Version: 1
TABLE OF CONTENTS
FOREWORD
1. THE SITE AND MAIN CHARACTERISTICS OF THE PLANT
1.1 BASIC INFORMATION
1.1.1 Location and surroundings
1.1.2 Number of units
1.1.3 Licence holder
1.1.4 Type and power of reactors
1.1.5 Dates of commissioning
1.1.6 Characteristics of the spent fuel pools
1.1.7 External electrical connections
1.1.8 Differences between the units relevant to safety and the review
1.2 SITE-SPECIFIC EXTERNAL NATURAL HAZARDS
1.2.1 Earthquakes
1.2.2 Flooding
1.2.3 Low level of the River Danube
1.2.4 Extreme weather conditions
1.3 FINDINGS OF EARLIER PROBABILISTIC SAFETY ASSESSMENTS
2. REVIEW RESULTS
2.1 LONG-DURATION TOTAL LOSS OF THE ELECTRICAL POWER SUPPLY
2.2 LOSS OF THE ULTIMATE HEAT SINK
2.3 VULNERABILITY OF THE CONTAINMENT FUNCTION TO EXTERNAL EVENTS THAT EXCEED THOSE IN THE DESIGN BASIS
2.4 SEVERE ACCIDENT SEQUENCES LEADING TO SIGNIFICANT RADIOACTIVE RELEASES
2.5 ACCIDENT MANAGEMENT MITIGATING THE CONSEQUENCES OF UNCONTROLLED KEY EVENTS
2.6 SITE EMERGENCY PROCEDURES FOR MANAGING THE CONSEQUENCES OF UNCONTROLLED KEY EVENTS
3. EXECUTIVE SUMMARY
CBF_EJ_Eng
2011
Page 2 of 31
TABLES
Table 1.1-1: Main process parameters
Table 1.1-2: Status of plant modifications for severe accident management and the schedule for implementation
FIGURES
Fig. 1.1-1: Location of Paks nuclear power plant
Fig. 1.1-2: General view of the site
Fig. 1.1-3: General view of Paks NPP
Fig. 1.1-4: The operational and spare storage racks of the spent fuel pool
Fig. 1.1-5: The 400 kV substation
Fig. 1.1-6: The Hungarian national grid
Fig. 1.1-7: The Ukrainian and Hungarian diesel generators
Fig. 1.2.1-1: The seismic hazard curves
Foreword
A severe reactor accident took place in March 2011 at the Fukushima Dai-ichi nuclear power plant in Japan, caused by an extremely large tsunami that followed the largest earthquake in Japan's written history. The earthquake, of magnitude 9 on the Richter scale, occurred in the seabed about 130 km from the shore, at a depth of 24 km. Ground level acceleration at the plant exceeded the limits set in the plant's design basis¹. As a consequence, the units in operation were shut down. The electrical grid was seriously damaged by the earthquake and the outside electricity supply to the plant ceased. The emergency supply was taken over automatically by the plant's diesel generators, cooling the shut-down reactors and the spent fuel storage pools.

About 50 minutes after the earthquake, a tsunami reached the plant site and the water level significantly exceeded the maximum planned for in the design basis. The surroundings of the site were completely destroyed. Equipment was flooded and the diesel generators became inoperable. The electricity supply to the units was completely lost. Since the heat production of the units was still significant but lacked the necessary cooling, the cooling water boiled away and the fuel assemblies dried out and partially melted down. The hydrogen generated by the overheated fuel assemblies was removed to the reactor halls of Units 1, 2 and 3 in the course of depressurization, and later it exploded there. The reactor buildings of Units 1, 2, 3 and 4 were severely damaged, leading to the release of a significant amount of radioactive material into the environment. Later, the loss of cooling for the spent fuel storage pools led to damage of the fuel assemblies. The contamination resulted in high local radioactive dose rates at the site that made accident management and civil defence activities very difficult.
In order to minimize health effects to the population, the Japanese authorities ordered the evacuation of the region within a distance of 3 km from the plant, later 10 km, before the significant releases into the environment. The evacuated area was increased to a 30 km circle and civilians, even now, have only limited access to this area. Due to the huge, disciplined and self-sacrificing effort of the staff, the situation in the reactor units and storage pools was finally stabilised when the electricity supply was restored and the necessary equipment became available, significantly reducing the danger of further large radioactive releases. However, the reactors of Units 1 to 4 have been lost forever. Decontamination of the site and its surroundings will probably take years or even decades.

The accident had a severe effect on the Japanese economy and eroded trust in the safety of nuclear power plants worldwide, which had gradually been increasing in recent years. European countries initially reacted in various ways to the Fukushima accident, but while the struggle of the Fukushima staff to prevent the accident and mitigate its consequences was still in full swing, a debate had already started on developing a uniform European response.
¹ The design basis is the range of conditions and events taken explicitly into account in the design of a facility so that it is able to withstand them through the planned operation of its safety systems without exceeding authorized limits. The conditions and events in the design basis are chosen in accordance with established criteria. Events of very low probability are excluded from the design basis, but they still have to be considered and analysed.
The national nuclear authorities responsible for decisions related to licensing nuclear power plants (NPPs) agreed unanimously to test the reactors under their auspices in a uniform manner. (This process was given the misleading name "stress test", taken from the banking business, but in this report it is referred to as a targeted safety review.) The uniform European viewpoint is based on an agreement that the nuclear authorities prepare national reports on the basis of reports from each of their NPPs. The national reports should review the status of the plants and determine any necessary measures to be taken. To provide a uniform framework for this evaluation, its content was specified and it was decided there should be a peer review process for the national reports.

