Show more...
1 Introduction
The Belarusian NPP Astravets includes two units which of 1,200 MWe nominal output; they are currently under construction. The Belarusian NPP construction site is located in the North-East of Grodno region, in the Astravets district, 19 km North-East of Astravets town. The distances to the closest neigh-boring states are: 23 km to the Republic of Lithuania, 110 km to the Republic of Latvia, the Republic of Poland’s border is 200 km away, the Russian Federation 150 km and Ukraine is 320 km.
In July 2012, a turnkey contract to supply the units worth $10bn was concluded with Russia’s state nuclear energy corporation Rosatom. Russia is providing most of the finance through a soft loan. In December 2012, Belarus approved a draft intergovernmental agreement on cooperation in the area of nuclear safety with Russia. First concrete was poured in 2013 for unit 1 and in 2014 for unit two.
It is estimated that the power unit 1 of the Belarusian NPP will become critical for the first time in 2019. Unit 2 is scheduled for start-up in 2020.
On March 11, 2011 a serious accident at Fukushima-1 NPP (Japan) was triggered by an earthquake and followed by a tsunami. In consequence operating utilities and regulatory bodies faced the need for a detailed analysis of the causes and lessons learned. They had to develop and implement actions to prevent serious accidents caused by extreme events with low probability and to mitigate negative impact for people and environment.
On March 25, 2011 the European Council announced that safety at European nuclear power plants should be reviewed on the basis of a comprehensive and transparent risk assessment (stress tests).
On May 13, 2011 the European Nuclear Safety Regulatory Group (ENSREG) and the European Commission agreed upon the technical requirements for stress tests of European nuclear power plants. In accordance with ENSREG, the technical requirements of these stress tests are an objective reassessment of nuclear power plants in the light of the events at Fukushima-1.
In June 2011, the Republic of Belarus acceded to the Joint Declaration of the European Union and neigh-boring states on comprehensive risk and safety assessments of nuclear plants (stress tests) and committed to itself to implement them.
Although Belarus is not a European Union (EU) member states, Belarus participates in the EU’s Eastern Partnership, which allows for discussions of trade and other issues. The EC has played an observer role in the construction of Astravets NPP. But in 2009 the European Parliament concluded in an all-party preliminary meeting before construction start, „that internationally-agreed regulatory steps had not been satisfactorily incorporated into the national licensing process“. In June 2016, members of the European Parliament (MEPs) used a plenary debate to ask the European Commission (EC) whether the twin-unit plant complied with EU nuclear safety rules and how the EC plans to ensure the plant conducts stress tests to assess the safety and robustness of the plant.1
In 2017 Belarus submitted its national stress tests report on the plant2 to the European Commission for review. The European Commission will summarize EU member states‘ comments and questions and submit them to Belarus. The EU’s executive body will make its final assessment only after it receives Belarus‘ answers to the questions asked. The stress tests were performed by Atomprojekt, a subsidiary of Russia’s Rosatom, the Astravets project’s main contractor, in 2016. 3
- http://www.neimagazine.com/news/newseuropean-stress-tests-for-belarus-npp-4930468/
- National Report of the Republic of Belarus on the Belarusian NPP objective safety reassessment (Stress tests) –http://www.ensreg.eu/sites/default/files/attachments/belarus_stress_test_national_report-
- https://www.baltictimes.com/belarus__n-plant_stress_tests_fail_to_answer_lithuania_s_key_questions_-_watchdog/
The independent nuclear experts Oda Becker and Patricia Lorenz were commissioned by Greenpeace to prepare an Expert Statement on this stress tests report. The objective of the assessment was to investigate whether the information presented in this report is reliable and sufficient to determine the potential risks of this NPP and prepare questions asking for lacking information and not addressed issues.
We presume that the EU Stress Test peer review process to be conducted in Belarus in the coming months will not deviate from past stress test exercises and will be performed in full transparency according to the „principle for openness and transparency“ as adopted by ENSREG in February 2011.
According to this principle, the Belarus national stress test report, core element of the upcoming peer review, was published on the ENSREG website and is open for public consultation from 13 November 2017 to 13 January 2018.4 This expert statement will be submitted in the framework of this procedure.
Although this evaluation does not claim to be exhaustive, it comes to the following conclusion: A high amount and wide range of additional information is necessary to assess the possibility of accidents and their consequences. However, the information at hand indicates that a severe accident at the Belarusian NPP with a major release and consequences cannot be excluded.
http://www.ensreg.eu/EU-Stress-Tests/Country-Specific-Reports/EU-Neighbouring- Countries/Belarus
2 Reactor type
For the Belarusian NPP the AES 2006 design was chosen, a VVER -1200. The VVER-1200 is an improved version of the VVER-1000 unit with a longer design life-time, higher built-in capacity and higher thermal efficiency. According to the STRESS TESTS REPORT (2017, p. 16), the design life-time for the unit is 50 years, for the reactor 60 years.
Development of the reactor design
The development of the AES-2006 design started after the year 2000 and was finalized in 2006. On top of the increased power output to 1,200 MWe, the AES-2006 plant has additional safety features compared to the advanced VVER-1000 plants.
There were two early post-Chernobyl designs, AES-91/V-428 (Saint Petersburg)—exported to China— and AES-92/V-412 (Moscow)—exported to India. The reactors were essentially the same as their predecessor, the VVER-1000/V-320, but with added safety systems including a core-catcher and some passive safety systems. Figure 1 shows the evolution of the VVER-1000 types5 :
Figure 1: VVER Technology Evolution
The VVER-1200 design is to be developed as a serial design for construction both in Russia and abroad. There are two design modifications which differ in structure and layout of safety systems. The basic characteristics are the same: the V-392M (now VVER-1200M) tends to rely more on passive safety systems and the V-491 (now VVER-1200E) more on active safety systems.
Two units of the AES-2006/V-392M are being built at Novovoronezh in Russia, the first unit started commercial operation in 2017. It is the first of two units at Novovoronezh II – the lead project for the deployment of the AES-2006 design incorporating a Gidropress-designed PWR. The construction of Novovoronezh II, units 1 and 2 (or Novovoronezh units 6 and 7) began in June 2008 and July 2009, respectively. The VVER-1200M design is also being implemented at NPP Rooppur in Bangladesh.
2010 GIDROPRESS (2010): Review of VVER-1000 and AES-2006; I.F. Akbashev, I.F.; Piminov, V.A.; et al.; Presentation; IAEA Technical Meeting on Irradiation embrittlement and life management of reactor pressure vessels; Znojmo (Czech Republic); 18–22 October 2010;
The VVER-1200/V-491 design (now: VVER-1200E) is being implemented at Leningrad (LNPP-2), at Astravets NPP in Belarus, at Hanhikivi-1 NPP in Finland, at Paks-II NPP in Hungary. The VVER-1200E design was developed by “Atomenergoproekt” St. Petersburg (SPbAEP).
Stage of VVER-1200/V491 design development
Today, no nuclear power plant with the AES-2006 reactor type VVER-1200 (V-491) is in operation. In addition to the units in Belarus, two units are under construction in Russia. They have been subject to several delays.
Actually, the VVER-1200/V491 is an as-yet untested design and the known incidents and deficiencies during operation and construction of Russian-built NPPs provide evidence that Rosatom and its structures have serious problems which are of systemic nature and cannot guarantee sufficient quality management at their NPP construction sites.
At the Leningrad II site two units of reactor type VVER-1200/V-491 are under construction. The construction of unit 1 started in October 2008, and should have been commissioned in October 2013. However, a part of the outer containment collapsed in 2011 and led to a delay of the schedule. Commissioning is now expected to take place during 2018. The construction of the second unit started in April 2010, commissioning start is envisaged for 2020.6
Delays during construction can be an indication that the detail design of the plant has been not completed before start of construction works, and was partly continued in parallel with the construction works. If the detailed design process does not advance as smoothly as planned, this can result in delays. This was illustrated by the EPR project Olkiluoto-3, for which startup has so far been delayed from 2009 to 2019 or even later, mainly due to problems connected to the design of the I&C system. It is unclear to which degree this is also valid for Leningrad-II.
When plants of the same type are built at sites in other countries, it is necessary in any case to adapt the design to the characteristics of the site as well as to the regulations of the country in question.
Other types of Generation III reactors have undergone or are still undergoing extensive design review processes in other countries, most notably the UK Generic Design Assessment (e.g. EPR, AP1000). As part of this process, comprehensive technical documents are made public, increasing transparency and improving the opportunities for independent review of reactor types. The VVER-1200/V491 has not yet undergone a procedure of this kind. The stress tests report does not explain to which degree the Belarus NPP will be identical with the Leningrad-II NPP.
Regulations and Certification
There is no statement on the compliance of the design with the EUR requirements. According to the EIA-Report for the new NPP Bohunice III, this reactor type has not yet received EUR certification yet.7
The design currently does undergo scrutiny with the nuclear regulator STUK in Finland for the Hanhikivi project.
