«Item 7b Severe Accidents Related Issues Preliminary Monitoring Report Report to the Federal Ministry of Agriculture, Forestry, Environment and Water ...»
Additionally to MELCOR analyses, based on modelling the containment with only a limited number of volumes, a 3-D analysis with GASFLOW has been performed to show a different picture of hydrogen distribution in the Temelín containment, here subdivided into a fine mesh of 52,080 volumes. The results of this analysis are discussed below in Section 4.3.2 and 5.5.
ETE Road Map - Preliminary Monitoring Report – Item 7b: Severe Accidents Related Issues 85
4.2 Discussion of selected accident sequences 4.2.1 PRISE Sequences PRImary to SEcondary leakages (PRISE) are those occurring due to Steam Generator tube ruptures (SGTR) or in WWER units due to primary collector leakages to the secondary side of SG. They are potentially dangerous events, because due to leakages in steam generators two barriers preventing fission products releases – namely RCS boundary and reactor containment – are lost at the start of the accident, and the two other barriers – fuel pellet matrix and fuel cladding – can be lost in the course of the accident, unless it is effectively mitigated.
Moreover, in this accident fission products are released together with steam, which results in their long range carry-over, with maximum deposition densities in the distances of 30÷50 km [SONS 01]. In order to gain the necessary insights concerning strategies to be followed after PRISE a set of calculations was undertaken within PN7.
Two variants of the PRISE sequence were calculated. In the first case, the scenario was modeled assuming that the BRU-A valve performs without failure. The Czech experts claim BRU-A qualification for two-phase and water flow, although questions have been raised in this regard in an earlier Roadmap project [UBA 2003]. As a result, a second calculation was done assuming that the BRU-A valve fails open after it passes water flow. The results of these two calculations are markedly different, thus emphasising the importance of BRU-A qualification for water and two-phase flow.
It is worth noting that even if the valve is assumed to be qualified, the valve is demanded to be opened and closed many dozens of times during the course of the transient. Even if fully qualified, the valve has a demand failure rate for opening and closing which, if applied dozens of times in the course of a transient results in a non-negligible conditional probability that the valve will fail. A typical failure-to-close rate is about 5×10-3 per demand, so if the valve is demanded a few dozen times, the failure rate for the entire scenario is quickly above 10%.
Thus, even if - as asserted by the Czech experts - the BRU-A is fully environmentally qualified, due to the large number of opening and closing demands during the PRISE accident, there is a significant chance that the valve will fail open anyway.
The base case calculation, with the BRU-A assumed to perform correctly, results in an extremely long accident progression. Assuming no actions to either depressurise the reactor coolant system or provide additional water to the sump to assure extended high pressure injection (there are three 400 m3 tanks of borated water which can be pumped at 50 m3/h to the containment sump to provide for additional HPI water supply) [Czech 01], the MELCOR 1.8.5 calculations indicate that approximately five days are available for recovery actions before the core starts to heatup leading to severe accident conditions.
During such an extended period of time (five days, compared with a number of other severe accident sequences which go to core damage between one and twenty hours), it is nearly inconceivable that there would be a failure to depressurise the reactor coolant system and provide makeup water to the containment sump. Even if the plant staff develops a fixed mindset about what is going on – and bear in mind that the symptom-oriented EOPs and SAMGs are designed to avoid such a condition – with five days available it is hard to imagine that assistance would not be forthcoming from the regulatory authority, from the Czech research center (NRI Rez), and from international entities (e.g., Westinghouse, EU research and regulatory organisations, the OECD Nuclear Energy Agency partners of the Czech Republic, and the International Atomic Energy Agency partners of the Czech Republic) that would allow the overcoming of this mindset and the termination of the accident scenario well short of core damage within five days.
86 ETE Road Map - Preliminary Monitoring Report – Item 7b: Severe Accidents Related Issues Thus, it is concluded that the PRISE accident with nominal performance of the BRU-A valve on the main steam line of the affected steam generator would be very unlikely to result in core damage.
When the BRU-A is assumed to stick open when first challenged with a water discharge, the calculation resulted in a severe accident with reactor vessel failure occurring between 18 and 19 hours after the start of the accident assuming failure of the operating staff to implement EOP provisions to depressurize the primary coolant system. This outcome shows the sensitivity of the progression of the scenario to the status of the BRU-A valve.
The updated Temelín PSA estimated the frequency of the base case scenario at 3,09×10-6 [1/a] [Mlady 03 a]. However, as noted above, it is considered very unlikely for the base case scenario to result in core damage due to the extremely long period of time (over five days) before core heatup leading to severe accident conditions occurs.
Thus, the PRISE sequence leading to core damage would have frequency of the updated Temelín PSA value times the conditional probability of BRU-A failure (i.e. 3,09×10-6 [1/a] times 0,1 for a frequency of 3,09×10-7 [1/a]). Even for this frequency, it is not clear that the full measure of SAMG actions has been considered in the updated PSA. Several SAMG strategies appear to provide means for either terminating the PRISE accident progression outright (SAG-2, "Depressurize the RCS"), extending the time available for recovery (SAG-3, "Inject Into the RCS", or SAG-4, "Inject Into the Containment"), or at the least mitigating the accident consequences (SAG-1, "Inject Into Steam Generators").
It is recommended that the scenario quantification in the PSA be revisited by ČEZ to consider: (a) the thermal-hydraulic accident progression calculations for the sequence, (b) the conditional probability of BRU-A failure to close given numerous actuations (as indicated by the thermal-hydraulic calculations), and (c) the influence on scenario frequency resulting from implementation of the SAMGs.
