Abstract

Within the licensing process of the KWU Atucha II PHWR (Pressurized Heavy Water Reactor), the BEPU (Best Estimate Plus Uncertainty) approach has been selected for issuing Chapter 15 of the FSAR (Final Safety Analysis Report). The key steps of the entire process are basically two: (a) the selection of PIE (Postulated Initiating Events) and (b) the analysis by best estimate models supported by uncertainty evaluation. In addition, key elements of the approach are (1) availability of qualified computational tools including a suitable uncertainty method, (2) demonstration of quality, and (3) acceptability and endorsement by the licensing authority. The effort of issuing Chapter 15 has been completed at the time of issuing the present paper, and the safety margins available for the operation of the concerned NPP (Nuclear Power Plant) have been quantified.

1. Introduction

Among the general attributes of a methodology to perform accident analysis of a nuclear power plant for licensing purposes, the very first one should be the compliance with the established regulatory requirements.

A second attribute deals with the adequacy and the completeness of the selected spectrum of events which should consider the combined contributions of deterministic and probabilistic methods.

The third attribute is connected with the availability of qualified tools and analytical procedures suitable for the analysis of accident conditions envisaged in the concerned Nuclear Power Plant. Thus, a modern and technically consistent approach has been built upon best estimate methods including an evaluation of the uncertainty in the calculated results (Best Estimate Plus Uncertainties or BEPU approach).

The complexity of an NPP and of the accident scenarios may pose a challenge for a conservative analysis and may justify the choice of a BEPU approach in the licensing process. This implies two main needs: the need to adopt, and to prove to the regulatory authority, an adequate quality for the computational tools, and the need for uncertainty evaluation.

The purpose of the present paper is to outline key aspects of the BEPU process aimed at the licensing of the Atucha II NPP in Argentina. The Atucha II is a heavy-water-cooled, heavy-water-moderated, vessel-type, pressurized reactor. The moderator fluid has the same pressure as the coolant fluid, but its temperature is lower. Fuel channels, which do not withstand pressure difference during nominal operation, separate the coolant from the moderator. The thermal power in the moderator is used to preheat the feed-water.

A direct link with the bases of nuclear reactor safety shall be ensured by the “BEPU-description document”. In the present case, this is formed by the following main elements or steps.
(1) Evaluation of the possibility to use a BE estimate within the context of the current national (i.e., of the country where the NPP is installed) Regulatory Authority (RA) requirements. A preapplication document was submitted to the national RA. This included the consideration of past interactions between the RA and the applicant as well as the analysis of the licensing practice in the country where the NPP was designed.
(2) Outline of international practices relevant for the proposed approach. The experiences acquired in the use of Best Estimate analyses for licensing purposes are reviewed: this is true for probabilistic and deterministic analyses and specifically for the determination of radiological consequences.
(3) Structure of the BEPU: (a) categorization of PIE, (b) grouping of events, (c) identification of analysis purposes, (d) identification of applicable acceptance criteria, (e) setting up of the “general scope” Evaluation Model (EM) and of related requirements starting from the identification of scenario-related phenomena, (f) selection of qualified computational tools including assumed initial and boundary conditions, (g) characterization of assumptions for the Design Basis Spectrum, (h) performing the analyses, and (i) adopting a suitable uncertainty method.
(4) Under the item (3g): the roadmap pursued for the analysis foresaw the use of nominal conditions for the NPP parameters and the failure of the most influential system. The implementation of such roadmap implied the execution of preparatory code run per each scenario where all NPP systems were simulated. This also required the simulation of the control and the limitations systems other than the protection systems. Once the “nominal system performance in accident conditions (following each PIE)” was determined, it was possible to select the worst failures and calculate a new (i.e., the “binding one”) accident scenario.
(5) Under the general scope of item (3e): several computer codes and about two dozen nodalizations have been used, developed and, in a number of cases, interconnected among each other.
(6) Qualification was necessary for the computational tools mentioned under item (5), within the framework depicted under item (3). The issue constituted by qualification of code-nodalization user was dealt with in the same context. Specific methods or procedures including acceptability thresholds have been developed and adopted.
(7) Under the scope of item (3i): the uncertainty method based on the extrapolation of accuracy, developed at University of Pisa since the end of 80s, was used to create the CIAU (Code with capability of Internal Assessment of Uncertainty) and directly used for quantifying the errors in the calculations, as needed.

The main purpose of this work is, basically, to outline the BEPU approach. By now, a first edition of Chapter 15 of the Atucha II FSAR has been issued. However, results are under a preliminary scrutiny before being submitted to the Regulatory Authority. Owing to this, no final results from the BE analysis of transients shall be expected in the paper.

2. Aspects for the Application of the BEPU Approach

The BEPU approach has been adopted as the methodology for accident analyses covering the established spectrum of PIE. Procedures have been applied to derive the list of PIE and to identify applicable acceptance criteria. Finally, the application of computational tools including nodalizations required suitable boundary and initial conditions and produced results related to the Atucha II transient scenarios originated by the PIE.

