FULL POWER AND SHUTDOWN LEVEL 2 PSA STUDY FOR UNIT 1 OF J. BOHUNICE V1 NPP by Zoltan Kovacs and Helena Novakova RELKO Ltd, Engineering and Consulting Services Bratislava, Slovak Republic
CONTENTS • Introduction and overview of the Level 2 PSA methodology • Description of the Confinement • The interface between the level 1 and 2 PSA • Description of the accident progression analyses • Evaluation of the confinement failure modes and construction of the confinement event trees • Definition of release categories • Discussion of the source term analysis • The results and sensitivity studies • Conclusions
INTRODUCTION • Within the gradual reconstruction of J. Bohunice V1 NPP the upgrading of the confinement was performed and a new accident localisation system was installed. • The level 2 PSA (for full power, low power and shutdown operating modes) was developed with the following objectives: • to identify the ways in which radioactive releases from the plant can occur following the core damage, • to calculate the magnitudes and frequency of the release, • to provide insights into the plant behaviour during a severe accident, • to provide a framework for understanding containment failure modes, the impact of the phenomena that could occur during and following core damage and have the potential to challenge the integrity of the confinement, • to support the severe accident management and development of SAMGs.
INTRODUCTION • The level 2 PSA model of the J. Bohunice V1 NPP was developed in the RISK SPECTRUM Professional code. • This model calculates the frequency of the individual release categories generating minimal cut sets which involve the initiating event of the accident, component failures and human errors. • The magnitudes of release categories are calculated using: the MAAP4/VVER for reactor operation and shutdown mode with closed reactor vessel and the MELCOR code for shutdown mode with open reactor vessel. • Although the level 1 PSA mission time is 24 h, the level 2 PSA simulated accident sequences 48 h to provide greater understanding of confinement performance during the later stages of a scenario. So, both the level 2 PSA mission time and the deterministic analyses time are 48 h.
OVERVIEW OF THE LEVEL 2 PSA METHODOLOGY • Project management: Definition of objectives and scope of level 2 PSA study, project management, team selection and organisation, quality assurance of the project. • Familiarisation with the plant: Familiarisation with the plant and identification of design aspects important to severe accidents, description of the confinement and accident localisation system of the plant after the safety upgrading. • Interfacing of level 1 and 2 PSA: Development of extended event trees, definition of plant damage states as initiating events for CETs. • Accident progression analyses: Analyses of progression of severe accidents, computer codes used for the analyses, treatment of the accident phenomena, input data, calculation results.
OVERVIEW OF THE LEVEL 2 PSA METHODOLOGY • Confinement performance analyses: Structural response, confinement bypass and confinement isolation analyses. • Construction of CETs: Construction of confinement event trees, quantification of confinement event tree events, uncertainties in the event probability quantification. • Source term analyses: Definition of release categories (source terms), grouping of fission products, fission product release calculations, treatment of uncertainties in the estimated source terms. • Quantification of frequencies for release categories: Calculation of frequencies of release categories using the integrated full power and shutdown model developed in RISK SPECTRUM Professional code. • Presentation and interpretation of the results
OVERVIEW OF THE LEVEL 2 PSA METHODOLOGY - main events of the severe accident
CONFINEMENT DESCRIPTION - the main issues of the confinement • The confinement leak-tightness • The accident localisation system • The confinement spray system • The confinement isolation • The confinement data as input to the deterministic codes • Structural analyses of the confinement
CONFINEMENT DESCRIPTION - Leakage from the confinement: volume % / 24 h
THE INTERFACE OF LEVEL 1 AND 2 PSA • Development of the level 2 probabilistic model starts with the construction of the extended event trees (EETs). • This is complementary level 1 modelling before the plant damage state (PDS) grouping. • It allows credit for the core damage recovery. Construction of an EET is performed for each core damage sequence of the level 1 PSA model. • The next step is the definition of PDSs and their assignment to the consequences of the EETs. • Then, the confinement event tree (CET) is developed for each PDS as part of the level 2 probabilistic model. • Consequences of the CETs are the release categories. Their frequency represents the results of the level 2 PSA.
THE INTERFACE OF LEVEL 1 AND 2 PSA • In some cases the level 1 event trees are changed before starting the EET construction. The reason is in the definition of the event tree top events. • The following example clarifies the problem. Given loss of the primary to secondary side heat removal, failure of the primary bleed and feed (top event in the level 1 event trees) via the pressurizer safety valve leads to the core damage. • The reason for a failure (operator error or hardware failure) is evaluated in the fault tree under the top event. However, different plant damage states occur if the operator fails to initiate bleed or bleed and feed is initiated but the losses are not compensated by at least a HPSI pump.
THE INTERFACE OF LEVEL 1 AND 2 PSA • Development of the level 2 model of the Bohunice V1 plant was performed using the RISK SPECTRUM PSA Professional code. The level 1 PSA model was developed also in this code. • After an evaluation of the software capabilities for level 2 applications, it was decided to streamline the sequence quantification process by: 1) adding the EET top events directly to the core damage sequences of the level 1 event trees, 2) defining the PDSs as the initiating events of the CETs and 3) assigning the release categories to the CET sequences. • In principle, this allows the explicit consideration also of all level 1 events in the overall model. The level 2 calculation may therefore be based on the complete plant model without any intermediate results.
THE INTERFACE OF LEVEL 1 AND 2 PSA • The top events of the extended event trees: • confinement isolation • HPSI • LPSI • Confinement spray system • Other events
THE INTERFACE OF LEVEL 1 AND 2 PSA: PDS • The plant damage states (PDS) represent functional groupings of level 1 core damage sequences. • The criteria for binning the level 1 sequences into the plant damage states are based on the following five characteristics of each sequence: • Initiator (Large LOCA, Small LOCA, Transient, Confinement bypass) • Time to core melt (early < 1 h, late > 1 h) • ECCS status (A - water injected into the RPV or reactor cavity, core damage recovery possible, D - no water injected) • Confinement spray system (Y - available, N - unavailable) • Confinement status (I - isolated, A - not isolated, B - bypassed) Example of PDS: TLDNI - transient, late CD, no CD recovery, no spray system, confinement isolated
ACCIDENT PROGRESSION ANALYSES • The J. Bohunice V1 level 2 PSA is accomplished by coupling a probabilistic model of the confinement response to the postulated initiating events with a deterministic physical model to examine the plant response. • This process also incorporates the evaluation of the impact of the phenomenological uncertainties. • The probabilistic model is embodied in EETs and CETs developed in the RISK SPECTRUM PSA code. The plant physical model is defined in the MAAP4/VVER and MELCOR parameter files (more detailed description is in presentation of Mr. M. Cvan from VUJE).
ACCIDENT PROGRESSION ANALYSES • The deterministic codes provide information required to perform the calculations of the plant specific fission product transport and thermal hydraulic response to the postulated accident sequences. • They are also used to study the sensitivity of the source term to the phenomenological uncertainties. • The source term analysis used default values for the model parameters. The sensitivity analysis identifies any variations from this approach. • The deterministic analyses are supplemented with the phenomenological evaluation summaries to provide a complete physical representation of the plant.
CONFINEMENT FAILURE MODES • Phenomenological evaluations have been performed in support of the plant level 2 PSA project to determine the likelihood of all postulated confinement failure modes and mechanisms. • These evaluations were performed systematically to address the controlling physical processes or events specific to the plant configuration. The confinement failure modes of the plant considered unlikely are: over-pressure, direct confinement heating, steam explosions, thermal attack of the confinement penetrations, vessel thrust forces and melt through the induced failure of the reactor cavity floor. • Failure modes more likely to occur are: hydrogen combustion, confinement isolation failure, and confinement bypass.
CONFINEMENT FAILURE MODES - Confinement structural analyses • A plant specific structural analysis of the J. Bohunice V1 confinement (SG compartment) has been performed to determine the ultimate internal temperature and pressure capacity and the most likely failure locations for BDBA (break of the cold leg of a RCS loop with double ended discharge of primary coolant; no ECCS and no spray system is considered). • The BDBA presents the maximum temperature and pressure load for the confinement. For all initiators within the DBA lower values of these parameters were calculated by the MAAP4/VVER code.
CONFINEMENT FAILURE MODES - Confinement structural analyses - Temperature loading: The temperature in the hermetic zone did not increase above 160°C during the LOCA, according to the MAAP4/VVER analysis. The effect of this temperature on the confinement integrity is minimal during the accident. The results of analyses of the concrete structures under the accident temperature loads show that the structure resistance is sufficient for the BDBA load conditions.
CONFINEMENT FAILURE MODES - Confinement structural analyses - Pressure loading: The structural analysis was carried out for BDBA under the high internal over-pressure, corresponding to the mean strengths and non-linear behaviour of the concrete structures. The evaluation of the structural integrity was performed for the critical places, which were defined from the previous non-linear analysis for various loads of BDBA and DBA. The non-linear analysis takes into account the concrete cracking and crushing, layered approximation of the shell elements with various material properties, etc. The maximum pressure in the confinement in case of large LOCA is 223 kPa. Probability of loss of confinement integrity for this pressure is less than 0.0001.
CONFINEMENT FAILURE MODES - unlikely failure modes • Direct confinement heating (DCH) is the process of directly heating the confinement atmosphere by the molten core debris should it be hydro-dynamically forced out of the reactor cavity due to the primary system blowdown. A phenomenological evaluation was performed to examine the likelihood of the plant confinement failure due to DCH. The evaluation excluded this event. • Thermal attack of confinement penetrations. The mechanical and electrical penetrations or seals are not susceptible to thermal degradation due to the confinement gas temperatures. Those penetrations can withstand the confinement temperatures up to and beyond 500 °C. However, such elevated temperatures are not predicted for the confinement for sustained periods of time. • Ex-vessel steam explosion. Unlikely event because the reactor cavity is dry.
CONFINEMENT FAILURE MODES - unlikely failure modes • Vessel thrust force: The maximum jet thrust force could not lift the vessel and its internals, even without considering the ability of the vessel support structure to withstand the thrust load. If the coolant loop piping and shield wall are considered, a much larger force would be required to dislodge the reactor vessel. Even if the vessel could shift, the confinement is configured in such a manner that the reaction forces cannot be transmitted to the confinement wall. Therefore, this postulated failure mode is prevented by the plant design.
CONFINEMENT FAILURE MODES - unlikely failure modes • Confinement failure by melt through: If the basemat melt through occurs, the atmospheric release will be limited to that resulting from the design-basis leakage and a filtered release of radionuclides through the soil. Because of the presence of the water on the confinement floor, it was our judgement that this event is precluded. However, if all water pathways are plugged, a melt through could eventually occur after tens of hours. A probability of 10⁻⁴ with an error factor of 10 was assigned to this event for all PDS and sequences on the basis of engineering judgement. Later it was removed from the CETs because the risk associated with this event would not affect the total risk.
CONFINEMENT FAILURE MODES - Hydrogen detonation (considered event) • From the analyses it was considered that the main contributor to the failure of the confinement is the ignition of combustible gas mixtures. • A best-estimate assessment of the in-vessel and ex-vessel hydrogen production is possible using the MAAP4/VVER code. The code calculates the hydrogen, oxygen and steam inventory in the confinement and identifies the time periods when the hydrogen is combustible or inert. • The potential confinement pressurization resulting from the hydrogen combustion is bounded by calculating the adiabatic isochoric complete combustion (AICC) of this assumed hydrogen inventory. It is hand calculated on the basis of the outputs from the MAAP4/VVER code.
CONFINEMENT FAILURE MODES - Hydrogen detonation (considered event) • The analyses identified three phases of possible hydrogen burn: before the reactor vessel failure, at the reactor vessel failure and after the reactor vessel failure. • However, hydrogen detonation is precluded if the confinement is not isolated. • In the level 2 PSA of western plants the likelihood of hydrogen detonation is set to 0 for PDSs in which the confinement spray system fails to operate to reduce the steam concentrations. However, for the J. Bohunice V1 plant the MAAP4/VVER analyses have shown that the hydrogen detonation is possible also if the spray system fails to operate. • This hydrogen detonation concentration exists in the BWST which is part of the confinement boundary (the steam is condensed but the hydrogen is accumulated above the water level). In other areas of the confinement (in the SG boxes) the hydrogen detonation is not possible if the spray system fails to operate.
CONFINEMENT FAILURE MODES - Confinement isolation failure (considered event) • The confinement isolation system is designed to preserve the ability of the confinement boundary to prevent or limit the escape of fission products that may result from postulated accidents. • In the event of a possible radiation release from the confinement through the process lines, the confinement isolation system automatically isolates all lines penetrating the confinement which do not serve an accident mitigating function. • For the Bohunice V1 plant the confinement ventilation system and the BWST blow-down line must be isolated in case of the accident. A fault tree was developed and included in the level 2 PSA model.
CONFINEMENT FAILURE MODES - Confinement bypass (considered event) • Confinement bypass is considered as an accident initiator that can lead to the core damage because the loss of cooling fluid to a location outside the confinement disables the ECCS for long-term core cooling. • The most likely mechanisms for this failure mode, identified for the plant as being significant in terms of the potential consequences, are SG collector rupture (SGTM), SG tube rupture (SGTR) or interfacing LOCA. • Note, however, that the SGTM sequences during the full power operation contribute about 36% to the total core damage frequency. Contribution to the full power core damage frequency from SGTR is 3.4% and from interfacing LOCA is less than 1%. These initiators are not dominant from the risk point of view during the reactor shutdown.
CETs The general guidelines used for the development of the CETs are summarised below: - the initiating event of a CET is a PDS, - the CET top events and structure provide the details necessary to characterise the fission product source term releases, - the CET considers factors which dominate the confinement response; thus, the top events consider broad categories of the confinement behaviour, - the CET considers early confinement failure timing (i.e., confinement failure at or shortly after vessel failure) and late confinement failure; the results indicate significant impact from early and late hydrogen detonation.
CETs - Main assumptions • The following main assumptions are used in the CET construction: • For core damage recovery only the HPSI and LPSI pumps of unit 1 are considered; HPSI pumps of unit 2 are not taken into consideration due to the limited water sources; external water sources are also not considered for this purpose. • It is also possible to supply the RCS by the spray system pumps. However, using a spray system pump for the core damage recovery is not considered in the model because these pumps must perform other safety functions. • If the core damage recovery for PDS with early CD is not performed before the vessel failure, recovery after the vessel failure is considered not to be possible. • After successful core damage recovery no hydrogen detonation is considered.
CET: Large LOCA, early core damage, ECCS available, spray system available, confinement isolated
RELEASE CATEGORIES • Four general classes of the containment-failure modes were included in the RCs: • Isolation failure • Hydrogen detonation • Design leakage • Confinement bypass (SGTM, SGTR, interfacing LOCA) • These general classes represent different source term magnitudes because they represent different leakage rates: leakage via not isolated piping, gross structural failure, low gradual release via confinement normal leakage and confinement bypass with different rates.
RELEASE CATEGORIES - leakage rate • The blow-off line of 1 200 mm diameter (installed from the borated water storage tank to the reactor hall) is the most dominant leakage path, if it is not isolated. • Hydrogen detonation in the confinement is defined as increased leakage with gross structural failure leading to a puff release of radionuclides followed by leakage through an open path to the environment. • The design leakage involves releases via COFs and normal leakage of the confinement (the leakage rate is 48 volume percent per day). • The confinement bypass occurs after SGTM, SGTR and interfacing LOCA
RELEASE CATEGORIES • In addition, the following issues were integrated into the RCs: • Release mechanism (core overheating, in-vessel and ex-vessel core damage recovery) • Effects of the spray system operation • Time to core damage and time to vessel failure • Time to confinement failure • Plant operating modes
RELEASE CATEGORIES - times to core damage and vessel failure
RELEASE CATEGORIES • NR - no release • RC0.1 - confinement survives with spray, in-vessel core damage recovery • RC0.2 - confinement survives with spray, ex-vessel core damage recovery • RC1 - confinement survives with spray, no core damage recovery • RC2 - confinement survives with spray, no core damage recovery • RC3 - early confinement failure at vessel failure • RC4.1 - late confinement failure at vessel failure • RC4.2 - late confinement failure after vessel failure • RC5.1 - confinement isolation failure with spray, reactor vessel closed • RC5.2 - confinement isolation failure with spray, reactor vessel open • RC6.1 - confinement isolation failure without spray, reactor vessel closed • RC6.2 - confinement isolation failure without spray, reactor vessel open
RELEASE CATEGORIES • RC7.1 - confinement bypass after SGTM, steam dump station to the atmosphere re-closed • RC7.2 - confinement bypass after SGTM, steam dump station to the atmosphere fails to re-close • RC8.1 - confinement bypass after SGTR, steam dump station to the atmosphere re-closed • RC8.2 - confinement bypass after SGTR, steam dump station to the atmosphere fails to re-close • RC9 - confinement bypass after interfacing LOCA
SOURCE TERMS CHARACTERISATION • The purpose of the source term analysis is to quantitatively describe the magnitude and composition of radionuclide releases to the environment resulting from the core damage accidents. • Before the source term calculations were actually performed, the sequences with similar source term characteristics were grouped into the release categories to reduce the total number of the sequences to be analysed. • Source term quantification was then performed by analysing a single, representative accident sequence for each release category with the MAAP4/VVER code or the MELCOR code.
SOURCE TERMS CHARACTERISATION - sequence selection • A representative systemic sequence for each release category was selected for the source term analysis. • The analysed sequence was chosen because it had the highest frequency of occurrence of any sequence within the release category or because it was expected to bound all other sequences of this category. • Selection of a sequence other than that with the highest frequency occurred when that sequence could result in earlier core damage and vessel failure or it was not a full power sequence. To be conservative, a full power sequence is always selected for the plant operating modes with the closed reactor vessel.
RESULTS - power operation - LERF • The large early release frequency is calculated from the release categories in which more than 10% of the volatiles are released and the release is initiated within 2 h after the initiating event. So, the large early release frequency (LERF) is given as a sum of the following frequencies: • LERF = RC3 + RC5.1 + RC6.1 + RC7.1 + RC7.2 + RC8.1 + RC8.2 + RC9 = 1.22E-5/y • Conditional probability of large early release given core damage is 0.44.
RESULTS - shutdown - LERF • So, the large early release frequency (LERF) is given as a sum of the following frequencies: LERF = RC3 + RC5.1 + RC6.1 + RC7.1 + RC7.2 + RC8.1 + RC8.2 + RC9 = 1.15E-5/y • Conditional probability of large early release given core damage is 0.21.
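The quantification chain described in these slides (a PDS frequency enters a CET, each CET sequence ends in a release category, and LERF is the sum over the listed categories) is sketched below as an added example; it is not the RISK SPECTRUM model or any code from the study. The two event trees, their top-event wording, the mapping of branches to release categories, and every frequency and branch probability are constructed for illustration.

```python
"""Added example: quantify confinement event trees (CETs) into release-category
frequencies and LERF. Tree shapes, PDS labels and all numbers are constructed."""
import math
from collections import defaultdict

# Release categories the page sums to obtain LERF.
LERF_CATEGORIES = {"RC3", "RC5.1", "RC6.1", "RC7.1", "RC7.2", "RC8.1", "RC8.2", "RC9"}


def node(event, *branches):
    """A CET top event with (label, probability, child) branches.
    A child is either another node or a release-category name (leaf)."""
    total = sum(p for _, p, _ in branches)
    if not math.isclose(total, 1.0, abs_tol=1e-9):
        raise ValueError(f"branch probabilities of '{event}' sum to {total}, not 1")
    return {"event": event, "branches": branches}


def quantify(frequency, tree, out=None):
    """Propagate a PDS frequency (per year) down a CET; return {RC: frequency}."""
    out = defaultdict(float) if out is None else out
    if isinstance(tree, str):              # leaf: a release category
        out[tree] += frequency
        return out
    for _label, prob, child in tree["branches"]:
        quantify(frequency * prob, child, out)
    return out


def combine(pds_list):
    """Sum release-category frequencies over all (name, frequency, CET) entries."""
    total = defaultdict(float)
    for _name, freq, tree in pds_list:
        for rc, f in quantify(freq, tree).items():
            total[rc] += f
    return dict(total)


def lerf(rc_freq):
    """Large early release frequency: sum over the categories listed on the page."""
    return sum(f for rc, f in rc_freq.items() if rc in LERF_CATEGORIES)


# Constructed PDS 1: ECCS and spray available, confinement isolated.
# Page assumption applied: no hydrogen detonation after successful recovery.
CET_ISOLATED = node(
    "in-vessel core damage recovery",
    ("success", 0.5, "RC0.1"),
    ("failure", 0.5, node(
        "hydrogen detonation at vessel failure",
        ("yes", 0.1, "RC3"),
        ("no", 0.9, node(
            "hydrogen detonation after vessel failure",
            ("yes", 0.2, "RC4.2"),
            ("no", 0.8, "RC1"))))))

# Constructed PDS 2: confinement bypass after SGTM.
CET_SGTM = node(
    "steam dump station to the atmosphere re-closes",
    ("yes", 0.7, "RC7.1"),
    ("no", 0.3, "RC7.2"))

CONSTRUCTED_PDS = [
    ("PDS-1 (constructed)", 2.0e-6, CET_ISOLATED),
    ("PDS-2 (constructed)", 1.0e-6, CET_SGTM),
]

if __name__ == "__main__":
    rc = combine(CONSTRUCTED_PDS)
    cdf = sum(f for _n, f, _t in CONSTRUCTED_PDS)   # total core damage frequency
    for name in sorted(rc):
        print(f"{name:6s} {rc[name]:.2e}/y")
    print(f"LERF = {lerf(rc):.2e}/y, conditional on core damage = {lerf(rc) / cdf:.2f}")
```

Because every branch set must sum to 1, the release-category frequencies always add back up to the total core damage frequency entered at the top of the trees, which is a quick consistency check on any such model.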
Sensitivity analyses • Sensitivity analyses were performed to address the factors which can have impact on the release category frequency and magnitude. Sensitivity analyses were also performed to address the questions concerning equipment operation during a severe accident. • The factors: - Large confinement bypass (recovery action) - Hydrogen recombiners • After implementation of changes the large early release frequency will be 3.75E-6/y for power operation. • No impact of changes on the shutdown risk, due to the high CDF (symptom based procedures have to be implemented)
Sensitivity analyses -equipment survivability inside confinement • After reviewing the environmental parameters of a severe accident and the critical components located inside the confinement, it is concluded that the issues associated with the equipment operability inside the confinement are: aerosol accumulation on the spray nozzles and high temperature, plugging and radiation. • The engineered safety features are expected to survive the pressure, temperature, radiation, debris and steam conditions expected during a severe accident. This evaluation covers critical equipment located inside the confinement and the safety equipment building.
Sensitivity analyses -equipment survivability outside confinement • If the HPSI, LPSI pumps and confinement spray pumps are not lost in a severe accident, then the critical components of these pumps can be adequately cooled and maintain operability in the recirculation mode. • This conclusion is based on a review of the BWST water temperature, temperature of critical pump components and the pump motor cooling. • In addition, a review of environmental qualification results of the pump power cables indicated that these cables will remain operable at the elevated room temperature. A pump room equipment inventory survey shows that there is no other heat sensitive equipment inside the room.
CONCLUSIONS • For the full power operation it can be concluded that: • The results indicate that, given core damage, there is a 25% probability that the confinement will successfully maintain its integrity and prevent an uncontrolled fission product release. After the implementation of the recovery actions for SGTM and installation of hydrogen recombiners in the confinement this probability will be increased to 74%. For comparison: a western PWR plant has the probability of 84%. • The most likely mode of release from the confinement is a confinement bypass after SGTM with conditional probability of 30%. Late confinement failure (after 6 h) at the vessel failure, with a conditional probability of 22%, is the next most likely mode of the fission product release. Finally, confinement survival with the spray is expected to occur with a conditional probability of 5% per core damage event. The conditional probability for the confinement isolation failure without spray is 5%, for early confinement failure at the vessel failure is 4%, for other categories 1% or less.
CONCLUSIONS • The overall conditional confinement failure probability of 75% can be decreased to 26% by the proposed modifications. For a western plant this value is 16%. • The results of the level 2 PSA indicate that there are vulnerabilities in the area of the protection against hydrogen detonation. It requires immediate attention to improve the plant risk profile. In addition, attention must be paid to development of SAMGs in coincidence with the conclusions of this study. • Vulnerability screening was performed based on the screening criteria provided for US plants in “Criteria for Selecting Important Severe Accident Sequences”. The criterion states: “Any functional sequence that has a core damage frequency greater than or equal to 1.0E-6 per year and that leads to containment failure which results in a radioactive release magnitude greater than or equal to PWR-4 release category of WASH-1400”. The PWR-4 release category was estimated as 10% of the volatile fission products. For the full power operation two such release sequences exist for category RC4.1, one sequence for RC6.1 and one sequence for RC7.1. However, the proposed modifications will remove the sequences from the list of the important sequences in case of RC4.1 and RC7.1.