Earthquakes and mitigation of predictable damage?

  • Thread starter: davejjj
  • Tags: Damage
Nuclear plants are typically designed to withstand specific earthquake intensities, but there are concerns about their ability to degrade gracefully during larger seismic events. The Fukushima disaster highlighted vulnerabilities, particularly regarding inadequate defenses against external flooding, despite the plant's systems surviving the earthquake itself. Discussions emphasize that current regulatory practices, both in Japan and the U.S., may underestimate risks and fail to account for cascading failures, leading to insufficient safety measures. Critics argue that Probabilistic Risk Assessment (PRA) methods used for safety evaluations may not effectively predict rare but impactful events, raising questions about their reliability. Overall, there is a pressing need for improved risk analysis and safety protocols to better prepare for extreme scenarios.
davejjj
It is often said that each nuclear plant is only designed to handle up to a certain rated earthquake intensity -- but I would like to know if they are designed to degrade gracefully if they are subjected to larger earthquakes?

It is certainly possible to make some guesses regarding the effects of a larger earthquake and have design features which could help to mitigate these failures. For example, if a rupture of the reactor primary plumbing would be an expected result, are there design features which allow this to be dealt with without proceeding to an out-of-control situation?
 
Well, if this
http://www.nrc.gov/reading-rm/doc-collections/nuregs/staff/sr0933/sec3/082r3.html
and similar NRC resolutions (the ones cited by this one give a good starter) are anything to judge by, the standard approach to beyond design issues is to ignore as much as possible (and impossible, e.g. I never thought that cascading failures could be neglected) to obtain extremely small probability of the event, such that no money has to be spent on a solution. The best you can hope for is the plant owner protecting his property, but even that may fail if the owner is not sufficiently competent or likes to take undue risk - and there is not a lot of incentive for degrading gracefully if the reactor has to be scrapped anyway.
 
davejjj said:
It is often said that each nuclear plant is only designed to handle up to a certain rated earthquake intensity -- but I would like to know if they are designed to degrade gracefully if they are subjected to larger earthquakes?

It is certainly possible to make some guesses regarding the effects of a larger earthquake and have design features which could help to mitigate these failures. For example, if a rupture of the reactor primary plumbing would be an expected result, are there design features which allow this to be dealt with without proceeding to an out-of-control situation?


Remember the first hour post earthquake at Fukushima. It was struck by a beyond design basis earthquake. Offsite power was lost. Emergency diesels started as designed and ran for about an hour until flooded out by a beyond design basis tsunami. This then resulted in a loss of all onsite AC and when batteries ran down a loss of all residual heat removal from three reactors and four spent fuel pools. Consequences are three men dead from drowning and physical damage in the earthquake, 15 others injured, compensation and relocation of a large number of people, at least four reactors at over $1B each, long-term costs of monitoring and healthcare, major expenses for cleanup and/or entombment of the plant. It took two beyond design basis initiators, counting four spent fuel pools and three reactors to produce 7 INES scale events on one site with no immediate deaths or radiological overdoses. I wouldn't use the word graceful, but this event really doesn't tell us anything new about earthquake design, yet.

If this event had not included the tsunami we probably wouldn't be here, because the ECCS systems at Fukushima survived the earthquake. The weakness at Fukushima was inadequate defense against external flooding. Information I have found indicates that although Japanese regulatory groups are working on/considering/discussing risk-informed regulation, they haven't made risk analysis a requirement for plants. Further they do not periodically review the siting analysis for existing plants unless they are going to build a new plant. They don't require plants to defend design basis during inspections.

In the US, NRC team inspections start with design basis and concentrate on risk significant systems, procedures, analysis, and maintenance. That apparently doesn't happen in Japan unless a utility does it voluntarily. I find it nearly impossible to believe (given that the word tsunami IS Japanese) that this would not have been identified, if anyone was looking and if they had similar tools as US plants.

Dmytry has pointed out that two US plants (Vermont Yankee and H.B. Robinson) reviewed for the Generic Safety Issue about Spent Fuel Pools had event probabilities on the order of 1E-6. He argues that the Japanese plants are similar to the US plants and the event at Fukushima proves that those numbers are deceptive, either deliberately or due to incompetence. If Japan doesn't use PRA we will never be able to know if it would have prevented this event.