- http://www.world-nuclear.org/information-library/country-profiles/countries-o-s/russia-nuclear- power.aspx
- http://www.umweltbundesamt.at/fileadmin/site/umweltthemen/umweltpolitische/ESPOOverfah ren/UVP-EBO3/uve/JESS_UVP_Bericht_NJZ_An02.pdf
The following questions should be answered:
- Which life-time is envisaged for the Belarusian NPP? Is a life-time extension envisaged?
- Are there any differences between the design of the units of the Belarusian NPP and the design of Leningrad II?
- Are there any differences between the design of the units of the Belarussian NPP and the design of Hanhikivi?
- What is the status of EUR certification of the reactor type of the Belarusian NPP?
3 Radioactive waste and spent fuel
Spent fuel which will be produced during the operation of the new power plant will be stored for 10 years in the spent fuel pool located close to the reactors. The capacity of the spent fuel pool is based on the following assumptions: storage of spent fuel for ten years; arrangement of the spent fuel removed from the reactor core under emergency conditions and arrangement of leak-tight bottles for damaged spent fuel. (STRESS TESTS REPORT 2017, p. 26)
High-level radwaste (HLW) is stored in steel capsules for the entire lifetime of the power unit at the nuclear power plant site. (STRESS TESTS REPORT 2017, p. 31)
Capacity of the storage facility is designed to store: very low-level, low-level and intermediate-level waste (SRW in drums, solidified LRW in non-returnable containers) generated during 10 years of the power unit operation; conditioned very low-level, low-level and intermediate-level radwaste is stored in the storage facility during 10 years. When the period of interim storage is over very low-level, low- level and intermediate-level radwaste is transported to the disposal site for long-term storage and/or disposal. (STRESS TESTS REPORT 2017, p. 31)
The container car for the spent fuel transportation to the fuel recycling plant provides accommodation, fastening and transportation of the SNF transportation container in accordance with the regulations for SNF transportation.(STRESS TESTS REPORT 2017, p. 29)
Assessment
It is not mentioned where the HLW will be stored and how the residual heat generated by this waste will be removed. According to the international standards and practices, HLW has to be stored in a similar way as SF.8
The Joint Institute for Power and Nuclear Research in Belarus is conducting studies on the best methods for storage and treatment of nuclear waste generated by the Belarusian NPP. Belarus is planning to build a storage facility at the plant for low-, very low- and intermediate level nuclear waste.
During 60 years of operation, Astravets will generate about 960 cubic meters of very low-level waste (VLLW), 3,840 cubic meters of low-level waste (LLW), 600 cubic meters of intermediate-level waste (ILW) and 60 cubic meters of high-level waste (HLW). On top Belarus expects that 3,960 cubic meters of solidified liquid waste will be generated during the plant’s lifetime.
The document envisages that high-level waste would be stored at the Astravets plant during its service life and that very low-, low- and intermediate-level waste would be stored in 200-liter casks in a near-surface facility constructed somewhere in Belarus, not at the plant site. The site for the storage facility is to be chosen by 2023.
The report estimated that the storage facility for very low-, low- and intermediate-level waste will cost $10 million.
The first phase of the storage facility would be capable of storing 1,560 cubic meters of waste and must be completed by 2028 so that waste generated during the first 10 years of Astravets’ operation can be stored there, according to Belarus’ national strategy for managing nuclear waste.
In 2013, Anatoly Bondar, the chief engineer for the plant’s construction, suggested that after the initial 10 years, the service time of the planned storage facility might be extended, or the waste might be transported to a new storage facility to be built by 2038. However, there has not been any new public discussions on this issue.
www.umweltbundesamt.at/fileadmin/site/umweltthemen/umweltpolitische/ESPOOverfahren/U VP_paksII/REP0533_PAKSII.pdf
The strategy report does not contain any information on spent nuclear fuel management, because spent fuel will be returned to Russia for reprocessing according to intergovernmental agreements between Russia and Belarus.9 According to Russian legislation, resulting waste will have to be repatriated to Belarus, because Russia is not allowed to import radioactive waste for final storage.
Belarus is planning to return spent nuclear fuel from its planned NPP Astravets-1 and -2 to Russia for reprocessing. For the management of the spent fuel is the so-called “closed” fuel cycle10 envisaged, with reprocessing the spent fuel and recycling of the recovered plutonium and uranium.
Reprocessing and transportation of spent fuel and radioactive waste carry additional risks for people and the environment. Thus, it would be seen as a good decision if Belarus will cancel the option of reprocessing abroad.
According to WNA, a radioactive waste management strategy based on IAEA principles was adopted in June 2015. It builds on regulations for nuclear and radiation safety approved by the Ministry of Emergency Situations in September 2010. The strategy also considers construction of a Deep Geological Depository for the disposal of HLW following decommissioning of the plant.11
A Deep Geological Repository will have to be built in Belarus for the final disposal of HLW and long- lived LILW.
Accidents concerning RW and SF
The quantities of the RW that could be produced during a severe accident are not given.
Accidents affecting the RW management facilities to be established on site should be evaluated and their impact on the environment considered. The impacts of a possible accident have to be analyzed despite its low probability.
The following questions should be answered:
- Does a national strategy / program for the management of spent fuel exist in Belarus?
- Where will the high-level waste (HLW) be stored and how will residual heat be removed from the high level waste?
- Is reprocessing abroad the only envisaged option for the management of spent fuel? If yes, are there any intentions to abandon this option?
- Which types and quantities of RW following severe accidents are expected?
- Are radiological consequences of accidents affecting the RW management facilities to be established at the Belarusian NPP site evaluated?
- Are there any plans to transport the high-level waste from reprocessing of the spent fuel in Russia back to Belarus?
- Are the costs for the management (including storage and disposal) of radioactive waste and spent fuel included in the calculated energy production costs?
- At what stage are the plans for the preparation and construction of a final disposal of HLW, long-lived LILW a Deep Geological Repository in Belarus?
- Nuclear Fuel, Global Platts, July 17, 2017
- This fuel cycle is not really closed, because long-lived radionuclides remain after reprocessing and also must be stored. http://www.world-nuclear.org/information-library/country-profiles/countries-a-f/belarus.aspx
4 Load-following operation
It is not clear to which extent load-following operation is envisaged for the Belarusian NPP. According to the published documents load-following operation is envisaged for the Paks II NPP, which is the same reactor type as the Belarusian NPP.
NPPs in Europe are mainly used in base load operation. Their flexibility is limited to a few percent of nominal power. For new plants (under construction and planned) load following is supposed to be fully implemented. But there is very little experience from operation practice. Investigations into the possible impacts of load following operation are limited and do not allow conclusions on the impacts in future.
Plants being built today, e.g. according to European Utility Requirements (EUR), are supposed to have load-following capacity as a design feature. Even if a high flexibility is promised for the new reactors, some more research will be necessary until load following with the necessary capacity can be implemented.
Controlling the reactor core during load-following is challenging and difficult also for advanced reactors and in particular for reactors with large cores. The reactor has to perform the load changes while maintaining the core limitations for local power peaking and safety margins.
Operating NPPs in load-following mode causes technical disadvantages, because plant components are exposed to numerous thermal stress cycles; this leads to faster aging and requires more sophisticated systems for reactor monitoring and control.
Also, an economic disadvantage of load-following operation of NPP in a larger power range occurs if the plants are operated on reduced power.
The following questions have to be answered:
- What is the expected extent of the load-following operation for the Belarusian NPP?
- Are there any experiences with load-operation for the AES-2006 design?
- Which other AES-2006 plants will operate in load-following mode?
- Which is the possible impact of the load-following operation on the Belarusian NPP?
- How could any envisaged load-following operation threaten the safety of the Belarusian NPP?
- What is the impact of load-following operations on the economic efficiency of the Belarusian NPP?
10
5 Protection against airplane crash and terror attacks
According to the developer of the VVER-1200/V491, the design basis aircraft crash corresponds to the following load: Crash of an airplane with a mass of 5.7 t, at a speed of 100 m/sec.12It is noteworthy that this aircraft crash represents a considerably smaller load than those assumed for many newer Generation II plants. For example, for German plants in operation since the 1980s 20 tons and 215 m/s are assumed, corresponding to the crash of a Phantom fighter-bomber.13The possibility of a Belarusian military aircraft crash was left out. The probability of a Lithuanian military aircraft crash is 4.2х10-12 per year.14
The double containment consists of an outer protective concrete containment with a thickness of 800 mm in the cylindrical part and of 600 mm in the spherical dome and an inner leak-tight reinforced concrete containment with a thickness of 1,200 mm in the cylindrical part and 1,000 mm in the spherical dome. (STRESS TESTS REPORT 2017, p. 19)
The structural design of the reactor building appears to be well in line with the general standard of Gen III plants. A design on the basis of such loads also provides a certain degree of protection against the crash of a large commercial airliner. It is plausible that it provides good protection against the mechanical impact of the crash of a commercial airplane. It is not mentioned whether it is also a measure against the effects of impact induced vibrations.
However, structural protection against the impact of a large commercial airplane focuses on the outer containment and the fresh fuel storage. It has to be noted that the safety–relevant buildings are not designed to withstand the impact of a large airplane. The building sections of the four redundant trains of the safety systems are located side-by-side; they are separated, but directly adjacent without any physical distance, and hence several or all of them could be impaired by mechanical impacts. The same applies to the four diesel generators15.