The nuclear industry investigates in detail any unexpected event or accident to prevent similar events or decrease their frequency. As a result, the safety level of NPPs has reached a very high level. This is why the severe consequences of the Fukushima accident came as such a surprise. The accident called attention to the following weaknesses:
- failure to update the design basis regarding natural events,
- catastrophic consequences of natural events that exceeded those planned for in the design basis,
- long-term loss of the electricity supply,
- long-term loss of the ultimate heat sink,
- hydrogen explosions during the severe accident in the reactors,
- damage to the spent fuel stored in the storage pool,
- initial problems with the functioning of the emergency response teams.

It is important to ask what would happen in a similar situation at other NPPs. The targeted safety review has therefore to answer the following questions:
- Was the plant's design basis properly specified with respect to potential natural events at the given site?
- How would the plant react to external natural events that exceed those planned for in the design bases?
- Could a long-term loss of the electricity supply occur and what would be its consequences?
- Could a long-term loss of the ultimate heat sink occur and what would be its consequences?
- Is the plant properly prepared to prevent a severe accident of the reactors and storage pools, and to mitigate such an accident should it happen?
- Is the emergency response organisation of the plant properly prepared to manage such events, occurring singly or in combination, and for accidents that could propagate to every reactor and storage pool at the site?

The reference date for the targeted safety review is June 30, 2011, and the report should contain recommendations to address any deficiencies found. In accordance with the agreement, on May 2, 2011 the Hungarian Atomic Energy Authority (HAEA) gave instructions for a targeted safety review of Paks NPP. Paks NPP was required to submit a progress report by August 15, 2011, and the final report must be completed by October 31.
The progress report has been completed (in Hungarian), and its contents are summarised in this document. Taking account of the plant's report, HAEA will evaluate the targeted safety review, its findings and any statements made. If required, HAEA will determine any necessary safety enhancement measures. On the basis of the plant's review, HAEA will prepare the national report to be submitted by the Hungarian government to the European Commission.
Fig. 1.1-1: Location of Paks nuclear power plant
The area within a radius of 3 km directly around the site comprises the operational site itself with a spare area, fishing lakes, forests, and connecting roads. The wider area around the plant, with a radius of 30 km, is mostly agricultural fields with scattered villages and towns. Fig. 1.1-2 shows the general layout of the site.
Fig. 1.1-2: General view of the site (label in figure: Existing units)
1.1.2 Number of units
The site accommodates four reactor units. The individual reactors are installed in twin-unit buildings, each with two reactors. A general view of the plant can be seen in Fig. 1.1-3.
Fig. 1.1-3: General view of Paks NPP
1.1.3 Licence holder
The licence holder is the Paks NPP Joint Stock Company (Paks NPP Ltd), which has been operating in its current legal form since April 14, 2006. The majority owner of the company is the state-owned Hungarian Power Companies Ltd with a total equity of more than 99.99%.
1.1.4 Type and power of reactors
Each of the four units is a VVER-440/V-213 power reactor, cooled and moderated with light water, and each has a thermal output power of 1,485 MW. The individual electrical capacity of each reactor unit is 500 MW, giving a total electrical capacity of approximately 2,000 MW. The nominal power of 500 MW was reached after two major steps of power uprating from the original 440 MW. Table 1.1-1 gives the nominal values of the main process parameters.

Table 1.1-1: Main process parameters

| Parameter | Value |
|---|---|
| Reactor thermal power | 1,485 MW |
| Primary coolant flow rate | 40,800 m³/h |
| Primary circuit pressure | 123 bar |
| Primary cold leg temperature | 267 °C |
| Primary hot leg temperature | 297 °C |
| Shut-down boric acid concentration | 13.5 g/kg |
| Fresh steam pressure | 46 bar |
| Fresh steam mass flow | 1,467 t/h |
| Fresh steam temperature | 260 °C |
1.1.5 Dates of commissioning
The individual units were first connected to the grid between 1982 and 1987 as follows:
- Unit 1: December 28, 1982
- Unit 2: September 6, 1984
- Unit 3: September 28, 1986
- Unit 4: August 16, 1987
1.1.6 Characteristics of the spent fuel pools
To store spent fuel, a spent fuel pool is provided in each unit directly beside the reactor pit. The pool, which is open during refuelling, is connected through a transport passage to the refuelling pool (the area above the open reactor). Outside of fuel manipulation periods, the top of the spent fuel pool is covered and it is isolated from the refuelling pool by a slide gate that blocks the transport passage. This gate forms part of the hermetic confinement boundary during operation.