I have been reading everything critical of Probabilistic Risk Assessment to determine if Dmytry is right about PRA. So far the following criticisms exist:
  • It can't predict risk from an unanticipated initiator (tsunami unexpected in Japan?)
  • It doesn't do a good job for common mode failures (if you ask about flooding from internal or external sources wouldn't you look closely at emergency diesels and switchgear in the TB Basement?)
  • It has a hard time forecasting the future for random or historical threats (earthquakes, they were still trying to get another plant back on line from an earthquake).
  • It may not catch complex interactions in complex systems or consequences. (Hydrogen explosion debris impact on spent fuel pools)
  • PRA really doesn't prove anything is SAFE.
There are probably more.

As terrible as it may be I still have one question. Does anyone have another method, peer reviewed, publicly accepted that has better performance? (PRA methods were used during the BP Gulf Oil Spill. NASA has used it and learned the consequences of ignoring the safety significance of a lowly O-ring at low temperature).

I am not a PRA expert. I have used PRA results prepared by other engineers. PRA methods have often quoted a safety factor of about 20 in seismic design. That would explain why systems would have survived a quake beyond the design at Fukushima. I am trying to find the reasoning or basis for that assumed margin. Again, even if I find that for US plants it may not apply to Fukushima.
 
No, I have pointed out that NRC grossly underestimates accident probabilities by neglecting cascading failures, considering only a few unlikely scenarios, ignoring possibility of incomplete geophysical knowledge (e.g. consider a 10% probability of yet-unknown once-in-5000 years event that can destroy the SFP and you get order of magnitude worse failure rate), etc. The consequence of this under-estimation is the conclusion that safety features are not worth implementing. The under-estimation is by order of magnitude or more.
The reason I think so is because I have read the report. This has nothing to do with specific plants or specific deficiencies in the input data, but with how NRC does the analysis when deciding that improvements to robustness are not required. The report is about multiple accident scenarios, including turbine fragment hitting the fuel pool, and cask drop accident. The process at NRC is broken in the same way as it was in Japan and with such broken process it is inevitable that accident scenarios would be overlooked and the general safety features that could help protect against overlooked scenarios would not be required. (the reason Japan suffered first is that in geologically active region, failure of process would become apparent more often)

The only way Fukushima comes into play is that if not for Fukushima I would never have looked into how NRC does cost benefit analysis when deciding whether a safety feature should or should not be implemented.
 
Dmytry said:
No, I have pointed out that NRC grossly underestimates accident probabilities by neglecting cascading failures, considering only a few unlikely scenarios, ignoring possibility of incomplete geophysical knowledge (e.g. consider a 10% probability of yet-unknown once-in-5000 years event that can destroy the SFP and you get order of magnitude worse failure rate), etc. The consequence of this under-estimation is the conclusion that safety features are not worth implementing. The under-estimation is by order of magnitude or more.
The reason I think so is because I have read the report. This has nothing to do with specific plants or specific deficiencies in the input data, but with how NRC does the analysis when deciding that improvements to robustness are not required. The report is about multiple accident scenarios, including turbine fragment hitting the fuel pool, and cask drop accident. The process at NRC is broken in the same way as it was in Japan and with such broken process it is inevitable that accident scenarios would be overlooked and the general safety features that could help protect against overlooked scenarios would not be required. (the reason Japan suffered first is that in geologically active region, failure of process would become apparent more often)

The only way Fukushima comes into play is that if not for Fukushima I would never have looked into how NRC does cost benefit analysis when deciding whether a safety feature should or should not be implemented.
Please cite the report to which you are referring.

It does have to do with each specific plant btw.

Please cite the evidence from which one concludes 'process at NRC is broken in the same way as it was in Japan'.

Can one cite a specific plant site for which there is an overlooked scenario? If so, please provide the scenario.
 
