
Atucha II: insights from the accident analysis

D'Auria Francesco
First
Conceptualization
2021-01-01

Abstract

The Atucha II nuclear power plant, designed to produce 745 MW of electrical power, is equipped with a pressurized heavy water cooled and moderated reactor (PHWR). The Atucha II Construction License was issued on July 14, 1981, upon issuance of a previously submitted preliminary safety analysis report (PSAR) [1], basically fulfilling the requirements for Safety Analysis Reports established by the IAEA standard [2], despite its format being prepared in accordance with a widely adopted United States standard [3]. In order to establish the list of accident scenarios, the effects of anticipated process disturbances and postulated component failures are considered hereafter (part of chapter 15 of the FSAR); then their consequences are determined and the capability built into the plant design to control, prevent, or mitigate the effects of failures and of envisaged scenarios or situations is evaluated. In previous chapters of the FSAR, the structures, systems, and components important to safety were evaluated for their susceptibility to malfunctions and failures. The objective here is to discuss the rationale that supports chapter 15 of the FSAR concerning the Atucha II nuclear power plant (NPP). This includes examination of:

  1. the methodology adopted for the accident analyses
  2. the evaluation procedures and their calculation results
  3. the computational tools adopted and key aspects of their qualification

Namely, the best estimate plus uncertainty (BEPU, see Chapter 2 of the Atucha II Book) approach has been adopted as the methodology for accident analyses covering the established spectrum of Postulated Initiating Events (PIE). Procedures have been applied to derive the list of PIE and to identify applicable acceptance criteria. Finally, the application of computational tools, including nodalizations, also requiring suitable boundary and initial condition values, produced results related to the Atucha II transient scenarios originated by the PIE.

The proposed BEPU approach follows current practices in deterministic accident analyses, but includes some key features to address particular needs of the application. The approach makes use of the concept of evaluation models (EM), comprising three possible modules, their use depending on the application purposes:

  • a module for the performance of safety system countermeasures (EM/CSA)
  • a module for the evaluation of radiological consequences (EM/RCA)
  • a module for the review of component structural design loadings (EM/CBA)

The selection of contents for the present introductory remarks section has been made on the basis of the United States NRC Regulatory Guide 1.70, Ref. [1]; the United States NRC Standard Review Plan, Ref. [2]; the so-called “Bordihn reports,” Refs. [3–5]; the FSAR of recently licensed NPP; and the BEPU report, Ref. [6]. The evaluation of the safety of the Atucha II nuclear power plant includes the required analyses of the response of the plant to postulated disturbances in process variables and to postulated malfunctions or failures of equipment. For these purposes, two complementary methodologies for safety analysis are applicable: so-called deterministic safety analysis (DSA) and probabilistic safety analysis (PSA). The scope of the accident analysis discussed hereafter comprises only DSA. Insights from the deterministic safety analyses covering a sufficiently broad spectrum of transients and accidents, or PIE, are described in the present chapter of the Atucha II Book.

The complete analyses aim at demonstrating that the plant can be safely operated within the established regulatory limits related to the integrity of the components, to the preservation of the safety functions and the barriers against radioactivity releases, and to the related radiological impact. Furthermore, in order to confirm that the plant transient and accident analyses represent a sufficiently broad spectrum of initiating events, the transients and accidents are categorized according to their expected frequency of occurrence and grouped in nine families according to the type of challenge to the fundamental safety functions. The results of these safety analyses provided a contribution to the selection of limiting conditions for operation, limiting safety system settings, and design specifications for components and systems to protect public health and the safety of the installations (this topic constitutes chapter 16 of the FSAR). Among the general attributes of a methodology to perform accident analysis of a nuclear power plant for licensing purposes, the very first should be compliance with the established regulatory requirements. In the case of Atucha II, this means the requirements issued or adopted by the Autoridad Regulatoria Nuclear (ARN) of Argentina, particularly Ref. [7]. According to internationally accepted design requirements standards, Ref. [8], the objective of the safety approach should be to provide adequate means to maintain the plant in the normal operation state; to ensure the proper short-term response immediately following a PIE; and to facilitate the management of the plant in and following any design basis accident (DBA), and in those selected accidents beyond design basis.

Consistently, to ensure safety in all design basis conditions, and to the extent practicable in those selected conditions beyond design basis, the accomplishment of the following fundamental safety functions should be demonstrated:

  • safe shutdown and long-term subcriticality of the reactor
  • residual heat removal (RHR)
  • limitation of radioactive releases

Derived from the terms of the “Protocol of Common Understanding on the Basic Licensing Concept and Some Safety Subjects,” Ref. [9], the design of Atucha II incorporates the worldwide-accepted concept of defense in depth, by providing multiple physical barriers to the uncontrolled release of radioactive materials to the environment. The application of this concept provided a series of levels of defense—inherent features, equipment, procedures, etc.—aiming at preventing accidents and ensuring appropriate protection in case prevention fails. For the prevention of abnormal operation and failures, regulatory safety requirements are fulfilled by Level 1 of the defense in depth of the Atucha II design, for example, Ref. [10], by:

  • careful design and construction, and suitable layout
  • stringent quality assurance and control
  • regular examinations and inspections
  • avoidance of malfunction by a high degree of automation

In order to detect failures early and control abnormal operations, Level 2 of defense in depth of the design comprises monitoring instrumentation, control features, and limitation systems. For keeping event consequences within authorized limits, at Level 3 of defense in depth of the design, specially engineered safeguards are provided so that for the established set of DBA the general safety objectives are met. For controlling such events, the basic safety requirement of redundancy is applied through multiply constructed safety systems. It is a basic assumption for the design that, when an event demands a safety system actuation, there will be a single failure (random failure) in one of the safety devices.

On the basis of such safety considerations and to improve operational availability, the reactor protection system and the most active engineered safety features (ESFs) directly necessary for controlling accidents are constructed in quadruplicate: two systems (i.e., n = 2 in the statement below) are sufficient for positive control of an accident. Thus functional reliability is assured even if one subsystem is being repaired and a single failure (random failure) occurs simultaneously in another subsystem having the same function. In order to make the safety consistent, the power supply and the necessary auxiliary equipment are also constructed in quadruplicate. Basically, (n + 2) systems are required for a safety system. However, (n + 1) systems may be used provided that, whenever a line is out of order, the checking time is improved in order to assure the original reliability. A set of fault conditions that are beyond design basis were not explicitly addressed in the original design (Levels 1–3) because of their very low probabilities. Such plant conditions may be caused, for instance, by multiple failures of safety systems. For some accident scenarios, even though the plant has not been designed for them, they can be managed by the available margins in safety performance. Finally, some very unlikely scenarios may lead to a significant release of radioactive materials. Usually, the thermal inertia of the plant provides time to deal with such extreme conditions by means of specific measures and procedures. The so-called Level 4 of defense in depth has the most important objective of protecting the containment. Such severe accident scenarios are out of the scope of this chapter.
2021
D'Auria, Francesco; Mazzantini, O.; Galassi, G. M.
Files in this product:
There are no files associated with this product.

Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.

Use this identifier to cite or link to this document: https://hdl.handle.net/11568/1115472