The spent fuel pool allows storage of fuel assemblies at two different heights. The normal operational storage rack is located at the bottom of the pool with a capacity of 650 fuel assemblies and 56 hermetic casings. For short periods, a spare storage rack is positioned on top of this on the rare occasions when it becomes necessary to unload the reactor vessel completely. At other times the spare rack is stored in the reactor hall. The capacity of the spare rack is 350 fuel assemblies. The operational and spare storage racks are shown in Fig. 1.1-4.
Fig. 1.1-4: The operational and spare storage racks of the spent fuel pool
The cooling system of the spent fuel pool consists of two loops (for built-in redundancy) with a pump and a heat exchanger in each line. During normal operation, one loop is operational and the other is on standby. The two loops can be connected with each other at both the suction and the discharge sides of the pumps. This enhances the reliability of pool cooling as the cooling function can continue during any combination of failures of one pump and one heat exchanger. Recently introduced improvements to preventive accident management measures and emergency operating procedures mean that damage to the fuel stored in the spent fuel store is highly unlikely. If there were an accident in the pool, radioactivity would be released directly to the reactor hall and from there to the environment. As a result, the effects of the release could be significant although the environmental consequences would be less severe than for a reactor accident, due to the elapsed repose period of the fuel. At the time of this report, the damaged fuel assemblies from the April 2003 fuel accident are in temporary storage in hermetic casings in the Unit 2 spent fuel pool.
1.1.7 External electrical connections
The electrical power generated by the plant is connected to the national power grid at 400 kV and 120 kV voltage levels. The two main transformers belonging to one unit are connected to the 400 kV substation (Fig. 1.1-5), which constitutes a nodal point of the national grid. The substation is connected to other nodal points of the national grid via 400 kV transmission lines. The reliability of the substation is a key element of plant operational safety. The primary side of the main transformers and the house-load transformers are connected directly to the circuit breakers of the generators at 15.75 kV. This makes it possible to provide house-load electrical power backwards from the national grid via the substation (e.g. for unit start-up).
Fig. 1.1-5: The 400 kV substation
The 400 kV system powers the 120 kV substation via two booster transformers. As well as outputting the generated electricity to the national main distribution grid, the 120 kV substation is connected to the plant's reserve start-up transformers, which allows the possibility of also supplying in-house consumers from the 120 kV national grid. The Paks substation is connected to the national grid (400 kV) via transmission lines heading in five different directions, and to the main distribution grid (120 kV) through the two booster transformers and then seven transmission lines. This arrangement of multiple electrical connections yields sufficient operational safety should any single transmission line fail. A map of the national grid is shown in Fig. 1.1-6.
Fig. 1.1-6: The Hungarian national grid
1.1.8 Differences between the units relevant to safety and the review
1. Differences in the diesel generators
The diesel generators installed in the first twin unit differ from those in the second. In Units 1 and 2 there are three 15D100, 10 twin-cylinder, two-stroke, Soviet-made (Ukrainian) diesel generators installed in each unit with a nominal capacity of 1.6 MW. These can be loaded for 10 hours up to 1.8 MW. Their nominal rotation speed is 750/min, and the run-up time is 15 sec. In Units 3 and 4 there are three Ganz SEMT-Pielstick, 18-cylinder, four-stroke, four-valve, Hungarian-made diesel generators installed in each unit with a nominal capacity of 2.1 MW. Their nominal rotation speed is 1500/min, and the run-up time is 15 sec. Fig. 1.1-7 shows these diesel generators.
Fig. 1.1-7: The Ukrainian and Hungarian diesel generators

2. The status of plant modifications for severe accident management
A comprehensive severe accident analysis and management program was initiated at the plant in 2008 to mitigate potential consequences of any low-probability, high-severity reactor accidents caused by circumstances not planned for in the design bases. Several design changes required for the introduction of severe accident management have already been implemented in the individual units; but, at the time of this report, the modifications have not been completed to the same extent in every unit. Table 1.1-2 gives the current status of these design changes.

Table 1.1-2: Status of plant modifications for severe accident management and the schedule for implementation

| Measure | Unit 1 | Unit 2 | Unit 3 | Unit 4 |
|---|---|---|---|---|
| Plant changes for flooding the reactor vessel cavity | Completed | 2012 overhaul | 2013 overhaul | 2014 overhaul |
| Provision of an autonomous power supply to designated consumers | Completed | Completed | 2011 overhaul | Completed |
| Installation of passive hydrogen re-combiners | Completed | Completed | 2011 overhaul | Completed |
| Reinforcement of the spent fuel pool cooling system against loss of coolant | Nov-Dec 2011 | Nov-Dec 2012 | Feb-Mar 2013 | Jan-Feb 2012 |
| Installation of a severe accident monitoring system | Completed | Jun-Aug 2012 | Sep-Oct 2013 | May-Jun 2013 |
3. Location of the demineralised water storage tanks in Units 3 and 4
The demineralised water storage tanks (three 900 m³ tanks per twin unit) have an important role in maintaining the demineralised water supply required by important plant systems for cooling purposes. The tanks for Units 3 and 4 are situated directly alongside a laboratory building that is not reinforced or qualified for seismic events. The collapse of the building wall could potentially have an impact on the demineralised water storage tanks.
4. Restoration of the essential service water systems
Restoring the operation of the essential service water systems after a total system loss differs between the units. In Units 1 and 2 the systems are capable of filling themselves up after the restart of their pumps, but in Units 3 and 4 additional systems are needed to fill the systems before the pumps are allowed to be started.
The horizontal and vertical peak ground accelerations (PGAs) are equal to 0.25g and 0.2g, respectively. This approach complies with the Hungarian regulations and international practice. The 25-30 m thick saturated young soft soil (~300 m/s shear-wave velocity) that covers the eroded Pannonian surface at the site is prone to liquefaction at a depth of 10-15 m. The safety factor to liquefaction is rather low.