Dmytry said:
No, I have pointed out that NRC grossly underestimates accident probabilities by neglecting cascading failures, considering only a few unlikely scenarios, ignoring possibility of incomplete geophysical knowledge (e.g. consider a 10% probability of yet-unknown once-in-5000 years event that can destroy the SFP and you get order of magnitude worse failure rate), etc. The consequence of this under-estimation is the conclusion that safety features are not worth implementing. The under-estimation is by order of magnitude or more.
The reason I think so is because I have read the report. This has nothing to do with specific plants or specific deficiencies in the input data, but with how NRC does the analysis when deciding that improvements to robustness are not required. The report is about multiple accident scenarios, including turbine fragment hitting the fuel pool, and cask drop accident. The process at NRC is broken in the same way as it was in Japan and with such broken process it is inevitable that accident scenarios would be overlooked and the general safety features that could help protect against overlooked scenarios would not be required. (the reason Japan suffered first is that in geologically active region, failure of process would become apparent more often)

The only way Fukushima comes into play is that if not for Fukushima I would never have looked into how NRC does cost benefit analysis when deciding whether a safety feature should or should not be implemented.

Just a taste for now. Dmytry has been saying how he thought Ignalina was a pretty good safe plant when it was powering his computer. He has frequently intimated that Europeans do it better. PRA is being misused by NRC in performing cost benefit analysis with PRA, according to Dmytry.

Perhaps as he looks for specific references he should start here:

http://www.rivm.nl/bibliotheek/rapporten/481505013.pdf

Doggone it, those pesky Europeans are using PRA. And their numbers are in the same ballpark as NRC. Is the whole world conspiring to make Dmytry look bad?
 
Astronuc said:
Please cite the report to which you are referring.

It does have to do with each specific plant btw.

Please cite the evidence from which one concludes 'process at NRC is broken in the same way as it was in Japan'.

Can one cite a specific plant site for which there is an overlooked scenario? If so, please provide the scenario.
Read the report I linked to earlier in that thread. The resolution covers the spent fuel pool fire in a re-racked pool and arrives at decision not to do anything for spent fuel pool fire propagation prevention as the risk of breach (from several events such as cask drop accident once every 4 million years, unexpected quake, etc) was deemed extremely low and it was deemed not worth it to do anything about it. Nothing was done about cascading failures such as when reactor is damaged, hydrogen blows up, roof falls into the pool, blocks convection, etc. There's a lot of low probability scenarios adding up.
Precisely what OP was asking about - design to degrade gracefully - not done.

How sure do you feel that this 'analysis' did not miss some non-obvious one-in-2000 years or worse failure? 99% sure? 99.9% sure?

Ultimately, there's some things we can't estimate even to the correct order of magnitude. Low risks - resulting from thousands of unlikely scenarios adding up, including the risk of getting the analysis itself wrong - are one of those things. The designs normally reflect that - for example the pools are most commonly found at the ground level, where the risks are not so uncertain - for another example, the original low density pools are supposed to have density low enough as to make fire propagation not happen. Normally, the PRA clearly cannot be trusted so much as to make decision that spent fuel pool on top floor is OK or fire propagation is OK - but nuclear industry is indeed different - or was, before Chernobyl, and still is in some places.
 
PRA assessments at nuclear power plants are just beginning to include external events (flood, seismic, wind etc) into their models. Currently approximately half of the utilities are implementing fire risk into the models; see NFPA 805 below:

http://www.nrc.gov/reactors/operating/ops-experience/fire-protection/protection-rule.html

I believe the first two pilot plants submitted their license amendments late last year, and I know the utility I worked at will submit theirs this summer.

The NRC was drafting a Generic Letter already last summer about seismic risk and I assume that it will be put on the front burner now given the political pressure.

Concerning flooding at the plant, I was involved during my co-op with an NRC finding for external flooding (plant uses a river as ultimate heat sink) and very detailed analysis was performed on which equipment will fail at a given river level. This can get very complicated when considering the number of penetrations in a given room for cables, piping etc. and not having the plant modeled in CAD.

While it wasn't specifically mentioned here, one of the reasons some plants locate vital equipment in the basement is due to tornado missiles.

My background: I am a senior in mechanical/nuclear engineering and was a co-op at a nuclear power plant in the PRA department. I am certainly not an expert, but I was able to pick the brains of the PRA engineers for knowledge.
 