HOW TO REINFORCE THE “DEFENCE-IN-DEPTH” IN NPP BY TAKING INTO ACCOUNT NATURAL HAZARDS?
5. A CONSOLIDATED APPROACH FOR FUTURE REACTORS
Given the feedback on operating experience related to natural hazards, in particular the Fukushima accident, it is essential to re-examine, for future reactors, the way such events are taken into account at the design stage.
FIG. 3. Implementation of a “Hardened Safety Core” to reinforce the Defence-in-Depth regarding natural hazards on existing reactors.
In this perspective, the comparison between probabilities of internal events and probabilities of “design basis hazards” taken into account in the safety case for existing NPPs shows that the risk associated with external hazards may be higher, if not much higher, than the risk associated with internal events: the probability of hazards that go beyond the “design basis hazards” (up to ~10⁻² to 10⁻⁴/y depending on the hazard) and the internal event probabilities considered in the safety case are not consistent (see Figure 4). In any case, there is no formal demonstration that the respective risks are of the same order of magnitude, even for generation III reactors, despite the fact that requirements were expressed in this way (“external hazards must not constitute a large part of the risk associated to nuclear power plant of the next generation” [1], [2]).
As seen in Section 2, it has always been considered that a natural hazard could not induce core damage. After the Fukushima accident, it is of course necessary to reconsider this position and evaluate the probability of core damage due to beyond design natural hazards.
Taking into account the exceeding probability associated with “design basis hazards” on one hand, and the rules used to design and qualify SSCs or protective measures and the resulting safety margins on the other hand, it is not straightforward to conclude on the probability of the resulting plant configurations and then to take a position on the sufficiency of provisions against natural hazards, especially if one refers to the objective fixed in terms of global core damage frequency.
Generally, escalation will be sought for the protection of facilities against natural hazards (see Figure 5):
Natural hazards considered in the design of the facility must not lead to accident sequences, in particular core damage [2] (“Natural hazards reference design” domain);
Beyond design natural hazards should not lead to a cliff-edge effect in terms of releases in the environment (“Natural hazards design extension” domain). This means that if core damage could not be avoided, consequences to the environment should be compatible with on-site interventions and should not necessitate the implementation of off-site countermeasures in large areas.
At the end, the sufficiency of the provisions set up to protect the plant against hazards should be assessed regarding the general plant safety objectives fixed in terms of global core damage frequency for the design and of limitation of consequences for a severe accident situation.
The list of SSCs that need to be protected against natural hazards should include, in addition to SSCs that fulfil the three fundamental safety functions, SSCs needed to monitor the situation in order to: (i) operate the plant in accidental conditions, (ii) diagnose the plant configuration, in particular the state of the containment barriers, and (iii) assess current and potential releases outside the site and consequences for the population.
FIG. 4. Situations considered to design/protect provisions.
FIG. 5. Approach proposed to reinforce the Defence-in-Depth for new reactors regarding natural hazards.
5.1. Natural hazards reference design: prevention of accidents, in particular core damage
Preliminary discussions in France for future reactors led to the proposal of an approach including the following steps:
Prevention of natural events: the only way is to choose a site with low risks of natural hazards;
Definition of the list of hazards to take into account in the design and detailed characterization (maximum accelerations for earthquakes, water levels and durations for flood…);
Limitation of the impact of natural hazards in the installation: important for safety SSCs should be designed or protected against hazards, considering that hazards may affect at the same time several units of a given site; accident long-term management;
due combination of hazards, eventually with internal events, should be examined (in particular for hazards with a lower “intensity” than “design basis hazards”, but which have a higher frequency);
Definition of provisions to take into account the failure of design protective measures: conventional rules on the way to consider the failure of protection measures defined in the preceding step should be determined.
All NPP operating states should be considered. As far as possible, passive protections against natural hazards, i.e. those not requiring human actions or energy supply, should be implemented.
The definition of “design basis hazards” is challenging in a context of limited data and exploratory safety assessment methods. It may be difficult to determine hazards with a very low exceeding probability with a high level of confidence (high percentile). Nevertheless, it is essential to have a safety level well-balanced between internal and external events. The objective defined in terms of global core damage frequency for the plant, including uncertainties, should therefore be taken into account as an input for the definition of the “design basis hazards”.
5.2. Natural hazards design extension: limitation of consequences
The list of hazards and hazard combinations to be considered in the “natural hazards design extension” must be established on the basis of the analysis of potential cliff-edge effects in terms of releases into the environment, when going beyond load cases considered for the design of reference. Hazards considered should correspond to exceeding probabilities significantly lower than probabilities used for reference design, with a high level of confidence.
For this domain, a specific demonstration of the capability of the plant to face hazards without important releases should be required.
In order to limit the risk of common cause failure and to reduce the risk of induced effects on “hazards design extension”, provisions should be as far as possible independent from the other plant equipment.
Moreover, to take into account long-term situations after such a natural hazard, additional provisions should be defined for repairing equipment and for connecting off-site mobile means to extend site autonomy (with predefined on-site hook-up points). In this frame, off-site provisions should be defined to complete on-site ones, considering possible difficulties in accessing the site.
6. CONCLUSIONS
The review of current approaches to deal with natural hazards in the safety case pointed out many issues that need to be better addressed, despite all improvements set in place since the initial design of operating plants, concerning hazards identification and characterization and protective measures.
Further improvements are necessary in order to get more consistency with the “Defence-in-Depth” approach used for internal events and to demonstrate that provisions taken regarding natural hazards are sufficient to fulfil plant general safety objectives.
In France, the definition and the implementation of a post-Fukushima “Hardened Safety Core” for operating NPPs should compensate for some weaknesses in the current approach and improve significantly the robustness of the installations against natural hazards. For future reactors, a new approach based on the definition of two domains for natural hazards, “design basis” and “design extension”, is examined.
The question of developing an equivalent approach for other external hazards, e.g. those induced by human activities and malevolent acts, should be examined as well.
It turns out that safety assessments related to natural hazards raise some challenges and difficulties, especially to characterize events with very low frequencies in a context of limited data, to define combinations of hazards (eventually with internal events) and to consider events that go beyond the design basis. For these issues, international guidance and discussions may be fruitful.
REFERENCES
[1] Technical Guidelines for the Design and Construction of the Next Generation of Nuclear Power Plants with PWRs, GPR/German experts plenary meetings, 19-26 October (2000).
[2] WESTERN EUROPEAN NUCLEAR REGULATORS ASSOCIATION (WENRA), Reactor Harmonization Working Group Report on Safety of New NPP Designs (2013).
APPLICATION OF THE DEFENSE-IN-DEPTH CONCEPT IN THE PROJECTS