Seismic safety provisions at the plant
Paks NPP was originally not designed and qualified for earthquakes, so the safety upgrading was aimed to demonstrate plant safety at a newly defined design basis. The seismic upgrading project, which lasted from the mid-90s up until 2003, was the most extensive performed in the history of the plant. The safety level achieved was quantified by seismic probabilistic safety assessments (PSAs). The seismic upgrading project covered the identification and implementation of upgrading and qualification measures, the installation of seismic instrumentation, and the development and introduction of procedures for pre-earthquake preparedness and post-event action. The project resulted in assurance of the basic safety functions:
- shutdown of the reactor and maintaining it in a subcritical condition,
- cool-down and continuous cooling of the reactor (without time limit), and
- retention of radioactivity within the systems and buildings for the protection of the public and the environment.

If there is an earthquake, the reactor would be shut down either by the reactor protection system due to process system malfunctions, or manually by the operator if the earthquake exceeds set criteria regarding the maximum strength permitted for safe operation. The cool-down is ensured by secondary-side bleed and feed. Continuous cooling is maintained by the heat removal system. In all redundant trains of equipment, the systems, structures and components needed for these safety functions are reinforced and qualified for a safe shutdown earthquake (SSE, i.e. the maximum strength of earthquake for which the various safety systems are reinforced to provide a safe reactor shutdown and continued reactor cooling). The systems not required for the safety functions are isolated automatically from those that are seismically qualified.

The cooling technology for a potential SSE was developed assuming that the plant would be in normal operation when the event occurred, and that the outside energy supply (the grid) and make-up water source would then not be available for 72 hours. In accordance with the Nuclear Safety Regulations, all redundant safety trains have been upgraded and qualified for an SSE, including the emergency core cooling systems. Consequently, post-earthquake scenarios with loss of coolant can also be managed, even though these are beyond the design basis scenarios according to safety philosophy. The systems for heat removal from the spent fuel and refuelling pools are also reinforced and qualified for an SSE. In an emergency, the active systems cooling the pools are supplied with electrical power from diesel generators. The possibility of fires and flooding resulting from an earthquake is also avoided through the reinforcement of the relevant systems.

Ongoing review activities and preliminary actions
- A critical aspect that requires further investigation remains the liquefaction hazard at the site, including analyses of the settlement of the buildings (with and without liquefaction), underground connections, etc. This issue is discussed further in Section 2.
- The feasibility of implementing an automatic reactor shutdown function during the planned modernisation of seismic instrumentation is under consideration.
- The fire brigade plays a vital role after earthquakes, but their base building is not seismically reinforced. This issue is being investigated further.
- There is room for improving seismic housekeeping. The fixing of tools in place and maintenance appliances stored at the units, and the fixing of heavy tools and furniture at the maintenance shops and offices, need to be evaluated as further corrective actions.
1.2.2 Flooding
Evaluation of the hazard of flooding is based on a statistical evaluation of data collected from local water level measurement gauges. On this basis, the level of icy flooding with a frequency of 10⁻⁴/year in the vicinity of the site would be 96.07 m above the level of the Baltic Sea, and the level of ice-free flooding would be 95.51 m. The level of the dyke protecting the site from flooding is 96.60 m, and the filling level of the site is 97.00 m. These are higher than the potential flooding levels, and so flooding need not form part of the design basis.

A conservative extension of the statistics of the water levels beyond the design basis case suggests the estimated water level might potentially exceed the filling level of the site at a frequency of less than 10⁻⁴/year. However, the dyke is lower upstream of the site and also on the eastern bank of the Danube (96.6 m), and so the river would flood the areas to the north and to the east of the site; consequently, the extreme flooding would not endanger the plant site. Flooding can therefore be excluded from the natural sources of hazard even when considering beyond design basis conditions.

Ongoing review activities
The review so far has covered static, slow changes in water level. Flooding due to dynamic, rapid processes also needs to be analysed. This is ongoing and the findings will be included in the final report.
1.2.3 Low level of the River Danube
To investigate the security of the cooling water supply by determining the potential extreme low levels of the river, a statistical evaluation of the collected data from the water gauges was used. According to the statistical evaluation, the low level that occurs with a frequency of 10⁻⁴/year would be 84.65 m above the level of the Baltic Sea, which is incorporated in the design basis. Even lower water levels may potentially occur. The statistical evaluation gives 84.48 m at a frequency of 10⁻⁷/year.

Oscillation of the Danube's water level should be considered a natural hazard, since the loss of the essential service water system cannot be tolerated in the long term even when the reactors are shut down. The pumps for this system have to be sufficiently far below the lowest potential level of the Danube to ensure cavitation-free operation even in this extreme case. To meet these conditions, the impellers of the pumps were replaced and now the pumps can be used until the level drops to 83.50 m.
Ongoing review activities
The statements above were based on static calculations and on the previous analyses of low water levels and drought in the Paks drainage basin. Complementary analyses are ongoing and the findings will be included in the final report.
1.2.4 Extreme weather conditions
The following weather conditions were identified at the site as potentially dangerous natural events:
- high strength gusts of wind,
- extreme high and low temperatures,
- extreme rain,
- extreme snow,
- lightning.
Results of earlier reviews were used to evaluate the meteorological hazards. The statistical characterisation of the various events was based on adjusting theoretical (mostly Gumbel) distributions to the various datasets. Based on these adjustments, the values of the meteorological extremes that potentially occur with a frequency of 10⁻⁴/year were identified.

