Present Day EOPs and SAMG –

Where do we go from here?

George Vayssier, NSC Netherlands george.vayssier@nsc-nl.com

Reviewed: dr. M. El-Shanawany, IAEA

IAEA International Experts Meeting in the Light of the Accident at the Fukushima-Daiichi NPP

19 – 22 March 2012, Vienna, Austria

LWR Example of Role and Place of AOP, EOP, SAMG (W)

Characteristics of LWR EOP

AOP and EOP cover area of (largely) intact

core, are directed to ‘save’ the core:

– Should reach a final stable and safe situation

after LBLOCA, some core damage (ballooning, clad rupture)

may have occurred

– Restart of plant may be possible, after repair of

damage (if any)

– AOPs and EOPs to be followed (mostly) verbatim

From EOP to SAMG

Before TMI-accident, many EOPs were

dependent on recognition of the accident

scenario and focussed on DBA

After TMI, also scenario-independent EOPs were

developed, preserving ‘critical safety functions’

(see next slide), included also BDBA

After Chernobyl, SAMG was initiated, included

full core melt accidents

Typical LWR EOP-actions

Preserve ‘critical safety functions’:

• Sub-criticality

• Preserve vital support functions (Comb. Engineering)

• Core cooling

• Heat sink

• RPV integrity

• Containment integrity (control pressure,

temperature; clean up of containment atmosphere

Characteristics of SAMG

SAMG covers area of damaged core, is NOT

directed to save the core, but to protect fission

product (FP) boundaries

– Plant is lost !! Jobs gone, extensive economic

damage by loss of plant and contamination off-site

– SAMG is guidance, i.e. not followed verbatim, includes

balancing positive and negative consequences

If negative consequences prevail, deviation is allowed, or

guideline even not executed

Typical LWR SAMG actions

• Prevent SG tube creep rupture (PWR only)

• Prevent High Pressure Melt Ejection (HPME) • e.g. prevent Direct Containment Heating (DCH)

• Preserve suppression pool function (BWR only)

• Prevent RPV melt-through • e.g. by cooling the RPV from inside and outside

• Mitigate RPV melt-through (water on the ‘floor’)

• Prevent / mitigate H2 combustion

• Prevent containment overpressure • and also containment sub-atmospheric pressure (long term)

• Mitigate any ongoing releases (may be high priority)

Transition EOP - SAMG

Imminent or actual core damage

– For PWR: failure of most drastic EOP for core cooling; ATWS

Basis: e.g. CET > 650 °C and all EOP-actions failed (approaches differ)

– For BWR: very low level in RPV, ATWS

Change in organisation: TSC responsible for evaluation and

decision making, operators for implementation

– large organisation becomes involved

Many SAMG approaches: exit EOPs, enter SAMG

– what is useful in EOPs is repeated in SAMG

Others keep EOPs open in parallel, with priority for SAMG

Recall: EOPs have been designed for an intact core

Application of SAMG

Use all equipment there is

– Not just safety systems

Heritage from TMI: many systems will still be

available, we just lost insight in what happened

– TMI-operators shut down ECCS – but ECCS (and all

other equipment) was still available

Weak point in this concept: EOPs and SAMG

use largely the same systems!

– Both depend on I&C, power, cooling water; i.e., both

depend on DC, AC and cooling water

Examples of SAMG weaknesses (1 of 2)

Westinghouse Owners Group SAG-1: inject into the SG – (to mitigate the risk of a SG tube creep rupture)

Combustion Engineering Owners Group SAG-1 for BD/CH (badly damaged core, containment integrity challenged): inject into the RCS

But why are we here in a severe accident? Probably because we had no water for long time – can we expect to have water back just after transition into SAMG??? The SAGs will follow in minutes after the transition into SAMG – we still will have no water!!

Examples of SAMG weaknesses (2 of 2)

In SAMG, we use all there is – but systems to mitigate severe accidents are (usually) not classified for safety –

will they operate???

We have lots to mitigate DBA (LBLOCA, SBLOCA, SGTR, rod ejection, other DBA):

– ECCS, RHR, redundancy, separation, safety-related classification (in DS 367: class 1 and 2), ASME III design, seismic class I, etc.

None of this required for systems to mitigate BDBA incl. severe accidents!!