According to STUK ́s assessment, not all parts of the design objectives and principles of the AES-2006 plant are consistent with Finnish safety requirements; the structural protection against airplane crashes is of particular concern.16
Also, there is no discussion in the documents at hand on the possible effects of combustion and/or explosion of aircraft fuel on structures and systems which are required to bring and maintain the plant in a safe state after the crash. This issue is addressed in the WENRA requirements for new reactors. It is stated that buildings or the parts of buildings containing nuclear fuel and housing key safety functions should be designed to prevent airplane fuel from entering them. Fires caused by aircraft fuel shall be assessed as different combinations of fire ball and pool fire; also, consequential fires shall be addressed.17
It has to be assumed that the Belarusian NPP is also vulnerable against other terror attacks.
Given the long life time of the proposed project (at least 50 years) and the needed cooling down period before final decommissioning, it is not possible to guarantee political stability in Belarus for
- ASE 2015: Provision of containment integrity at Russian VVER NPPs under BDBA conditions; Atomstroyexport; IAEA Technical Meeting; Severe Accident Mitigation through Improvements in Filtered Containment Venting for Water Cooled Reactors; 31 August -3 September 2015
- http://www.umweltbundesamt.at/fileadmin/site/publikationen/REP0291.pdf
- https://www.iaea.org/sites/default/files/documents/review-missions/seed_mission_report_belarus_2017.pdf
- St. Petersburg Research and Design Institute ATOMENERGOPROEKT (2011): Design AES-2006, concept solutions by the example of Leningrad NPP -2. Saint Petersburg, 2011
- Finnish Radiation and Nuclear Safety Authority (2009): Preliminary Safety Assessment of the Loviisa 3 Nuclear Power Plant Project; Assessment Report; 2009
- http://www.wenra.org/media/filer_public/2013/08/23/rhwg_safety_of_new_npp_designs.pdf An analysis of potential environmental impacts after malevolent acts or acts of war against the project is therefore a vital aspect of a nuclear project.
The following information has to be provided:
- Is there any assessment of the possible radiological consequences of a large commercial airliner crash on the Belarusian NPP? Does this assessment also include possible effects of impact induced vibration and effects of combustion and/or explosion of aircraft fuel?
- What are the possible radiological consequences of a deliberate crash with a large commercial aircraft?
- Against which types of commercial aircraft is the Belarusian NPP protected by the design?
- Are back-fitting measures concerning aircraft crashes possible?
- Are the current WENRA recommendations18 for the protection of nuclear power stations against the crash of a large commercial airliner applied at the Belarus NPP?
- What are the international requirements on which the physical protection of the Belarusian NPP is based? http://www.wenra.org/media/filer_public/2013/08/23/rhwg_safety_of_new_npp_designs.pdf
6 Natural hazards
On January 16-20, 2017, an IAEA mission for the safety assessment of the Belarusian NPP (SEED- mission) was held in the Republic of Belarus. In the course of the mission, both natural and man- caused external impacts were analyzed and characterized, the design parameters of the construction site were examined, the site and the environment were monitored and lessons learned at the Fukushima NPP accident were taken into account.
According to the STRESS TESTS REPORT (2017, p. 147), based on the results of the mission, IAEA experts noted that the NPP design parameters take into account external threats typical for the site such as earthquakes, floods and extreme weather conditions, as well as man-caused events. The international experts noted that the threat monitoring programs to be implemented throughout the life cycle of the Belarusian NPP are sufficient and properly provided in the NPP design. It was also noted that the Belarusian side took additional measures related to external events in view of the lessons of the Fukushima NPP accident.
Assessment
The Review Team offered the following suggestions19, which indicate the need for improvement:
- the section documenting electro-magnetic interference and lightning should be improved in the Chapter 2 of the final SAR;
- the site-specific seismic ground motion response spectrum should be properly documented in the final SAR, taking into account soil conditions and international practice (IAEA Safety Standard Series SSG-9); and
- consideration should be given to future developments of safety improvements related to challenges highlighted in the IAEA Fukushima Daiichi Accident Report following completion of the stress test and PSA Level 1 and 2.
The following information has to be provided:
What are the follow-up measures in response to the 3 suggestions by the IAEA SEED mission? In which timeframe will these measures be implemented?
https://www.iaea.org/sites/default/files/documents/review- missions/seed_mission_report_belarus_2017.pdf
7 Extreme weather conditions
Several extreme weather conditions are assessed in the STRESS TESTS REPORT (2017). For example strong winds based on the period analyzed, from 1961 to 2000.
Additionally, various combinations of these weather conditions were considered during the stress tests. Calculation of structures is performed taking into account unfavorable combinations of loads or their corresponding effects.
Table 5.1.2.1 presents an analysis of possible combinations of external effects. A detailed analysis will be given in the scope of PSA-1. STRESS TESTS REPORT 2017, p. 78)
Assessment:
Some extreme weather conditions, e.g. strong winds are analysed based on an outdated date base. Climate change trends still have to be taken into account.
According to the Intergovernmental Panel on Climate Change (IPCC), the type, frequency and intensity of extreme weather events are expected to change as the Earth’s climate. These changes could occur even with relatively small average changes to the climate. Changes in some types of extreme events have already been observed, for example, increases in the frequency and intensity of heat waves and heavy precipitation. Precipitation extremes are forecast to increase more than the average values. The frequency of extreme precipitation events is forecast to increase almost everywhere.
Many of the NPP design standards were based on an understanding of a climate system that is now 40 years out of date. Today, it is known that climate change is causing floods, droughts, and hurricanes to become stronger and more frequent. This means that the safety standards, even when fulfilled perfectly, are probably not sufficient to prevent disaster. Large and destructive floods once thought likely to happen only once in 100 years on average are now expected to happen every 20 years.
Sometimes, what is being thought to be a “worst case” scenario is not really the worst case. Just because there is uncertainty about how climate and weather will affect the reactors does not imply that ignoring the issue would be acceptable. Rather the opposite is the case: It would be negligent to ignore this uncertainty.
The following questions have to be answered:
- Are climate change trends increasing the frequency and intensity of extreme events taken into consideration for the evaluation for extreme weather conditions?
- Has the mentioned detailed analysis concerning possible combinations of external effects to be used as input for determining the scope of PSA-1 already been completed? If yes, are there any new results?
8 Earthquakes
According to the STRESS TESTS REPORT (2017, p. 40) the area of the Belarusian NPP site belongs to the Belarusian-Baltic seismo-tectonic region which is characterized by a relatively low seismic activity.
According to the GSZ-97-D map the Belarusian NPP site belongs to the 7-points zone. This assessment corresponds to the level of safe shutdown earthquake, SSE. For assessment of the design basis earthquake, DBE, the value of 6 points respectively is accepted (the frequency period is 1000 years with 5% exceedance probability for 50 years).
Buildings and structures as well as process pipelines, other communications and engineering structures of the Belarusian NPP are designed based on the following seismic impacts:
– Maximum horizontal acceleration of the SSE level – 0.12 g (7 points as per the MSK-64scale)
– Maximum horizontal acceleration of the DBE level – 0.06 g (6 points as per the MSK-64scale).
In the design bases of this reactor type,the value PGA=0.12g with a reserve 0.01g, i.e. 0.13g is accepted. (STRESS TESTS REPORT 2017, p. 41)
According to the data of integrated seismological and geodynamic researches of the NPP site location area (scale 1:500 000) and the neighboring area (scale 1:50 000), the values of intensity of DBE (SL1) and SSE (SL2) equal to 6 and 7 points of MSK-64 scale, respectively, are obtained for average soils.
To determine the DBE and SSE levels several analysis were performed and listed in the stress tests report.
All NPP equipment which when damaged can affect operation of the safety-related equipment either belongs to seismic category I or is physically separated from the safety-related equipment. The protection level during earthquakes with intensities up to the SSE level guarantees that safety-related equipment does not fail.
However, fire-fighting systems belong to seismic category II and III. Only the fire-fighting water tanks belong to seismic category I, maintaining water-supply under an earthquake with intensity from the DBE level to the SSE level. (STRESS TESTS REPORT 2017, p. 53)
The analysis has shown than the main RP equipment – reactor, SG, RCPU, RCP, pressurizer, ECB and connecting pipeline are provided with the required margin to withstand loads under an earthquake with 8-points intensity.
Resistance conditions under an 8-point earthquake are not provided for the emergency core cooling system (ECCS), injection and discharge pipelines and pressurizer system, metalwork of the reactor upper unit, spent fuel pool, RCPU anti-seismic fixation rod. The ECCS tank support shell, the ECCS pipelines and their fasteners are also not provided with the sufficient margin to withstand loads from the 8-point SSE. (STRESS TESTS REPORT 2017, p.61)
According the STRESS TESTS REPORT (2017, p. 148), in order to improve the seismic resistance, the following measures can be taken:
1. Seismic resistance of the ECCS and pressurizer system, as well as pipeline systems of small diameter, can be improved by installing additional anti-seismic supports along the length of the pipelines.