The extreme meteorological characteristics were estimated for frequencies down to 10⁻⁷/year. Obviously, the estimates of meteorological characteristics for such low frequencies, based on data collected only over 50-60 years, have a significant statistical error. However, these extreme levels could significantly exceed the design basis values, and so the consequences of very low frequency events have to be considered in the review. The extreme values of the relevant meteorological parameters are as follows:
- extreme wind velocity: 48.8 m/s,
- extreme environmental temperatures: -39.6 °C and 43.0 °C,
- extreme rainfall: 38 mm in 10 minutes, 68 mm in 60 minutes, and 320.5 mm in 24 hours,
- extreme snow load: 1.5 kPa,
- extreme lightning current: 200 kA.
The deterministic analyses are well complemented by the probabilistic safety analyses (PSAs). In principle, these cover the full set of possible adverse events and processes. Their aim is to determine the frequency (probability of occurrence per year) of fuel damage (Level 1 PSA), and the frequency of a large radioactive release (Level 2 PSA). Results of the PSAs have to satisfy certain regulatory requirements. They are also useful in determining safety enhancement measures. The safety enhancement measures arising from the PSA results should increase the efficiency of defence in depth against extremely rare events beyond the scope of the deterministic analyses.

The Fukushima accident called into question the completeness of PSAs. This is why the targeted safety review includes a review of PSA studies of the plant. Additionally, by definition, the targeted safety review will also cover extremely rare events and processes that have not been investigated earlier.

The following statements can be made based on the results of the Level 1 PSA in Paks:
- The total core damage frequencies (CDFs) representing the scope of the available PSA studies for the individual units of Paks NPP are lower than the target value specified in state-of-the-art international guidance, i.e. the quantitative criterion for CDF has been met.
- No single system, structure or component can be identified as making a dominant contribution to the CDF value, i.e. the risk can be considered to be balanced over the underlying contributors.
- The quantitative results indicate that, of the initiating events, earthquakes make the largest contribution to risk, and human error is the most important basic event from the point of view of core damage frequency.
- A number of safety upgrading measures have been implemented to reduce the effect of the most important contributors to risk. These measures include extensions to the scope of seismically qualified electrical and instrumentation and control components, the development of new procedures and operator guidelines to support emergency operations, etc.

The following statements can be made based on the results of the Level 2 PSA in Paks:
- The frequency of a large off-site radioactivity release due to internal events, fire or internal flooding at full power operation corresponds closely with the risk figures estimated internationally for pressurised water reactors of the same vintage.
- Early containment failure was found to be a relatively important contributor to the frequency of off-site release. Measures have therefore been implemented for hydrogen treatment in the event of a severe accident.
- In order to arrest the core meltdown process within the reactor and to prevent base mat melt-through, a new accident management procedure is being implemented for cooling the reactor vessel externally by means of flooding the reactor cavity.
- Much attention has been paid to the management of accidents in the shutdown state when the reactor vessel is open for refuelling. The emergency operating procedures have been extended to low power and shutdown conditions, and the severe accident management guidelines address severe accidents in these conditions.
- The risk of off-site release due to a seismic event is reduced mainly by reducing the frequency of severe accidents and containment isolation failures. Accident mitigation is also important for seismic accidents, especially hydrogen treatment in severe accident conditions.
CBF_EJ_Eng
2011
Page 18 of 31
Version: 1
From the results of the spent fuel pool PSA it can be stated that the frequency of fuel damage is acceptably low. Despite the low risk estimates, a number of measures have been taken to prevent fuel damage in the spent fuel pool as the open pool directly communicates with the atmosphere of the reactor hall. These measures are aimed mostly at improving the reliability of the cooling circuits connected to the spent fuel pool.

Some further actions are seen as necessary in relation to the plant PSA:
- the scope of the PSA studies should be broadened to include external events other than earthquakes,
- the PSAs should be updated to reflect the effect of measures taken and guidelines introduced for severe accident management.
2. Review results
The Hungarian Atomic Energy Authority required the review of two key potential events:
- long-term (several-day) loss of the electricity power supply,
- loss of the ultimate heat sink.

For both areas, five main topics needed to be reviewed:
- overview of relevant plant systems, their adequacy and their compliance with the design basis,
- potential internal causes of the key events,
- potential external causes of the key events,
- robustness, margins and protection against external events that exceed the design basis,
- accident prevention activities for each key event.

Neither the total loss of electrical power supply nor the loss of the ultimate heat sink was taken into account in the design basis due to their very low likelihood. Nevertheless, we needed to assess these two key events in the targeted safety review as without electrical power or cooling water it is not possible to maintain the reactor and spent fuel pool cooling. These events are interrelated. The operation of the emergency electrical power supply sources (the diesel generators) cannot be maintained for long periods without essential service water, but the water pumps are powered from the diesel generators under emergency situations. Again, it should be emphasised that the likelihood of losing any one of these systems is extremely small, far below the design basis limits. (Potential corrective actions to resolve the issue are detailed later.)

As review activities for the two main key events are very similar, some common statements can be made before considering each individually.