– Recall: prevent SG tube creep rupture, prevent HPME, flood cavity, remove H2, relief containment pressure

– In DS 367: safety class 3

– With exception of some new designs (e.g., EPR, AP1000, ESBWR)

IAEA DS 367 Safety Classification (here mitigatory systems only, draft)

Requirements Mitigatory Safety Functions

Safety Class-1 Safety Class-2 Safety Class-3

Quality Assurance Nuclear Grade Nuclear Grade Commercial Grade or Specific Requirements

Environmental qualification Harsh or Mild

Harsh or Mild

Harsh or Mild

Pressure Retaining Components (example codes)

High Pressure: C2 Low Pressure: C3

C3

C4

Electrical (IEEE)

1E 1E Non 1E

I&C (IEC 61226 Category)

A B C

Seismic

Seismic Category 1 Seismic Category 1 Specific Requirements

Civil Structures (External Events)

Class 1 Class 1 Class 1

Traditional safety regulation (1)

Design Basis Accidents

– Usually type LB LOCA, rod ejection, see RG 1.70

– Strict regulation in terms of release limits (e.g., 10

CFR 100)

– Strict regulation in terms of safety classification,

seismic classification, ASME III & XI, QA

– Some countries: EOPs are limited to these accidents

(Germany)

Traditional safety regulation (2)

Beyond Design Basis Accidents – E.g., ATWS, SBO, Loss of UHS

ATWS: hardware modifications plus procedures

– PWRs: Diverse turbine trip and start of AFW, MTC

– BWRs: ARI, RCP trip, SLC, EOPs

– ATWS < 1.E-5 /ry safety goal USNRC

PHWRS have per design already two shutdown systems

SBO: 10 CFR 50.63, RG 1.155 ( EDG reliability targets)

– No fixed minimum SBO time required…

– Regulation exists, but is limited No requirement for safety classification

No demonstration to stay within predefined release limits

Traditional safety regulation (3)

Severe Accidents (core melt & possible releases)

– Limited regulation

Mitigative systems not classified, no single failure, etc.

– US: so far minor modifications, but SAMG

SAMG was industry initiative, no USNRC oversight

– Europe: extensive modifications, SAMG moderate

SAMG was late, sometimes quite limited

– IAEA SSR 2/1: Design Extension Conditions

Safety classification in DS 367

Mitigatory systems DBA in class 1 & 2, sev. acc. in class 3.

Possible next step: Rethink traditional safety concepts…

Extend DBAs, as accidents beyond DBA do happen – Include them in regulations and regulatory oversight

– How to do: e.g., follow IAEA Design Extension Conditions

– But upgrade criteria, such as safety classification

Design systems to cope with severe accidents – As said, we have lots for LBLOCA, etc., but which systems mitigate

severe accidents?? (some countries have some, e.g. Sweden).

– Examples exist: AP1000, EPR, ESBWR, AES2006 (Russian design) Advanced core catchers in EPR and AES2006

Severe accidents have enormous economic and societal consequences: develop safety criteria

Redesign EOPs and SAMG, and outside support

Regulation: require sound demonstration of effectiveness – No small scale tests with ‘intelligent’ upscaling

SAMG lessons from Fukushima (1 of 4)

Many present SAMG has shortcomings, does not include:

Loss of AC, DC and cooling water, loss of UHS – instruments cannot be read, pumps cannot run, water tanks

unavailable

– extend mission times (SBO 24 hrs.?; cont. integrity > 24 hours)

– consider dedicated auxiliary equipment (e.g. bunkered decay heat removal systems)

– consider portable equipment, stored separately

– make sure communication tools (telephones) remain available

Shutdown states (with few exceptions)

Survival of needed SSC for SAMG – assume you have Passive Autocatalytic Recombiners (PARs), but

they are ripped off from the containment wall by a seismic event

SAMG lessons from Fukushima (2 of 4)

• Damage at all units on a site (so far only damage at one

plant on a site considered, with benefit from the other plants)

• Spent Fuel Pool (SFP) - Additional complication: SFP often outside containment

• Cooling with unborated water / dirty water / seawater - E.g., what will be the consequence of seawater in the core?

• Protection of compartments adjacent to containment against danger of leakages from containment (e.g. H2 !!) - E.g., containment vent line is damaged by seismic, so gases from

containment may be vented to other compartments

SAMG lessons from Fukushima (3 of 4)

• Recent severe accident research insights – present Technical Basis of SAMG for many plants is 20 years old

• Quantitative methods to estimate potential negative consequences of SAMG actions

• Develop tool to estimate major events and their possible consequences

– Time to core overheat, time to RPV meltthrough, time to contain-ment overpressure, timing and magnitude of potential releases

– Used at the site? Maybe better at dedicated institutes

• Organise high-level support from competent institutes

SAMG lessons from Fukushima (4 of 4)

• Extensive damage on- and off-site – Shifts cannot be replaced

– Support material cannot be brought to the site (e.g. diesel fuel)

– Plant staff worries about relatives, friends

• Organise off-site support – Do not count on good will, make contracts

• Prepare for basemat failure – Make preparations to protect groundwater

- E.g., prepare for steel dam around the plant, or pouring additional concrete under the reactor

Conclusions

Severe accidents like Fukushima are wholly

unacceptable for their catastrophic societal and

economical consequences, even if no casualties.

The concept of DBA should be revisited: plants

should have demonstrated capability to mitigate

severe accidents.

SAMG needs extension, upgrading.

Work ahead: for industry, regulators, research.