2. To improve the seismic resistance of the ECCS hydro accumulators and the racks of the spent fuel pool, the support design can be modified. For the racks of the spent fuel pool, stops can be installed to limit the rack movement in the horizontal plane. To improve the seismic resistance of the spent fuel pool metal structure, additional anti-seismic fixation can be applied. It is planned to install the fixation on the metal structure of the electrical connection block to limit the structure movement.
3. To improve the seismic resistance of the RCPS anti-seismic fixation rods at high earthquake level (8- point SSE, 7-point DBE) for combination of loads NO + DBE + DBA, the rods need to be strengthened.
4. For the safety systems and the safety-related systems, additional measures to improve the seismic resistance can be determined by the operating organization after the NPP start-up, based on the SMA methodology. When applying this methodology to the process flow diagram, the components critical for safe shutdown of an operated NPP are identified and estimated. The analysis is performed on the basis of engineering experience using the results of the NPP walk-down inspections for seismic stability, data on the actual state of the equipment fixation, etc. The necessity to improve the NPP seismic stability level will be determined by the operating organization based on expert findings of national or international organizations for supervision of atomic energy safe use.
Based on the calculations made in 1972 by the Central Research Institute for Complex Use of Water Resources and the Institute of Hydrodynamics the maximum water levels due to break of the Vileisk water basin dam located upstream do not exceed the level mark with 1% probability as the break wave from the dam location to the supposed water intake point is mainly quiet. It happens due to considerable remoteness of the water intake point from the dam location (140km) as well as due to the excising structures (roads, bridges, etc.) in the section between the dam and the water intake point which are the natural barrier for the break wave and accumulate considerable amount of water in the upstream territories.(STRESS TESTS REPORT 2017, p. 65)
According to the STRESS TEST REPORT (2017, p.66), it is proposed to reassess seismic margins for the equipment and pipelines referred to seismic category I by the results of the Belarusian NPP finished construction and commissioning using the SMA method specified in EPRI-NP-6041 and NS-G-2.13.
Assessment
The information provided could not clarify that the seismic hazard assessment is sufficient yet. Some information seems to be outdated.
The following questions have to be answered:
- When was the seismic hazard assessment performed? Are all investigations completed yet?
- Which IAEA recommendations were used for the seismic hazard assessment?
- Are the current WENRA recommendations on the assessment of natural hazards for the seismic hazard assessment used?
- Which of the measures to improve the seismic resistance (Stress Tests Report 2017, p. 148), will be implemented? And if, in which time frame?
- Because the calculation about the consequences of break of the Vileyka water basin dam is about 45 years old, are any new calculations done or planned?
9 Flooding
According to the STRESS TESTS REPORT (2017, p. 70) the Belarusian NPP site is not subject to flooding, as the design elevation of the site is 179.4 m BES, that is 51.5 m higher than the water elevation level at 0.01% confidence; ground waters and heavy precipitation have no effect on NPP safety.
It is explained that maximum water levels are conditioned by the wave after the break of the Vileyka reservoir which is located higher, based on the calculations made in 1972 by the Central Research Institute for Complex Use of Water Resources and the Institute of Hydrodynamics (Siberian department of the USSR Academy of Science, Novosibirsk) will not exceed the level elevation with 1% confidence as the break wave from the dam location to the supposed water intake point will mostly have calmed out. This will happen due to considerable remoteness of the water intake point (Malye Sviryanki) from the dam location (150 km), as well as due to the existing structures (roads, bridges, etc.) in the area between the dam and the water intake point which would be the natural barrier for the break wave and will accumulate a considerable amount of water in the higher-level territories. (STRESS TESTS REPORT 2017, p. 72)
The storm water treatment system and drainage systems at the industrial site of the Belarusian NPP are designed for normal operation conditions. In case of electric power failure, the storm water treatment system and drainage systems will not operate. The maximum daily volume of storm water calculated is 61804 m3. (STRESS TESTS REPORT 2017, p. 72)
Inspections are initiated by the licensee following stress-tests of the Belarusian NPP and initiation by the IAEA SEED mission for siting the Belarusian NPP.(STRESS TESTS REPORT 2017, p.73)
To assess safety margins, though there is no design basis flood threat foreseen in the design, this section conservatively applies a deterministic approach and considers the flooding of all NPP buildings located below 0.00 level. This flood affects safety systems critical for heat transfer from the reactor unit and spent nuclear fuel. A conservative analysis of the flood regime with affected SS and SCS systems and elements located below the 0.00 level has shown that flooding results in the loss of the following major functions which are critical for NPP safety (STRESS TESTS REPORT 2017, p. 74):
- heat transfer from spent nuclear fuel (FAK and JMN systems are not operating),
- heat transfer from the primary circuit (JNG, JNA, KAA, KAB systems are not operating),
- coolant inventory maintenance (JND system is not operating),
- the primary circuit feed (JND system is not operating). Assessment Despite the fact that no flooding threat exists for the Belarusian NPP site, the threat should be calculated carefully and renewed at least every 5 years. As mentioned above in case of flooding a lot of (safety) systems will fail.
The following question has to be answered:
Is there a new assessment of the flooding threat envisaged?
10 Loss of power supply and heat removal
In case of loss of power supply to the normal operation systems and safety systems (failure of all DGs), functioning of the normal operation systems ensuring the residual heat removal to the ultimate heat sink and cooling of the spent fuel pool stops. At the same time the active safety systems fail. (Stress Tests Report 2017, p. 87)
According to the STRESS TEST REPORT (2017, p. 87), the condition of the Unit at the initial stage of the accident is characterized by:
- complete unavailability of AC power supply (external and internal);
- availability of power supply from the EPSS UPS for some valves (isolating valves of the sealed enclosure, BRU-A, MSIV) and I&C. Power supply from the UPS is designed for 2 hours of operation without battery recharge;
- subcritical state of the reactor;
- primary circuit leaks – 2.15 m3/h, which corresponds to the maximum possible leakage during operation at the rated power;
- tight secondary circuit;
- full reserve of cooling water for the BDBA management systems in four SG PHRS (passive heat removal system) tanks;
- water level in the fuel pool – 8.7 m (level at fuel storage).
As a result of the blackout, the RCPS (reactor coolant pump sets) are tripped, the turbogenerator stop valves are closed, feed water supply to the steam generators is stopped, the primary circuit makeup- blow-down is tripped, the pressurizer heating elements, injection to the pressurizer, BRU-K are out of operation. As a result of the DG startup failure (initiating event), ECCS and EFWEP pumps are out of operation. Heat is removed to the ultimate heat sink – the environment – through the following chain: reactor – steam generator – SG PHRS – atmospheric air. Heat is removed to the atmosphere by evaporation of water from the SG PHRS tanks. (STRESS TESTS REPORT2017, p.88)
Removal of residual heat and cool-down of the reactor plant in the BDBA mode with blackout are performed using the system of passive heat removal through the steam generators (SG PHRS)
The system consists of four independent channels – one for each steam generator. The efficiency of one channel is 33.3%.
Putting a mobile DG set into operation to ensure water supply to the PHRS tanks and spent fuel pool (STRESS TESTS REPORT 2017, p.93)
To prevent fuel damage in the reactor in case of an accident involving the loss of all AC sources at the NPP at power operation of the reactor plant it is required to take measures not later than within 72 hours from the beginning of the accident to restore and maintain water reserve in the emergency heat removal tanks for ensuring PHRS operation (with all the emergency heat removal tanks involved).
To prevent fuel damage in the spent fuel pool in case of an accident involving the loss of all AC sources at the NPP at power operation of the reactor plant, it is necessary to supply water to the spent fuel pool at a flow rate of min. 4.5 kg/s within 89 hours.
