from cancer, to be compared with the natural cancer deaths expected in 20% of the population, i.e. 54 560. The increase in the number of deaths from cancer would consequently be about 6%. Given the lack of accurate data on the real cancer death percentages unrelated to the accident, it is not certain that the effects of the accident in this respect can be clearly demonstrated even after the death of the entire population concerned. Several international organizations have attempted to clarify the health situation in the areas concerned and among the displaced populations. However, difficulties were encountered due to the insufficient data available on the initial situation and the fact that such an assessment would require considerable human and material resources, together with the unreserved support of the local authorities. On the latter point, progress is gradually being made. It is nevertheless obvious that there are health problems in all three of the Republics concerned by the accident. The very real deterioration of the health situation tends rather to be considered as related to a post-traumatic stress disorder, characterized by anxiety, depression and psychosomatic illnesses. It is responsible for strained family relationships, divorces, an increase in alcohol consumption, excessive reliance on medication, aggressiveness, suicides and, in general, behavioral disorders. Local doctors and specialists from abroad report a chronic state of anxiety and stress, responsible for erratic pains, insomnia, backwardness at school, etc., all systematically blamed on the Chernobyl disaster. It is, in addition, very likely that the current health monitoring provisions, which are far more extensive than before the accident, are revealing illnesses which previously existed but formerly went unnoticed.
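The dose figures of Section 21.3.2 (deposit → outdoor dose rate → annual dose with the 5 h/15 h occupancy pattern) and the risk arithmetic above (collective dose → induced cancer deaths → increase over the baseline) rest on a handful of conversions. The following Python script, an added worked example that is not part of the book, carries them through with the book's own constants (2.76 Sv·h⁻¹ per TBq·m⁻², 20% indoor factor, 5 deaths per 100 man-Sv, 20% baseline cancer mortality, 30-year half-life) and checks Table 21.2 for internal consistency. The decay-integration helper and its "effective half-life" parameter are assumptions of mine: the book's long-term figures additionally account for cesium sinking into the soil, which this script represents only through whatever effective half-life the caller supplies. The copy of Table 21.2 is constructed from the page.

```python
"""Worked dose and risk arithmetic for Chernobyl ground deposits (added example, not from the book)."""
import math

# Constants quoted in the text (Sections 21.3.2 and 21.3.3.2).
DOSE_RATE_SV_PER_H_PER_TBQ_M2 = 2.76   # external dose rate over a Cs-137 ground deposit
INDOOR_FACTOR = 0.20                    # exposure in uncontaminated buildings, fraction of outdoor value
HOURS_OUTDOORS_PER_DAY = 5.0
HOURS_INDOORS_PER_DAY = 15.0
CANCER_DEATHS_PER_MAN_SV = 5.0 / 100.0  # 5 induced cancer deaths per 100 man-Sv
BASELINE_CANCER_MORTALITY = 0.20        # 20% of any population dies of cancer anyway
CS137_HALF_LIFE_Y = 30.0                # decay period used in the text
HOURS_PER_YEAR = 8760.0

# Constructed copy of Table 21.2: population, collective dose (man-Sv), stated mean dose (mSv).
TABLE_21_2 = {
    "Zitomir": (31200, 8500, 272),
    "Kiev": (20800, 5700, 274),
    "Gomel": (85700, 19400, 226),
    "Mogilev": (23300, 6300, 270),
    "Bryansk": (111800, 23400, 209),
}


def ci_per_km2_to_mbq_per_m2(ci_per_km2):
    """Unit conversion: 1 Ci = 3.7e10 Bq and 1 km^2 = 1e6 m^2, so 1 Ci/km^2 = 0.037 MBq/m^2."""
    return ci_per_km2 * 3.7e10 / 1e6 / 1e6


def dose_rate_usv_per_h(deposit_mbq_per_m2):
    """Outdoor external dose rate (microsievert/h) over a Cs-137 deposit given in MBq/m^2."""
    deposit_tbq_per_m2 = deposit_mbq_per_m2 * 1e-6
    return deposit_tbq_per_m2 * DOSE_RATE_SV_PER_H_PER_TBQ_M2 * 1e6


def continuous_annual_dose_msv(deposit_mbq_per_m2):
    """Annual dose (mSv) for someone outdoors all year: the text's '5 mSv/year' figure."""
    return dose_rate_usv_per_h(deposit_mbq_per_m2) * HOURS_PER_YEAR / 1000.0


def occupancy_annual_dose_msv(deposit_mbq_per_m2,
                              outdoors_h=HOURS_OUTDOORS_PER_DAY,
                              indoors_h=HOURS_INDOORS_PER_DAY,
                              indoor_factor=INDOOR_FACTOR):
    """Annual external dose (mSv) weighted by the text's occupancy pattern.

    Assumption: the text accounts for only 5 h outdoors and 15 h indoors per day,
    so the remaining 4 h are treated here as contributing no dose.
    """
    effective_hours_per_day = outdoors_h + indoors_h * indoor_factor
    return dose_rate_usv_per_h(deposit_mbq_per_m2) * effective_hours_per_day * 365.0 / 1000.0


def integrated_dose_msv(first_year_msv, years, effective_half_life_y=CS137_HALF_LIFE_Y):
    """Dose accumulated over `years` if the annual dose falls off exponentially.

    Assumption: one effective half-life stands in for radioactive decay plus the
    gradual sinking of cesium into the soil; with the physical 30-year value only
    decay is represented, so the result is an upper bound on the text's figures.
    """
    lam = math.log(2.0) / effective_half_life_y
    return first_year_msv * (1.0 - math.exp(-lam * years)) / lam


def mean_individual_dose_msv(collective_man_sv, population):
    """Mean individual dose (mSv) from a collective dose (man-Sv), as in Tables 21.1 and 21.2."""
    return collective_man_sv / population * 1000.0


def excess_cancer_deaths(collective_man_sv, risk_per_man_sv=CANCER_DEATHS_PER_MAN_SV):
    """Linear, no-threshold estimate of induced cancer deaths from a collective dose."""
    return collective_man_sv * risk_per_man_sv


def relative_cancer_increase(collective_man_sv, population, baseline=BASELINE_CANCER_MORTALITY):
    """Induced deaths divided by the cancer deaths expected anyway in that population."""
    return excess_cancer_deaths(collective_man_sv) / (population * baseline)


def table_21_2_mismatches(tolerance_msv=1.0):
    """Regions whose stated mean dose disagrees with collective dose / population."""
    return [region for region, (pop, man_sv, stated) in TABLE_21_2.items()
            if abs(mean_individual_dose_msv(man_sv, pop) - stated) > tolerance_msv]


if __name__ == "__main__":
    print(f"5 Ci/km^2 = {ci_per_km2_to_mbq_per_m2(5):.3f} MBq/m^2")
    print(f"dose rate outdoors over 0.2 MBq/m^2: {dose_rate_usv_per_h(0.2):.2f} uSv/h")
    print(f"continuous exposure: {continuous_annual_dose_msv(0.2):.1f} mSv/year")
    print(f"5 h out / 15 h in:   {occupancy_annual_dose_msv(0.2):.1f} mSv/year")
    print(f"70 years, decay only: {integrated_dose_msv(occupancy_annual_dose_msv(0.2), 70):.1f} mSv")
    total_pop = sum(p for p, _, _ in TABLE_21_2.values())
    total_man_sv = sum(d for _, d, _ in TABLE_21_2.values())
    print(f"excess cancer deaths: {excess_cancer_deaths(total_man_sv):.0f} "
          f"({100 * relative_cancer_increase(total_man_sv, total_pop):.1f}% over baseline)")
    print("Table 21.2 inconsistencies:", table_21_2_mismatches() or "none")
```

Running the script reproduces the 0.55 µSv/h, the 5 mSv/year continuous figure, the roughly 2 mSv/year occupancy-weighted figure (1.6 mSv before rounding), the 3165 induced deaths and the 6% increase; the decay-only 70-year integral comes out far above the book's 4 mSv, which is the point of the caveat about soil migration.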
The fact that the phenomenon persists ten years after the accident occurred introduces a new concept of chronic environmental stress disorder. It is also apparent that the permanent, large scale evacuation of populations accentuates and fosters anxiety in the communities concerned, giving rise to additional problems of adaptation. The permanent relocation of populations should consequently only be adopted after careful consideration.
21.3.3.3. Thyroid cancers in children

We are now approaching the end of the latent period for certain cancers, and these findings may again be called into question. In this connection, since 1990 an increasing number of thyroid cancers has been observed in children from the Oblast of Gomel and also, to a lesser extent, in children from Pripyat and in the population of the part of Russia nearest to Chernobyl (Tables 21.3 and 21.4). Initially considered controversial, these observations are now beyond question. Up until 1989 the figures are consistent with world-wide observations, i.e. approximately one case per million inhabitants per year. The cancers observed since then concern children under 15, some of whom were irradiated in the womb after the third month of pregnancy. They appear after a relatively short latent period and are more numerous than assessments based on current knowledge of the effects of iodine 131 and on the accident release data would have indicated. Their obvious correlation with most of the areas still contaminated with cesium leaves no doubt as to their origin. It has moreover been noted that cancer frequency in children born after the accident has practically reverted to normal. The results are as follows:

Table 21.3. Child thyroid cancers in Byelorussia (number of cases per year).
Region         86   87   88   89   90   91   92   93   94   95   Total
Gomel           1    2    1    3   14   34   36   44   48   43     226
Brest           0    0    1    1    7   17   24   21   21    5      97
Others          1    2    3    3    8   15   19   17   22   11     101
Byelorussia     2    4    5    7   29   66   79   82   91   59     424
Table 21.4. Child thyroid cancers in Ukraine (number of cases per year).

Region              86   87   88   89   90   91   92   93   94   Total   Number of children
"Contaminated"       3    0    2    4   12   13   34   28   25     121           200 000
"Noncontaminated"    0    0    1    1    7    5   17   24   21      90         8 800 000
Ukraine              7    8   11   26    8   22   47   43   39     211        10 800 000

(The yearly figures of the "noncontaminated" row, as recovered from the page, add up to 76 rather than the stated total of 90; one entry in that row is evidently corrupt.)
Suitable treatment provided early enough enables survival under normal conditions for several years, with 100% recovery if there are no metastases in the lungs. There have nevertheless been three deaths in Byelorussia.
Fig. 21.7. Child thyroid cancers in Byelorussia (number observed per year and incidence per 100 000 children).
Twenty cases have also been observed in Russia, in the Briansk and Kalouga regions. This is doubtless only the beginning of an epidemic which could develop in the new adult population, coming to a head 25 to 30 years after the accident and causing from 4 000 to 8 000 additional cancers. As these particular cancers are relatively rare, the effects of the accident would, in this case, be directly observable.
21.3.3.4. Health monitoring of the "liquidators"

Russian research workers and doctors from the All-Russia Center of Environmental Medicine* have noted similarities between what is observed in the highly contaminated areas around Chernobyl, and in certain "liquidators" who have been traced, and what was recorded in the Ural regions contaminated after the Kyshtym accident of 1957 (the explosion of a tank containing large quantities of radioactive products and the dispersion of its contents) and in Kazakhstan (irradiation from atmospheric nuclear tests), in studies which have only recently been released.
* Interministerial organization, under the jurisdiction of the ministries for health and for defense, the Chernobyl State Committee, the State Committee for health and epidemiological surveillance and the Military Academy of Medicine.
These researchers have notably put forward the possibility that radiation impairs the immune system, leading to the development of various non-specific pathologies. The team has now assembled data on more than 40 000 of the 600 000 "liquidators". Respiratory, digestive and central nervous system disorders were observed in a significant proportion of those whose exposure exceeded 0.25 Gy. This value is below the generally accepted threshold for the appearance of deterministic effects, but the exposure levels themselves are difficult to assess, given the conditions at the time. Observations on the mortality of these populations, on the other hand, are contradictory. To interpret them, it must not be forgotten that there is a certain mortality rate at all stages of life, as shown in Fig. 1.1. The IPSN has launched a cooperation program with the All-Russia Center of Environmental Medicine, in which combining their observations and experience with our research facilities could contribute to a better understanding of the phenomena considered.

21.3.3.5. Current forecasts

The conference held in Vienna in April 1996 provided an opportunity to revise the estimates of the number of additional cancer and leukemia deaths which could occur over the lifetime of the most exposed populations (Table 21.5). These figures result from applying to low doses the linear laws adopted for radiation protection assessments. As already mentioned in Chapter 1, they are probably overestimates. They have to be compared with the numbers of cancer or leukemia deaths expected in populations which are not particularly exposed. As this data was not available for the populations concerned, the corresponding European data was used (the graphs in Chapter 1 apply to the entire French population, where life expectancy is particularly long).

Table 21.5. Prediction of "normal" and "excess" deaths from solid cancers. The bracketed percentages are fractions of the group concerned.

Population                        Number (mean dose)     Cancer deaths, all causes   Anticipated excess
Liquidators (1986-1987)             200 000 (100 mSv)     41 500 (21%)                2 000 (+1%)
Evacuees from the 30 km zone        135 000 (10 mSv)      21 500 (16%)                  150 (+0.1%)
Controlled areas (> 555 kBq/m2)     270 000 (50 mSv)      43 500 (16%)                1 500 (+0.6%)
Other contaminated areas          3 700 000 (7 mSv)      433 000 (16%)                2 500 (+0.07%)
A similar calculation for fatal leukemia cases gives a normal expected number of 15 300 (incidence of about 0.3%) with a possible 510 extra cases. These figures are obviously not negligible but, unlike the case of the thyroid cancers, one must be wary of attributing any other cancer which may affect the populations concerned to the aftermath of Chernobyl.
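The earlier estimate (3165 excess deaths from a collective dose of 63 300 manSv, compared with a 20% baseline cancer mortality) and the rows of Table 21.5 both rest on the same linear rule: excess fatal cancers equal the collective dose multiplied by a risk coefficient. The Python below is an added worked example, not code from the book; the numerical inputs are the book's, while the function and variable names are ours. It reproduces the 3165 figure and the "about 6%" increase, shows that the bracketed percentages of Table 21.5 are fractions of each group rather than of its cancer deaths, and works out the coefficient each row of the table implies.

```python
"""
Collective-dose arithmetic behind the Chernobyl cancer estimates.

Added worked example (not from the book). Linear model: excess fatal
cancers = collective dose (person-sieverts, written manSv in the text)
x risk coefficient; the excess is then compared with the cancer deaths
expected anyway. Inputs are the book's figures; names are ours.
"""

from dataclasses import dataclass


@dataclass(frozen=True)
class ExposedGroup:
    name: str
    persons: int
    mean_dose_sv: float  # mean individual dose, sieverts

    @property
    def collective_dose_man_sv(self) -> float:
        """Collective dose: number of persons x mean individual dose."""
        return self.persons * self.mean_dose_sv


def excess_deaths(collective_dose_man_sv: float, deaths_per_man_sv: float) -> float:
    """Linear, no-threshold rule: excess fatal cancers = collective dose x coefficient."""
    return collective_dose_man_sv * deaths_per_man_sv


def relative_increase(excess: float, persons: int, baseline_fraction: float) -> float:
    """Excess as a fraction of the cancer deaths expected without the accident;
    baseline_fraction is the share of the group that dies of cancer anyway."""
    return excess / (persons * baseline_fraction)


def implied_coefficient(excess: float, collective_dose_man_sv: float) -> float:
    """Risk coefficient (deaths per manSv) that a published excess implies."""
    return excess / collective_dose_man_sv


def earlier_estimate():
    """Book's first estimate: 63 300 manSv, 5 deaths per 100 manSv, 272 800
    persons of whom 20% (54 560) are expected to die of cancer anyway."""
    excess = excess_deaths(63_300, 5 / 100)              # 3165
    increase = relative_increase(excess, 272_800, 0.20)  # ~0.058, "about 6%"
    return excess, increase


# Table 21.5 (Vienna, April 1996): group size, mean dose and published excess.
TABLE_21_5 = [
    (ExposedGroup("Liquidators 1986-1987", 200_000, 0.100), 2000),
    (ExposedGroup("Evacuees, 30 km zone", 135_000, 0.010), 150),
    (ExposedGroup("Controlled areas (> 555 kBq/m2)", 270_000, 0.050), 1500),
    (ExposedGroup("Other contaminated areas", 3_700_000, 0.007), 2500),
]


def table_21_5_rows():
    """For each row: excess as % of the group (the table's bracketed figures)
    and the deaths-per-manSv coefficient the row implies."""
    rows = []
    for group, published_excess in TABLE_21_5:
        pct_of_group = 100 * published_excess / group.persons
        coeff = implied_coefficient(published_excess, group.collective_dose_man_sv)
        rows.append((group.name, round(pct_of_group, 2), round(coeff, 3)))
    return rows


if __name__ == "__main__":
    excess, increase = earlier_estimate()
    print(f"excess deaths {excess:.0f}, relative increase {increase:.1%}")
    for name, pct, coeff in table_21_5_rows():
        print(f"{name:35s} +{pct:.2f}% of group, {coeff:.3f} deaths per manSv")
```

Run as a script, it prints 3165 and +5.8%, then the four rows of Table 21.5 at +1.00%, +0.11%, +0.56% and +0.07% of their respective groups. The implied coefficients come out at roughly 0.1 fatal cancer per manSv, twice the 5 per 100 manSv of the earlier estimate; the book does not state the coefficient behind Table 21.5, this is simply what its rows work out to.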
21.3.4. Long distance atmospheric transfers

Populations much further away, like those in France, on the other hand received very low dose equivalents. Although these can be calculated from highly sensitive radioactivity measurements, they should, apart from very specific cases, be well below the fluctuations in annual natural irradiation from one region to another. The first measurements of the radioactive cloud were made in Sweden, 48 hours after the explosions. The cloud then returned towards the Soviet Union, reaching as far as the Black Sea within about ten days. The cloud which passed over France at the beginning of May, slightly contaminating certain areas, particularly in the Southeast, had been emitted on April 27. Trajectory analysis shows that for a release lasting about ten days, with material circulating at different altitudes, the variability of wind conditions means that most directions around the emission source can be covered. Sensitive measurements made in many different countries confirm this.

Very soon after the accident, it was known which regions had been mainly affected, but accurate contamination mapping proved difficult owing to the highly uneven distribution patterns, involving "hot spots" where the radioactivity was ten times the mean surface activity. In France, the mean dose commitment for the 12 months following the accident was approximately 0.06 mSv per person, with regional variations from 0.005 to 0.17 mSv. These are very low doses, to be compared with natural exposure, averaging 2.4 mSv per year. A few patches of contamination of up to 1 Ci/km2 (37 kBq/m2) were observed in the Mercantour, an uninhabited part of the upper Var region.
21.3.5. Long term contamination risks

During cleanup operations, the many tons of core materials ejected onto the site by the second explosion were bulldozed to the foot of the damaged reactor or buried in about 800 storage pits distributed over the site. This debris contains notably strontium and plutonium, and nothing protects it against leaching by rainwater into the ground and the water table. The contamination migrates into the ground by dissolution and is then carried by the groundwater to waterways or springs. These processes are slow but inevitable. They can be limited by constructing a geotechnical barrier, a leaktight wall embedded in the ground around the most heavily contaminated area, including the four reactors. This work was undertaken in 1986 downstream of the groundwater flow, but had to be interrupted because it was causing a significant rise in the water table: rainwater and the substantial leakage from the condenser raw cooling water systems soaked into the ground but could no longer drain away. The higher water table caused by sealing off the most severely contaminated area would flood the plant unit basements, which would obviously prevent their continued operation.

Even the large cooling pond providing cooling water for the different units is highly contaminated, since it received 5 000 m3 of water from the basement areas of the damaged unit. Nearly 2 x 10^5 TBq (5 MCi) of radioactive products are, for the most part, concentrated in the sediment of this pond. They migrate several centimeters per year towards the river Pripyat, which flows into the Dniepr. The pond, still used to cool the two remaining reactors in service, can only be decontaminated once these two units have been shut down.
21.4. Causes of the accident and lessons learned

The first elements provided by the Russian authorities placed the blame mainly on the operators, referring continually to violations of the operating rules. It now appears that these rules were either nonexistent or badly formulated and not clearly understood, and that the true causes of the disaster were the plant design, highly inadequate safety studies, and indeterminate technical specifications and operator training. In fact, it is the entire Soviet nuclear system which is called into question, including designers, builders, operating utilities and even the safety authorities.
Right at the beginning of the test preparations, the safety implications of the test seem to have been overlooked, even though the test program itself provided for several significant deviations from normal operating procedure, such as switching off the ECCS and starting all eight main circulation pumps, which obviously lowered the plant safety level. The test program had not been submitted for approval to the plant safety commission and was to be supervised only by an electrical engineer. As the test proceeded, protection systems were inhibited one after another:
• the safety injection system
• emergency shutdown on level and pressure alarms in the steam separators
• emergency shutdown on stoppage of the second turbine.
In addition, the operators were quite prepared to keep the reactor running under conditions outside the authorized limits more or less clearly stipulated in the technical operating specifications. Examples:
• operation for 9 hours without any possibility of safety injection
• prolonged operation below 700 MWth
• control rod insertion well below 30 rod equivalents
• continued operation despite the control rod position printout indicating that the reactor had to be shut down immediately.
The operators acted as if they were totally unaware of the consequences of these actions. Such practices were apparently not exceptional, so it is certain that they were both known and tolerated by the plant managers and the resident safety authority inspectors. Compounding these operating errors were the following design characteristics of this type of reactor:
• instability of the core at low power, due to the strongly positive void coefficient of the cooling water
• absence of a fast scram system free of an initial adverse reactivity effect
• few automatic protection systems and a large array of blocking devices; greater reliance was placed on operator initiative than on automatic systems, initially considered less reliable.
Various measures have been defined by the Russian designers to make the RBMK reactors less vulnerable to operator errors and procedure violations. All control rods have been fitted with a device ensuring a minimum insertion of 1.20 m, and 70 to 80 rods will remain inserted. These two measures reduce the positive void coefficient and enhance rod worth. The insertion time has moreover been reduced from 19 to 2.5 seconds and the rod design has been modified to eliminate the positive reactivity effect induced at the start of insertion. The fuel uranium enrichment has been increased from 2 to 2.4%, with provision for additional control rods.

As regards the operators, new approaches to safety organization, and to the corresponding authorization and inspection methods and procedures, have been noted. In the more specific area of operating team training, a simulator course covering all situations, including severely disturbed operating states, is in preparation. Work with the first simulator began in January 1987, but the first full-scope simulator only came into operation in 1991. The possibilities for simulating beyond design basis accidents remain limited. Operating staff should now be in a position to acquire the safety culture they lacked when they systematically blocked protection systems or continued operating outside authorized limits.

In view of the difficult, rapidly changing context in Eastern Europe, the representative of the Russian safety authorities requested Western assistance for the RBMK type reactors in September 1991. This followed German reunification in 1990, when experts from Western Europe had been able to inspect in greater detail the Soviet-designed pressurized water reactors, the VVERs. A cooperation program involving methodology exchanges was implemented by the developed nuclear countries, covering staff training, in-depth safety analysis of the plants and definition of the necessary modifications. The data transmitted by the end of 1995 were not a sufficient basis for an exhaustive safety assessment of these units.

The measures described above, directly based on the accident scenario, do not cover all the safety problems raised by RBMK type reactors. For example, breakage of only a few pressure tubes can lift the top slab, thereby rupturing the other tubes; pressure tube breakage has already occurred several times, and periodic inspections are difficult to carry out. In addition, where safety systems are redundant, the redundant trains are generally housed in the same area, where a single fire or flood can reach them all. Seismic hazards, for example, would not appear to have been systematically considered.
21.5. Future of the other Chernobyl units

In 1990, the Ukrainian parliament voted for shutdown of the three remaining Chernobyl units before 1993. Unit 2 was shut down in 1991 after a serious fire in the turbine building. In November 1993, the Ukrainian parliament reversed its previous decision, the generating capacity of the two remaining units being regarded as essential to meet the country's energy requirements. Because of the initial decision to shut these units down in the short term, the modifications needed for their continued operation were implemented belatedly, and the available information on the technical condition of the units at the end of 1995 is not entirely clear.

Unit 1, a first generation RBMK, has serious safety deficiencies: its auxiliary feedwater systems are only sized to compensate for small breaks in the reactor cooling system. In units 1 and 3 there is no provision for the separation of redundant equipment or for seismic resistance. Unit 3 was twinned with the destroyed unit and, since it is partially included in the concrete entombment, could be affected by degradation of that structure. Moreover, no major work can be undertaken on the entombment while unit 3 remains in operation. It is also clear that the area of ground containing several tons of core debris can only be isolated once both units are decommissioned.

The position of the European partners, and notably of France, is consequently that a decision on the decommissioning of units 1 and 3 is urgent, and that no attempt should be made to restart unit 2, as the Ukrainians had intended. Following further international discussions, Ukraine undertook in April 1996 to shut down the two units still operating on the Chernobyl site before the end of the century.
21.6. Lessons drawn in France

While it is important to lose no time in drawing the main conclusions from accidents on this scale, undue haste is unwise. Detailed technical data became available only gradually, and not all of it has yet been released. We can nevertheless summarize the lessons drawn in France.

From the purely technical standpoint, the specific design features of the RBMK reactors are too different from those of our own reactors for a direct transposition to be meaningful. All our reactors are equipped with fully automatic, fast-acting emergency shutdown systems. The gas-graphite reactors, no longer in service, were not water-cooled and had no positive void effect. The fast breeder reactors, which in very exceptional circumstances, when the sodium coolant temperature exceeds the maximum normal operating temperature by several hundred degrees, can exhibit a slightly positive void effect, are equipped with multiple scram systems designed to deal with this phenomenon under satisfactory reliability and safety conditions. In addition, in compliance with defense in depth requirements, a power excursion related to sodium boiling is included in the containment design basis for these reactors. The light water reactors are not concerned by this phenomenon within their operating range.

We have already mentioned the complementary study program undertaken by EDF, Framatome and IPSN on reactivity accident possibilities not envisaged when the reactors were designed. It led to the identification of a potentially worrying accident sequence, described in Chapter 16. The program was followed by a reassessment of all the reactivity accident studies previously performed, with a view to checking their consistency and completeness by determining the available margins (study of fast withdrawal of two or three control rods rather than just one) and identifying new sequences in the different operating configurations and accident situations.

As regards staff training and the organization of work, the Soviet Union would not appear to have been as thorough as the Western countries in drawing conclusions from the Three Mile Island accident. In France, with the present operator training provisions, the required constant presence of the safety engineer during special tests, and the appraisal and authorization procedures for non-routine testing, it seems reasonably safe to think that an accumulation of events such as occurred at Chernobyl would be averted.
It has been seen that a change of timetable disturbed part of the test conditions, modifying the xenon buildup and hence the reactivity margin. The effects of changes to the planned order of activities can be extremely variable: two activities which are incompatible, at least with regard to the technical operating specifications, could become simultaneous. Prudence in this respect is important in all situations, but especially in the organization of outages. Studies have notably been undertaken to investigate the material and human possibilities of operating with protection systems blocked, and to examine observed cases of failure to comply with the technical operating specifications, with a view to determining the causes and defining suitable corrective measures.
But it is in more general fields that the main lessons of Chernobyl are to be found. We are led, for example, to consider from a more practical standpoint the management of a site comprising several units, one of which has been the scene of an accident. More generally, every aspect of post-accident management raises pertinent questions for us too. The scale of the provisions to be made after such an accident is huge, whether for fire-fighting in a highly radioactive environment, for the evacuation of large numbers of people, for the treatment of acute radiation sickness cases, for the containment of the radioactive release, or for widespread decontamination operations, food chain monitoring programs and programs of continued medical checks on the populations concerned. Finally, in an important field not necessarily related to technical aspects, that of informing the general public and of communication in general, the difficulties encountered have given rise to discussions on the necessity of transparency in all circumstances.
21.7. Informing the general public and communication

In the few days immediately following the Chernobyl accident, and even more so in the following months, it became evident that the general public, and those responsible for informing them, had great difficulty in distinguishing clearly between major and lesser events, between accidents and the routine nonconformances which occur in nuclear power plants and are reported. The selection criteria for safety-related events or significant incidents, discussed in the next chapters, are mainly oriented towards the identification of precursor incidents and potential consequences; non-specialists cannot use them directly to assess observed events. The High Council for Nuclear Safety and Information suggested that a severity scale be defined which would be easy to understand and use, enabling incidents to be classified according to factual criteria. A working group was organized for the purpose by the DSIN, comprising journalists and representatives of EDF and IPSN. A classification system was proposed, based on the principle of the seismic scales and known as the severity scale for nuclear power reactor incidents and accidents. This scale is obviously not intended to replace the safety analysis criteria. It is simply an additional, independent tool designed to facilitate communication with non-specialized media.
A six-level scale was adopted, providing a sufficiently accurate picture without excessive detail. The severest accidents are at the top of the scale: the three upper levels cover the different types of accident and the three lower levels cover incidents. The distinction between incidents and accidents depends, wherever possible, on whether or not authorized limits have been exceeded. The idea was taken up by the OECD and the IAEA which, after international discussion, proposed the International Nuclear Event Scale (INES). It is very similar to the French scale. The main difference is the splitting of the fifth level into two separate levels, to stress the difference between an accident such as Three Mile Island, where the potential risk for the population was high but there was no significant release, and an accident requiring implementation of emergency plans to meet health protection requirements. The latter must in turn be distinguished from disasters such as the Chernobyl accident where, despite the exceptional measures taken, the health consequences were highly significant. In 1994, after the trial implementation of the international scale, the original French scale was abandoned. Vigilance is nevertheless necessary to ensure that INES remains simply a tool for informing the outside world and is not used as a safety indicator for the various installations, which would seriously compromise the objectivity of the classifications.
21.8. After Chernobyl

In conclusion, the Chernobyl accident provides no grounds for contesting the basic safety principles adopted for nuclear power plants in the Western countries. But if it can be said that the Three Mile Island accident turned the core meltdown of the design codes into reality, the Chernobyl accident transformed fission product release formulae and atmospheric diffusion charts into human tragedies, and then into battles between specialists and deep political indecision throughout an entire continent. It also made further safety progress necessary in all plants throughout the world. Nothing will ever be quite the same again.
22
General operating rules
The frequently catastrophic scenarios referred to throughout this document are obviously not daily happenings in nuclear power plants. Plant design and construction play a major role in preventing such situations, but operating conditions, and the permanent confrontation between what was anticipated at the design stage and what is accessible to everyday experience, form the second indispensable element of safety. Far more than design and construction, plant operation is deeply influenced by man and human factors, which introduces an additional variable. The safety authorities therefore look very closely at everything related to operation, which, just as for design and construction, in no way lessens the liability of the operating utility. The latter is required:
• to prevent incidents by maintaining the design basis safety level of each plant, notably by:
  - respecting the operational limits and conditions in all operating activities
  - maintaining and checking the availability and reliability of safety-related equipment by:
    • periodic testing
    • preventive or corrective servicing (maintenance)
    • requalification after repair
• to manage incident and accident situations occurring within design basis circumstances, using notably:
  - detection of the slightest discrepancy between operating conditions and the authorized operating range
  - elaboration and implementation of incident and accident procedures, and preparation for severe accident management
  - the On-site Emergency Plan, providing for on-site organization and for the interface between the plant concerned and outside emergency teams in the event of a highly disturbed situation
• to improve plant safety levels in operation:
  - by correcting any design, construction or operating defects evidenced by operating feedback or other safety data sources
  - by promoting good operating practice.

This and the following chapters deal with these different aspects of safety and the corresponding assessments which, owing to the very large number of French plants in service, now tend to outweigh the other activities of both the operators and the safety authorities. Mention must be made of inspection activities, directed as regards safety by the DSIN and shared with the DRIRE. The purpose of these inspections is to check that actual plant operation concurs with the commitments and liabilities of the operating utility in this respect. The IPSN engineers assigned to monitor the plant, or their specialists, prepare these supervisory inspections with the inspectors, at the inspectors' request, to identify the main concerns in the envisaged inspection area. They may even take part in the inspection, but only as technical advisers to the inspectors. The IPSN also follows the results obtained and analyses the operator responses.
22.1. General operating rules The safety studies covered by the first 21 chapters of this document enable definition of technical and organizational provisions such as to ensure the safe operation of the installations concerned. However, these are not directly usable in daily plant life. They have to be reformulated as practical reference documents for both operating, surveillance and maintenance personnel. These documents are known as the general operating rules. These rules reflect the different levels of the defense in-depth concept which underlies both operating and design safety. At the outset, the general operating rules were included in the Intermediate and Final Safety Analysis Reports. It was then decided in 1973 that they should constitute a separate document which would be easier to manage and update than safety reports. The plant unit authorization decrees specify that draft general operating rules must be appended to the intermediate and final safety reports and be submitted to the approval of the Ministry for Industry when the fuel loading permit is granted and prior to commissioning.
22.1.1. Contents of the general operating rules The nine chapters of this document concern safety, quality and radiation protection.
22 - General operating rules
321
A first group of chapters deals with operating organization (Chapter 1), operating quality organization (Chapter 2), operating instruction management procedures (Chapter 8). These are the prerequisites for safe operation, in a context where precompiled procedures are used by personnel complying with well-defined skill and training requirements and where responsibility sharing is explicit. A second group concerns radiation protection organization (Chapter 4) and radioactive effluent release procedures (Chapter 5). They are based on general regulatory texts on radiation protection and on the effluent release permits specific to each site. We then come to the Technical Operating Specifications (Chapter 3) dealing with normal operation and defining the conditions to be observed to keep the plant in a safe configuration, consistent with the design provisions and the first level of defense in-depth. The periodic test and inspection programs (Chapter 9) correspond to the second level of defense in-depth: holding the plant within the authorized operating limits. Emergency procedures (Chapter 6) and the On-site Emergency Plan (Chapter 7) correspond to the third and fourth levels. In what follows, we shall focus particularly on the latter three groups.
22.1.2. Limits of the general operating rules

These rules do not cover matters pertaining solely to the protection of the installation as a generating tool. Nor do they deal with safety concerns which arise entirely from design and construction and require no subsequent action or checking (protection against aircraft crashes, for instance). Any rule not associated with the safety demonstration will be found in other operating or organization documents. Examples are the correct use of equipment having no safety function, the ordinary occupational safety of staff, and ways of improving plant availability and service life. Experience shows, however, that the boundary is not always easy to define: the frontier between what is safety-related and what is not is, to a certain extent, conventional.

It is also noteworthy that the general operating rules do not include rules for the control of pressurized equipment, despite the fact that major reactor components, such as the primary and secondary systems, fall into this category. This is because there has been a special set of regulations for pressure vessels in France since the 19th century. It was adapted to the LWR main primary system by a Ministerial Order of February 26, 1974 and subsequently to the secondary system as far as the isolation and relief valves.
Elements of nuclear safety
In compliance with the specific requirements of these texts, stringent and precise control rules must be defined by both the plant builder and the operating authority. Since pressure vessels are traditionally managed in France by a specialized department of the Ministry for Industry, these documents remain apart.
22.1.3. Regulatory status of the different chapters

The nuclear plant authorization decrees specify that, before they can be applied, the general operating rules require the approval of the Ministry for Industry in the context of fuel loading and commissioning permits. It is moreover specified that these rules must be kept updated in conformity with the installation concerned and that waivers with respect to certain chapters may only be granted by the DSIN. The chapters on organization consist of recapitulative documents, laying down principles. Far more detailed documents are available on the plant sites and in the various other facilities of the operating utility. The principles are examined by the safety authorities. Application of these principles and the corresponding detailed internal procedures may be the subject of inspections in the context of plant surveillance, notably with regard to quality organization. Certain organizational aspects are currently the subject of more detailed analyses, based this time on very specific documents. These include, for example, discussion of the constitution of the operating teams, with a view to checking that appropriate means are provided to enable the operators to respond efficiently in the event of an accident, whatever its time of occurrence. The operating team changes related to the creation of a chief reactor operator post and the decision whereby safety engineers had to be on-call at home outside working hours were also analyzed. Another example would be the training programs for various staff whose functions are safety-related. Regular updating of these documents is required. The Technical Operating Specifications are included in their entirety in the general operating rules and are the subject of detailed analysis. These specifications may not be modified, even provisionally, without the prior approval of the DSIN, after analysis of the IPSN. Waivers require prior approval further to application.
All instances of operation outside the authorized range are considered to be "safety-related events" or "significant incidents"*.
* Both these terms are defined in Chapter 23.
22 - General operating rules
The periodic test and inspection programs for safety-related equipment are only outlined in the general operating rules and their analysis is based on more detailed documents discussed in section 22.3. This is also the case for incident and accident operating procedures, discussed in section 22.4.
22.2. Technical Operating Specifications

On the basis of the design studies, limits are determined within which the plant must be held for an incident or accident situation to remain within the bounds of the scenarios analyzed, the radiological consequences of which were deemed acceptable. For operating purposes, these limits have to be expressed in terms of authorized range. This then implies:
• restricting the normal operating range so as to ensure that the plant will remain within limits compatible with a barrier response which is consistent with the accident analysis scenarios used to design the protection and engineered safeguard systems
• specifying the availability of control, protection and engineered safeguard systems under all normal plant conditions, so that equipment required for application of incident or accident procedures will be effectively ready for use
• determining set responses to unavailability of a component or system normally required in a given plant configuration or in the event of abnormal variations in a safety-related parameter.

The Technical Operating Specifications comprise a set of documents defining these limits in terms directly usable under normal plant operating conditions*. Their strict application is devised to guarantee correct operation of safety-related systems and preclude severe core degradation in the event of an accident.
22.2.1. Detailed contents of the technical operating specifications

In the light of operating feedback, the form and presentation of the technical operating specifications are being modified to facilitate their use. The items listed below are consequently only for guidance.

* They consequently do not apply to incident or accident operation, where safety is guaranteed by observance of specific procedures. However, parameters and systems not explicitly covered by these procedures must be maintained within the authorized limits.
The first part of the document presents:
• the requisite definitions
• the safety limits (design basis limits for parameters such as: thermal power, neutron flux, flow rates, pressures, temperatures and levels, which may not be overstepped under normal operating conditions)
• the protection system adjustment values (when a threshold or series of thresholds is overstepped, an automatic action ensures that the safety limits will not be infringed)
• the limit operating conditions for the different defined reactor states, together with their justifications and the relevant reference documents.

The second part consists of a series of tables concerning:
• definition of plant unit operating ranges, comprising one or several standard reactor states, and the equipment and functions which are indispensable in each case
• the reactor trip thresholds, the parameter values below which scram is inhibited if the plant condition so requires*
• the safeguard system startup thresholds and inhibition values, the safety valve set pressure thresholds
• how to deal with the unavailability of a safety-related system or item of equipment
• how to deal with an accumulation of unavailabilities
• the periodicity of certain preventive maintenance operations
• how to deal with an increase in the radioactivity level of the primary system water.

Several of the notions referred to in the technical operating specifications require explanation.
22.2.1.1. Standard states

Each plant operating range covers one or several "standard states" defined by the combination of conditions as to reactor power level, core reactivity and the means of controlling it, primary system mean pressure and temperature values and, possibly, the primary system water level. There are now thirteen such states, which cover situations where all fuel has been unloaded and very specific conditions such as those involving notably an open primary system.

* For example, if a pressure drop in the primary system must automatically trigger the safety injection system if the reactor is power operating, this action must be inhibited if the reactor is shut down, so that the pressure can be deliberately lowered to match pressure and temperature conditions adapted to the residual heat removal system or to enable corrective actions with the closure head off.
The main states are as follows (fig. 22.1), the numerical values being noted only for guidance:

1. Cold shutdown for refueling: the reactor cavity above the core is filled with borated water (2000 ppm of boron), the closure head has been removed from the vessel, the primary system is at atmospheric pressure and at a temperature of between 10 and 70 °C.
2. Cold shutdown for primary system servicing with the core loaded: the pressure and temperature conditions are the same as above but the reactor cavity is empty, so that the primary system water level can be lowered to around the primary piping mid-height, thus enabling notably the installation or removal of nozzle dams (SG cover plates) at the junction between the primary loops and the steam generator channel heads*.
3. Normal cold shutdown: the primary system is closed, water-filled and its pressure may reach 31 bar and its temperature 90 °C.
4. Intermediate shutdown with RHR valved in: the primary water temperature may reach 180 °C and the pressure 31 bar; without the pressurizer steam blanket, the pressure has to be controlled by the RHR system.
5. Intermediate shutdown under RHR conditions: in this case, conditions are as above except that the pressurizer is available for pressure control; the reactor can be cooled either by the RHR system or by one or several steam generators.
6. Intermediate shutdown with RHR valved out: the mean primary water temperature is between 160 and 297.2 °C, its pressure between 31 and 155 bar, with the mean pressure and temperature match remaining within the specified range (cf. Section 22.2.2).
7. Hot shutdown (at zero power): the reactor is subcritical by at least 1000 pcm; mean primary system pressure and temperature conditions are compatible with reactor restartup.
8. Hot standby: conditions corresponding to those of reactor power buildup to 2% of nominal, with the reactor critical.
9. Power operation at between 2% and 100% of rated power.
For each standard state, the specifications provide a control rod position specification, a list of safety-essential equipment or systems, chemical specifications for the fluids involved, etc. When one of the safety components or systems becomes unavailable or is found to be unavailable during routine testing, the reactor operating conditions have to be modified accordingly within a specific time period. The technical operating specifications stipulate in each case the required new reactor configuration (fallback mode) and the time allowed for this to be obtained in the event of failure to repair and requalify the system concerned.

* A diagram will be found in the next chapter (fig. 23.3) showing the position of these cover plates, which once installed enable steam generator tube inspection without unloading the core.
22.2.1.2. Fallback modes and authorized time allowances

A fallback mode state is that which can be obtained and maintained under optimum safety conditions, taking unavailability and initial plant conditions into account. This notion obviously does not concern unavailabilities which directly trip the reactor. For instance, unavailability of the power supply to the control rod latch mechanism will cause the gravity dropping of the rods, since they are no longer held in place. Interruption of the power supply to a primary pump, with the reactor power operating, also results in reactor shutdown by control rod insertion, but in this case induced by the reactor protection system*. In the other cases, the technical operating specifications define a fallback mode selected from the standard states, together with a time allowance based, in particular, on an estimation of risk escalation due to the unavailability. The choice of a fallback mode involves two aspects:
• there are one or several standard states where the failed equipment or system is unnecessary or, at least, is less important for safety
• transition from the initial state to the fallback mode uses only normal operating procedures.

The transition times are mainly estimated with engineer acumen, taking two additional factors into consideration:
• the time allowance must be compatible with realistic time requirements for minimum corrective action. If the time allowance is insufficient for repair work to be undertaken, it would be better to specify immediate shutdown
• on the other hand, continued operation with unavailability problems should not be authorized for too long a period with respect to realistic repair times, since the operator should be discouraged from leaving the plant unit in a degraded condition.
We have seen that probabilistic safety studies can be used to assess acceptable theoretical time periods, but the conclusions reached must be used with caution, taking the above two factors into consideration. We have also mentioned that the calculation method presented only takes into account incrementations in the calculated probability of core meltdown under power operation conditions, but not under fallback mode conditions nor under those characterizing the fallback mode transit period. Any reassessment of fallback modes and of the authorized time allowance to reach them could consequently not be undertaken before shutdown safety improvements have been fully defined, implemented on the plants and integrated in the probabilistic studies.

We give below an example of fallback mode states and time allowances and their relationship with plant design. The 1300 MWe plant auxiliary feed water system has two motor-driven pumps and two turbine-driven pumps. A 3-day unavailability of any one of these pumps is tolerated under power operation conditions and the specified fallback mode is intermediate shutdown under RHR conditions, with cooling by the RHR system. For the 900 MWe plants, where the auxiliary feedwater system has two motor-driven pumps, but only one turbine-driven pump, a 3-day unavailability of a motor-driven pump is tolerated as in the previous case, but turbine-driven pump unavailability is restricted to 24 hours. The specified fallback mode is as before.

* The latter situation results from the EDF decision never to operate with a primary loop inactive.
22.2.1.3. Cumulative unavailability

We have so far only discussed unavailabilities taken individually, but several unavailabilities could be identified simultaneously. The technical operating specifications indicate how to deal with cases where two particularly important systems are affected by these unavailabilities. These could be, for instance, different safety injection trains, containment spraying, the heat sink, systems linking the heat sink to user systems, off site power sources and diesel generators. Cumulative unavailability is dealt with using a dual input control board which identifies the corresponding fallback modes and time allowances. These times are often fixed at 24 hours but may be only 6 hours when one of the unavailabilities concerns access to the main power source. The relevant fallback mode states will be either intermediate shutdown under RHR conditions or cold shutdown. For example, if, on its own, the failure of a 1300 MWe unit auxiliary feedwater system pump may be tolerated for three days, under power operation conditions, such a failure is not acceptable for more than 24 hours concurrently with the failure of a mean or low head safety injection pump. This allowance is reduced to 6 hours in the event of the initial failure being compounded by the unavailability of the step-down transformer supplying the safety systems via the power transmission line.
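The fallback mode logic of Sections 22.2.1.2 and 22.2.1.3 can be written down as a small resolver, which makes the "most restrictive applicable row wins" behaviour explicit. The following is an added example, not EDF's technical operating specifications: the rule rows are hypothetical and are assembled only from the figures quoted in the text (3 days for one 1300 MWe auxiliary feedwater pump, 24 hours when combined with a safety injection pump, 6 hours when combined with loss of the step-down transformer, 24 hours for the single 900 MWe turbine-driven pump). Rows and fallback states marked "assumed" in the code are not stated in the text, and the choice to start a combined allowance from the moment the second system fails is likewise an assumption of this example.

```python
"""Fallback mode and time allowance resolution for single and cumulative
unavailabilities. Added example: the rule rows are hypothetical, built from
the figures quoted in the text, and are not EDF's actual specifications."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, List, Optional

RHR_SHUTDOWN = "intermediate shutdown under RHR conditions"
COLD_SHUTDOWN = "cold shutdown"


@dataclass(frozen=True)
class Rule:
    """One row of the control board: the unavailable systems it covers,
    the fallback state to reach and the time allowed to reach it."""
    systems: frozenset
    fallback: str
    allowance: timedelta


@dataclass(frozen=True)
class Unavailability:
    system: str
    since: datetime  # when the unavailability was identified


@dataclass(frozen=True)
class Decision:
    rule: Rule
    clock_start: datetime  # when the covered combination came into existence
    deadline: datetime     # latest time by which the fallback state must be reached


# 1300 MWe unit at power; figures from the text, "assumed" rows added for completeness.
RULES_1300: List[Rule] = [
    Rule(frozenset({"AFW pump"}), RHR_SHUTDOWN, timedelta(days=3)),
    Rule(frozenset({"SI pump"}), RHR_SHUTDOWN, timedelta(days=3)),  # assumed
    Rule(frozenset({"AFW pump", "SI pump"}), RHR_SHUTDOWN, timedelta(hours=24)),
    Rule(frozenset({"AFW pump", "step-down transformer"}), COLD_SHUTDOWN,
         timedelta(hours=6)),  # fallback state assumed
]

# 900 MWe unit at power: two motor-driven AFW pumps, one turbine-driven pump.
RULES_900: List[Rule] = [
    Rule(frozenset({"motor-driven AFW pump"}), RHR_SHUTDOWN, timedelta(days=3)),
    Rule(frozenset({"turbine-driven AFW pump"}), RHR_SHUTDOWN, timedelta(hours=24)),
]


def resolve(unavailabilities: Iterable[Unavailability],
            rules: Iterable[Rule]) -> Optional[Decision]:
    """Pick the most restrictive applicable row (earliest deadline).

    A row applies once every system it names is unavailable. Its clock starts
    when the last of those systems failed (assumption: that is when the
    combination exists). Single-system rows stay in force, so a combination can
    never extend a deadline that is already running."""
    down = {u.system: u.since for u in unavailabilities}
    best: Optional[Decision] = None
    for rule in rules:
        if not rule.systems.issubset(down):
            continue
        start = max(down[s] for s in rule.systems)
        deadline = start + rule.allowance
        if best is None or deadline < best.deadline:
            best = Decision(rule, start, deadline)
    return best


def hours_remaining(decision: Decision, now: datetime) -> float:
    """Hours left before the fallback state must be reached (negative if overdue)."""
    return (decision.deadline - now).total_seconds() / 3600.0


def uncovered(unavailabilities: Iterable[Unavailability], rules: Iterable[Rule]) -> List[str]:
    """Systems no row mentions at all: the board is silent on them, which is a
    finding to escalate rather than a licence to continue."""
    known = set().union(*(r.systems for r in rules))
    return sorted(u.system for u in unavailabilities if u.system not in known)


def demo_1300() -> List[tuple]:
    """Constructed scenario: successive findings on a 1300 MWe unit at power.
    Returns (fallback state, hours from t0 to the deadline) after each finding."""
    t0 = datetime(2024, 1, 1, 0, 0)
    afw = Unavailability("AFW pump", t0)
    si = Unavailability("SI pump", t0 + timedelta(hours=12))
    tr = Unavailability("step-down transformer", t0 + timedelta(hours=20))
    out = []
    for found in ([afw], [afw, si], [afw, si, tr]):
        d = resolve(found, RULES_1300)
        out.append((d.rule.fallback, hours_remaining(d, t0)))
    return out


def demo_900() -> float:
    """Constructed scenario: the single turbine-driven pump of a 900 MWe unit."""
    t0 = datetime(2024, 1, 1, 0, 0)
    d = resolve([Unavailability("turbine-driven AFW pump", t0)], RULES_900)
    return hours_remaining(d, t0)
```

In the constructed scenario the deadline moves from 72 hours (pump alone) to 36 hours (pump plus safety injection pump, counted from the second failure) and then to 26 hours (transformer lost at hour 20 plus a 6-hour allowance), with the fallback state changing accordingly; the resolver also reports systems that no row covers, so that silence in the table is visible rather than silently tolerated.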
22.2.2. Mean primary pressure and temperature range

Figure 22.1 indicates the mean primary pressure and temperature limits for different reactor states. The technical justification data below shows how an authorized operating range is derived from design options. Maintaining a mean pressure-temperature match in the primary system guarantees observance of the safety limits associated with the second barrier.
Fig. 22.1. 1300 MWe standard state mean pressure and temperature ranges.
In particular:
• observance of the [Psat, (Tsat - 30 °C)] limit leaves an adequate operating range for the pressurizer and precludes boiling in the rest of the primary system
• observance of the [Psat, (Tsat - 110 °C)] limit restricts the maximum temperature difference between pressurizer and primary system hot leg, thereby minimizing fatigue on the pressurizer and on the surge line between the pressurizer and one of the hot legs, since water motion in the surge lines is frequent during cold and hot shutdown transitions and power transients
• observance of the [(Psat + 110 bar), Tsat] limit precludes a pressure difference between primary and secondary systems exceeding 110 bar, which is the maximum steam generator design basis value
• observance of the state 6 (intermediate shutdown with RHR valved out) lower temperature limit (160 °C) maintains a margin with respect to the vessel metal NDTT* at end-of-life for a pressure of 172.3 bar (pressurizer relief valve opening threshold). Below this temperature, primary system cooling and protection against overpressures is provided by the residual heat removal system (RHR)
• the lower temperature limit (120 °C) of intermediate shutdown under RHR conditions is a value below which the pressurizer steam blanket cannot be maintained.

Other pressure or temperature values derive from technological limits, the justification data for which is summarized below:
• the RHR system must not be connected to the primary system above 31 bar in order to ensure an adequate margin with respect to the primary system safety valve set pressure threshold (35.5 ± 1 bar)
• the reactor coolant pumps may not be kept operating below 25 bar (this value is 27 bar for primary water temperatures exceeding 160 °C)
• satisfactory operation of the control rod latch mechanisms is not guaranteed below 4.5 bar
• boric acid crystallization will be avoided with a sufficient margin if the water temperature exceeds 10 °C, with a 2000 ppm boron solution
• operation of at least one reactor coolant pump is no longer required below 70 °C
• 90 °C is the maximum temperature compatible with primary system venting without inducing evaporation hazards after shutdown for refueling or servicing.
* Nil Ductility Transition Temperature, below which the metal becomes embrittled and is liable to fast fracture in the event of a defect compounded by a sharp pressure buildup. This temperature, initially below 0 °C, increases under the effect of neutron irradiation due to accumulated damage to the crystal lattice.
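The pressure-temperature match of Section 22.2.2 is the kind of limit an operator or a monitoring function would want to check automatically against measured values. The following is an added example, not code from the book or from EDF: the three bracketed limits are turned into inequalities according to one reading of the text (mean temperature at least 30 °C and at most 110 °C below the saturation temperature for the mean pressure; pressure at most 110 bar above the saturation pressure for the mean temperature), which is an assumption of this example; the saturation curve is a coarse constructed table of approximate steam-table points with linear interpolation, adequate for illustration but not for real plant use; the state 6 window and the equipment limits (RHR at 31 bar, reactor coolant pumps at 25/27 bar, rod latches at 4.5 bar) are the values quoted in the text.

```python
"""Mean primary pressure/temperature envelope check for a 1300 MWe unit.
Added example: the inequalities are one reading of the bracketed limits in
the text, and the saturation table is a coarse constructed approximation."""
import bisect
from typing import List

# Water saturation points (°C, bar): approximate steam-table values,
# constructed for this example; values between them are linearly interpolated.
SAT_TABLE = [(10, 0.012), (50, 0.124), (100, 1.014), (150, 4.76),
             (200, 15.55), (250, 39.76), (300, 85.88), (350, 165.3)]
_T = [t for t, _ in SAT_TABLE]
_P = [p for _, p in SAT_TABLE]


def _interp(x: float, xs: List[float], ys: List[float]) -> float:
    """Piecewise-linear interpolation, clamped at the table ends."""
    if x <= xs[0]:
        return ys[0]
    if x >= xs[-1]:
        return ys[-1]
    i = bisect.bisect_right(xs, x)
    x0, x1, y0, y1 = xs[i - 1], xs[i], ys[i - 1], ys[i]
    return y0 + (y1 - y0) * (x - x0) / (x1 - x0)


def psat(t_c: float) -> float:
    """Saturation pressure (bar) at temperature t_c (°C)."""
    return _interp(t_c, _T, _P)


def tsat(p_bar: float) -> float:
    """Saturation temperature (°C) at pressure p_bar (bar)."""
    return _interp(p_bar, _P, _T)


def envelope_violations(p_bar: float, t_c: float) -> List[str]:
    """Pressure-temperature match limits that (p, t) breaks.

    Reading used here (assumption of this example):
      [Psat, Tsat - 30 °C]   -> mean temperature at least 30 °C below Tsat(P)
      [Psat, Tsat - 110 °C]  -> mean temperature at most 110 °C below Tsat(P)
      [Psat + 110 bar, Tsat] -> pressure at most Psat(T) + 110 bar
    """
    found = []
    subcooling = tsat(p_bar) - t_c
    if subcooling < 30:
        found.append("subcooling margin below 30 °C (boiling risk outside pressurizer)")
    if subcooling > 110:
        found.append("pressurizer/hot leg temperature difference above 110 °C")
    if p_bar > psat(t_c) + 110:
        found.append("primary/secondary pressure difference above 110 bar")
    return found


def state6_violations(p_bar: float, t_c: float) -> List[str]:
    """State 6 (intermediate shutdown, RHR valved out): 160 to 297.2 °C and
    31 to 155 bar, on top of the envelope above."""
    found = envelope_violations(p_bar, t_c)
    if not 160 <= t_c <= 297.2:
        found.append("temperature outside 160-297.2 °C")
    if not 31 <= p_bar <= 155:
        found.append("pressure outside 31-155 bar")
    return found


def technological_violations(p_bar: float, t_c: float, rhr_connected: bool = False,
                             rcp_running: bool = False, rods_latched: bool = False) -> List[str]:
    """Equipment-driven limits quoted in the text, applied to the current line-up."""
    found = []
    if rhr_connected and p_bar > 31:
        found.append("RHR connected above 31 bar")
    rcp_min = 27 if t_c > 160 else 25  # higher floor above 160 °C
    if rcp_running and p_bar < rcp_min:
        found.append(f"reactor coolant pump running below {rcp_min} bar")
    if rods_latched and p_bar < 4.5:
        found.append("rod latch mechanisms below 4.5 bar")
    return found
```

With the constructed table, 155 bar and 300 °C sits inside the envelope, 155 bar and 330 °C fails only the 30 °C subcooling margin, and 155 bar and 200 °C fails both the 110 °C pressurizer/hot leg limit and the 110 bar primary/secondary limit, which is the situation the pressure-temperature match is meant to exclude during cooldown.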
22.2.3. Appraisal of the technical operating specifications

Appraisal of the technical operating specifications by the safety authorities is a lengthy, continuous process. At the outset, French nuclear plants were operated using adapted technical specifications provided by the licenser, Westinghouse. They concerned power operation and dealt only with the protection and engineered safeguard systems. How to deal with cases of equipment unavailability was only determined after the Three Mile Island accident, with the definition of fallback modes. Later on, operating experience in France and abroad showed that safety in shutdown situations implied systematic analysis of available equipment requirements in these situations. This work culminated in 1986 with the adoption of technical specifications for states where the primary fluid temperature was below 90 °C. A systematic physical analysis has still to be performed for intermediate shutdowns. This requirement has already been referred to in connection with the probabilistic assessments concerning this condition. The most delicate situations, such as those where the primary system water level is lowered to around mid-height of the main primary piping (mid-loop operation), have long been the subject of special instructions and require the explicit prior consent of the DSIN. We shall come back to this subject in the next chapter (23.3). Post-accident studies and detailed analysis of incident and accident operating procedures have also led to extension of the technical operating specifications to the measuring equipment required for diagnosis, determination of the appropriate procedure, follow-up of its implementation and review of the results obtained. Specifications were also provided for complementary systems such as ventilation, fire protection and radioactivity monitoring. It is important to ensure that systems contributing even indirectly to plant safety may not remain unavailable indefinitely.
Requests for waivers highlight the difficulties encountered by the operating authorities in applying these technical specifications. They are an efficient means of detecting ambiguous or inapplicable instructions, which can then be corrected, but also cases where the operating mode or the plant itself must be modified to respect a principle in the technical specifications which it is felt should not be altered. In order to allow operating personnel to become well acquainted with the technical operating specifications, these documents must not be subject to over-frequent changes. They are consequently revised only every two or three years. As already mentioned, EDF has presented a new version of the technical operating specifications, designed to facilitate their application. The modified form and contents were favorably received, but it is only after a few years of actual use that it will be possible to form a valid opinion as to their efficiency.
22.3. Initial and periodic tests

The periodic testing of safety-related items of equipment is an additional means of ensuring their availability, thus contributing to the second level of defense in-depth. This is the subject of Chapter 9 of the general operating rules. The periodic tests mentioned concern safety-related equipment and systems, excluding pressure vessels, which, as previously explained, come under inspections defined elsewhere, and auxiliary systems operating continuously in the same configuration as they would have in an incident or accident situation. Periodic testing contributes to ensuring:
• that the characteristics of systems or equipment are not impaired with respect to the design basis values
• that accident analysis assumptions are adhered to in all circumstances (these values often differ from rated operating values)
• that equipment and systems are available,
  - whether those having a protection or safeguard function and their corresponding auxiliaries
  - or those required for the implementation of emergency procedures.

Each safety-related system is the subject of an exhaustive analysis to determine the tests required to provide an adequate guarantee of equipment availability and ability to fulfill its function. This analysis also checks consistency between the initial demonstrations of system functional capacities carried out during the construction and startup of the first unit of a standardized reactor series, the startup tests systematically performed for each plant unit and the periodic tests aimed at ensuring the durability of these characteristics. For equipment or systems concerned, this analysis forms the basis of periodic test rules defining the conditions under which each test must be performed, the associated acceptability criteria (expected and acceptable values) and the intervals between test series. These requirements are listed in a table constituting the general periodic test program.
The table and rules form Chapter 9 of the general operating rules and are submitted to the approval of the safety authorities.
The test sequences, which are documents used directly by those performing the periodic tests, are prepared by plant staff using the test rules and taking into account the specific features of each installation. Each maintenance worker has his own copy on which he notes results and which can then be used as a test report.
22.3.1. Startup tests

It may be objected that the startup tests should be discussed elsewhere, since they are not included in the general operating rules, but we have already mentioned the link between periodic and startup tests. Before the initial plant startup, it has to be checked that equipment and system characteristics and performances are as expected. These tests on separate items of equipment and then on more and more complete systems raise no particular problems for the checking of normal operation characteristics. The difficulties arise when we have to check the behavior of engineered safeguard systems under accident conditions. It is obviously out of the question to induce a guillotine break in primary piping at 155 bar to see whether the safety injection delivery rates are as estimated. Similarly, it would be unthinkable to flood the reactor building by putting the containment spray system into operation. Compromises have consequently to be found between what is possible and what is appropriate and means devised to obtain the necessary data, even indirectly. The successive tests to be carried out on each system are defined by the operating utility, which provides an analysis of test exhaustiveness for safety-related equipment. This implies drafting about a hundred system test principle programs, together with about fifteen test procedures for each program. Each test must then be sequenced in the various plant unit startup stages.
These documents and programs are analyzed by the safety organizations to check that the operating utility has satisfied requirements as to:
• identification of all operating configurations for the system concerned, in normal and accident situations, with and without unavailability, in the context of what is authorized by the technical operating specifications or postulated by the single failure criterion
• determination for each system configuration of the corresponding functional requirements (minimum flow rate, maximum flow rate, authorized variation ranges, etc.)
• definition of the functional requirements for each item of equipment (opening under a maximum functional pressure differential, closing under full flow rate, etc.)
• projection of the requirements thus defined to test conditions.

For safeguard systems, since most of the requirements are derived from accident configurations which cannot be simulated, transpositions and correspondences have to be devised. For example, LHSI pumps and accumulators are tested with the closure head off, which corresponds to a situation with the primary system totally depressurized. This enables pump operation and maximum flow rate to be checked, with allowance for the pressure drops characterizing such conditions. As regards the containment spray system, we use a temporary piping rig returning the water to the containment sumps, which provides a means of testing the system pumps, but in only one accident situation. Circulation through the spray nozzles, which are obturated during the flow rate tests on the rest of the system, is checked by compressed air flow metering. Of course, the tests specified by the pressure vessel regulations, such as buildup to 33% above design pressure, i.e. 228 bar (this is known as the primary system hydrotest) or the 4-hour holding time at 165 bar with a fully reported leak check, are integrated in the startup test programs.

An IPSN representative is on the site throughout the startup tests. He is not present as an inspector, but as an analyst. His inclusion in the local startup teams saves time during the program and procedure appraisal period. He checks correct sequencing of the tests in the different plant unit startup test stages, examines results and ensures that overall progression is keyed to satisfactory results. His presence and participation in the site test commissions facilitates the transmission of intermediate reports.
22.3.2. Periodic tests

Further to the initial startup checks, the purpose of the periodic tests is to confirm that the requisite equipment and system characteristics are maintained. The periodic test programs form a contractual document included, as we have seen, in the general operating rules. It is subject to safety authority approval. The periodic tests must cover all functions contributing to safety, but must be performed insofar as possible without disturbing plant unit operation. Intervals between tests and test acceptance criteria must be such as to amply ensure that the systems will be capable of fulfilling their functions during the time lapse between two successive periodic tests. The principle is no different from that adopted for the startup tests and continuity between the two types of test is ensured by including in the startup tests a program covering the periodic tests.
At startup of the first plants, the periodic test programs provided by the licenser were approved. They have since been reviewed for the integration of operating feedback. Operating feedback is here again a most useful source of information, showing for example:
• that the failure frequency revealed by the tests is higher than expected, as also are minor breakdowns associated with incidents. Intervals between periodic tests can be adjusted accordingly in these cases
• that the tests performed are not entirely representative. The test procedures can then be modified, as was done, for instance, for the tests on the 900 MWe auxiliary feedwater supply turbine-driven pumps
• that difficulties in performing certain manual tests can cause incidents, as was the case for certain 900 MWe reactor protection system tests. A programmable controller was designed, tested and installed in these plants
• that too frequent or too stringent testing causes equipment degradation and premature aging. Programs can then be modified accordingly. A characteristic example of this concerns the diesel generators, fatigued by needless high-speed startups. Special test conditions were defined, involving "soft" startup for the diesel generator, with automatic removal of this provision in the event of a real operational load. The automatic removal feature is also tested
• that endurance tests performed by manufacturers before equipment is delivered are not always representative of plant operating conditions and the influence of other parts of a system. Incidents, of which examples are given in Chapter 26, have drawn attention to these phenomena. At the request of the IPSN, EDF included this type of test in the startup test programs for the new reactor series (N4). For plants already operating, such tests are only undertaken in the light of operating feedback.
Generally speaking, each time periodic test conditions require modification of the state of a system or item of equipment, special care must be taken, notably to ensure the removal of the temporary rigs needed for the test, which could disturb or impede correct operation of protection or safeguard systems which only operate on request. After the 1989 incidents discussed elsewhere*, EDF, at the request of the safety authority, introduced the principle of functional requalification in all cases where the different trains of protection or safeguard equipment undergo the same servicing operation during a single outage. The operating utility needs no waiver with respect to the technical operating specifications to perform the periodic tests on systems, even if these tests involve deliberate unavailability of the systems in configurations where they would normally be required. The approval of the general operating rules mentioned in Chapter 9 (Periodic test and inspection programs for safety-related equipment) is equivalent to a generic waiver for these tests. However, this under no circumstances exempts those concerned from complying with the specific rules regarding simultaneous occurrence of unavailabilities.

* Cf. Sections 24.1 and 26.6
22.4. Emergency operating procedures

The principles of emergency operating procedures covering incident and accident conditions are described in Chapter 6 of the general operating rules. This is one of the elements of the third and fourth defense in-depth levels.
22.4.1. Constitution of the operating procedures

Operating strategies and practices under incident or accident conditions are described in several documents, available to operating personnel. This separation derives from analysis of the Three Mile Island accident. The first document, the operating rule, is of a strategic, "statement of grounds", educational nature, used for training purposes. It is subject to safety authority approval (Fig. 22.2). The second, the reference operating instructions, enables transition between the operating rule and the third document, the plant unit operating instructions, to be used on a real time basis in the event of incident or accident. The reference operating instructions are based on the operating rules and itemize the actions required to implement the selected strategy. The plant unit operating instructions take account of specific characteristics (labeling, state with respect to modifications, specific levels, etc.). A special EDF directive sets the limits for discrepancies between reference operating instructions and plant unit operating instructions. The operating strategy can under no circumstances be modified locally. The reference operating instructions have been the subject of extensive simulator testing to improve their presentation and reduce risks of error. Each operator is provided with a document specific to his function in the control room (core and primary system control, secondary system control). A member of the technical supervisory staff, also provided with his own document, follows the actions of the operators and ensures coordination. When an incident or accident procedure is applied, the shift supervisor and the safety engineer closely follow reactor condition, using a special procedure based on a safety panel. They also provide alternative diagnoses and appraisals of the efficiency of measures taken. The reference operating instructions are transmitted, for information, to the safety authorities. The procedures for normal operation are not a priori subjected to DSIN consent.

Fig. 22.2. Organization of incident and accident operating documents. [Figure not reproduced; its labels run from "Strategies, principles" to "Operating practice" across three columns, "Operating rules", "Reference operating instructions" and "Plant unit operating instructions", grouped as "National reference documents" and "Plant unit documents".]
22.4.2. Procedure analysis
Analysis of incident and accident operating procedures took place in several stages, concerning first the event-oriented procedures and then the state-oriented procedures. The first stage consisted in checking:
• that the automatic operating conditions for the protection system and startup of the engineered safeguard systems were in conformity with the safety analysis report accident analyses. It must be borne in mind that these analyses are based on application of conventional penalizing assumptions. These actions contribute to diagnosis and to the choice of the procedure to be followed
• that the short-term responses required from the operators were compatible with these analyses.
The second stage came in the aftermath of the Three Mile Island accident. All procedures were modified by EDF:
• to cover a much longer accident period
• in the light of realistic physical studies
• with a view to identifying the most appropriate operating strategy for the medium and long term
• bearing in mind document ergonomics.
Assessment by the safety authorities is aimed at appraising the pertinence of these procedures as operator guides to getting a damaged unit back to a safe configuration. This examination concerns the scope of the procedure, the symptoms and data enabling selection of the appropriate procedure, the operating strategy, the interfaces with other documents relevant to control of the unaffected parts of the plant, an exhaustive list of the equipment and data sources used by the procedures, and the qualification of this equipment, including its measuring range and precision rating. This examination involves associating different sections of the general operating rules. An item of equipment required for the application of a procedure must be included in the available equipment inventory for the initial state of the plant unit affected by the accident (technical operating specifications) and feature the anticipated characteristics, notably as regards accuracy and reliability (periodic tests). The assessment thus results in a cross-check of several chapters of the general operating rules, thereby enhancing their consistency. We give below two characteristic examples of procedure upgrading. The first, dating back several years, concerns the event-oriented operating strategy to be used in the event of a steam generator tube break. Initially, primary system pressure was lowered by cooling the primary fluid, using sound steam generators together with the deliberate opening of the pressurizer letdown line. With the spring valves equipping the letdown line at that time, there was a non-negligible risk of their remaining jammed open. So the pressurizer opening solution was abandoned and primary pressure was lowered simply by cooling the primary fluid. The spring valves were subsequently replaced by SEBIM valve tandems, where the jamming open risk was not the same, but the new operating strategy, which had proved satisfactory, was nevertheless maintained. The second, which is more recent, concerns the impact on operation under accident conditions of the mediocre precision of the water level sensor presently fitted to the vessel when the level is very low (uncertainty of about 30% instead of the expected 12%). Reactor coolant shutdown conditions in these circumstances consequently had to be reexamined. This could lead to the temporary adoption of a procedure intended for more severe accident conditions than those actually experienced.
23
Incident analysis
In addition to discussing the major accidents which have occurred in the nuclear industry, we have also frequently mentioned various incidents observed in France or elsewhere. Such occurrences, even involving only minor faults, are often rich in safety lore. Very early on, EDF devised an operating feedback system, aimed primarily at improving equipment reliability. The IPSN, for its part, has since 1973 been building up and using an incident data base covering French nuclear research and power reactors. So awareness of the necessity for operating surveillance based on feedback is by no means recent. But it is the Three Mile Island accident which highlighted the full implications of these concerns. As we have already stated, it very soon became obvious that this accident could have been avoided, since it had been preceded by several precursory events, the most serious of which took place at the Davis Besse plant. Pressurizer relief valves had been left open several times on American reactors of this type. Some of these incidents had led to misinterpretation of the situations. However, owing to favorable conditions (low initial power, low residual power), they had not affected the core and had thus resulted in no release of radioactive substances. They were consequently overlooked by both operating and safety authorities and provided no input for the improvement of accident procedures and staff training. Other plants were not informed of these incidents, it being simply assumed that "no consequences = no importance". The Three Mile Island accident entirely discredited this widely held conviction. Since this accident and the ensuing analysis, the detection of precursory events has become one of the main concerns of both the operating and nuclear safety organizations. Operating surveillance and feedback were consequently reorganized with reference to this new criterion, which implies extended resources for the more conventional operating feedback topics.
It must not be forgotten that operating feedback has other functions. First of all, it is aimed at improving the level and consistency of plant safety by identifying the weakest points and devising suitable corrective measures. This can give rise to equipment modifications, to man-machine interface adaptations or to amendments to the general operating rules. It naturally has to be ensured that the planned modifications, once implemented, give the desired results, without the occurrence of any secondary effects which could be detrimental to safety. At the present time, modifications are tested on a single unit before being carried out on all the plant units concerned. It is also important to be able to detect signs of aging in safety-related equipment as early as possible. More generally, operating surveillance provides information on operating quality, which is the correspondence between the design and construction principles and assumptions and the actual behavior of both men and machines. In practice, these various topics are not considered separately. Using mixed analysis methods provides changes in perspective, producing new elements in different fields. As we know, the French context is very specific: one organization operating a large number of identical or similar reactors, of which it is the architect-engineer. At the end of 1995, thirty-four 900 MWe PWR's and twenty 1300 MWe PWR's were in service. The first 1400 MWe unit is about to start operating. Starting from initial criticality in each plant, this gives an accumulated 900 MWe unit experience of about 480 reactor-years and 1300 MWe unit experience of about 160 reactor-years, thus totalling around 640 reactor-years of experience concerning reactors which are still relatively "young" (Fig. 23.1.). The result is that we have a considerable mass of consistent data, which is a huge advantage for plant operation.
On the other hand, it is obvious that with such a system very fast identification of problems liable to occur in a whole family of plants is vital, since otherwise a very specific type of "common mode" failure could lead to national grid power supply deficiencies, which would be difficult to cope with in a country where three-quarters of the electricity comes from nuclear power plants. Likewise, any changes or modifications involving a significant percentage of the installed capacity can only be undertaken in compliance with stringent requirements and with all due precautions.
Fig. 23.1. Cumulated French operating experience as at January 1996. (Chart; vertical axis: number of reactor-years.)
Among the many activities related to operating surveillance and feedback, we shall discuss in this and the following chapters incident selection and analysis, maintenance and in-service inspection of large equipment. We shall discuss in detail a group of incidents where human factors were particularly crucial, with a view to further highlighting this very important topic, before briefly describing a number of French incidents, which were considered and dealt with as precursors of more serious events.
23.1. Incident selection
Nuclear power plants are so complex that unscheduled occurrences are frequent. These are often equipment failures which can be remedied with only minor effects on power generation. Or they may be far more spectacular, affecting the power generation turbogenerator or the steam lines and resulting in unit outages lasting several months but without impairment of radioactive product containment.
The repercussions of the latter incidents will be far greater than those of the former ones. However, it is in the first category that are generally found the most important safety-related events. Discovery during routine testing of the unavailability of an engineered safety feature, not in use during normal plant operation, is a priori more significant for plant safety than turbine unavailability. In order to ensure that nothing important escaped the safety organizations, the operators could inform them of all events from which they could select those of interest to them. But this would result in a deluge of often useless reports and accounts. In order to facilitate the task of both operators and safety organizations, it was decided to define two groups of safety-related events, of different levels of severity and to which different methods of analysis were applied, whereas all other non-safety-related incidents gave rise to no particular transfer of information.
23.1.1. Safety-related events
Presuming that the technical operating specifications comprise all instructions pertaining to the availability of plant unit safety-related equipment and to the limit values assigned to the various operating parameters, any failure of such equipment resulting in it being reported unavailable or any overstepping of a threshold is considered to be a "safety-related event". This definition is fairly straightforward for the operators, since they have to monitor both this equipment and these parameter values in any case. The necessity for reporting these events is well understood by the operating personnel, who are accustomed to using these specifications, but less well by the maintenance staff. EDF is taking steps to gradually improve this situation. As these safety-related events are not in themselves serious incidents, they need not be the subject of specific reports from the operator, but must, on the other hand, be immediately entered into the national data base, managed by EDF and accessible, for safety aspects, to the DSIN and the IPSN. This data base can be consulted by system, item of equipment, plant unit, date of event or date of entry into the data base and is known as the "event file", now integrated in SAPHIR. It contains not only "safety-related events" but all events that EDF wishes to handle using this computerized system. Each specific event itemized in the computer file is indexed to indicate whether it is safety-related and thereby accessible to the safety organizations. The number of safety-related events entered into the EDF file is rapidly increasing (2,600 in 1990, 6,800 in 1992, 8,100 in 1994).
Before trying to interpret these figures, it is interesting to note that while the average number of reports per unit in 1994 was 175 for the 900 MWe plants and 205 for the 1300 MWe plants, these mean values mask considerable variations. For instance, some plants report more than 300 events per unit, whilst others report only 100 or less. The influence of plant management attitudes is obvious, since the same trends are observed for pairs of units. It is also worth noting that certain plants have increased the number of events reported in compliance with recommendations following an EDF in-house nuclear inspection. So we can congratulate ourselves on having a certain number of teams well aware of the need for transparency and for developing safety culture in personnel categories perhaps less amenable than the reactor operating staff. It must be borne in mind that, at least to begin with, the extension of safety culture may result in an increase in the number of safety-related events reported. The stabilization of this figure observed in 1995 could be due to EDF provisions aimed at reducing the disparities mentioned rather than an indication of impending saturation.
23.1.2. "Significant incidents"
Generally speaking, safety-related events do not in themselves call for detailed analysis nor are they severe accident precursors. The latter are more likely to be found in another category of operating nonconformances, classified as "significant incidents". These are generally "safety-related events" which also satisfy certain specific criteria defined by the DSIN after discussion with the operators. These criteria were very precisely defined with a view to obtaining their "automatic" application, without excessively different interpretations from one plant to another. They were formalized in 1982 but, here again, owing to the difficulties encountered and discussed with the safety organizations, EDF periodically revises the corresponding internal procedures to improve uniformity of application between the different plants. The "significant incident" reporting criteria may be summarized as follows:
• emergency shutdown, except in the context of a deliberate scheduled action or defects affecting the turbogenerator
• implementation of an engineered safeguard system, except in the context of a deliberate scheduled action
• any incident where, in any standard operating state, a change of state would be incurred by application of the technical specifications:
- long-term unavailability or multiple inoperabilities,
- overshooting certain thresholds or authorized values,
- actual or potential common mode failure (fire, onsite flooding, system interaction, design or construction error liable to concern several sets of equipment or several plant units, etc.)
• external hazard: earthquake or plane crash, for example
• real or assumed malevolent act
• uncontrolled radioactive release or release exceeding the authorized levels
• exposure of people beyond the specific worker exposure limits
• incident of nuclear origin having caused loss of life or serious injuries
• malfunction or incident placing or able to place the plant outside its design basis operating range
• any other event deemed sufficiently important by the operating or safety authority.
Fig. 23.2. Annual mean number of significant incidents per unit. (Chart; vertical axis: annual mean number of significant incidents per unit.)
A significant incident must be reported to the safety organizations by telex on the day it occurs or on the next working day and be the subject, within two months, of a detailed analysis conforming to a given standard procedure. The first analysis is made by the plant concerned and is supplemented, if required, by a second analysis performed by other specialized EDF departments. Direct exchanges between safety authority analysts and the operators can be set up as soon as the telexed report is received. This is particularly the case when it is feared that several plants could be concerned by the faults identified or when a severe accident precursor is suspected.
Generally speaking, the mode of definition adopted for safety-related events and significant incidents, closely related to the thresholds and limits stipulated in the technical operating specifications, is observed to ensure fairly good agreement between operating and safety organizations as to what should be reported in cases where plant dynamics are affected. This may not be so, on the other hand, in cases relating to the third criterion. If the mean number of significant incidents has remained more or less constant for several years (about seven per year, per unit) there are significant variations from one site to another (Fig. 23.2.). It may also be noted that almost half of these incidents now occur during unit outages. This confirms the specific difficulties of these periods and probably also reflects the penetration of safety culture: certain incidents with no consequences for plant unit operation would perhaps not previously have been reported.
23.2. Significant incident analysis methods
Methods were no more formalized in this field of analysis than in the others. The methods described below were gradually elaborated by collective team work. From the outset, the IPSN has been an instigator, devising approaches to be adopted and developed by the operating utility.
23.2.1. Collective examination of events and incidents
At the IPSN, supervision of a set of plant units (ideally two units) is particularly entrusted to a specific assignment engineer. In order to derive maximum benefit from PWR standardization, each specific assignment engineer is informed of all significant PWR incidents by circulation of the relevant telexes and reports. All the incidents are reviewed during weekly meetings, when the most important occurrences are short-listed. During these meetings, the specific assignment engineers indicate the most significant recent "safety-related events" and exchange available information on incidents abroad. In this way, each analyst is informed of occurrences affecting the French PWR population and of significant incidents reported abroad. In the EDF head office departments, the working method is much the same. The sites in some cases show less interest in what is happening in other plants, which can complicate this type of exchange process.
23.2.2. Selection of significant incidents for in-depth analysis
The significant incidents for in-depth analysis are selected during these meetings. The selection criteria are not formalized but may be outlined as follows:
• incidents which have an affinity with the corresponding design basis incidents, with an estimated frequency of below 10⁻² per year and per unit, or which are capable of leading to such incidents, possibly under different operating conditions
• incidents not foreseen at the design stage
• accumulated safety-related system failures and accumulated errors, whether due to random faults, common mode failures or system interaction
• incidents giving rise to errors resulting from failure to understand plant behavior or safety requirements.
There is consequently a systematic, although often implicit, reference to the design rules and criteria, enabling appraisal both of the gravity of the incident and of the validity of the design rules. Since the publication in 1990 of the French PWR probabilistic safety analysis, specialists in these studies have been included in the teams of engineers entrusted with plant supervision. This means that incidents involving failures which could have a significant impact on core meltdown probability can be identified, even under different operating conditions. It was important that these two safety analysis areas should be allowed to interact. As a rough guide, the 400 significant incidents on French PWR's reported every year give rise to about twenty in-depth analyses, each of which may cover several incidents.
23.2.3. In-depth analysis
An essential element in the identification of severe accident precursor events, in-depth analysis is better conveyed by detailed examples than by a brief overview. However, the way in which we have described and analyzed the Three Mile Island accident will suffice for the approach adopted to be understood. A further example will be presented in Chapter 24. The starting point for analysis is a thorough acquaintance with how the incident took place, which safety functions were implicated, how operators and equipment behaved, what the consequences were, together with knowledge of any similar incidents which may have occurred.
Despite the quality of the operator incident reports, the information supplied usually has to be supplemented by direct contacts with the plant or the relevant EDF head office departments and, in many cases, by inspection of the buildings and equipment concerned. The first action consists in determining whether, in other circumstances, the same incident would have had far more severe consequences. This is known as exploring the degeneration paths and can be summed up by the question "what if?". The second action consists in seeking the root causes of the incident by tracing back as far as possible along the branches of the incident cause tree, not only as regards equipment, but also procedures and human behavior, differentiating between what is specific to the plant considered and what could occur at any unit of the same type. The third action consists in applying to other equipment, systems or situations the root causes identified, to make sure that they could not initiate entirely different sequences of consequences, which could be potentially serious. For instance, if it is noted that a compressed air circuit check valve was responsible for an incident, it is necessary to identify all check valves of the same type implicated in safety functions to assess the consequences of their postulated failure. Similarly, if a human error seems related to the absence, in the pages of the procedure used, of a table with enough columns for all the many repetitive actions to be noted, it is necessary to check that the other procedures dealing with repetitive actions do not suffer from a similar inadequacy. In a wider context, quality or management deficiencies in the documents used or in the organization and scheduling of work must lead to examination of these aspects for other equivalent activities. This is what we call "generalization". The analysis then proceeds with the identification of incidents of the same type or of possible precursor events.
It is, of course, obvious that the in-depth analysis of a significant incident must not be isolated from the overall context of other incidents in France or elsewhere and that parallels should be freely drawn. So this concerns both events having the same material, human or organizational origins and incidents arising from similar scenarios. This grouping of incidents is an essential element in the valid appraisal of data provided by a significant incident. The first corrective steps proposed by the operating utility are often simple compensatory measures, such as instructions aimed at precluding scenarios with more severe consequences following an initiator of the same type as that observed. Such "administrative" steps can generally be taken without loss of time and at low cost. Analysts and operators readily agree on this type of measure. However, it is not so easy to arrive at agreement in cases where modifications to the plant are deemed necessary, especially if these have to be extended to other equipment or to several plant units. IPSN in-depth analysis reports on significant incidents systematically conclude with recommendations which may be reformulated by the DSIN as requests to the operating utility or as special requirements. Before transmission to the DSIN, draft recommendations are, of course, discussed with the operating authorities both as regards the measures required and the time allowed for their implementation. These technical contacts provide good opportunities for reflection. They in no way infringe IPSN autonomy, since points of agreement and disagreement are clearly explained with arguments for or against. It should also be borne in mind that the IPSN is required to state its position on the acceptability of proposals made by the operating utility. It is not within the scope of its function to prescribe technical solutions. These have to be determined by those responsible for the installation.
23.2.4. Guidelines for significant incident analysis
This analysis method was gradually structured by the EDF head office departments to assist the different plants in conducting as exhaustive an analysis as required. The main steps are as follows:
1. Cause analysis:
- data collection
- logical sequence of events
- identification of failures and inappropriate actions
- identification and explanation of discrepancies with respect to the quality assurance system.
2. Assessment of effective consequences:
- for reactivity control
- for core cooling control
- for containment control.
3. Identification of operating scenarios disturbed by failures and mistakes:
- characteristics of the disturbed scenarios
- identification of the disturbed scenarios.
4. Assessment of potential consequences:
- elaboration of an event tree for each disturbed scenario identified, considering the initial state, the subsequent degraded states, the defense in-depth lines of defense provided and the quality assurance system
- identification of faulted conditions elsewhere in the plant, in other units of the plant considered or on other French sites.
5. Corrective actions:
- required to restart the installation or maintain power operation
- required to preclude faulted conditions and inappropriate actions.
This method is more and more consistently applied by the plants, resulting in the gradual improvement of significant incident reporting. It is obviously also applied for all in-depth analyses deemed necessary by the EDF head office departments.
23.2.5. Trend analyses and statistical surveys
Greatly facilitated by the similarity of the many plant units operating in France, the first surveys of this type concerned the frequency of safety injections and scrams, or the causes and frequency of primary leaks. These studies have led to a gradual reduction in the number of such minor incidents. The scope of this type of survey was enlarged in the eighties to cover examination of all significant incidents by the analysis of a large number of factors, the most important of which are:
• initial conditions
• circumstances of the incident: periodic test, repair work, servicing
• equipment concerned
• various aspects of the human factors (procedures, ergonomics, quality organization, etc.)
• external causes, where applicable
• the specificity of the features concerned or, on the contrary, the very general characteristics involved, applicable to a series of plants or to the entire plant population
• actual consequences: loss of a barrier, loss of a safety function, uncontrolled release.
This factor analysis demonstrated very early on the importance of reactor shutdown periods. Specific technical specifications covering these operating conditions were drafted and are currently applicable. The probabilistic safety studies published in 1990 (Chapter 19) confirmed the importance of outages from the safety standpoint. There are, on the other hand, other types of statistical survey which could have unwanted effects. Plants could be classified, for instance, according to the number of events and significant incidents reported. But this would constitute a very misleading simplification. Acquaintance with the teams involved and the documents provided shows that the plants reporting many events or incidents include those which have to contend with difficulties of various origins and those which are convinced of the need for transparency and whose efforts to heighten safety awareness must not be discouraged. The reverse appraisal applies to many of the plants reporting few events and incidents. We have mentioned elsewhere the increase in the number of safety-related event reports, related to the gradual extension of safety culture, but this should only be a short-term effect.
23.2.6. Grouping incidents
It is particularly difficult to draw accurate and pertinent conclusions from analyses of incidents where the human factor is the prevailing influence. The behavior and circumstances which result in misalignments, confusion between items of equipment and even between plant units are consequently analyzed by "families". Effective conclusions can only be drawn with due precaution. In the next chapter, we present a series of alignment incidents in this family, concerning pressurizer level sensors. A survey of this type was conducted on incidents leading to operation outside the operating range specified in the general operating rules. The origins of these incidents, which occur from time to time on French PWR units, were sought in five areas:
• staff training deficiencies
• deficiencies in the checking and quality organization of repair work
• deficiencies in scheduling and in the information given to staff
• design defects
• safety culture deficiencies.
Efforts were made to establish correlations between the rate of occurrence of these faults and the reactor state. It is scarcely surprising to observe that control and organization problems tend mainly to occur at unit restart, and scheduling or communication problems during unit outages. Monitoring the frequency of such incidents over a period of time should enable us to assess the validity of the measures taken by EDF in this respect and indicate areas where any further action may be required. There is another field where essential safety conclusions are reached by grouping incidents, but in this case the classifications depend largely on the know-how of the analysts concerned. The purpose here is to observe, for instance, that the automatic sequence following the event initiating various incidents features the same type of nonconformances. Thus in the space of three years (1982-1984) and out of about a thousand significant incidents on 900 MWe units, 13 turbine-driven auxiliary feedwater pump trips or failures to start after reactor scram were reported. When consulted, the event file revealed a total of 40 such trips at startup in the space of 100 reactor-years. The investigation was then carried further, with various EDF headquarters departments, to find out the corresponding number of startup commands involved. This revealed a rate of failure to start at the first command of 2·10⁻², which is a value equivalent to that observed for plants in the United States, and not 3·10⁻³, which was the value adopted in France at the time for certain probabilistic calculations. In addition, when periodic test results were compared with actual operating results, they were found to be not entirely representative, giving more favorable results than those obtained under actual operating conditions. At the time, periodic tests all took place during power operation of the plant unit, with low steam pressure in the secondary system (56 bar), whereas after an emergency shutdown the turbine driving the pump receives steam at the much higher rated steam pressure corresponding to a zero power configuration (~70 bar). Certain periodic tests are currently performed under hot standby conditions, more representative of the aftermath of an emergency shutdown. Further investigations led to identification of the causes of these failures, the elaboration of corrective measures and the implementation of modifications on all the 900 MWe plants. As from 1988, the problem seemed to have been solved and failures to start were exceptional occurrences for a few years.
More recently, turbine-driven auxiliary feedwater pump trips have occurred, usually on 1300 MWe units, which were not directly concerned by the modifications, but also on some 900 MWe plant units. Considering the safety role played by this equipment, further investigations will have to be made to explain and correct these failures. So, with this method of observation and analysis, we make full use of the French nuclear power plant population and the corresponding operating experience to achieve realistic reliability values for safety-related equipment and identify residual difficulties with a view to enhancing safety even further. Studies of the same type have been completed or are still proceeding on a wide range of subjects, such as primary leaks, emergency diesel generators, reactor system cleanness, slow boric acid dilution in the primary system, the 6.6 kV circuit breakers, certain 1300 MWe unit valves, gas discharge incidents, etc.
23.2.7. Use of probabilistic studies

We have already discussed a few characteristic examples in Chapter 20. It is worth noting that in the United States, the Nuclear Regulatory Commission (NRC), which required each plant to carry out a probabilistic safety assessment, performs site by site and overall studies concerning the conditional probabilities of core meltdown* for each of the most significant incidents reported each year. For a large, standardized plant population such as that in France, studies of this type could also reveal interesting trends. Provisions in this respect are being made by the EDF headquarters departments and at IPSN.
23.3. Case of a repetitive incident

It is often difficult to make a rapid, definitive decision as to the appropriate corrective measures to prevent the recurrence of an incident which has been analyzed in detail. A characteristic example of this concerns the risk of interruption of residual heat removal in circumstances where the primary system is drained to reactor coolant loop level. Incidents of this type have occurred in France and in many countries equipped with similar types of light water reactors.
23.3.1. Initial conditions

Partial drainage of the primary system to a level just below that of its upper piping can be used for steam generator blowdown purposes, with air sweeping of the system prior to opening the vessel, thereby limiting radiological hazards for maintenance staff. In addition, in order to enable site operations in the steam generator channel heads and inspection of steam generator tubes without unloading the core, all connections between the SG channel heads and the primary loops had to be closed by means of cover plates. Before these cover plates can be installed, the channel heads must be drained to a level such as to preclude any inadvertent surge of water during the manual positioning of these devices. So the water is drained to a level corresponding to 70% of the primary system hot and cold pipe capacity, which is below that required for preparatory vessel opening operations (Fig. 23.3.).
* Cf. Sections 20.1.3 and 20.1.4
Fig. 23.3. Component layout in a 1300 MWe unit.
The residual heat removal system (RHR) used for core cooling in these configurations is connected to the primary system from below the piping. As the water head above the RHR suction is small, an excessive suction rate or an insufficient water level can create a vortex with air entrainment. The pumps could then be dewatered, resulting in impairment of core cooling. As none of these difficulties had been foreseen when the plants were designed, only a single level measurement system, neither very accurate nor very reliable, had been provided.
23.3.2. Possible consequences

In the configurations referred to, a 900 MWe reactor primary system contains only about 70 m3 of water, and only the 45 m3 located in the vicinity of the reactor core and above it need be taken into consideration for boiling calculations. After 3 days of an end-of-life shutdown, the residual power released from the core is about 12 MW. Under these conditions, about 15 minutes without cooling would suffice for the water temperature to rise from 40 °C to 100 °C*. Core dewatering would then start as soon as the 12.5 m3 of water located above the fuel elements had vaporized, which would take only 40 minutes more**. These time intervals lengthen as the residual heat diminishes, but it must be noted that after 1 month the residual heat is still 4.5 MW, which allows 40 minutes before boiling occurs and a total of 146 minutes before fuel dewatering begins. These intervals are, in reality, slightly lengthened by the thermal capacity of the core metal structures.

If the water boils, there would be a risk of contaminated steam in the reactor building, which may be occupied by staff. Fuel dewatering would result in clad failures, with even more serious radiological consequences for any staff in the building, and even for people outside it if the reactor building containment integrity were impaired.

The first incident of this type, which was the subject of a detailed IPSN analysis, occurred at Blayais-1 on May 6, 1983, during drainage of the reactor cavity to reinstall the vessel head after refueling. The inadvertent shutoff of the vessel water level sensor, misleading the operators, resulted in an excessively low level being reached, below the RHR system suction level, in a 2-hour interruption in residual heat removal and a 20 °C increase in primary water temperature. The reactor had been shut down for 93 days and was releasing a residual heat of about 1.4 MW. A similar incident had in fact already occurred at Fessenheim in December 1977.
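As an added worked example (not from the book), the two footnote formulas carried through in Python with the figures quoted above: the 45 m3 heated volume, the 12.5 m3 above the fuel, 12 MW three days after shutdown, 4.5 MW after one month and the 1.4 MW of the Blayais-1 case. The function names, the constants' names and the one-hour check are this example's own; the one-hour figure is the reaction time before fuel dewatering that the complementary instructions of 1989, described later in this section, require before the primary system is opened.

```python
"""Boiling and fuel-dewatering margins for a primary system drained to loop level.

Added worked example, not from the book. It applies the two footnote
formulas with the book's own symbols:
  t_boil = d * V * Cp * dtheta / Pr   (sensible heating of 45 m3 to 100 degC)
  t_vap  = d * V * lv / P             (vaporizing the 12.5 m3 above the fuel)
The heat capacity of the core metal structures is ignored, as in the book,
so the results are slightly conservative.
"""

WATER_DENSITY_KG_M3 = 1000.0   # d
WATER_CP_J_KG_K = 4180.0       # Cp
LATENT_HEAT_J_KG = 2250.0e3    # lv, the book's 2250 kJ/kg

# Book figures for a 900 MWe unit drained to loop level.
HEATED_VOLUME_M3 = 45.0        # water around and above the core
VOLUME_ABOVE_FUEL_M3 = 12.5    # must vaporize before fuel dewatering starts
T_INITIAL_C = 40.0
T_BOIL_C = 100.0


def time_to_boil_s(power_w, volume_m3=HEATED_VOLUME_M3,
                   t0_c=T_INITIAL_C, t1_c=T_BOIL_C):
    """Seconds, with no cooling at all, for the water to heat from t0 to t1."""
    return (WATER_DENSITY_KG_M3 * volume_m3 * WATER_CP_J_KG_K
            * (t1_c - t0_c)) / power_w


def time_to_vaporize_s(power_w, volume_m3=VOLUME_ABOVE_FUEL_M3):
    """Seconds, once at saturation, to boil off the water column above the fuel."""
    return WATER_DENSITY_KG_M3 * volume_m3 * LATENT_HEAT_J_KG / power_w


def dewatering_margins_min(power_w):
    """(minutes until boiling, total minutes until fuel dewatering begins)."""
    t_boil = time_to_boil_s(power_w)
    return t_boil / 60.0, (t_boil + time_to_vaporize_s(power_w)) / 60.0


def has_one_hour_margin(power_w):
    """True if at least one hour elapses before fuel dewatering would begin.

    This is the example's own check of the one-hour reaction time that the
    1989 complementary instructions require before the primary system is
    opened (assumption: the criterion is applied to the uncooled case).
    """
    return dewatering_margins_min(power_w)[1] >= 60.0


if __name__ == "__main__":
    # Residual powers quoted in the text: 3 days, 1 month and 93 days after shutdown.
    for label, p_w in (("3 days", 12.0e6), ("1 month", 4.5e6),
                       ("93 days (Blayais-1)", 1.4e6)):
        boil, dewater = dewatering_margins_min(p_w)
        print(f"{label:>20}: {p_w / 1e6:4.1f} MW -> boiling after {boil:5.1f} min, "
              f"fuel dewatering after {dewater:6.1f} min, "
              f"one-hour margin: {has_one_hour_margin(p_w)}")
```

At 12 MW the total margin is under an hour (about 55 minutes), at 4.5 MW it is about 146 minutes, which is why the minimum delay before opening the primary system matters more than any single sensor.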
The corrective actions proposed by EDF after this incident were as follows:
• modification of the vessel water level sensor and systematic checking of the sensor's alignment
• modification of the drainage procedure, imposing a limited drain-out rate
• clarification of the corresponding procedures
• information of other plants and operator training.
At the end of 1983, the IPSN suggested that more reliable primary system water level and temperature sensors should also be installed. These
* $t = \dfrac{d \times V \times C_p \times \Delta\theta}{P_r} = \dfrac{1000 \times 45 \times 4180 \times 60}{12\,000\,000} = 940$ s, i.e. about 15.7 minutes.
** $t = \dfrac{d \times V \times l_v}{P} = \dfrac{12\,500 \times 2250}{12\,000} = 2343$ s, i.e. 39 minutes.
requests were reiterated by the Standing Group for reactors and then by the DSIN in 1987.

As the same type of incident had already occurred several times in the United States, the matter was discussed by a working group set up in 1985 by the Nuclear Energy Agency of the Organization for Economic Cooperation and Development (NEA-OECD) to investigate the safety system failures reported to the Incident Reporting System (IRS)*. The group issued a report in November 1986, indicating the existence of 19 IRS reports involving low primary fluid levels during shutdowns, some of which concerned several events. The suggested corrective measures, naturally very general in this context of a wide range of different types of plants, confirmed the recommendations listed above.

Other incidents related to residual heat removal occurred at French plants in the following years. At Blayais-4, reactor core cooling was interrupted for 25 minutes in 1985, resulting in a 25 °C rise in the temperature of the primary fluid. In 1987, the RHR pump in service at Cruas-1 operated under disturbed conditions for 3.5 hours, without degradation or loss of the residual heat removal function. These incidents nevertheless led the operating authorities to reinforce preventive measures: provision of a standby primary water make-up system, using the safety injection water reserves, and, in 1988, installation of a second level sensor based on a different technique from the device already installed, the second sensor being an ultrasonic device.

During the same period, several incidents of the same type occurred in the United States, notably:
• at San Onofre-2, in 1986, when residual heat removal was interrupted for 1 hour, resulting in steam emission in the containment
• at Diablo Canyon-2, in 1987, when a 1.5 hour interruption of residual heat removal resulted in a high level of radioactivity in the containment.
Further to these incidents, the American safety authority, the Nuclear Regulatory Commission (NRC), sent a generic letter to all operators, drawing their attention to the corresponding risks. This letter, together with the first results of the French probabilistic studies, showing the significant incidence of shutdown situations on the calculated overall core meltdown frequency, led EDF to define, in 1989, complementary instructions on cold shutdowns for servicing, for inclusion in the technical operating specifications.
* Cf. Chapter 28.
These complementary provisions concern the first three defense in-depth levels.
• Prevention is enhanced by:
- redundancy and diversification of vessel water level indicators
- a better drain-out procedure
- availability of both RHR system trains and provision for backup of this system, either by a steam generator when the primary system is water-filled and closed, or by the Reactor Cavity and Spent Fuel Pit Cooling and Treatment System when this is not the case
- specification of a minimum time lapse before the primary system is opened, such that a reaction time of one hour is allowed before fuel dewatering begins
- opening of the pressurizer manway before any other primary system equipment, to preclude core drain-out due to pressure buildup in the event of loss of the RHR function
- stringent limitation, in these configurations, of servicing operations on systems connected to the primary system or to the residual heat removal system.
• Surveillance is enhanced by:
- better monitoring of the RHR system operating parameters (sensors indicating temperatures, pump current requirements, flow rates, pressures)
- a hold point before the primary system water level is lowered below the vessel head low level. This hold point can only be lifted after all the above measurements have been checked.
• Limitation of consequences in the event of abnormal situations is enhanced by:
- the availability of two gravity flow sources of make-up water, the safety injection water tank and the spent fuel pool
- continued containment
- standby procedures in the event of total loss of power
- incident procedures providing make-up water and emergency powering.
It was moreover decided in 1990 that all RHR system low water level operations should require the prior consent of the DSIN.
Following publication of the probabilistic safety studies, which particularly stressed the incidence of these configurations on estimated core meltdown frequency, EDF decided to implement an exhaustive program of studies and tests on the subject. This program comprises an analysis of all relevant operating feedback from France and abroad, complementary thermal-hydraulic calculations to determine the RHR system operating margins with respect to cavitation or vortex phenomena, and the development of complementary monitoring devices. The results of these studies were presented to the safety authorities at the end of 1994.
The advantages and drawbacks of an automatic water make-up system, adapted to these situations, are currently under discussion. Such a system would have a highly positive safety impact, but could put maintenance personnel at risk were it to start up inadvertently whilst the SG cover plates were being installed.

Despite all the precautions taken, various incidents have occurred - one per year since 1989, but two in 1993 - although without complete loss of the residual heat removal function. Particularly noteworthy is an incident where both level sensors, although of different types and technologies, were unfavorably miscalibrated. Finally, at the beginning of 1994, the lack of precision of certain operating instructions led to a vortex situation being created and maintained for more than 8 hours. Two successive shifts were concerned by this situation. The safety engineer failed to detect any abnormality from the control room. This incident shows that, despite the efforts made by EDF to heighten awareness of the problem on all sites, the message has not been entirely integrated by all those concerned. It also shows the limited efficiency of subjecting operation under certain specific conditions to prior authorization. Applications for such authorizations can apparently be managed at a purely administrative level, disregarding the people involved, so that their detailed analysis is of little interest.

This provoked an immediate reaction on the part of the DSIN, which requested the operating authorities to use the RHR system low water level conditions, with the core loaded and at the beginning of shutdown, only when this could not be avoided. So EDF looked for other ways of degassing the primary system, notably by using the Boron Recycle System. The cover plates required for steam generator servicing are installed after all fuel has been unloaded.
EDF has also set up a quality control procedure for all operating documents used or able to be used in this configuration, together with special training in this respect for all operating personnel. The relevant documents are being examined by the standing group of experts, further to EDF's decision to install a primary system automatic water makeup device under these conditions.
24
Detailed analysis of incidents involving human factors
We have taken several opportunities to emphasize the importance of human factors in nuclear power plant operation. Man usually plays a positive role, but an analysis is called for in all cases where human actions contribute to the initiation or development of incidents. Such analyses are delicate since, both for the workers concerned and for those responsible for questioning them, it is important to avoid the transition from the notion of error to that of fault. It is happily quite exceptional for unfortunate actions to be solely the result of characterized or deliberate negligence. So we have to undertake a detailed analysis of maintenance conditions and of the work of maintenance staff, in order to identify what depends on the working contexts involved, on work organization and on available facilities and information. Unless all relevant elements are identified and rectified, it is obvious that other similar errors are liable to occur.

1989 was marked in France by the occurrence of several significant incidents related to maintenance operations. Certain similar incidents have since recurred. This was the case for the pressurizer level sensor misalignments. The first incident of this type occurred at Flamanville-2 and immediately gave rise to an exhaustive analysis. It was then considered judicious to closely analyze subsequent incidents, in order to assess the efficiency of the corrective measures taken after the first incident and to extend the scope of the analysis. The interviews organized to reach a full understanding of the operator actions considered and their circumstances were conducted jointly by EDF and IPSN human factor specialists. The analyses made by the IPSN specialists are summarized below.
24.1. Pressurizer heater damage at Flamanville-2

On October 23, 1989, unit 2 of the Flamanville nuclear power plant (1300 MWe, type P4) was restarting after servicing of pressurizer piping connections (nozzles), following defects detected on nozzles in other 1300 MWe units. The impulse lines for the five pressurizer water level sensors were included in the connections inspected.
24.1.1. Scenario

An important step in the nuclear unit startup procedure is the formation of the pressurizer steam bubble. To begin with, the primary water is cold and entirely liquid, which makes pressure control in the system difficult. A steam bubble in the pressurizer limits, by its compressibility, hydraulically induced pressure transients. This bubble is formed by switching on an appropriate number of pressurizer heaters to bring the water in the pressurizer to boiling point. The operation is accelerated by deliberately unbalancing the Chemical and Volume Control System charging and letdown flow rates, removing about 30 m3/h of water from the primary system as soon as boiling occurs. The pressurizer steam-water interface level is monitored by four sensors, with a fifth provided for very low levels and for total drain-out of the pressurizer (900 MWe units have only four sensors).

Heaters began operating at 3:20 p.m. and an increase in the letdown flow rate was requested by the automatic control system at 3:40 p.m. Pressures and temperatures were stable by about 4:20 p.m., so the number of heaters operating was reduced. The operator waited for the highest sensor to indicate that the pressurizer water level was going down; indications from the other sensors should then have followed successively. At 4:42 p.m., the lowest sensor indicated that the level was going down, whilst all the others continued to indicate the maximum level. The inconsistency of these data and the wrong order in which the signals appeared raised doubts as to the accuracy of the lowest sensor's signals. The on-call team was called in at around 5:00 p.m., but these workers had completed their working day and left the plant, thereby delaying corrective action.
The operator was still waiting for the other four sensors to indicate a lower pressurizer water level and concluded that the level was still high, so he put a further heater into service when the pressure fell slightly. Between 5:50 p.m. and 6:05 p.m., insulation defects appeared on the heaters, which tripped. The primary pressure fell. The operating team diagnosed an incident and tried to switch on other heaters to restore the primary pressure level and protect the reactor coolant pump seals. These additional heaters tripped immediately. The operators then realized that the heaters could be dewatered, since the pressurizer water level was abnormally low. The shift supervisor requested inversion of the charging and letdown flow rates to stabilize the pressure and raise the water level in the pressurizer. It was at this point that the maintenance team which had checked the lowest sensor confirmed that it was working correctly and examined the other sensors, to discover that they had remained isolated in a configuration indicating "pressurizer full". These sensors were put back into service at about 7:00 p.m. The pressurizer water level alarm, triggered by signals from these sensors, could therefore not be activated. The restartup process was interrupted and the unit placed in cold shutdown for servicing. The ensuing examination revealed that 65 heaters had been damaged by operation under dewatered conditions. Repairs increased the outage time by several months. The incident had no direct safety consequences, but was nevertheless very carefully analyzed because of the many lessons to be learned in terms of operation and maintenance methods.
24.1.2. The operating team behavior

The operator in charge of creating the steam bubble was young. He had received the normal simulator training, during which this operation is performed, and had already taken part in the real operation, as second in command, during his complementary site training period. For him, it was unthinkable that four sensors at once could be giving wrong information. His colleagues, the safety engineer, the operating engineer and the automation experts consulted were all of the same opinion.

The removal of water from the primary system over a long period of time could have drawn the attention of the operating team to pressurizer drain-out hazards. But we know from other examples that it is very difficult to assess water balances. Cross-checking the data by monitoring the rising water level in the Boron Recycle System surge tank, to which the primary system water had been sent, does not appear to have been attempted; it is not mentioned in the procedure.

Moreover, during startup periods, the problems to be dealt with by the operating team are many and varied. The shift supervisor was busy with a problem concerning the AC generator shaft line. His deputy was fully occupied at the onset of the incident by a chemical problem. Telephone calls during this highly active period were "as numerous as usual", although no figures are available. On the other hand, plant unit computer logging has been used to reconstitute the number of alarms relayed to the control room and acknowledged by the operating team after checking. An alarm was displayed, on average, every 3 minutes, interrupting the activities of the operators and obliging them to concentrate on difficulties of highly variable importance concerning widely different parts of the plant. Under these conditions, it is difficult to bear in mind the relatively slow progress of a phenomenon such as the lowering of the pressurizer water level, which usually raises no particular problems. The heater tripping was at first considered to be a further problem, unconnected with the primary system procedure under way, but related to recent repair work on the heater electrical system.
24.1.3. The misalignment conditions

The pressurizer water levels are measured by differential pressure transducers which measure the weight of a 10 m water column, using eight nozzles on the pressurizer housing. These nozzles also supply the pressure sensors, each of which is equipped with a front valve enabling separation from the measurement system and considered as part of the primary system. Each of these valves has an identification number, indicated on drawings and used in procedures. The reactor control department is responsible for their operation.

Each level sensor is equipped with a separator, drain traps, test devices and seven valves considered as part of the instrumentation itself, despite the fact that they are positioned relatively far from the sensor, at two nozzle levels about 11.5 meters apart, either near the pressurizer or beyond the antimissile barrier protecting it. They are accessible from various floor levels spaced over about 12 meters (Fig. 24.1.). These valves have no specific numbering; they are locally identified by markings V1 to V7, without reference to the corresponding sensor, and are generally not shown on reactor control department drawings. The automation department is responsible for their operation.

To facilitate servicing of the various pressurizer nozzles, the impulse lines for the five sensors were disconnected in September 1989 and sealed with soluble plugs. A diagram of the system was provided, indicating the alignment. When the sensor restarting procedure took place, the nozzle of the lowest sensor, used for primary system drain-out, had not yet been inspected. The restarting procedure was consequently incomplete and, above all, the job site remained in place, involving a limited access area at both nozzle levels. These two levels comprise some, but not all, of the valves. Special clothing is required for the limited access area, with a continuous air supply through a 10 to 20 m hose. Transit from the limited to the free access zone and vice versa requires a systematic change of clothing (Fig. 24.2.).
Fig. 24.1. Pressurizer level sensor flow diagram.
Restoration of the front valve identification marking, disarranged by the repair work, was planned to take place at the end of the site operation and not prior to sensor alignment. The representative of the manufacturer in charge of the nozzle servicing operations requested the assistance of the plant automation department. Four technicians were assigned, but nobody was nominated as specifically responsible for the work. The scheduling department had planned the performance of two separate jobs during the same repair outage (Fig. 24.3.):
• air ejection of the soluble plugs, using a site operation work sheet qualified on another site. This activity was new to the local site automation experts and was not included in their normal duties;
• return to service of the pressurizer level sensors. This activity falls within the scope of the automation experts, but is usually only performed on one sensor per year and starting from a different initial state. The site operation work sheet provided corresponded to this other state.
Fig. 24.2. Level sensor valve layout.
For the planners, the site operation comprised two successive stages: plug removal, followed by restarting of the four sensors. The method was adapted for a team of two. It involved many level changes. But the soluble plug removal sequence was not entirely adapted to the Flamanville-2 equipment, and a team of five had been assigned for the job. Faced with the association of two activities, site operation work sheets which were not directly applicable, unusual working conditions and lack of identification marks, the team decided to group the two activities and organize the work in such a way as to limit moves, transit between free and limited access zones and level changes. So the team split up accordingly, working on the different sensors in parallel, without appropriate written instructions (Fig. 24.4.).
Fig. 24.3. Planned work program (in sequences).
The work involved all valves associated with each sensor, except for one per sensor. These special valves are located outside the two work areas concerned and their operation is not required for plug removal. They were left as they were.
Fig. 24.4. Actual organization of the work (overlapping of the operations).
Upon completion of this operation, a member of the lower team, which had now joined up with the upper team, asked whether alignment had been dealt with, meaning the alignment of all the valves. A worker who had just completed the alignment operations for one specific valve understood that it was this valve that was referred to and gave an affirmative answer. Question and answer were elliptical and consequently ineffective. It was then 2:00 p.m., too late to deal with general identification marking. The workers had been on the job without food since 5:00 a.m. Much of the work had had to be done using a ventilated hood. The systems were left as they were.
The next day, after inspection of the last weld, two technicians removed the last soluble plug and put the last sensor back into service. This time, only one system had to be dealt with, the work sheets were more representative and the experience of the previous day had trained the technicians in the unusual operation of soluble plug removal. One of these technicians was the one who had worried about the alignment the previous day. He carried it out himself and opened the valve which had been left closed for the other sensors. This was then the only sensor providing correct information. When put back into service, all five sensors indicated "zero level", which was correct at the time, so the error was not detected.
24.2. Isolation of pressurizer level sensors at Cruas-2

When the incident occurred, unit 2 of the Cruas plant (900 MWe, type CP2) had been shut down for two weeks for unscheduled repair work on a steam generator. To revert from cold shutdown for repair to normal cold shutdown, the operators vacuum degassed the primary system before refilling it with water. The unit's pressurizer level sensors had been replaced in 1989 by new devices qualified to withstand accident conditions. As these new sensors were vacuum-sensitive, the normal plant procedure was modified. An addendum specified isolation of these sensors during the vacuum degassing and was marked "level sensor valves". Closing the front valves would isolate the sensor used for level monitoring during primary system refilling; this monitoring operation would require the presence of a technician on the spot. In addition, this sensor, of a different technology, need not be isolated. Adjustments must therefore be made to the valves associated with the sensors concerned and not to the front valves. The procedure does not specify who should isolate the sensors, which valves should be moved or in what way. Those who drafted and checked the procedure were not thoroughly acquainted with the measuring systems.

On March 24, 1990, preparation of the measuring systems prior to vacuum degassing was entrusted to the night shift. The sentence added to the instructions was understood as being addressed to them. An operator and an auxiliary technician went to the work site and tried to understand how the measuring systems operated, but this was very difficult, considering the widely spread layout and the absence of markings. They found two valves open on each system and closed them. These were the sensor bypass valves, so the sensors were thus not isolated.
On March 25, the morning shift carried out the primary system vacuum degassing. In the control room, the operator noted drift in the level indications and realized that the sensors were not vacuum-protected. He sent a technician to close the front valves, except the one corresponding to the lowest sensor. None of these actions is specified in the procedure. The technician who carried out these adjustments drafted a new diagram showing the new alignment and placed it in the appropriate folder, from which he removed the previous diagram, but without noting anything in the shift log book. The afternoon shift refilled the primary system with water. The rising water level in the pressurizer was monitored by the only operational sensor.

The team responsible for the preliminary operations came back on duty for the night shift. Its job was to overhaul the pressurizer level measuring systems. The technician who had closed the valves was already in the reactor building when he was instructed to overhaul the sensors. Remembering his action the previous day, he opened the valves that he had closed. Unaware of the modifications made by the morning shift, he left the front valves closed.

On March 26 at 8:00 p.m., the restartup commission examined the servicing work sheet, which includes a list of operations to be performed to check the availability of equipment required to exit the normal cold shutdown state. Further to the heater deterioration incident at Flamanville-2, the work sheet specified checking of the instrumentation valves by the section in charge of sensors. The members of the commission were unaware of the actions undertaken by the operating department to protect the sensors and considered that the check envisaged was only necessary in cases involving work on the sensor systems. The corresponding check was not requested. On March 27, when the morning shift team arrived at 6:00 a.m., operations connected with the steam bubble were proceeding.
At around 7:00 a.m., the only available sensor indicated a level reduction. When the control room operator realized that the other sensors were not also indicating lower levels, he calculated, on the basis of the mismatch between charging and letdown rates, the approximate volume of the bubble and compared it with the level at which the sensors should start reacting. 20 m3 had been drained out. The operator then diagnosed a nonconformance, cut the power supply to the heaters, levelled up the charging and letdown rates and requested an on-the-spot check. The alignment errors were then discovered and, after correction, plant restartup was able to continue.
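The cross-check the Cruas-2 operator made by hand, written out as an added example (not code from the book or from EDF): integrate the letdown/charging mismatch to get the volume drained, convert it into the level change the pressurizer sensors should show, and flag sensors that have not moved once the expected change exceeds their resolution, however many of them agree with each other. The pressurizer span volume, the sample log, the 5 % threshold and the sensor names L1 to L5 are all constructed for the example and are not plant data.

```python
"""Water-balance plausibility check for pressurizer level sensors.

Added example, not code from the book or from EDF. It reproduces the
reasoning applied at Cruas-2: the charging/letdown mismatch says how much
water has left the primary system, so the pressurizer level must have
fallen by a corresponding amount; sensors still reading "full" once that
fall exceeds their resolution are suspect, even when four of them agree.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Sample:
    """One control-room observation (all values constructed for the example)."""
    minutes: float                  # time since the heaters were switched on
    charging_m3h: float             # CVCS charging flow into the primary system
    letdown_m3h: float              # CVCS letdown flow out of it
    levels_pct: Dict[str, float]    # sensor name -> indicated level, % of span


# Constructed assumption: the measured span of the pressurizer holds this
# much water, with a constant cross-section, so 1 m3 = (100 / SPAN) % of span.
SPAN_VOLUME_M3 = 25.0


def drained_volume_m3(samples: List[Sample]) -> float:
    """Integrate (letdown - charging) over time with the trapezoid rule."""
    total = 0.0
    for a, b in zip(samples, samples[1:]):
        dt_h = (b.minutes - a.minutes) / 60.0
        net_a = a.letdown_m3h - a.charging_m3h
        net_b = b.letdown_m3h - b.charging_m3h
        total += 0.5 * (net_a + net_b) * dt_h
    return total


def expected_drop_pct(volume_m3: float, span_volume_m3: float = SPAN_VOLUME_M3) -> float:
    """Level drop, in % of span, that the sensors should show for the volume removed."""
    return 100.0 * volume_m3 / span_volume_m3


def stuck_sensors(samples: List[Sample], span_volume_m3: float = SPAN_VOLUME_M3,
                  min_drop_pct: float = 5.0) -> List[str]:
    """Sensors whose reading has not fallen although the water balance says it should.

    Returns [] while the expected drop is still below min_drop_pct (no verdict
    yet); otherwise the names of the sensors that moved by less than that.
    """
    expected = expected_drop_pct(drained_volume_m3(samples), span_volume_m3)
    if expected < min_drop_pct:
        return []
    first, last = samples[0], samples[-1]
    return sorted(name for name, start in first.levels_pct.items()
                  if start - last.levels_pct[name] < min_drop_pct)


# Constructed log: letdown held 30 m3/h above charging, the four narrow-range
# sensors (L1-L4) frozen at 100 %, the low-level sensor (L5) falling as it should.
SAMPLES = [
    Sample(0,  5.0, 35.0, {"L1": 100, "L2": 100, "L3": 100, "L4": 100, "L5": 100}),
    Sample(2,  5.0, 35.0, {"L1": 100, "L2": 100, "L3": 100, "L4": 100, "L5": 96}),
    Sample(10, 5.0, 35.0, {"L1": 100, "L2": 100, "L3": 100, "L4": 100, "L5": 80}),
    Sample(20, 5.0, 35.0, {"L1": 100, "L2": 100, "L3": 100, "L4": 100, "L5": 60}),
    Sample(30, 5.0, 35.0, {"L1": 100, "L2": 100, "L3": 100, "L4": 100, "L5": 40}),
    Sample(40, 5.0, 35.0, {"L1": 100, "L2": 100, "L3": 100, "L4": 100, "L5": 20}),
]

if __name__ == "__main__":
    drained = drained_volume_m3(SAMPLES)
    print(f"drained {drained:.1f} m3, expected level drop {expected_drop_pct(drained):.0f} %")
    print("sensors not following the water balance:", stuck_sensors(SAMPLES))
```

The check deliberately says nothing until the expected drop is larger than the threshold, so that normal sensor noise early in the operation does not raise a false alarm; after 40 minutes of the constructed log it names L1 to L4, and the agreement of those four sensors with one another is no defense, since a common alignment error affects them all in the same way.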
24.3. Isolation of pressurizer level sensors at Gravelines-4

Unit 4 of the Gravelines nuclear power plant (900 MWe, type CP1) was restarting after the annual refueling outage. On November 13, 1990, before vacuum degassing of the primary system, an automation department team isolated the pressurizer level sensors in compliance with a request from the operation department. As at Cruas-2, the pressurizer level sensors had been replaced in 1989 by sensors qualified to withstand accident conditions. This was the first time at Gravelines-4 that the pressurizer level sensors had to be isolated prior to vacuum degassing of the primary system. The operation had been prepared by the automation technicians. As at Cruas-2, it does not concern the sensor used to monitor the pressurizer water level during primary system drain-out, where the qualification level is different. The "simultaneous action on three redundant trains" aspect is not mentioned in the documents. The site operation file was drafted and edited using the computerized maintenance assistance tool. But since the valves associated with these sensors have no identification marking, those to be actuated could not be clearly indicated in the computer document. The planner was aware of this problem and appended a drawing showing the valves concerned in color. The operation raised no problems.

On November 14, the sensors had to be put back into service after refilling the primary system. The automation team had a particularly heavy workload on that day, so a different team was assigned for the sensors. Level sensor and pressure sensor bodies are identical. So, when the maintenance technicians found the sensors, they opened the nearest valves, as would be done to put a pressure sensor back into service. They were unaware that pressurizer water level sensor systems were more complex and so completed only part of the site operation.
Their experience of sensor isolation made them consider the document with which they were provided unnecessary. They simply saw the title on the cover but failed to discover the drawing inside. Although he had been working for more than 5 years in the plant automation department, the technician leading the site operation team had never worked on the pressurizer level sensors. He had completely forgotten their specifications, mentioned during his training. No provision had been made for a check after the site operation. On November 16, at 4:00 a.m., the temperature began to rise for formation of the pressurizer steam bubble. In the control room, only one indicator showed an abnormal water level reduction. The operator tried to correlate the different parameters. At 6:00 a.m., he reported a mismatch between charging and letdown rates and a consistent lowering of the pressurizer water level signalled only by the lower sensor, the other sensor readings being unchanged. At 6:30 a.m., the lowering of the pressurizer water level was interrupted and the on-call automation team was called in. They discovered the misalignment on the low pressure part of the system and corrected it. As for Cruas-2, the restartup operations were then able to proceed.
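The operators at Cruas-2 and Gravelines-4 resolved the disagreement between one falling level indication and two flat ones by integrating the charging/letdown mismatch, an estimate that does not depend on any level sensor. The script below is an added illustration of that cross-check and is not code from the book or from EDF. A plain majority vote over the three redundant channels would have sided with the two isolated (frozen) sensors, which is exactly the common mode failure a maintenance error produces; comparing each channel with the mass balance breaks the tie. The pressurizer volume, the agreement band, the sensor names and all flow and level values are constructed assumptions.

```python
"""Cross-check of redundant pressurizer level sensors against a mass balance.

Added illustration, not from the book: a majority vote over redundant
channels cannot detect a common-mode isolation, an independent physical
estimate can. All values and names below are constructed.
"""
from dataclasses import dataclass
from statistics import median

PRESSURIZER_VOLUME_M3 = 40.0   # assumed total volume, converts m3 into % level
AGREEMENT_PCT = 3.0            # assumed band within which a channel agrees with the balance


@dataclass(frozen=True)
class Sample:
    minute: int                 # minutes since the heaters were energised
    charging_m3h: float         # flow into the primary system
    letdown_m3h: float          # flow out of the primary system
    levels_pct: dict            # sensor id -> indicated level, %


def drained_volume_m3(samples):
    """Trapezoidal integral of (letdown - charging): the volume that must have
    left the system, derived from flow meters rather than from level sensors."""
    total = 0.0
    for prev, cur in zip(samples, samples[1:]):
        hours = (cur.minute - prev.minute) / 60.0
        net_prev = prev.letdown_m3h - prev.charging_m3h
        net_cur = cur.letdown_m3h - cur.charging_m3h
        total += 0.5 * (net_prev + net_cur) * hours
    return total


def expected_level_pct(initial_pct, drained_m3, volume_m3=PRESSURIZER_VOLUME_M3):
    """Level every channel should show once drained_m3 has left the pressurizer."""
    return initial_pct - 100.0 * drained_m3 / volume_m3


def majority_vote_pct(levels_pct):
    """What a naive redundancy scheme believes: the median of the channels."""
    return median(levels_pct.values())


def assess(samples):
    """Compare each channel with the mass-balance estimate instead of with its
    siblings and say whether the operation must be stopped."""
    first, last = samples[0], samples[-1]
    drained = drained_volume_m3(samples)
    consistent, suspect = [], []
    for sid, start in first.levels_pct.items():
        expected = expected_level_pct(start, drained)
        if abs(last.levels_pct[sid] - expected) <= AGREEMENT_PCT:
            consistent.append(sid)
        else:
            suspect.append(sid)
    return {
        "drained_m3": drained,
        "majority_pct": majority_vote_pct(last.levels_pct),
        "consistent": consistent,
        "suspect": suspect,
        # Any channel contradicting the physical balance is a nonconformance:
        # stop, hold the flows and send someone to check the alignment.
        "stop_and_check": bool(suspect),
    }


# Constructed scenario: net letdown of 10 m3/h for two hours (20 m3 drained).
# LT1 follows the real level; LT2 and LT3 are isolated and stay frozen.
SAMPLES = [
    Sample(m, 20.0, 30.0, {"LT1": lvl, "LT2": 80.0, "LT3": 80.0})
    for m, lvl in ((0, 80.0), (30, 68.0), (60, 55.0), (90, 43.0), (120, 31.0))
]

if __name__ == "__main__":
    print(assess(SAMPLES))
```

On the constructed data the median of the three channels still reads 80 %, while the balance says 20 m3 have left and the level should be near 30 %; only LT1 agrees, so the two "healthy-looking" channels are the suspects and the verdict is to stop.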
24.4. Analysis and lessons Each of these incidents has been the subject of detailed analysis, especially from the human factor standpoint, but discussions have gradually deepened from one analysis to another. What follows is simply a general review and summary. All these elements are considered in the general discussions held by EDF, discussed at the end of this chapter.
24.4.1. Operating team reactions The Flamanville-2 team carried on with the restartup operations after having alerted the on-call team. This led to the destruction of equipment. The lesson, much publicized, was beneficial to the Cruas-2 and Gravelines-4 operators who, when they observed a nonconformance, interrupted all plant operations, thereby preventing degradation of equipment. In this respect, operating feedback proved effective. The idea of halting activity when something is unclear obviously goes well beyond the examples presented. It is an important element of defense in depth in operation and an entirely appropriate safety culture attitude.
24.4.2. Site operations on redundant equipment The risk of common mode failures related to maintenance work had escaped neither the manufacturer and operating utility teams entrusted with preparing the periodic test and inspection programs for safety-related equipment (Chapter 9 of the general operating rules), nor the analysts. When the specified frequency for inspection of redundant equipment is 2 or 4 refueling outages, the work sheet tables are marked "one train at each outage". Since the reasons for these requirements were not explicit, the necessity to check all 1300 MWe unit pressurizer level sensor nozzles upset established practice without this being particularly noticed.
Similarly, replacing the sensors by other devices qualified for accident conditions added a further constraint, since the new equipment can only withstand vacuum conditions for a few hours. This equipment replacement upgrades safety provisions with regard to accident situations, but all the implications of the decision had not been identified. The pressurizer level sensors are not the only components requiring protection when the primary system is degassed. The primary system SEBIM protection valves are also concerned. Constraints related to these valves in fact led to an incident at a Gravelines unit. Equipment protection provisions are, in fact, organized locally and are not integrated in overall safety analysis. This raises the question of the advantages and drawbacks of the two methods of filling the primary system (with or without a vacuum) and, more generally, of the necessity to establish a list of practices of this sort included in site operation schedules.
24.4.3. Equipment design and layout The design and layout of the equipment associated with the pressurizer level sensors by no means facilitates servicing; the situation is scarcely taken in at a glance:
• measurements on a 10 m water column imply installation of equipment at several levels and in different rooms
• each sensor has seven valves and its overall operation is not immediately apparent
• the sensor itself looks like other simple devices, such as the pressure sensors
• the circuits for each sensor are physically intermingled and one of the valves is not easy to locate, being installed fairly high up, out of sight, behind other equipment
• for valves related to instrumentation, it is impossible to determine whether they are open or closed without turning their handwheels.
24.4.4. Equipment designation The incidents described in this chapter and the corresponding analyses clearly evidence that communication is hindered by failure to provide identification marking. In verbal communication, it is indispensable for things to be correctly named if subsequent confusion is to be avoided, especially in the case, for instance, of rapid instructions given when tasks are assigned during a busy period. Site operation computerized aids are only of use if the equipment concerned has been correctly named. Similarly, tests have to be specified for clearly named and identified devices. It is worth noting, in this connection, that there are about 12 000 valves in each plant unit. Further to the Flamanville-2 incident, marking of these valves was decided for all units. However, appropriate identification markings may now appear on the equipment itself, the circuit drawings, the alignment and test documents, but this still fails to solve the difficulties incurred by the layout of these devices.
24.4.5. Work scheduling, preparation and organization In an attempt to avoid further loss of time after a long outage at Flamanville-2, it was decided to group special and routine activities, under particular conditions for which the site operation work sheets were not directly applicable. So the site operation team adapted its activities to make them easier and gain time, but in so doing they destroyed their mind's eye view of the fairly complex system they were to deal with. The operation had been scheduled prior to restoration of the front valve markings. Nobody had been named as responsible for the job and there was no independent inspection of the finished work. After the Flamanville-2 incident, the general test work sheet was modified ensuring that, after a shutdown, an alignment inspection of all sensors was completed before unit restartup. However, this modification was overlooked at Cruas-2 and Gravelines-4 since:
• at both units, the outage was unscheduled, with a limited work program
• inspection of pressurizer level sensor alignment was only considered necessary after work had actually been done on the sensor circuits and not after all site operations.
24.4.6. Document preparation, checking and application Site operation documents may be difficult to draft and check, especially if the operation concerned involves several departments. At Flamanville-2, the servicing technicians were even given a document referring to the alignment of a single sensor on another site.
Moreover, there is a certain disparity between those responsible for preparing and checking documents (they must have an extensive knowledge of plant safety and operations in order to be able to assess risks and possibilities of interference of a servicing operation with the state of the plant at the time) and the servicing technicians, who must have a closer acquaintance with the component they are going to repair. Considering the number of documents concerned, it is somewhat unrealistic to imagine that all could be checked, unless a prioritization system were introduced. In cases where system and layout are complex, the servicing technicians often have to adapt what is prescribed in the site operation work sheet to what they actually find on the site: geographical environment, constraints related to the presence of other equipment, additional dismounting work which may be necessary. In all industries where human factor surveys have taken place, it has been observed that documents, procedures, site operation work sheets were used otherwise than in the way anticipated (when they were used at all), depending on the experience of the technicians, their understanding of the job to be performed and the working conditions. This is obviously a very difficult subject, raising the problem of the contents of site operation documents and their adaptation to the tasks and the technicians. Progress in this area could only result from extensive field work. The theory that "jobs have to be done according to written instructions" is unsatisfactory, particularly as it tends to make people feel not accountable. The operating utility must determine a compromise between strict application of documents and a certain margin of initiative left to the technicians, validating their professional competence. Striking a balance will also depend on the operations concerned.
24.4.7. Data transmission The efforts of the technician, mentioned in one of the examples given above, who indicated on a drawing, filed separately, the alignment modifications (front valve closure) he had made, were of no avail. This brings us to the well-known problem of data transfer between shift personnel and the drawbacks of working with words rather than drawings, when no isometric charts are available. In current EDF practice, the shift log is mainly used to note elements of information necessary to the next shift team to come on the job. So, in the above case, the modifications made were not noted in the log, since the technician concerned felt that they would not be noticed in the long list of messages transmitted on that particular day.
The alignment diagram file provides permanently the reference state of systems and should normally be referred to prior to any configuration change. This precaution was not observed, since the shift team concerned had been on the same job the night before, considered that they had all the information they required and had consequently not checked the modifications which had been made in the meantime.
24.4.8. Management of the workload Managing the site operation workload in a nuclear power plant is particularly difficult, especially at the end of a unit outage. The automation specialists are particularly in demand for various adjustments and there is often as much additional work as scheduled work. This has repercussions on general organization:
• staff may be required to take part in site operations without having had time to go through the corresponding file beforehand
• technicians may have to switch from one task to another, disturbing logical activity sequences
• several job files may be handed simultaneously to a shift team, with no particular explanations
• the experience and special skills of certain technicians may not be systematically taken into consideration.
This can also have repercussions on the precision of information exchanges. The incidence of the workload on communication efficiency and relevance has been evidenced in a large number of surveys. Increases in workload or fatigue result in quantitative modifications (shorter communications) together with qualitative modifications leading to contractions (modification of contents, modification of information coding, with correct coding replaced by codes more easily expressed, acknowledgments becoming implicit).
24.4.9. Staff training For cases like the pressurizer level sensors, it would seem preferable to respect the allocation of duties adopted by the technical assistance departments, in order to maintain the corresponding responsibilities. However, it would seem advisable for the operating personnel to have a short training course on the overall operation of the corresponding systems, with presentation of the different devices concerned and their locations. Ignorance of these systems and underestimation of their complexity gave rise to the Cruas-2 incident.
24.5. Check on sensor operability The family of incidents mentioned in this chapter initiated discussions at the IPSN on the possibility of checking sensor operability. We have seen that the pressurizer water level sensors could only be tested by an actual variation of the water level. Safety-related sensors may be classified in three families:
• The first comprises sensors for which the control room display can be validated in a plant unit configuration where these sensors are not required by the technical operating specifications. Measurements can be qualified during operating exercises or periodic tests. Most of the sensors are in this category.
• The second comprises sensors for which the control room display can only be validated in situations where these sensors are required by the technical operating specifications. In this case, a formalized alignment inspection is necessary and the date at which the measurement may be considered as validated must be explicitly indicated in the relevant operating documents.
• The third comprises sensors for which measurements cannot be checked. In this case, the formalized alignment inspection of both mechanical and electrical parts of the measuring channel must be completed before the system monitored by this sensor is required by the technical operating specifications. In addition, maintenance work on these systems, whether scheduled or not, must be carried out with particular care accordingly.
For the 900 MWe units, there are 350 safety-related sensors, 327 of type 1, 20 of type 2 and 3 of type 3. The pressurizer level sensors are of type 2. For the 1300 MWe units, there are 304 safety-related sensors, 277 of type 1, 26 of type 2 and 1 of type 3 (the one that measures the level in the closure head seal leak recovery tank). A second sensor classification is based on failure frequency, whether due to technical or human faults, with consideration of their operating principle.
The two classifications together enable assessment of the level of efforts to devote to each of them during site operations and plant unit restartup.
24.6. General considerations on maintenance activity quality The work organization problems related to maintenance operations were examined by a special EDF working group, referring notably to lessons learned from the 1989 incidents and, more generally, to unit outage management experience. The investigation paths selected, the successive stages in the discussions and the EDF decisions together with their site implementation were examined by the safety authorities. Only certain important points are presented here.
24.6.1. Common mode failure hazards Maintenance operations on redundant equipment can, as we have seen, induce the same nonconformance on all trains, especially when several such operations are performed during the same time interval. The entire protection or safeguard function concerned can be lost in this way. The operating utility attempted to list all these activities, but this proved difficult since the list had to cover safety-related potential common mode failures and both programmed and unscheduled site operations. So this risk must be constantly borne in mind by those responsible for the management of unit outages and the site operations performed. It would seem preferable for site operations scheduled in basic maintenance programs, where the interval between recurrences exceeds one year, to be distributed over several outages.
24.6.2. Management of "special devices and resources" Two of the 1989 incidents resulted from unintentionally omitting to remove temporary parts used for a test or repair work:
• blind flanges closing, inside the containment, the ventilation system required to recombine hydrogen after a primary break (Containment Atmosphere Monitoring System). They remained in place for a whole cycle, preventing implementation of this system had an accident of this type occurred.
• solid screws installed on the impulse channels of the three SEBIM valves of a pressurizer to protect them during primary system vacuum degassing and left there for a whole cycle. Had the valves been required, their operation would have been impaired.
The special devices and resources used for tests and site operations are many and varied. Some of them were provided for at the design stage, such as the blind flanges at the bottom of the reactor cavity and of the reactor vessel internals compartment, which have to be installed so that these pools can be filled for fuel handling purposes. These devices must be removed when the reactor is operating to prevent containment spray water from remaining in these pools. The blind flanges are kept on special racks. If they have not all been returned to the racks, an alarm shows in a display window in the control room. Management in this case raises no particular problems. Most other provisional mechanical appliances (plugs, filters, etc.) do not benefit from the same management and follow-up methods. Those normally kept in glazed door cabinets can be accounted for simply by sight checking the contents of the cabinets. The most often used special electrical devices and resources are temporary connections (straps) and knife switches. The straps are generally easily identified by use of a different color from the normal wiring and also have an identification label. Management is based on a strap log book in the control room. The position of the knife switches, which are very small, can only be checked by opening the cabinets. However, a certain number of incidents show that this method is not entirely foolproof. Several hundred of these special devices are used during an outage. Generally speaking, the majority are managed through various documents, computerized systems and physical organizational provisions (blind flanges at the bottom of the reactor cavity, for instance). However, this is not necessarily the case for those used for short periods by a maintenance team carrying out a complete operation, including the installation and removal of such devices. Since drawing up an exhaustive list of these appliances is totally unrealistic, EDF's solution consists in entrusting their management to the teams who use them. Another problem then arises for equipment used by several teams.
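The strap log book and the blind-flange rack alarm described above are both instances of the same control: every temporary device is tied to the plant state it must be gone before, and that state is refused while anything is outstanding. The ledger below is an added illustration of that control, not EDF's system or the book's. It also handles the last point of the section, a device shared by several teams, by counting a device as removed only once every team that relied on it has released it, so that the first team to finish cannot pull a strap another team still needs. Stage names, device identifiers and team names are constructed assumptions.

```python
"""Ledger for temporary devices (blind flanges, protective screws, straps).

Added illustration, not EDF's system: each part is tied to the plant state
it must be removed before, and the hold point refuses that state while any
such part is still installed. Stages, device ids and teams are constructed.
"""
from dataclasses import dataclass, field
from enum import IntEnum


class Stage(IntEnum):
    """Outage states in the order they are passed through (assumed labels)."""
    VACUUM_DEGASSING = 1
    PRIMARY_REFILLED = 2
    RESTART = 3


@dataclass
class TemporaryDevice:
    device_id: str
    kind: str
    location: str
    remove_before: Stage
    users: set = field(default_factory=set)   # teams that still rely on it
    removed: bool = False


class DeviceLedger:
    def __init__(self):
        self._items = {}

    def install(self, device_id, kind, location, team, remove_before):
        """Register a part; a second team using the same part simply joins it."""
        dev = self._items.get(device_id)
        if dev is None or dev.removed:
            dev = TemporaryDevice(device_id, kind, location, remove_before)
            self._items[device_id] = dev
        # If two teams disagree on the deadline, the earlier one wins.
        dev.remove_before = min(dev.remove_before, remove_before)
        dev.users.add(team)
        return dev

    def release(self, device_id, team):
        """A team declares it no longer needs the part. It only counts as
        removed once every team that relied on it has released it."""
        dev = self._items[device_id]
        dev.users.discard(team)
        if not dev.users:
            dev.removed = True
        return dev.removed

    def blocking(self, stage):
        """Parts still installed that must be gone before `stage`."""
        return sorted(d.device_id for d in self._items.values()
                      if not d.removed and d.remove_before <= stage)

    def hold_point(self, stage):
        """The check run before authorising `stage`: (authorised, outstanding)."""
        outstanding = self.blocking(stage)
        return (not outstanding, outstanding)


def outage_scenario():
    """Constructed walk-through of one outage, returned for inspection."""
    ledger = DeviceLedger()
    for n in (1, 2, 3):
        ledger.install(f"SEBIM-{n}-screw", "solid screw",
                       f"impulse channel, SEBIM valve {n}", "automation-A", Stage.RESTART)
    ledger.install("CAMS-flange", "blind flange",
                   "containment atmosphere monitoring duct", "ventilation", Stage.RESTART)
    # One strap used by two teams: the first release must not remove it.
    ledger.install("STRAP-07", "strap", "relay cabinet", "automation-A", Stage.PRIMARY_REFILLED)
    ledger.install("STRAP-07", "strap", "relay cabinet", "testing", Stage.PRIMARY_REFILLED)
    ledger.release("STRAP-07", "automation-A")
    ledger.release("SEBIM-1-screw", "automation-A")
    ledger.release("SEBIM-2-screw", "automation-A")
    return ledger


if __name__ == "__main__":
    ledger = outage_scenario()
    print("refill:", ledger.hold_point(Stage.PRIMARY_REFILLED))
    print("restart:", ledger.hold_point(Stage.RESTART))
```

In the constructed scenario the refill hold point is refused because the shared strap is still in use by the second team, and the restart hold point lists the third SEBIM screw and the blind flange, the two kinds of part the 1989 incidents left in place for a whole cycle.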
24.6.3. The safety-quality approach The deep thinking undertaken by EDF further to the various 1989 incidents related to maintenance activities led to the plants being provided with discussion guidelines, aimed at better structuring application of the defense in depth approach to different site operations. This preparatory procedure comprises a risk analysis based on a risk analysis guide, listing several tens of potential faults illustrated by examples which include common mode failures, confusion between components, producing unavailabilities, maintaining test provisions and equipment, cleanliness, adjoining equipment hazards, etc. The application of this approach should enable classification in terms of human input required for the various preparation, execution, inspection and requalification tasks involved. It could also lead to avoidance, wherever possible, of repair work on the different trains of a redundant system being programmed during the same outage. The idea of splitting this sort of work between different maintenance teams was not adopted because it increases the number of workers involved.
If the risk analysis leads to identification of a specific risk, preparation of the maintenance job will involve drafting a "Safety-Quality Plan", explaining how such risks can be prevented and indicating the appropriate hold points and corresponding tests, ways of dealing with incidents which could occur during the work, requalification requirements and resources. This document is then used to monitor the maintenance job itself and will also be used to record the various test and inspection results together with information on any abnormal conditions encountered. This practice, which is highly commendable from the safety standpoint, can only be implemented gradually because of problems related to time allowances and available human and equipment resources at the sites. It will only be possible to appraise the real safety benefits in the medium term.
24.6.4. Requalifications The principle of requalification after servicing is only admitted by the operating utility if servicing conditions and special device management provisions do not offer a sufficient guarantee. In such cases, exactly what must be requalified, using which procedure and when, has then to be specified. There are two families of test documents available for requalification during unit outages:
• the startup test work sheets, which are normally complete and cover all functions, both quantitatively and qualitatively. On the other hand, these tests may require a plant unit configuration which is not scheduled in the outage program
• the periodic test work sheets used to check that systems not concerned by servicing retain their performance level. These are directly usable, but may be insufficient and are only applicable to suitable plant unit configurations.
So case by case analysis is necessary in addition to acceptance of the principle, and experience will show whether the practices introduced are adequate.
24.7. Defense in depth applied to operation If defense in depth was initially developed to provide technical assistance in plant design, it is also found to be the guiding force underlying the general operating rules.
As we have seen, this approach also applies to all site operations required during plant operation, whether these be periodic tests, maintenance activities or modifications. There are three main stages:
• prevention is ensured by:
- careful preparation of site operations and associated documents
- assessment of potential risks
- checking that planned actions are compatible with the plant configuration, considering the unavailability rules defined in the technical operating specifications
- preparation of monitoring and test facilities
- choice of systems to limit possible consequences
- designation of qualified staff in adequate numbers
- strict adherence to the documents prepared
- requalification process
• surveillance is ensured by:
- periodic checking of activities in progress, tests, visual inspections, patrol inspections, hold points
- comparison between obtained and expected results, detection of nonconformances
- exchange of information as soon as anything unexpected is observed
• limitation of possible consequences of incidents or nonconformances is ensured by:
- definition beforehand of planned fallback modes
- use of automatic or manual equipment or systems, also defined beforehand.
The spirit of the approach has thus been instilled at all decisive levels.
25
Preventive maintenance and in-service surveillance
The failure of certain large components in nuclear power plants is "excluded"* from the situations covered by the safety analysis. This implies obtaining and maintaining a very high reliability level for this equipment, in accordance with its design basis characteristics. Throughout the plant lifetime, this entails constant attention to incipient degradation and, where necessary, preventive repair work. Verifications in this respect are made by in-service surveillance provisions and non-destructive testing. For other safety-related equipment, whether mechanical or electrical, preventive maintenance on equipment which can be repaired or replaced can lower the failure rate, thereby contributing to prevention. In this chapter, we discuss the general principles underlying these activities and present a few characteristic examples of difficulties encountered in this area and ways of dealing with them. The examples concern steam generators, steam lines and reactor vessel closure heads.
25.1. In-service surveillance for large components
The large components in French PWR plants, the failure of which is "excluded", are the reactor vessel, the reactor coolant pump volutes, the steam generator bundle wrappers and the steam line sections located between the containment and the main stop valves (superpipe sections). A steam generator tube break accident is, on the other hand, postulated in the basic design studies, but its probability of occurrence has proved higher than estimated 20 years ago and can lead to atmospheric release which, although limited, is nonetheless undesirable. *Cf. Chapter 4.
As the components considered are all pressure-retaining enclosures, test programs are defined in the context of pressure vessel regulations applied to nuclear power plants. The safety organizations will be concerned with checking that the extent of the planned tests provides sufficient guarantees with regard to safety. Since February 26, 1974, date of the ministerial order applying pressure vessel regulations to LWRs, in-service testing feedback and improved detection devices have revealed unexpected difficulties. These involved the vessel (underclad cracking in 1979, or defects affecting the CRDM adapters in the closure head), superpipe sections (weld defects on valve nozzles on main piping), or steam generator tubes. The safety organizations consequently considered that tests and checks should be carried out as often and extensively as possible. The operating utility is concerned with limiting the time spent on tests during unit outages and with reducing to a minimum the exposure of workers performing these tests. Naturally, the safety organizations share the latter conviction. The first basic preventive maintenance program for 900 MWe primary systems, set up by EDF on the basis of experience to date, is currently applicable up to the second full inspection performed 10 years after the first refueling outage. Equivalent provisions have been made for the 1300 MWe plants. Definition of the sequel to this program after the 10-yearly outage is under discussion, since important principles are at stake. The operating utility is anxious to optimize in-service inspection by seeking an optimum trade-off between inspection frequency and risks of equipment impairment, in the light of what is known about damage possibilities in each zone and what has so far been observed. This could result, for instance, in apportioning tests by sampling over all vessels or all reactor coolant pump pressurized casings.
The IPSN is of the opinion that this approach is not compliant with the provisions of the 1974 order and considers that the adoption of such a solution would imply an exhaustive acquaintance with equipment degradation and identity of equipment characteristics or of manufacturing characteristics for all equipment of a given type, which is not borne out by experience. Moreover, defense in depth, which is the basis of the safety approach, implies considering defects not only in places where their occurrence is anticipated, but also in apparently less exposed places where the safety consequences would be particularly severe. The closure head adapter example is of particular interest in this connection. The safety importance of the program implemented following discovery of the Bugey-4 vessel head adapter cracks and discussed at the end of this chapter confirms the advantages of overall testing, such as that corresponding to the 10-yearly inspection program. These tests can evidence defects in zones where fatigue problems are considered unlikely and where, since there is no identified corrosion risk, specific surveillance is not enforced. These tests have little effect on primary system fatigue and this aspect is, in any case, taken into account in the relevant design basis provisions. This is consequently not a valid reason for envisaging a different distribution of the tests currently performed.
25.2. Preventive maintenance of equipment Each time a test or normal operation shows the performance of an item of equipment to be below standard, a servicing operation is carried out to repair it. This is known as corrective or unscheduled maintenance. In order to reduce the frequency of incident or accident initiators, it may be advisable to take action before a failure occurs. This is the purpose of preventive maintenance for equipment which can be repaired or replaced. It is used as soon as, or even before, characteristics are observed to deviate, without the equipment being considered unavailable, according to purely preventive programs based on experience and careful consideration of failure implications. So EDF has set up preventive maintenance programs taking into account the importance of equipment for safety (but also for availability), the types of failure and their probabilities. Documents equivalent to those presented in Chapter 22 for the periodic tests deal with maintenance activities. We have seen that, during unit operating periods, preventive maintenance possibilities are limited for safety-related equipment comprising only two trains, since one train can only be outaged under conditions restricted by the technical operating specifications. Let us take a look at a case which is halfway between corrective and preventive maintenance. The operating utility continuously examines the test results for safety-related equipment, compiling the parameter values observed even when they remain within the authorized range. If, for example, the vibration amplitude in a pump bearing regularly increases, it could be beneficial to take action without waiting until the associated limit is reached. The equipment would otherwise become unavailable at an unforeseen time, resulting in operating restrictions as prescribed in the technical operating specifications.
The operating utility may wish to undertake servicing at a more convenient time and classify as "unavailable" an item of equipment which is still in operating condition. If this practice were frequent, it could lead to cumulated unavailability times which would be prejudicial to safety. Since the technical specifications currently define no annual limits for cumulated unavailability times for given items of equipment, corresponding acceptance criteria cannot be provided. Unlike the periodic tests, the preventive maintenance basic programs are not part of the general operating rules. These programs may be applied without the prior consent of the safety authorities. Their contents define the nature and frequency of the preventive maintenance operations to be performed on the plant units. They can be supplemented if required in the light of operating experience. The purpose of the IPSN examination of these programs, based mainly on operating analysis of similar equipment, in France or abroad, is to check that the specified tests enable sufficiently early detection of "aging" in safety-related equipment and tend to preclude the repetition of incidents and nonconformances already encountered. The "Lifetime Project", introduced by EDF in 1985, with first results presented to the safety authorities in 1991, aims to assess the possible lifetime of present plants. It has provided an opportunity for redefining the in-service surveillance and preventive maintenance programs together with improvements required in plant unit investigation and monitoring provisions.
25.3. Steam generators

On several occasions, we have stressed the importance of reliable steam generator tubes for plant safety and the prevention of radioactive release to the environment*. So it is to be expected that these components would be the subject of sustained attention. The analysis consists in identifying the different types of defect which could affect the tubes, assessing the associated tube break hazards and appraising the proposed surveillance programs with the preventive plugging criteria together with the prescribed preventive measures.
25.3.1. Different types of defect

Worldwide feedback confirms that steam generator tubes can be affected by widely varying types of defects, due to different mechanical or physicochemical phenomena (Fig. 25.1.). These types of defect appear with time, but

* Cf. Chapters 3 and 8.
25 - Preventive maintenance and in-service surveillance
383
sometimes after relatively short operating periods. Despite their number and variety, it is not possible to consider that other types of defect could not appear.
Fig. 25.1. Various types of defect.
The first type, reported by American operating experience, is tube denting by the tube support plate. The other types can be classified according to the phenomenon involved, which may only affect certain plants. They include notably:
• Inconel 600 stress corrosion cracking in the reactor coolant water:
  - in the small U-bends in 900 MWe units
  - in the roll transition zones.*
• Inconel 600 cracking induced in certain tube zones by chemical agents:
  - intergranular corrosion at the tube support plates
  - secondary side corrosion at the base of the tubes
  - secondary side circumferential cracking at the base of the tubes in certain plants
  - secondary side circumferential cracking further to certain types of hard rolling.
• Secondary side wear due to:
  - loose parts
  - contact between tubes and anti-vibration bars
  - contact between large U-bends.
• Other deformations at the tube support plates.
Other phenomena were observed abroad which have not so far occurred in France. An example of this is the vibratory fatigue which resulted in double-ended guillotine breaks at North Anna (USA, 1987) and Mihama (Japan, 1991).
25.3.2. Associated risks

The risks associated with steam generator tube degradations are obviously one or several tube breaks under normal or accident operating conditions (steam line break). It must be borne in mind that a steam generator tube break is included in the design basis accidents. However, in conformity with defense in-depth requirements, the possibility of such an occurrence must be severely limited, in particular because it can result in radioactive release to the environment.

Under normal operating conditions, the tubes are required to withstand a differential pressure of about 100 bar. However, in an accident situation, such as that corresponding to sudden pressure loss in the secondary system, due to a water or steam line break, this situation must not be worsened by one or several steam generator tube breaks. Should this happen, the pressure difference between the inner and outer tube surfaces will be about 172 bar and this mechanical load will be compounded by the dynamic effects of depressurization and, conventionally, by that of a safe shutdown earthquake.
* Hard rolling consists in expanding the part of a steam generator tube which is inserted in the tube plate to ensure continuous contact between tube and plate. This prevents splitting, which can give rise to severe corrosion. The tube is then welded, on the channel head side. Several successive techniques have been used in an attempt to mitigate the stresses induced.
Incidents such as that at Bugey-5 in 1984, with the loss of three out of four power sources*, did in fact subject the steam generator tubes to high differential pressures, without reaching the level mentioned above. The analysis considers two types of defect: those where leak before break can be evidenced and those where this cannot be demonstrated. For the former, the plant unit can be shut down before the defect gets out of control and liable to cause leakage of radioactive substances. In these cases, leak surveillance and detection between primary and secondary systems is essential. For the latter, the possibility of a sudden fast burst must be envisaged. In these cases, only preventive surveillance and plugging of affected tubes have any effect.
25.3.3. In-service surveillance and outage inspections

25.3.3.1. In-service surveillance

Steam generator in-service permanent surveillance is provided by two methods: noise level detectors capable of locating loose parts and leak level detectors between primary and secondary systems.

When the first French plants were put into service, the Technical Operating Specifications required plant unit shutdown when primary-to-secondary leakage exceeded 70 l/h, which is the value used at that time by the American utilities and intended to limit contamination of the secondary system water. It was only when the first tube defects were observed that the connection between leakage and tube break risk was sought. As the analyses progressed and operating feedback accumulated, the French safety authorities requested EDF to restrict leak rates to lower values, according to the sensitivity of the detection devices and the location of tubes featuring or liable to feature defects. The following measurements were used:
• radioactivity of gases removed from the condenser
• radioactivity of the water in each steam generator blowdown system
• radioactivity of the Nitrogen 16 in the secondary fluid, using a device placed on the steam piping associated with each steam generator.
*Cf. Chapter 26.
Detection of primary-to-secondary leaks by measuring the Nitrogen 16 through the secondary piping is the most recent, most sensitive and fastest method. Leaks of 3 to 5 l/h, which is about 20 times less than the initially accepted limits, can be detected almost instantly, with a satisfactory degree of accuracy. The results of Nitrogen 16 measurement systems are now considered in the decision process following detection of a primary-to-secondary leak. Duplicating these measurement systems is envisaged, to make them into real safety systems, thereby diminishing the importance of the other, slower systems.
25.3.3.2. Outage inspections

A full length inspection of every steam generator tube is carried out with an eddy current axial probe before startup of each plant unit and the recordings are retained. In addition, the roll transition zone is inspected with an eddy current rotating probe.

In-service surveillance consists of inspection, at each refuelling outage, of tubes where defects have already been detected and left as they are and of a sample selection of tubes to detect any extension of slow-developing degradations or any new types of defect. The basic sampling ratio is one tube in eight on one of the three steam generators equipping each 900 MWe plant unit and on two out of the four 1300 MWe unit steam generators. In order to ensure inspection of all steam generator tubes for each plant unit within a 10-year period, sample checks are performed on different tubes at each inspection. If a particular type of defect is detected, the sampling ratio can be increased or all tubes in a specific area can be checked. With this procedure, there is obviously little hope of detecting an isolated fast-developing defect, which is why loose part detection is important. During the 10-yearly inspection, all tubes must be re-inspected. However, it is considered acceptable to omit tubes which have been inspected during the last two or three annual inspections.
25.3.4. Procedure when a defect is detected

When a defect is detected, the following procedure enables determination of the measures to be taken:
• characterization of the degradation causes
• determination of defect instability risks under normal or accident conditions liable to result in a tube break without previous leaking
• capacity of the surveillance methods to detect and characterize the degradation
• extent and frequency of inspections required to prevent tube breaks
• tube plugging criteria.
This approach is illustrated by a few examples.
25.3.4.1. Tube wear due to a loose part

In cases where a tube is evenly worn over a length of several centimeters, there is a risk of it breaking without previous leaking. Two examples of tube breaks in the United States confirm this (Prairie Island in 1979 and Ginna in 1982). The axial probe is usually well suited to detection of this type of defect, but accurate assessment of the degree of wear may be difficult. Surveillance consists in a detailed visual examination of the tube bundle outer rows at each plant unit annual shutdown. If an object which could cause wear is observed, all the tubes in the outer rows of the bundle are examined with the axial probe. Tubes where wear exceeds 40% in thickness are plugged. Attempts are systematically made to remove the loose part. If this is not possible, all tubes liable to come into contact with it are plugged, even if no traces of wear have been found on them.
25.3.4.2. Tube wear due to contact with the anti-vibration bar

Tube wear due to rubbing against the anti-vibration bar is limited in length to the bar thickness. In this case, it can be shown that tube wear-through is stable, even under accident conditions, and could not give rise to a sudden tube break. The axial probe is an efficient tool for the detection of these types of defect and wear depth can be determined by interpretation of the signals, using the calibration data now available. Surveillance covers tubes in steam generator zones where such phenomena have been observed, generally after the plant unit has been operating for at least 6 years. All tubes where the wear factor exceeds 40% in thickness are plugged, which takes account of:
• wear factors able to result in defect opening (85% under normal conditions and 75% under accident conditions)
• wear kinetics observed, which are below or equal to 11% per cycle
• inspection frequency.
Each tube left as it is, after wear detection, is inspected at each refueling outage as are half the tubes in the steam generator zones potentially concerned.
25.3.4.3. Small U-bend cracking

This type of degradation, considered due to stress corrosion, currently affects certain first and second row tubes in some of the oldest 900 MWe unit steam generators. It concerns the tubes with the smallest U-bend, which received neither heat treatment on the site nor stress relieving after bending at the supplier's works. The actual morphology of the defects is not well known and may depend on the tube supplier and the bending process. It cannot be demonstrated that a detectable leak will occur before there is a tube break risk. The helium leak tests performed during the 10-yearly inspections* obviously only detect through-wall cracks and the eddy current axial probe may be off-center during the U-bend recordings, which will impair result accuracy. Two types of measures have been adopted:
• preventive plugging of first or first and second row tubes
• application of stress relieving heat treatment, after which the U-bends are again inspected with the axial probe at each refueling outage.
So far, no new defects have been detected on treated tubes.
25.3.4.4. Tube deformation and cracking

A leak occurred on a steam generator tube during the first operating cycle of Nogent-1. The subsequent inspections revealed a new type of degradation affecting only 1300 MWe units. It was attributed to the presence of iron-based metal residue from grinding or shot peening operations, which had collected in the center of the tube plate after the secondary water had started circulating. These particles had then oxidized with the rise in temperature and had agglomerated. The resulting swelling caused tube deformation in the roll transition zone, liable to give rise to circumferential stress corrosion cracking in a primary water environment. This new phenomenon led to an extensive EDF investigation program involving:
• examination of steam generator secondary side deposits, determination of their location, level and composition
• special examination of tubes surrounded by deposits
• attempts to reproduce the phenomenon in the laboratory and determination of the swelling kinetics
• cleaning of the affected tube plates
• tube plugging in cases of significant swelling, even without cracking
• lowering of the primary-to-secondary leak limit value tripping the reactor at the detection threshold (3 l/h).
Operating feedback has confirmed the laboratory findings showing that deposit swelling is fast, but limited in time to a few months, thus to the first operating cycle.

* Helium tests are also used to identify which tube or tubes are leaking when an overall signal has been detected.
25.3.5. Steam generator replacement

Steam generator design and manufacture has gradually improved between the first and last 900 MWe units. In particular, the initial round perforated holes in the tube support plates are now quadrifoliated and pinned. The plates themselves are made of chromium steel and a flow distribution baffle has been added. Steam generator replacement strategy is aimed at:
• limitation of the steam generator tube break risk
• reduction of worker exposure due to frequent inspections on deteriorated steam generators
• improvement of operating conditions at plant units comprising a significant number of plugged tubes.
The design of the new steam generators will, of course, integrate the improvements mentioned. In addition, the tubes of the new components will be made of Inconel 690 instead of Inconel 600 with a view to preventing primary side cracking hazards.

An initial experimental replacement operation was carried out at Dampierre-1 in 1990, followed by replacement of the Bugey-5 steam generators in 1993 and those of Gravelines-1 in 1994. With the experience thus acquired, the accumulated dose associated with such operations has been significantly lowered. The collective doses involved were 2.2 m.Sv, 1.5 m.Sv and 1.4 m.Sv respectively. The Gravelines operation was devised and prepared like a standard operation which could be reproduced with minor adaptations for subsequent replacements, at a rate of about two units per year. On this basis, the Saint-Laurent-B1 and Dampierre-3 steam generators were replaced in 1995, Gravelines-2 is scheduled for 1996 and Tricastin-2 for 1997.
25.3.6. Provisional results

To date, a steam generator tube clean break has never occurred in France, despite many difficulties and a significant number of primary-to-secondary leaks. But this does not mean that leakage will always precede breaks. It must be remembered, in particular, that weakened tubes have never been required to withstand loads resulting from accident situations such as a steam line break. Finally, the mean steam generator tube break frequency observed worldwide is 4 × 10^-3 significant breaks per reactor year, which could have led us to expect two or three breaks in France, although this figure is not statistically very significant. The measures taken by EDF to control these problems, sometimes at the instigation of the safety organizations, doubtless contributed to this good result.
25.4. Steam line defects

Steam line inspections have revealed, from 1990, weld cracking in PWR main steam lines. These defects were discovered on valve nozzles on piping in the 900 MWe units (Fig. 25.2.) and certain 1300 MWe units (Fig. 25.3.).

For the Fessenheim and Bugey units, the problem was mainly steel cracking or weakening in the immediate vicinity of the welds. The defects had been caused by welding operations and were due to quality deficiencies in the materials used for secondary system manufacture. Lamellar tearing cracking had spread through the steel, starting from numerous inclusions in the base metal which were laminated during the manufacturing processes. The initial piping at these units was manufactured using the "roll-weld" technique. A large defect of a special type (11 cm in length and 3.5 cm in depth along the nozzle side weld) was discovered in 1991 at Fessenheim-1. It was apparently not due to mechanical fatigue or corrosion, but to a single large load applied during a cold shutdown maintenance operation, which enlarged one or several existing small defects. However, this explanation has not been confirmed.

On the other 900 MWe reactors, cracks a few millimeters deep and a few dozen centimeters long have been noted on tube inner surfaces at weld roots. These were cold cracks probably due to inappropriate welding conditions.
Fig. 25.2. 900 MWe unit secondary system.
On the first generation 1300 MWe reactors (P4), welding defects, such as inclusions and incomplete fusion, and hot cracking were observed. They were also due to inappropriate welding conditions. On these 900 MWe and 1300 MWe units, there can be no lamellar tearing, since main piping was forged. The analyses and examinations carried out showed that the defects observed, except for the very large one at Fessenheim-1, probably dated back to the piping manufacturing period but were not identified before startup of the units concerned. The increased inspection efficiency requested by the safety organizations and better operator training enabled identification of these defects. Inspections were also carried out on the main and auxiliary feedwater supply piping. Defects where dimensions exceeded acceptance criteria were repaired or the piping section concerned was replaced. Improvement of inspection methods is obviously commendable but the discovery of cracks the size of which exceeded repair criteria calls into question the validity of the implementation of final acceptance vendor inspections, the most recent of which, concerning the 1300 MWe units, were presented as reliable.
Fig. 25.3. 1300 MWe unit secondary system.
25.5. Closure head adapter cracking

On September 23, 1991, a small leak was detected at one of the Bugey-3 closure head penetrations. The operating utility carried out the primary system hydrotest for this unit in the context of a scheduled 10-yearly inspection. The 900 MWe unit was commissioned in 1979 and had been operating for about 80,000 hours. The hydrotest is performed, after fuel unloading, at a pressure of 207 bar and a temperature in the vicinity of 80 °C, the normal primary system operating pressure being 155 bar. The leak detected, with a leak rate of about 1 l/h, was on one of the 65 leaktight adapters enabling insertion of the CRDM rods or core temperature measurements through the closure head. The affected adapter, located on the outer edge of the closure head, was made, like the others, of Inconel 600 (Fig. 25.4.). The nondestructive tests performed on it evidenced about ten axial cracks, with a maximum length of 8 cm. All the adapters in the unit concerned were examined, together with those of two other units of the same design (Fessenheim-1 and Bugey-4), which were shut down. Cracks were discovered on the closure heads at all three units. These radially localized defects were attributed to adapter metal stress corrosion cracking which had developed during reactor operation.
Fig. 25.4. CRDM latch housing.
The following conditions were considered as likely to have caused the cracks:
• Inconel 600 sensitivity to stress corrosion phenomena
• residual stresses resulting from the out-of-roundness of the adapters when they are welded to the closure head
• the operating temperature beneath the closure head (about 315 °C).
Available data on stress corrosion propagation kinetics show widely scattered results. At 315 °C, and depending on the degree of sensitivity of the Inconel 600 used, propagation rates were estimated at between a few millimeters per year and a few dozen millimeters per year.
25.5.1. Situation regarding other reactors

Apart from very slight variations, the adapter design for all French PWRs is identical. Analysis of parameters able to affect stress corrosion in these devices involved, first of all, classification of the different standardized series of French reactors, with regard to this damage hazard:
• the six Fessenheim and Bugey reactors, commissioned between 1977 and 1979, where the operating temperature beneath the closure head is about 315 °C
• the twenty 1300 MWe reactors, commissioned between 1984 and 1992, where, in some cases, the operating temperature beneath the closure head is higher (between 315 °C and 320 °C)
• the other twenty-eight 900 MWe reactors, where the oldest is 11 years old but where the operating temperature beneath the closure head is only about 290 °C.
The safety authorities nevertheless requested that spot checks be carried out on all plant types. In November 1992, cracks were found in three of the 65 adapters at Blayais-1 (900 MWe), showing that the deficiency could affect any French reactor. An extensive inspection program was defined for implementation on all reactor types. Inspections were carried out on all plants, except for the two last 1300 MWe units, using first manual methods, requiring disassembly of the control rod drive mechanisms and thermal sleeves, and then robots, involving fewer disassembly operations and less staff exposure.

Broadly speaking, the cracks detected only concern outer edge adapters, but are liable to affect any unit. The vent pipes are not cracked, although they were initially considered as precursors of cracking in other closure head penetrations. The reasons why the temperature beneath the closure head was not in fact a critical factor have not yet been clearly explained.
25.5.2. Examination of through-wall cracking

The Bugey-3 adapter was removed for expert examination. The metallographic examinations revealed intergranular cracking characteristic of Inconel 600 stress corrosion in a primary water environment, with two cracks at the adapter-closure head weld. Initiated in the weld root zone, they propagated symmetrically towards the top and bottom of the adapter. The longest crack ends at the adapter outer wall and examination of this area shows that the crack gradually went through the wall during unit operation and propagated in the deposited weld metal.
The examination also revealed circumferential cracking on the outside of the adapter. These cracks, starting at the weld root, had propagated through the adapter base metal and the deposited metal. They are probably due to the fact that the interstice between the adapter and the closure head had remained wetted by primary water further to perforation of the adapter. Crack depth does not exceed 2 mm in the adapter and up to 3.5 mm in the weld. Cracking in the weld may have started from a manufacturing defect, such as hot cracking.
25.5.3. Safety impact

The longitudinal defects observed could not jeopardize the mechanical strength of the adapter in the absence of leakage. However, it should be noted that a borated primary water leak could result in ferritic steel corrosion, as observed in the United States during a different type of incident. In the specific case of the adapters, ferritic steel corrosion could even be accelerated by a boric acid concentration in the interstice between the adapter and the closure head, following evaporation of the primary water. In the absence of elements disproving this theory, it was deemed wiser to aim at the prevention of leakage through adapters. This argument was reinforced by the Bugey-3 penetration findings, indicating the possibility of circumferential cracking starting at the outer surface, with kinetics liable to be accelerated by a concentrated boric acid medium.

In addition, in compliance with defense in-depth procedure, the most severe credible accident was analyzed. It consisted of adapter severance, resulting notably in control rod ejection and primary system depressurization. The rod ejection accident considered in the safety analysis reports corresponds to a reactivity insertion causing a prompt power excursion. This phenomenon is accompanied by substantial deformation of the radial power distribution in the vicinity of the rod concerned. The power excursion is limited by the Doppler effect and terminated by tripping the reactor. The corresponding calculations are made using a conventional series of penalizing assumptions. Two phenomena are apprehended: fuel pellet bursting, resulting in a reaction between the dispersed fuel and the water, and primary system overpressure resulting from the water heating caused by the power excursion.
The postulated initiator is ejection of the control rod drive shaft housing plug (40.6 mm), but the resulting pressure reduction is disregarded for assessment of the maximum pressure reached in the primary system, which is obviously pessimistic. The limit value adopted is 190 bar, which is well below the hydrotest pressure.
In the event of an adapter failure, there is no reason to disregard the opening resulting from ejection of an entire control rod drive mechanism (diameter: 101.6 mm). Analysis shows that this reduces the maximum power and pressure levels reached as compared with the case considered in the safety analysis reports. The calculations also show that, in the event of adapter ejection, thermal hydraulic stressing of the control rod guide tubes and upper core plate is well below the design basis loads. It is nevertheless important that such an accident should remain exceptional. On the other hand, it is impossible to demonstrate that adapter ejection could not cause rupture of an adjoining adapter affected by defects. But the simultaneous ejection of two black rods previously fully inserted (which is contrary to the technical operating specifications) would cause fuel damage. Special precautions in this respect are consequently indispensable.
25.5.4. Prevention, surveillance and limitation of consequences

Various steps have been taken to improve crack prevention and detection and limit their consequences. Implementation of a modification lowering the temperature beneath all 1300 MWe closure heads to around 290 °C has been proceeding since the beginning of 1992 during annual shutdowns. It was not interrupted following the discovery of the 900 MWe unit defects, since it would certainly alleviate this problem also.
25.5.4.1. Development of inspection equipment

Automated inspection devices have been developed to augment adapter inspection possibilities, at the same time reducing the doses received by the workers concerned. The methods used are eddy current and ultrasonic testing, together with televisual inspection, or liquid penetrant testing:
• as regards televisual inspection, the operating utility has two devices, one for inspection of the outer surface of the closure head to detect any traces of boron, and the other for examination of its inner surface to detect cracking in the adapter-closure head welds or on the inside of adapters not fitted with thermal sleeves
• tooling for remote liquid penetrant testing of welds was developed to supplement the televisual inspections. Tests performed on several closure head welds at the Bugey-3 and Bugey-4 units evidenced no cracking
• for these nondestructive tests, the operating utility has been using, since 1992, automated devices which did not require prior removal of the thermal sleeves. These methods employ eddy current contact probes, enabling detection of longitudinal or circumferential cracking in the weld zone. The probes are inserted in the adapter, between the thermal sleeve and the adapter itself. Crack depth is then determined, using ultrasonic tests on the cracking detected in the weld zone, which still requires removal of the thermal sleeve.
An inspection program was thus proposed by the operating utility with a view to more accurately assessing the extent of the anomaly and its rate of progression. According to the results obtained, a progression of 4 mm per cycle would appear to cover all cases, with allowance for measurement inaccuracies.
25.5.4.2. Repairs

In addition to the Bugey-3 cracked adapter, which was replaced using a procedure which took much time to develop and involved significant worker exposure, the closure heads at Bugey-4, Paluel-4 and Flamanville-1 were also repaired in 1992. Further to analysis of the documents presented by the operating authorities at the beginning of 1993, the DSIN, after consulting the Standing Nuclear Section and the Standing Group for Reactors, adopted and gave notice of a provisional repair criterion for the cracked penetrations. It provided for repair of through-wall cracks or those liable to reach this stage during the next operating cycle. The thickness of the adapters is about 15 mm. A crack in the weld zone between adapter and closure head or above the closure head must be repaired in all cases where the sound metal thickness behind the crack is less than 4 mm. But the program for replacement of affected closure heads limits the repair program.
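The adapter repair criterion just described (sound metal under 4 mm behind the crack, bounding progression 4 mm per cycle, 15 mm wall) and the anti-vibration bar plugging criterion of 25.3.4.2 (plug above 40% wall loss, wear of at most 11% per cycle, defect opening credited at 75% under accident conditions) rest on the same margin argument: a defect may be left in service only if, growing at the bounding rate, it cannot reach the credited failure size before it is next inspected. The following Python is an added example, not from the book or from EDF; it generalises that argument to any defect with a bounding growth rate. The DefectCase record, the function names and the survey() helper are my own; the numbers are those quoted in the text.

```python
"""Surveillance-interval margin check for a defect that grows between inspections.

Added example, not taken from the book: the record type, the function names and
survey() are my own; the numerical inputs are those the text quotes for
anti-vibration bar wear (25.3.4.2) and closure head adapter cracks (25.5.4.2).
"""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class DefectCase:
    name: str
    measured: float          # present size: % of wall lost, or mm of crack depth
    growth_per_cycle: float  # bounding growth per operating cycle, same unit
    limit: float             # size at which failure is credited, same unit
    unit: str


def cycles_before_limit(case: DefectCase) -> int:
    """Whole operating cycles the defect can stay in service without its
    bounding size exceeding the credited failure limit (0 if already there)."""
    if case.growth_per_cycle <= 0:
        raise ValueError("a bounding growth rate must be positive")
    if case.measured >= case.limit:
        return 0
    # largest n such that measured + n * growth <= limit
    return math.floor((case.limit - case.measured) / case.growth_per_cycle)


def needs_action(case: DefectCase, cycles_to_next_inspection: int = 1) -> bool:
    """True when the defect must be plugged or repaired now because, at the
    bounding rate, it could reach the limit before it is next examined."""
    return cycles_before_limit(case) < cycles_to_next_inspection


def largest_acceptable_size(growth_per_cycle: float, limit: float,
                            cycles_to_next_inspection: int = 1) -> float:
    """Most severe measured size that can still be left in service for the
    given inspection interval, before any allowance for measurement error."""
    return limit - cycles_to_next_inspection * growth_per_cycle


def survey(cases, cycles_to_next_inspection: int = 1) -> dict:
    """Map each case name to (cycles of margin, action needed now)."""
    return {
        c.name: (cycles_before_limit(c), needs_action(c, cycles_to_next_inspection))
        for c in cases
    }


# Anti-vibration bar wear: a tube at the 40 % plugging threshold, wear up to
# 11 % per cycle, defect opening credited at 75 % (accident conditions, the
# more restrictive of the two figures given; 85 % applies to normal conditions).
AVB_WEAR = DefectCase("AVB wear at plugging threshold", 40.0, 11.0, 75.0, "% wall")

# Closure head adapter crack: 15 mm wall, bounding progression 4 mm per cycle,
# failure credited at through-wall. The text repairs when the sound metal
# behind the crack is under 4 mm, i.e. when crack depth exceeds 11 mm.
ADAPTER_WALL_MM = 15.0
ADAPTER_AT_CRITERION = DefectCase("adapter crack, 4 mm sound metal", 11.0, 4.0,
                                  ADAPTER_WALL_MM, "mm")
ADAPTER_DEEPER = DefectCase("adapter crack, 3.5 mm sound metal", 11.5, 4.0,
                            ADAPTER_WALL_MM, "mm")

if __name__ == "__main__":
    for name, (cycles, act) in survey([AVB_WEAR, ADAPTER_AT_CRITERION,
                                       ADAPTER_DEEPER]).items():
        verdict = "plug/repair now" if act else "leave in service"
        print(f"{name}: {cycles} cycle(s) of margin -> {verdict}")
    print("AVB wall loss allowed by a one-cycle margin alone:",
          largest_acceptable_size(11.0, 75.0), "%")
    print("Adapter crack depth allowed by a one-cycle margin:",
          largest_acceptable_size(4.0, ADAPTER_WALL_MM), "mm")
```

Run stand-alone, it shows that the adapter criterion (11 mm depth) is exactly the one-cycle bound at 4 mm per cycle, whereas the 40% steam generator threshold sits well inside the 64% that a one-cycle margin alone would allow.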
25.5.4.3. Leak detection
As leaks have to be rapidly detected, provisions have been developed in this respect using Nitrogen 13 detection and measurement. The corresponding devices were first installed in the most affected units and subsequently in units where an exhaustive inspection of adapters has not yet taken place. Nitrogen 13 is produced in the core cooling water and its radioactive decay leads to the emission of two 511 keV gamma radiations, with a half-life of 10 minutes. In the event of primary water leakage, Nitrogen 13 is to be found under the closure head casing, where a continuous gas sampler is installed. A counting channel comprising two sensors measures the corresponding activity. Leaks below 1 kg/h can thus be detected.

25.5.4.4. Anti-ejection devices

At the suggestion of the operating utility, anti-ejection devices were installed at the Fessenheim and Bugey units to ensure adapter hold-down in the event of a broken adapter. Whether the 1300 MWe missile shield could fulfill the same function is presently being verified. Considering the planned program of tests, repairs and closure head replacements, it was deemed unnecessary to request EDF to equip the other 900 MWe units with anti-ejection systems.

25.5.4.5. Closure head replacement

EDF opted for the gradual but systematic replacement of the affected closure heads, which satisfies requirements as to the definitive solution to the problem. By the end of 1995, twelve closure heads had been replaced. The program provides for seven further replacements in 1996, six in 1997 and possibly three in 1998.
26
Some French precursors
French PWR operation has so far given rise to no incidents involving significant radioactive release. There have however been instances of involuntary release, notably further to valve malfunction on radwaste storage tanks. None of these cases led to release levels exceeding the annual authorized limits. They are classified as incidents because they were involuntary.

The only example of severe degradation of PWR fuel rods, several of which ruptured at Bugey-2 in June 1981, resulted from the particular initial configuration of the internal structures supporting and surrounding the reactor core at the Fessenheim and Bugey units. Provisional arrangements followed by definitive modification of these internal structures and the water circulation patterns within them prevented recurrence of these incidents.

On the other hand, a fair number of significant incidents occurring in France must be considered as precursors of more serious situations, although not necessarily severe accidents characterized by substantial core damage. On the basis of the criterion given in Chapter 23, about 20 such incidents occur every year, some of which will be presented in this chapter. A distinction is made between actual incidents and latent nonconformances detected during inspections, although they are often classified under the same heading. For each category, the presentation is in mainly chronological order. The description of these nonconformances, which in no way disturbed smooth operation in the units concerned, confirms the interest of detecting and closely analyzing them.

Certain precursors have been extensively described in previous chapters, notably:
• those corresponding to risks of residual heat removal interruption (Chapter 23.3)
• pressurizer heater damage (Chapter 24)
• defects affecting steam lines (Chapter 25.3)
• vessel closure head adapter cracking (Chapter 25.4).
They will not be rediscussed in what follows.
Elements of nuclear safety
26.1. Incidents

26.1.1. Seal failures on reactor building access hatches

When most of the 900 MWe units started operating, reactor building access hatch tightness was assured by compressed air inflatable seals. The first of these incidents occurred in August 1982 at Tricastin-1. The inadvertent failure of a pressure regulator plug on the sole compressed air line interrupted the air supply to the seals on the level zero access hatch, where check valves failed to maintain the required pressure (Fig. 26.1.). Containment integrity was lost for 45 minutes, but as the containment atmosphere was not contaminated, no radioactive release ensued.
Fig. 26.1. Schematic air supply to the seals on the reactor building access hatch.
An accident affecting the primary system and the core under these conditions could have shaken the reactor building structure and ruptured the already weakened plug. The accident would then have caused both release of radioactive products in the containment and loss of containment integrity. The loss of integrity could also be postulated in a long term post-accident phase.
A compressed air system modification program was implemented. However, recurrence of this type of incident was not entirely excluded. So the problem was reconsidered and it was decided to generalize the use of flush sealing joints, as adopted from the outset for Fessenheim and the 1300 MWe plants.
26.1.2. Risk of common mode failures due to internal flooding

In October 1983, a significant water leak on a heat exchanger in a chilling unit ventilating the electrical equipment rooms caused flooding in the room concerned at Blayais-1 (Fig. 26.2.). Owing to immediate operator action, the flooding was limited to about 12 m3 of water.
Fig. 26.2. Partial diagram of the Blayais-1 electrical rooms.
Since the capacity of the disposal system associated with the floor drain provided in the room was inadequate, the water accumulated in the room. Some of it reached, via the drain system, the train A ventilation compartment located in the same room, was then picked up by the fans, transported to other rooms and sprayed over the train A switchboards. However, the quantities of water involved were sufficiently small for short-circuiting to be avoided.
The water also infiltrated to the floor below through passageways round a ventilation duct and a cable chase and via openings for cables which had not been closed. Water was found on the ground near the train B switchboards, without consequences for this equipment. So the incident had no actual safety consequences.

The in-depth analysis of this incident revealed notably:
• that in 900 MWe twinned units, the ventilation compartments for both trains are in the same room, not far apart, and that the same floor drain is routed through both of them. So the water could have been transported by the ventilation systems of both trains, causing total loss of power by failure of the redundant switchboards
• that a switchboard becomes unavailable when the water level in the room exceeds 10 cm
• that switchboards can also be put out of order by water running down cables inserted from above.

More generally, this analysis drew attention to internal flooding hazards and the difficulty of foreseeing the paths which will be taken by water when it is not piped. A program was gradually implemented, providing for checks on cable opening plugging, resizing of floor drain systems and associated water removal equipment and the provision of raised structures round passageways which cannot be sealed. The consequences of two similar events in 1984 and 1986 were strictly limited by the provisions already made.
26.1.3. Loss of three out of four power sources

In April 1984, the voltage of a control and instrumentation DC source at Bugey-5 began to drop slowly, due to a battery bank supply fuse failure. The associated alarm, grouped with other frequent alarms*, went unnoticed by the control room operators. The power deficiency caused the scram switches to open, tripping the reactor. Switchover of the power sources, controlled by the same deficient voltage, was ineffective, so that the reactor was powered neither by the power transmission line nor the auxiliary line. A diesel generator startup order was received. Since the generator for the defective train had no energization voltage, no current could be supplied.

* The other alarms were signalling insulation defects on cables used for the construction of this unit. These defects were known and their consequences slight. No action was required on the part of the operators pending replacement of these cables.
Only the other diesel functioned normally, emergency-supplying the equipment of the corresponding train, which is so designed as to suffice for residual heat removal. Malfunction of the pressurizer relief devices, deprived of their power supply, caused a significant rise in primary system pressure. Other defects, induced by the initial failure, disturbed signals sent to the control room, some of which were erroneous but not inconceivable.

The situation thus involves failure of three out of four power sources, which is an obvious precursor of a total power loss, affecting a unit not yet equipped with the instrumentation and procedures required to contend with such conditions, further compounded by control and instrumentation power source failures. It is also a situation for which the operators had not been prepared and for which they had no adequate operating documents. The situation was nevertheless brought under control, thanks to the professional know-how of the operating team.

The case of a gradual voltage drop had been overlooked in the design basis studies, focused on total power failures. Equipment to deal with a total power loss was still under development at the time, but has now been installed at all French units. In addition, this incident prompted EDF to accelerate studies and work on alarm modifications, to analyze protection against gradual DC voltage drops and, more generally, against power failures under low voltage conditions. Finally, the first state-oriented procedures, especially procedure U1 associated with a procedure to check the condition of control and instrumentation power sources, enable complex situations to be dealt with, without improvisation. This is also the case for 1300 MWe unit state-oriented procedures. This incident is considered to be the most serious to have occurred to date on a French PWR.
There is no need for a detailed analysis to realize that plant safety depended for a time on the satisfactory behavior of the only diesel generator which operated, although the main and auxiliary power networks were available. But it is known that the rate of failures to start when actuated is not far below 10⁻² for this type of equipment. In the event of failure to start or sudden failure of this generator, under the conditions at the time, core degradation hazards would have been significant.
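Both the Blayais-1 flooding (26.1.2) and the Bugey-5 power-source loss (26.1.3) are questions of propagation through an unmodelled dependency: where does water go once it is not piped, and what stops working once a single DC source sags. The script below is an added illustration, not part of the book and not EDF's single-line diagram or room layout. It encodes a constructed dependency graph for the four power sources (the assumed edges follow the narrative: grid and auxiliary line switchover and the train A diesel field supply all hang off the train A DC source) and a constructed water-path graph for the electrical rooms, then answers both questions with the same reachability routine. Component and room names are invented for the example.

```python
"""Dependency-propagation check for hidden common modes (added example).

Constructed illustration, not EDF's actual electrical diagram or room plan:
a graph of what each power source needs in order to function, and a graph
of where water can travel once a room floods. Both questions reduce to a
transitive closure over an adjacency list.
"""
from collections import deque

# Assumed dependency model of the Bugey-5 power sources. Edges read
# "component -> components it requires". Names are invented.
DEPENDS_ON = {
    "grid_line": {"switchover_logic"},
    "auxiliary_line": {"switchover_logic"},
    "switchover_logic": {"dc_control_train_A"},   # switchover driven by the sagging DC
    "diesel_A": {"dc_control_train_A"},           # field energization from train A DC
    "diesel_B": {"dc_control_train_B"},
    "dc_control_train_A": {"battery_fuse_A"},
    "dc_control_train_B": {"battery_fuse_B"},
    "battery_fuse_A": set(),
    "battery_fuse_B": set(),
}
POWER_SOURCES = ("grid_line", "auxiliary_line", "diesel_A", "diesel_B")

# Assumed water-path model of the Blayais-1 electrical rooms. Edges read
# "location -> locations water can reach from it". Names are invented.
WATER_PATHS = {
    "chiller_room": {"floor_drain", "unsealed_cable_openings"},
    "floor_drain": {"vent_compartment_A", "vent_compartment_B"},  # one drain serves both
    "vent_compartment_A": {"switchboard_A"},   # fans carry the water onward
    "vent_compartment_B": {"switchboard_B"},
    "unsealed_cable_openings": {"floor_below_near_switchboard_B"},
}


def closure(adjacency, starts):
    """All nodes reachable from `starts` (inclusive) by following edges."""
    seen = set(starts)
    queue = deque(starts)
    while queue:
        node = queue.popleft()
        for nxt in adjacency.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def reverse_edges(depends_on):
    """Turn 'X needs Y' into 'if Y fails, X fails'."""
    rev = {}
    for comp, needs in depends_on.items():
        for need in needs:
            rev.setdefault(need, set()).add(comp)
    return rev


def surviving_sources(depends_on, failed, sources=POWER_SOURCES):
    """Power sources still usable after the `failed` components are lost."""
    lost = closure(reverse_edges(depends_on), set(failed))
    return [s for s in sources if s not in lost]


def single_point_failures(depends_on, sources=POWER_SOURCES, minimum=2):
    """Components whose failure alone leaves fewer than `minimum` sources.

    Returns {component: surviving source count}. A design basis that only
    postulates "all sources lost" never asks this question.
    """
    findings = {}
    for comp in depends_on:
        left = surviving_sources(depends_on, {comp}, sources)
        if len(left) < minimum:
            findings[comp] = len(left)
    return findings


def flooded_locations(water_paths, origin):
    """Where water starting at `origin` can travel if nothing is sealed."""
    return closure(water_paths, {origin})


if __name__ == "__main__":
    print("Bugey-5 fuse failure leaves:", surviving_sources(DEPENDS_ON, {"battery_fuse_A"}))
    print("Single points of failure:", single_point_failures(DEPENDS_ON))
    print("Blayais-1 flood reaches:", sorted(flooded_locations(WATER_PATHS, "chiller_room")))
```

With the assumed graph, a single fuse on train A leaves only diesel B, which is the three-out-of-four loss the text describes; the same walk over the water-path graph reaches both switchboards through the shared floor drain. The point of the exercise is that the common mode only appears once the control-power and drainage edges are drawn in; a model that postulates only "total loss of power" or "leak confined to the room" never exposes them.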
26.1.4. Incidents related to unusually cold periods

The winters of 1985, 1986 and 1987 were marked in France by cold periods, involving unusually low temperatures over exceptionally long periods. In several open country regions, temperatures of -15 °C or less were observed for several days during each of these years, frequently accompanied by sustained high winds. However, the frequency of such meteorological conditions would not appear to be below 10⁻² per year. In fact, in certain regions they were observed over three consecutive years. The wide range of different phenomena thus incurred at the plant units and the particular character of one incident justify a fairly detailed description.
26.1.4.1. Overview of the incidents

Many sites and systems were affected, some over several consecutive years:
• in 1985, Fessenheim, Tricastin, Gravelines, Dampierre, Cruas, Chinon and Saint Laurent-des-Eaux
• in 1986, only Saint Laurent-des-Eaux and Cruas
• in 1987, Saint Laurent-des-Eaux, Chinon, Belleville, Flamanville, Cattenom and Saint Alban.

The systems affected were naturally those most sensitive to the outside temperature, resulting in:
• several highly significant reductions in the water supply for plant cooling, due to the formation of ice-banks or piles of ice blocks in front of the water intake structures of plants on the banks of the Loire river
• national power grid deficiencies, causing switch to house load or shutdown at certain plants
• freezing of Feedwater Flow Control System flow meters
• freezing of Auxiliary Feedwater System make-up lines, limiting the cooling capacity of this system after an emergency shutdown
• interruptions on the Nuclear Auxiliary Building Ventilation System
• diesel generator or gas turbine outages due to excessively low lubrication oil temperatures
• freezing of the level sensors on the Reactor Cavity and Spent Fuel Pit Cooling and Treatment System reserve tanks, used for safety injection
• several partial openings of steam line protection valves, due to freezing of sensors or operating aid devices. This can cause a transient actuating the safety injection system and requires availability of the Reactor Cavity and Spent Fuel Pit Cooling and Treatment System water reserves.

This accumulation of difficulties of varying degrees of gravity led to the implementation of local corrective measures, followed by a national program and finally a more general analysis concerning improvement of preventive measures and the corresponding operating instructions with a view to precluding this type of failure.
General design basis provisions allowed for an outside temperature of -15 °C, the probability of occurrence of which varies according to the sites, but is nevertheless fairly high. In addition, protective provisions against low temperature effects cannot be tested since these conditions cannot be simulated. The final protective measure program takes these difficulties into account. It was, of course, not restricted to PWRs but was applied to all types of plants. It comprises many specific actions, such as improving thermal insulation on exposed devices or installing heat-tracing*, providing for the closure of certain rooms, together with temperature and heating surveillance. Protection of water intake structures against freezing was also improved where required by modification or provision of hot water circulation systems, water stirring in low flow areas, etc.
26.1.4.2. Multiple unavailabilities at Chinon-B3

The cold spell in 1987 caused an incident at Chinon-B3, which is worth describing as a precursor of a more serious situation. On January 12, 1987, electricity consumption in France was extremely high owing to the weather conditions. Three of the four units at the thermal plant of Cordemais, near the Loire river mouth, tripped simultaneously, due to the freezing conditions. The considerable voltage drop on the 400 kV plant distribution system in Western France, resulting from the stoppage of these three units in a peak consumption period, tripped seven nuclear units and two other fossil-fired units. This was notably the case at Chinon-B3 due to a protection action against excess current in the generator rotor. Power supply to the unit automatically switched to the auxiliary 225 kV line, which was also below its rated value. Reactor shutdown induced startup of the Auxiliary Feedwater System. The voltage supplied by the redundant switchboards dropped, but the diesel generators failed to start automatically because the voltage setting for their automatic coupling was too low. So the diesels were started manually by the operators. The two auxiliary feedwater supply motor-driven pumps tripped due to overcurrent (compensating the low voltage). The four Component Cooling System pumps then followed suit, one after the other. Various contactors were damaged and proved inoperable, interrupting the heat-tracing on certain cabinets and piping.
* Installation round certain equipment of heating resistors designed to start operating when the temperature drops below a fixed point
The diesel generators and pumps were successively put back into service by the operators before the main power supply was restored, after a 15 minute interruption. An hour before this incident, the operators discovered that the outside temperature (-10 °C) together with continuous wind had frozen the piping used to refill the auxiliary feedwater supply water reserve. Depletion of this reserve, in use since the beginning of the emergency shutdown, was to continue for four hours. Pressure and temperature conditions compatible with switchover to the residual heat removal system were then obtained. At the same time, two level sensors on the Reactor Cavity and Spent Fuel Pit Cooling and Treatment System tank were found to be frozen. They were repaired in a few hours as was the auxiliary feedwater supply refill pipe. The following day, the operators noticed that two steam line protection valves were leaking. Here again, the cold weather was responsible, together with interruption of the heat-tracing. Appropriate repair work again brought the situation back to normal. During the same period, work had to be done on the water intake structures which were in danger of being iced up. This accumulation of failures had a single source, the weather conditions throughout the region considered. The fact that they did not all occur at exactly the same time is purely fortuitous. There were two initiators, emergency shutdown and the steam line leaks, compounded by degradation of the systems provided to control the associated transients, the auxiliary feedwater supply system and the safety injection water reserve level monitoring system. The various actions undertaken were such as to preclude a situation which could lead directly to the dispersion of radioactive products, but the situation was not much better than that described previously, when the Bugey-5 power supply failed.
26.1.5. Confusion between equipment, systems or units

This type of incident occurs periodically, despite efforts made to improve control room ergonomics and identification of equipment, rooms and units. Consequences have rarely gone beyond automatic shutdown of reactors. These confusions, which always surprise outsiders, occur in plants worldwide. Although design provisions are such that a single error cannot induce more than an automatic shutdown, this type of unpredictable action could occur randomly in the context of any unit configuration. This confirms the soundness of the safety approach whereby accident scenarios are analyzed postulating an additional failure or penalizing condition.
26.1.6. Common modes related to maintenance and work on redundant systems

In 1989, several significant maintenance-related incidents occurred, resulting in degraded operating conditions for redundant equipment. Only one resulted in equipment deterioration, that concerning the Flamanville-2 pressurizer heaters, described in Chapter 24. The other incidents concerned:
• the system for recombination of the hydrogen present in the reactor building in the event of a large break on the primary system. Both trains were blocked by cover plates inside the containment for a whole operating cycle (Dampierre-1)
• the Gravelines-1 primary system protection valves, into which had been inserted plugs, intended for use during primary system degassing but which had not been subsequently removed. These could have hindered the operation of the valves had they been required.

In both these cases, since the inoperable systems had not been required during the abnormal condition, there were no effective consequences. The situations involved were nonetheless abnormal. Inoperability of the hydrogen recombination system after a loss of coolant accident would have increased the risk of explosion in the containment in the long term. Loss of the normal characteristics of primary system automatic protection against overpressures would have delayed protection actions until a manual opening order was given by the operators. The manual order had remained effective but could only have been used by the operators after identification of the problem.

The precursory nature of these nonconformances is mainly related to the doubts they engender as to the permanent availability of all redundant safety systems on standby during normal operation. The measures taken to preclude maintenance errors and safety system requalification principles have been discussed in Chapter 24.
26.1.7. Introduction of non-borated secondary water into the primary system In March 1990, at the end of a refueling shutdown at Blayais-4, with the primary system water at mid-loop conditions, inadvertent dilution was caused by a non-borated water leak from the secondary side of a steam generator.
Mismanagement of lockout sequencing had resulted in the secondary side of the steam generators being filled too soon, with overspilling of water into a steam generator channel head and then onto the ground. One end of a tube which had just been removed had not been plugged. The corresponding channel head was closed with an inflatable cover, in compliance with instructions for dealing with a channel head cover plate leak. The technician also alerted the control room. The channel head was filled and pressurized by the secondary water column. The cover plate installed between the channel head and the corresponding primary loop, required to withstand pressure from the wrong direction, gradually lost its tightness. The introduction of non-borated water was only stopped by draining the steam generator. The minimum boron concentration in the primary water defined by the Technical Operating Specifications was consistently respected, owing to operator action. The quantity of non-borated water introduced into the core remained compatible with safety analysis report postulated situations. But the incident showed that non-borated water from the secondary system could accumulate in a reactor loop. Had the cover plate failed suddenly, most of the 4 m3 of water contained in the channel head could have flowed swiftly into the core, causing a far more significant transient. In addition, if the incident had occurred with the channel head already closed, with the cover plate removed, identification of the nonconformance would have been far less straightforward. During primary system venting, pump startup on the loop concerned could have resulted in the pure water contained in the cold and intermediate legs flowing swiftly into the core, since water in this loop is not kept in motion by the residual heat removal system. The consequences for the core would have been similar to the prompt criticality conditions described in Chapter 16. 
The fact that the operators were well acquainted with these problems contributed to the satisfactory management of the situation by the operating team.
26.1.8. Introduction into the primary system of non-borated water from an accumulator

After the hydrotesting of a Belleville-2 accumulator, EDF was testing the corresponding isolation valve exercisability. The reactor vessel was open and water-filled to closure head seal level. Core cooling was provided by the two residual heat removal pumps. During the hydrotest, one month before, the accumulator had been filled with non-borated demineralized water, which should have been completely drained out after the hydrotest, before the valve exercising tests began. In fact, 16 m3 had remained in the accumulator, which was not indicated by the level metering device. When the isolation valve was opened, about 10 m3 of non-borated water flowed down into the primary system. There it mixed immediately with the water circulated by the residual heat removal system, but the overall boron concentration, which dropped below the value indicated in the technical operating specifications, remained consistently at a sufficient level to prevent any criticality hazards. The operator was made aware of the situation by the water overflowing from the primary system and closed the accumulator valve.

The accumulator vent pipe should have been open during this test. The fact that it had remained closed limited the water transfer rate and quantity. With the vent pipe open, the isolation valve blocked open and a lower residual heat removal system flowrate, there could have been a much faster injection of less homogeneous water, creating a critical excursion risk. This is an example of introduction of non-borated water into the reactor core due to maintenance operations. Further to this incident, it was decided by the operating utility that hydrotesting of vessels connected to the primary system should be carried out using borated water, with the same boron concentration as used for the primary system at cold shutdown.
26.1.9. Risk of common mode failures affecting switchboards We have already mentioned in Chapter 20 the incident at Cruas-4 in October 1990. Arc initiation on one of the poles of the contactor supplying an essential service water system pump caused the cell to explode, followed by an outbreak of fire and the destruction of the main train B emergency switchboard, resulting in the unavailability of all train B safeguard equipment. This incident was caused by wear on shock absorbing washers inside the contactor. The situation was brought under control without radioactive release problems arising. However, this incident illustrated the possibility of a common mode failure affecting both emergency switchboards, due to wear on the washers which are identical in both cases. This aging problem had already been identified, but the corresponding corrective measures had not been fully defined. It also showed that an incident affecting equipment downstream from a switchboard could cause the latter to fail, which had not been included in the safety analysis scenarios, since protection against electrical faults was considered highly efficient.
The washers were quickly replaced on all switchboards equipped with them in the many plant units concerned.
26.1.10. Excessive primary cooling after inhibition of automatic actions

Paluel-2 was restarting after refueling in January 1993. The surveillance program included a test on the automatic startup of the Auxiliary Feedwater System to be used in the event of failure of the Main Feedwater System. This test had to be performed at a reactor power level compatible with the heat removal capacity of the Auxiliary Feedwater System (2% of rated power). The test was mistakenly undertaken when the reactor power was three times higher, but the error was rapidly identified. The operating team then inserted the control rods to shut down the reactor without scram and supplied additional borated water to obtain the boron concentration required for the core under shutdown conditions.

During the test, a condenser steam dump valve remained partially open, although a complete closure order had been received. This accelerated primary system cooling, which took place at a rate of 70 °C/h instead of the 56 °C/h authorized by the technical operating specifications during an incident (under normal operating conditions, the limit is 26 °C/h). There were two control room displays concerning the position of this valve:
• valve position data indicating, for this valve, "not closed", but this information was not considered reliable
• the automatic control actuating signal, indicating "100% closed".

When the operators realized that the primary system cooling rate was excessive, they concluded that this was due to the low residual heat of the reactor at restartup and an excessive Auxiliary Feedwater System flowrate. To prevent core cooling from being even further accelerated, the operators requested authorization from the chief reactor operator to inhibit safety injection for "very low cold leg temperature". This protective action is provided to deal with situations resulting from the inadvertent opening of a steam dump valve, which corresponded to reality.
The protective action activates both the safety injection system and the auxiliary feedwater system at full flow, which would have caused even faster cooling. It also closes the main steam isolation valves, which would have brought the situation to an end by isolating the secondary system upstream from the leak. The chief reactor operator, busy with other problems, gave his consent, knowing that the boron concentration in the primary water was not far from that required under cold shutdown conditions. He also asked the operators to identify the causes of steam consumption in the system.
Since the fast cooling continued, the operating team inhibited a second safety injection actuation order for "very low pressurizer pressure". To do this, they used a procedure which is valid under normal operating conditions but not during an incident transient. It took 50 minutes to identify the non-closure of the bypass valve, which was closed 30 minutes later. At no point was the safety engineer, who was on the site, called to the control room, because the signals indicating that his assistance must be requested had not appeared (scram notably). The initial incident (failure to close of a condenser steam dump valve) is covered by those presented in the safety analysis reports. The possible consequences are reverting to criticality accompanied by boiling in the primary system water near the fuel element associated with the most reactive control rod assumed to be jammed in fully withdrawn position. The actual occurrence was less penalizing than that considered in the safety studies, since both the steam dumping flowrate through the valve and the residual heat were lower. In addition, at the beginning of the cycle, the reactivity coefficient related to the moderator temperature is much lower than at the end. So fuel degradation hazards were slight. The main significance of this incident resides in the inhibition of safety devices under conditions where this should not have been authorized and, more generally, in the real time mismanagement of the situation, without consultation between the operating team, the chief reactor operator and the safety engineer. The loss of time before it was reported is a further indication of problems in this respect. Apart from repair of the faulty valve, corrective measures in this case were more concerned with plant organization, working methods and responsibility sharing.
26.2. Latent nonconformances revealed by inspections

26.2.1. Containment sump nonconformances

The containment sumps collect water from the primary system in the event of a piping break or following use of the containment spray system. The water collected is then reused by the containment spray system, which cools it, and by the safety injection system which returns it to the core for fuel cooling purposes. Two types of sump nonconformances have been identified (Fig. 26.3.).
Fig. 26.3. Containment sump filter nonconformances.
The first concerns the filters screening solid particles of a size liable to cause damage to the different water circulating pumps. Misassembly of most of the 1300 MWe unit sump filters had resulted in failure to remove this type of particle. This was discovered entirely by chance. In addition, the time required to deal with this nonconformance at all plants evidenced serious shortcomings in the implementation of operating feedback procedures. The second concerns the paint on the sump walls, which tended to flake. These paint flakes could obstruct the containment spray nozzles and the safety injection system filters. The filters concerned were modified, the sump walls were repainted. However, these nonconformances were significant since they indicated possibilities of safety injection and containment spray system failures able to affect both trains of these systems simultaneously.
26.2.2. Risk of common mode failures related to equipment lubrication Many incidents or faults identified during periodic tests reveal possibilities of simultaneous failure of safety system redundant train equipment due to lubrication problems. An example of such problems is the case in 1991 where incompatible lubricant greases were used at Gravelines-1, causing the successive unavailability of both pumps on the residual heat removal system, which was operating at the time. At Saint Alban-2, an abnormal noise, due to the same cause, was observed on a low head safety injection pump during periodic testing. Investigation evidenced a mixture of incompatible greases on a pump bearing. Examination of these pumps on both safety injection system trains at the two St. Alban units revealed the same lubrication error. Another lubrication problem was identified when three liters of oil were sampled from each LHSI pump lubricant pan at Bugey-2 in 1991. The periodic oil quality check made by the pump manufacturer required sampling of three liters of oil, whatever the pan capacity. For the two pumps concerned, three liters were removed from a total of five liters and the corresponding work sheet made no provision for replacement of the oil removed. The technician consulted the competent department and added the requisite lubricant, despite the omission in the work sheet. These documents were then modified accordingly for all pumps concerned.
26.2.3. Site endurance tests Further to vibrations observed on the containment spray system pumps at startup of the first 1300 MWe units, a 2000 hour endurance test was performed on a pump of this system at St. Alban-2 in 1985 (Fig. 26.4.). Endurance tests are performed on prototype equipment at the supplier's works, but are not always representative of actual layout and operating conditions. For protection purposes, the elements of this vertical pump were installed at two different levels, more than four meters apart. The tests revealed a phenomenon which could jeopardize the long term reliability of these pumps: uplift of the electric motor rotor caused by the thermal expansion of the pump body upon intake of hot water. But in the event of a loss of coolant accident, the sump water temperature can reach 120 °C. The problem was solved by design modification, implemented on all sites concerned.
Fig. 26.4. Containment spray system pump.
In 1992, low pressure suction tests were performed on the Fessenheim-2 LHSI pumps. These tests, requested in the context of the periodic safety review of these units, were scheduled to last longer than the periodic inspection tests (30 minutes). They revealed vibrations exceeding the amplitudes requiring pump shutdown after a 5-hour period to reach thermal equilibrium. The longer test period was necessary to evidence the vibrations, which were not apparent during the 30-minute periodic tests. This equipment would of course be required to operate for much longer times in the event of a primary piping break. Operating conditions for these pumps in other 900 MWe units are similar. The tests failed to corroborate EDF's explanatory assumptions but confirmed the satisfactory behavior of the motors under degraded vibratory conditions. This example highlights the importance of sufficiently long site test periods, which has long been a subject of concern at the IPSN. For the first N4 units, EDF accordingly ran 1500-hour tests on the safety injection and containment spray pumps and 1000-hour tests on a diesel generator.
26.2.4. Primary pump thermal barrier failure hazards Since 1990, a systematic inspection program has been implemented to check for defects reported on plants abroad. It revealed cracking on both inner and outer surfaces of protective casings on the 900 MWe primary pump shaft thermal barriers (Fig. 26.5.). These casings protect the pump shaft cooling coils, which are supplied with water from the Component Cooling System and limit heat exchanges with the primary system water. The water in the Component Cooling System circulates under a pressure of 7 bar and the cooling coil is designed to withstand the pressure in the primary system, but this is not the case for the rest of the system. Failure of a protective casing could result in damage to the cooling unit within, resulting in circulation of water at 155 bar to the Component Cooling System. However, it was by no means certain that the Component Cooling System isolation valves would function correctly under these beyond design basis conditions. At the request of the safety authorities, these isolation valves were tested. Generic defects were observed on some check valves which remained jammed open. So failure of a protective casing could result in a primary system pipe break with a maximum leak rate of 72 m3/h.
Fig. 26.5. Primary system pump thermal barrier.
Elements of nuclear safety
It is important to note that the primary system break would have occurred outside the containment, creating a containment bypass. Complementary surveillance and modification programs for these devices were implemented accordingly.
26.2.5. Vessel level sensor requalification nonconformances

Devices measuring the water level in the reactor vessel and the margin to boiling are essential for application of the state-oriented procedures gradually introduced on the 1300 MWe units. There is no way of mitigating the consequences for reactor control if these data are inaccurate or unavailable. For the 1300 MWe units where event-oriented procedures are used, supplemented by the SPI and U1 procedures, these measurements are still indispensable for application of the latter two procedures. During the restartup tests after each refueling outage, these two measuring devices, grouped under the name of "core cooling monitor", have to be requalified. This takes place in four stages:
• testing the thermocouples measuring the reactor core water temperature at 60 °C, 180 °C and 297 °C
• checking calibration of the six level sensors in four level, temperature and pressure configurations
• recording data supplied for normal cold shutdown at 25 bar and hot shutdown at 155 bar for all possible operating configurations of the reactor coolant pumps (16 configurations)
• insertion of the corresponding parameters in the core cooling monitor software after manual transposition calculations.
Two nonconformances concerning this equipment were reported as significant incidents. The first concerned Paluel-2 in 1993. A calculation error and the insertion of erroneous parameters were only discovered after 25 days, by a second level check performed by Framatome. In addition, fallback conditions were only obtained two weeks later. So application of the SPI and U1 procedures could have resulted in inappropriate actions during a period of 40 days. The second concerned Cattenom-3, where straps used for certain measurement sequences remained installed for 6 hours. They had not been listed as special devices and resources. They were discovered by chance when their presence hindered another manipulation.
During a surveillance inspection at Penly, the core cooling monitor requalification conditions were examined. This operation was systematically performed by Framatome.
As a servicing contractor, Framatome has the highest qualification level because of its quality organization. It was in fact this company which detected the errors at Paluel during a second level internal inspection. EDF had then made no provision for a real time test on the work performed by this company but had simply requested an administrative follow-up and sample testing. In fact, the operating utility is still not very well equipped for site operations in this delicate area. This type of nonconformance prompts both technical analysis of the resources available for measuring device requalification and discussion of the organizational modifications to be made by the operating utility to enable it to assume full responsibility with regard to site work performed by its subcontractors at all levels.
27. Periodic safety review
As far back as 1978, EDF and the French safety authorities had undertaken a safety review* of all nuclear power reactors which had been operating for more than 10 years. This work corresponded, not to compliance with regulatory requirements, but to a policy implemented by the safety authorities, formalized in a decree in 1990, amending the 1963 decree concerning nuclear installations. This document sets out for the first time a precise regulatory basis for "safety reviews": "The ministers in charge of industry and the prevention of major technological risks may jointly request the operating utility to proceed to a plant safety review at any time."
The Chinon A2 and A3 units, the Ardennes plant (Chooz A), together with the Saint-Laurent-A1, Saint-Laurent-A2, Bugey-1 and Phenix units were successively reviewed between 1978 and 1988 (Table 27.1.). This is a series of fairly different types of plant, listed in Appendix C and connected to the grid between 1965 and 1973. Except for the Phenix reactor, all these installations have since become economically obsolete and are now decommissioned.

Table 27.1. First French reactor safety reviews.

Reactor          Type   Startup   Review       Decommissioning
Chinon-A2        GCR    1965      1978         1985
Chinon-A3        GCR    1966      1983-1984    1990
Chooz-A          PWR    1967      1983         1991
St Laurent-A1    GCR    1969      1984         1990
St Laurent-A2    GCR    1971      1985-1986    1992
Bugey-1          GCR    1972      1984-1988    1994
Phenix           FBR    1973      1986         -
* The term "reassessment" is still often used in this context. In current usage, the term reassessment is only used in cases involving new elements, whereas review designates more systematic measures.
Certain safety aspects of these plants had, of course, already been reviewed, notably further to incidents. But these examinations lacked the overall character of the process under discussion. Chooz A was the first PWR unit to undergo a safety review. Owing to the considerable differences between the original design basis of this unit and current criteria, the review focussed mainly on the engineered safety systems and post-accident operating resources. It resulted in substantial improvements to operating documents and to installation of a new auxiliary steam generator feedwater system.
27.1. Safety review methodology

Application of this practice to the first six 900 MWe PWR units at the Fessenheim and Bugey plants, sometimes referred to as the CP0 standardized series, was on a totally different scale. These plants are more recent than those previously mentioned and are similar to the other 900 MWe units, the last of which were commissioned in 1987. They still have a long life span before them, since they went critical between 1977 and 1979. The Fessenheim and Bugey plant safety review represents a vast amount of work undertaken over a period of nearly 5 years, which does not include the actual implementation of decisions made towards the end of the period. It began with a discussion of the aims and limits of the practice, providing useful guidelines for subsequent reviews.
27.1.1. Aims of safety reviews

As we have seen in previous chapters, plant safety assessment is a continuous process. The changes in safety approach related to the consideration of complementary operating conditions and the integration of severe accident procedures and resources have led to modification of all plants. Operating feedback from France and abroad and analysis of incidents reported have also resulted in the continuous adaptation of French plants. In this connection, we have only to look at the lessons learned from the Three Mile Island accident or the definition of technical operating specifications for shutdown conditions. A plant safety review is consequently complementary to the continuous safety enhancement process. It provides an opportunity to identify aspects not dealt with in the latter context. The idea of a plant safety review after about 10 years of service life has much in common with that underlying the regulatory 10-yearly complete
overhaul of the main primary system, required by the regulations specific to these components. The main aims are as follows:
• obtain a complete operating record covering a significant period, integrating in-service inspection results and accounting for the various transients undergone by the main primary system ("situations"), enabling notably comparisons with the design basis data;
• compare the current safety level with the anticipated design basis level. This would be a qualitative appraisal;
• make sure that the operating feedback process is systematically applied;
• ensure that general know-how advances have been put to good use and that the continuous analysis and follow-up of plant safety has been effectively carried out;
• identify aging factors which could justify surveillance program modifications or even curtail plant lifetime;
• identify significant design differences adopted for more recent units with respect to a reference model;
• estimate the safety feasibility and interest of any modifications to plants or operating procedures, derived from the above comparison.
An additional objective of EDF was to stabilize the plant safety reference as at the end of each review, in order to prevent a continuous process, involving numerous modifications, from having a negative safety impact. The safety review of an old plant does not mean requiring it to comply systematically with the most recent safety practices, but implies determining under what conditions it could continue to operate. The safety characteristics of the most recent 900 MWe units, modified as provided for at the beginning of the review (Chinon-B4, end of series unit, with the batch 93 modifications), were selected as the reference basis for review of the earliest 900 MWe units.
27.1.2. Elements likely to have changed

The plants under review had all been subjected to the regulatory authorization procedures in force at the relevant periods and had consequently undergone a safety assessment. The purpose of the review is to identify factors liable to modify the conclusions of these assessments. This leads us to the five areas discussed below.
27.1.2.1. Regulations and regulatory practice

In most cases, changes to regulations or in regulatory practice explicitly exclude systematic retroaction, but there is nothing to prevent assessment of the discrepancies with respect to the new texts in force.
27.1.2.2. Safety objectives and options

Many changes have been seen in specific safety objectives and options as the successive standardized plant series were defined. In particular, the list of external hazards and the ways of dealing with them differ from those defined for the first 900 MWe PWR units. Also worth noting are the inclusion of complementary operating conditions, the introduction of a state-oriented approach or the preparation for severe accident management. We have also drawn attention in previous chapters to the reclassification of equipment or the qualification of certain items for operation during or after an accident situation.
27.1.2.3. Operating feedback and enhancement of know-how

It would, of course, be superfluous to dwell on the merits of operating feedback, but it is worth noting that safety study advances do not necessarily lead to larger safety margins but often simply clarify their demonstration. As tools are perfected, these margins may even, in some cases, be reduced. A characteristic example would be the changes which have taken place in reinforced concrete structure design methods, where substituting the elastoplastic for the elastic structural design field enables reduction of the real margins, which were also better understood. As regards aging, the main difficulty is to ensure that phenomena are accurately identified and monitored. Feedback on simulator training for operators also provides much useful information, since the difficulties evidenced during accident situation simulation have, fortunately, not been experienced on the sites themselves.
27.1.2.4. Plant modifications

Many safety policy changes have, of course, led to plant modifications. In harmony with the underlying homogeneous plant population approach, this modification program resulted in definition of an "end of series condition" for the CP1 and CP2 series of 900 MWe units, aimed at limiting but not precluding subsequent modifications. For the Fessenheim and Bugey plants, the modification program was aimed at upgrading, adapted to the specific characteristics of these plants. These programs have already resulted in considerable changes to the plants, but without obliterating the main design differences between the first 900 MWe plants (Fessenheim and Bugey) and the 28 units which followed (CP1 and CP2 standardized series).
27.1.2.5. Plant environments

We have discussed the revised approach to dealing with external hazards and the accompanying new investigations. Apart from these changes in practice, it is also important to appraise changes in the environment itself and in our knowledge of it. This may concern a wide range of topics, from air traffic density to transport of explosive substances and seismic hazards.
27.2. Fessenheim and Bugey plant safety reviews

It was theoretically possible to undertake an entirely new safety analysis for these units, as if for a new standard series. But the results would doubtless not have justified the means deployed. On the other hand, it was essential that no important topic be overlooked. An overall approach had consequently to be adopted. So the review started with a fairly wide range of topics, followed by gradual pruning where justified, using the CP1, CP2 standardized 900 MWe unit "end of series condition" as the reference model. Twelve main topics were initially selected by EDF after discussion with the IPSN:
• general principles
• accident analyses
• external hazards
• internal hazards
• engineered safety systems
• main primary system
• secondary system
• auxiliary systems
• containment
• instrumentation and control
• reactor vessel internals
• general operating rules.
On the other hand, it was not deemed appropriate to change the accepted analysis procedure for "generic" problems affecting all plants. This is the case, for example, for the technical operating specifications, where the periodic revisions concerning Fessenheim and Bugey are adapted to those of the other 900 MWe units and regularly analyzed prior to approval by the DSIN, and for the Internal Emergency Plans or the aging monitoring procedures dealt with in the context of the Life Span Project.
27.2.1. Methods and means

Initially, no summary report was issued on the 900 MWe plant probabilistic safety assessment, which in fact only partially applied to Fessenheim and Bugey. Probabilistic assessment methods were consequently little used for the safety review of these plants. The 10-yearly outage, on the other hand, used to obtain a health check on the main pressure vessels and the reactor containment, also provided an opportunity to rerun and supplement certain overall functional tests. This is a source of more exhaustive data and a way of ensuring consistency between modifications made at different times. These tests also facilitate cross-checking between overall plant dynamics tests and system requalification tests, together with the smaller scale periodic tests. So the approach is mainly based on the deterministic design strategy and comparison with a specific CP1, CP2 900 MWe series plant condition, assisted where necessary by assessment of probability-consequence pairs for certain specific problems. Some safety problems of which the authorities had been aware since initial startup of the plants were only dealt with in the context of the Fessenheim and Bugey safety reviews, rather than in that of operating feedback. The most characteristic example is the direct Rhone or Rhine water supply to the containment spray system exchangers, with no intermediate system. No incident had occurred to call attention to this point, and the primary fluid's cooling function following a primary system break had never been invoked. This configuration nevertheless implies a possibility of direct transfer of radioactive substances to rivers in the event of loss of exchanger integrity in certain accident situations. This also applies to reassessment of seismic hazards and ways of dealing with them in plants built more than 15 years ago.
27.2.2. Scope of the review and examples of corrective measures

It is obvious that fundamental structural transformations, significantly modifying the civil works or restructuring major systems, are out of the question. Problems revealed by safety reviews tend to be solved by local or generalized palliative measures. It should be borne in mind that this approach had already been adopted for loss of redundant system situations. For example, the complementary H4 and U3* procedure resources enabling mutual backup between safety injection and containment spray

* See Section 11.4.
pumps or water injection in the core by external devices had been permanently installed at the units concerned prior to the review under discussion. This is not so for the CP1 and CP2 standardized 900 MWe units, where mobile devices are used. This emergency core cooling scheme could offset various types of engineered safety system inadequacy. In what follows, we discuss the main implemented or planned transformations. They derive from the EDF analysis, possibly supplemented by IPSN requests, which may have been either directly accepted by the operating utility or transmitted via the DSIN after discussion during the many meetings held by the Standing Group for reactors on the subject of the Fessenheim and Bugey safety review.
27.2.2.1. Protection against external and internal hazards

Reassessment of seismic hazards

The Maximum Historically Probable Earthquakes (MHPE) for the Fessenheim and Bugey sites were reassessed in the light of the new seismotectonic map of France and of earthquakes previously disregarded because of inadequate available data (notably the 1356 earthquake at Basel in Switzerland), in compliance with the procedure proposed in Basic Safety Rule I.2.c. For the Bugey site and deep earthquakes affecting the Fessenheim site, the bounding case resonator response spectra for characteristic MHPEs fall within the corresponding spectrum range for the Safe Shutdown Earthquakes (SSE) adopted for plant design. But Section 2.1.3 of Basic Safety Rule I.2.c stipulates that a margin of one unit in intensity (MSK) between the MHPE and the SSE of a site "can, in certain cases, cover reassessment of the MHPE or its spectrum, in the light of new methodological or local historical data which may become available during the plant construction or operation. Should this occur, the administrative authorities reserve the right to request as the need arises all complementary assessments deemed necessary of the available safety margins and possibly the installation of certain complementary devices". With regard to Fessenheim nearby earth tremors, the possibility of the design basis spectrum being exceeded for frequencies higher than 5 Hz was investigated in 1976 for the electrical building and resulted in local reinforcements. The MHPE spectrum corresponding to earthquakes near this site is amply bounded by the spectrum, abundant in high frequencies, used for these investigations. Discussion and assessment of available documentation is continuing for the other buildings. On the other hand, considering an earthquake as a credible event and not a load combination implies examining the possibilities of safety classified equipment (designed to withstand the relevant design basis earthquakes) being damaged by non-classified equipment. This led to a number of further measures. As indicated in Chapter 7, inclusion in design basis data of earthquakes as incident or accident initiators was not formally requested until the 1400 MWe standardized series. Examples of precautions taken are the instructions given to operators to interlock handling equipment in parked position when not in use. Checks on the seismic resistance of certain non-classified equipment supporting elements also led to reinforcements.

Protection against offsite flooding hazards

The Fessenheim site is located below the Alsace Canal, where the water level is 9.5 m higher than the site ground level. This is therefore an exceptional case, resulting from incomplete investigation of site related hazards when the plant was designed. Procedure H5*, intended to protect plants on the banks of the Loire river against offsite flood levels exceeding design provisions, stipulates notably that, in such circumstances, the plant units should be shut down and leaktight blank-off devices installed in all places where water could enter the buildings. The procedure allows for normal periods of time for flood water swelling or arrival of a flood wave after failure of a dam located at a sufficient distance upstream from the site, but does not apply to the Fessenheim units. Failure of the nearest dike upstream from the site is not included in the design basis data. Its mechanical strength is consequently crucial and must be checked, taking into consideration the reassessment of seismic hazards, the aging of the dike structures and any modifications they have undergone. Its seismic resistance has been checked during previous safety inspections.
However, the consequences of water infiltration in the earth lifts between the surveillance points must be checked under nearby earth tremor conditions, as also must certain specific areas where piping runs have been added.

* Cf. Sections 10.4 and 11.4.

Fire protection

Further to generic fire hazard studies, an extensive program was implemented aimed at improving protection in this respect at the Fessenheim and Bugey plants. It comprised:
• redefinition of the fire areas to improve the separation of redundant train equipment
• identification and handling of cabling common point problems, after compiling a cable file indicating cable routing through the installation
• renovation of passive and active protection devices, such as doors, wall and floor openings, fire stop panelling and seals, together with the water spraying equipment.

Protection against onsite flooding hazards

Whatever the origin of onsite flooding, provisions as to surveillance, exhaust systems, retention pits and raised mounting bases should be such that the reactor can be shut down and held in a safe configuration and that any radiological consequences can be limited. Examination of the Fessenheim and Bugey plants led to corrective actions, such as the reworking or repair of flange seal faces and cladding and the clearing of floor drains. Certain sills were raised and additional alarms were installed for sump water detection.
27.2.2.2. Equipment and structure classifications

A comparison between the classifications adopted for the Fessenheim and Bugey equipment and structures and those of other 900 MWe plants allowed EDF to identify discrepancies, the most significant of which concern the residual heat removal system and the component cooling system. The first of these systems is designed to withstand an SSE and the second 50% of SSE loads. The component cooling system is moreover located in a building which is not seismic classified. The result is that a priori the residual heat removal system cannot be considered capable of fulfilling its function after occurrence of a moderate earthquake. Corrective measures could be required.
27.2.2.3. System modifications

Containment spray system heat exchangers

In the design adopted for the plants built in France, the containment spray system heat exchangers remove residual heat in the event of a major primary break. At the Fessenheim and Bugey plants, these heat exchangers are directly cooled by Rhine or Rhone water. They thus form the only barrier between the river water and water which, after a loss of coolant accident, would be carrying substantial quantities of radioactive products from the containment
spray system. In all later plants, the containment spray system is cooled by the component cooling system, itself cooled by offsite raw water. The Fessenheim and Bugey plants are also equipped with a similar system, but isolation with respect to the river water is only assured for systems used under normal operating conditions. The installation of such a system could have been recommended for the containment spray system heat exchangers, but owing to the technical difficulties involved, EDF preferred a solution which was less satisfactory as regards principle, but nevertheless deemed acceptable. It consisted in using heat exchangers where raw water circulates in 1 mm thick titanium tubes. These exchangers are so designed that, in an accident situation, leakage risks would be diminished by the slight lengthwise compression of the tubes. They can be entirely eddy current inspected and are easy to clean on the raw water side. In addition, raw water activity monitoring downstream from each exchanger has been improved, so that leaks would be detected and the contaminated train isolated. After a fairly short period, a single heat exchanger is sufficient to remove reactor core residual heat, which rapidly decays. The advisability of automatic isolation of the polluted train was discussed, but the risk induced by inadvertent isolation of a safeguard system was deemed to exceed the benefit to be gained by automation.

Automatic switchover to recirculation

In the event of a major primary break, core cooling is first assured by injection of water from the reactor cavity and spent fuel pit cooling and treatment tank. When the low point in this tank is reached, the safety injection and containment spray pumps it is supplying must take suction in the containment sumps, which collect water leaking from the primary system or resulting from containment spraying. At Fessenheim and Bugey, this pump suction switchover was actuated by the operating team.
However, owing to the possibility of human error in this context, it was decided to automate this action, bringing it into line with the other PWR plants.

Application of the single failure criterion

When the Fessenheim and Bugey plants were designed, the principle of redundancy of safety related systems was not so stringently applied as for subsequent plants. When the Fessenheim and Bugey plant structural features were examined in relation to application of the single failure criterion as defined in Basic Safety Rule I.3.a, released in 1980, the following modifications were
made: the containment atmosphere monitoring system fans were duplicated, as also was the low head safety injection system suction line. On the other hand, it was considered acceptable to have only one valve regulating suction for the residual heat removal system, because it is possible to offset refusal of this valve to open by maintaining cooling via the steam generators. As is clear from the previous examples, appraisal of the degree of risk influences decisions, which are not solely based on strict application of regulatory or para-regulatory texts.

Other system modifications

The engineered safeguard systems comprise a certain number of manually-operated valves which, if held in closed position, can render these systems unavailable. Those valves which were not required for operating purposes were consequently eliminated and the others were equipped with position indicators with control room display. In addition, operating feedback on the Bugey turbine-driven auxiliary feedwater pumps led to their replacement by pumps identical to those equipping the other 900 MWe plants.
27.2.2.4. Preparation for severe accident management

We have already mentioned that the Fessenheim and Bugey plants are permanently equipped to implement the complementary ultimate H4-U3 provisions for core cooling in highly disturbed situations. Another specific feature of the two Fessenheim units is the shallower base mat. A survey is proceeding to investigate the possibility of installing refractory materials in the reactor pits of these units to delay base mat penetration in the event of a core melt accident.
27.2.3. Expected final result

The various changes implemented further to the Fessenheim and Bugey plant safety reviews should bring their safety level closer to that of the other 900 MWe units. This should facilitate subsequent inspections and simplify the introduction of any further changes which could be adopted during safety reviews on other 900 MWe plants.
27.3. Safety review of the CP1 and CP2 standardized 900 MWe plant series

Safety review of these plants started in 1993, covering 28 units, the oldest of which went critical in 1980 and the most recent in 1987. The main difference between the CP1 and CP2 series is the plot plan. In the 18 CP1 units, the turbogenerator is tangential to the nuclear island and in the 10 CP2 units, it is perpendicular.* As in the Fessenheim and Bugey plants, the units are in pairs, with certain ancillary equipment in common. For this safety review, good use is made of experience acquired during the previously implemented Fessenheim and Bugey review, which is in its final stages. Relevant data has also been provided by the probabilistic safety assessment which directly concerns them. From the safety standpoint, the design of these units was more advanced than that of the Fessenheim and Bugey plants, implying a narrower gap between the design objectives considered and current practice. In addition, all the CP1 and CP2 units have been extensively upgraded and the reference model for the generic part of the review is the last pair of units to be commissioned.
27.3.1. Organization of the review

The review procedure adopted comprises three stages, providing appropriately accurate answers to the following three questions:
• what was the intended design basis safety level for the CP1 and CP2 900 MWe plants?
• what is the actual safety level of each of these units as compared with the intended level, and what has to be done to bring these two factors into line?
• how should the intended safety level for these plants be upgraded?
The answer to the first question constitutes the "safety requirement system of reference". The second question will be answered by a "conformity review". The improvements to be made will be determined on the basis of "assessment of the safety requirement system of reference". However, this separation into three stages is somewhat theoretical and it is already obvious that in the work procedures implemented to obtain clear-cut answers, these questions may be intermingled.
* Cf. Chapter 9 and Appendix C.
27.3.1.1. Definition of the "safety requirement system of reference"

The safety requirement system of reference proposed by EDF was submitted to the DSIN in 1994. It comprises several different kinds of text:
• regulatory texts (decrees, orders, circulars)
• basic safety rules
• safety analysis reports and general operating rules
• the sets of design and construction rules for PWR plants
• documents complementing the safety analysis report.
It is, of course, of prime importance to identify the version of each document submitted in this context. The part of the system of reference concerning plant design comprises the following main headings:
• regulatory texts concerning release, radiological protection and quality
• regulatory texts and associated documents
• natural external hazards (earthquakes, offsite floods, exceptional weather conditions, etc.)
• other external hazards (plane crashes, missiles which could result from accidents affecting the turbogenerator, industrial environment, communication routes)
• internal hazards (possible internal missiles in the reactor building, pipe breaks, onsite flooding)
• fire protection
• equipment qualification
• operating condition studies (study rules and postulates, main primary system "situations", assessment of radiological consequences)
• overall system design
• system by system design
• equipment classification
• waste and effluents
• radiological protection
• probabilistic studies
• severe accidents.
The part of the system of reference concerning plant operation comprises the following headings:
• regulatory texts concerning release, radiological protection and quality
• that part of the general operating rules which may not be modified without the prior approval of the DSIN (technical operating specifications, incident or accident procedures, inspection and periodic test program for safety related equipment)
• the internal emergency plan
Elements of nuclear safety
All these reference documents are currently being assessed by the IPSN analysts, who are already well acquainted with many of them. So the first step consists in checking that they cover the entire field required for the constitution of an exhaustive system of reference, including notably all data on manufacture, assembly, initial inspections, startup tests, modifications and operating feedback. This also provides an opportunity to check that all requests notified by the safety authority and applicable to all the plant units considered have been duly taken into account in the reference documents drawn up by EDF. With the set of reference documents defined, EDF encloses a "reference installation condition" description corresponding to the "end of series condition", together with a set of common additional modifications, known as "batch 93".
27.3.1.2. Conformity review

EDF intends to proceed to the conformity review of the various CP1 and CP2 units from two complementary angles:
• pursuance of the safety demonstration in fields where the principles laid down in the reference documents still have to be supplemented by a detailed analysis of the application of these principles
• issue of a bill of health and conformity for the entire plant population concerned and for each separate unit.

Pursuance of the safety demonstration
Listed below are a few characteristic examples of work planned in this connection:
• a detailed study of equipment classifications, notably defining the limits of safety related systems and resulting in an exhaustive document on all safety related equipment
• reassessment of seismic hazards for certain sites in the light of new data and, in certain cases, of offsite flood risks, taking into account large new reservoirs recently built upstream from the site
• demonstration of the adequacy of provisions with respect to possible water infiltration paths in the event of internal flooding in certain nuclear auxiliary building rooms or between the turbine building and the nuclear island
• revision of the operating condition studies to include the long term management phase and the complementary operating conditions, with calculation of the associated radiological consequences
• updating of the present level 1 (core meltdown) probabilistic safety assessment by inclusion of the modifications corresponding to the reference condition and of a more exhaustive description of shutdown states, together with a revision of the most sensitive reliability data based on the bill of health and conformity.
This phase can give rise to further updating of standard safety analysis reports and of documents specific to each unit, and consequently of the system of reference itself.

Bill of health and conformity
Under this heading are to be found data which, in some cases, are specific to a given unit. The bill of health and conformity can provide an opportunity for updating reliability data for certain equipment used in the probabilistic safety assessment. It will also result in an overall review of operating feedback over a long period, whereas the present periodic examinations assess an end-result over successive periods of 2 to 3 years. This should clarify certain poorly understood repetitive problems. These new result reports would also improve the biennial safety reports already established by EDF. Other questions, such as safety improvement in shutdown situations, are dealt with elsewhere and are the subject of assessments carried out in parallel with the CP1 and CP2 plant safety reviews. In addition to certain more frequent but more limited examinations, the purpose of the 10-yearly outage programs is to check the soundness of major systems, such as the main primary system and reactor containment of each plant unit. The conditions of the 10-yearly outages also enable functional tests to be performed, much resembling certain startup tests. These tests are used to confirm that the various parameters remain within the bounds of the design basis postulates. End-result reports on the temperature and pressure transients to which primary system components have been subjected (the "situations") also provide a basis for comparing forecasts with reality over several hundred reactor-years.
However, although the overall result is of interest, all cases specific to a plant unit obviously have to be dealt with separately. This is also the case for radiological reports.
27.3.1.3. Assessment of the safety requirement system of reference

The 900 MWe plant safety requirement system of reference will be compared with the design and construction rules for the 1400 MWe plants (series RCCP 1400) in the fields covered by this document, and with the associated complementary or clarification texts. However, certain important issues are not covered there. These include notably provisions for severe accident management, the risks specifically related to shutdown periods, and the general operating rules. The documents sent by the DSIN on these subjects will be used, in this case, to complete the comparison.
27.3.2. Use of probabilistic safety studies As decided at the outset, the two probabilistic safety assessments carried out respectively by the IPSN for the 900 MWe plants and by EDF for the 1300 MWe plants were exchanged so that the two organizations could make use of both assessments for their own purposes. EDF can thus use the 900 MWe plant assessment to corroborate its safety demonstration.
27.3.2.1. Using the probabilistic assessment for conformity reviews

The following procedure was proposed by EDF for using the 900 MWe plant probabilistic safety assessment in the context of the CP1 and CP2 plant safety review:
• use 5 × 10^-5 per reactor-year as the reference value, this being the core meltdown probability computed in 1990 under the conditions adopted at that time (therefore excluding internal and external hazards)
• check that this value is not exceeded after updating and inclusion of all reactor shutdown states
• use a value ten times lower (5 × 10^-6 per reactor-year) to assess scenarios liable to result in significant release to the environment requiring emergency action for population protection.
It has to be borne in mind that no probability reference was determined at the design stage and that the safety authority requests formulated in 1977 and 1978* applied to well defined scenarios. The references proposed by EDF are consistent with the values of the INSAG-3 document**.
*Cf. Chapter 11. ** Safety Series No. 75-INSAG-3, Basic Safety Principles for Nuclear Power Plants, report by the International Nuclear Safety Advisory Group of the International Atomic Energy Agency, 1990.
The updated 900 MWe plant probabilistic safety assessment shall take into account:
• changes in plant unit condition, using the reference condition defined for the safety review of these plants
• operating feedback, for updated figures on the frequency of observable initiators, the duration of the different operating states and the reliability data for the most sensitive equipment
• new data concerning phenomena liable to occur during shutdown states
• the most recent modifications related to heterogeneous dilution hazards and to failure of the residual heat removal system with the water level in the vicinity of primary piping mid-height (mid-loop operation).
EDF also intends to try to lower the annual core meltdown probability in the latter configuration to a value of about 10^-6 per reactor.
27.3.2.2. Use of the probabilistic studies to assess the system of reference

EDF is planning to use the probabilistic studies as guidelines in discussions on situations which could result in extensive radioactive release to the environment, and has accordingly undertaken a level 2 probabilistic safety assessment, which could facilitate appraisal of certain modifications. EDF has already proposed that the existing studies be used to re-examine all accident sequences culminating in core meltdown whose approximate annual probability of occurrence exceeds 10^-6. These sequences will, of course, be examined in the light of their possible consequences. Attention will be particularly focused on breaks leading to release outside the containment, core meltdowns under pressurized conditions, and reactivity excursions. Consideration will also be given to the uncertainties associated with the different sequences (human errors, models). Examination of probabilities, consequences and uncertainties will provide a basis for the safety classification of the different sequences. This will enable a more quantitative assessment of the advantages procured by design or operating improvements. The updated probabilistic survey will also be used to confirm or redefine the fallback configurations to be reached in the event of equipment unavailability, taking into account the computed core meltdown probability in these configurations. The general operating rules, and notably the fallback times or the test or maintenance frequencies for certain equipment, shall be considered in the light of the weighting factors defined in Chapter 20.
27.3.2.3. IPSN proposals

The IPSN, on the other hand, is not of the opinion that the approach proposed by EDF is such as to derive maximum benefit from all the data provided by the existing or updated probabilistic safety assessment. As indicated in Chapter 20, dividing the survey into a large number of sequences can be a disadvantage, since the computed probability of many individual sequences could be low enough for them to be considered negligible. Grouping sequences leading to equivalent consequences, such as core meltdowns under pressurized conditions, would provide a larger quantity of data and bring out the true importance of a particular item of equipment or operator action occurring in several sequences. As examples, we would mention the following sequences, some of which require operator implementation of feed and bleed techniques:
• loss of the auxiliary feedwater supply during an intermediate shutdown
• loss of the same system after failure of the main feedwater supply
• main feedwater pipe break
• steam line break
• steam generator tube break
• emergency shutdown failure during a transient where this should normally occur (ATWS).
The annual probability of occurrence of most of these sequences is less than 10^-6 per reactor. They could be disregarded in the approach proposed by EDF, whereas their annual probabilities combined amount to about 2 × 10^-6 per reactor. In addition, some of them can culminate in core meltdown under pressurized conditions or in direct release to the environment. Grouping according to different criteria could be useful, particularly according to the possible consequences for the containment (meltdown under pressurized conditions, direct outside release). Even from the standpoint of the EDF proposals, the threshold above which these sequences would be examined would have to be lowered by a factor of about 10.
Grouping sequences with points in common also shows that attributing importance factors to systems, components or human actions can convey a more comprehensive picture and influence examination priorities. It should not be forgotten that achieving theoretical absolute reliability for any one of about ten functions, systems or main components would reduce the computed core meltdown probability by between 19% and 5%, depending on the item*.
*Cf. Chapter 21.
The use of weighting factors also enables preference to be given to an approach featuring technical characteristics conducive to improvements which could be reasonably implemented instead of limiting efforts to the attainment of preset targets. The former approach would be much closer to the general safety policy adopted in France. So the realism of the postulates used to analyze loss of the safety injection and containment spray pump motor room ventilation system fans in the existing probabilistic safety assessment is worth re-examining in the light of complementary test data. For the other systems, there is no reason to call into question their design in general, but to seek efficient specific improvements, some of which are in fact under investigation or even ready for application, or operating procedure adjustments. In the case of the pressurizer valves and the automatic switch to a feed and bleed configuration, the main concern is to weigh up the feasibility, advantages and drawbacks of automating a delicate operation, which currently depends solely on the operators.
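The two readings of a level 1 probabilistic safety assessment discussed in 27.3.2.1 and 27.3.2.3 (the EDF per-sequence threshold, and the IPSN grouping and importance-factor approach, including the fallback-time question raised in 27.3.2.2) can be made concrete on a small sequence table. The following is an added example, not code from the book nor from EDF or IPSN. Every sequence, frequency, basic-event name and unavailability in it is constructed and hypothetical, chosen only to reproduce the orders of magnitude quoted in the chapter: six sequences each below 10^-6 per reactor-year whose sum is about 2 × 10^-6, and a total core meltdown frequency below the 5 × 10^-5 reference. The importance measures are the standard Fussell-Vesely fraction and the conditional frequency with one item assumed failed; the incremental risk budget used for the fallback-time illustration is an assumption, not a rule stated in the book.

```python
"""EDF per-sequence threshold versus IPSN grouping / importance factors
on a constructed, hypothetical level 1 PSA sequence table."""
from collections import defaultdict

# (sequence, annual frequency per reactor, consequence class, basic events
#  that must fail for the sequence to reach core meltdown) -- all constructed.
SEQUENCES = [
    ("Loss of AFW during intermediate shutdown", 4.0e-7, "pressurized core melt", ("AFW", "FEED_BLEED")),
    ("Loss of AFW after main feedwater failure", 5.0e-7, "pressurized core melt", ("MFW", "AFW", "FEED_BLEED")),
    ("Main feedwater pipe break",                3.0e-7, "pressurized core melt", ("AFW", "FEED_BLEED")),
    ("Steam line break",                         2.0e-7, "direct release",        ("SG_ISOLATION", "FEED_BLEED")),
    ("Steam generator tube rupture",             4.0e-7, "direct release",        ("SG_ISOLATION", "OPERATOR_COOLDOWN")),
    ("ATWS",                                     2.0e-7, "pressurized core melt", ("REACTOR_TRIP",)),
    ("Station blackout",                         1.2e-5, "low-pressure core melt", ("DIESELS", "ALTERNATE_POWER")),
    ("Small LOCA with RHR failure",              8.0e-6, "low-pressure core melt", ("RHR",)),
    ("Large LOCA with SI failure",               6.0e-6, "low-pressure core melt", ("SI",)),
    ("Loss of RHR at mid-loop",                  2.0e-6, "low-pressure core melt", ("RHR", "OPERATOR_MIDLOOP")),
]

# Hypothetical unavailability on demand of each basic event (system or operator
# action).  A sequence frequency is its initiator frequency times the product of
# these, so assuming an item "failed for certain" divides the frequency by its value.
EVENT_UNAVAILABILITY = {
    "AFW": 1e-2, "MFW": 1e-1, "FEED_BLEED": 1e-1, "SG_ISOLATION": 1e-2,
    "OPERATOR_COOLDOWN": 1e-2, "REACTOR_TRIP": 1e-5, "DIESELS": 1e-2,
    "ALTERNATE_POWER": 1e-1, "RHR": 1e-3, "SI": 1e-3, "OPERATOR_MIDLOOP": 1e-2,
}

EDF_CORE_MELT_REFERENCE = 5.0e-5   # 1990 level 1 result, per reactor-year
EDF_RELEASE_REFERENCE = 5.0e-6     # ten times lower, for significant releases
EDF_SEQUENCE_THRESHOLD = 1.0e-6    # EDF proposal: re-examine sequences above this
RISK_BUDGET = 1.0e-6               # assumed extra core melt probability allowed per unavailability


def total_core_melt_frequency(seqs=SEQUENCES):
    """Rare-event approximation: sequences are treated as disjoint and summed."""
    return sum(f for _, f, _, _ in seqs)


def sequences_above(threshold, seqs=SEQUENCES):
    """EDF reading: keep only sequences whose own frequency exceeds the threshold."""
    return [name for name, f, _, _ in seqs if f > threshold]


def frequency_by_consequence(seqs=SEQUENCES):
    """IPSN reading: add up sequences with equivalent consequences for the containment."""
    groups = defaultdict(float)
    for _, f, cls, _ in seqs:
        groups[cls] += f
    return dict(groups)


def fussell_vesely(event, seqs=SEQUENCES):
    """Share of the core melt frequency carried by sequences that need `event` to
    fail, i.e. the reduction obtained if that item were made perfectly reliable."""
    return sum(f for _, f, _, ev in seqs if event in ev) / total_core_melt_frequency(seqs)


def rank_events(seqs=SEQUENCES):
    """All basic events ordered by Fussell-Vesely importance, largest first."""
    events = sorted({e for _, _, _, ev in seqs for e in ev})
    return sorted(((e, fussell_vesely(e, seqs)) for e in events), key=lambda t: -t[1])


def core_melt_frequency_with_unavailable(event, seqs=SEQUENCES):
    """Conditional frequency when `event` is known to be out of service: each
    sequence that needs it is rescaled by 1 / P(event), the others are unchanged."""
    p = EVENT_UNAVAILABILITY[event]
    return sum(f / p if event in ev else f for _, f, _, ev in seqs)


def allowed_outage_days(event, budget=RISK_BUDGET, seqs=SEQUENCES):
    """Fallback time such that the extra core melt probability accumulated while
    `event` is unavailable stays within the (assumed) risk budget."""
    extra_per_year = core_melt_frequency_with_unavailable(event, seqs) - total_core_melt_frequency(seqs)
    return budget / extra_per_year * 365.0


if __name__ == "__main__":
    total = total_core_melt_frequency()
    print(f"total core melt frequency: {total:.2e}/reactor-year (reference {EDF_CORE_MELT_REFERENCE:.0e})")
    print("EDF threshold keeps:", sequences_above(EDF_SEQUENCE_THRESHOLD))
    for cls, f in frequency_by_consequence().items():
        flag = "  <-- above threshold as a group" if f > EDF_SEQUENCE_THRESHOLD else ""
        print(f"  {cls:<24} {f:.2e}{flag}")
    print(f"direct release total {frequency_by_consequence()['direct release']:.1e} "
          f"against reference {EDF_RELEASE_REFERENCE:.0e}")
    for event, fv in rank_events()[:5]:
        print(f"  {event:<18} FV = {fv:5.1%}")
    print(f"AFW out of service: {core_melt_frequency_with_unavailable('AFW'):.2e}/yr, "
          f"allowed {allowed_outage_days('AFW'):.1f} days")
```

On this table the EDF threshold keeps only the four large sequences and drops all six feed-and-bleed sequences, yet grouped by consequence the "pressurized core melt" class alone exceeds the threshold, and FEED_BLEED ranks as a single operator action worth several per cent of the total, which is the IPSN point. The conditional frequency with one item out of service is the quantity a fallback-configuration study compares against a risk budget.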
28. The international dimension
It is by no means our intention, under this heading, to discuss at length all the various implications of safety on an international scale. An overview of the status of research in this respect is given in Chapter 18. Other noteworthy aspects are discussed in the present chapter, including certain safety contingencies inherent to the Eastern European LWRs. At the outset, the implementation of nuclear programs in certain countries was basically autarkic, often coupling research into domestic nuclear power generation with various military objectives. Secrecy was consequently a necessity for strategic, political and commercial reasons. The prime aims of the International Atomic Energy Agency (IAEA), founded in 1957 under the United Nations Organization, were to promote the use of nuclear energy for peaceful purposes and to ensure that the aid provided was not misappropriated for military ends. As regards safety, in 1974 the IAEA began producing a set of basic standards and guides for the design and operation of thermal neutron nuclear power plants. This involved the provision of structures enabling plant designers and operators to work in close cooperation with safety authority representatives. As previously mentioned, the Three Mile Island 2 accident in 1979 considerably widened the scope of incident analysis and evidenced the advisability of determining which incidents were liable to give rise to more serious accidents. Further to this accident, the Nuclear Energy Agency (NEA), a department of the Organization for Economic Cooperation and Development* since 1958, decided to set up a system for the collection, analysis and circulation among members of information on particularly significant incidents affecting the nuclear installations of the countries concerned. This system has since been extended by the IAEA to all countries using nuclear power who wish to participate.
* The OECD currently groups all Western European countries, together with, notably, the United States, Canada, Australia, Korea and Japan.
More detailed safety exchanges have gradually developed between countries, on a one-to-one basis or in a wider context. For example, in 1972, France established contacts with the German safety organizations, since certain nuclear plants in each country were close to the common border. In 1976, a standing committee was set up comprising members from the safety authorities of both countries. Its first undertaking was a safety comparison between two nuclear installations of the same generation, Fessenheim in France and Neckarwestheim in Germany. This was followed by a safety comparison between the Cattenom and Philippsburg units, of more recent design and with a higher power rating. These joint efforts enabled each country to better understand the safety approach of the other and evidenced the equivalence of the overall safety levels adopted, despite the fact that targets were often achieved by different methods. Towards the mid-eighties, the IAEA decided to widen its scope by offering, notably to nuclear developing countries, services more directly focused on the plants themselves, involving the setting up of international teams trained not simply to examine documents, but ready to undertake onsite safety reviews under operating conditions when so requested by various countries. The first such services were provided by the OSARTs (Operational SAfety Review Teams), covering all components involved in plant safety under operating conditions, and the ASSETs (Assessment of Safety Significant Events Teams), concerning incident analysis. Other services have since been developed. In 1986, the Chernobyl disaster raised acute anxiety as to the safety of nuclear installations in the former Communist bloc. The political transformations which took place in these countries in the nineties enabled plants to be visited.
Initial concerns were in most cases confirmed, and programs were set up to provide assistance and the transfer of methodology or technology from the Western countries (including Japan). Finally, further to the international conference "The safety of nuclear energy - Strategy for the future", held in 1991 at the IAEA headquarters in Vienna (Austria), an international safety convention was drawn up. It has currently been signed by about sixty countries, which amply suffices for it to come into force. Its effective application in France dates from its ratification by the French parliament on June 26, 1995. This convention has been so devised as to ensure that the various states fully assume their responsibilities as regards safety. Surveillance is assured by a conference of the parties held at regular intervals to examine the cases submitted by the various countries in the context of this convention. Of course, these international developments in no way lessen the responsibilities of national operators and safety authorities.
We shall not discuss the activities of the various nuclear power plant operator associations, such as INPO (Institute of Nuclear Power Operations) in the United States, UNIPEDE (Union Internationale des Producteurs et Distributeurs d'Électricité) and WANO (World Association of Nuclear Operators). The latter, founded following the Chernobyl accident, is a statutory association of all nuclear operators worldwide. These organizations naturally deal with plant availability and efficiency, but also, to a considerable extent, with safety, and they facilitate mutual assistance between operators.
28.1. The IAEA standards and guides program

In order to be able to promote the use of nuclear energy for peaceful ends under good safety conditions, the IAEA produced in the mid-seventies a series of safety documents intended to serve as a world reference. The legal status of the IAEA is such that it is not in a position to impose application of these texts (except in exchange for its assistance). If this were otherwise, of course, it would imply a lessening of the liability of the States concerned, which would be contrary to basic safety principles. The organization of the IAEA documents is pyramidal. The most important are the Safety Fundamentals. The first such text, issued in 1993 as an introduction to the NUSS (NUclear Safety Standards) program of guides and standards, deals with the safety of nuclear installations. Further texts, concerning radioactive waste management and the safety of radioactive sources, are under discussion. Next come the Safety Standards, written earlier and covering five important topics:
• government provisions (reference 50-C-G)
• siting (50-C-S)
• design (50-C-D)
• operation (50-C-O)
• quality assurance (50-C-QA).
Each Safety Standard text is then explained in detail in ten or so Safety Guides by topic. Other documents give practical examples and advice on implementing the guides. These Safety Practices are more recent, but few are so far available. These texts explicitly concern only permanent land-based plants comprising a thermal neutron reactor. However, the drafting of these documents was complicated by the wide range of reactor types (pressurized or boiling light water, heavy water, graphite-moderated/gas-cooled, etc.) and the varied designs adopted by plant builders throughout the world. It was of course important that these texts, published under the auspices of an international organization, should not be simply descriptions of solutions adopted for a selected type of plant deemed satisfactory. Such an approach would obviously have distorted industrial and commercial interplay and could have created a difficult situation for installations differing from the standard selected. So France, like other countries, accepted full involvement to ensure acknowledgment of its own technical solutions. A stringent drafting and approval procedure was set up for the Safety Fundamentals and Safety Standards, involving notably an official consultation of Member States prior to approval of these texts by the Board of Governors of the IAEA. Most of the first texts submitted concerned plant unit design, whilst those dealing with plant operation betrayed the lack of experience prevailing at the corresponding period. So in 1986, the IAEA decided to revise the guides, bringing them up to date. The NUSSAG (Nuclear Safety Standards Advisory Group, a standing group of senior representatives of the regulatory authorities) gives the director-general of the IAEA an advisory opinion on questions concerning safety regulations for power or experimental civil reactors. Mention must also be made of another series of IAEA texts, drafted in a rather different context. In the aftermath of the Chernobyl accident, the director-general of the Agency set up another high level advisory group of experts, INSAG (International Nuclear Safety Advisory Group). It comprises about 15 members, who do not represent their countries of origin in this context, and publishes its discussion papers under its own responsibility.
To date, INSAG has published ten reports, the most widely acknowledged of which are INSAG-3, "Basic Safety Principles for Nuclear Power Plants", and INSAG-4, "Safety Culture". Much of the material used to present the defense in depth principle in Chapter 3 of the present document was drawn from INSAG-10.
28.2. The Incident Reporting System

In 1980, further to the Three Mile Island accident, the OECD Nuclear Energy Agency set up the Incident Reporting System (IRS) for the collection and circulation of data on incidents occurring in nuclear reactors in member states and liable to interest the international nuclear community. The OECD countries in fact operate 75% of the reactors in service worldwide, comprising over 300 plants. The NEA groups safety authority representatives and works with different plant operator organizations. Its activities are supervised by two committees, the CSNI (Committee on the Safety of Nuclear Installations) and the CNRA (Committee on Nuclear Regulatory Activities). This scheme does not of course entail forwarding to the OECD-NEA all "significant incidents" reported to the French safety authorities, nor receiving and processing all equivalent data from other countries. This would simply result in everybody being swamped in a mass of information, much of which has little safety relevance. Each country designates a national IRS representative, who selects incidents constituting constructive examples which could be beneficial to other countries. A selection scale devised jointly by the national representatives guides the selection criteria. The incident reports selected describe the circumstances of the event, its causes, its consequences and above all the safety lessons derived from it. Generic studies can also be included, concerning families of incidents which are minor when considered individually but taken as a whole can provide a vast amount of information on equipment. Fast notification by telex is used to ensure that no time is lost in informing the nuclear community of potentially serious difficulties or malfunctions liable to recur at other plant units worldwide. When a complete analysis is available, more detailed reports are sent. All the documents are transmitted in English, where necessary after translation by the NEA. Over the last few years, the IAEA has set up a very similar system for incidents affecting plants in non-OECD countries. Reports are currently exchanged, and discussions are underway between the OECD and the IAEA aimed at creating a single data bank which would also cover incidents on experimental reactors. At the present time, the OECD is still the official data source for member countries and the center for in-depth discussion of safety issues. At the end of 1995, the NEA-IRS data bank comprised 1,558 reports, to which must be added 380 reports received from non-OECD countries via the IAEA.
If we include the updates to these different reports, we arrive at a total of about 2,425 documents. 237 of these documents originated in France, which is a rather small proportion considering the size of the French plant population; this is partly due to the time required for drafting summary analysis papers usable by other countries. 880 documents were sent in by the United States, 188 by Japan, 138 by Canada and 88 by Germany. To date, 189 documents have also been received bearing the reference "Soviet Union". The development of the system is supervised by periodic meetings of the national representatives, which check the quality of the data transmitted and the technical upgrading of the computer systems used. These meetings also provide opportunities to discuss lessons learned by each country from difficulties encountered elsewhere. For example, work on the following problems in France was initiated or extended via this exchange procedure:
• inspection of the functional capacity of motor-operated valves
• sump filter plugging hazards
• leakage and corrosion hazards on safety injection piping
• thermal barrier cracking hazards in reactor coolant pumps.
More generally, the IRS data bank is consulted for each in-depth analysis of incidents or groups of incidents in order to widen the analysis scope. Working groups are organized, bringing together specialists from NEA member countries to study matters of general interest on the basis of series of incident reports, calling into question both technical aspects and human factors. Several studies were performed, for instance, from this standpoint on incidents occurring during refueling and maintenance outages. The confidence patiently built up between the NEA member countries has led to extremely frank exchanges, even on delicate subjects. This is not yet the case in the much wider context of IAEA meetings, although some progress is apparent in this respect. These exchanges confirm that where plants and operating modes are equivalent, much the same difficulties are encountered in the different countries concerned.
28.3. French-German comparisons

Relations between the German and French safety organizations began in 1972, soon after ratification of the decision to build the Fessenheim power plant on the French bank of the Rhine. These ties have continuously strengthened: since 1993 a representative of the German safety organizations has been permanently invited to attend meetings of the French standing group for reactor safety (GPR), and since 1994 a French expert has been appointed to attend meetings of the equivalent German advisory group, the Reaktor-Sicherheitskommission (RSK). They also gave rise in 1992 to the formation of a European consortium, RISKAUDIT, offering services in the safety field provided by the head offices of the organizations concerned, the GRS (Gesellschaft für Anlagen- und Reaktorsicherheit) and the IPSN (Institut de Protection et de Sûreté Nucléaire), and to the joint preparation of the safety options for a new power reactor series to be built in the near future, presented in the next chapter. This is of course the outcome of much time and effort, only briefly summarized in the present document. The conclusions of the joint working group on the comparison between Fessenheim-1 and Neckarwestheim-1 were published in 1977, before Neckarwestheim-1 was put into service and just after the startup of Fessenheim-1.
They reveal both the novelty, at that time, and the difficulty of such undertakings: "The deliberations evidence the difficulty of performing a detailed, point-by-point, comprehensive safety comparison when the systems themselves or their design bases are different. Generally speaking, similar goals are set in both countries to guarantee a high degree of safety in nuclear power plants. Safety is assured in a nuclear power plant by a vast number of technical and organizational measures, together with guaranteed quality of construction and control. In conclusion, the technical safety requirements for the two plants may be considered comparable, but the methods of dealing with the problems involved sometimes differ. The means used to attain similar objectives may justifiably vary whilst remaining equally valid". A report with similar conclusions on the Cattenom and Philippsburg plants was released in 1982. This opportunity was also taken to confirm the durability of the French-German safety committee (DFK) and its working groups. It is in the framework of such working groups that topics such as guaranteeing safety function reliability by high redundancy levels, functional diversification, or the detailed design assumptions used in France and Germany to calculate reference accident radiological consequences were examined. Safety systems in current French plants comprise two trains, each of which is designed to maintain the corresponding function alone. We have seen in Chapter 11 why and how total failures of these systems are dealt with. We have also mentioned in Chapter 4 that this option implies operating constraints for maintenance and in the event of unavailability of one of the trains. The German plants are equipped with four-train systems, where two suffice to maintain the corresponding function. Some plants are also equipped with second level "bunkerized" systems.
In these circumstances, considering total failure of redundant systems may not be indispensable. The notion of fallback time is less stringent, since in the event of unavailability of a train it suffices to ensure that another train is not out of service for maintenance in order to still have an acceptable system pending repair work, which must however be carried out without too much delay. Similarly, we have noted in Chapter 4 that operating condition grading and indications of the order of magnitude of maximum permissible radiological consequences are only relevant in the context of the defined rules applied in the studies concerned. In the mid-seventies, following the example of the United States, France adopted fairly large orders of magnitude for maximum permissible radiological consequences. Since then, no particular efforts have been made to assess the consequences of the reference accidents more accurately, and the considerable uncertainties as to fission product behavior in the fuel-to-environment interval have been very conservatively analyzed. The table corresponding to Table 4.1 (Operating condition classification) comprises in Germany only one class of accident. The order of magnitude of the maximum permissible radiological consequences is 5 mSv, which is the figure adopted in France for category 3 events. On the other hand, fission product transfer calculations use more realistic, although still circumspect, postulates. A comparison shows that, under equivalent conditions, the German results are always lower than the French results for the same accident. The difference is at least a factor of 30 and can amount to several orders of magnitude.
28.4. Services proposed by the IAEA

Among the services offered by the International Atomic Energy Agency (IAEA), we shall discuss those concerning all aspects of safety under operating conditions and operating feedback. We are referring to the Operational SAfety Review Teams (OSARTs), responsible for safety audits at operating plants, and the Assessment of Safety Significant Events Teams (ASSETs), responsible for analyzing significant events. These international teams, constituted for each specific assignment, receive their instructions from the Agency and only undertake assignments at the request of the safety authority of the country concerned and with the consent of the operator. Of course, this principle by no means excludes a little political pressure to induce an invitation.
28.4.1. The OSARTs
An OSART team usually comprises 10 to 15 experienced members. Two-thirds of them are outside consultants, executives from nuclear power plants or safety organizations, some of whom may have already taken part in a similar assignment. The others are members of the IAEA permanent staff. A few observers from developing nuclear countries are also invited. On principle, experts from the country visited are excluded from the OSART teams. The outside consultants are selected for their knowledge (reactor type, specialized professional area) and experience. Generally speaking, the outside consultants selected vary from one assignment to another. The Agency staff members taking part in these assignments have similar professional experience. They ensure the consistency of objectives, criteria and results.
The working language is English, which implies that all participants must be fluent in this language. Interpreters using the language of the country visited are often necessary to enable a sufficient number of staff members of the plant concerned to be interviewed. The team is led by an IAEA agent, who is responsible for overall coordination, outside links (with the media, for instance), the introduction of group members to the method used and the overall approach to be adopted. An OSART team usually spends three weeks at a plant. The normal inspection program is subdivided into several fields to be investigated in parallel:
• management, organization, administration
• staff training, qualification and licensing
• reactor control and operation
• maintenance
• operating feedback, periodic tests, fuel management and handling, etc.
• radiation protection
• chemistry
• emergency preparedness.
The technical exchanges between the OSART team members and their counterparts at the plant inspected provide opportunities not only for identifying and examining certain problems, but also for considering examples of different safety practices from other countries. It is a procedure which promotes the dissemination of experience and safety culture. The reports issued by the Agency following an OSART inspection are sent to the authorities of the country concerned and are generally made public by the host country. A follow-up inspection may be organized one or two years later to assess the extent to which the OSART recommendations have been adhered to. The first reviews of this type took place in 1983 and in 13 years, 86 such assignments have taken place in 28 countries, together with 31 follow-up missions. In 1985, the first OSART assignment in a nuclear developed country took place at Tricastin-1 in France. For this prototype experiment, France had insisted on the inclusion of six French experts in the OSART team.
Another OSART review took place in 1988 at the Saint Alban-Saint Maurice plant and the corresponding report was made public in 1989. After a few initial reservations, EDF was quick to realize the highly positive impact of these reviews, due not only to the audit results themselves and the beneficial effects of seeing French practice through foreign eyes but also to the mobilization of all staff during the preparatory stages, which proved particularly favorable to the inculcation of safety culture principles.
From the outset, the DSIN was resolutely in favor of this practice, in keeping with its conviction that the national system for nuclear safety inspection should be both open and transparent. Despite the size of the French nuclear program, the number of those responsible for it is limited, so critical expert appraisal from outside can sometimes usefully challenge established custom. It has now been decided that about one OSART review per year will take place at a French plant (Fessenheim in 1992, after the ten-yearly outage, Gravelines in 1993, Cattenom in 1994, Flamanville in 1995 and Dampierre in 1996). Follow-up missions took place at Gravelines in 1994, at Cattenom in 1995 and at Flamanville in 1996. The overall conclusions have consistently been highly favorable, which has nevertheless not excluded a number of questions, remarks or suggestions. The question most frequently asked concerns the relatively centralized structure of EDF and the sharing of responsibilities and resources between power plants and headquarters. This is partly due to the fact that nowhere else in the world is there an operating utility equipped with such a vast installed capacity. OSART experts are often surprised by the EDF organizational structures because they are inspecting a single plant unit. However, the topic is in fact the subject of much discussion within EDF, including trends towards greater decentralization. Suggested improvements in the following areas are also worth noting:
• communication between supervisory staff and plant operators and maintenance teams, and the presence of managerial staff at the sites
• refresher courses and training course assessment procedures
• plant unit involvement in operating feedback
• follow-up on maintenance activities and their results.
French engineers, generally from EDF or the IPSN, also take part as experts in OSART reviews in other countries, which again contributes to the sharing of experience and promotes discussion on safety problems.
Such assignments are both stimulating and formative owing to the exchanges which take place with the staff of the plant inspected and within the review team itself, but a very good acquaintance with the English language is indispensable.
28.4.2. The ASSETs
The Assessment of Safety Significant Event Teams (ASSET) were set up to promote in-depth analysis of safety significant events and incidents in nuclear power plants. The prime aim is to identify the root causes of incidents, whether the failures observed concern equipment, procedures or staff. This is a way of highlighting questions concerning the thoroughness and representativeness of the periodic tests, the validation and updating of operating and maintenance documents, and the training of operating, maintenance or managerial staff. Importance is also attached to the appropriateness of the corrective measures recommended and the speed with which they are implemented, followed by communication to the nuclear community of the lessons drawn. The first ASSET assignment took place in 1986 and in recent years, many have been organized in Eastern Europe. An ASSET team came to Gravelines 1 in 1990, following the maintenance anomaly which occurred there in 1989*. Another one came to Fessenheim in 1992 to appraise operating feedback efficiency after ten years of plant operation. Yet another came to Paluel in 1993, further to an incident which gave rise to diagnosis and reporting difficulties**. There are fewer ASSET than OSART teams and ASSET inquiries last only two weeks. The two types of team are similar in composition. The IAEA also offers training courses in incident analysis. The corresponding assignments are shorter and are conducted by Agency staff. The overall conclusions of the ASSET inquiries organized in France were also highly favorable, although certain remarks and suggestions were made on much the same lines as those made during the OSARTs.
The following suggestions are worth noting:
• definition of a long term policy to maintain stimulation of a questioning attitude on the part of teams and individuals
• greater involvement of plant managerial staff in the definition of modification priorities
• revision of training programs with a view to developing staff acquaintance with plant design features and their implications for operating decisions
• more assistance for inexperienced staff, with better individual monitoring of professional abilities
• need to focus more efforts on determining the root causes of incidents
• extension of site resources so that certain recurrent difficulties can be quickly dealt with.
* Cf. Section 26.1.6.
** Cf. Section 26.1.10.
28.4.3. Other IAEA services
On the same peer review footing, the Agency also offers various other services. One of them directly concerns the safety regulatory authorities. It comprises an examination of the legal and regulatory situation and of practices adopted for authorizations, technical examinations, inspections, preparation for crisis management, etc. The reference here is again international practice as a whole. This service is known as the International Regulatory Review Team (IRRT). IRRT reviews have taken place in Brazil, Romania, Bulgaria and China. The Commission of the European Communities (CEC), which conducts international actions providing assistance to Eastern European countries in the nuclear field, has suggested that, at the request of the countries concerned, IRRT reviews could be carried out to assess the effectiveness of such actions with regard to the safety organizations of these countries. Attention is also drawn to an IAEA service concerning safety culture and its assessment, known as ASCOT (Assessment of Safety Culture in Organizations Team). The INSAG-4 report on safety culture provided a basis for the drafting of a detailed guide for assessing the establishment of safety culture and the corresponding attitudes in the various organizations concerned (IAEA-TECDOC-743). Such assessments can be made by teams dispatched by the Agency. However, in view of the delicate nature of the subject, present practice tends to favor provision by the Agency of training courses on how to use the guide and how to self-assess safety culture.
28.5. Plants of Soviet design
We have no intention at this point to recount the various stages in our realization of the safety problems affecting the power plants in Eastern Europe, but simply to summarize the characteristics of these installations and show how their specific equilibrium tended to complicate appraisal of their safety. In this chapter, we shall deal only with the pressurized water reactors, as the RBMK type reactors have already been discussed in Chapter 21. There is a fairly wide range of Soviet-designed pressurized water reactors, but they can be grouped in families according to electrical output. These are the VVER* 440, of entirely Soviet design, and the VVER 1000, also of Soviet design but clearly influenced by certain main options characterizing nuclear power plants in Western Europe.
* Initials of Vodo-Vodianyi Energetichesky Reaktor, pressurized water power reactor.
28.5.1. The VVER 440
The 440 MWe reactors are generally built in pairs housed in a single building. Each reactor comprises six long primary loops, with 500 mm i.d. piping. The six steam generators are horizontal. The primary loops are equipped with isolation valves, originally intended to enable in-service maintenance and also isolation of downstream leaks, but in fact little used (Fig. 28.1.). The core comprises fuel assemblies consisting of housings containing 9.1 mm o.d. fuel rods. The mean linear heat generation rate under rated operating conditions is low, ~130 W/cm, as is the mean water temperature in the core, 285 °C. The rated pressure in the primary system is 123 bars. Reactivity control is obtained by means of mobile fuel assemblies which are withdrawn beneath the core and are topped with borated steel tubes. This necessitates a particularly deep reactor vessel (14 meters). The mobile assembly insertion time is between 8 and 13 seconds. Under normal operating conditions, the fissile part of most of these assemblies is inserted in the core. Residual heat removal is by natural convective water circulation to one or two water-filled steam generators.
Fig. 28.1. Primary loops of a VVER-440.
The VVER 440s are thus not high performance reactors, and the large masses of water in the primary and secondary loops ensure a very high degree of thermal inertia. This prevents fuel degradation during normal operating transients, as is confirmed by operating feedback evidencing the reliability of the fuel. In addition, in the event of a total power loss, no action need be taken before 5 or 6 hours. The vessel, on the other hand, has to withstand a high neutron flux which embrittles the weld metal. This is notably the case for certain units in the first series (440-230), owing in particular to the much higher proportion of impurities involved (especially copper and phosphorus) than in Western pressurized water reactors. Moreover, seismic stresses are generally not included in the design basis data. Surveillance, whether in the control room or via non-destructive testing, is not very efficient. Equipment is not "qualified" to fulfill its function under accident conditions. On the basis of a description of the buildings and engineered safety systems, the VVER 440s can be divided into two main families.
28.5.1.1. VVER 440-230
The first of these families, the VVER 440-230, comprises no real containment building, but instead a number of small (10,000 cu.m.) concrete compartments, equipped with a spray system and protected against internal overpressures by relief valves opening directly to the outside in the event of overpressures of 0.6 to 0.8 bar. The safety injection system is redundant, but as is the case for all the safety systems, no precautions have been taken to prevent common mode failures due to fire, floods or hostile interaction. In addition, it is only sized to withstand a primary break equivalent in diameter to 32 mm. A number of other safety systems, such as the spray system or the storage batteries, are not systematically redundant. In 1995, there were ten VVER 440-230 units operating:
• Kola 1 and 2 and Novovoronezh 3 and 4 in Russia
• Kozloduy 1 to 4 in Bulgaria (but units 3 and 4 had been upgraded at the construction stage)
• Bohunice 1 and 2 in Slovakia.
The two Armenian units Oktemberyan or Medzamor 1 and 2 were shut down in 1989 after the major earthquake which occurred in this country, but owing to the scarcity of energy the government decided to restart one unit in 1995. VVER 440-230 design is characterized by limited defense in depth provisions, since the design basis breaks adopted are very small, as is also the containment capacity. Stress relieving heat treatment (annealing) has been applied to certain vessels in an attempt to obliterate irradiation-induced defects in the weld metals, but for some of them, the treatment will shortly have to be repeated, although little is yet known about the advantages to be gained from a second heat treatment. Removing the outer rows of fuel elements will not systematically suffice to reduce the radiation level and in some cases has been applied too late. The primary system is not protected against cold overpressures, since there is no residual heat removal system. The pressurizer relief valves have not been qualified to close again once water has gone through them and are not isolatable. The number and types of transients undergone by the primary system were not systematically monitored prior to 1990. Reactor vessel fast fracture risks are consequently a source of concern for the VVER 440-230. Finally, the leak rate of the loaded containment compartments is often high, even at the low rated pressure of these reactors. On the other hand, it is important to note the considerable thermal inertia conferred by the large masses of primary and secondary water, the low fuel linear power generation rate and the possibility of isolating the primary loops manually in the event of a steam generator tube break. These are fault-tolerant characteristics which, at least in certain cases, allow the operators an appreciable period of time before conditions deteriorate into a more serious situation. While what were considered as shortcomings were rapidly identified by the experts from Western Europe, the benefit of these positive characteristics was only included later in their assessments.
28.5.1.2. VVER 440-213
The second family of reactors, the VVER 440-213, more recent than the VVER 440-230 despite its type numbering, differs from the latter by a more advanced containment system and a safety injection system designed to contend with a double-ended guillotine break on a main primary pipe (i.d. 500 mm). Safety system redundancy in some instances is as high as three 100% unit capacity trains, but no precautions have been taken to prevent common mode failures by fire, floods or hostile interaction.
The containment building housing the reactor has a free volume of 52,000 cu.m. (Fig. 28.2.). It is designed to withstand a 1.5 bar internal overpressure, which is consistent with this free volume. It comprises a sparging system which, in the event of a pipe break, would ensure the condensation of fission gases and water vapor enclosed in the containment compartments and the trapping of incondensable gases in a tower built for this purpose. Reduced scale tests have been carried out. A full scale experiment is scheduled to take place shortly, sponsored by the European Union, to complete validation of this system. In 1995, there were 14 VVER 440-213 type reactors in service:
• Kola 3 and 4 in Russia
• Rovno 1 and 2 in Ukraine
• Paks 1 to 4 in Hungary
• Dukovany 1 to 4 in the Czech Republic
• Bohunice 3 and 4 in Slovakia.
The two reactors at Loviisa in Finland, of the same design, are equipped with a containment building and Western type instrumentation and control systems. Other problems inherent to this type of plant, such as the separation of redundant trains, remain.
Fig. 28.2. Cross-section diagram of a VVER 440-213.
The design of the 440-213 units differs from that of the 440-230 units by a much larger containment, with a more satisfactory overall design with regard to leak rates. However, this containment could be affected by localized weaknesses and the efficiency of the sparging system requires further qualification. The vessel and vessel weld metals at mid-core height level contain fewer impurities than in the 440-230 reactors. This, together with a lower radiation level, should slow down embrittlement phenomena. The design-based safety of these units, where the thermal inertia is the same as in the 440-230 reactors, is consequently less problematic, even if significant improvements and verifications are indispensable to obtain a satisfactory safety level.
28.5.2. VVER 1000
The electrical output of each reactor in this series is 1000 MWe. They are installed in leaktight containments comparable to those of our 900 MWe units (single-walled containment with metal liner) designed for a relative pressure of 4.1 bar. The primary system comprises four loops and consequently four horizontal steam generators. The fuel is not installed in housings. The mean linear heat generation rate is 166 W/cm, which is comparable to that of PWRs in Western Europe. Reactivity is controlled by boron dissolved in the primary coolant and control rod clusters lowered into fixed fuel elements. The neutron absorber is boron carbide. Since the fuel elements are not withdrawn beneath the core, the vessel is shallower than for the 440 reactors. The safety injection system is designed to contend with a double-ended guillotine break in 850 mm i.d. primary piping. The high and low head safety injection systems comprise three trains, each able to assure the corresponding function alone (three 100% trains). We are consequently here considering installations whose characteristics and performances are close to those of Western European installations. The thermal inertia, which was an outstanding characteristic of the VVER 440, is much lower in the VVER 1000, although it is still slightly higher than in comparable French units, for example. In 1995, there were 20 VVER 1000 type reactors in service (Fig. 28.3.):
• Balakovo 1 to 3, Kalinin 1 and 2 and Novovoronezh 5 in Russia
• Rovno 3, Khmelnitsky 1, Nikolaev (S. Ukraine) 1 to 3 and Zaporozhe 1 to 5 in Ukraine
• Kozloduy 5 and 6 in Bulgaria.
The construction of other units has been halted, at least temporarily.
Table 28.1. Comparison of VVER characteristics with those of French 900 MWe units

Characteristic                           | VVER 440-213                     | VVER 1000                         | PWR 900 MWe
Number of loops                          | 6                                | 4                                 | 3
Electrical output                        | 440 MWe (2 generators)           | 1000 MWe (1 generator)            | 920 MWe (1 generator)
Core thermal output                      | 1375 MWth                        | 3000 MWth                         | 2775 MWth
Fuel rods                                | 41,880                           | 50,856                            | 41,448
Fuel rod outside diameter                | 9.1 mm                           | 9.1 mm                            | 9.5 mm
Active fuel length                       | 2.42 m                           | 3.53 m                            | 3.66 m
Mean linear heat generation rate         | 125 W/cm                         | 166 W/cm                          | 178 W/cm
Mean primary coolant temperature         | 285 °C                           | 304.5 °C                          | 304.6 °C
Volume of primary coolant                | 0.17 m3/MWth                     | 0.12 m3/MWth                      | 0.10 m3/MWth
Volume of water in the steam generators  | 0.54 m3/MWth                     | 0.07 m3/MWth                      |
Type of containment                      | Metal-lined compartments.        | Overall single-walled,            | Overall single-walled,
                                         | Spray and sparging systems.      | metal-lined containment.          | metal-lined containment.
                                         |                                  | Spray system.                     | Spray system.
Free volume in the containment           | 38 m3/MWth                       | 23 m3/MWth                        | 18 m3/MWth
Design basis relative pressure           | 1.5 bar                          | 4.1 bar                           | 4 bar
Corresponding leak rate                  | up to 13% per day,               | 0.3% per day                      | 0.3% per day
                                         | depending on circumstances       |                                   |
Since core, reactor containment and engineered safety system design was similar to that of Western reactors, the VVER 1000 reactors were immediately favorably considered in Western Europe. However, a detailed examination yields a more qualified assessment. As on the VVER 440 reactors, common mode failure prevention is inadequate, since there is often insufficient separation between redundant train components. This is confirmed by the fire which affected both the main switchboards at Kozloduy 5. Control rod jamming incidents have also been reported in the last few years. The pressurizer relief valves are neither qualified nor isolatable and provide no satisfactory protection against cold overpressures. The core is characterized by neutronic instabilities due to its height to diameter ratio, which is less favorable than in the VVER 440 reactors. The control system efficiency is not outstanding. Finally, doubts persist as to the quality of the metals used for certain vessels and the corresponding welds. The design-based safety of the VVER 1000 reactors is less problematic than that of the VVER 440-230 units, but significant improvements and verifications nevertheless seem necessary.
Fig. 28.3. Nuclear power plants in the former USSR and in Eastern Europe.
28.5.3. Other aspects of VVER safety
The design and construction quality of the different units is similar for the three families of reactors presented above, in all the countries concerned (except Hungary and the Czech and Slovak Republics, where quality surveillance is more efficient). On the other hand, documents justifying design postulates and their detailed application to equipment and structures, together with the corresponding quality assurances, are rarely available. Operating practice also differs fairly markedly from one country to another.
28.5.3.1. VVER construction quality and subsequent surveillance
This is a particularly important field, since, as elsewhere, it ensures consistency between designer intentions and results achieved and defines the specific characteristics of the different plants. But in this case, very few plant managers possess data concerning the construction of their plants. These documents are usually kept by the Russian manufacturers, who apparently agree to transfer them, insofar as they are still available, only in return for sums deemed prohibitive by the operators. These problems are compounded by doubts concerning the quality and exhaustiveness of manufacturing process inspections, since for many years compliance with schedules took precedence over other requirements. This remark applies to the civil works, the mechanical and electrical equipment and the control and instrumentation systems. The same questions are also often raised regarding the non-destructive tests performed since these plants were first put into service.
28.5.3.2. VVER operating safety
In all plant units, the operating staff in the control room are engineers, which differs significantly from French practice. Generally speaking, these engineers have received very thorough theoretical training in all aspects of VVER design basis situations. Their good knowledge of physics could, in some cases, enable them to respond correctly to certain unexpected situations. On the other hand, full scope simulators are rare and recent, and when they are available, the simulation scope is limited to design basis conditions. Operating documents are meagre and limited, so all depends on operator know-how and responses. However, frequent examinations and fear of losing their jobs (as observed recently in Bulgaria, for instance) contribute to keeping the standard high. It is also known that, in many cases, plant maintenance is highly inadequate, which means that the equipment reliability level is likely to fall. Deficiencies in this respect are due as much to organizational problems as to the unavailability of spare parts. The plant operating teams comprise many members, but responsibilities are shared between too many, leaving little room for individual initiative. The transformation of the Russian ruble into a reputedly hard foreign currency when the Soviet Union became the Commonwealth of Independent States created procurement problems for some countries.
28.5.3.3. Methodology transfers
The Western European nuclear countries gradually organized action to improve the safety conditions in Eastern European power plants, both individually and in the context of international initiatives and funding. The first expert assessments took place on the East German plants (Greifswald (VVER 440-213) then Stendal (VVER 1000)), which Germany finally decided to shut down after reunification. It was next decided to assist Bulgaria, further to an IAEA mission revealing the unsatisfactory conditions under which the Kozloduy plant was operated, so that the oldest units could be kept in service for a few more years. This life extension was considered indispensable by the Bulgarian government to the economic and social survival of the country. France was deeply involved in this action. The IPSN headed a European consortium assisting the Bulgarian safety authority, with funding from the European Community, whilst EDF provided support for the operating utility in the framework of the WANO association, organizing in addition the twinning of Kozloduy with Bugey. The aid programs were then extended to other Eastern European countries, based on assessment of the priorities of the different countries concerned. The actions undertaken concern safety authority organization, safety assessment methods and practices, preparation for crisis management and the use of computational resources for safety analysis. Other longer term actions concern safety-related research and development.
In parallel with other instruments for the assistance of operators in Eastern Europe, namely the PHARE project (Poland Hungary Assistance for the Reconstruction of the Economy), later extended to all central European countries of the former communist bloc, and the TACIS project (Technical Assistance to the Commonwealth of Independent States), the European Union founded the RAMG (Regulatory Assistance Management Group) to coordinate and partially fund actions to assist the safety authorities of these countries.
28.5.3.4. The future of these plants
It is difficult to give an overall picture of the situation, because conditions vary considerably from one country to another. It is to be noted that the technical situation much depends on the level of independence and competence and the power invested in the safety authority concerned. The plants in Hungary and the Czech or Slovak Republics, and the capacity of their safety authorities, are generally speaking less worrying than those elsewhere.
As regards acceptability, a valid reference can be found in the ideas underlying the INSAG-8 text on the safety assessment of plants built according to earlier standards. It would notably be unacceptable that a credible single event could defeat all levels of defense in depth or affect all containment barriers. Considering the VVER 440-230 design, the only realistic possibilities for improvement as regards large primary breaks are related to in-service surveillance (specifically, more tests and inspections). However, Russia is considering re-sizing the safety injection systems for larger breaks and using resins to make the concrete compartments leaktight. An overall analysis of these modifications has to be made before implementation of this work, to ensure notably that with higher safety injection flowrates and a leaktight containment there would be no risk of destruction of the latter in the event of a large leak. But as this would be unlikely to lead to a really satisfactory situation, it would still be advisable to shut down these reactors fairly soon, despite the improvements achieved by the operators in the last few years. Naturally, the energy problem which would arise has to be considered on an equal footing with the safety problems by the competent authorities. The situation of the other families of reactors is a lesser source of concern, even if the preclusion of vessel fast fracture hazards obviously requires close attention. Short term improvements are nevertheless required, some of which are under way. These include, for instance, improvements in the fields of fire protection, maintenance, control and instrumentation, as well as in operating procedures and operator training efficiency, notably by the installation and use of simulators representative of control rooms. The lower thermal inertia of the 1000 MWe plants makes operator actions more crucial, often requiring quick decisions despite the absence of detailed procedures.
Providing full safety documents, covering all fields related to the "safety requirement referential" described in the previous chapter, remains a priority. It would enable the safety organizations of these countries to assess plant safety more thoroughly. This could then provide a basis for the issue of valid operating permits. The surveillance efficiency of the regulatory organizations could be enhanced by better definition of the role of resident inspectors, with special reference to their greater autonomy as compared with the operating staff.
29
The next generation of reactors
The notion of safety changes under the impetus of gradually acquired new knowledge and modifications to the level of safety considered acceptable. Lack of confidence on the part of the general public in the feasibility of using nuclear energy to generate electricity under satisfactory safety conditions has halted implementation of further construction programs in many countries. This dates, notably for the United States, from the Three Mile Island accident. The Chernobyl accident caused a number of countries, particularly in Europe, to adopt the same position or even to close existing plants. In France, provisions have to be made for the gradual replacement of the first 900 MWe reactors, which will have completed a 30 year life span before 2010. But a period of more than 10 years is required for the design and construction of the first model of a new series of reactors. So, as far back as the end of the eighties, the safety organizations started discussions on the safety objectives of the next generation of reactors. The plant builders, for their part, also organized discussions on the basic design principles of new projects featuring significantly enhanced safety characteristics. Various types of project were defined by the manufacturers in this context, differing significantly from the technical standpoint, especially as regards the unit power rating and the lead time. They can be classified in two main groups. For the first group, the basic option is to upgrade the design of current units by incorporating improvements derived from operating feedback and progress made in the relevant areas of research. In this case, the aim is to prioritize the use of proven technologies, although without rejecting pertinent new ideas. The unit power of the corresponding reactor projects is 1000 to 1500 MWe. The reactors in this first group are termed "evolutionary", as opposed to the more "revolutionary" second group.
The use of well known technical solutions renders demonstration prototypes unnecessary.
462
Elements of nuclear safety
For the second group, the aim, on the contrary, is to find radically different technical solutions, resorting whenever possible to the use of "passive" systems, i.e. systems not requiring an external energy source. The unit capacity of projects defined so far in this category is lower, around 600 MWe. The novelty of the solutions proposed obviously implies longer time requirements to complete the necessary demonstrations.

It is by no means our intention to present a critical analysis of the different projects developed by the plant builders. We simply wish to evidence:
• how safety requirements, which are now broadly speaking common to all countries, have changed for the reactors of the future
• the way in which France and Germany are jointly moving towards definition of an evolutionary project satisfying these new requirements.
29.1. Setting up of French-German safety options

In 1989, the French and German manufacturers Framatome and Siemens founded a common subsidiary, Nuclear Power International (NPI) with a view to offering jointly produced goods for export. The advisability of these products being openly approved by the French and German safety authorities rapidly became apparent. This pooling of industrial interests reinforced the direct links between the safety authorities in the two countries, discussed in the previous chapter.

In 1990, a restricted committee, known as the DFD (Deutsch-Französische Direktion) was set up composed of the Director of the DSIN and his German counterpart from the Ministerium für Umwelt, Naturschutz und Reaktorsicherheit (BMU), assisted by the Director of the IPSN and the Director of the Gesellschaft für Anlagen- und Reaktorsicherheit (GRS), the technical assistance structures of the French and German safety authorities respectively.

In 1992, EDF, the German utility and NPI joined forces for the development of a pressurized water reactor, known as EPR (European Pressurized water Reactor), on a schedule providing for construction of the first unit to start in 1998.

For their part, the French and German safety authorities have been discussing the nuclear power plants of the future for several years now, on a national basis. In France, for instance, in May 1991, the DSIN released a letter, based on IPSN proposals, stating the general pattern of safety changes deemed advisable for the PWR plants of the future as compared with those currently in service. The definition of a joint French-German project obviously required that the corresponding discussions should take place in a French-German framework.
The DFD then decided, at the end of 1992, that the French and German safety authorities should make a joint statement defining the EPR main safety options, based on the common positions reached by the groups of experts from the two countries (GPR and RSK), themselves grounded on the joint deliberations of the IPSN and the GRS. The DFD moreover decided that before the manufacturers officially submitted the EPR main safety options, a common safety approach for future PWR plants should be defined. A draft text was prepared at the beginning of 1993 by the IPSN and the GRS. After a few amendments, it was submitted, at the request of the DFD, to mutual examination by the GPR and the RSK. These two groups of experts then adopted a joint proposal which was communicated to the French and German safety authorities in May 1993. The latter approved the joint GPR-RSK proposal in June 1993 and decided on its separate publication in the two countries concerned.
29.2. Changes in safety objectives

The Chernobyl disaster highlighted the fact that the impact of large scale radioactive release to the environment is not confined to the direct effects of the radiation but also involves a major social and psychological upheaval. So for future reactors, it is essential to seek solutions best able to preclude release levels liable to totally disrupt large sections of populations. All countries interested in pursuing nuclear power programs are carefully considering these issues. This is also the case for international organizations, like the OECD and IAEA. For example, the International Nuclear Safety Advisory Group (INSAG), which advises the Director General of the IAEA, has published a document on the defense in depth concept and its application to present and future plants (INSAG-10). What follows is drawn rather from discussions which took place in the French-German context and which go beyond what was finally adopted for the INSAG text.

There are two different ways of achieving the required safety level:
• the first consists in limiting even further the possibility of occurrence of accidents resulting in severe core degradation
• the second consists in developing resources to limit the consequences of such accidents. Reinforcing containment of the radioactivity released further to core degradation is an important element.

Accident prevention obviously remains the absolute priority. It now appears technically possible to achieve a computed annual overall probability of core meltdown of below 10⁻⁵ per plant unit for pressurized water reactors, whatever the initiators considered. On the other hand, a credible demonstration of much lower probabilities would be difficult with current methods and available data. So enhancing ways of limiting the consequences of accidents involving major core degradation is still an indispensable complementary objective.

If we now apply these considerations to the case of the large "evolutionary" pressurized water power reactors, we obtain:
• prevention improved by reinforcement of the first levels of defense in depth and greater independence of measures taken at various levels
• reinforcement of the containment of radioactive products, even in cases of core meltdown under low pressure conditions
• reduced worker exposure hazards.

Improving the independence of the different defense in depth levels implies renewed efforts to preclude events and phenomena liable to affect several levels. This involves, in particular, precluding direct release to the atmosphere via containment bypassing (steam generator tube break causing the atmospheric steam dump valves to open, for instance). This could require improvement of the overall design and the man-machine interface, higher thermal inertia, the use of intrinsically safe systems and design basis provision for the management of severe accidents.

Accident situations not involving core meltdown should require no special provisions for the protection of populations in the immediate vicinity of the site (neither evacuation, nor confinement indoors). Accident conditions rapidly leading to extensive radioactive release should be "practically precluded" by plant design provisions. This applies notably to high reactivity accidents, core meltdown under high pressure conditions, generalized hydrogen detonation or major steam explosions. Core meltdown under low pressure conditions should involve release levels requiring only minor provisions for population protection, limited in both time and space.
There would, in particular, be no necessity for permanent displacements of populations nor emergency evacuation beyond the immediate vicinity of the site, confinement would be of short duration and there would be no long term restrictions on the consumption of local foodstuffs. This implies considerable improvement of the containment function. In the context of the S3 source term presented in Chapter 15, this would require release levels to be reduced by a factor of between 100 and 1000.

Individual and collective doses to workers are mainly due to maintenance and in-service inspection activities. They can also result from repair work in aggressive media, such as those undertaken to bring disturbed situations under control. Reducing these doses also implies newly designed built-in provisions (permanently positioned protective devices, layouts facilitating access for repair, space available round equipment, etc.). The new ICRP (International Commission on Radiological Protection) recommendations obviously constitute a reference. The limitation of radioactive release under normal operating conditions is a complementary objective, but care must be taken to ensure that it does not involve undue increases in worker exposure.

The radiological consequences of accidents will be assessed under far more realistic conditions than at the present time, which means that maximum benefit can be derived from our better acquaintance with radioactive product transfer mechanisms. On the other hand, the short and long term effects of accidents should all be assessed, including those for core meltdown under low pressure. All environmental transfer pathways (air, surface water, ground water) and all human exposure pathways (irradiation, ingestion, inhalation) must be considered.

From the design stage, the new projects will include probabilistic safety assessments. These will serve to confirm certain design options, notably the safety system redundancy and diversification rules, and will enable a more quantitative assessment of improvements achieved with respect to present plants.
29.3. Application of the defense in depth concept

In order to achieve the goals set out above, the various levels of defense in depth must be reinforced in order both to improve accident prevention and more efficiently curtail the consequences of any accidents which nevertheless occur. The notions of safety culture and quality, historically linked with the first level in the INSAG 3 document, are in fact pertinent at all levels of the strategy.

First level: prevention of malfunctions and system failures
Prevention by design should encompass a wider range of situations, covering notably the difficulties and degradations revealed by operating feedback from all parts of the world or highlighted by safety studies. The aim is to reduce the expected frequency of the different initiators under all operating conditions, even shutdown.

Second level: keeping the plant within the authorized range
Plant surveillance system design should also take into account worldwide operating feedback and the development of new technologies. Use on a larger scale of diagnosis aid software could improve the man-machine interface without lessening staff awareness of their responsibilities. Favorable conditions for the repair and maintenance of equipment would enhance plant safety.

Third level: control of design basis accidents
The list of design basis incidents and accidents should be extended, notably to cover shutdown conditions. Accident conditions induced by multiple failures are dealt with according to appropriate rules.

Fourth level: prevention of accident condition degradation and limitation of severe accident consequences
This level should comprise the means provided to ensure sufficient control of accidents involving severe core degradation. In particular, the containment building should be designed to withstand deflagration of the maximum amount of hydrogen which could be enclosed there and to prevent basemat attack and melt-through by the corium. This level could also subsequently cover provisions for the management and limitation of the consequences of situations not included in the new design bases.

Fifth level: limitation of radiological consequences for populations in the event of substantial release
Although the purpose of the measures listed above is to make the fifth level less necessary, the very concept of defense in depth requires that it be maintained.
29.4. Preliminary characteristics of the EPR project

The EPR project (European Pressurized water Reactor), launched jointly by Framatome, Siemens, EDF and certain German utilities to meet the requirements defined above, is of course not yet finalized. However, a number of options are sufficiently clearly defined to give a fairly good idea of the design. The description below, derived from presentations made by the designers, is incomplete and could be made obsolete by other innovations. We are not here discussing the result of the detailed analysis of the project by the safety organizations. In addition, the solutions to the specific problems raised by shutdown conditions have not yet been defined.

The EPR is a 1400 to 1500 MWe PWR, comprising four loops, housed in a double-walled containment building (no decision has yet been reached by the designers as to the advantages which would be afforded by a liner), with leakoff recovery between the two containments and filtering prior to discharge to the stack (Fig. 29.1.). The fuel will be of the same type as that used in current plants, but there will be a larger number of assemblies. This means that the linear heat generation rate can be lowered and offers greater flexibility with regard to fuel options.
29.4.1. Main prevention options

The prevention of incidents and accidents including core meltdown is enhanced by a certain simplification of the installation, an increase in the times available before operator action is required, the provision of ample redundancies (four 50% trains) and diversified equipment for certain safety systems. The main diesel-generator sets are of two different types (2 x 2). The auxiliary feedwater supply is provided by four motor-driven pumps supplied by diversified diesel-generator sets. Each pump supplies one steam generator. A special system is used during startup and shutdown periods. The mass of water contained in the steam generators is sufficient to prevent their dryout for a period of 30 minutes in the event of total loss of feedwater.

No action by operators in the control room will be necessary for a period of 30 minutes after the onset of an incident or accident situation. No on-the-spot action will be necessary for one hour. Complementary heavy equipment will not have to be brought in before a time lapse of three days.

With a view to simplifying the circuits, each train corresponds to one primary loop and is installed in a specific peripheral building, in the vicinity of the loop concerned. In this way, common mode failures due to internal hazards (fire, floods, etc.) can be minimized. The containment building, the fuel building and two safeguard buildings are protected against plane crashes. Internal walls, unconnected with the protective walls of these buildings, hinder propagation to equipment of the destructuring effects of a plane crash or explosion.

The design and manufacture of the forged primary piping should guarantee very high quality, low sensitivity to aging and inspection efficiency. Associated with appropriate primary system leak surveillance, these characteristics are compatible with application of the concept of preclusion of primary pipe breaks. The main result of this is that the mechanical effects associated with such pipe breaks need no longer be considered, rendering whip restraint devices unnecessary, since the safety injection system and reactor containment are still designed to withstand a sudden double-ended guillotine break on this piping.
Fig. 29.1. EPR project layout diagram.
The pool water reserve tank - which also supplies the safety injection system - is installed in the containment building. This new layout constitutes a significant simplification: in the event of safety injection, there is no longer a distinction between the direct injection phase, when the water injected into the core comes from an outside tank in current plants, and the recirculation phase, when the water comes from the sump. This means that valve configurations no longer have to be modified. Safety injection at low pressure is applied simultaneously to hot and cold legs, so that configuration changes are no longer necessary. The low head safety injection system is equipped with heat exchangers. The containment spray system is consequently no longer required for residual heat removal.

The design pressure in the secondary part of the steam generators exceeds 90 bars, whereas the maximum discharge pressure of the safety injection system at medium pressure is below 90 bars. In the event of a steam generator break, there would consequently be no risk of steam or water release by secondary system letdown valves after the first transient phase when the primary pressure decreases from 155 bars to the safety injection pressure level.
29.4.2. Functional redundancies

In the present project, provision is made for functional redundancies for various safety functions, notably fuel cooling even in extremely degraded situations. In the event of small breaks which do not induce a significant drop in primary pressure, fuel cooling can be assured by the secondary cooling system. These loops could thus provide a backup supply for the medium head safety injection system to allow primary system depressurization, after which the accumulators and the low head safety injection system could be used. The medium head safety injection system associated with two of the four trains of the residual heat removal system can provide an emergency supply for the low head safety injection system.

The residual heat removal system can be emergency-supplied by the secondary cooling system when the primary system is closed. This is not an innovation. On the other hand, provisions are made whereby two of the low head safety injection system trains can assure core cooling when the primary system is open.

Finally, total loss of secondary system cooling can be offset by switching the primary system to a "feed and bleed" configuration associating the low head safety injection system with the pressurizer relief system, suitably equipped for this purpose. The water would be directly discharged to the reserve tank located inside the containment building.
29.4.3. Preservation of containment integrity

In accordance with the objectives listed, provision is made in the EPR project for significant improvement of the containment function. Hydrogen concentrations in the containment building will be reduced by recombiner units, thereby limiting the quantities liable to deflagrate and preventing transitions between deflagration and detonation. The free volume within the inner containment is very large, about 90,000 m³. This structure is designed to withstand an overpressure corresponding to deflagration of the maximum amount of hydrogen which could accumulate in the containment building during an accident sequence. Owing to the action of the recombiner units, the quantity of hydrogen involved would be 50% of that resulting from a reaction between all fuel clads and steam. The pressure corresponding to this situation is 6.5 bar abs., which is greater than that resulting from the double-ended break of a main primary pipe.

A 2-train containment spray system is provided for core meltdown situations. It would cool the atmosphere in the containment building and keep internal pressure under control. No containment venting system is consequently planned.

Special provisions are also made to preclude base slab penetration by the corium. The lower part of the reactor pit is lined with refractory materials and slopes towards a 150 m² spreading cell, also lined with refractory materials (Fig. 29.2.). Under normal operating conditions, the reactor pit is isolated from the spreading cell by a leakproof wall. It is the heat from the corium which would melt this wall, providing access to the spreading cell. The upper part of this cell connects with the safety injection water reserve tank. This connection is also sealed off under normal operating conditions by a fusible wall. After a certain time, the heat radiating from the corium would melt this wall, allowing corium cooling by flooding. Under these conditions, the basemat, which is in addition equipped with a liner embedded in the concrete, should remain leaktight. Moreover, the corium flooding procedures are also designed to obviate major steam explosion hazards. Steam produced in the spreading cell in the containment building is removed via a stack, thereby limiting overpressures. After condensation, the steam returns to the water reserve tank supplying the corium flooding process.
Fig. 29.2. Corium spreading system.
It is to be noted that several of the devices mentioned in the EPR context have also been adopted for other projects. Examples of these are the locating of the safety injection water reserve in the containment building or the provision of systems to prevent basemat melt-through by the corium. However, the EPR objectives in this respect are particularly stringent, since all penetration is to be precluded.
29.5. Illustration of defense in depth provisions

The table below compares certain technical measures implemented on the French 900 MWe PWRs with the corresponding provisions adopted for the European Pressurized water Reactor, for different defense in depth levels. To avoid having to enter into the design details of the plants, the first level aspects considered will mainly concern primary break hazards.

First level
  900 MWe: Primary piping made of extruded austenitic stainless steel.
  EPR:     Primary piping made of forged steel, which improves quality and inspection efficiency.
  900 MWe: Internal operating pressure: 155 bars. Test pressure: 228 bars. Designed to withstand a Safe Shutdown Earthquake.
  EPR:     Equivalent provisions.
  EPR:     Application of the concept of preclusion of primary pipe breaks for the design of the vessel internals and supporting structures.

Second level
  900 MWe: Definition of technical specifications protecting the primary system. Non-destructive tests ensure enduring quality.
  EPR:     Equivalent provisions. Non-destructive tests ensure enduring quality more easily and more efficiently. Primary system leak detection devices consistent with application of the concept of preclusion of primary pipe breaks.

Third level
  900 MWe: Design basis data encompasses breaks including a double-ended guillotine break on main primary piping.
  EPR:     Safety injection system design basis data covers breaks including a double-ended guillotine break on main primary piping.
  900 MWe: The high and low head safety injection systems and the containment spray system comprise two 100% trains, with cooling by the spray system.
  EPR:     The medium and low head safety injection systems comprise four 50% trains, with cooling by the low head safety injection system.
  900 MWe: The containment building is designed to withstand this accident.
  EPR:     The containment building is designed to withstand a more severe accident. Containment spraying is unnecessary in the event of primary piping breaks. Provision is made for functional redundancies between safety injection system and other systems.

Fourth level
  Prevention of core meltdown
  900 MWe: Mutual backup between the available mean term pumping resources of the low head safety injection system and the containment spray system. Possibilities of connection in due time to external mobile pumping, water supply and cooling equipment.
  EPR:     Covered by third level provisions.
  In the event of core meltdown
  900 MWe: Limitation of containment building pressure by means of a filtered venting system retaining at least 90% of the aerosols. Severe accident guidelines.
  EPR:     Containment building kept leaktight by: provision of recombiners; sizing to withstand a hydrogen deflagration; provisions for corium spreading and cooling and the prevention of base slab penetration.

Fifth level
  900 MWe: Preparation of population protection measures.
  EPR:     Preparation of population protection measures.
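The redundancy figures quoted in Section 29.4.1 (four 50% trains, diesel-generator sets of two different types) and in the third level row of the table above (two 100% trains versus four 50% trains) can be made concrete with a small k-out-of-n availability calculation. The following is an added worked example, not a calculation from the book, from EDF or from the EPR designers; the per-train unavailability q, the common-cause fraction beta and the beta-factor model itself are constructed assumptions chosen only to show the shape of the result, not plant PSA data. It shows why the chapter pairs redundancy with diversification: with a shared common-cause failure mode, adding identical trains stops helping once the common-cause term dominates, whereas splitting the trains into two diverse groups (the 2 x 2 diesel arrangement) recovers most of the benefit.

```python
"""
k-out-of-n train availability under a beta-factor common-cause model.

Added example, not from the book. Every numeric input (q, beta) is a
constructed assumption for illustration; real values come from
plant-specific probabilistic safety assessment data.
"""
from math import comb


def k_out_of_n_failure(n: int, k: int, q: float) -> float:
    """Probability that fewer than k of n trains are available when each train
    fails independently with probability q (no common-cause contribution)."""
    return sum(comb(n, j) * (1 - q) ** j * q ** (n - j) for j in range(k))


def group_distribution(m: int, q: float, beta: float) -> list:
    """Probability of 0..m available trains in a group of m identical trains.

    Beta-factor model (assumed): a fraction beta of each train's unavailability
    q is a common-cause failure that removes the whole group at once; the
    remaining (1 - beta) * q is an independent failure of that train alone.
    """
    q_ind, q_ccf = q * (1 - beta), q * beta
    dist = [0.0] * (m + 1)
    dist[0] += q_ccf  # common-cause event: the whole group is unavailable
    for j in range(m + 1):
        dist[j] += (1 - q_ccf) * comb(m, j) * (1 - q_ind) ** j * q_ind ** (m - j)
    return dist


def system_failure(groups: list, k: int, q: float, beta: float) -> float:
    """Probability that fewer than k trains are available in total.

    groups lists the size of each diverse group: [4] models four identical
    trains sharing one common-cause mode, [2, 2] models two diversified pairs
    (the 2 x 2 diesel-generator arrangement). Groups are assumed to fail
    independently of one another; within a group the beta-factor applies.
    """
    total = [1.0]  # distribution of the number of available trains so far
    for m in groups:
        g = group_distribution(m, q, beta)
        new = [0.0] * (len(total) + m)
        for i, p_i in enumerate(total):
            for j, p_j in enumerate(g):
                new[i + j] += p_i * p_j  # convolution of independent groups
        total = new
    return sum(total[:k])


def compare_layouts(q: float = 0.01, beta: float = 0.1) -> dict:
    """Failure-on-demand probability of the safety function for each layout.
    q and beta are illustration values only, not plant data."""
    return {
        "2x100%, independent": k_out_of_n_failure(2, 1, q),
        "4x50%, independent": k_out_of_n_failure(4, 2, q),
        "2x100%, common cause": system_failure([2], 1, q, beta),
        "4x50%, common cause": system_failure([4], 2, q, beta),
        "4x50%, diversified 2x2": system_failure([2, 2], 2, q, beta),
    }


if __name__ == "__main__":
    for layout, p in compare_layouts().items():
        print(f"{layout:26s} P(fail on demand) = {p:.2e}")
```

With the assumed q = 0.01 and beta = 0.1, the two common-cause cases both land near beta × q = 10⁻³ regardless of train count, while the diversified 2 x 2 layout is more than an order of magnitude better; this is the quantitative shape behind the chapter's "redundancy and diversification rules" that the design-stage probabilistic safety assessments are meant to confirm.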
30
Safety considerations on other nuclear installations
The pressurized water power reactors are not the only French nuclear installations considered as Basic Nuclear Installations*. These other installations are consequently required to comply with the same procedures. Two other power reactors are in service, the fast breeder reactors Phenix and Creys-Malville. The basic nuclear installations also include a certain number of fuel cycle facilities concerning, upstream from the reactors, uranium enrichment and fuel fabrication, and downstream, interim storage, spent fuel reprocessing, packaging and storage of reprocessing products and waste. Various different facilities, such as experimental reactors, research laboratories, large ionization plants and particle accelerators also come under this heading.

The basic nuclear installations grouped by type of activity are listed in Appendix D. The numbers indicated on the maps (Fig. 30.1. and 30.2.) correspond to the serial numbers of the installations in the relevant official equipment list. Only installations which were still operating at the beginning of 1995 are mentioned.

The safety approach adopted for the two fast breeders in service differs little from that described throughout this document. It obviously takes account of the specific characteristics of these reactors: the fuel is not in its most reactive configuration and a supercritical condition can be reached even without a moderator. In addition, coolant boiling can have a positive reactivity effect, whilst the other temperature-related reactivity coefficients remain negative. The use of a sodium coolant also entails special precautions. These various aspects have been considered since the design stage.

COGEMA (COmpagnie GÉnérale des MAtières nucléaires) is responsible for most of the fuel cycle industrial plants, notably the reprocessing plants.

* The Basic Nuclear Installations are defined in the amended decree of December 11, 1963 by a list of the categories of installations concerned. Minimum characteristics for some of them are then specified in application orders.
Fig. 30.1. CEA civil basic nuclear installations.
The front end of the fuel cycle involves exposure and contamination hazards for staff. Criticality incidents can result in high doses to staff, although radioactive release to the outside environment would remain extremely limited. At most of the other installations mentioned in this chapter, the most probable cause of substantial dispersion of radioactive products able to reach the general public is, in fact, a fire outbreak. However, the stage where the fuel is in powder-form can entail dissemination hazards within and beyond the plant. In uranium derived from reprocessing, the proportion of radioactive products is greater, although the authorized limit values are only 20 000 Bq/g for the β and γ emitters and 250 Bq/g for the α emitters. Special radiological protection measures are necessary, notably under normal working conditions. The high chemical toxicity of the hydrofluoric acid which can appear during the enrichment process obviously also requires precautions.

The bulk of the spent fuel reprocessing installations are now grouped on the La Hague site, at the northwest tip of the Cotentin. These are very large plants, most of which are recent. There are still a few older installations on the Marcoule site. They contain considerable quantities of radioactive substances but only take fuel elements which have been "cooled" for at least a year in the spent fuel pool of the reactor where they were irradiated. There are consequently no radioactive products with a half-life of less than about a month, such as iodine 131, for instance. There are, on the other hand, α emitters, which have particularly severe biological effects if dispersed and absorbed, especially by inhalation.

The safety analysis of these installations was developed methodically but, for historical reasons, was entrusted to groups other than those dealing with reactors. This results in approaches which may not be identical and differences of vocabulary. In particular, the defense in depth approach is not always referred to as such, although it is, on the whole, applied.

For radioactive waste management, a special approach is adopted based on a combination of sorting procedures and barriers. The sorting process separates α emitters from the other substances and isolates low level radioactive products and those where the decay time is below or equal to 20 or 30 years. The purpose of the successive barrier system is to guarantee the containment of these products for what may be very long periods and prevent all contact with water. These facilities are managed by ANDRA (Agence Nationale pour la gestion des Déchets RAdioactifs).
After the waste has been packaged in the plants where it is produced, the containers can be stored for more or less long periods pending final disposal. The experimental reactors are operated by the CEA, except for the Strasbourg University reactor (similar to Ulysse at Saclay) and the high flux reactor at the Laue-Langevin Institute at Grenoble. All these reactors were designed and constructed under CEA supervision, in compliance with the safety concerns prevailing at the time. The most powerful particle accelerators are also basic nuclear installations. The activities of these facilities can involve very high accidental exposure of staff but could not lead to substantial release to the environment. So the main problems are related to access control. For its research and development activities, the CEA uses a wide variety of radioactive product treatment and storage facilities, such as the "hot laboratories", where spent fuel is examined or reprocessing techniques investigated, and the different plutonium workshops, where fuel elements are produced notably.
Fig. 30.2. Other basic nuclear installations.
There are also industrial facilities, which include ionizers used, for instance, to sterilize surgical instruments or foodstuffs. It is because of the level of the radioactive sources they contain that they are classified as basic nuclear installations and not as plants classified on environmental protection grounds. Finally, the CEA and COGEMA have a certain number of basic nuclear installations classified on defense grounds. Their activities differ little from those of other laboratories, apart from the characteristics of the substances involved, and they are subjected to technical safety analysis in exactly the same way as civil plants. However, the decision and authorization bodies and channels are different. So the number of French nuclear installation operators is limited.
The research activities of many of these plants are such as to entail periodic changes in the configuration of certain parts of the plants. These may be minor alterations or more far-reaching modifications, depending on the new program planned and the necessary experimental conditions. A safety review by the operator and safety authorities is nevertheless required. In the rest of this chapter, we shall focus particularly on the CEA laboratories and workshops, even if many of these considerations are much wider in scope. Our intention is simply to give a few characteristic indications, since a detailed presentation of the safety approaches of such a variety of installations would need several volumes equivalent to the present one.
30.1. Safety organization changes at the CEA

The CEA safety organization structures were modified and more closely defined in recent years, at the same time as the government asserted its wish to further emphasize IPSN independence. The appointment of a General Inspector for Nuclear Safety at the CEA in 1990 and the inauguration of a Nuclear Safety Mission and a body of inspectors attached to the General Inspector for Nuclear Safety in 1991 clearly indicate the determination of the CEA to equip itself to fulfill its responsibilities as a nuclear operator, without reference to the IPSN. The setting up of nuclear safety cells with the directors of the centers and in the departments concerned stems from the same approach.

These innovations were accompanied by a more precise definition of responsibilities within the CEA, a vast internal program for the assessment of operating practices and the discrepancies between principle and practice, the gradual drafting of internal policy documents and recommendations for operators. Two extensive training schemes were set up. One for plant managers and safety cell engineers, concerning safety engineer training, and the other for all ranks of the relevant CEA staff members, concerning the circulation of basic safety culture elements, inducing the corresponding attitudes.
30.2. General safety approach

The aim of nuclear safety, which is to protect people and property against hazards related to the use of radioactive materials, must obviously be adhered to by all basic nuclear installations. Conventional hazards, such as chemical or electrical risks, also have to be included but are not considered in this document, except insofar as they can induce radioactivity-related risks. In this type of installation, such risks can have a far greater impact than in power reactors, since many of them deal with chemical transformations of substances which are themselves radioactive. Sound chemical training is consequently most important for operators in these plants. This is also the case for the IPSN analysts who have to carry out safety assessments.

In most of these plants, the workers are much closer to the radioactive substances than in power reactors, so it is these categories of personnel who are in danger of being the first and often the only victims of any incidents or accidents. The worker protection aspect is consequently far more extensively considered in the corresponding safety analyses. In addition, many actions are not automated but depend directly on staff know-how, so the qualification of such workers is particularly important. It must be remembered that, while the Chernobyl accident caused 31 deaths in a short time, smaller experimental reactors have also caused deaths among operators. Moreover, the chemical explosion in a radioactive waste storage tank at Kyshtym, in the Urals, in 1957, resulted in a substantial release necessitating the setting up of a 700 km² exclusion zone. There have also been deaths by exposure due to mismanagement of the access control systems of certain irradiators or accelerators.

A consistent safety level cannot be obtained for different types of installation by the enforced, mechanical generalization of the rules applicable to power reactors. The basic elements of this safety approach, and especially the defense in depth concept, must be carefully explained if the fundamentals of the approach (not necessarily its conclusions) are to be replicated for each specific installation, with suitable weighting and adaptation.
The few elements presented in this chapter can under no circumstances be considered as analysis guidelines which must simply be methodically followed to deal with all the safety problems of any given installation. Their purpose is to show the wide variety of questions which have to be asked to stimulate the imagination of the analysts and indicate a few unavoidable encounters. The tables in Appendix D show that very many of these plants are old and that a large number have already undergone safety reviews. Various incidents have resulted in examination of the operating conditions of some of these plants from the viewpoint of their general operating rules and then of the rules themselves. Guidelines for the definition of general operating rules for basic nuclear installations other than nuclear reactors were issued by the DSIN in 1992, after discussion with the operators. Guidelines for the revision of safety analysis reports on basic nuclear installations other than nuclear reactors and long term radioactive waste repositories are under discussion.
30 - Safety considerations on other nuclear installations
479
The account below follows more conventional lines, starting from design analysis before discussing operating conditions.
30.3. Safety objectives, notion of acceptability

Staff in fuel cycle laboratories and workshops often work in the immediate vicinity of radioactive substances, so day-to-day radiological protection is extremely important. This situation also necessitates detailed assessment of radiological conditions within these plants in the event of an incident or accident. Radiological protection under normal conditions is based on the ALARA principle together with that of regulatory limits. The principle of justification, which is the first element in the International Commission on Radiological Protection's code of conduct, is considered to be satisfied. Potential exposures resulting from accident conditions have to be examined to ensure that the operator's provisions are acceptable. This is based on an appraisal rather than on compliance with regulatory limit values*. The potential exposure discussions conducted by the ICRP over recent years come up against the fact that individual risks involve a severity term and a probability term, and that both terms can only be calculated with a substantial degree of uncertainty. The probability of release of a quantity of radioactive products which could have consequences for surrounding populations can only be assessed with considerable uncertainty, because it depends on the probability associated with the initiator, with the various events constituting the scenario and with the behavior of retention and containment systems. The uncertainty in such cases can reach several powers of 10. Moreover, since the Chernobyl accident, it is obvious that individual risks (the probability that death by cancer will ensue) are not an adequate basis for measuring the consequences of a nuclear accident.
The number of people involved, the upheavals in individual and collective life and the economic impact of countermeasures can themselves be deemed unacceptable without it being possible to link a proportionality factor with an exposure level in this context. In addition, such an approach disregards changes in the notion of acceptability which, as we have seen in the case of reactors, is by no means immutable.
* Cf. Chapter 1.
For many years, tables such as Table 4.1. were used as a reference for pressurized water power reactors. The maximum values given in this table for category 4 accidents (150 mSv whole body dose, 450 mSv thyroid dose) would now be considered excessive, despite the estimated initiator frequencies and the extremely pessimistic radiological impact calculations. Current trends favor more realistic methods for impact calculations, with inclusion of problems related to soil and foodstuff contamination. The lowering of acceptability levels can be partly offset by the more realistic assessment of what can be released, thereby reducing the discrepancy between plant safety demonstrations and the preparation of emergency plans. For reactors in particular, on the other hand, the range of situations considered has been extended to include conditions more severe than those initially adopted as the design basis. This is clearly shown in the description in Chapter 29 of the next generation reactor project. For the most recent spent fuel reprocessing plants (authorization decree of 1981), the operator proposed a graph presenting equivalent data to that given in the above-mentioned table. This method highlights assessment of the estimated frequency of a scenario rather than the notion of a bounding case accident representative of groups of incidents or accidents. Since this approach is basically probabilistic, the scenarios do not consistently feature conventional penalizing circumstances, such as application of the single failure criterion or a total power loss. Human failures are not generally included in determination of the estimated frequencies. This can lead to underestimated values, even if the phenomena considered are very slow-moving, which limits their impact. The limit population exposure values for the most severe accidents considered for plant design are the same as those imposed for power reactors. 
They obviously raise the same reservations and have never been formally approved by the standing group of experts assigned to these installations. Studies had made it possible to determine the quantities of radioactive substances which would produce these exposure levels. These values can be used to obtain rough estimates in this context. A 150 mSv dose is thus obtained at a distance of 2500 m from a release occurring 30 m above ground level, over a period of a few hours and involving any one of the following:
• 40 TBq (1000 Ci) of a mixture of long-lived fission products awaiting vitrification
• 10 g of plutonium
• 150 TBq (4000 Ci) of ruthenium 106
• 4 TBq (100 Ci) of iodine 129.
For more recent plants or during safety reviews, some of these values can give a preliminary indication, but instead of applying to design basis accidents, they apply to the extreme scenarios used to define the emergency plans.

In 1990, COGEMA filed an application for authorization to construct the MELOX plant, where MOX fuel elements are fabricated using a mixture of uranium and plutonium oxides. The operator presented a bounding case accident scenario resulting in a release to the environment of 4 g of plutonium. After discussion with IPSN and then with the standing group of experts competent to consider the scenarios envisaged, the means of controlling the sequence of events and the conservatism of the assessments, the potential consequences were reassessed at a release of 0.4 g. The authorization was then granted. These examples obviously fail to cover all the cases of laboratories and plants, which can contain a wide variety of radioactive materials. Since it is not possible to define fixed methods for radioactive substance transfer calculations valid for all installations, as was initially done for the PWRs, case-by-case appraisal of the pessimism of transfer assessments is an essential element in decisions as to the acceptability of installations. However, more conservative assessments can be used to determine qualification requirements for certain components or the measuring range of certain instruments. Not all accident scenarios are assessed in terms of probability and of consequences expressed as releases. Some have to be "precluded" on deterministic grounds, as in the case of criticality accidents or direct release into the ground. Similarly, demonstrating the very low probability of certain fires does not imply that the installation of fire detectors and extinguishers need not be examined. For example, division into fire sectors and a very low initiator probability were deemed inadequate provisions for certain La Hague cells containing solvents with a high radioactive content. Certain plants are nearing the end of their life span.
It may be felt that the provisions to be made for a few years, for example, with regard to protection against external hazards or other design basis elements (redundancy, emergency powering, etc.) could be more limited than for plants where the remaining lifetime is ten times longer. Such decisions are never applicable to operating conditions. The CEA was founded to develop and promote various applications of nuclear energy. Its credibility resides in the demonstration that safety in its own installations is entirely under control. This is an extremely demanding objective, especially for operating personnel. It implies reducing failure probabilities rather than limiting release, since conceivable release levels are, in most cases, low.
It is clear that, as in the case of the reactors, the current practice of assessing provisions made to limit incident or accident consequences is a step towards more realistic assessments coupled with a case-by-case acceptance basis. This trend highlights the dynamic character of safety and encourages those concerned to strive for the best reasonably achievable. On the other hand, this could complicate the task of designers and operators, who have no explicit pre-established references. It would also imply care on the part of the safety authorities to clearly prioritize the safety importance of all questions raised with the operators.
30.4. Risk potentials

Systematic safety appraisal begins with the identification of potential risks, which vary considerably from one plant or part of a plant to another. As can be seen from the following example, the quantity of radioactive material concerned is only one of the characteristic elements involved. The physical or chemical state of these materials must also be considered, together with the phenomena liable to dislocate them, which include possible energy-releasing reactions, the characteristics of transfer paths to man and the environment, and the biological effect of the different substances.

Here is an example. A storage tank for concentrated fission product solutions can contain 120 m³ of a highly radioactive solution (75 TBq/l, or 90 × 10³ TBq per tank). These tanks are installed in sealed, no-access cells. The heat produced by the radioactivity can reach 1 MW per tank and has to be removed to prevent the solutions from boiling and being released to the environment. The hydrogen concentration resulting from radiolysis must also be limited to prevent risks of explosion. The formation of deposits is prevented by a stirring system. All these functions may only be briefly interrupted, which implies standby equipment and power sources which must retain their full capacity, even under seismic conditions. Let us now consider a container filled with vitrified waste resulting from the calcination of 1 m³ of these solutions in a 150 liter glass matrix (400 kg). The dose rate in the vicinity of the containers is extremely high without protective shields (14 000 Sv/h on contact, 420 Sv/h at 1 meter). Handling these containers requires special protective equipment, and access to the storage zones is prohibited. Cooling is necessary (a maximum of 4 kW per container). The storage unit may contain several hundred containers, i.e. the contents of a large number of the tanks mentioned above.
It is so designed that natural air circulation keeps the temperature inside the containers below 510 °C, to prevent degradation of the encapsulation material. Safety requirements are satisfied without emergency or permanent heat removal systems if the heat produced by the radioactivity can be removed naturally. Seismic design, for example, is only concerned with providing for and maintaining natural circulation, and not with the normal ventilation and cooling systems.
30.4.1. Source characteristics

A wide variety of products are used in the installations considered in this chapter. These may be metals (uranium or plutonium), sintered oxides (especially in fuel elements), sources (cobalt 60, cesium 137), solutions (uranyl nitrate, plutonium nitrate, etc.), uranium or plutonium oxide powders, gases such as the uranium hexafluoride used for enrichment, or even glass. The physical and chemical transformation processes often involve dispersion risks. Most of these installations, on the other hand, do not produce new radionuclides, except via radioactive decay chains or in the event of criticality accidents. The materials used are well known, so that acceptable limits, together with the means of monitoring them, can be clearly defined. It is better, at the design stage, to maximize the postulated quantities and types of substances involved, in order to preserve safety margins and enable developing programs to remain within the authorized range. Finally, radiation from these different substances will reach man by different paths.

30.4.1.1. Physical state of radioactive products

Radioactive products may be in solid form, in which case they will not be easily dispersible without direct intervention. Safety and radiological protection will then consist in shielding from direct radiation and clearly indicating where these products are located. Those in powder, liquid, gaseous or volatile forms are more easily dispersed and require additional precautions.

30.4.1.2. Dispersion risks

Static containment, where necessary supplemented by dynamic containment, plays a special role in limiting dispersion hazards. This question is fully discussed in 30.5.1. Inefficient ventilation or a containment defect can lead to the dispersion of products in powder or gaseous form, but other dispersion phenomena also have to be considered. These include notably the chemical reactivity of products used for treatment or storage purposes, their solubility, fusibility and inflammability, the energy they have accumulated during treatment, the residual power due to radioactivity, and the effects of a fire outbreak.
Fire is one of the main causes of release to the environment. Experience shows that fire frequency is about 10⁻³ per room per year if there are both major initiators (especially electrical equipment) and easily inflammable materials. This particular hazard is discussed in 30.5.2. There are chemical risks in many fuel cycle plants and associated research laboratories. The use of inflammable solvents and the possibility of hydrogen release (notably by radiolysis of highly radioactive solutions) are major potential sources of explosion. In plants dealing with substantial quantities of fissile materials there are, in addition, criticality risks. But the context in this case is very different from that of the reactors, which are designed to control critical reactions. Although a criticality accident entails a major exposure hazard for workers in the immediate vicinity, owing to the γ and neutron radiation, it more rarely gives rise to dispersion phenomena. The prevention of criticality hazards is discussed in detail in 30.5.3.

The proportion of radioactive products liable to be dispersed in an accident situation can vary considerably, depending on the initial state of the material. Figure 5.1. summarizes the kinetics of fission product release from an irradiated uranium oxide pellet subjected to very high temperatures. But this is just one particular example, and a fire outbreak can disperse products which are in a less refractory form. The consequences of dispersion are moreover significantly influenced by the grain size of the particles released. Transfer of these products inside the installations is contingent on the ventilation provisions, the importance of which is evident in this context, together with the leaktightness of the various buildings. Environmental release conditions are discussed in Chapters 5 and 17. They naturally also apply to these installations.
30.4.2. Transfers to man and biological efficiency

The number of becquerels involved is not an adequate basis for assessment of the corresponding danger. The types of radiation and their energies will depend on the substances concerned. The notion of dose conversion factors is presented and illustrated in Chapters 5 and 6, but the numerical values indicated there pertain to noble gases and iodines. Protection from α and β radiation external exposure risks is easy, but β emitters deposited on the skin can cause severe burns (as was the case for the Chernobyl fire-fighters). Protection from X, γ and neutron radiation is more difficult.
The biological effects of radiation depend on its nature and energy and, in the case of inhalation or ingestion, on the organs in which these products accumulate. The ICRP publications provide full information in this respect. In the event of whole body external exposure, the effect of a 10 MeV neutron is 100 times greater than that of a neutron whose energy is 1 keV or less. The effect of cobalt 60 γ radiation is double that of cesium 137. In the case of intake via the respiratory or digestive tracts, widely differing effects can also be observed*. The product absorption factors have to be considered first, and then the biological effect of the quantities absorbed. For example, digestive absorption factors vary between 10⁻⁵ and 5 × 10⁻⁴ for plutonium, americium, neptunium or thorium, depending on the solubility and grain size of the chemical compound. For cobalt or tellurium, these factors are much higher, varying between 0.05 and 0.1. The dose commitments per unit of intake (DPUI, expressed in Sv/Bq) take into account the type of radiation emitted by each isotope, but also its behavior inside the organism and the sensitivity of the organs where it is likely to concentrate. For an adult, the dose commitment per unit of intake varies considerably, ranging from 1.8 × 10⁻¹¹ Sv/Bq for tritiated water to 1.2 × 10⁻⁶ Sv/Bq for polonium 210, with in between 3.4 × 10⁻⁹ Sv/Bq for cobalt 60, 1.4 × 10⁻⁸ Sv/Bq for cesium 137, 2.2 × 10⁻⁸ Sv/Bq for iodine 131, but 1.1 × 10⁻⁷ Sv/Bq for iodine 129 and 2.3 × 10⁻⁷ Sv/Bq for plutonium 238**. The becquerels emitted by the various radioactive substances are thus by no means equivalent. In addition, α emitters like neptunium, plutonium or americium are potentially far more harmful when ingested than in external exposure. An annual limit of intake by inhalation (ALI) is defined for each radionuclide; it is the inhaled activity resulting in an exposure equal to the annual exposure limit for workers.

The derived concentration limit for a radionuclide in air is the annual mean activity concentration of this radionuclide in the air inhaled that results in an inhaled activity equal to the ALI over 2000 working hours. Table 30.1. shows that, for the same number of becquerels of different substances, the quantity by weight to be found in the organism is proportional to the biological half-life, which reflects both the radioactive decay period of the substance and its retention time in the organism. The last column in the table gives the ALI inhalation values for workers as reassessed by the ICRP. They are taken from publication 68 (1995), the application of which is not yet mandatory in France.

* ICRP 67 (1994), ICRP 68 (1995), ICRP 69 (1995).
** ICRP 30 (1979).
Table 30.1. Annual limits of intake by inhalation for workers.

Radionuclide   Chemical form       ALI, Bq (ICRP 30)   ALI, µg (ICRP 30)   ALI, Bq (ICRP 68)
H 3            tritiated water     3 × 10⁹             8                   1.1 × 10⁹
Sr 90          insoluble           1 × 10⁵             0.02                2.6 × 10⁵
Tc 99          various forms       2 × 10⁷             3000                6.9 × 10⁸
Ru 106         oxide, hydroxide    4 × 10⁵             0.003               5.5 × 10⁵
Sb 125         various forms       2 × 10⁷             0.5                 5.9 × 10⁶
I 129          any forms           3 × 10⁵             500000              3.9 × 10⁵
Cs 137         any forms           6 × 10⁶             2                   3 × 10⁶
U 238          UO2, U3O8           2 × 10³             4000                3.3 × 10³
Np 237         any forms           2 × 10²             8                   1.3 × 10³
Pu 239         PuO2                5 × 10²             0.2                 2.4 × 10³
Am 241         any forms           2 × 10²             0.003               7.4 × 10²
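As an added illustration of the quantities defined above (this is example code written for this edition, not material from the book or from the ICRP), the following Python functions compute the committed dose of an intake from the dose commitment per unit of intake, derive an ALI from an annual dose limit, convert an ALI into a derived air concentration for 2000 working hours, and convert an activity into the mass of nuclide that carries it, which is what the microgram column of Table 30.1 expresses. The DPUI values and the ICRP 30 ALIs are those quoted in the text; the 0.05 Sv ICRP 30 worker limit, the 1.2 m³/h breathing rate, and the half-lives and molar masses are reference data assumed here, not values from the page.

```python
"""Dose per intake, ALI, derived air concentration and activity-to-mass.

Added example, not from the book. Numbers taken from the text: the dose
commitments per unit of intake (DPUI, Sv/Bq) and the ICRP 30 inhalation ALIs
of Table 30.1. Assumptions introduced here: the ICRP 30 worker annual limit
of 0.05 Sv, a breathing rate of 1.2 m3/h, and the half-lives and molar masses.
"""
import math

AVOGADRO = 6.02214e23
SECONDS_PER_YEAR = 365.25 * 86400.0
WORKING_HOURS_PER_YEAR = 2000.0       # stated in the text
BREATHING_RATE_M3_PER_H = 1.2         # assumption (reference worker)
ICRP30_ANNUAL_LIMIT_SV = 0.05         # assumption (ICRP 30 worker limit)

# Adult dose commitment per unit of intake, Sv/Bq, as quoted in the text.
DPUI_SV_PER_BQ = {
    "tritiated water": 1.8e-11,
    "Co-60": 3.4e-9,
    "Cs-137": 1.4e-8,
    "I-131": 2.2e-8,
    "I-129": 1.1e-7,
    "Pu-238": 2.3e-7,
    "Po-210": 1.2e-6,
}

# ICRP 30 inhalation ALI for workers, Bq, from Table 30.1.
ALI_ICRP30_BQ = {"H-3": 3e9, "Cs-137": 6e6, "Pu-239": 5e2}

# Physical half-life (years) and molar mass (g/mol): assumed reference data.
HALF_LIFE_Y = {"H-3": 12.32, "Cs-137": 30.17, "Pu-239": 24110.0}
MOLAR_MASS_G_PER_MOL = {"H-3": 3.016, "Cs-137": 136.9, "Pu-239": 239.05}


def committed_dose_sv(nuclide, intake_bq):
    """Committed effective dose of an intake: E = intake * DPUI."""
    return intake_bq * DPUI_SV_PER_BQ[nuclide]


def ali_from_dpui_bq(nuclide, annual_limit_sv=ICRP30_ANNUAL_LIMIT_SV):
    """Annual limit of intake: the intake whose committed dose equals the
    annual limit, i.e. ALI = limit / DPUI."""
    return annual_limit_sv / DPUI_SV_PER_BQ[nuclide]


def derived_air_concentration_bq_per_m3(ali_bq,
                                        hours=WORKING_HOURS_PER_YEAR,
                                        breathing=BREATHING_RATE_M3_PER_H):
    """Mean airborne concentration over the working year that leads to an
    inhaled activity equal to the ALI (the derived concentration limit)."""
    return ali_bq / (hours * breathing)


def mass_for_activity_g(nuclide, activity_bq):
    """Mass of pure nuclide carrying a given activity.

    A = lambda * N with lambda = ln2 / T1/2, so the mass for a fixed
    activity grows in proportion to the half-life, which is why the
    microgram column of Table 30.1 spans so many orders of magnitude."""
    decay_const = math.log(2.0) / (HALF_LIFE_Y[nuclide] * SECONDS_PER_YEAR)
    atoms = activity_bq / decay_const
    return atoms * MOLAR_MASS_G_PER_MOL[nuclide] / AVOGADRO


def table_check():
    """Recompute the ICRP 30 microgram column of Table 30.1 for three
    nuclides; returns micrograms of nuclide per ALI."""
    return {n: mass_for_activity_g(n, a) * 1e6 for n, a in ALI_ICRP30_BQ.items()}


if __name__ == "__main__":
    print("1 MBq of Cs-137 taken in:", committed_dose_sv("Cs-137", 1e6), "Sv")
    print("ALI for tritiated water from its DPUI:",
          ali_from_dpui_bq("tritiated water"), "Bq")
    print("Derived air concentration for H-3 (ICRP 30 ALI):",
          derived_air_concentration_bq_per_m3(ALI_ICRP30_BQ["H-3"]), "Bq/m3")
    for nuclide, micrograms in table_check().items():
        print(f"{nuclide}: {micrograms:.2g} microgram per ICRP 30 ALI")
```

Running the block reproduces the 8, 2 and 0.2 µg entries of Table 30.1 for tritiated water, cesium 137 and plutonium 239 to within rounding, and the ALI derived from the tritiated water DPUI comes out within 10 % of the 3 × 10⁹ Bq tabulated value, which is the consistency check a reviewer would make between the two sets of figures.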
30.5. Design bases

Without entering into details, it will be helpful at this point to describe certain basic design elements common to many of the new plants discussed in this chapter. In addition to provisions for the prevention of specific risks related to the process used, the plants usually comprise protective provisions with respect to external exposure hazards, containment, fire protection and control and, where necessary, the prevention of criticality risks.
30.5.1. Containment principles

The prevention of risks involving the uncontrolled dispersion of radioactive substances in the atmosphere and work premises is a major element in the safety of fuel cycle laboratories and plants. It usually involves two successive containment systems, each comprising one or several containment enclosures or barriers:
• the first containment system is intended to prevent, under normal operating conditions, dispersal of the radioactive materials used in the process to areas accessible to staff. It comprises the process equipment, surrounded by glove boxes when little or no penetrating radiation is emitted, or by hot cells when this is not the case,
• a second containment system, installed around the first one, is intended to limit the quantities of radioactive substances which could be released outside the workshops in the event of failure of the first system. It consists of the walls of rooms and buildings.
Each containment system comprises, in addition, ventilation devices ensuring air circulation from the areas accessible to staff, which should not be contaminated, to the areas where the process apparatus is installed. These devices thus assure dynamic containment, supplementing the static containment represented by the containment enclosures. As a rule, the process equipment and glove boxes are connected to special ventilation networks.
30.5.1.1. Static containment

The degree of leaktightness of a containment depends on the level of danger represented by the radioactive materials it contains and on the capacity of the process itself to constitute an efficient barrier. This level is estimated on the basis of the ratio of the activity of each radionuclide potentially involved to the annual limit of intake by inhalation (ALI) of this radionuclide. It is in fact this intake path which is considered the most penalizing for the health of workers in this type of plant. Glove boxes are classified according to tightness level (standard NF M62200), characterized by the hourly leak rate, which is the ratio of the hourly leak flow under normal conditions to the volume of the containment:
• class 1 corresponds to an hourly leak rate of 5 × 10⁻⁴
• class 2 corresponds to an hourly leak rate of 10⁻²
• class 3 corresponds to an hourly leak rate of 0.1
• class 4 corresponds to an hourly leak rate of 10.
A fifth class of containment is defined by an hourly renewal rate, which is the ratio of the ventilation flowrate under normal conditions to the containment volume, equal to 1. In this case, the air intake speed must exceed 0.5 m/s at all points, to prevent turbulence or discontinuities from reversing the direction of circulation. Special care must be taken to maintain containment during the transfer operations between the various enclosures occurring at different stages in the process, and during maintenance or waste removal operations.
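The definitions in this subsection lend themselves to a few small sizing calculations. The Python helpers below are an added example for this edition (not code from the book, the CEA or the NF standard): they compute the activity/ALI hazard ratio of an enclosure inventory, the leak flow implied by a tightness class and volume, a bounding figure for the activity that leak flow could carry, and the ventilation flow a class 5 enclosure needs to meet both the renewal-rate and the intake-velocity criteria. The text gives no numeric mapping from hazard ratio to tightness class, so none is invented here, and reading the 0.5 m/s criterion as an inflow velocity through the open area is an interpretation made for the example.

```python
"""Containment grading helpers for glove boxes (added example, not from the book).

Definitions follow the text: the hourly leak rate is the leak flow under
normal conditions divided by the enclosure volume (NF M62200 classes 1 to 4);
a class 5 enclosure is defined by an hourly renewal rate of 1 (ventilation
flow / volume) with an air intake velocity of at least 0.5 m/s; and the
hazard of an inventory is graded by the ratio activity / ALI per nuclide.
No mapping from hazard ratio to class is given in the text, so the caller
chooses the class.
"""

# Hourly leak rate by tightness class (per hour), from the text.
LEAK_RATE_PER_HOUR = {1: 5e-4, 2: 1e-2, 3: 0.1, 4: 10.0}
CLASS5_RENEWAL_RATE_PER_HOUR = 1.0
CLASS5_MIN_INTAKE_VELOCITY_M_S = 0.5


def hazard_ratio(inventory_bq, ali_bq):
    """Sum over nuclides of (activity in the enclosure) / ALI.

    Each term counts how many annual limits of intake the enclosure holds;
    the sum is the figure the text uses to grade the required leaktightness.
    A nuclide without an ALI is an error rather than being silently ignored."""
    unknown = set(inventory_bq) - set(ali_bq)
    if unknown:
        raise KeyError(f"no ALI for {sorted(unknown)}")
    return sum(activity / ali_bq[n] for n, activity in inventory_bq.items())


def leak_flow_m3_per_h(tightness_class, volume_m3):
    """Leak flow implied by a tightness class and an enclosure volume."""
    return LEAK_RATE_PER_HOUR[tightness_class] * volume_m3


def bounding_leak_bq_per_h(tightness_class, volume_m3, airborne_bq_per_m3):
    """Bounding estimate of the activity crossing the static barrier per hour:
    the enclosure air is assumed to carry the stated concentration and the
    whole leak flow is taken as outward (no credit for dynamic containment)."""
    return leak_flow_m3_per_h(tightness_class, volume_m3) * airborne_bq_per_m3


def class5_required_flow_m3_per_h(volume_m3, open_area_m2):
    """Ventilation flow a class 5 enclosure needs: at least one volume renewal
    per hour, and enough flow to sustain 0.5 m/s inward through all openings
    (taking the velocity criterion as applying to the open area is an
    assumption of this example)."""
    renewal = CLASS5_RENEWAL_RATE_PER_HOUR * volume_m3
    velocity = CLASS5_MIN_INTAKE_VELOCITY_M_S * open_area_m2 * 3600.0
    return max(renewal, velocity)


if __name__ == "__main__":
    # Constructed inventory; ALIs are the ICRP 30 values of Table 30.1.
    ali = {"Pu-239": 5e2, "Cs-137": 6e6, "H-3": 3e9}
    box = {"Pu-239": 5e4, "Cs-137": 6e6}
    print("hazard ratio (ALIs in the box):", hazard_ratio(box, ali))
    print("class 2 leak flow for a 1.5 m3 box:", leak_flow_m3_per_h(2, 1.5), "m3/h")
    print("class 5 flow for 2 m3 with 0.01 m2 open:",
          class5_required_flow_m3_per_h(2.0, 0.01), "m3/h")
```

The class 5 case is the instructive one: for a 2 m³ box with 100 cm² of open area, one renewal per hour asks for 2 m³/h, but holding 0.5 m/s through the opening requires 18 m³/h, so the velocity criterion, not the renewal rate, sizes the extraction.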
30.5.1.2. Dynamic containment

Since containment enclosures are not perfectly leaktight, ventilation systems are used to set up a series of areas of decreasing pressure, where the more harmful the radioactive materials in an enclosure, the lower the enclosure pressure. So enclosures featuring similar detrimental effects are grouped in one area of the workshop, the enclosures containing the process equipment are installed in a central zone, and these different areas are linked by a cascade of decreasing pressures from outer to inner zones, the outer zone itself being generally at a lower pressure than the environment. In this way, air leaks through the enclosures will normally be streamed to the central zone, thereby preventing the dissemination of radioactive substances to workshop areas normally accessible to staff, with all release to the environment being filtered beforehand. The ventilation systems of each zone are generally interconnected, forming low, medium or high subatmospheric pressure networks. The rated characteristics of the various ventilation systems will depend on the impact of their failure on workers and the environment. Redundancy and emergency powering requirements, for example, will be determined on this basis. It is also important to note that the ventilation network design must be such as to avoid creating weak points liable to facilitate fire propagation.
30.5.2. Protection against fire hazards

Fire protection has already been covered in 9.5 but, owing to the particular gravity of the risks involved in laboratories and manufacturing plants, it will be useful to discuss this aspect in the present context. A special basic safety rule was published in 1985 on this subject (RFS I.4.a). Protecting a workshop against all types of fires implies provisions for prevention, detection, intervention and limitation of consequences, in compliance with defense in depth requirements. Fire prevention and limitation precautions include selecting the materials used and present in a facility in such a way as to limit the quantity of combustible substances. This entails limiting the fire load per unit surface area represented by the structural materials and the fixed and movable equipment. Choosing non-flammable materials, such as steel, stone, plaster or concrete (class M0 materials), or materials which only burn on contact with an outside flame, like fireproofed PVC (class M1 materials), is obviously advantageous. Whenever possible, materials brought into the facilities should not increase the fire load to a mean level exceeding 400 MJ/m² nor involve local levels exceeding 600 MJ/m². Special precautions must be taken if these fire load density limits are not respected. Conventionally, the energy potential of 1 kg of wood is 17 MJ, which means that only 24 kg of wood are needed to reach 400 MJ.
Precise instructions should contribute to keeping the fire loads in each room within the prescribed limits, but deviations are always possible (unscheduled storage of solvents or packaging). So adequate margins must be taken in assessing the fire loads. The process control system should prevent risks associated with the ignition of gases, inflammable liquids or pyrophoric solids. This may entail inertization of the corresponding volume with a neutral gas, such as nitrogen or argon. Separating fire risk rooms from the rest of the workshop limits safety consequences and material damage. Separating safety related equipment rooms from the rest of the workshop reduces the risk of damage to this specific equipment. Obviously, redundant equipment should, wherever possible, be in separate rooms. If this is not the case in some of the older plants, compensatory measures may have to be taken. The separation itself is based on the definition of fire areas. The characteristics of the materials partitioning these areas will depend on the potential fire load density of the rooms concerned, and consequently on the possible duration of fires which could occur there and the temperatures reached. Figure 30.3., taken from RFS I.4.a, is used to estimate the fire duration and the temperature reached in a room from the heat load density data.

[Figure 30.3.: temperature (°C) reached and fire duration plotted against surface calorific potential (MJ/m²); the plot itself is not reproduced here.]

Fig. 30.3. Estimation of fire duration and temperature.
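The fire load density rule above is easy to apply mechanically but the "local" limit is the one that unscheduled storage breaks. The following Python code is an added example for this edition (not from the book or RFS I.4.a): it totals the energy potential of an inventory per zone, checks the 400 MJ/m² mean and 600 MJ/m² local limits from the text, and applies a margin factor on the inventory to stand in for the margins the text asks for. Wood at 17 MJ/kg is the text's conventional value; the other calorific values and the room layout are constructed for the illustration.

```python
"""Fire load density check for a room (added example, not from the book or
RFS I.4.a). Fire load density = sum(mass * calorific value) / floor area.
Limits from the text: 400 MJ/m2 on average over the room and 600 MJ/m2
locally; 17 MJ/kg for wood is the text's conventional value. The other
calorific values are illustrative assumptions.
"""

MEAN_LIMIT_MJ_PER_M2 = 400.0
LOCAL_LIMIT_MJ_PER_M2 = 600.0

CALORIFIC_MJ_PER_KG = {
    "wood": 17.0,      # from the text
    "paper": 16.0,     # assumed
    "pvc": 20.0,       # assumed
    "solvent": 40.0,   # assumed (hydrocarbon solvent)
}


def fire_load_mj(items, margin=1.0):
    """Energy potential of an inventory given as [(material, mass_kg), ...],
    multiplied by a margin factor covering inventory uncertainty."""
    return margin * sum(mass * CALORIFIC_MJ_PER_KG[mat] for mat, mass in items)


def wood_mass_for_load_kg(load_mj):
    """Mass of wood equivalent to a given energy potential (400 MJ is about 24 kg)."""
    return load_mj / CALORIFIC_MJ_PER_KG["wood"]


def assess_room(room_area_m2, zones, margin=1.0):
    """Check a room split into zones given as [(zone_area_m2, items), ...].

    Returns the mean density over the whole room, the highest zone density,
    and whether each respects its limit. Zone areas may not exceed the room."""
    if sum(area for area, _ in zones) > room_area_m2 + 1e-9:
        raise ValueError("zone areas exceed room area")
    loads = [fire_load_mj(items, margin) for _, items in zones]
    mean = sum(loads) / room_area_m2
    local = max((load / area for (area, _), load in zip(zones, loads)), default=0.0)
    return {
        "mean_mj_per_m2": mean,
        "max_local_mj_per_m2": local,
        "mean_ok": mean <= MEAN_LIMIT_MJ_PER_M2,
        "local_ok": local <= LOCAL_LIMIT_MJ_PER_M2,
    }


if __name__ == "__main__":
    # Constructed room of 50 m2: a wood-panelled 10 m2 corner, an unscheduled
    # 5 m2 solvent store (the kind of deviation the text warns about), and
    # 35 m2 of ordinary floor with some paper records.
    room = [
        (10.0, [("wood", 200.0)]),
        (5.0, [("solvent", 100.0)]),
        (35.0, [("paper", 50.0)]),
    ]
    print(assess_room(50.0, room))
```

In the constructed room the mean density is 164 MJ/m², comfortably under 400, yet the solvent corner reaches 800 MJ/m² and fails the local limit, which is exactly why the text keeps both criteria rather than a single room average.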
The fire area ventilation and containment systems must be so designed that, despite fire hazards, they will constantly maintain an adequate filtration capacity for all gases removed from these areas and will under no circumstances contribute to fire propagation. The pressure and temperature increases, together with the smoke produced by a fire, can disorganize air circulation in the workshop and possibly destroy the ventilation duct filters. Release to the environment could then ensue. A suitable automatic fire detection network must be provided, taking account of the fire risks involved, the potential consequences for safety and the presence of staff. Finally, fire-fighting apparatus must be to hand in order to contain a fire efficiently before there are significant consequences. Extinguishers may be fixed or mobile. Fixed devices, such as water sprays or halon or CO2 injectors, are notably used in areas where access is difficult. However, the use of water may be prohibited when there is a criticality risk, in which case non-hydrogenated extinguishing agents are used. Provision must also be made for the retention of liquid extinguishing agents which could be contaminated. Attention must also be given to explosion risks due to combustible vapors which may remain after the fire has been extinguished. As in the case of power reactors, fire risk control must not be limited to probable risk areas but must also cover areas where a highly improbable fire would have severe safety consequences.
30.5.3. Criticality risk prevention

In both power and experimental reactors, reactivity control is an intrinsic part of the reactor process, which requires critical state operating conditions and the possibility of controlled divergences. It is one of the safety functions of these installations. However, this has not prevented the occurrence of a certain number of criticality accidents on experimental reactors or at Chernobyl. In the fuel cycle plants, on the other hand, a critical state is to be avoided. However, it can be reached under certain conditions if there is a sufficient quantity of fissile material. This will give rise to exposure hazards, and possibly to mechanical effects, in a plant which is not equipped with suitable radiological shielding, with all the consequences that this could have, especially for the workers involved. The quantity of fissile material is consequently an important parameter in the definition of criticality hazards at these installations. It should be borne in mind that, since the onset of the nuclear era, about twenty criticality accidents have occurred in fuel cycle plants, causing the death of several operators and about twenty cases of severe exposure (seven in the United States, one in Great Britain and about twelve known in the former USSR). They are discussed in 30.7.3. Release to the environment has always been slight.

The main fissile isotopes are uranium 235 and plutonium 239. Other, less common, isotopes are also fissile: uranium 233, plutonium 241, plutonium 238, neptunium 237, americium 242 and californium 251. Their handling consequently requires special precautions. The conditions for a chain reaction are, of course, basically the same as in the case of the reactors. They entail:
• a sufficient quantity of fissile materials
• a sufficiently low quantity of neutron absorbing materials
• favorable geometrical features, restricting neutron out-leakage from the fissile medium
• possibly, a moderator material, reducing the energy of the fast neutrons resulting from fissions, thereby increasing the probability of further fissions.
30.5.3.1. Prevention of criticality risks
A plant is held in a sub-critical state by acting on these same conditions, or in other words, on one or several terms of the neutron balance: those limiting neutron production, those assuring their capture and those facilitating their out-leakage. It has to be ensured with adequate margins that in no conceivable configuration could critical conditions be reached.
Neutron production control
Neutron production is low if the number of fissile nuclei involved, i.e. the mass of fissile material, is small. Safety in this case is assured by controlling the mass. For example, there can be no criticality risk if the mass of plutonium 239 is below 510 g or if that of uranium 235 is below 820 g. The production of fissioning neutrons will also be slight if they are in an under-moderated medium. In this case, the likelihood of their leaving the medium without having fissioned is greater. The most effective moderator is hydrogen, in any chemical form (water, oil, solvent, plastic, etc.). But it is not the only one. Graphite and beryllium are also good moderators. For example, criticality will be reached in the following cases:
• more than 100 kg of uranium with a 93.5% isotope 235 enrichment for UO2F2 dry salt, but only 0.87 kg for the same salt in solution with the optimum concentration
• 27 kg of plutonium 239 for PuO2 oxide dry powder, but only 510 g for the same oxide dispersed in water under the same conditions
• about 10 g of californium 251 and about 23 g of americium 242 in aqueous solution.
Moreover, uranium in UO2 oxide form cannot be critical without hydrogen if the uranium 235 enrichment is below 6.6%.
Neutron leakage
Neutron out-leakage from the fissile medium is increased by adopting geometrical shapes such that the surface is large with respect to the volume. So small diameter, long, cylindrical recipients will be used rather than orthocylindrical recipients, or narrow parallelepipedic recipients rather than cubic or spherical tanks. Reflector materials placed round the apparatus can limit out-leakage of neutrons by reflecting them back to the fissile medium. Water and hydrogenated materials are excellent reflectors, but beryllium, lead and graphite are even more efficient. Finally, several adjoining items of apparatus containing fissile materials can exchange neutrons which leave one to produce fission reactions in another. These interactions can be limited by installing the apparatus sufficiently far apart or isolating them with reflectors or neutron-absorbing screens.
Neutron capture
Neutron capture by non-fissile materials is facilitated by use of nuclei which behave like neutron poisons. These are often boron, cadmium, gadolinium or hafnium. Other often encountered nuclei with a significant capture cross section are iron, nickel, chromium and copper, but also nitrogen, hydrogen, uranium 238 and plutonium 240. On the other hand, some nuclei, such as beryllium, zirconium and lead, have a negligible capture cross section. Neutron poisons can be used in the form of fixed solid screens, made of borated steel or hafnium plates, sheets of cadmium or borosilicate glass. They can also be used in the form of aqueous solutions of boric acid, potassium tetraborate, gadolinium nitrate, cadmium nitrate, etc.
Hydrogen is an excellent moderator but also captures some neutrons. A certain proportion of water has to be mixed with the fissile material to achieve optimum moderation (Fig. 30.5.). Beyond this proportion, only the capture rate increases and the overall multiplication coefficient decreases and departs from critical conditions (Keff = 1). Advantage can be taken of this effect by using highly diluted aqueous solutions, which are consequently fairly absorbent and moreover have a slight fissile material concentration. For example, there are no criticality risks with aqueous solutions where the plutonium 239 concentration is below 7.2 g/L or the uranium 235 concentration below 12.7 g/L, whatever the quantity and geometry used, but the solution must be and remain homogeneous. Any precipitation risk can lead to more favorable criticality conditions.
Fig. 30.4. Critical mass of U235 or Pu in aqueous solution.
Criticality risks must only be considered for plants using isotope 235-enriched uranium, plutonium or, in some cases, transplutonium elements. This risk can be considered as null in the case of natural uranium, since considerable quantities of uranium have to be carefully arranged in an environment containing graphite or heavy water before critical conditions can be reached. The Oklo phenomenon ("natural" reactor) could only have occurred in a geological age when natural uranium comprised about 3.6% of uranium 235, 2 billion years ago. Further to radioactive decay, the uranium 235 content of natural uranium is today known to be only 0.72%. Fuel cycle installations involving criticality hazards are thus mainly uranium enrichment plants, fuel fabrication workshops, spent fuel reprocessing plants and reactor spent fuel pits. But the numerous auxiliary installations must not be forgotten, such as the fissile material warehouses, the spent fuel examination laboratories, the workshops treating waste containing uranium or plutonium, the experimental process design workshops and fissile material transport packaging.
At both design and operating stages, any basic nuclear installation using quantities of fissile materials exceeding 600 g of uranium with U235 enrichment of more than 1 % or 350 g of plutonium must be the subject of a criticality risk assessment presented in the plant's safety analysis report. The operator must demonstrate that each unit concerned will remain sub-critical despite process dysfunction and possible risks of interaction between different apparatus. To ensure sub-criticality, the operator can refer to the principles adopted in basic safety rule I.3.C for design studies and modifications which may have to be made to existing plants. Detailed neutronic and technical studies, based on these principles, have then to be undertaken. Each modification of apparatus involved, whether its location, its environment or its operating conditions be concerned, shall only be implemented after examination of the consequences of these modifications on criticality hazards. This examination has to be implemented with the assistance of specialists of the risks incurred. Both the designers and operators have trained criticality experts. In addition, provision is made for special training in this respect for operating staff. The IPSN has made organizational provisions ensuring that its relevant research and advisory structures (the Critical Investigation Section of the Accident Prevention and Analysis Department) remain apart from those responsible for the opinions addressed to the safety authorities (the Criticality Assessment Office of the Safety Assessment Section for plants and laboratories of the Safety Assessment Department).
30.5.3.2. Choice of design principles
Depending on the plant or the part of the plant concerned, the control method may be based on limitation of the quantities of fissile materials concerned, the geometry of the recipients, the control of hydrogen in any form and its concentration or the presence of absorbents. The cases below give only a few specific examples. When control based on quantity is adopted, the boundaries of the parts of the installation concerned must be defined, where the mass of fissile materials must be controlled. Accounting systems and procedures must be set up at each boundary. This accounting system may be independent of that relating to the control of nuclear substances. For example, in a laboratory performing fissile product measurements and analysis, there may be an "in" compartment for products pending examination and an "out" compartment for products after examination awaiting removal. Quantity control can be performed in several ways. The simplest consists in limiting the total quantity of material inside the plant so that the critical mass is never reached, wherever a product is located, even in the event of an error. A new load can only enter after removal of the previous load in its entirety. In this case, no internal transfer monitoring would be necessary to prevent criticality hazards. If this method is too rigid, it would be possible to schedule two or three simultaneous loads, each located in a different compartment. This would require a transfer accounting system within the plant to ensure that the maximum admissible quantity could never be exceeded in any compartment. In plants where quantities are controlled by the size of the recipients (control by geometry), analysis and feedback show that difficulties arise in link elements between the geometrically safe components and the other parts of the plant, where the control system may be different (based on concentration, in particular). Valves on link elements between these different recipients or vacuum relief valves are especially important and need adequate design and monitoring provisions (double locking, double checking). Elsewhere, fissile materials must be in dry storage. So control of flooding and spraying hazards is particularly important. Surveillance of the entry of liquids into these storage areas by human error can also be based on well defined, stringently applied operating rules. On principle, a criticality accident should only be due to a two-fold failure, each element of which is deemed highly improbable, whence the extreme importance of detecting latent defects.
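As an added illustration, not taken from the book, the following ledger implements the two quantity-control schemes described above: a single load for the whole plant, admitted only after the previous load has left in its entirety, and several compartments each with its own maximum admissible mass and a transfer accounting system that refuses any movement which would exceed a compartment limit. The compartment names, the 300 g limit and the sample masses are constructed values for illustration, not results of a criticality study.

```python
"""Control-by-quantity accounting for fissile material (added illustration).

Models the two schemes of 30.5.3.2: a single load for the whole plant,
admitted only after the previous load has been removed in its entirety,
or several compartments each with its own maximum admissible mass and a
transfer accounting system so that no compartment can ever exceed it.
All limits and masses are constructed; they are not criticality study results.
"""
from __future__ import annotations

from dataclasses import dataclass, field


class TransferRefused(Exception):
    """Raised when a movement would breach a quantity control rule."""


@dataclass
class Compartment:
    name: str
    max_admissible_g: float                    # hypothetical limit from the criticality study
    loads: dict[str, float] = field(default_factory=dict)   # load id -> mass in grams

    def total_g(self) -> float:
        return sum(self.loads.values())


class QuantityControl:
    """Accounting boundary around one or more compartments."""

    def __init__(self, compartments: list[Compartment], single_load: bool = False):
        self.compartments = {c.name: c for c in compartments}
        self.single_load = single_load
        self.ledger: list[tuple] = []          # (action, load_id, mass_g, src, dst)

    def _check_fits(self, comp: Compartment, mass_g: float) -> None:
        if comp.total_g() + mass_g > comp.max_admissible_g:
            raise TransferRefused(
                f"{comp.name}: {comp.total_g() + mass_g:.0f} g would exceed "
                f"the admissible {comp.max_admissible_g:.0f} g")

    def receive(self, comp_name: str, load_id: str, mass_g: float) -> None:
        """Admit a load crossing the boundary from outside."""
        if self.single_load and any(c.loads for c in self.compartments.values()):
            raise TransferRefused("previous load not yet removed in its entirety")
        if any(load_id in c.loads for c in self.compartments.values()):
            raise TransferRefused(f"load {load_id} is already inside the boundary")
        comp = self.compartments[comp_name]
        self._check_fits(comp, mass_g)
        comp.loads[load_id] = mass_g
        self.ledger.append(("in", load_id, mass_g, None, comp_name))

    def transfer(self, load_id: str, src_name: str, dst_name: str) -> None:
        """Internal transfer: the destination limit is checked before anything moves."""
        src, dst = self.compartments[src_name], self.compartments[dst_name]
        if load_id not in src.loads:
            raise TransferRefused(f"load {load_id} is not recorded in {src_name}")
        mass_g = src.loads[load_id]
        self._check_fits(dst, mass_g)
        del src.loads[load_id]
        dst.loads[load_id] = mass_g
        self.ledger.append(("move", load_id, mass_g, src_name, dst_name))

    def remove(self, comp_name: str, load_id: str) -> float:
        """Take a load out across the boundary; returns its recorded mass."""
        mass_g = self.compartments[comp_name].loads.pop(load_id)
        self.ledger.append(("out", load_id, mass_g, comp_name, None))
        return mass_g

    def audit(self) -> bool:
        """Independent second check: replay the ledger and compare it with the
        compartment contents, so that a latent bookkeeping defect is exposed."""
        replay: dict[str, dict[str, float]] = {n: {} for n in self.compartments}
        for _action, load_id, mass_g, src, dst in self.ledger:
            if src is not None:
                replay[src].pop(load_id, None)
            if dst is not None:
                replay[dst][load_id] = mass_g
        return all(replay[n] == c.loads for n, c in self.compartments.items())


def refuses(action, *args) -> bool:
    """True if the ledger refuses the movement."""
    try:
        action(*args)
    except TransferRefused:
        return True
    return False


if __name__ == "__main__":
    # Laboratory with an "in" compartment for samples awaiting examination and
    # an "out" compartment for samples awaiting removal (constructed data).
    lab = QuantityControl([Compartment("in", 300.0), Compartment("out", 300.0)])
    lab.receive("in", "S1", 180.0)
    lab.receive("in", "S2", 100.0)
    print("third sample refused:", refuses(lab.receive, "in", "S3", 50.0))  # 330 g > 300 g
    lab.transfer("S1", "in", "out")
    lab.receive("in", "S3", 50.0)                                            # "in" now holds 150 g
    print("ledger consistent:", lab.audit())
```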
30.6. Safety analysis of an installation
Once potential risks have been identified, the relevant successive defenses in the plant examined have to be determined, including the provisions for mitigation of the consequences of credible failures. Providing a suitable number of static or dynamic (ventilation) barriers is a major element in the prevention of radioactive substance dissemination in this type of plant. After examination of the impact of internal hazards, such as fires and floods, and external hazards, such as earthquakes or aircraft crashes, safety related functions can be determined and the requisite characteristics of the corresponding systems, structures and equipment can be defined accordingly. If the safety functions are expressed in the same way as for power reactors, the containment of radioactive products will be covered, but also, explicitly, worker and possibly environment protection against direct or indirect exposure. Certain plants are concerned by issues such as the control of criticality risks or of residual heat removal. Control of the physico-chemical process characterizing each plant is necessary to prevent dispersion phenomena. It is specific since the processes used are extremely varied.
30.6.1. Analysis of failure modes
The operating principle of power reactors may be considered as relatively simple. In addition, an overall functional analysis of PWRs was completed at the end of the 1960s, when this reactor type was adopted in France. A list of design basis accidents was available, even if the probability of certain initiators, such as steam generator tube breaks, proved to have been underestimated. New scenarios were added much later, derived notably from probabilistic studies and operating feedback and including situations leading to the possibility of sudden injection of unborated water into the reactor core, as a reminder that vigilance must be constant. All the plants considered in this chapter are covered by safety analysis reports, but their diversity is such that they have not all benefited from systematic investigation follow-through, especially the older installations. This type of research is obviously a requirement for new projects. Its extent, in all cases, will depend on the potential risk level. Many CEA plants other than reactors use processes which are not remote-controlled from a control room. Workers are in the immediate vicinity of radioactive substances. It is consequently even more important for these plants than for reactors to finalize an approach based on analysis of the physical system involved and its operating safety as derived from examination of the main activities and the associated reliability level. Certain designers and, in recent years, the engineers responsible for safety in the CEA plants, use analysis methods developed for industrial plants, including notably AMDEC* (Analyse des Modes de Defaillance et de leur Criticite) and MOSAR (Methode Organisee et Systematique d'Analyse des Risques), also used for training purposes.
These methods, basically designed to study workstation safety rather than environmental protection, are nevertheless compatible with a systematic approach, despite the fact that interactions between different parts of a plant are not taken into account. They moreover do not restrain initiative on the part of those who use them. They are generally not presented in detail in plant safety documents. These methods also constitute the first stage in reliability studies, where they are often used to show that the probability of certain scenarios is low enough for them to be disregarded. The validity of the failure rates used for the equipment must then be checked, together with the method of dealing with common mode failures and human actions.
* AMDEC, in nuclear safety circles, is known as "analyse des modes de defaillance et de leur consequences" to avoid confusion with the specific risk of criticality.
Applying these methods by no means exempts operators from compliance with defense in depth requirements, involving a certain number of postulated failures with definition of mitigating measures with regard to the consequences.
30.6.1.1. Direct internal failures
The study of failure modes should enable determination of a plant's normal operating range, allowing adequate margins with respect to the wider safety range. For plants with changing activities, an operating condition envelope is advisable to accommodate operator requirements. This study leads to definition of a list of conceivable internal failures from which bounding case scenarios will be selected for the safety demonstration based on a limited number of representative incident and accident sequences. Appraisal of the acceptability of the corresponding consequences is assisted by classification in descending order of probability, where the most likely incidents and least probable accidents are clearly distinguished. The systems for plant surveillance and protection and for the mitigation of consequences can then be defined. Phenomena kinetics constitute an essential element, used to determine what should be entrusted to staff and what should be automatic. This element considered in conjunction with the severity of postulated failure consequences is then used in determination of redundancy and emergency powering requirements. In accordance with defense in depth principles, scenarios deliberately excluded on improbability grounds but which could theoretically result in significant release levels, must also be examined at this stage to check that adequate provisions have been made.
30.6.1.2. Internal hazards
The assessment of risks related to fires (cf. 30.5.2), floods and load dropping is obviously necessary to determine preventive measures and suitable methods of limiting the consequences. In many plants, there is much handling activity. Related risks concern the dispersion of products being transferred, breaks in biological shielding or damage to structures and equipment allowing the dispersion of radioactive products. Reliability justification data for handling equipment is sometimes not very convincing.
30.6.1.3. External hazards
Basic safety rule I.1.b proposes that each workshop be so designed that the overall probability of its giving rise to unacceptable release remains below 10⁻⁶ per year. So each family of hazards liable to contribute one-tenth of this value must be considered. This concerns notably aircraft crashes and external explosions. These probability values are approximations for guidance. For a preliminary analysis, the average overall assessments of aircraft crashes on French territory, as mentioned in 10.2.1 (a few 10⁻¹⁰ per year and per m² for general aviation), give an idea of the probability of impact. This must be considered in conjunction with the virtual area of the buildings the destruction of which would lead to unacceptable consequences, which refers back to the safety objectives defined in the basic safety rule. Dividing a plant into sufficiently small units that the result would be consistently below 10⁻⁷ per year would, on the other hand, be a misuse of the method. Protection against external explosions requires an inventory of explosion possibilities, whether these be related to transport of explosive products, ductwork or adjoining installations, together with the corresponding distances and thereby the credible overpressures. Results can then be compared with the estimated overpressure resistance of the buildings concerned. Wave reflection possibilities must not be overlooked. In addition, it must be remembered that the first meteorological statistics date back only about a hundred years and that the Snow and Wind Rules do not cover truly exceptional conditions. So suitable safety coefficients must be used. Finally, seismic hazards cannot be accurately assessed in terms of probabilities for contexts involving values below 10⁻⁴ per year. So a deterministic method is used. Plant seismic protection entails sizing both the equipment concerned and the structures containing and supporting it to withstand the corresponding stresses.
It is also important to ensure that equipment or structures the failure of which would not directly cause release could not damage equipment the destruction of which could result, for instance, in substantial release or a criticality risk. For plants with a low risk potential, the direct radiological consequences of their failure in the event of an earthquake could be "negligible", considering the probability of occurrence of the event. But care must be taken to consider food chain and soil contamination hazards when appraising the acceptability of provisions made. The same considerations are also valid for external flooding.
30.6.2. Determination of safety related elements
Analysis of failures related to processes or hazards, due to human error or equipment malfunction, provides a basis for definition of safety related elements. In reactor safety vocabulary, the expression "safety class" is used. It implies the existence of several safety levels. The distinction is not systematically appropriate, but is a way of prioritizing efforts, which is always more realistic. Article 1 of the ministerial order on quality* which is included in the regulations applicable to all basic nuclear installations is as follows: "The owner (operating organization) of a basic nuclear facility shall see to it that a quality consistent with the importance of its functions for safety, in the sense of the aforesaid decree of March 13, 1973, is defined, achieved and maintained for the following items:
• structures and equipment
• assemblies thereof
• operating conditions of the facility.
To this end, the owner shall see that a system is implemented to define, achieve and maintain the quality of these items, to control its achievement and maintenance and to analyze and correct any deviations."
It is the plant safety analysis which enables determination of the structures, components, equipment and interconnecting assemblies which are safety related elements, with each of which can then be associated a specified quality level. The plant operating conditions influencing safety are included in the quality related activities, which go well beyond the operating field, since they also cover design, construction and maintenance, for example. Specified requirements are associated with these activities.
30.6.3. Specified quality
Plant safety analysis enables identification of safety related elements by considering the possibilities of failure of the installation itself, the possibilities of internal or external hazards, the preventive provisions and measures for the mitigation of consequences. This analysis should result in definition of the requirements to be respected in each case. The equipment safety importance principles discussed in 7.1.3 apply in this context with the requisite adaptations to take into account the characteristics of each installation and the overall analysis conclusions. In particular, if all safety class equipment in a PWR is redundant, emergency-powered and designed to withstand an SSE with suitable criteria, this may not be necessary for certain safety related components in other plants. The kinetics of phenomena liable to cause release are a particularly important factor in assessing redundancy or emergency powering requirements.
*Cf. Appendix B.
30.6.3.1. Functional and qualification characteristics
Here again, the considerations in 7.1.4, 7.1.5 and 7.1.6 can provide guidelines for application of design codes for civil works, mechanical and electrical equipment, taking possible load combinations into account. In many plants, seismic damage could be tolerated provided overall containment is satisfactorily guaranteed. Special rules, such as those concerning ventilation, for example, are particularly important for a large number of installations.
30.6.3.2. Other deterministic assumptions
Experience shows that, in the case of very large plants, certain chemical phenomena related, for example, to impurities, may not come to light in the prototype. These impurities, which would have no effect in a small installation, can, with the same concentrations, reach significant quantities by weight liable to cause unexpected phenomena and induce unfavorable situations. An example is the isotopic enrichment plant where the fluorination agent can react with very low leakage from a large number of compressors. This reaction produces fluorocarbonated elements which condense at the only bleed point and are explosive in liquid form when a sufficient quantity has accumulated. This is another case of the possibility of occurrence of situations which were not identified at the design stage, justifying precautions for extreme bounding case situations, characteristic of the fourth defense in depth level.
30.7. Operating safety
It is only in very exceptional cases that design provisions for the installations discussed in this chapter guarantee intrinsic safety. So the safety aspects of operating conditions also require very careful attention, especially in plants where reliance on human intervention far exceeds the utilization of automated systems, which is the case in many laboratories.
30.7.1. General Operating Rules
The general operating rules and resulting operating instructions and procedures are designed to organize compliance with defense in depth principles in operating activities, using a form and language directly accessible to operating personnel. Many detailed documents may not be included in the general operating rules themselves, but mention must be made of how these documents are drafted and approved, together with their references. The rules must contain the operating elements enabling prevention of incidents and accidents and limitation of their consequences, pertaining to plant operation organization, the responsibilities and training of staff at the various levels, definition of the authorized operating range and the normal operating documents with the corresponding instructions. Also included will be the general safety instructions for the prevention of non-radiological incidents or accidents, some of which, however, could cause radiological incidents, particularly fire and explosion hazards and handling operation risks. General instructions for the prevention of criticality risks should be included in all cases where the installation could contain fissile materials. General radiological protection instructions are systematically included. Provisions for plant control and surveillance, aimed at ensuring that it remains within its authorized operating range, shall be defined in this document, together with the periodic test and maintenance schedules for the corresponding elements. Instructions will also be given relevant to operation under incident or degraded conditions. Guidelines for the elaboration of general operating rules for basic nuclear installations other than nuclear reactors were proposed by the DSIN in 1992. They constitute a reference for the drafting and updating of the corresponding documents for existing plants.
The CEA Nuclear Safety Mission proposed a scheme to CEA plant managers, comprising detailed organizational instructions regarding the data to be presented, taking acquired experience into account, with a view to constituting an unequivocal contract with the safety authorities, without undue complexity of application. Special care is needed for definition of the authorized range for plants with little automation and of the procedures derived from the general operating rules. These procedures must be drafted in collaboration with the users themselves, taking into account the training they have received to prevent the gap between practice and reference documents from widening. Several workstation and procedure studies carried out by human factor specialists have shown that operators implement provisions other than those defined in the procedures with a view to reducing fatigue or condensing slack periods. If no safety impairment is involved, these practices should be preferred. It is in any case important that operator free intervals be sufficiently explicit.
30.7.2. Incident detection and analysis
Significant incident and accident detection and analysis are the responsibility of the operators, but a set of criteria in this respect has been defined by the DSIN further to consultation with the operators and the IPSN.
30.7.2.1. Reporting criteria
Significant incident and accident reporting criteria were issued in 1983, formulated for the basic nuclear installations operated by the CEA, thus now covering the COGEMA plants. These criteria are as follows:
• the moving of dangerous substances, whether radioactive or not, thereby creating a situation which diminishes the plant safety condition or entails significant risks for workers, the public or the environment
• incidents or accidents, whatever their severity, in all cases where they could give rise to erroneous or malicious interpretations on the part of the media or the general public
• malevolent acts or threats thereof liable to affect plant safety
• internal or external hazards, involving either natural phenomena or human activities, which have actually affected or could potentially affect plant safety to a significant degree
• accidents or incidents, whether nuclear or otherwise, which have caused death or serious injury
• noteworthy incidents or accidents which have resulted in loss of the functions of all barriers separating dangerous substances from people and in dispersion of these substances
• incidents or accidents which, although they have not affected all barriers, have or could have resulted in significant dispersion of dangerous substances or significant exposure of people to ionizing radiation, inside or outside the plant
• defects, degradations or failures having affected an essential safety function which had, or could have had, significant consequences, whether these were detected during plant operation or at shutdown. This applies notably to significant defects, degradations or failures affecting one of the barriers, one of the systems associated with the barriers or one of the protection or emergency systems such as the back-up power supplies
• incidents which have resulted in the overstepping of one or several safety limits, as defined in the technical instructions, or in a common mode failure affecting safety related systems
• even minor incidents, which affect a safety related function, which tend to be repetitive and the cause of which has not been identified, or which could be accident precursors
• any other incident or accident considered significant by the operator and reported as such.
The tenor of this list is similar to that given in Chapter 23. Reporting should be immediate in the event of fatal accidents, significant exposure to ionizing radiation, noteworthy levels of unscheduled release or risks of misinterpretation. In other cases, reports should be telexed within 24 working hours, depending on the contents. A detailed account should then be sent within one month, extended in most cases to two months.
30.7.2.2. Incident analysis reports
The same DSIN document provides general information as to the contents of incident analysis reports to be prepared by the operators. The training sessions organized over the last few years by the CEA nuclear safety mission have inculcated certain systematic analysis methods, resulting in a significant improvement of the analyses made by plant supervisors and in clearer reports.
30.7.2.3. Incident analysis by IPSN
Considering the wide variety of plants, it is more difficult to group incidents than in the case of nuclear power plants. So IPSN prioritizes checking that the root causes of each significant incident have been dealt with and that adequate corrective measures have been taken or provided for by the operators within reasonable periods of time. However, there is an IPSN-maintained database grouping significant incidents which have occurred since 1970 in French basic nuclear installations other than power reactors. It now contains about 1000 items.
30.7.3. Elements of world operating feedback
For many years, a number of fuel cycle plants, especially those dealing with reprocessing, were classified on military grounds. However, information on accidents concerning them has gradually become available.
In this context, we would mention the following eight criticality accidents which caused death or severe injury:
• Oak Ridge USA 1958, transfer of a uranium solution to a vessel of unspecified geometry, followed by injection of water during a leak test.
• Los Alamos USA 1958, plutonium solution remains from three tanks were transferred to a single tank. Criticality was reached when a mixer was set in motion.
• Idaho Falls USA 1959, inadvertent siphoning of a highly enriched uranium solution from a safe geometry vessel to a liquid waste tank.
• Idaho Falls USA 1961, transfer by air bubble of a highly enriched uranium solution from a safe geometry evaporator to a large diameter cylinder.
• Hanford USA 1962, overflow of concentrated plutonium solution from a safe tank to a recipient 45.7 cm in diameter.
• Rhode Island USA 1964, inadvertent transfer of an enriched uranium solution to a recipient of unspecified geometry.
• Windscale GB 1970, introduction of an organic solvent of unknown origin into a transfer tank; floating over an aqueous plutonium solution, the emulsion zone in contact with both liquids reached critical conditions.
• Idaho Falls USA 1978, increase in the uranium concentration by gradual lowering of the alumina nitrate concentration.
In Western countries, there have been no more recent examples of criticality accidents, which may be due to more systematic consideration of this risk at the design and construction stages. On the other hand, precursors have been identified, all resulting from analysis shortcomings rather than criticality study computation errors.
30.8. Plant end of life

It is customary to include dismantling in the list of regulatory stages for basic nuclear installations. Provision is in fact made for special authorization applications for dismantling, with remittance of specific safety analysis reports. The problems raised are very different from those covered by the previous authorizations, since the fuel elements or most of the radioactive material deliberately installed in the plant will have been removed. For plants where there have been no particular accidents, there will remain contamination and possibly radioactivity induced in structures subjected to neutron irradiation, thus concerning mainly the reactor vessel in light water reactors. Three Mile Island 2 could be restored to an equivalent condition after ten years of work. Chernobyl 4, on the other hand, is in a far more difficult situation.
French experience concerns a certain number of reactors, including one PWR (Chooz A), and various laboratories (Elan IIB, AT.1). None of them had undergone a significant accident. It is known, on the other hand, that chemical decontamination processes can lead to dissemination due to explosion, in circumstances which may not have existed in the operating plants.
30.8.1. End of life stages

The end of life of a basic nuclear installation is marked by administrative proceedings (decommissioning), followed by dismantling, which is a series of technical operations, usually performed in stages. Decommissioning modifies the status of the installation. It may imply simply closure of the plant with continued surveillance by the operator until all radioactivity has been eliminated, so that, theoretically, the site can be reused with no particular constraints. The IAEA specifies three different dismantling stages:
1 - Storage with surveillance (stage 1) follows decommissioning and corresponds to removal of radioactive materials, such as fuel elements. At this stage, most of the radioactivity is removed. Buildings comprising radioactive materials or equipment are isolated and surrounded by a containment shell. Radioactivity is monitored inside and outside the plant, since certain degradations could result in the dissemination of radioactive products. Dismantling a limited part of the plant leads to stage 1 "reinforced".
2 - Restricted site release (stage 2) corresponds to reinforced containment of radioactive equipment and smaller containment areas. All equipment which can easily be dismantled is decontaminated and removed, but what remains still constitutes a basic nuclear installation. Reactor primary systems are the subject of special containment provisions. Periodic inspections continue.
3 - Unrestricted site use (stage 3) corresponds to the complete dismantling of the plant and the refurbishing of the site for other uses. This can take 40 to 50 years if large metal components like the reactor vessel have been severely irradiated, leading to an accumulation of cobalt 60. If the site is to be reused for nuclear purposes, the interim storage there of certain heavy, radioactive components is possible. This implies continued periodic inspections.
Theoretically, the nuclear character of the site could be annulled if it can be demonstrated that all radioactive elements have been removed to a suitably equipped interim storage center and that there is no particular soil contamination (the level in this case is not yet defined). The site could then be considered as having reverted to its natural condition, where no specific site surveillance is required.
30.8.2. Dismantling and safety

The safety problems raised by the dismantling of plants are highly specific and are often remote from those raised during operation. The risk of accidents liable to cause harm to populations and the environment due to radioactive products can be practically excluded when there is neither residual power nor pressure. On the other hand, dismantling often involves chemical operations. So provision must be made for the risk of remobilizing radioactive substances which had become immobile, and for the resulting fire and explosion risks to which workers would be exposed, justifying the preservation of certain ventilation systems and continued surveillance. Even the dismantling and cutting up of piping and tanks can disperse radioactive dust. Radioactive waste management must also be closely considered. It is currently the subject of extensive discussion, notably with regard to very low level waste. Contaminated pipes can be melted down to reduce their volume and obtain a degree of radioactive product separation. Concrete structures can also be demolished, but the resulting waste must be stored in centers with monitoring provisions. In both cases, the best solution would be to use them as basic construction materials for new nuclear plants, which would keep them inside installations necessarily equipped for radiological surveillance.

30.9. Conclusion of this chapter

The different examples mentioned in this chapter give an idea of the diversity of nuclear installations with regard to radioactivity related risks. The quantities and harmfulness of the substances involved vary considerably, as do the possible sources of dispersion of these materials. A methodical safety analysis approach is indispensable if the provisions made are to match the real hazards involved.
Conclusion

Nuclear safety is a difficult subject where there are doubtless no limits to the search for improvements. But once overall objectives and their fields of application have been defined, efforts must be proportional to the risks involved. The difficulty lies in the fact that technical risk appraisal depends on a continuous process and can consequently never be considered as exhaustive. A brief time history will make this clearer.
At the beginning of the 1970s, plant design was based on a three-level defense in depth concept: good design, good surveillance provisions and engineered safeguard systems to limit the consequences of postulated accidents. Duplicating safety related systems was considered sufficient.
In the mid-1970s, probability studies of total failure of these systems and the associated consequences showed that duplication was not an entirely satisfactory solution, with the result that provision was made for complementary measures to contend with these multiple failures.
In 1979, the Three Mile Island accident demonstrated that cumulated failures could lead to far more serious consequences than those considered at the design stage, without calling the overall approach into question. Operating procedures were then reviewed and vastly modified. This was followed by the development and integration of systems capable of limiting the probability and consequences of severe accidents.
In 1986, the Chernobyl disaster, although it occurred in a reactor of totally different design from those used in Western countries, nevertheless highlighted the organizational difficulties raised by a severe accident situation. Moreover, this accident led to a review of reactivity accident provisions, with the gradual discovery of several significant scenarios which had not been previously identified and the subsequent implementation of requisite preventive measures.
Meanwhile, the publication of probabilistic safety studies evidenced risks related to outage situations, seeming thus to confirm trends suggested by operating feedback.
Moreover, throughout almost twenty years of operating experience, incidents with systematically limited consequences revealed other actual or potential difficulties. Equipment or operating condition adaptations were made accordingly. However, neither the Three Mile Island accident nor the Chernobyl accident, nor daily operating feedback has brought to light safety aspects inaccessible to cool-headed prior analysis. But the engineers contemplating their plants and manuals are no match for "nature", always one step ahead in inventing the unforeseen. As regards the role of man and the associated man-machine interfaces, things have changed on the same scale. It took the Three Mile Island accident to bring home the full "weight" of human factors in safety problems. The Chernobyl accident resulted in development of the safety culture notion and showed that not only operators are concerned by it. Deep discussion leads to changes in certain organizational structures where these are necessary to clarify responsibilities and motivate the teams concerned. It is easier to characterize the stages in technical progress than the efforts made by and for men. This is clear from the disproportion between these two aspects in both this chronological overview and throughout the document. But this disproportion is not representative of reality. One of the underlying purposes of this document was to provide incentive, showing that by refusing complacency in all circumstances, difficult situations can be prevented rather than controlled once they have arisen. With a few adaptations, the nuclear safety approach could be applied to most potentially dangerous industrial plants and, more generally, to the control of a large number of hazards. He who asks no questions receives no unpleasant answers. It is both the honor and the obligation of those who play a role in nuclear safety to accept to be called into question, which is simply applied safety culture. 
A lull in these commitments could bring, sooner or later, here or there, a rude awakening.
Appendix A. Basic safety rules
A.1 Rules concerning pressurized water reactors (June 1995)

I-2-a   Hazards related to aircraft crashes (August 5, 1980)
I-2-b   Risks of emission of missiles following bursting of turbogenerator sets (August 5, 1980)
I-2-c   Calculation of seismic motions to be considered in safety analysis (October 1, 1981)
I-2-d   Hazards presented by the industrial environment and transportation routes (May 7, 1982)
I-2-e   Hazards related to external flooding (April 12, 1984)
I-3-a   Application of the single failure criterion in safety analyses (August 5, 1980)
I-3-b   Seismic instrumentation (June 8, 1984)
I-3-c   Site geological and geotechnical studies, determination of ground characteristics and soil response studies (August 1, 1985)
II-2-2-a   Design of the containment spray system, revision 1 (December 31, 1985)
II-3-8   Construction and operation of the main secondary system (June 8, 1990)
IV-1-a   Classification of mechanical components, electrical systems and civil works structures (December 21, 1984)
IV-2-a   Requirements to be taken into account when designing safety-related mechanical components conveying or containing pressurized fluid and classified as level 2 or 3 (December 21, 1984)
IV-2-b   Requirements to be taken into account in the design, qualification, startup and operation of electrical equipment for safety-related electrical systems (July 31, 1985)
V-1-a   Determination of radioactivity released from fuel to be considered in accident safety analysis (January 18, 1982)
V-1-b   Meteorological instrumentation (June 10, 1982)
V-2-b   General rules applicable to civil works (RCC-G) (July 30, 1981)
V-2-c   General rules applicable to the construction of mechanical equipment (RCC-M), revision 1 (September 12, 1986)
V-2-d   General rules applicable to the construction of electrical equipment (RCC-E), revision 1 (September 23, 1986)
V-2-e   General rules applicable to the construction of fuel assemblies (RCC-C), revision 1 (October 25, 1985)
V-2-f   General rules applicable to fire protection (RCC-I) (December 28, 1982)
V-2-g   Seismic design for civil works (December 31, 1985)
V-2-h   General rules applicable to civil works (RCC-G) (June 4, 1986)
V-2-j   General rules applicable to fire protection (November 20, 1988)
Report SIN 3130/84, dated June 13, 1984, concerning the conclusions reached after examination of the document entitled "Design and Construction Rules for PWR nuclear power plants (rules concerning 900 MWe units, RCC-P 900) procedures" (ref. code RCC-P).
A.2 Rules concerning basic nuclear installations other than reactors (June 1995)

I-1-a   Hazards related to aircraft crashes (October 7, 1992)
I-1-b   Hazards presented by the industrial environment and transportation routes (October 7, 1992)
I-1-c   Calculation of seismic motions to be considered in safety analysis (October 7, 1992)
I-2   Safety aims and design bases for surface installations intended for the long term storage of short or medium half-life solid radioactive waste, of low or medium specific activity (November 8, 1982; revision 1, June 19, 1984)
I-2-b   Ionizer design bases (May 18, 1992)
I-3-c   Prevention of criticality hazards (October 18, 1984)
I-4-a   Fire protection (February 28, 1985)
II-2   Design and operation of ventilation systems in basic nuclear installations other than reactors (December 20, 1991)
III-2-a   General provisions applicable to the production, surveillance, processing, packaging and storage of various types of waste resulting from pressurized water reactor fuel reprocessing (September 24, 1982)
III-2-b   Special provisions applicable to the production, surveillance, processing, packaging and storage of high activity vitrified waste resulting from pressurized water reactor fuel reprocessing (November 12, 1982)
III-2-c   Special provisions applicable to the production, surveillance, processing, packaging and storage of low or medium activity bitumen-solidified waste resulting from pressurized water reactor fuel reprocessing (Aprils, 1984)
III-2-d   Special provisions applicable to the production, surveillance, processing, packaging and storage of cement-solidified waste resulting from pressurized water reactor fuel reprocessing (February 1, 1985)
III-2-e   Prerequisites for acceptance of batches of encapsulated solid radioactive waste for surface storage (May 29, 1995)
III-2-f   Definition of design and construction objectives for the disposal of radioactive waste in deep geological formations, with a view to ensuring safety beyond the operating period of the repository (June 10, 1991)
Rule SIN No. C-12308/86 (R.R.1): Purification device equipping research reactor ventilation systems (August 4, 1986)
Rule SIN No. A-4212/83: Meteorological instrumentation (August 12, 1983)
Rule SIN No. C-12670/91 (R.R.2): Fire protection in nuclear research reactors (July 1, 1991)
Appendix B. Regulatory texts related to quality

B.1. Order of August 10, 1984 relative to the quality of the design, construction and operation of basic nuclear facilities

The Minister for Industrial Redeployment and Foreign Trade,
Considering Decree 63-1228 of December 11, 1963 relative to nuclear facilities, as amended by Decree 73-405 of March 27, 1973, especially article 10A thereof;
Considering amended Decree 73-278 of March 13, 1973 relative in particular to the establishment of a Central Service for the Safety of Nuclear Installations (Service Central de Sûreté des Installations Nucléaires - SCSIN);
Considering the opinion expressed by the Interministerial Commission for Basic Nuclear Installations (Commission Interministérielle des Installations Nucléaires de Base) at its meeting on July 2, 1984;
On recommendation of the General Director of Industry,
Orders:
CHAPTER 1 General provisions

Article 1
The owner (operating organization) of a basic nuclear facility shall see to it that a quality consistent with the importance of its functions for safety, in the sense of the aforesaid decree of March 13, 1973, is defined, achieved and maintained for the following items:
• structures and equipment
• assemblies thereof
• operating conditions of the facility.
To this end, the owner shall see that a system is implemented to define, achieve and maintain the quality of these items, to control its achievement and maintenance and to analyze and correct any deviations. Such a system involves a controlled set of planned and systematic actions based on written procedures and entailing the preparation of filed documents.
It shall provide the objective evidence that the required quality is achieved and maintained for the involved items. It shall be implemented from the beginning of the design phase throughout the life of the basic nuclear facility.

Article 2
2.1. Taking into account the specificity of this basic nuclear facility, the owner shall identify the activities performed by himself or by suppliers which affect the quality of the safety-relevant items mentioned in article 1. Such activities are called "quality-relevant activities" in this Order.
2.2. The provisions of Articles 6 to 10.1, 11.2, 12, 13.1, 13.3, 14 and 15.1 of this Order apply to the quality-relevant activities. The steps to apply such provisions are determined and taken by the owner or his suppliers.

Article 3
For purposes of this Order, any person covered by Article 1 of the above-mentioned decree of December 11, 1963 or any natural person or legal entity filing an application for authorization to construct a basic nuclear facility is an "owner". For purposes of this Order, the holder of a contract with the owner or another supplier is a "supplier" when such a contract provides for the supply of goods or services constituting one or more quality-relevant activities.

CHAPTER 2 Owner's overall responsibility

Article 4
Being responsible for the safety of the facility, the owner shall be thereby responsible for enforcement of this Order's provisions relative to quality-relevant activities. In regard to quality-relevant activities of suppliers, the owner shall see to it that the contracts include notice to such suppliers of the provisions for enforcement of this Order. The owner shall supervise all the suppliers or shall have them supervised in order to make sure that they apply the provisions so notified. In particular, he shall see that the items or services supplied are subject to control to ensure conformity with the procurement documents.
Article 5
The owner shall prepare and shall keep up to date a file summarizing the measures and means planned for complying with this Order, including in particular the principles for the surveillance of suppliers. He shall transmit this file and its subsequent revisions to the SCSIN, except for the temporary provisions of article 17 below. In the case of a basic nuclear facility to be constructed, this file shall be transmitted when applying for the authorization for construction.
The owner shall keep all data evidencing enforcement of this Order, or shall have them kept, available to the Head of the SCSIN and his basic nuclear facility inspectors. The owner shall be able to report to the Head of the SCSIN on the compliance with this Order and particularly on the identification of the quality-relevant activities. He shall supply the Head of that Service, on request, with all data and evidence on those scores. Depending thereon, the Minister in charge of industry may require the owner to take all measures deemed necessary for compliance with this Order.

CHAPTER 3 General principles

Article 6
The requirements necessary to achieve and maintain the quality mentioned in Article 1 shall be defined for each quality-relevant activity taking into account its importance for safety. Such requirements are called "definite requirements" in this Order.

Article 7
The human and technical resources and the organization implemented for a quality-relevant activity shall be tailored to this activity and enable the definite requirements to be met. In particular, only individuals having the required proficiency may be assigned to a quality-relevant activity; such individual proficiency is determined inter alia on the basis of their training and experience. The quality-relevant activities for which individuals shall be qualified or cleared in advance, or for which technical resources shall be qualified, shall be identified, with account taken of their nature and their importance for safety. The organizational structure shall enable the responsibilities and duties of the individuals or organizations concerned, and the relations between them, to be identified for each quality-relevant activity.

Article 8
An organizational structure is defined and implemented for an appropriate technical control of each quality-relevant activity. It shall enable a determination to be made that:
• each quality-relevant activity has been executed according to the definite requirements,
• the result meets the definite quality,
• appropriate corrective and preventive action relative to any anomalies and incidents mentioned in Article 12 below has been defined and implemented.
The individuals responsible for technical control of a quality-relevant activity shall be different from the individuals who have executed it.
Article 9
An organization in charge of verifying the satisfactory compliance with Articles 6, 7 and 8 of this Order shall be defined and implemented. The individuals and organizations performing verification functions shall:
• have adequate technical qualifications,
• be independent of the individuals performing the quality-relevant activity,
• report directly to an individual having authority in regard to the achievement of the quality-relevant activity.
They shall evaluate periodically the effectiveness and adequacy of the measures taken to comply with this Order, inter alia by means of appropriate audits and, insofar as need be, programmed spot checks; such an evaluation covers the organization established and the technical aspect of the quality-relevant activity. This organization shall see to it that steps are taken to evaluate abnormal situations and to implement the necessary corrective actions.

CHAPTER 4 Documenting quality-relevant activities

Article 10
10.1. For each quality-relevant activity the following documents are prepared and appropriately updated and used:
a) Before initiation of this activity, a description of the general measures taken to comply with this Order. This document may cover several quality-relevant activities;
b) A preliminary description of the definite requirements, conditions of performance and control, and conditions of handling any possible anomalies or incidents;
c) A record of the progress of this activity providing, with sufficient detail, information as to, and for evaluation of, its performance, control and results;
d) An action plan of verification including the audits provided for in Article 9;
e) Documents providing evidence that planned verification actions have been carried out and showing the results thereof, and reporting on the periodic audits;
f) Documents providing evidence of the surveillance program under Article 4 in regard to each supplier and containing any comments.
10.2. The owner shall prepare a synthesis document which is an overall evaluation of the quality achieved before the facility commissioning. Thereafter, he shall evaluate periodically the achievement and maintenance of the quality of the items important for safety mentioned in Article 1.

Article 11
11.1. The owner shall take, or shall see to the taking of, all requisite measures so that the documents necessary for quality assessment, including those describing the facility itself, are:
• stored for an appropriate duration;
• protected;
• properly preserved;
• readily accessible.
11.2. All the measures taken for storing the documents relative to a quality-relevant activity are described in an updated written document.

CHAPTER 5 Anomalies and incidents

Article 12
Any deviation from a definite requirement for the accomplishment or result of a quality-relevant activity, any situation liable to interfere with the definite quality or any situation calling for a corrective action in regard to safety, is called an "anomaly or incident" in this Order. A corrective action of an anomaly or incident is a quality-relevant activity. A list of anomalies and incidents is kept up to date.

Article 13
13.1. Anomalies or incidents which are particularly important for safety shall be identified. Such anomalies or incidents are called "significant anomalies or incidents" in this Order. To this end, for each quality-relevant activity, a procedure shall provide a determination of the anomalies or incidents which are considered as significant, a determination based on established criteria insofar as possible. The procedure shall specify the functions of the individuals in charge of this identification.
13.2. The owner shall report the significant anomalies and incidents to the SCSIN as promptly as possible. He shall take appropriate measures for that purpose with his suppliers. The report describes the measures taken or planned to limit the extension of the anomaly or incident and, if need be, to attenuate the effects thereof. If the facility is in operation, the report specifies the measures taken or planned for continuation or resumption of operations under satisfactory safety conditions.
13.3. In-depth analysis is made of significant anomalies and incidents:
• to determine precisely their causes and their direct or potential effects on safety,
• to draw a useful lesson for the quality-relevant activity involved and, if need be, for other quality-relevant activities.
A file is established and kept up to date for each significant anomaly or incident, containing inter alia the data from such an analysis.
13.4. The owner shall periodically report to the Head of the SCSIN on the status of this file.
CHAPTER 6 Special provisions

Article 14
The result of thought leading up to the elaboration of one or more technical documents required for a quality-relevant activity is called a "study" in this Order. A study is a quality-relevant activity. Without prejudice to compliance with the other provisions of this Order, studies are subject to the following provisions:
14.1. For a study, the document mentioned in paragraph a) of Article 10.1 shall include appropriate rules for:
• identification and consultation of the individuals and organizations concerned,
• taking the comments made into account,
• preparation of further revisions of the documents relative to this study.
These rules shall also ensure that the organizations or individuals concerned with a study are familiar with the other studies or documents, such as design bases, codes, standards and regulatory provisions, which are helpful for this study.
14.2. Subject to justified exceptions, each study shall be subjected to control as required by Article 8. The nature of such control depends on the importance of the study for safety; such control is performed by means of reviews conducted by individuals who did not directly participate in the study.
14.3. Subject to justified exceptions, the individuals and organizations in charge of the verifications required by Article 9 shall be informed of the progress of the studies, and the relevant documents are kept at their disposal.
14.4. Critical examinations relative to the design of the whole facility or of major subassemblies are made in order to verify the consistency of the relevant studies.

Article 15
15.1. The provisions of this Order also apply to those activities initiated before filing of the application for authorization to construct a basic nuclear facility and which, when such application is filed, are identified as quality-relevant activities.
15.2.
With his application for construction authorization, the owner shall transmit to the SCSIN a report on the initiation of such quality-relevant activities and the measures he has taken for compliance with the provisions of this Order.

Article 16
Research and development or training activities carried out in a research or training basic nuclear facility are not subject to the provisions of Article 2.2 and Article 4.15. In any event, the owner shall be able to report to the Head of the SCSIN on the measures taken pursuant to Article 1.
CHAPTER 7 Enforcement

Article 17
Temporarily, every owner and everyone becoming an owner within one year of publication of this Order in the French Official Gazette shall have not more than one year after such publication to submit the file prescribed in Article 5 and to comply with this Order, subject to the following provisions. For construction and operating activities already initiated or to be initiated within one year of such publication, the owner may, within 10 months of such publication date, apply to the Minister for Industrial Redeployment and Foreign Trade (SCSIN) for extension of the one-year period, which application shall include a proposed schedule for, and a description of, the measures to be taken for compliance with this Order. The Minister for Industrial Redeployment and Foreign Trade may allow longer time on terms he may prescribe, provided that the time from said publication may not exceed three years, subject to Article 18.

Article 18
Waivers of this Order are granted by the Minister for Industrial Redeployment and Foreign Trade on terms he may prescribe.

Article 19
The Head of the SCSIN is responsible for enforcing this Order, which shall be published in the French Official Gazette.
Signed in Paris, on the 10th of August, 1984.
B.2. Circular of August 10, 1984 relative to enforcement of the basic nuclear facility design, construction and operating quality regulations

The purpose of this circular is to clarify the prescriptions of an Order dated this day relative to the quality of design, construction and operation of basic nuclear facilities. This regulation defines the scope of measures the owner (operating organization) of any basic nuclear facility shall take in order to achieve and maintain the quality of his facility and of the operating conditions, as necessary to ensure safety. The required quality of an activity is achieved and maintained on the one hand by the efforts of those to whom the activity is assigned and, on the other hand, through appropriate organization and control measures.
Most of the technical provisions of the Order are codifications, in a regulatory form, of nuclear industry practice. Notice thereof had already been given to certain basic nuclear facility owners in the form of "Basic Safety Rules" (BSR) ("Règles Fondamentales de Sûreté" - RFS), which are documents published by the Service Central de Sûreté des Installations Nucléaires (SCSIN) (Central Service for the Safety of Nuclear Installations) to explain French regulatory practice on certain subjects as it appears from the preliminary technical examinations of applications for authorization to construct or commission basic nuclear facilities. Similar regulations have been enforced in other countries, particularly in the United States of America in the "Code of Federal Regulations", title 10, part 50, Appendix B, applying to nuclear and reprocessing plants, and in the Federal Republic of Germany in the form of a "Kerntechnischer Ausschuss" guide, ref. KTA 1401, applying to nuclear power plants.
Moreover, to facilitate dissemination of the practice to be adopted in nuclear plant design, construction and operation, the International Atomic Energy Agency has published Code of Practice 50-C-QA relative to "quality assurance for safety in nuclear power plants", which contributes to enforcement of the Order in the field thereof. Finally, it should be noted that two French Standardization Association quality standards - NFX 50-111 and NFX 50-112 - have been registered.
The technical provisions of the Order were developed by a working group of engineers specialized in basic nuclear facility design, construction and operating quality. They were reviewed by the standing groups of experts responsible for studying the technical aspects of basic nuclear facility safety. Moreover, they were submitted to the Commission Interministerielle des Installations Nucleaires de Base (CIINB) (Interministerial Commission for Basic Nuclear Installations) pursuant to Article 8 of the amended decree of December 11,1963. The scope of the Order should be emphasized: it is designed to ensure quality of all of the items listed in Article 1 consistent with their importance for safety; by no means may it obviate enforcement of the other applicable regulations, including specific ones such as the regulation relative to the main primary system of water-cooled nuclear steam supply systems.
Appendix B - Regulatory texts related to quality
521
As a rule, the quality of any industrial project is necessary to ensure adequate safety thereof. In the case of basic nuclear facilities, the required quality shall be suited to the special nuclear safety needs. The Order requires basic nuclear facility owners to adopt, or have adopted, a system suited to the required quality for accomplishment of all the quality-relevant activities and for the controls and verifications of such activities; the system shall provide assurance that the necessary action has been taken to achieve the required quality and provide useful information to rectify, if need be, an activity or its result.

The quality of a basic nuclear facility involves special problems justifying specific regulations. This specificity shall not lead to a misunderstanding as to the scope of the Order: the authorities, in prescribing a consistent but not necessarily sufficient set of measures relative inter alia to the quality organization to be established, do not intend to supersede the owner or to assume his responsibilities.

The articles of the Order are commented on below, in their proper order, as needed:

Article 1
The quality of an item important to safety is its fitness to fulfil its function satisfactorily from the standpoint of the facility's safety. Achievement of an appropriate quality is obviously essential for a basic nuclear facility. Of course, this requirement is extended to the maintenance of such a quality throughout the facility's life. The importance to safety mentioned in this article is assessed inter alia by means of studies and evaluations of the facility's safety in light of the direct or potential consequences of one or more failures of the items concerned by this article. The facility's safety is evaluated in particular in the course of the regulatory procedures under the amended decree of December 11, 1963. A system, for purposes of this article, is a coordinated set of practices leading to a result.
Article 2
The scope of the Order defined in this article includes all the quality-relevant activities which the owner identifies as his responsibility, subject to possible additional provisions prescribed by the Head of the SCSIN. A methodology may be used to identify them. In the case of a basic nuclear facility which is a complex unit, the owner may assign certain quality-relevant activities to other natural persons or legal entities called suppliers. In such a case obviously, while the owner is responsible for identifying the quality-relevant activities, such activities may be identifiable only after a dialogue and studies with one or more suppliers in the light of their experience and their knowledge of their own activities. In some cases, especially if principal suppliers are involved, such a dialogue may lead the latter to develop a methodology for identifying quality-relevant activities. A quality-relevant activity may itself consist of several quality-relevant activities subject to the Order.
There are cases in which the quality of the result of a partial activity in a quality-relevant activity may form the subject of assurance equivalent to that of the systems mentioned in the Order. The decree need not be fully applied to this type of partial activity, provided that the owner can, at the request of the Head of the SCSIN, provide evidence relative to specification of and compliance with the Article 6 requirements and subject to proper controls of the end quality of the result of this partial activity (for example, acceptance tests on raw materials or certain semi-manufactured products). These provisions relative to such partial activities make it possible to cut the chain of suppliers mentioned in the comments on Article 3. Certain control operations not directly relating to a production or repair quality-relevant activity can themselves be treated as quality-relevant activities. Hereinafter the terms "activity" and "quality-relevant activity" are used with the same meaning.

Article 3
The suppliers to which an owner contracts an activity may in turn subcontract part of such an activity. The subcontractor in turn is a supplier, regardless of his position in the chain of suppliers. The chain of suppliers for an activity may be limited as regards the implementation of the provisions of the Order as a whole, as outlined in the comments on Article 2. The word contract is used in the general sense of a written agreement between the supplier and his customer.

Article 4
The measures that the owner or a supplier notifies to his suppliers are, if necessary, detailed in order to be adapted to the activity in question. The surveillance consists of operations enabling the owner or a supplier to make sure that his suppliers are applying to an activity provisions appropriate to the required quality. Under this article and the definition of supplier given in Article 3, the owner shall supervise the suppliers at all points of the chain of suppliers, or have them supervised.
The Order does not require surveillance by suppliers of their own suppliers, but only control of conformity of their supplies with the contract. Conformity with the contract means conformity with the technical contractual provisions between the owner or a supplier and his supplier. It is however desirable for suppliers to supervise their own suppliers in the way described below in connection with the owner's surveillance of his suppliers. In this case, the owner may rely on the effectiveness of such surveillance for purposes of his own surveillance. This article authorizes an owner to sub-contract his surveillance. The contractor may be a specialist or a supplier responsible for an activity. The owner shall then make sure of the efficiency of the supplier's surveillance.
The surveillance of the suppliers shall start as soon as they are selected. This selection is made on the basis inter alia of an evaluation of ability to supply items or services meeting the requirements of the customer, whether this is an owner himself or another supplier, pursuant to the Order's provisions. Such an evaluation is based on:
• the supplier's technical capability
• the organization set up to achieve and maintain the quality of his services
• plus, if possible:
  a) data relative to the quality obtained in past similar services
  b) product samples.
As a rule, the selected supplier shall be able to carry out an activity in compliance with the provisions of the Order. The owner or a supplier may nonetheless contract all or part of a quality-relevant activity to a supplier unable to comply with the Order; he shall then comply himself with the provisions with which this supplier cannot comply. Aside from application of the provisions relative to partial activities, which enable the chain of suppliers to be cut according to the comment on Article 2, such situations are permissible only in special cases and only if evidence concerning compliance with the Order in such circumstances can be provided on request of the Head of the SCSIN. Surveillance shall extend inter alia to the supplier's compliance with the contract and to the existence of the document mentioned in paragraph a) of Article 10.1 and of a system designed to meet the requirements of Articles 6, 9 of the Order. The Article 10.1 documents are kept available to the persons responsible for such surveillance. In such surveillance, special attention shall be paid to the handling of anomalies and incidents.
The surveillance performed on all suppliers by or on behalf of the owner is based on programmed verifications, at random, which cover both the organization set up and the technical aspect of the activity involved; it includes, insofar as need be, the specification of stages or operations for which the information or presence of his representatives is necessary. In such cases, the owner specifies the responsibilities, duties and authority of these representatives. In such surveillance, the owner makes or contracts for appropriate general investigations and draws all useful conclusions. The term "surveillance" is used in reference to two entirely different actions: on the one hand, surveillance of the owner by the authorities under Article 11 of the amended decree of December 11, 1963, and, on the other hand, surveillance of the suppliers by the owner under this article. The Order uses the term in the latter sense except when it refers to the amended decree of December 11, 1963.

Article 5
The document mentioned in this article applies to the activities to be accomplished. For new basic nuclear facilities, the owner's first document can be included in the preliminary safety report. It summarizes the measures and means planned to comply with the Order during design, construction and first tests. The updated document can be included, as the case may be, either in the provisional safety report, in the definitive safety report, in the supplemental files prescribed by the construction authorization decrees or in the general operating rules. The document then summarizes the measures and means planned pursuant to the Order in the commissioning tests, the maintenance, repair and modification operations and the actual operation. The owner also mentions in the definitive safety report the changes planned to be made during operation in the initially planned measures and means. The owner shall, of course, be able to make the suppliers agree to keep available to the Head of the SCSIN the documents concerned by this article and to make the suppliers report on their compliance with the Order. This article provides that the Head of the SCSIN may request information and evidence of the owner and that the Minister may lay down requirements to him. Such requests and requirements may result inter alia from the surveillance prescribed in Article 11 of the amended decree of December 11, 1963, and from the technical safety reviews which the Head of the SCSIN shall make under the regulations.

Article 6
The importance of the thought given to the determination of the requirements should be emphasized; the choice of requirements based on such thought essentially conditions the achievement and maintenance of the required quality. The requirements must be revised in the light of acquired experience and take account of the measures resulting from examination of anomalies or incidents. The importance of an activity for safety, which conditions the relevant requirements, is assessed as mentioned in the comment on Article 1 on the basis of the direct or potential effects of inappropriate performance of the activity.
The supplier responsible for the activity may specify the requirements mentioned in this article, if necessary by reference to pre-established rules. The definition of such requirements shall then be appropriately supervised. The requirements may concern the organization of the activity.

Article 7
The quality of an activity results inter alia from the work of the people assigned to it, taking into account the technical resources placed at their disposal and the organization of the activity. The quality objectives are thus attained first by those who have been made responsible for a task; the performance of a task begins with a phase of definition and organization. Each activity is performed with appropriate human and technical resources; this may include examination of the work done by individuals performing the task.
Human resources
It is essential that the personnel assigned to a quality-relevant activity should be aware of the importance of their tasks to safety. In case of qualification or clearance of personnel, the conditions of recognition of the qualification or of issuance and renewal of the clearance are adapted to the tasks the personnel are to accomplish. Clearance of an individual for an activity is granted by the owner for the activities he accomplishes himself or by the supplier for the activities concerning him, which clearance attests to a person's qualification for specified tasks and responsibilities. These provisions shall apply without prejudice to those of the current regulations, including the amended order of March 21, 1978 regulating welding in construction and repair of pressure vessels.

Technical resources
The technical resources corresponding to an activity consist of the equipment, processes and documents used and of the conditions under which the activity is accomplished. The technical resources corresponding to quality-relevant activities shall be adapted to such activities and inter alia enable the personnel to do their work within the scope of their skills. If equipment and processes need to be qualified, the owner shall make sure in particular that the qualification means and conditions are specified.

Organization
If an activity or set of activities simultaneously or successively involves several organizations or units of the owner or of one or more suppliers, the specification of the responsibilities and duties of each, of the boundaries of their actions and of the coordination between these organizations shall be part of the requirements.
Article 8
The technical control consists of operations carried out according to a systematic method, in order to ensure that each activity has been performed according to the definite requirements, that the quality of the result has been achieved and, if necessary, that corrective and preventive measures have been defined and implemented in case of anomalies or incidents. The nature and methods of these controls and, if need be, the associated rates and criteria shall be defined. The controls may be made by individuals from the organization responsible for the activity, but not by those who accomplished it. However, it is important that they should be made by qualified personnel familiar with quality problems, using appropriate technical measures. If abnormalities are found, the control report is sent to people having sufficient authority to have such an activity, or any other activity liable to be affected by the abnormality, rectified or suspended at any time.
Article 9
The verifications consist of actions performed to ensure that the system established to achieve and maintain the quality of an activity according to Articles 6, 7 and 8 is effectively and permanently implemented and to assess the effectiveness and adequacy of this system. The individuals in charge of these verifications shall be clearly identified; their responsibilities and duties shall be clearly defined; proper technical and human resources shall be made available to them. An audit, as contemplated by the Order, is an operation making it possible to check the adequacy and the effectiveness of the measures taken pursuant to the Order, inter alia by evaluation of the documents relative to the quality-relevant activities. Such audits must be performed by individuals having no direct responsibility for the tasks to be audited. The audit reports shall be sent through direct hierarchical channels within the organization prescribed by this article to the person specified in the same article. The number and scope of these audits depend on the importance of the audited activity for safety; the audit scheduling shall be consistent with the actual time schedule of these activities.
The organizational structure set up shall enable the individuals or organizations responsible for controls or verifications under Article 8 or 9 to act under conditions respecting their independence of action and judgment when they perform their task. For a given activity, the actions taken under Articles 6 to 9 are generally carried out by individuals belonging to the same organization. In special cases, some of these actions may be performed by individuals outside the organization, particularly when a supplier cannot perform an activity according to the Order (see comment on Article 4).

Article 10
10.1. For all quality-relevant activities, objective evidence shall be provided that the required quality has been appropriately specified, that these activities have been accomplished satisfactorily and that a quality consistent with the required quality has been achieved. The documents mentioned in this article on the one hand constitute a record of the reflections which shall precede every activity and, on the other hand, provide assurance that the activities have been accomplished satisfactorily. To enable the documents to be used properly, their distribution conditions shall be carefully defined in each case and form part of the requirements.
The document mentioned in paragraph a) shall specify the structure of the organization and clearly delineate the responsibilities and duties of the individuals and organizations involved in one or more quality-relevant activities.
If the owner uses a supplier or if a supplier subcontracts to another supplier, the documents prepared by the former shall provide measures to ensure that:
• the regulatory provisions, including especially those of the Order,
• the design bases and the standards,
• the definite requirements for achievement of the required quality,
• the measures providing access to the facilities and files of the production units for purposes of the actions mentioned in Article 4,
are taken up or referenced in the appropriate documents relative to the services and that these measures are implemented by the supplier.

The adequacy of the document required in paragraph a) to perform the activity shall be evaluated and the document updated periodically. If an activity itself consists of a set of activities, a document shall specify the coordination of these activities and, if need be, of the control and verification procedures and actions. All of the measures established pursuant to Article 7 relative to human and technical resources necessary to perform an activity and to the qualifications and clearances concerning them are described in principle and actual functioning in the documents prescribed by this article. In the preliminary descriptions mentioned in paragraph b), account shall be taken inter alia of the stages of an activity which essentially condition its result. The report documents mentioned in paragraphs c) and e) are prepared as the corresponding actions progress by the persons who actually accomplished them. In case of an activity relative to equipment, these documents, usually grouped, and the preliminary descriptions mentioned under paragraph b), enable, if need be, further identification of activities which may have been affected by generic anomalies. They may provide aid in repeating the activity (manufacture of spare equipment for instance).
Documents containing trade secrets may not be subjected to the access measures provided for above and to the storage measures recommended in the comments on Article 11, provided that special measures are agreed on by all the parties involved.

10.2. The recapitulative document mentioned in this article shall refer to the main anomalies or significant incidents which have occurred prior to commissioning of the facility and to the corrective actions taken. It describes the special measures to be taken in operation in the light of the assessment of the quality actually achieved.

Article 11
The documents mentioned in this article include the descriptive files and the plans, the test and operating reports, the documents relative to the controls such as reports, and X-rays, magnetic or graphic recordings, original micrographs and macrographs. The retention time shall be appropriate to the potential use of the documents mentioned in Article 10 of the Order. For instance, the documents mentioned in paragraphs b) and c) of Article 10.1, in view of their direct connection with the activity, shall be kept at least, and without prejudice to any other regulations, as long as the document might have to be consulted, for example to maintain the facility or to repair or replace deficient parts under good conditions. The other documents, such as revisions of the document mentioned in paragraph a) of Article 10.1, periodic audit reports, schedules of verifications and audits, may be kept for a shorter time - say five years - depending on the importance of the activities to safety. To ensure proper preservation of the documents involved, it is advisable to have them stored by the owner himself. If an activity is accomplished by a foreign supplier, such documents should be kept in France to remain easily accessible. If the nature of a basic nuclear facility changes, certain documents may have to be included in the records of the new basic nuclear facility. These provisions shall be applied without prejudice to those provided for, in particular, by the amended Order of February 26, 1974 extending the pressure vessel regulations to nuclear steam supply systems and the amended Order of March 21, 1978 regulating welding in pressure vessel manufacture and maintenance. The protection prescribed by this article includes appropriate protection against fire, theft and floods. Appropriate storage conditions include protection against ageing due to temperature, humidity and light.

Article 12
Each deviation mentioned in this article may be an anomaly or an incident, the distinction between the two concepts being defined by each owner or supplier. It did not seem necessary to draw a distinction between the two concepts for the purposes of the Order, as Articles 12 and 13 apply to both. Appropriate measures shall be taken to note and demonstrate the existence of anomalies or incidents, to take all the necessary steps for safety and thus to prevent the use or installation of the items concerned or inadvertent continuation of the activity concerned.
It is important that all the useful inferences should be drawn from such anomalies or incidents so as to improve, if need be, the quality of the activities concerned. If anomalies or incidents are so noted and demonstrated, the items or actions involved shall be examined in order to determine and implement the preventive and corrective actions mentioned in Article 8. The individuals responsible for the examination and those authorized to deal with the anomalies or incidents shall be specified. All general measures established pursuant to Articles 12 and 13 are described in the document mentioned in paragraph a) of Article 10.1 and the actual implementation thereof is mentioned in the other documents provided for in Article 10.1.

Article 13
Some of the anomalies or incidents mentioned in Article 12 require special attention in view of their importance to safety. Examination of such anomalies or incidents is an essential factor in the assessment of the safety of the basic nuclear facilities involved. The file relative to each significant anomaly or incident containing the results of such an analysis consists inter alia of:
• the detailed description of the anomaly or incident,
• the analysis of the cause of the anomaly or incident and the investigation of lessons that can be drawn therefrom in regard to the activity and, as the case may be, to other activities,
• the evaluation of the possible harmfulness of the anomaly or incident,
• the description and justification of any measures which may be necessary: additional control, repair or modification of operating conditions,
• the description and justification of the additional inspection resources that may be necessary in operation of the facility,
• the examination, in connection with the considered anomaly or incident, of the adequacy and implementation of the general measures taken pursuant to the Order and the lessons drawn; insofar as need be, reconsideration of the qualification of the technical and human resources involved.
This file is prepared on a schedule consistent on the one hand with the program for construction or operation of the facilities and, on the other hand, with the importance to safety of the anomaly or incident. The first report on the file status shall be made to the SCSIN about one month after the report of the anomaly or incident, due cause for delay excepted. This report shall also list the available documents and the places where the surveillance provided for in Article 11 of the amended decree of December 11, 1963 can be performed in order to ensure that the aforesaid documents have been properly prepared, that they are valid and that the corresponding actions progress satisfactorily.
The report to the Head of the SCSIN is without prejudice to the other information supplied by the owner to the locally relevant Commissioner of the Republic, inter alia in connection with incidents or accidents, pursuant to the Prime Minister's directives.

Article 14
It seemed advisable to adopt special provisions in regard to the studies which essentially condition other subsequent activities; only persons capable of making all or part of a study may supervise it. The studies mentioned in this article lead to technical documents which may themselves be documents leading to other studies or execution documents. The studies cover activities performed in all phases of a basic nuclear facility lifetime. The Article 14.1 rules, pursuant to Article 7, shall ensure a correct identification of the persons who participate in each study. If related studies are carried out by different persons or organizations, appropriate rules provide for the coherence of the jurisdiction boundaries of each of these persons or organizations pursuant to the comments on Article 7.
The control measures provided for in Article 14.2 include critical examinations relative inter alia to the validity of the basic documents used, the conformity with the definite requirements and the adequacy of the study. To confirm the results of the calculations, a different or simplified method can be used. The control measures may also be based on timely appropriate tests. Partial implementation of these measures is possible only in the following cases:
• Other experience (operating experience of basic nuclear facilities, "standard practice") has enabled the processes or codes used to be validated; in such event, it shall be systematically determined that the assumptions are correct and fall within the scope of such processes or codes.
• Insofar as it is possible to make properly any necessary changes, the facility commissioning tests may be sufficient to confirm the achieved results; the number of cases in this category shall remain sufficiently limited so that possible changes necessary at an advanced stage of construction remain limited.
• The studies for which there are no technical control means independent of those used, and a list of which is included as such with all necessary support in the safety report.
In these three cases, the procedures for the follow-up of the studies provide evidence, with all necessary support, of the extent of the areas in which the special control measures are not implemented. Finally, studies aiming only at improving assessment of the available tolerances with respect to situations not allowed for in the design are subject to adapted procedures; in such event, the use of simplified confirmation calculations is no longer required, but they shall be used insofar as possible.

Article 15
For certain activities initiated before filing of the basic nuclear facility construction permit application, and in particular for preliminary plan activities, the Order's provisions may be adapted or not applied entirely insofar as no action difficult to reverse under the decisions made for the safety of the future facility can result therefrom.

Article 16 (mentioned as a reminder).
Article 17
This article takes into account the diversity of basic nuclear facilities (power reactors, research reactors, fuel enrichment, manufacturing and reprocessing plants, waste storage centers, accelerators, irradiators, laboratories, etc.), the diversity of the phases in which they now stand and the time necessary for the establishment, if need be, of new measures. The Order is obviously not applicable to activities completed on the date of publication of the Order in the Official Journal. It applies however, as provided in this article, to future and continuing activities.

Article 18
Requests for waiver of the Order will be handled by the Head of the SCSIN, who will consult, insofar as need be, the competent experts or groups of experts, in particular the standing groups responsible for studying the technical aspects of the safety of nuclear facilities.
Article 19
Like the other provisions of the regulation covering basic nuclear facilities, the Order applies in the strict sense only to the basic nuclear facilities operated or to be operated in France. However, a supplier may happen to perform, or make others perform, in France, a significant part of the activities devoted to design or construction of a nuclear facility located or to be located abroad. If the involved supplier so requests, measures will be taken to enable provisions of the Order enforceable in France to be applied under the same conditions as if the nuclear facility were to be installed in France, considering the supplier as an owner, as defined in the Order, during the design and construction period. The Head of the SCSIN shall then be instructed to enforce the Order.
Appendix C, French nuclear power plants
The French nuclear power program comprises several types of plants, the majority and most recent of which are PWRs (Fig. C.1.). The oldest plants have been decommissioned.
C.1. Graphite-moderated, Gas-Cooled Reactors (GCR)

With their graphite moderator and magnesium clads, these reactors can be fuelled with natural uranium in metal form. Refueling takes place during reactor operation. However, higher rated power levels require considerable increases in plant size. This was one of the reasons for the decision to abandon this reactor type at the end of the 1960s.

Table C.1. The GCR type reactors in France.

Name            Rated power (MWe)   Criticality   Decommissioned
Chinon-A1       80                  1962          1973
Chinon-A2       230                 1965          1985
Chinon-A3       500                 1966          1990
St Laurent-A1   500                 1969          1990
St Laurent-A2   420                 1971          1992
Bugey-1         540                 1972          1994
Fig. C.1. French nuclear power plant sites. [Map; legend: natural uranium-gas-graphite reactor; 300 MWe open circuit PWR reactor; 900 MWe open circuit PWR reactor; 900 MWe closed circuit PWR reactor; 1300 MWe or 1400 MWe open circuit PWR reactor; 1300 MWe or 1400 MWe closed circuit PWR reactor; fast breeder reactor; heavy water reactor; decommissioned unit.]
C.2. Heavy Water Reactor (HWR)

France investigated the feasibility of power reactors moderated by heavy water and cooled by carbon dioxide circulating in pressure tubes. Owing to failure to find a suitable low-absorption clad solution compatible with the use of natural uranium, only one reactor of this type was built. This was the 75 MWe Monts d'Arrée plant, also called EL4, which started operating in 1967 and was decommissioned in 1985.
C.3. Fast Breeder Reactors (FBR)

In a context where fast growth of the world uranium demand was anticipated, France developed, first alone and then jointly with Germany and Italy, the elements of a fast breeder reactor line. The 250 MWe FBR Phénix went critical in 1973. The 1200 MWe FBR Superphénix went critical in 1985, but its operation was hampered by several damaging incidents. Use of this reactor as a plutonium incinerator is currently being considered. This would imply a total alteration of its purpose.
C.4. Pressurized Water Reactor (PWR)
The first PWR unit, Chooz A, 320 MWe, was built in cooperation with Westinghouse. It started operating in 1967 and was decommissioned in 1991. Its design is representative of the know-how available in 1960. Operating experience on this plant is not directly applicable to the following PWR units, the first of which were ordered ten years later.
Standardized series of plants
The 900 MWe units are twinned and share certain auxiliary systems. The reactors are housed in prestressed concrete containment buildings with metal liners, which also house the main primary system: the reactor vessel, the three reactor coolant pumps and the three steam generators with their interconnecting pipes. The electricity generating turbogenerator set may be tangential to the reactor building (CP0 and CP1) or perpendicular to it. The 1300 and 1400 MWe units are individualized. There are four primary loops and the containment building is of the double-walled type, without a metal liner. The annulus depressurization system, which also filters iodine prior to release to the environment, is considered an engineered safety feature. The turbogenerator layout is radial. The first criticality dates for these reactors are listed below (Fig. C.2.).
First group (CP0) - 900 MWe
Fessenheim-1    March 1977
Fessenheim-2    June 1977
Bugey-2         April 1978
Bugey-3         August 1978
Bugey-4         February 1979
Bugey-5         July 1979
First multiannual contract (CP1) - 900 MWe
Tricastin-1     February 1980
Tricastin-2     July 1980
Tricastin-3     November 1980
Tricastin-4     May 1981
Gravelines-1    February 1980
Gravelines-2    August 1980
Gravelines-3    November 1980
Gravelines-4    May 1981
Gravelines-5    August 1984
Gravelines-6    July 1985
Dampierre-1     March 1980
Dampierre-2     December 1980
Dampierre-3     January 1981
Dampierre-4     August 1981
Le Blayais-1    May 1981
Le Blayais-2    June 1982
Le Blayais-3    July 1983
Le Blayais-4    May 1983
Second multiannual contract (CP2) - 900 MWe
St Laurent-B1   January 1981
St Laurent-B2   May 1981
Chinon-B1       October 1982
Chinon-B2       November 1983
Chinon-B3       September 1986
Chinon-B4       October 1987
Cruas-1         April 1983
Cruas-2         August 1984
Cruas-3         April 1984
Cruas-4         October 1984
P4 type 1300 MWe units
Paluel-1        May 1984
Paluel-2        August 1984
Paluel-3        August 1985
Paluel-4        March 1986
Flamanville-1   September 1985
Flamanville-2   June 1986
Saint Alban-1   August 1985
Saint Alban-2   June 1986
P'4 type 1300 MWe units
Cattenom-1      October 1986
Cattenom-2      August 1987
Cattenom-3      February 1990
Cattenom-4      May 1991
Belleville-1    September 1987
Belleville-2    May 1988
Nogent-1        September 1987
Nogent-2        October 1988
Penly-1         April 1990
Penly-2         January 1992
Golfech-1       April 1990
Golfech-2       November 1992
N4 type 1400 MWe units
Chooz-B1        scheduled in 1996
Chooz-B2        scheduled in 1996
Civaux-1        scheduled in 1997
Civaux-2        scheduled in 1998
Fig. C.2. Number of units coming on stream each year.
Appendix D. Basic nuclear installations
Appendix C gives the layout and certain characteristics of the French nuclear power reactors. Appendix D lists the main basic nuclear installations other than power reactors, grouped by type of activity. The reference numbers correspond to those used on the siting maps in Chapter 30.
D.1. Experimental reactors in service

N.    Site         Name                 Operator   Declared/authorized in
018   Saclay       Ulysse               CEA        1964
020   Grenoble     Siloe                CEA        1964
021   Grenoble     Siloette             CEA        1964
024   Cadarache    Cabri-Scarabee       CEA        1964
039   Cadarache    Masurca              CEA        1966
040   Saclay       Isis-Osiris          CEA        1965
041   Cadarache    Harmonie             CEA        1965
042   Cadarache    Eole                 CEA        1965
044   Strasbourg   University reactor   IN2P3      1965
067   Grenoble     High flux reactor    ILL        1969
092   Cadarache    Phebus               CEA        1977
095   Cadarache    Minerve              CEA        1977
101   Saclay       Orphee               CEA        1978
D.2. Fuel cycle basic nuclear installations

N.    Site          Name                                  Operator    Type                                 Declared/authorized in
038   La Hague      STE                                   Cogema      Solid waste treatment                1964
063   Romans        Fuel fabrication plant                FBFC        Fuel fabrication                     1967
065   Veurey-V.     Fuel fabrication plant                SICN        Fuel fabrication                     1967
066   La Hague      Radwaste storage plant                ANDRA       Solid waste storage                  1969
080   La Hague      HAO                                   Cogema      Fuel reprocessing                    1974
090   Veurey-V.     Pellet fabrication shop               SICN        Fuel fabrication                     1977
093   Pierrelatte   U isotopic separation plant           Eurodif     Enrichment                           1977
098   Romans        Fuel production unit                  FBFC        Fuel fabrication                     1978
105   Tricastin     U-hexafluoride preparation plant      Comurhex    Transformation
116   La Hague      UP3-A                                 Cogema      Fuel reprocessing                    1981
117   La Hague      UP2-800                               Cogema      Fuel reprocessing                    1981
118   La Hague      STE 3                                 Cogema      Solid waste treatment                1981
131   Pierrelatte   Fuel fabrication plant                FBFC        Fuel fabrication                     1982
134   Miramas       Uranium storage                       Cogema      New fuel storage                     1983
138   Tricastin     IARU                                  SOCATRI     Uranium purification and recovery    1984
149   Soulaines     CSA                                   ANDRA       Solid waste storage                  1989
150   Tricastin     AC 25                                 Comurhex    Transformation                       1989
151   Marcoule      Melox                                 Cogema      Fuel fabrication                     1990
155   Pierrelatte   TU 5                                  Cogema      Transformation                       1992
D.3. Other CEA basic nuclear installations

N.    Site        Name                               Type                                  Declared/authorized in
022   Cadarache   Pegase                             Spent fuel storage                    1980
029   Saclay      ORIS                               Artificial radionuclide fabrication   1964
032   Cadarache   ATPU                               Fuel fabrication                      1964
034   Fontenay    STE                                Waste treatment                       1964
035   Saclay      STE                                Waste treatment                       1964
036   Grenoble    STE                                Waste treatment                       1964
037   Cadarache   STE                                Waste treatment                       1964
049   Saclay      LHA                                Hot laboratories                      1968
050   Saclay      LECI                               Hot laboratories                      1968
052   Cadarache   ATUe                               Transformation                        1968
053   Cadarache   MagU-PU                            Storage                               1968
054   Cadarache   Chemical purification laboratory   Transformation                        1968
055   Cadarache   LECA                               Hot laboratories                      1968
056   Cadarache   Waste storage unit                 Storage                               1968
057   Fontenay    Pu chemistry laboratory            Hot laboratories                      1968
061   Grenoble    LAMA                               Hot laboratories                      1968
072   Saclay      Waste management                   Storage                               1971
073   Fontenay    Waste management                   Storage                               1971
077   Saclay      Poseidon-Capri                     Irradiator                            1972
121   Cadarache   IRCA                               Irradiator                            1972
123   Cadarache   LEFCA                              Hot laboratories                      1981
148   Marcoule    Atalante                           Hot laboratories                      1989
156   Cadarache   CHICADE                            Solid waste characterization          1993
D.4. Other nuclear installations

N.    Site               Name                               Operator       Type                  Declared/authorized in
068   Dagneux            Irradiator                         Conservatome   Ionization plant      1971
074   St Laurent         Irradiated graphite storage unit   EDF            Storage               1971
094   Chinon             AMI                                EDF            Nuclear maintenance   1985
099   Chinon             Interregional warehouse            EDF            Fresh fuel            1978
102   Bugey              Interregional warehouse            EDF            Fresh fuel            1978
141   Creys-Malville     APEC                               EDF            Fuel storage          1985
143   Maubeuge           Maintenance shop                   Somanu         Nuclear maintenance   1985
145   Beaugency          Irradiator                         Conservatome   Ionization plant      1986
146   Pouzauges          Amphytrion                         Amphytrion     Ionization plant      1989
147   Marseille          Gammaster                          Gammaster      Ionization plant      1989
152   Isigny             SNCS                               SNCS           Ionization plant      1990
154   Sable sur Sarthe   IONIQUEST                          Conservatome   Ionization plant      1992
157   Tricastin          BCOT                               EDF            Nuclear maintenance   1993
D.5. Particle accelerators considered as basic nuclear installations

N.    Site     Name                                     Declared/authorized in
43    Saclay   Linear accelerator                       1965
48    Saclay   Synchrotron Saturne                      1967
106   Orsay    Orsay linear accelerator                 1979
113   Caen     GANIL (National heavy ion accelerator)   1981
Printed by EUROPE MEDIA DUPLICATION S.A., F-53110 Lassay-les-Châteaux. No. 4692. Legal deposit: October 1996.