tec-sim.de

Defence in Depth

Strange understanding of the Defence-in-Depth principle in the new German
"BMU Safety Criteria for Nuclear Power Plants - Revision D (2009)"

Text:
2.1 Defence-in-depth concept
2.1 (1) Confinement of the radioactive materials present in the nuclear power plant is ensured.
In order to achieve this objective, a safety concept is implemented in which measures and installations are allocated to different levels of defence which are characterised by the following plant states:
- Level of defence 1: normal operation (specified normal operation)
- Level of defence 2: abnormal operation (specified normal operation)
- Level of defence 3: accidents
- Level of defence 4a: very rare events
- Level of defence 4b: events with multiple failure of safety installations
- Level of defence 4c: accidents involving severe core damage (here, the goal is to maintain the confinement of the radioactive materials as far as possible).

 Comments:
In the general understanding level 4 is the level of defence against severe accidents. So it should be called "severe accidents". Severe accidents are defined as beyond design basis accidents in which a substantial core meltdown occurs (not only some fuel rod failures as in a design basis LOCA).

If a scenario exceeding level 3 does not lead to substantial core damage but is limited by inherent safety margins, what is the use of defining a sublevel 4a or 4b? If four safety installations are available, three fail but the fourth does the job, where is the problem or the need to define an extra sublevel?

The main objective behind these subdivisions is to introduce a systematic generalized approach in the safety concept of the nuclear plant. This is not possible because the safety concept is goal-oriented and different goals require a different specific technical solution.

Many times, nuclear safety experts explained to the admin that the design of their nuclear plant was particularly safe because all safety installations have a redundancy of four: there are four loops of the emergency decay heat removal etc…. The admin always asks back: so you have four containments?

One of the ideas of the subdivision is the playing around with the concept of "common mode failures" and "multiple failures". Basically all safety installations are not completely independent as required by the theory used in the probabilistic safety analysis. But engineers try to find a work-around in order to apply a mathematical theory though the prerequisites for the application are not given. They just assume that this violation does not make the theory completely inapplicable. They build up a complicated argumentation about the applicability. The way they deal with common mode failure and multiple failures is part of this attempt to disguise that only in specific scenarios the failure of one system will not coincide with the failure of all systems of the same making: Fukushima showed all emergency diesels failed in all units = the ultimate common mode and multiple failure.

 Text:

2.1 (2) Furthermore, measures for supporting disaster control are planned for accidents involving severe core damage in which considerable releases of radioactive materials to the environment cannot be prevented or limited by accident management measures, level of defence 5.
Comments:
This is a very strange understanding of defence-in-depth. All barriers have broken and everybody is running away and this panic situation is sold to the public as level-of-defence no. 5?  So maybe, they should also introduce the "end of the world" as level of defence no. 6.
 

Text:

2.3 (2) On levels of defence 1 to 4a, the following criteria are met:
for reactivity control:
- reactivity changes are restricted to values that have been demonstrated as being admissible,
- the reactor core can be shut down safely and can be kept subcritical in the long term ,
- upon the handling of fuel elements and in the storage for fresh fuel elements as well as in the fuel element storage pool, subcriticality is ensured;

for fuel cooling:
- coolant and heat sinks are always sufficiently available,
- heat transfer from fuel to heat sink is ensured,
- heat removal from the fuel element storage pool is ensured;

for the confinement of the radioactive materials:
- the mechanical, thermal, chemical and radiation-induced impacts resulting on the different levels of defence are limited such that the radiological safety objectives according to Section 2.4 are achieved and that fuel cooling is ensured.

2.3 (3) On level of defence 4b, the aim is to reach long-term compliance with the protection goals by accident management measures
2.3 (4) On level of defence 4c, the aim is to maintain by accident management measures the integrity of the containment for as long as possible, to retain the radioactive materials to the furthest possible extent and to reach a long-term controllable condition.

Comments:
The same argument as before. They are trying to bring some systematic approach in a philosophy which is based on a different concept. This ends up in complete nonsense.
On level 1 to 4a, … the reactor core .. be kept subcritical in the long term, on level 4b to 5 this is not required? Do the authors of this text really want to permit re-criticality on level 4b, 4c and 5?

Text:

On level 1 to 4a, …. for the confinement of the radioactive materials:
- the mechanical, thermal, chemical and radiation-induced impacts resulting on the different levels of defence are limited such that the radiological safety objectives according to Section 2.4 are achieved and that fuel cooling is ensured.
On level of defence 4b, the aim is to reach long-term compliance with the protection goals by accident management measures
On level of defence 4c, the aim is to maintain by accident management measures the integrity of the containment for as long as possible …

Comments:
Question 1:
Is fuel cooling not required on level 4b, 4c and 5? So no effort has to be made on these levels to cool the fuel? So what are the Japanese doing in Fukushima spending money and manpower on cooling the fuel? Not required in Germany!

Question 2:
To maintain the containment integrity as long as possible is required on level 4c and not on level 1 to 4b and level 5?
On level 1 to 4b you may accept a breach in the containment as long as you are trying to reach the radiological safety objectives or the long term compliance?

No, as soon as core melt is imminent you have to depressurize the primary circuit and use controlled containment venting. This means you have to choose the lesser evil and this is exactly the situation where the principle of priority to safety should be applied. The criteria for precautionary application of these measures should be laid down in the Design Criteria and exactly here at this location in the text, where the rules of defence-in-depth have to be specified.

Botton LIne:
This is only one small example. The complete text of the Design Criteria is poorly written and the admin could go on like this filling many pages, but this means hard work and the admin is not going to do it without being paid.