To prevent fuel damage in the spent fuel pool in case of an accident involving the loss of all AC sources at the NPP under conditions of the complete core unloading, it is necessary to supply water to the spent fuel pool at a flow rate of min. 7 kg/s within 41 hours
In accordance with the recommendations resulting from development of the Stress Test Report (target reassessment of safety) for Belarusian NPP, two mobile DG sets (one per NPP unit) with a power of 500 kW will be provided, which presumably will be located outdoors at the NPP site.(STRESS TESTS REPORT 2017, p.93)
Within 24 hours a mobile DG set is delivered to the point of its connection and prepared for operation. According to the design documentation, the location and design of the connection points for the mobile DG set as power supplies ensures protection from flooding, extreme precipitation and other unfavorable weather conditions. (STRESS TESTS REPORT 2017, p.94)
In terms of removal of residual heat from the spent fuel pool:
- arrange for making-up of the spent fuel pool after 41 hours. This measure can be implemented by connecting non-standard facilities (a fire engine with a pump unit having a capacity of 40 liters/s and a head of 100 m) to two process connectors of the JNB50 system located on the outside of building UJE (at elevations +0.690 and +0.730, with water intake from LCU tanks through the pump unit of the fire engine and further through the pipelines of system JNB50, the water is supplied to the spent fuel pool) having flanges with plugs installed on them;
- modify the process flow diagram of JNB50 system by adding tie-in of a check-valve bypass to the make-up line for the emergency heat removal tanks. This solution will allow for making- up of the spent fuel pool by the operating personnel after 41 hours. (STRESS TESTS REPORT 2017, p.95) The passive heat removal systems SG PHRS and Containment PHRS are technical means of BDBA management.(STRESS TESTS REPORT 2017, p.97) The system of passive heat removal from the containment (JMP) reduces and maintains the pressure inside the containment within the design limits and removes the heat released under the containment in case of BDBA, including accidents with severe core damage, to the ultimate heat sink. Heat is removed to the ultimate heat sink by evaporation of water from the four emergency heat removal tanks, which are a single storage of cooling water of the SG PHRS and Containment PHRS. The tanks are reinforced concrete structures lined with stainless steel located in separate rooms of the ring structure of the reactor building, the total water volume in each of the four emergency heat removal tanks being not less than 540 m3. The capacity of the SG PHRS and Containment PHRS was selected taking into account the principle of redundancy, based on the conditions of the most probable BDBA scenarios considered in the design. Each of the systems consists of 4 channels totally independent of each other with a capacity of 4×33.3%. (Three operable channels of the SG PHRS and Containment PHRS are sufficient for the systems to perform their functions in full scope in any mode requiring their operation.) (STRESS TESTS REPORT 2017, p.97) In case of failure of all BRU-A, which is an unlikely event, SG PHRS tanks (JNB10-40) may be regarded as an additional emergency ultimate heat sink for cooling of nuclear fuel in the reactor. According to the calculations, the SG PHRS can remove residual heat of the reactor plant in the self-sufficient mode for 72 hours from the beginning of the accident, provided that the water reserves of the 4 emergency heat removal tanks are used. If 3 out of the 4 emergency heat removal tanks are used, the self-sufficient operation for not less than 24 hours is provided. Further operation of the SG PHRS is ensured by making-up of the emergency heat removal tanks with JNB50 pump from the demineralized water tanks (LCU tanks).(STRESS TESTS REPORT 2017, p.99) In accordance with the recommendations based on the results of the development of the Stress Test Report for the Belarusian nuclear power plant consisting of two power units the design shall provide two mobile DG sets (one DG set per each power unit) with a capacity of 500 kW. Within 24 hours the mobile DG set shall be delivered to the place of its connection and get ready for operation. (STRESS TESTS REPORT 2017, p.107)
Assessment
This publication20, pointed out the constraints of the capacity of the passive safety systems. It is emphasized that the analysis is is based on a “realistic” scenario, i.e.:
- Initial plant conditions correspond to normal operation at rated power without accounting for possible uncertainties in plant parameters.
- Core characteristics are assumed in accordance with the design without accounting for the calculation of uncertainties and errors.
- Failures of equipment (other than assumed in scenarios) and operator errors are not taken into account. The assumptions of the analysis show potential limitations of the passive safety systems, because during an accident additional equipment failures or operator errors cannot be excluded. Thus, the capability of these safety systems under real accident conditions could be limited. The is also valid for the Belarusian NPP: the seven assumptions for the situation (See STRESS TEST REPORT 2017, p. 87) before the passive systems are required seem to reflect an unrealistic situation, and not to be conservative at all. Thus, the capability of these safety systems under real accident conditions could be limited. For the Finnish NPP Hanhikivi, comprehensive design changes are made to the VVER-1200/V491 design trying to avoid total loss of power (Station Black-Out) situations. This was also required to meet the Finnish regulations as well as the current WENRA recommendations. Until now the only “improvement” for the Belarusian NPP is the use of two mobile DG.
The following questions have to be answered:
- Which are the most probable BDBA scenarios (Stress Tests Report 2017, p.97)? What is the meaning of “most probable” BDBA scenarios? To which quantitative value does this phrase correspond? Are there other possible BDBA scenarios?
- What is the probability for the failure of all BRU-A (mean value and 95% quantile)? How will it be ensured that water reserves of the 4 emergency heat removal tanks are available under severe accident conditions? What is the calculated failure probability of one or two of these tanks?
- Where are the mobile DG being stored?
- For the Finnish NPP Hanhikivi, comprehensive design changes are made in the design of the VVER1200/V491 to try to avoid total loss of power (Station Black-Out) situations. They were also required to meet the Finnish regulations as well as the current WENRA recommendations. Are there similar regulations in Belarus? Are there any design changes envisaged?
- Is it possible to implement the measures for the removal of residual heat from the spent fuel pool (See Stress Tests Report 2017, p.95) under severe accident conditions?
20 Bukin, N.V. et al (Gidropress): Effect of HA-2 and SPOT systems on severe accident prevention in WWER-1000/392 design; IAEA 3rd Research Coordination Meeting on Natural Circulation Phenomena; Cadarache; September 11–15, 2006
11 Severe accident management
According to STRESS TEST REPORT(2017, p. 105), destruction or failure of the containment is a serious hazard in terms of a large emission of fission substances. This radioactive emission requires immediate measures to protect the health and safety of the population and NPP personnel.
Makeup of SG PHRS tanks and the spent fuel pool is provided by a high-pressure pump of the PHRS tank makeup system. The pump unit is located in the steam chamber and connected to desalinated water tanks of system LCU.
The emergency heat removal tanks must be replenished from LCU tanks before depletion of water (72 hours from the beginning of the emergency process). After this, the SGPHRS tanks are re-emptied and the desalinized water tanks of system LCU are refilled with water. In order to further maintain the stable and safe state of the reactor plant, maintaining also operability of SG PHRS, it is necessary to be able to temporary fill makeup tanks LCU from any sources of water available at the NPP site using off-site mobile equipment (for example, from firewater storage tanks).
Supply of water for fire-fighting purposes of NPP buildings and facilities is provided by the internal and external fire-fighting water supply systems (internal and external fire water pipelines, spray pools, etc.). The NPP site has a circular network of external fire-fighting water supply, consisting of 60 fire hydrants. (STRESS TESTS REPORT 2017, p.108)
The instructions for accident mitigation and the guidelines on management of beyond design basis and severe accidents are under development.(STRESS TESTS REPORT 2017, p.116)
In order to improve measures of beyond design basis accidents management, a number of actions is recommended, for example:
- – organizational measures for a more effective usage of available capabilities or determination of additional measures
- – so-called crisis plans – their material and staff support for management of unforeseen situations, which, nevertheless, can hypothetically arise at NPP. More detailed organizational and technical measures will be considered and presented in BDBA Management Guidelines, Severe Accident Management Guidelines. (STRESS TESTS REPORT 2017, p.121) In the subchapter “Releases of Radioactive Substances in Case of Loss of the Containment Integrity” of the STRESS TESTS REPORT (2017, p. 143) it is explained, that the design provides for measures to prevent loss of the containment integrity. With additional failures in implementation of the BDBA management measures in case of a severe accident, loss of the containment integrity and localizing properties can occur due to pressure increase in the containment above 0.7 MPa, steam explosions or hydrogen explosions(with water boil-off in the spent fuel pool), which will lead to releases to the environment of a significant part of the radioactive substances accumulated in the reactor core and the spent fuel pool (probability is much lower than 10-7/year). Loss of integrity of the containment – the last protective barrier of the defense-in-depth, leads to uncontrolled propagation of radioactive substances released during the accident from the damaged fuel. As a result of such an accident, urgent measures will be required to protect the personnel and the population in the Belarusian NPP area. Further measures to eliminate the consequences of the accident are developed (STRESS TESTS REPORT 2017, p. 144) Efficiency of the measures to limit emergency releases will be confirmed within the framework of implementation of PSA-2 (based on the results of full-scale PSA-1), where the probability of large radiation releases leading to global contamination of the area around the NPP set as the target criteria is not more than 10-7 (/reactor year). (STRESS TESTS REPORT 2017, p. 144)
Contamination of vast areas with radionuclides is excluded and mandatory introduction of protective measures affecting significantly the social and economic conditions and vital activity of the population (evacuation, resettlement) is not required. Protective measures for the population are limited to temporary sheltering, preventive iodine intake and restricted of consumption of local contaminated food in the NPP surrounding area.(STRESS TESTS REPORT 2017, p. 145)
Assessment
The information provided in the STRESS TESTS REPORT (2017) leads to the conclusion that measures to cope with a loss of containment integrity do not exist (yet).
The following questions have to be answered:
- What is the capacity of the LCU tanks? In which frequency do they a temporary makeup from any water source? Are these water sources (e.g. the fire hydrants) protected against severe external hazards?
- Was the development of instructions for accident mitigation and the guidelines on management of beyond design basis and severe accidents completed? Are there any new important results?
- Were the detailed organizational and technical measures already considered and presented in BDBA Management Guidelines and Severe Accident Management Guidelines (See Stress Tests Report 2017, p.121)? Are there any new important results?
- Are any sufficient measures to cope with a loss of containment already in place?
12 Compliance with state of the art
The Western European Nuclear Regulators’ Association (WENRA) defined and expressed a common position on the safety objectives for new nuclear power plants in November 2010.21 The safety objectives were based on a report by the Reactor Harmonization Working Group of WENRA22, also considering comments received from stakeholders. The WENRA safety objectives should ensure that the NPP which will be licensed in future will fulfill higher safety standards across Europe compared to the existing plants especially through improvement of the design. The safety objectives reflect the current state of the art in nuclear safety and can be implemented in the design using the latest available technology.
