Академический Документы
Профессиональный Документы
Культура Документы
AOP and EOP cover area of (largely) intact core, are directed to save the core:
after LBLOCA, some core damage (ballooning, clad rupture) may have occurred
Restart of plant may be possible, after repair of damage (if any) AOPs and EOPs to be followed (mostly) verbatim
Before TMI-accident, many EOPs were dependent on recognition of the accident scenario and focussed on DBA After TMI, also scenario-independent EOPs were developed, preserving critical safety functions (see next slide), included also BDBA After Chernobyl, SAMG was initiated, included full core melt accidents
Sub-criticality Preserve vital support functions (Comb. Engineering) Core cooling Heat sink RPV integrity Containment integrity (control pressure,
temperature; clean up of containment atmosphere
Characteristics of SAMG
SAMG covers area of damaged core, is NOT directed to save the core, but to protect fission product (FP) boundaries
Plant is lost !! Jobs gone, extensive economic damage by loss of plant and contamination off-site SAMG is guidance, i.e. not followed verbatim, includes balancing positive and negative consequences
Mitigate RPV melt-through (water on the floor) Prevent / mitigate H2 combustion Prevent containment overpressure
and also containment sub-atmospheric pressure (long term)
For PWR: failure of most drastic EOP for core cooling; ATWS
Basis: e.g. CET > 650 C and all EOP-actions failed (approaches differ)
Change in organisation: TSC responsible for evaluation and decision making, operators for implementation
Application of SAMG
Heritage from TMI: many systems will still be available, we just lost insight in what happened
TMI-operators shut down ECCS but ECCS (and all other equipment) was still available
Weak point in this concept: EOPs and SAMG use largely the same systems!
Both depend on I&C, power, cooling water; i.e., both depend on DC, AC and cooling water
Combustion Engineering Owners Group SAG-1 for BD/CH (badly damaged core, containment integrity challenged): inject into the RCS
But why are we here in a severe accident? Probably because we had no water for long time can we expect to have water back just after transition into SAMG??? The SAGs will follow in minutes after the transition into SAMG we still will have no water!!
In SAMG, we use all there is but systems to mitigate severe accidents are (usually) not classified for safety will they operate??? We have lots to mitigate DBA (LBLOCA, SBLOCA, SGTR, rod ejection, other DBA):
ECCS, RHR, redundancy, separation, safety-related classification (in DS 367: class 1 and 2), ASME III design, seismic class I, etc.
None of this required for systems to mitigate BDBA incl. severe accidents!!
Recall: prevent SG tube creep rupture, prevent HPME, flood cavity, remove H2, relief containment pressure In DS 367: safety class 3 With exception of some new designs (e.g., EPR, AP1000, ESBWR)
Environmental qualification
Harsh or Mild
Harsh or Mild
C3
C4
Electrical (IEEE)
1E
1E
Non 1E
Seismic
Seismic Category 1
Seismic Category 1
Specific Requirements
Class 1
Class 1
Class 1
Usually type LB LOCA, rod ejection, see RG 1.70 Strict regulation in terms of release limits (e.g., 10 CFR 100) Strict regulation in terms of safety classification, seismic classification, ASME III & XI, QA Some countries: EOPs are limited to these accidents (Germany)
PWRs: Diverse turbine trip and start of AFW, MTC BWRs: ARI, RCP trip, SLC, EOPs ATWS < 1.E-5 /ry safety goal USNRC
PHWRS have per design already two shutdown systems SBO: 10 CFR 50.63, RG 1.155 ( EDG reliability targets)
No requirement for safety classification No demonstration to stay within predefined release limits
Limited regulation
Include them in regulations and regulatory oversight How to do: e.g., follow IAEA Design Extension Conditions But upgrade criteria, such as safety classification As said, we have lots for LBLOCA, etc., but which systems mitigate severe accidents?? (some countries have some, e.g. Sweden). Examples exist: AP1000, EPR, ESBWR, AES2006 (Russian design)
Severe accidents have enormous economic and societal consequences: develop safety criteria Redesign EOPs and SAMG, and outside support Regulation: require sound demonstration of effectiveness
instruments cannot be read, pumps cannot run, water tanks unavailable extend mission times (SBO 24 hrs.?; cont. integrity > 24 hours) consider dedicated auxiliary equipment (e.g. bunkered decay heat removal systems) consider portable equipment, stored separately make sure communication tools (telephones) remain available
Shutdown states (with few exceptions) Survival of needed SSC for SAMG
assume you have Passive Autocatalytic Recombiners (PARs), but they are ripped off from the containment wall by a seismic event
Protection of compartments adjacent to containment against danger of leakages from containment (e.g. H2 !!)
- E.g., containment vent line is damaged by seismic, so gases from containment may be vented to other compartments
Recent severe accident research insights present Technical Basis of SAMG for many plants is 20 years old Quantitative methods to estimate potential negative consequences of SAMG actions Develop tool to estimate major events and their possible consequences
Time to core overheat, time to RPV meltthrough, time to containment overpressure, timing and magnitude of potential releases Used at the site? Maybe better at dedicated institutes
Conclusions
Severe accidents like Fukushima are wholly unacceptable for their catastrophic societal and economical consequences, even if no casualties. The concept of DBA should be revisited: plants should have demonstrated capability to mitigate severe accidents. SAMG needs extension, upgrading. Work ahead: for industry, regulators, research.