Ongoing review activities common to the two key events

In the review of potential internal causes of the key events, the root causes deriving from operations, maintenance, human, documentation and organisational errors, and the effects of these, are still being investigated.
Regarding external causes, we identified that the effects of some potential meteorological conditions (taken into account in the design basis) had not been considered sufficiently in the previous analyses. Although we had identified these extreme events, the plant systems, structures and components (SSCs) potentially affected by them had not been investigated to the required level of detail. A systematic review that will list the affected SSCs and define the effects of the extreme external events on them was therefore initiated in the last periodic safety review. This comprehensive system review is ongoing and cannot be finished by the conclusion of the targeted safety review. As a consequence, the final report will describe the results achieved by that time and will set out future tasks for this area. The building settlement analyses performed recently show large uncertainty in their prediction of building settlement in the case of an earthquake (with and without soil liquefaction). The settlement caused by an earthquake can affect the underground connections (service water piping and emergency power supply cables) due to relative displacements. A new analysis has to be performed for the proper assessment of the issue and to identify any corrective measures (additional qualifications or modifications).
It is also necessary to characterise safety margins for weather conditions that may cause extreme loads on plant structures and systems beyond those taken into account in the design basis. This analysis is part of the risk assessment for natural external events currently in progress. The analysis is due to be completed by December 2012.
lasting loss of internal and external electrical power supply sources. These would be primarily to avoid core damage or to halt extensive core melt processes and to prevent containment damage.

Preliminary findings and ongoing review activities

An increase in the quantity of diesel fuel stored at the site may be recommended to increase the current 120-hour operating time of the emergency diesel generators.

The installation of additional, full function emergency/maintenance diesel generators should be considered. The concept, already accepted, of installing a full function maintenance diesel generator should be reassessed and the generator's planned function should be extended to emergency situations. The concept should take into account the occurrence of severe accidents simultaneously in several units and several cooling pools. Installation of these severe accident diesel generators in each twin unit or even each unit should be investigated. Appropriate protection should be provided for these machines against external hazards, earthquakes and flooding. They should be totally independent from the plant cooling water systems.

Regarding available on-site connections between the units at 6 kV AC, the possibilities for alternative, unused power supply routes are much better than previously thought. It is necessary to draw up operational procedures for testing and then using these connections.

The high-voltage substations are not safety systems and, therefore, the applied redundancy is only twofold. As they may play an important role in powering the plant in-house systems from the national grid and in providing electricity via cross-connections from one unit to another, seismic qualification and/or reinforcement of the substations may be considered.

It is recommended that a black-start capability be created for the Litér gas turbine (an off-site gas turbine located remotely), which can provide external electrical power to Paks NPP via a dedicated transmission line if the national grid collapses.
The design of these systems followed the concept of defence in depth. The principles of redundancy, independence and self-diagnosis that were applied ensure the required high level of availability. Depending on the importance of the system, the redundancy is either two- or threefold. Because of this redundancy and separation, a single failure in a single branch, or in
any connected auxiliary system, cannot lead to the loss of the safety function, regardless of the initiating event. The seismic safety of the SSCs required for removing heat from the reactor and spent fuel pool and transferring the heat to the ultimate heat sink has been reviewed. For completeness, the functioning of the SSCs in the whole heat transfer path were considered and were found to be adequate. Certain parts of the system do not need to function after an earthquake. These are not reinforced and are isolated from the seismic-proof parts with fast shutdown valves should the acceleration level measured in the base mat of the plant exceed the trigger level (0.05g in any direction). The buildings that house the cooling systems, piping and all other relevant system components are reinforced for an SSE. The functions of the supporting systems, such as the emergency power supply, are also ensured as described in Section 2.1. Cooling of the spent fuel pool is ensured by two cooling loops and the essential service water system. The reactor hall and its roof, the reinforced concrete structures of the main building surrounding the pools, and the structure of the pools (including hatches and liners) have sufficient capacity to sustain the SSE loads. As described in Section 1.2.2, flooding need not be considered as a potential external hazard for the ultimate heat sink functions. An appropriate action plan is in force for low water levels of the River Danube. This issue was addressed in Section 1.2.3. For extreme weather conditions, the results required will be provided by the ongoing system review described in the introductory part of Section 2. The safety margins of the ultimate heat sink function in withstanding earthquakes that exceed those planned for in the design basis have been assessed. From this, it can be concluded that such an earthquake would not necessarily lead to the loss of systems necessary to ensure heat removal towards the ultimate heat sink. 
However, the probability of ultimate heat sink failure naturally increases with earthquake intensity. For the lower seismic acceleration ranges, the dominant form of seismic damage is the massive liquefaction causing subsidence of the main building complex. The safety margins against beyond design basis earthquakes can be improved substantially by establishing or upgrading protection against the consequences of liquefaction. This issue is covered in Section 1.2.1 and in the introductory part of Section 2.

In accordance with the targets of the review, we have assessed and evaluated all preventive accident management possibilities that might be used in Paks NPP if the ultimate heat sink function were lost. These would be primarily to avoid core damage or to halt extensive core melt processes and to prevent containment damage.

Preliminary findings and ongoing review activities

If there is a loss of off-site power and a shutdown of all four reactors, the drum filters on the Danube water intake would stop as they are powered from non-safety electricity supply systems. After a considerably long period, these filters may become clogged and may endanger the supply of essential service water (and demineralised water). This should be avoided and the appropriate corrective action is being investigated.

The demineralised water tanks in Units 3 and 4 are sited alongside a laboratory and service building. This building is not safety related and is not reinforced for an SSE. Damage to this building could impact the tanks. The necessary protective action is currently under review.
There is a diesel generator-driven firewater pump station at the plant. This could provide additional cooling water at a quantity of ~2 × 2,000 m³ from the fully closed discharge water canals of Units 3 and 4. For this, the removal of the retention edge of a pit and the installation of a closing valve are needed. A specific solution is being investigated.

