Nordic PSA Conference – Castle Meeting 2011 / 5-6 September 2011, Stockholm, Sweden

An Approach for Systematic Review of the Nuclear Facilities Protection against the Impact of Extreme Events

I. Kuzmina, A. Lyubarskiy, M. El-Shanawany
International Atomic Energy Agency
Wagramer Strasse 5, PO Box 100, 1400 Vienna, Austria
I.Kuzmina@iaea.org, M.El-Shanawany@iaea.org, A.Lyubarskiy@iaea.org

Abstract

The International Atomic Energy Agency (IAEA), through an extra-budgetary project funded by Norway aimed at building competence and capacity for nuclear safety, is also reviewing the impact of extreme events on plant response. The emphasis is currently placed on development of a methodology for a systematic review of the protection provided at a nuclear facility against the impact of extreme events. The methodology may be utilized through the IAEA’s existing Design and Safety Assessment Review Services. The scope of the methodology encompasses the principles of the ‘stress test’ being performed within the European Union; it will focus on the design and safety assessment aspects of the protection against extreme events including defence-in-depth, safety margins, robustness of the design, cliff edge effects, multiple failures, and the prolonged loss of support systems. The methodology will also focus on the evaluation of whether the emergency procedures, including severe accident management guidelines, provide sufficient guidance for the operator actions that need to be carried out for the extreme event damage states identified. The extra-budgetary project is also evaluating the means for dissemination and sharing the information relating to the lessons learned amongst Member States. The paper highlights some preliminary outcomes of the IAEA activities and encourages further discussion and development of the assessment methodology internationally.

1. BACKGROUND

The accident that occurred in Japan at Fukushima nuclear power plant (NPP) on 11th March 2011 highlighted the need to examine the impact of extreme events for extended design basis conditions on the level of protection provided at nuclear facilities and to identify possible vulnerabilities that the protection systems may have to extreme events. The latter include not only external events (natural and human-induced), but also internal hazards and all credible combinations, for which protection may not be explicitly envisaged in the design basis.

After the accident in Japan it became evident that further effort should be pursued worldwide to build and enhance competence and capacity for comprehensive safety assessment of NPPs and specifically for the analysis of the impact of extreme events and the sufficiency of protection against them in terms of systems, structures, and components (SSCs) and emergency procedures. The extra-budgetary project funded by Norway is focused on building competence and capacity for nuclear safety and is being utilized by the IAEA to promote the development of competence and capacity to review plant protection against extreme events.

A consultants’ meeting of a small group of experts was held at the end of June 2011 to identify priority areas where further work is needed and provide suggestions for specific activities. Specifically, it was found relevant to concentrate efforts on:

1) Enhancement of the IAEA’s existing Design and Safety Assessment Review Services to address extreme events;
2) Development of a methodology for a systematic assessment of the protection in terms of sufficiency and adequacy of safety provisions from the defence-in-depth perspective provided in a nuclear facility against the impact of extreme events including severe accident management guidelines (SAMGs); the methodology should encompass the principles of the ‘stress test’ being performed within the EU; and
3) Development of an approach for conducting peer reviews of plant protection on the basis of the existing IAEA safety review services and the methodology mentioned in Item (2).

For Item (2), work has already started, and the paper provides information on the developments that have taken place.

2. OVERVIEW OF THE FRAMEWORK OF ‘STRESS TEST’

In response to the challenges posed by the Fukushima accident, the European Commission (EC) and European Nuclear Safety Regulators Group (ENSREG) in its ‘Declaration of ENSREG’ [1] announced that all 143 NPPs within the European Union (EU) will undergo a safety examination named ‘stress test’. The latter is defined in Ref. [1] as a ‘comprehensive and transparent risk assessment’ focused on ‘targeted reassessment of the safety margins of NPPs in the light of the events which occurred at Fukushima: extreme natural events challenging the plant safety functions and leading to a severe accident’.

The scope and modalities of ‘stress test’ are specified in Ref. [1]. Two major analysis areas will be covered: (a) evaluation of the response of an NPP to the postulated extreme events, and (b) verification of the preventive and mitigative measures from the perspective of defence-in-depth.
The technical scope includes the consideration of external hazards with emphasis on earthquake, flooding, and combination of the two, accident sequences involving loss of power sources and ultimate heat sink, and mitigatory measures, including design provisions in terms of available equipment, emergency operating procedures (EOPs) and SAMGs.

The process of conducting EU stress tests will include the stages of self-assessment, regulatory review, and peer review. Technical reports will be produced at each stage and made available to the public. Full transparency is promoted throughout the whole process. Ultimately, the evaluation will provide indications of robustness of NPP designs being operated within the EU and highlight the measures to further enhance nuclear safety in response to extreme events.

The methodology being developed by the IAEA is aimed to encompass the scope and modalities of the EU stress test specified in Ref. [1].

3. DEVELOPMENT OF A METHODOLOGY FOR THE ASSESSMENT OF PLANT PROTECTION AGAINST EXTREME EVENTS

This section summarizes preliminary outcomes of the IAEA activities on development of a methodology for the assessment of plant protection against extreme events from the defence-in-depth perspective.

3.1 Definitions

Several terms that are widely used in connection with the discussion of plant response and protection in accident conditions need to be clearly defined. In this paper, the definitions provided below are used.

Design Safety Margins

There is no single definition of the term ‘design safety margins’ (or just ‘safety margins’). A review of different IAEA Safety Standards publications [Refs. 2, 3, 4] shows that the term ‘safety margins’ is primarily used in three different meanings reflecting different aspects of NPP design safety. Accordingly, for the purpose of the paper the following definitions are applicable:

1. Hazard/Fragility-Related Safety Margin – can be split into two parts:

1a. Design Hazard Safety Margin: the difference between the magnitude of the design basis hazard and a higher magnitude hazard that structures and components can factually withstand due to their internal inherent properties.
Means of assessment: load assessment, hydrological studies, structural analysis etc.

1b. Site Hazard Safety Margin: the difference between the magnitude of the hazard credible for the site and the magnitude that the plant can factually withstand.
Means of assessment: statistical analysis of event occurrence data; load assessment, hydrological studies, structural analysis etc.

2. Plant Parameters-Related Safety Margin: the difference between the values of design parameters for operation of components in accident conditions (including the reactor core) and the limiting values of the parameters, at which components fail. These are primarily pressure and temperature parameters.
Means of assessment: thermal hydraulic, neutronic, thermal physics calculations.

3. Plant Response-Related Safety Margin: the difference (in terms of components/systems) between the configuration of components that survived the accident and the minimal configuration of components needed to cope with the accident (both by the design and design extension provisions). Required human actions are also considered. These margins are assessed sequentially; firstly, for core damage scenarios, and then for containment failure scenarios.
Means of assessment: engineering analysis (deterministic and probabilistic) of sufficiency and adequacy of the design provisions in terms of equipment/components and procedures from the perspective of defence-in-depth.
Correlated Hazards

Correlated hazards are characterized by simultaneous occurrence of a causal combination of external and/or internal hazards that are not statistically independent. The frequency of simultaneous occurrence of correlated hazards is higher than the frequency estimated under the assumption of their full independence. Examples of correlated hazards include:

- Source correlated hazards: seismic hazard and tsunami;
- Phenomenologically correlated hazards: strong winds and heavy rain;
- Duration correlated hazards: any external hazards occurring during the prolonged hot summer temperature period;
- Induced hazards: seismic hazards and seismically induced fire, etc.

Extreme Event

An extreme event is an event involving widespread damage to the systems, structures and components at a nuclear facility caused by an external or internal hazard or correlated hazards that is more severe than the postulated initiating events and component failures considered in the design of the plant. Such an event would provide a severe challenge to the ability of the plant to carry out the fundamental safety functions of criticality control, removal of residual heat and confinement of radioactive material. However, even for an extreme event, the plant may be capable of withstanding the damage due to the existing plant response safety margins.

Limiting Extreme Event

A limiting extreme event is an extreme event of a very low probability, for which there are no plant response safety margins to prevent core damage. For the limiting extreme events caused by external hazards, the magnitude of the hazards is of specific interest as it characterises the threshold beyond which core damage is unavoidable.
3.2 Objectives, General Framework, and Scope of the Assessment Methodology

The methodology for the assessment of plant protection against extreme events being developed by the IAEA focuses on the assessment of the plant response safety margins from the perspective of defence-in-depth in accordance with the definitions given above.

It is currently envisaged that the assessment methodology will include five stages as follows:

(1) Examination of accident scenarios leading to core damage (CD) in the reactor
(2) Examination of accident progression after the core is damaged and associated severe accident management programmes (SAMP)
(3) Examination of accident scenarios involving other sources of radioactivity such as spent fuel pool (SPF), radioactive waste treatment facilities, etc. focusing on fuel damage scenarios
(4) Examination of interactions between plant units at multi-unit sites and the accident scenarios involving simultaneous failures of containments
(5) Integral evaluation of the results of the assessments accomplished in the previous four stages and drawing attention to potential safety improvements as appropriate.

The first two stages form the basis of the assessment methodology. The first stage will be focused on prevention of severe accidents with core damage, and the second stage will deal with mitigation of the consequences of core damage and prevention of containment failure. The methodology for Stages #3 and #4 will be based on the methodologies for Stages #1 and #2 with necessary adjustments. Stage #5 will focus on holistic consideration of all the results obtained in the previous four assessment stages for all plant units located at the site.
The range of nuclear installations for which the methodology is applicable is currently restricted to NPPs only, although the principles and concepts can be applied to other nuclear installations as well.

3.3 General Approach

Systematic assessment of the NPP response to extreme events, with focus on long term development of the accident and identification of cliff edges in provision of important support functions (AC, DC power, essential service water, etc.) and safety functions, is usually beyond the scope of the licensing basis. Plant systems – normal operation as well as safety classified – have usually been assessed only against design basis accidents. Comprehensive assessment of an overall NPP response would necessitate a large set of analyses performed for different initial conditions affected by extreme events.

Generally, the assessment approach is aimed to estimate the robustness of the relevant safety systems, civil structures and the continued presence of the defence-in-depth principle for load cases that exceed the design basis. The overall approach is based on the IAEA Safety Standards.

The assessment is focused on determining whether the SSCs that remain available in the NPP following an extreme event are sufficient to carry out the fundamental safety functions of:

- Criticality control;
- Residual heat removal; and
- Confining radioactive material (focus on providing containment integrity which requires heat removal from the containment, prevention of containment overpressure, prevention of containment bypass through interfacing systems, and containment isolation).

In order to achieve the three fundamental safety functions, different safety-related aspects need to be addressed, such as provisions for redundancy, diversity, spatial separation, absence of cliff edges – that is, there is no sudden aggravation of the situation.

The first stage assessment specified above in Section 3.2 deals with the first two fundamental safety functions.
Currently, the first stage assessment methodology (i.e. examination of accident scenarios leading to core damage in the reactor) is under development; details are provided further in the paper.

3.4 Overview of the Methods for the First Stage Assessment

Specific objectives

The specific objectives of the first stage assessment for NPPs are the following:

- To identify all credible limiting extreme events and the associated accident scenarios (leading to core damage) in terms of initiating events accompanied by component failures and identify possible technical measures that could be implemented to prevent core damage.
- To perform a bounding assessment of the frequency of limiting extreme events, for which no reasonable measures could be suggested.
- For the extreme events of the magnitude lower than the respective limiting extreme event, to evaluate the sufficiency of the existing plant response safety margins from the perspective of defence-in-depth and to identify practical measures that could be implemented to reduce plant vulnerability, if found appropriate.

Methods

Two practical methods are proposed for the first stage assessment to address the fundamental safety functions of criticality control and residual heat removal.

1) Fault Sequence Analysis (FSA) Method

The method uses linked event trees and fault trees developed for an NPP under consideration in the course of an internal initiating events Level-1 PSA. Specifically, the method focuses on the analysis of minimal cutsets (MCSs) generated in PSA. A minimum prerequisite for the use of the FSA method is the availability of a Level-1 internal initiating events PSA of reasonable technical quality/level of detail. In case a more comprehensive PSA is available (e.g. internal and external hazards PSA), then a more comprehensive fault sequence analysis can be performed.
2) Configuration Matrix (CM) Method

The CM method is based on the application of the defence-in-depth concept, Levels 3 and 4, to an NPP in beyond design basis conditions due to extreme events. The method requires development of a dedicated tool (a database) allowing for a systematic treatment and assessment of the availability of all combinations of SSCs under different conditions evolving as a consequence of an extreme event. It can be employed if a Level 1 PSA of reasonable technical quality/level of detail is not available.

The two methods are aimed to examine minimal combinations of components and human actions needed to assess the plant protection against extreme events: the FSA method analyses critical failure configurations, and the CM method analyses the success configurations.

The major difference between the methods is that the first method requires the availability of a Level-1 PSA for internal initiators (as a minimum, in terms of minimal cut sets for the Loss of Off-site Power (LOOP) initiating event) of a reasonable quality, and the second method can be applied even when only deterministic analyses are available, but it requires substantial efforts to prepare information needed for the analysis.

Discussion on common features of FSA and CM methods

In both methods, the assessment of vulnerability of the complete NPP has been transformed into the assessment of specific vulnerabilities of all individual plant systems (operational and safety related) that can be used, and of operator actions (including accident management) that can be performed, under the specific conditions caused by the extreme event, to maintain the fundamental safety functions. That means that the consequences of the extreme event are to be analysed from all points of view (safety functions, operational regimes, recovery actions, cliff edges, timing, etc.) important for long term provision of subcriticality and residual heat removal.

The following specific common features of the two methods could be listed:

1) The methods use a stepwise approach, in which the magnitude of the extreme event and associated loads are gradually increased until a limiting extreme event is identified. Steps are defined according to the nature of the hazard; for example, for a flood, one step increase in magnitude could be a flood level 1 meter higher for tidal water, or a river flow larger by a factor of 1.5.

2) Both methods need data on the location of plant components in plant compartments, equipment qualification, and the elevations where electrical parts of components are located.

3) The methods apply the same set of basic assumptions:

- Off-site power is lost for a prolonged period (non-recoverable) and all external power sources (except for emergency power) are not available;
- SSCs fail if loads (acceleration, vibration, humidity, temperature) exceed design loads;
- SSCs remain operational if loads are below design loads;
- All equipment located inside damaged buildings/structures or close to the failed structures is inoperable;
- Human actions are successful if:
  - They are performed remotely from the Main Control Room (MCR) and it is not affected by the extreme event;
  - They are performed locally and the hazard does not affect the location and the pathways to the location.
  Otherwise human actions are assumed to be impossible.

In addition, the assessment initially assumes the adequacy of the existing design basis and the appropriateness of existing procedures/guidelines.

4) Both methods are iterative: after a limiting extreme event is identified and no technical measures to increase safety margins are available, attempts are to be made to revise the assumptions and to assess them more realistically.
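The stepwise search shared by the two methods, as an added example that is not part of the paper or of any IAEA tool: it raises a flood level in 1 m steps and finds the limiting magnitude both from minimal cut sets (FSA view) and from success configurations (CM view). All component names, capacities, cut sets and configurations are constructed, and the cut sets are chosen as the exact dual of the configurations, so the two views must agree; running both on one system goes beyond what the text states.

```python
# Added example (not from the paper): stepwise search for the limiting extreme
# event, done both ways. All names, flood levels and capacities are constructed.

# Flood level (m) each element withstands; above it the element is assumed failed.
CAPACITY_M = {
    "DG_A": 2.5,        # emergency diesel generator A
    "DG_B": 4.5,        # emergency diesel generator B
    "MD_PUMP": 3.5,     # motor-driven feedwater pump (needs one diesel)
    "TD_PUMP": 5.5,     # turbine-driven feedwater pump (no AC power needed)
    "OP_LOCAL": 2.5,    # local operator action; its access route floods above 2.5 m
}

# CM view: success configurations; any one fully operable set removes residual heat.
CONFIGURATIONS = [
    {"DG_A", "MD_PUMP"},
    {"DG_B", "MD_PUMP"},
    {"TD_PUMP", "OP_LOCAL"},
]

# FSA view: minimal cut sets of the same system; a fully failed set means core damage.
MINIMAL_CUT_SETS = [
    {"MD_PUMP", "TD_PUMP"},
    {"MD_PUMP", "OP_LOCAL"},
    {"DG_A", "DG_B", "TD_PUMP"},
    {"DG_A", "DG_B", "OP_LOCAL"},
]

# Stepwise magnitudes: start at the design-basis level, then +1 m per step.
LEVELS_M = [1.0, 2.0, 3.0, 4.0, 5.0, 6.0]


def failed(element, level):
    """Basic assumption: an element fails once the load exceeds its design load."""
    return level > CAPACITY_M[element]


def susceptibility_row(element, levels=LEVELS_M):
    """One row of the susceptibility matrix: O operable, F failed, X failed earlier."""
    row, seen_failure = [], False
    for level in levels:
        if not failed(element, level):
            row.append("O")
        else:
            row.append("X" if seen_failure else "F")
            seen_failure = True
    return row


def impact_vector(cut_set, level):
    """Impact-matrix entry: O/F status of each element of one cut set at one level."""
    return {e: ("F" if failed(e, level) else "O") for e in sorted(cut_set)}


def fsa_limiting_event(cut_sets=MINIMAL_CUT_SETS, levels=LEVELS_M):
    """Lowest magnitude at which some cut set is fully failed, with those cut sets."""
    ordered = sorted(cut_sets, key=len)          # lower-order cut sets first
    for level in levels:
        critical = [sorted(cs) for cs in ordered
                    if all(v == "F" for v in impact_vector(cs, level).values())]
        if critical:
            return level, critical
    return None, []                              # no limiting event in the range


def operable_configurations(level, configurations=CONFIGURATIONS):
    """Configurations with every element still operable at this magnitude."""
    return [sorted(c) for c in configurations
            if not any(failed(e, level) for e in c)]


def cm_limiting_event(configurations=CONFIGURATIONS, levels=LEVELS_M):
    """Lowest magnitude at which no success configuration remains."""
    for level in levels:
        if not operable_configurations(level, configurations):
            return level
    return None


if __name__ == "__main__":
    for name in CAPACITY_M:
        print(f"{name:9s}", " ".join(susceptibility_row(name)))
    for level in LEVELS_M:
        print(level, "m ->", len(operable_configurations(level)), "configuration(s) left")
    print("FSA:", fsa_limiting_event())
    print("CM :", cm_limiting_event())
```

In this constructed case a single configuration survives at 3 m and none at 4 m, which is the kind of cliff edge the assessment looks for; the critical cut set points at the motor-driven pump and the local operator action as the candidates for protective measures.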
3.5 Fault Sequence Analysis Method

The logical models constructed in Level-1 PSA identify the fault sequences that start from a potential initiating event and proceed to core damage through possible failures of components needed to mitigate the accident. These logical models in Level-1 PSA take account of:

- The safety functions of criticality control and residual heat removal;
- Combinations of safety systems and other equipment that could operate to perform these safety functions;
- Support systems that are required for operation of front line systems; and
- Required operator actions.

These logical models can be used to carry out an analysis of the fault sequences that could occur following an extreme event and they form a basis of the FSA method.

The framework of the FSA method is illustrated in Fig. 1. It includes four major steps:

STEP 1: Information collection
STEP 2: Identification of components susceptible to damage
STEP 3: Identification of critical combinations of components failures/human errors
STEP 4: Identification of possible measures

Step 1: Information collection

At this step, all information needed to perform the analysis is gathered and analysed. The information that needs to be collected and information sources are shown in Table 1.

The outcomes from Step 1 are the following:

- Compiled list of extreme events with parameters and magnitudes to be analyzed, including single and correlated hazards with indication of the hazards beyond the design basis;
- Information on component elevations and locations in buildings/compartments, design operation limits, etc. (i.e. characteristics needed for assessment of vulnerabilities towards extreme events for the SSCs and human actions);
- List of components and human actions included in the accident sequences;
- List of minimal combinations (i.e. MCSs) of component failures and/or human errors that having occurred simultaneously would lead to CD.
The initiating event to be considered in most cases will be LOOP or LOCA in LOOP conditions.

Fig. 1 Steps of the Fault Sequences Analysis Method

STEP 1 Information collection
- Data source 1 (SAR, hazard assessment studies, lists of extreme events): compiled list of extreme events with parameters and magnitudes to be analyzed
- Data sources 2 and 3 (PSA; SAR, plant layout drawings, TecSpec): information on component elevations and locations in buildings/compartments, design operation limits; list of components and human actions included in accident sequences; list of minimal combinations of component failures and/or human errors that having occurred simultaneously would lead to CD

STEP 2 Identification of components susceptible to damage
- Analysis of susceptibility of components included in accident sequences for the damage due to the specified extreme events of various magnitudes
- Output: list of components and human actions with indication of the potential to damage due to the specified extreme events of various magnitudes

STEP 3 Identification of critical combinations of components failures/human errors
- Identification of critical combinations of component failures and/or human errors that could occur simultaneously due to the damage imposed by the specified extreme event
- Associated limiting extreme events (including their magnitudes) are to be identified
- This process is repeated for all specified extreme events of various magnitudes
- Output: list of critical combinations of components and/or human errors with indication of the associated limiting extreme events

STEP 4 Identification of possible measures
- Analysis of possible feedback measures and their implementation in the plant

REPORTING ON THE RESULTS OF THE ASSESSMENT OF PLANT RESPONSE

Table 1 Example of Information Required for FSA Method

1) Information to be collected: List of hazards with parameters and magnitudes to be analysed. The list of hazards is compiled based on:
   - List of hazards considered in the safety analysis report
   - Generic list of hazards recommended by the IAEA Safety Guide SSG-3 [5]
   - External and internal hazards considered in PSAs for similar units and units located in the region.
   Information source: PSR, hazard assessment studies, SSG-3 [5], plant walkdowns
   Comments: Correlated hazards are included in the list of hazards.

2) Information to be collected: Information on characteristics needed for the assessment of vulnerabilities against extreme events for the components and human actions identified in Level-1 PSA:
   - Location (building, floor, room)
   - Elevations
   - Qualification (against acceleration, humidity, direct water impact, vibration, temperature, electromagnetic disturbance, other environmental conditions, etc.)
   - Control (e.g. main control room, reserve control room, control cabinets room, local)
   - Supporting function needed for operation (component cooling, air cooling, oil, pressurized air)
   - Electrical power supply, other support systems, etc.
   - Time windows for operator actions
   - Location of the place where the action is performed.
   Information source: PSA, PSR, plant layout drawings, Technical Specifications, fragility studies, system drawings, system operational manuals, EOPs, SAMGs, etc.
   Comments: Additional human actions (not included in the Level-1 PSA) that can be performed to control systems/component operation are identified based on the information from system operational manuals, EOPs, SAMGs.

3) Information to be collected: List of components and human actions that are needed to prevent core damage or radioactive releases for the most severe initiating events included in the Level-1 internal initiating events PSA model that can be caused by the extreme event under consideration.
   Information source: Level-1 internal initiating events PSA
   Comments: The most severe initiating event is defined as follows:
   - LOCA with LOOP conditions (when extreme event has a potential to cause LOCA);
   - LOOP in all other cases.

4) Information to be collected: List of minimal combinations of components failures and/or human errors that being failed simultaneously would lead to core damage.
   Comments: The minimal combinations are extracted from the existing PSA as a list of MCSs for LOOP event (no recoveries are applied) or have to be redefined, if needed, by the quantification of LOCA event tree with assigned LOOP conditions.

Step 2: Identification of components susceptible to damage

At this step, an analysis of susceptibility of components and/or human actions included in the accident sequences for damage due to the specified extreme events of various magnitudes is made based on the information collected. The following is checked:

- Design resistance of the components and their cables¹;
- Resistance of structures housing the components; and
- Feasibility of human actions.

¹ Generally in Level-1 PSA cables are not included in the model; therefore it is important to extend the consideration of the components to the cables associated with them (power, control and instrumentation).

The impact of extreme events is analyzed starting from the ‘initial magnitude’, for which the plant is designed. It is expected that for this magnitude, no induced damages will occur. The magnitude of the event is increased until it becomes physically impossible, or until all components and human actions are disabled, or until the frequency of the extreme event is proved to be below 1.E-7 per year based on reliable analysis.

When design resistance is higher than the loads caused by the considered extreme event, the component is assumed to be operable; otherwise it is assumed failed.
Similarly, human actions are assumed failed when the considered extreme event significantly affects the possibility to perform them. The process stops when all extreme events (including those caused by correlated hazards) are considered.

The analysis may be documented in the form of the susceptibility matrix presented in Table 2.

Table 2 Example of Susceptibility Matrix
(Rows: Component #1 … Component N and Human Action #1 … Human Action M. Columns: Magnitude 1, Magnitude 2, … Magnitude N, repeated for each of Extreme Event 1 … Extreme Event i. Each cell holds one of the legend entries.)
Legend: O – operable; F – failed; X – failed at a lower magnitude of the extreme event

The outcome of this step is a list of components and/or human actions with indication of the potential to damage due to the specified extreme events of various magnitudes.

Step 3: Identification of critical combinations of component failures and/or human errors

At this step all SSCs and human actions included in MCSs for the selected initiating event (e.g. LOOP or LOCA with LOOP) are analysed for the potential to be disabled simultaneously by the conditions caused by the extreme events identified. The analysis is done based on the results of the previous step and the list of MCSs by means of the impact matrix presented in Table 3.

Table 3 Example of Impact Matrix
(Rows: Magnitude 1, Magnitude 2, … of each of Extreme Event 1 … Extreme Event i. Columns: combinations of SSCs and human actions, grouped by Minimal Cut Set #1, Minimal Cut Set #2, …, each with its Component 1 … Component N and Human Action 1 … Human Action M. Each cell holds one of the legend entries.)
Legend: O – operable; F – failed

If an element in the MCS is disabled, the corresponding cell is marked by ‘F’ (failure); if not, it is marked by ‘O’ (operable). Rows of the impact matrix represent impact vectors characterizing the status of the elements in respective MCSs.

The whole analysis is conducted starting from lower orders of MCSs (i.e. lower number of elements in MCSs) proceeding to higher orders. The more MCSs are considered, the more comprehensive the analysis.

The output of this step is a list of critical combinations of components and/or human errors with indication of associated limiting extreme events.

Step 4: Identification of possible measures

At this step, an analysis of possible feedback measures and their implementation in the plant is performed. For the critical failures identified at the previous step, it is checked whether EOPs and SAMGs not credited in the PSA are available and adequate to prevent core damage. It is also considered whether any practically reasonable technical measures can be suggested to prevent critical components from failure and promote feasibility of human actions.

If no technical measures could be proposed for the limiting extreme event, a bounding assessment of its frequency should be performed and this should be considered in the final decision.

The results of the analysis are documented in detail for the reporting purposes and decision making.

3.6 Configuration Matrix Method

The CM method allows consideration of the stepwise increase of the ‘magnitude’ of the extreme events until the ultimate consequential loss of all safety functions is indicated.
All potential impacts of extreme events on the operability of relevant SSCs – environmental parameters, seismic impact, power supply and cooling means, other supporting systems, required operator actions, etc. – are taken into account and considered either quantitatively or qualitatively.

The method includes the development of a database tool and proceeds along the following route:

Preparation for the assessment (database development)

1. Identification of all configurations of SSCs which can provide for the specific safety function in a specific operational regime. Configurations can be presented in a matrix form (therefore a ‘Configuration Matrix’ approach).

2. Grouping of the identified ‘configurations’ into sets respective to a specific safety function and operational regime of the NPP and compilation of the list of all relevant SSCs (i.e. SSCs used in at least one configuration).

3. Definition for all SSCs of the representative quantitative characteristics which are relevant from the perspective of extreme events. These quantitative characteristics represent the margins of the SSCs against the consequences of extreme events and allow assessing the vulnerability of the SSCs. The SSCs characteristics needed for assessment of vulnerabilities against extreme events and addressed in the database are shown in Table 1.

4. Storage of all information (identified and verified ‘configurations’, collected SSC characteristics) in the dedicated database (e.g. simple MS Excel sheets or a dedicated database with user-friendly interface and controls of inputs).

Assessment

After the dedicated database is completed, the assessment is performed in the following steps:

5. Identification of the extreme event (single and correlated).

6. Definition of the ‘initial’ severity of the extreme event.

7. Estimation of the impact of the extreme event on the SSCs and its introduction as an input (or several inputs) into the database.

8. Assessment of the availability of SSCs based on the estimated impact and assignment of the ‘failed’ states to those SSCs in which the design limits have been exceeded, support functions affected/lost, etc. The assessment is performed according to the specific methodologies capable of accounting for different impacts of the extreme events (e.g. submergence, humidity spray impact, direct water loads for floods).

9. Identification of the remaining operable configurations and of potentially recoverable configurations (e.g. those with only one component unavailable). Analyses of potential recovery actions (under specific environmental conditions on site) with account for necessary resources and their availability.

10. Analysis of the potential cliff edges. This information is available in the database as all configurations are characterized by their different ‘capacities’, which include the time window for availability, e.g. due to media resources, power resources, etc.

11. Increase of the severity of the extreme event (single or correlated) and repetition of Steps #7 – 10 until all configurations needed for a specific safety function are lost. This severity will be the limiting extreme event when the capability to maintain a specific safety function is lost.

12. Analysis of measures and their implementation in the plant (similar to Step 4 in the FSA method).

4. CONCLUSIONS

The IAEA, through an extra-budgetary project funded by Norway aimed at building competence and capacity for nuclear safety, is also reviewing the impact of extreme events on plant response and evaluating the means for dissemination and sharing the information relating to the lessons learned amongst Member States. The paper contributes to these activities.
The methodology for assessment of plant protection against the impact of extreme events presented in the paper is currently in an initial development stage; the overall approach and ideas were elaborated during the consultants’ meeting held in June 2011. The methodology is seen to be a useful tool to facilitate the review of plant protection against extreme events; it may be used either as an analysis tool or a review tool, or both. The methodology is open for discussion and further development.

5. ACKNOWLEDGEMENTS

The IAEA would like to thank the invited experts, Mr. Charles Shepherd, UK, Mr. Jozef Misak, Czech Republic, and Mr. George Vayssier, Netherlands, for their contribution to the outcome of the consultants’ meeting held in June 2011 and active collaboration on the development of the assessment methodology.

6. REFERENCES

[1] Declaration of ENSREG, EU "Stress Tests" specifications, May 2011, http://www.ensreg.eu/node/286.
[2] INTERNATIONAL ATOMIC ENERGY AGENCY, Fundamental Safety Principles, IAEA Safety Standards Series No. SF-1, IAEA, Vienna, 2006.
[3] INTERNATIONAL ATOMIC ENERGY AGENCY, Safety Assessment for Facilities and Activities, IAEA Safety Standards Series No. GSR Part 4, IAEA, Vienna, 2009.
[4] INTERNATIONAL ATOMIC ENERGY AGENCY, Safety of Nuclear Power Plants: Design, Specific Safety Requirements 2.1, Revision of NS-R-1, Final Draft DS414, IAEA, Vienna, June 2011.
[5] INTERNATIONAL ATOMIC ENERGY AGENCY, Development and Application of Level 1 Probabilistic Safety Assessment for Nuclear Power Plants, IAEA Safety Standards, Specific Safety Guide SSG-3, IAEA, Vienna, 2010.
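The assessment loop of the Configuration Matrix method in Section 3.6 (Steps 5 to 11) can be sketched as follows. This is an added example, not code from the paper or the IAEA: the SSC names, flood limits, configurations, time windows and the `factor` cliff-edge criterion are all constructed assumptions.

```python
# Constructed data (not from the paper): flood level in metres at which
# each SSC is assumed to exceed its design limit.
FLOOD_LIMIT_M = {"DG-A": 2.0, "DG-B": 2.0, "MOBILE-DG": 6.0,
                 "PUMP-A": 3.5, "PUMP-B": 4.0, "FIRE-PUMP": 5.0}

# Constructed configurations for one safety function in one regime:
# name -> (SSCs required, time window in hours the configuration can run)
CONFIGURATIONS = {
    "C1": ({"DG-A", "PUMP-A"}, 168),
    "C2": ({"DG-B", "PUMP-B"}, 168),
    "C3": ({"MOBILE-DG", "PUMP-B"}, 72),
    "C4": ({"FIRE-PUMP"}, 8),
}

def classify(level_m):
    """Steps 7-9: split configurations into operable and recoverable."""
    failed = {s for s, limit in FLOOD_LIMIT_M.items() if level_m >= limit}
    operable, recoverable = [], []
    for name, (sscs, _hours) in CONFIGURATIONS.items():
        lost = sscs & failed
        if not lost:
            operable.append(name)
        elif len(lost) == 1:      # only one component unavailable
            recoverable.append(name)
    return operable, recoverable

def assess(levels_m):
    """Steps 6-11: raise severity until no configuration stays operable."""
    history = []
    for level in levels_m:
        operable, recoverable = classify(level)
        coping_h = max((CONFIGURATIONS[c][1] for c in operable), default=0)
        history.append({"level_m": level, "operable": operable,
                        "recoverable": recoverable, "coping_h": coping_h})
        if not operable:
            return history, level   # limiting extreme event severity
    return history, None            # function survives all tested levels

def cliff_edges(history, factor=4):
    """Step 10 (assumed criterion): severity steps where the best time
    window shrinks by at least `factor` relative to the previous step."""
    return [cur["level_m"] for prev, cur in zip(history, history[1:])
            if prev["coping_h"] >= factor * cur["coping_h"]]

if __name__ == "__main__":
    history, limiting = assess([1.0, 2.0, 3.0, 4.0, 5.0, 6.0])
    for row in history:
        print(row)
    print("limiting level (m):", limiting, "cliff edges:", cliff_edges(history))
```

With the constructed data, the safety function is lost at a 5.0 m flood, while configurations C3 and C4 remain candidates for recovery actions under Step 9.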