Present Day EOPs and SAMG Where do we go from here?

George Vayssier, NSC Netherlands

george.vayssier@nsc-nl.com Reviewed: dr. M. El-Shanawany, IAEA IAEA International Experts Meeting in the Light of the Accident at the Fukushima-Daiichi NPP 19 22 March 2012, Vienna, Austria

LWR Example of Role and Place of AOP, EOP, SAMG (W)

Characteristics of LWR EOP

AOP and EOP cover area of (largely) intact core, are directed to save the core:

Should reach a final stable and safe situation

after LBLOCA, some core damage (ballooning, clad rupture) may have occurred

Restart of plant may be possible, after repair of damage (if any) AOPs and EOPs to be followed (mostly) verbatim

From EOP to SAMG

Before TMI-accident, many EOPs were dependent on recognition of the accident scenario and focussed on DBA After TMI, also scenario-independent EOPs were developed, preserving critical safety functions (see next slide), included also BDBA After Chernobyl, SAMG was initiated, included full core melt accidents

Typical LWR EOP-actions

Preserve critical safety functions:

Sub-criticality Preserve vital support functions (Comb. Engineering) Core cooling Heat sink RPV integrity Containment integrity (control pressure,
temperature; clean up of containment atmosphere

Characteristics of SAMG

SAMG covers area of damaged core, is NOT directed to save the core, but to protect fission product (FP) boundaries

Plant is lost !! Jobs gone, extensive economic damage by loss of plant and contamination off-site SAMG is guidance, i.e. not followed verbatim, includes balancing positive and negative consequences

If negative consequences prevail, deviation is allowed, or guideline even not executed

Typical LWR SAMG actions

Prevent SG tube creep rupture (PWR only) Prevent High Pressure Melt Ejection (HPME)
e.g. prevent Direct Containment Heating (DCH)

Preserve suppression pool function (BWR only) Prevent RPV melt-through

e.g. by cooling the RPV from inside and outside

Mitigate RPV melt-through (water on the floor) Prevent / mitigate H2 combustion Prevent containment overpressure
and also containment sub-atmospheric pressure (long term)

Mitigate any ongoing releases (may be high priority)

Transition EOP - SAMG

Imminent or actual core damage

For PWR: failure of most drastic EOP for core cooling; ATWS

Basis: e.g. CET > 650 C and all EOP-actions failed (approaches differ)

For BWR: very low level in RPV, ATWS

Change in organisation: TSC responsible for evaluation and decision making, operators for implementation

large organisation becomes involved

what is useful in EOPs is repeated in SAMG

Many SAMG approaches: exit EOPs, enter SAMG

Others keep EOPs open in parallel, with priority for SAMG

Recall: EOPs have been designed for an intact core

Application of SAMG

Use all equipment there is

Not just safety systems

Heritage from TMI: many systems will still be available, we just lost insight in what happened

TMI-operators shut down ECCS but ECCS (and all other equipment) was still available

Weak point in this concept: EOPs and SAMG use largely the same systems!

Both depend on I&C, power, cooling water; i.e., both depend on DC, AC and cooling water

Examples of SAMG weaknesses (1 of 2)

Westinghouse Owners Group SAG-1: inject into the SG

(to mitigate the risk of a SG tube creep rupture)

Combustion Engineering Owners Group SAG-1 for BD/CH (badly damaged core, containment integrity challenged): inject into the RCS

But why are we here in a severe accident? Probably because we had no water for long time can we expect to have water back just after transition into SAMG??? The SAGs will follow in minutes after the transition into SAMG we still will have no water!!

Examples of SAMG weaknesses (2 of 2)

In SAMG, we use all there is but systems to mitigate severe accidents are (usually) not classified for safety will they operate??? We have lots to mitigate DBA (LBLOCA, SBLOCA, SGTR, rod ejection, other DBA):

ECCS, RHR, redundancy, separation, safety-related classification (in DS 367: class 1 and 2), ASME III design, seismic class I, etc.

None of this required for systems to mitigate BDBA incl. severe accidents!!