Based on these safety objectives, WENRA-RHWG developed positions on selected key issues of particular relevance considering the expectations for new reactors compared to existing ones. These positions are more detailed than the safety objectives and are intended to clarify their meaning. Together with these positions, considerations concerning the major lessons learned from the Fukushima Dai-ichi accident were published in a report in 2013.23
Among other issues, the positions concern the defense-in-depth approach for new nuclear power plants. This approach was developed further, with a refined structure including introducing two sub- levels in DiD level 3: level 3a for single initiating events, level 3b for multiple failures. Also, expectations on the independence between different levels of DiD were formulated. Other positions concern the practical elimination of severe accidents with large or early releases.
The stress test report does not discuss the fulfillment of the WENRA safety objectives (SO) for new nuclear power plants. WENRA is not mentioned at all.
In an Expert Statement on the Finnish NPP Hanhikivi in 2014, the WENRA safety objectives were applied to the reactor type VVER-1200/V491.24 The following points were assessed, with a focus on design aspects:
- What can be asserted regarding complying with the safety objectives, on the basis of available information?
- Which issues remain unclear regarding compliance?
- Are there potential challenges which could make complying with the WENRA safety objectives difficult or impossible? Important issues of this evaluation focused on the Belarusian NPP are presented in the following section. SO 1 – Normal operation, abnormal events Objectives:
Reducing the frequencies of abnormal events by enhancing plant capability to stay within normal operation
Western European Nuclear Regulator’s Association (2010): Statement on Safety Objectives for New Nuclear Power Plants. November 2010; www.wenra.org
WENRA-RHWG–Reactor Harmonization Working Group (2009): Safety Objectives for New Power Reactors. Western European Nuclear Regulator’s Association. December 2009 (Published in the final wording in November 2010; www.wenra.org
Western European Nuclear Regulator’s Association (2013): Safety of New NPP Designs. A report by RHWG – Reactor Harmonization Working Group. March 2013; www.wenra.org www.umweltbundesamt.at/fileadmin/site/umweltthemen/umweltpolitische/ESPOOverfahren/uv p_fennovoima2014/REP_0479_Hanhikivi_EIA.pdf
Reducing the potential for escalation to accident situations by enhancing plant capability to control abnormal events ——————————————————————————————————————————
Among the basic principles and approaches of the design, the following items are mentioned by the developer25:
- Improving system and equipment characteristics by abandoning excessive conservatism and optimizing design margins
- Reducing capital and operating expenditures It seems plausible that considerable efforts have been undertaken to improve the design of the VVER- 1200 compared to the forerunner types. However, there appears to be a challenge consisting in the potentially conflicting goals of improving safety on the one hand and improving economics on the other. Another challenge is the embrittlement behavior of the reactor pressure vessel material, given a planned service life of 50 or 60 years. In spite of extensive experiences with material behavior in the forerunner types, it appears that this is still a problem which needs monitoring. SO 2 – Accidents without core melt Objectives: Ensuring that accidents without core melt induce no off-site radiological impact or only minor radiological impact (in particular, no necessity of iodine prophylaxis, sheltering or evacuation).
Reducing, as far as reasonably achievable, o the core damage frequency taking into account all types of credible hazards and
failures and credible combinations of events; o the releases of radioactive material from all sources.
Providing due consideration to siting and design to reduce the impact of external hazards and malevolent acts.
———————————
Internal hazards
Controlling internal hazards could be a challenge as far as the safety building is concerned: The safety building’s structural elements containing the four parallel, redundant subsystems are physically separated, but placed side by side, connected by service corridors and channels for AC systems. Connections are separated by doors and dampers, calling into question the adequate realization of physical separation.
Furthermore, in the safety building each sub-system’s low- and high-head pressure injection pumps and related equipment and pipelines have been placed in the same room without physical separation.
According to the Finnish nuclear authority (STUK), Finnish safety requirements concerning protection from internal hazards, such as floods and fires, have not yet been demonstrated for the VVER 1200/491 design.26
St. Petersburg Research and Design Institute ATOMENERGOPROEKT (2011): Design AES-2006, concept Solutions by the example of Leningrad NPP -2. Saint Petersburg, 2011
Finnish Radiation and Nuclear Safety Authority (2009): Preliminary Safety Assessment of the Loviisa 3 Nuclear Power Plant Project; Assessment Report; 2009
Multiple failures
No systematic discussion and consideration of multiple failures (level of DiD 3b, according to WENRA) could be found in the available documents.
Electrical system
AC emergency power is provided by diesel generators (4 x 100%).
Requirements and results for Core Damage Frequency (CDF)
According to the STRESS TESTS REPORT (2017, p. 40), to assess the Belarusian NPP safety, a probabilistic safety analysis (PSA) of the 1st and 2nd level is applied. For the Belarusian NPP, comprehensive PSA-1 (for internal initiating events, internal fires and flooding, seismic PSA and PSA for external impacts) and comprehensive PSA-2 based on PSA-1 are developed.
The average value of frequency of nuclear fuel damage in the reactor obtained from PSA-1 for internal initiating events is as follows:
- at power operation: 7.7×10-7 /year;
- in standby modes: 2.42×10-7 /year. The average value of total frequency of nuclear fuel damage in the spent fuel pool is as follows:
- at power operation: 3.32×10-10 /year;
- in standby modes: 3.19×10-8 /year. Assessment The published results of PSA/PRA27 studies seem to confirm that the limit of 10E-6/year for the core damage frequency is exceeded. External effects are not included yet. Furthermore only an average value was given plus no information on the uncertainty of the results. The published values suggest that at least the 95%-quantile of the CDF could be considerably higher than the limit, even if only the factors which can be included in a PSA/PRA are taken into account. Regarding core damage frequency, average values are reported for the Belarusian NPP without any indication as to the uncertainty of these values. It is commendable if quantile values are specified additionally to the mean or median values, to provide some indication of the uncertainty involved in the probabilistic analysis. However, it should be noted that not all uncertainties of a PSA/PRA can be quantified, and furthermore, that there are factors (for example safety culture, malicious human acts, and ageing phenomena) which cannot be taken into account in a PSA/PRA, or can be taken into account only in an insufficient manner. Therefore, PSA/PRAs provide interesting indicators for plant hazards, but the numerical results cannot be taken at face value and should not be interpreted as reliable absolute measures for the frequency of severe accidents and large releases. The value of PSA/PRA results when discussing different plant types is thus limited. From the overview on all the information from Belarus and from EIA reports of Russian NPPs it is clear that there is a cut-off value for the probability of severe accidents: Only beyond design basis accidents are considered with a probability of occurrence > 10-7 per reactor and year (the limit for the probability of a core damage accident is 10-6/yr). Accidents with a risk < 10-7 per reactor and year are classified as practically impossible. In the opinion of Austrian experts. such accidents are not to be
27 PSA – Probabilistic Safety Analysis; PRA – Probabilistic Risk Analysis. These two terms are used interchangable. Because the analysis does not give conclusions about safety (the lack of risk) but rather the risk itself, we prefer using the term PRA.
25
excluded in principle. Due to the limits and shortcomings of probabilistic analyses, accidents should not be excluded from consideration on the basis of probabilistic arguments alone.28
Most importantly: the numerical results of PRA studies should not be taken at face value. PRAs are beset with uncertainties, and cannot completely capture reality. The following factors cannot be taken into account in a PRA at all or not adequately: unexpected loads from internal events, low safety culture, ageing-related common cause failures, problems at the interface between civil engineering and systems engineering, unexpected external events and acts of terror and sabotage.
The following questions have to be answered:
- Which uncertainty is associated with the PSA/PRA results? In particular, can the 95% quantiles of CDF and LRF be provided and conclusions drawn from those?
- Are results available from preliminary safety reports of the NPPs Leningrad 2 under construction? Does a level 2 PSA/PRA exist for these reactors? Similar for the Hanhikivi NPP.
- Are the functioning and reliability of passive safety systems and features demonstrated?
- Which BDBA scenarios have been analyzed?
- Are there any plans to include the WENRA recommendations in the regulations of Belarus?
- Is there any conflict between safety and economics regarding the goals of larger operational margins for reducing the frequency of abnormal events and reducing capital and operating expenditures?
- How will the embrittlement behavior of reactor pressure vessels be monitored?
- What are the measures to avoid mistakes by manufacture?
- Are internal hazards being systematically analyzed and controlled?
- Are multiple failures being systematically analyzed and controlled?
SO 3 – Accidents with core melt (DiD level 4)
Objectives:
Reducing the potential of radioactive releases to the environment from accidents with core melt, also in the long term, by following the qualitative criteria below:
Accidents with core melt which would lead to early or large releases have to be practically eliminated.
For accidents with core melt that have not been practically eliminated, design provisions have to be taken so that only limited protective measures in area and time are needed for the public (no permanent relocation, no need for emergency evacuation outside the immediate vicinity of the plant, limited sheltering, no long term restrictions in food consumption) and that sufficient time is available to implement these measures.