There are nine large-diameter, 30 m-deep coastal filtration wells equipped with submersible pumps in the Danube's bank with a practically unlimited water supply. This pump station is connected to the essential service water system. The capacity of the pump station (500-700 m³/h) might be sufficient for the required minimum cooling water demand of all four units. However, this pump station receives its electrical power from non-safety sources, and it becomes inoperable during a total blackout. The installation of a fixed or mobile diesel generator to supply the ~400 kW of electricity directly is under review.

How other water sources around the plant could be used for additional water supply is being investigated. An appropriate solution might be the creation of mobile water extraction from the River Danube or from the fishing lakes located in the vicinity. The length of the mobile pipelines and how many pumps will be required in order to achieve the necessary delivery head are also being assessed, as are the potential connection points.

The way to install pipelines between connection points in the plant yard area and the containment (possibly connecting inside to the emergency feedwater system) is under consideration. This would create the possibility of supplying cooling water to the steam generators when they are at low pressure. A potential source of water is also being investigated.

A system for the secondary side blow-down of the steam generators to the containment is now installed, and this new system can serve as a line to feed cooling water into the containment. The method for powering and opening the new steam generator blowdown valves must be established and controlled by appropriate procedures. This method would also require a solution for borating the water supplied to the containment.

The loss of the essential service water system would result in the loss of cooling of the spent fuel pool. Possible ways of supplying external water to the cooling pools are under investigation. The new water supply route must be protected from the external hazards that caused the severe accident. The system will have to remain operable under harsh radiation conditions. Boration of the water supplied to the cooling pool via the new pipeline will also have to be resolved. Specific tasks will be assigned in the final report.
2.3 Vulnerability of the containment function to external events that exceed those in the design basis
This section, which will be completed for the final report in October 2011, will present the risk of losing containment integrity due to various levels of external events that exceed those planned for in the design basis. The margins of the systems and structures that ensure the containment function during such events are currently under thorough review. The margins are determined in the same manner as in Sections 2.1 and 2.2.
Preliminary findings and ongoing review activities

The spent fuel pools are situated in the reactor hall. Since the reactor hall is not a confined volume, any accident involving spent fuel damage could result in significant radioactive releases. However, based on analyses, the timeframe of development of a severe accident in the spent fuel pool is very long due to the available water supply and relatively low decay power in it. A broad range of accident management measures are therefore available to recover spent fuel cooling. The severe accident mitigation procedures after the occurrence of an accident in the pool have not yet been established.

In earlier analyses the calculation of the total hydrogen concentration in the reactor hall was based on an accident in only one single reactor or one single spent fuel pool. It was determined that the concentration of the accumulated hydrogen definitely did not reach the ignition level. In the ongoing review, the analysis is extended to identify the quantity of hydrogen and its spatial distribution during an accident involving two spent fuel pools, one open and one closed reactor simultaneously.

The previous analyses showed no significant radioactivity release in the case of a failure of or an accident in the radioactive waste storage systems. This issue is currently being analysed further.
The implementation of the strategy includes two key elements: on the one hand the installation of hardware components for performing severe accident management, and on the other the implementation of severe accident management guidance.

Hardware components put in place for severe accident management include:
- External cooling of the reactor vessel through flooding the reactor cavity with the coolant drained from the localisation tower;
- Installation of passive autocatalytic recombiners for severe accident hydrogen management;
- A dedicated instrumentation system for severe accident monitoring;
- A dedicated diesel generator for the energy supply of severe accident management hardware components;
- Reinforcement of the spent fuel pool cooling system against loss of coolant.

These systems have been installed in Unit 1 and their installation is underway in the other units. Table 1.1-2 provides a summary of the current status of implementation.

The other key element of the strategy is the development of accident management guidelines to provide the plant crew with appropriate guidance for mitigating the consequences of severe accidents that impact the reactor or the spent fuel pool and lead to large releases. The overall goal of the guidance is to return the plant into a controlled, stable condition with termination or significant reduction of the levels of radioactive material release. These guidelines have now been developed and they are expected to be introduced into plant operation at the beginning of 2012.

Preliminary findings and ongoing review activities

The consequences of slow over-pressurisation of the containment after a severe accident have now been analyzed further and countermeasures identified. Currently two concepts seem realistic:
- Filtered venting of the containment (the basic technical concept has already been elaborated for this option);
- Long-term cooling of the containment (optionally with an external cooling water feed).
The aim of this review task is to assess the adequacy of measures related to the management of site emergencies in connection with severe accident management. The review had to cover:
- organisational preparedness,
- potential access to off-site support,
- the operability of mobile equipment,
- possibilities for re-supply (of fuel, drinking water, food, etc.),
- the adequacy of internal and external communication and information systems.
The assessment had to consider special emergencies where the infrastructure and communications were severely damaged or destroyed due to external events. The scope also covers situations where the working conditions at the site seriously deteriorate due to radiation/contamination or destruction, and long-term defence is needed. The assessment had to consider situations where several units and auxiliary buildings used by the emergency response team were damaged. The efficiency of decision-making, the operability of the emergency response organisation, and the possibilities of involving external resources had also to be reviewed. As a preliminary result, it has been concluded that the necessary personal and material prerequisites and resources for managing nuclear and traditional emergencies are basically at the disposal of Paks NPP.
The plant's intervention capabilities during severe accidents and other emergencies correspond with international recommendations and the Hungarian regulations. Emergency preparedness has been adequately designed and tested. The preparedness covers both nuclear and other emergencies. The alarm system for activating the emergency response organisation has been properly designed. Education, training and tests ensure the maintenance of intervention capability during normal periods.