4.2.2 Station Blackout
This scenario is due to loss of AC power from internal and external sources, and failure to start at least one of the three Diesel Generators. This loss of power leads to the failure of Emergency Feedwater System (EFW), High Pressure and Low Pressure Injection System (HPIS, LPIS), Containment Spray system (CSS). Passive safety features are available (Safety Injection Tanks (SITs), Safety Valves (SV) on the pressurizer (PRZ) and on Steam Generators (SGs) and systems that receive power from accumulator batteries (BRU-A, the emergency gas removal system (EGR), the containment isolation valves) remain available.
The time for battery discharge determines how long the operators can monitor plant status with their instrumentation and perform some limited actions, which require only battery power (but no AC power). When the batteries are run out, the control over the plant is lost. Therefore, the battery capacity is of high importance for severe accident management. In the MELCOR 1.8.5 calculation in PN7 reported below, the design value of 1 hour was used as the time of battery depletion (information presented at the Prague Workshop indicates that with proper operator response to conserve battery power, a time of 3÷4 hours can be achieved).
During blackout in a WWER 1000 NPP the heat from the core is removed by natural circulation of the coolant to the SG and then by evaporation of water in SG and steam release through BRU-A to the environment. It is worth to be noted that failure of secondary depressurization capabilities is unlikely (should the BRU-A fail closed in a main steamline the main steam line safety valves, two per steam line, would lift at a somewhat higher pressure to release steam to the environment.) ETE Road Map - Preliminary Monitoring Report – Item 7b: Severe Accidents Related Issues 87 The MELCOR calculation indicates that the first BRU-A opening occurs within 200 seconds of the loss of power. The loss of water from the secondary circuit during its depressurization through the BRU-As (which open at 7,3 MPa) and the absence of feedwater injection to the SGs leads eventually to full dry-out of the SGs at 7100 seconds (118 minutes). This sharply decreases heat removal from the RCS. Then the heat is removed by primary coolant heatup that leads to primary pressure increase above 17,6 MPa and steam dump into containment through pressurizer relief or safety valve. The pressuriser fills and begins water relief at about 8300 seconds (138 minutes) after the loss of power. As the pressurizer relief ("barbotage") tank fills up, the tank membrane fails, leading to the first significant release of water and steam into the containment.
After about 10 000 seconds (166 minutes), core uncovery begins. The start of metal/water reaction between the hot zircaloy fuel cladding and steam begins at about 14 700 seconds (4 hours). Core slump to the lower head occurs at about 19 800 seconds and RPV failure occurs soon after at 20590 seconds (5,7 hours). RPV failure occurs at high pressure due to the unavailability of means by which to depressurise the reactor coolant system below the pressure of 1÷2 MPa at which pressure melt ejection and direct containment heating can occur.
At the time of RPV failure by melt-through, the sudden reactor pressure drop causes the SITs to discharge their fluid to the reactor vessel, and part of corium is cooled with water causing it to remain within the reactor vessel. After vessel failure, any remaining water from the SITs enters the reactor cavity through lower head failure area, together with molten corium. Corium remaining in the reactor vessel is heated up again and after repeated melting at high temperature reaches the reactor cavity in the form of low pressure "pours" through the RPV failure location.
At the time of RPV failure, the pressure in the reactor cavity was estimated to rise to somewhat less than 0,8 MPa. As the containment (and internal structures) are designed for the design basis accident (large LOCA) pressure of 0,49 MPa, this pressure rise should not (considering normal conservatism in design) present a threat to the structural integrity of the reactor cavity. Also at the time of RPV failure, the average containment pressure rises sharply to about 0,45 MPa as a result of melt ejection and direct containment heating. This pressure is below the design pressure of the containment, and would not be associated with a potential for containment failure. However, without heat removal from the containment, containment pressure starts a slow rising trend until about 32 hours when the containment pressure would rise above 1 MPa, which is close to the estimated median failure pressure of the containment. At around this time or soon after, containment failure would be expected to occur due to overpressure resulting from the lack of containment heat removal.
The calculation above assumed unrecovered loss of AC power. The sequence frequency estimated in the updated Temelín PSA implies that the station blackout condition lasts long enough for core melt and RPV failure to occur (i.e., between 5 and 6 hours). Continued station blackout conditions in the time after this would in reality be at a lower frequency of occurrence. Nearly all station blackout conditions would be expected be recovered within 32 hours (indeed, the 1995 PSA indicated that 98% of offsite power losses are recovered within 10 hours).
Only very extended grid failure, owing perhaps to an external hazard or a large area grid failure, would extend a loss of offsite power to a duration approaching 32 hours. In addition, a failed diesel generator would be expected be repaired within such a long time frame. Note that each Temelín unit has three diesel generators of its own, and in addition there are two shared non-safety diesels, which can be aligned to provide power at a safety bus in either unit (only one of these five diesels needs to be recovered in order to provide power to one train of safety systems).
Thus, it is likely that power recovery would occur in the time frame between RPV failure in the 5÷6 hours time frame and containment overpressure failure in the 32-hour time frame.
88 ETE Road Map - Preliminary Monitoring Report – Item 7b: Severe Accidents Related Issues The question then becomes what happens when the power is recovered. If the containment spray pumps are not disabled before power is recovered, the containment spray pumps will start on a high containment pressure signal. At times after about 3 hours, the containment is steam inerted in the station blackout scenario. Startup of the containment sprays will rapidly "de-inert" the containment atmosphere due to steam condensation, which will rapidly increase the percentage concentration of hydrogen and oxygen. The outcome of such a situation depends on how much oxygen and hydrogen remains in the containment atmosphere (allowing for accident progression and hydrogen recombination by the PARs, which depletes both hydrogen and oxygen from the containment atmosphere).