—————————————————————————————————
Containment integrity
According to the STRESS TESTS REPORT (2017, p. 127), there are several potential hazards leading to the containment destruction by high pressure: steam explosions at the in- and ex-vessel stage of the severe accident; loading of the containment due to mass and energy release at the in- and ex-vessel stage of the severe accident. http://www.umweltbundesamt.at/fileadmin/site/publikationen/REP0291.pdf
The main threat from the containment destruction and failure is high release of the fission products. High release of the fission products requires immediate actions to ensure health protection and safety of the population and NPP personnel.
A steam explosion within the reactor vessel can result in damaging the containment through its penetration with flying objects, which may be classified as an early radioactive emission to the atmosphere. A steam explosion hazard may arise as a result of core degradation due to interaction of heated fuel fragments and coolant residues in the reactor vessel. (STRESS TESTS REPORT 2017, p. 127)
The design and organizational measures adopted in the design are aimed at minimizing the possibility of intensive interaction of the molten core material with water and preventing the possibility of the molten material dispersion after it comes out of the reactor vessel.
The minimization of the intensive interaction arising from the contact of the molten core material with water is achieved by the design features of the reactor vessel and the prohibition for water supply to the core when the onset of the accident severe phase is diagnosed.
To prevent ex-vessel steam explosions, no water shall be present inside the molten core catcher when the first portions of the molten core material enter the catcher. This is ensured by the design of the safety membrane on the vessel of the molten core catcher. (STRESS TESTS REPORT 2017, p. 127)
The results of the design analysis have shown that the absolute pressure in the containment does not exceed 0.5 MPa, which corresponds to the maximum permissible pressure for the containment under severe accident conditions. (STRESS TEST REPORT 2017, p.127)
In case of beyond design basis accidents the design provides for application of special instrumentation and implementation of organizational measures. The containment integrity during BDBA is monitored from the MCR. The information from the instruments characterizing the containment integrity is displayed by the indicating instruments of the segmented panel CWL01, which is located in the MCR. There is no such panel in the ECR. (STRESS TESTS REPORT 2017, p. 137)
There are 44 re-combiners in the containment rooms. In order to ensure maximum efficiency of the system, the re-combiners are installed in places where the hydrogen concentration during the accident can reach maximum values, as well as on the ways of the steam-gas medium movement. (STRESS TESTS REPORT 2017, p.138)
The containment integrity can be assessed through radiation monitoring at site. If the radiation background exceeds the design values, it is assumed that a threat to the containment integrity is created or implemented, and this threat requires immediate measures to limit the release and propagation of the fission products at site. (STRESS TESTS REPORT 2017, p.142)
Assessment
According to the developer, physical phenomena related to severe accidents that might endanger the containment integrity are avoided as per the NPP design, namely29:
- Steam explosion in the reactor pressure vessel
- Hydrogen detonation
- Re-criticality of the core or the core melt
- Steam explosion beyond the reactor pressure vessel
- Direct heating of the containment
- Missiles St. Petersburg Research and Design Institute ATOMENERGOPROEKT (2011): Design AES-2006, concept solutions by the example of Leningrad NPP -2. Saint Petersburg, 2011
Interaction between the melt and the under-reactor compartment floor and walls
It can be assumed that the formulation “avoided as per the NPP design” means that these phenomena do not have to be considered further; i.e., that they are practically eliminated by design measures.
It appears that a number of physical phenomena which could lead to large and/or early releases in case of a severe accident are regarded as practically eliminated by the designers of VVER-1200/V491. However, the concept of practical elimination is not explicitly addressed in the documents at hand.
The concept of practical elimination has been introduced by IAEA. An accident sequence can be considered to have been practically eliminated if it is physically impossible for the sequence to occur, or if the sequence can be considered with a high degree of confidence to be extremely unlikely to occur.30
In the above-mentioned report on safety expectations for the design of new NPPs, the Reactor Harmonization Working Group of WENRA has elaborated this concept, discussing among other issues means for practical elimination, and the demonstration of practical elimination. In this report, it is stated that in order to increase the robustness of a plant’s safety case, demonstration should preferably rely on physical impossibility. In any case, practical elimination cannot be claimed solely based on compliance with a probabilistic cut-off value. Analyses need to be supported by adequate experimental results. Uncertainties have to be taken into account, and sensitivity studies performed. All codes and calculations must be validated against the specific phenomena in question, and verified. Also, it must be ensured that the relevant provisions remain in place and valid throughout the lifetime of the plant.
It could be a challenge to demonstrate practical elimination for the Belarusian NPP for all phenomena in question, taking into account these principles. According to the available information it is not assured yet.31
The following questions have to be answered:
- Has the practical elimination for steam explosion in the reactor pressure vessel, hydrogen detonation and other phenomena been demonstrated?
- What concept of practical elimination was applied? Is the concept of practical elimination of WENRA applied?
- Where will the containment integrity during BDBA be monitored in case the MCR is not available?
Core catcher
The most conservative scenario in terms of the early destruction of the reactor vessel is „Double- ended break of the reactor coolant circuit (DN 850) with failure of the ECCS active part“. For this scenario, the time of the core top uncovering is 860 sec., the time of the reactor vessel destruction and release of the first portion of the molten core material into the molten core catcher is 6330 sec. Thus, the time reserve from the moment of the core top uncovering till the molten core material release beyond the reactor vessel is 5470 sec. (See STRESS TESTS REPORT 2017, p.125)
International Atomic Energy Agency (2012): Safety of Nuclear Power Plants: Design. IAEA Safety Standards Series No. SSR – 2/1. Vienna, 2012 www.umweltbundesamt.at/fileadmin/site/umweltthemen/umweltpolitische/ESPOOverfahren/uvp_fennovoima2014/REP_0479_Hanhikivi_EIA.pdf
The vertical section of the passive water supply valve is located in a cylindrical channel with cooling water from the shaft of the molten core catcher. The passive water supply valve is located below the minimum water level in the concrete reactor cavity, which ensures reliable cooling water supply to the surface of the molten core material after its actuation.
The calculation results show that at a present melting temperature of the valve solder plug, water is supplied to the melt mirror under the following conditions, when 90% of the molten core material have entered the molten core catcher. (See STRESS TESTS REPORT 2017, p.136)
Assessment
An important feature of the AES-2006 is the core melt localization device (or core catcher). If functioning as planned, this new feature would have the potential to reduce the probability of large releases in case of a severe accident. However, the functioning of a core catcher is beset with a number of problems which have not been sufficiently clarified (for example: interaction between the molten core and concrete, considerable uncertainties regarding heat transfer between the materials involved; occurrence of cracks in the concrete of the device; hydrogen formation).
The core catcher of the VVER-1000/V466, which can be assumed to be similar to that of the VVER- 1200, is placed in a concrete shaft below the reactor pressure vessel. It is filled with sacrificial material. The molten reactor core falls into this device after it has penetrated the pressure vessel bottom, and is cooled from above with water. The water from a building sump and the fuel pool is destined for this task.
The steam explosions constitute a severe problem for the core catcher design selected for the VVER- 1000/V466. It is not guaranteed that the molten core will reach the core catcher all at once, as a whole. If, at first, only a part gets into the concrete shaft, it is likely that this will trigger flooding. Further molten core material then falls into water and the melt can fragment into small particles. In this way, heat transfer to the water is very fast, with abrupt vaporization as a result. For those steam explosions it is not possible today to predict the level of potential damage.
The core catcher is characterized by complex chemical reactions as well as complex physical processes. Adequate confirmation of the functioning by experiments and analysis thus constitutes significant challenges. Not least among those is the demonstration of transferability from experiment to the real component in the plant, i.e. the transferability from experiments with induction heated, small amounts of melts to a situation with a molten core.
There are open questions regarding the reliable functioning of the “core catcher” regarding the description of accident scenarios, timing of core flooding to avoid steam explosion etc. The proof of functioning of this device (test, computer simulations), including the prevention of steam explosions, shall be answered.
The basic design of the core catcher is beset with a fundamental disadvantage – the molten core stays in a very compact form, which results in an unfavourable surface-to-volume ratio for cooling. It is not foreseeable that the disadvantage outlined above will be remedied since this would require far- reaching changes in the reactor design.32
According to the description of the core catcher in the STRESS TESTS REPORT (2017) of the Belarusian NPP the above mentioned problems are not solved.
The following question has to be answered:
Is the functioning of the core catcher confirmed with experiments and analysis?
http://www.umweltbundesamt.at/fileadmin/site/publikationen/REP0291.pdf
Filtered venting system
A filtered containment venting system is not included in the AES-2006 design. It has to be mentioned that the Finnish requirements call for nuclear power plants to be equipped with a filtered containment venting system to mitigate the consequences of severe accidents.
Limit for large radioactive release
The published results of PSA/PRA studies appear to confirm that the limit of 10-7/yr for the large release frequency is not exceeded; they lay well below this limit (1.8 . 10-8/yr). However, this value includes full-power operation and internal initiating events only. Low-power and shutdown states considerably contribute to CDF. The contribution of external events can also be significant, depending on the site.