For managing emergencies, Paks NPP established an Emergency Response Organisation. This organisation is activated whenever an emergency situation is declared and works in accordance with predefined rules and control.

The buildings and equipment needed for efficient emergency management are at the disposal of the plant and are continuously maintained and modernised. Analyses for estimating radioactive releases during various accidents are available. The availability of certain buildings and equipment during emergencies is being investigated further.

Conditions for long-term intervention capabilities are well designed and ensured; however, some details require further investigation. The protected buildings and systems needed for emergency management have their own energy resources. The critical equipment has uninterruptible power supplies (UPSs) and so the devices needed for emergency management can continue to be used when the electricity supply is lost.

If the Protected Management Centre is lost, control should revert to the Reserve Management Centre. Here the conditions for control and communication are limited but the basic activities can be maintained.

In order to review the potential use of external resources, further information has been requested from the National Directorate for Disaster Management, the Hungarian Army, and companies providing communication services.

The review process is currently ongoing in various ways and will be completed by the time of the final report.
3. Executive summary
Following the accident that occurred in the Fukushima NPP in Japan on March 11, 2011, European countries decided to carry out targeted safety reviews in their NPPs. On May 2, 2011, the Hungarian Atomic Energy Authority (HAEA) initiated a targeted safety review of Paks NPP and issued a document on the requirements of the investigation. The reference date of the investigation is June 30, 2011. Proposals have to be set out for addressing any eventual deficiencies found during the investigation. Paks NPP started the review on this basis. A Progress Report had to be prepared (in Hungarian) by August 15, 2011, the contents of which are summarised in this report.

Section 1 presents the most important characteristics of the site and the plant, covering a basic description of relevant plant characteristics, external hazards of natural origin and a summary of the results of earlier probabilistic safety assessments (PSAs). The following conclusions can be drawn from Section 1:

With respect to external events of a natural origin:
- The earthquake risk has been explored in detail and is well established. The plant is properly protected against earthquakes by the establishment and introduction of a comprehensive seismic protection concept and corresponding reinforcements;
- Soil liquefaction and the potential settlement of buildings need to be investigated further;
- Flooding of the site need not be considered for the review scope due to the specificities of the site;
- An extreme low level of the River Danube would be managed safely by the measures introduced;
- The evaluation of extreme events from other external causes is ongoing, but these are unlikely to endanger the safety of the plant.

Following an extremely large earthquake, the long-term loss of the electricity supply and/or the ultimate heat sink cannot be excluded, but other external hazards are highly unlikely to lead to such events. The extreme external conditions experienced in Fukushima and the accident sequences they caused are unlikely at the Paks site.

With respect to the probabilistic safety assessments (PSAs):

The basic technical background for licensing nuclear power plants is provided by deterministic safety analyses. These prove that the safety of the plant satisfies all the regulatory requirements and specifications. The probabilistic assessments provide further useful information which can be used complementarily for improving safety. These assessments have led to many safety improvement measures in recent decades, including the preventive and mitigative management of accidents. In the current state of the plant, PSAs present a favourable picture. The safety improvements related to mitigative accident management have been completed for Unit 1 and are ongoing in the other units. As with any other NPP, the scope of PSAs can be continuously extended to safety components not previously considered, based on operational experience and new scientific results.
Section 2 presents the aims, scope and preliminary conclusions of the targeted safety review. HAEA required the investigation of two key events:
- long-term (several-day) loss of the electricity supply,
- loss of the ultimate heat sink.

Since the severe accidents that lead to significant radioactive releases and their management at the site are essentially identical for these two key events, the related consequences (including the development of accidents with significant radioactive releases) are presented together.

Section 2 consists of six sections:
- 2.1 Long-duration loss of the electrical power supply;
- 2.2 Loss of the ultimate heat sink;
- 2.3 Vulnerability of the containment function due to external events that exceed those planned in the design basis;
- 2.4 Severe accident sequences leading to large radioactive releases;
- 2.5 Accident management mitigating the consequences of uncontrolled key events;
- 2.6 Site emergency procedures for managing the consequences of uncontrolled key events.

Sections 2.1 and 2.2 are devoted to the two important key events that were the direct causes of the Fukushima severe accident. These two sections have an identical structure. After reviewing the design basis, the internal and external causes of the key event are discussed, and then protection against external events that exceed the design basis and accident prevention activities are presented.

In Section 2.3 (under development in the present phase) it will be considered whether the containment function preventing the release of radioactive materials into the environment would remain intact following external events that exceed the design basis and eventually result in the release of radioactive materials from the reactor.

The key events may eventually lead to severe accidents (in circumstances presented in Sections 2.1 and 2.2), which are discussed in Section 2.4.
In the case of a severe accident, the plant aims to control the event sequences through mitigative accident management (Section 2.5), and tries to prevent catastrophic consequences through emergency response measures (Section 2.6). The basic statements of the performed review are given together with the preliminary recommendations in every section. The analyses and investigations to be completed by the finalization of the targeted safety review or later are also listed at the end of the corresponding section.
List of abbreviations
Abbreviation    Meaning
CDF             Core damage frequency
HAEA            Hungarian Atomic Energy Authority
IAEA            International Atomic Energy Agency
NPP             Nuclear power plant
PGA             Peak ground acceleration
PSA             Probabilistic safety assessment
PSHA            Probabilistic seismic hazard assessment
SSCs            Systems, structures and components
SSE             Safe shutdown earthquake
VVER            Pressurized water reactor of Russian design