Appendix B: Defense in Depth
Some examples of the concept of Defense in Depth are:
At the nuclear power plant level
• Plants are designed to prevent accidents from occurring (Prevention), are provided with Engineered Safety Features (ESFs) to mitigate the consequences of an accident, should one occur (Mitigation), and have Emergency Plans to evacuate people and interdict foodstuffs, should there be a release of radioactive material (Emergency Planning).
• Plants are designed with Multiple Barriers to prevent or mitigate fission product release: the ceramic fuel matrix, the metallic fuel clad, the primary system (vessel and piping) and the containment building.
At the structural, system and component (SSC) level
• Single Failure Criterion: A single failure means an occurrence that results in the loss of capability of a component to perform its intended safety functions. Multiple failures resulting from a single occurrence are considered to be a single failure. Fluid and electric systems are considered to be designed against an assumed single failure if neither (1) a single failure of any active component (assuming passive components function properly) nor (2) a single failure of a passive component (assuming active components function properly) results in a loss of the capability of the system to perform its safety functions.
• Redundancy and Diversity: One of the keys to satisfying the single failure criterion. It might mean a power operated valve in series with a check valve, or an electric driven pump in parallel with a steam driven pump.
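The single failure criterion above is easy to state and easy to get wrong in a real layout, because "a single occurrence" can fail several components at once (one dc battery bank feeding both trains' valves, one shared header). The following is an added worked example, not part of the appendix or of any plant's design basis: a small Python model that represents a safety function as parallel trains of series components and enumerates every single occurrence, active-component failure, passive-component failure or declared common-cause event, to find which ones defeat the function. The component names, the two designs and the common-cause groupings are constructed for illustration; design 1 shares a header and a battery bank between the trains, design 2 separates them and pairs an electric pump with an ac-independent steam-driven pump, as the Redundancy and Diversity bullet suggests.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    name: str
    active: bool  # True: pump, power-operated valve; False: check valve, piping


def function_available(paths, failed):
    """A path works only if every component in it works (series);
    the safety function is available if any path works (parallel trains)."""
    return any(all(c not in failed for c in path) for path in paths)


def single_failure_violations(paths, common_cause):
    """Single occurrences that, on their own, defeat the safety function.

    Each component failing by itself is one occurrence (tagged active or
    passive). Each declared common-cause event is also one occurrence,
    because the criterion counts multiple failures arising from a single
    occurrence as a single failure. Returns sorted (name, kind) pairs."""
    occurrences = []
    for c in {c for path in paths for c in path}:
        occurrences.append((c.name, "active" if c.active else "passive", {c}))
    for name, failed in common_cause.items():
        occurrences.append((name, "common-cause", set(failed)))
    return sorted((name, kind) for name, kind, failed in occurrences
                  if not function_available(paths, failed))


def meets_single_failure_criterion(paths, common_cause):
    return not single_failure_violations(paths, common_cause)


# Constructed components; names and roles are illustrative, not from the paper.
ELECTRIC_PUMP = Component("electric_pump_A", active=True)
STEAM_PUMP = Component("steam_pump_B", active=True)  # ac-independent, diverse from the electric pump
MOV_A = Component("motor_operated_valve_A", active=True)
MOV_B = Component("motor_operated_valve_B", active=True)
CHECK_A = Component("check_valve_A", active=False)
CHECK_B = Component("check_valve_B", active=False)
SHARED_HEADER = Component("common_injection_header", active=False)
HEADER_A = Component("injection_header_A", active=False)
HEADER_B = Component("injection_header_B", active=False)

# Design 1 (constructed): two trains that share one header and one dc battery bank.
DESIGN_1_PATHS = [
    [ELECTRIC_PUMP, MOV_A, CHECK_A, SHARED_HEADER],
    [STEAM_PUMP, MOV_B, CHECK_B, SHARED_HEADER],
]
DESIGN_1_COMMON_CAUSE = {
    "loss_of_vital_dc_power": {MOV_A, MOV_B},  # one battery bank feeds both valves
    "loss_of_all_ac_power": {ELECTRIC_PUMP},   # steam-driven pump keeps running
}

# Design 2 (constructed): separate headers and a separate dc division per train.
DESIGN_2_PATHS = [
    [ELECTRIC_PUMP, MOV_A, CHECK_A, HEADER_A],
    [STEAM_PUMP, MOV_B, CHECK_B, HEADER_B],
]
DESIGN_2_COMMON_CAUSE = {
    "loss_of_dc_division_1": {MOV_A},
    "loss_of_dc_division_2": {MOV_B},
    "loss_of_all_ac_power": {ELECTRIC_PUMP},
}

if __name__ == "__main__":
    for label, paths, cc in [("design 1", DESIGN_1_PATHS, DESIGN_1_COMMON_CAUSE),
                             ("design 2", DESIGN_2_PATHS, DESIGN_2_COMMON_CAUSE)]:
        print(label, "violations:", single_failure_violations(paths, cc))
```

Running the model reports two violations for design 1, the shared passive header and the common-cause loss of the single dc bank, and none for design 2. The point the model makes is that redundancy alone (two pumps, two valves) does not satisfy the criterion until the support systems and shared passive components are also split, which is exactly the kind of dependency a station-blackout sequence exposes.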
At the phenomenological level
• Safety Margins: Design with a large difference between estimates of capacity and load. Examples include: 10 CFR 50, Appendix K (ECCS Evaluation Criterion); Licensing Basis Accidents; 10 CFR 100, Appendix A (Seismic and Geologic Siting Criteria for Nuclear Power Plants).
Appendix C: The Accident Sequence at Fukushima Daiichi
In both WASH-1400 (1975) and NUREG-1150 (1990), a risk assessment was carried out for Unit 2 of the Peach Bottom Nuclear Power Plant, a General Electric boiling water reactor (BWR-4) unit of 1065 MWe capacity housed in a Mark 1 containment. It began commercial operation in July 1974. This is basically the same as the nuclear reactor systems at Fukushima, Units 1–4. The dominant internally and externally (seismic) initiated accident sequences leading to core-melt for Peach Bottom in NUREG-1150 consist of three station-blackout scenarios, where the timing of two of them matches the sequence of events at Fukushima (the spent-fuel pools notwithstanding). They are summarized as follows:
• Loss of onsite and offsite ac power results in the loss of all core cooling systems (except high-pressure coolant injection (HPCI) and reactor core isolation cooling (RCIC), both of which are ac independent in the short term) and all containment heat removal systems. HPCI or RCIC (or both) systems function but ultimately fail at approximately 10 h because of battery depletion or other late failure modes (e.g., loss of room cooling effects). Core damage results in approximately 13 h as a result of coolant boil-off.
• Loss of offsite power occurs followed by a subsequent failure of all onsite ac power. The diesel generators fail to start because of failure of all the vital batteries. Without ac and dc power, all core-cooling systems (including HPCI and RCIC) and all containment heat removal systems fail. Core damage begins in approximately 1 h as a result of coolant boil-off.
Given the vulnerability to station blackout, how is it that the Fukushima Units were not adequately protected against a station blackout, regardless of the severity of the earthquake and the tsunami that followed? Part of a “healthy” safety culture is to go meta to the aggregate of accident sequences, which means that the philosophy of “defense in depth” must be extended to the level of “safety function.” Active or passive safety systems or operator actions are required to provide the necessary functions to bring a reactor to “cold-shutdown.” Said another way, there are basically four functions needed in case of an accident:
1. Stop the chain reaction, or “scram” the reactor: this means redundant and diverse methods for bringing a critical reactor to a sub-critical state.
2. Ensure adequate cooling to remove decay heat: this means providing passive or active, redundant and diverse systems to maintain coolant under a range of accident scenarios and conditions.
3. Ensure the integrity of the primary system: this means maintaining a coolant path from the reactor to the “ultimate” heat sink, maintaining primary pressure and
4. Ensure an “ultimate” heat sink.