Recall: prevent SG tube creep rupture, prevent HPME, flood cavity, remove H2, relief containment pressure In DS 367: safety class 3 With exception of some new designs (e.g., EPR, AP1000, ESBWR)

IAEA DS 367 Safety Classification (here mitigatory systems only, draft)

Requirements Safety Class-1 Quality Assurance Nuclear Grade Mitigatory Safety Functions Safety Class-2 Nuclear Grade Safety Class-3 Commercial Grade or Specific Requirements Harsh or Mild

Environmental qualification

Harsh or Mild

Harsh or Mild

Pressure Retaining Components (example codes)

High Pressure: C2 Low Pressure: C3

C3

C4

Electrical (IEEE)

1E

1E

Non 1E

I&C (IEC 61226 Category)

Seismic

Seismic Category 1

Seismic Category 1

Specific Requirements

Civil Structures (External Events)

Class 1

Class 1

Class 1

Traditional safety regulation (1)

Design Basis Accidents

Usually type LB LOCA, rod ejection, see RG 1.70 Strict regulation in terms of release limits (e.g., 10 CFR 100) Strict regulation in terms of safety classification, seismic classification, ASME III & XI, QA Some countries: EOPs are limited to these accidents (Germany)

Traditional safety regulation (2)

Beyond Design Basis Accidents

E.g., ATWS, SBO, Loss of UHS

ATWS: hardware modifications plus procedures

PWRs: Diverse turbine trip and start of AFW, MTC BWRs: ARI, RCP trip, SLC, EOPs ATWS < 1.E-5 /ry safety goal USNRC

PHWRS have per design already two shutdown systems SBO: 10 CFR 50.63, RG 1.155 ( EDG reliability targets)

No fixed minimum SBO time required

Regulation exists, but is limited

No requirement for safety classification No demonstration to stay within predefined release limits

Traditional safety regulation (3)

Severe Accidents (core melt & possible releases)

Limited regulation

Mitigative systems not classified, no single failure, etc.

US: so far minor modifications, but SAMG

SAMG was industry initiative, no USNRC oversight

SAMG was late, sometimes quite limited Safety classification in DS 367 Mitigatory systems DBA in class 1 & 2, sev. acc. in class 3.

Europe: extensive modifications, SAMG moderate

IAEA SSR 2/1: Design Extension Conditions

Possible next step: Rethink traditional safety concepts

Extend DBAs, as accidents beyond DBA do happen

Include them in regulations and regulatory oversight How to do: e.g., follow IAEA Design Extension Conditions But upgrade criteria, such as safety classification As said, we have lots for LBLOCA, etc., but which systems mitigate severe accidents?? (some countries have some, e.g. Sweden). Examples exist: AP1000, EPR, ESBWR, AES2006 (Russian design)

Design systems to cope with severe accidents

Advanced core catchers in EPR and AES2006

Severe accidents have enormous economic and societal consequences: develop safety criteria Redesign EOPs and SAMG, and outside support Regulation: require sound demonstration of effectiveness

No small scale tests with intelligent upscaling

SAMG lessons from Fukushima (1 of 4)

Many present SAMG has shortcomings, does not include: Loss of AC, DC and cooling water, loss of UHS

instruments cannot be read, pumps cannot run, water tanks unavailable extend mission times (SBO 24 hrs.?; cont. integrity > 24 hours) consider dedicated auxiliary equipment (e.g. bunkered decay heat removal systems) consider portable equipment, stored separately make sure communication tools (telephones) remain available

Shutdown states (with few exceptions) Survival of needed SSC for SAMG

assume you have Passive Autocatalytic Recombiners (PARs), but they are ripped off from the containment wall by a seismic event

SAMG lessons from Fukushima (2 of 4)

Damage at all units on a site (so far only damage at one plant on a site considered, with benefit from the other plants) Spent Fuel Pool (SFP)
- Additional complication: SFP often outside containment

Cooling with unborated water / dirty water / seawater

- E.g., what will be the consequence of seawater in the core?

Protection of compartments adjacent to containment against danger of leakages from containment (e.g. H2 !!)
- E.g., containment vent line is damaged by seismic, so gases from containment may be vented to other compartments

SAMG lessons from Fukushima (3 of 4)

Recent severe accident research insights present Technical Basis of SAMG for many plants is 20 years old Quantitative methods to estimate potential negative consequences of SAMG actions Develop tool to estimate major events and their possible consequences

Time to core overheat, time to RPV meltthrough, time to containment overpressure, timing and magnitude of potential releases Used at the site? Maybe better at dedicated institutes

Organise high-level support from competent institutes

SAMG lessons from Fukushima (4 of 4)

Extensive damage on- and off-site

Shifts cannot be replaced Support material cannot be brought to the site (e.g. diesel fuel) Plant staff worries about relatives, friends

Organise off-site support

Do not count on good will, make contracts

Prepare for basemat failure

Make preparations to protect groundwater - E.g., prepare for steel dam around the plant, or pouring additional concrete under the reactor

Conclusions

Severe accidents like Fukushima are wholly unacceptable for their catastrophic societal and economical consequences, even if no casualties. The concept of DBA should be revisited: plants should have demonstrated capability to mitigate severe accidents. SAMG needs extension, upgrading. Work ahead: for industry, regulators, research.