There is no information concerning the uncertainty of the value given for LRF; it is not clear whether it refers to the mean or the median value. All in all, it is not clear from the PSA/PRA results whether the limit for LRF could not in fact be exceeded, even if only the factors which can be included in a PSA/PRA are taken into account.
WSO 4 – Independence of levels of DiD (DiD levels 1 – 4)
Objectives:
Enhancing the effectiveness of the independence between all levels of defense-in-depth, in particular through diversity provisions (in addition to the strengthening of each of these levels separately as addressed in the previous three objectives), to provide as far as reasonably achievable an overall reinforcement of defense-in-depth.
——————————
According to the STRESS TESTS REPORT (2017, p.123), to manage severe accidents, the design provides for a set of technical and organizational measures aimed at transferring the NPP to a controlled state. The means applied are, as far as possible, independent of the means applied at levels 1-3 of the defense-in-depth.
Assessment:
The independence of the levels of DiD is an important and fundamental element of the defense-in- depth concept. WENRA expects independence between different levels of DiD to the extent reasonably practicable, so that failure of one level of DiD does not impair the defense in depth ensured by the other levels. The adequacy of the achieved independence shall be justified by deterministic and probabilistic risk analysis, and engineering judgment. Appropriate attention shall be paid to the design of I&C and other cross-cutting systems. The design of these systems shall be such as not to unduly compromise the independence of the SSCs they support.
However, the design of the VVER-1200/V491 appears to understand the concept of defense-in-depth as a generally underlying philosophy and not as a principle to be consistently followed through the
The following questions have to be answered:
- What is the reason that a filtered venting system will not be implemented?
- Will Belarus follow the Finnish requirements?
whole design. The importance of independence of the levels of DiD is emphasized in a general manner, but is not consistently realized in the details of the design.
Furthermore, there is a number of features provided for severe accidents (DiD level 4) which are also used on lower levels of DiD: The two passive heat removal systems are not for exclusive use in case of a severe accident; they are also to be employed at safety level 3. Also, there is only one set of valves for primary circuit depressurization for DiD levels 3 and 4. Primary depressurization is highly important for severe accident management, to avoid core melt at high primary pressure with high pressure melt ejection and possible containment damage. It has to be noted that Finnish safety requirements are not met, because of the call for independence of primary circuit depressurization during severe accidents from the systems designed for the plant’s operating stages and postulated accidents.
Also, separation of I&C systems supporting different levels of defense-in-depth has not been clarified in the available documents.33
The following questions have to be answered:
- For which systems was the independence between levels of defense-in-depth, to the extent reasonably practicable, not implemented – in particular regarding levels of DiD 3 (with sub- levels 3a and 3b) and 4
- To which degree was the separation of I&C-systems supporting different levels of defense-in- depth realized?
- Are there any improvements envisaged concerning the independence of the DiD levels?
www.umweltbundesamt.at/fileadmin/site/umweltthemen/umweltpolitische/ESPOOverfahren/uv p_fennovoima2014/REP_0479_Hanhikivi_EIA.pdf
13 Severe accident consequences
Safety Analysis Report on the Belarusian NPP shows that concerning implementation of the above measures for BDBA management with the containment integrity maintained, severe accident radiation effects do not exceed level 5 of the INES scale: The estimated release to the environment is as follows: iodine-131: 100 TBq; cesium-137: 10 TBq. (STRESS TESTS REPORT 2017, p.143)
Assessment
Even if the probability for Beyond Design Basis Accidents (BDBA) is very low, they should be assessed. For the assessment of a potential risk the evaluation of possibly severe accidents including the maximum source term are of the highest interest.
In 2012, the Norwegian Radiation Protection Authority published a report concerning the potential consequences in Norway after a hypothetical accident at the NPP Leningrad II (Russia).34 The calculation was based on the most serious radiological consequences that could occur after a ‘credible’ accident in a VVER-1200 (AES-2006/V491). The definition of the release categories and the associated source term data were based on simulations conducted as a part of Level 2 PSA for a VVER-1000/V320 plant. The radionuclide inventory of the core was based on Russian data derived for the original Soviet fuel. The source term was calculated to 2800 TBq Cs-137.
Based on guidance RG 1.109, RG 1.111 published by United States Nuclear Regulatory Commission (USNRC) Nguyen Tuan Khai and Le Dinh Cuong of the Institute for Nuclear Science and Technology (INST) concentrate on assessing radiation doses caused by radioactive substances released from the NinhThuan 1 nuclear power plant (NPP) to the environment. The Ninh Thuan 1 NPP is assumed to use the VVER-1200 technology. The input data for the model calculations are built based on the accident scenario and the technical parameters of VVER-1200 technology. The magnitude of the accident was evaluated at level 7 which is the highest on the International Nuclear Event Scale (INES). The scenario of the accident was based on two incidents: Station Black Out (SBO) and Loss of Coolant Accident (LOCA). The latter is induced by a large break in the Reactor Coolant System (RCS). The accident leads to severe consequences, starting with the damage of the reactor core to containment failure and eventually the release of radioactive substances to the environment. For the NPP accident scenario the RASCAL4.3 calculations give two main results: (1) the source term for radioactive nuclides released to the atmosphere, and (2) maximum dose distribution (mSv) up to 80 km. The calculation results show that consequences of the accident are very serious. In total the radioactivity of a radiological equivalence of 225,000 TBq of 131I is released to the atmosphere. Within 20 km the Total Effective Dose Equivalence (TEDE) values are very high, about several ten times higher than the dose limit. It is requested to establish a National Steering Board for Accident Response to direct the relevant authorities in response for the accident consequences and ensure security in the area of NPP.35
It is unjustified to exclude accidents in the Belarusian NPP from further consideration solely on the basis of PSA/PRA results. Taking into account the open issues and challenges identified regarding the safety of this reactor type, and in particular the lack of evidence that accidents with large releases are extremely unlikely with a high degree of confidence, severe accidents with large releases cannot be excluded for the VVER-1200/V491 based on information available today. According to evaluations of Statens strålevern: Potential consequences in Norway after a hypothetical accident at Leningrad nuclear power plant; Potential release, fallout and predicted impacts on the environment; Norwegian Radiation Protection Authority; June 2012
Assessment of Radioactive Gaseous Effluent released from NINH THUAN 1 Nuclear power plant under Scenario INES-Level-7 Nuclear accident; Nguyen Tuan Khai, Le Dinh Cuong; Institute for Nuclear Science and Technology (INST), Communications in Physics, Vol. 25, No. 4 (2015), pp. 375- 382 the chosen reactor type VVER-1200/V491 it has to be stated that severe accidents with large releases cannot be excluded.
Moreover, the stress test does consider the risk and potential impacts of sabotage, terrorist attack and acts of war.
To estimate the possible consequences of a severe accident at the Belarusian NPP the results of the research project flexRISK could be used.36
Additional information is necessary to evaluate the possible consequences of a severe accident.
The following questions have to be answered:
- Why are higher source terms not presented in the Stress Tests Report?
- Which source terms have to be associated with the worst- case scenarios for the Belarusian NPP?
- What are the justifications for the source term used in the Stress Test Report?
- What are the results of PSA/PRA (Level 1 and 2) in particular the probabilities/frequency of core damages (CDF) and severe accidents with (early) large releases (LRF and LERF) including probability distribution (quantiles) and source terms for the most important release categories?
36 FLEXRISK (2013): The Project “flexRISK“: Flexible Tools for Assessment of Nuclear Risk in Europe; http://flexrisk.boku.ac.at/en/projekt.htm
Show less
The Guardian, 16th March 2018
for Settlement of Investment Disputes“ (ICSID) im Rahmen der Energiecharta entscheiden, ob der Vattenfall-Konzern für die Stilllegung seiner bereits seit 2007 weitgehend abgeschalteten maroden Atomreaktoren Brunsbüttel und Krümmel Schadensersatz von inzwischen über fünf Milliarden Euro von den deutschen SteuerzahlerInnen erhält. Das meldet die 
Es sei nicht mehr die Frage, ob ein schwerer Unfall in Frankreich möglich sei, sondern vielmehr wann er passieren werde, meinen die beiden Autoren Thierry Gadault und Hugues Demeude. Die Gefahr eines schweren Unfalls sei noch nie so groß gewesen wie heute, warnen die Journalisten. Das, was sie während ihrer Recherchen gesehen hätten, sei katastrophal und beunruhigend. Immerhin wohnten zwei Drittel der französischen Bevölkerung weniger als 75 Kilometer von einem Atomkraftwerk entfernt.
Das Thema beherrscht die Schlagzeilen, seit die Sonntagszeitung „JDD“ vorab aus dem Buch von Gadault und Demeude zitierte. Es ist auch deshalb heikel, weil Kraftwerksbetreiber EDF (Electricité de France) eine Verlängerung der Laufzeiten der französischen Reaktoren auf bis zu 60 Jahre anstrebt. https://www.welt.de/wirtschaft/article173279982/Atomkraft-Enthuellungsbuch-bezweifelt-Zustand-von-franzoesischen-AKW.htm