The proposed BEPU approach follows current practices on deterministic accident analyses but includes some key features to address particular needs of the application. The approach takes credit of the concept of Evaluation Models (EM), comprising three separate possible modules depending on the application purposes:
(i) for the performance of safety system countermeasures (EM/CSA),
(ii) for the evaluation of radiological consequences (EM/RCA),
(iii) for the review of components structural design loadings (EM/CBA),

where the acronyms CSA, RCA, and CBA stand for “Core Safety Analysis”, “Radiological Consequence Analysis”, and “Component Behaviour Analysis”. It may be noted that structural resistance of Containment as well as mechanical loads on RPV (Reactor Pressure Vessel) internals is calculated in the frame of CBA.

The selection of contents for the present section has been derived based on the US NRC Regulatory Guide 1.70 [1], the US NRC Standard Review Plan [2], design industry safety documents, for example, [3, 4], the FSAR of recently licensed NPP, and the so-called (Atucha II specific) BEPU report, already endorsed by the involved Licensing Authority [5].

The evaluation of the safety of nuclear power plant Atucha II does include required analyses of the response of the plant to postulated disturbances in process variables and to postulated malfunctions, failures of equipment, or loss of I&C signals. For these purposes, two complementary methodologies for safety analysis are applicable. The scope of accident analyses presented in Chapter 15 of the FSAR, however, comprises only deterministic safety analyses. Probabilistic safety analyses are presented in a separate document.

Chapter 15 sections document the results of the performed deterministic safety analysis covering a sufficiently broad spectrum of transients and accidents (i.e., PIE), aiming at demonstrating that the plant can be safely operated within the established regulatory limits related to the integrity of the components, to the preservation of the safety functions and the barriers against radioactivity releases and to the related radiological impact.

In order to confirm that the plant transient and accident analyses represent a sufficiently broad spectrum of initiating events, the transients and accidents are categorized according to their expected frequency of occurrence and grouped in nine families according to the type of challenge to the fundamental safety functions. The results of these safety analyses also provide a contribution to the selection of limiting conditions for operation, limiting safety systems settings, and design specifications for components and systems to protect public health and safety of the installations.

2.1. The Basis for BEPU

A simplified flowchart of the rationale that led to the planning and the application of the BEPU approach is given in Figure 1; additional details can be found in [5]. The steps followed by the proposed approach can also be derived from the analysis of the diagram.

In the first step, as a function of the selected scenario and of the purpose of the analysis, the complexity of the evaluation model may range from a simplified qualitative evaluation (EM/QA) to a complete combination of the three possible modules (EM/CSA + EM/RCA + EM/CBA).

In order to evaluate the plant safety performance, acceptance criteria are properly selected according to established international practice.

The two main aspects which have been considered for developing the evaluation model with the ability of adequately predicting plant response to postulated initiating events are intrinsic plant features and event-related phenomena characteristics.

For the two modules EM/CSA and EM/CBA, the first set of requirements for the evaluation model is imposed by the design characteristics of the nuclear power plant, its systems and components. Requirements on the capability of simulating automatic systems are of particular importance for anticipated operational occurrences, in which control and limitation systems play a key role in the dynamic response of the plant.

It shall be noted that the concerned modeling features are consistent with the requirements that impose the design of the limitation system according to the same standard as the reactor protection system. However, this rule does not apply to control systems. Nevertheless, the best response of the plant cannot be calculated without the detailed modeling of the control system. This has been considered in the present framework.

The second set of requirements is derived from the expected evolution of the main plant process variables and the associated physical phenomena. For the proposed approach, this is performed through the process of identifying the Phenomenological Windows (Ph.W) and the Relevant Thermal-hydraulic Aspects (RTA). The relevant timeframe for the event is divided into well-defined intervals when the behaviour of relevant safety parameters is representative of the physical phenomena.

For the adequate simulation of the identified phenomena, computational tools were selected from those which have previous qualification using an appropriate experimental data base. Satisfactory qualification targets provide basis for acceptability of the postulated application.

Within the framework of the present FSAR chapter, the expression “computational tools” comprises:
(i) the best estimate computer codes,
(ii) the qualified detailed nodalizations for the adopted codes including the procedures for the development and the qualification,
(iii) the established computational methods for uncertainty quantification including the procedure for the qualification,
(iv) the computational platforms for coupling and interfacing inputs and outputs from the concerned codes and nodalizations.

3. Categorization of PIE

The design philosophy of Atucha II incorporates the principle that plant states that could result in high radiation doses or radioactive releases are of very low probability of occurrence, and plant states with significant probability of occurrence have only minor or no radiological consequences.

Accordingly, for design purposes, postulated initiating events are divided into the event categories by their anticipated probability of occurrence, consistently with Probabilistic Safety Analysis (PSA) performed for the same NPP (see Table 1).

Accident conditions which stand out of these ranges of probabilities or that are not included in the SBDBA category may also involve significant core degradation. These are out of the scope of this chapter and are treated separately within the frame of PSA studies.

The third event category (SBDBA) appears to be specific of the Atucha II FSAR and addresses large break LOCA and ATWS. The rationale for introducing this category derives from the design characteristics of the NPP and from previously agreed licensing steps (see also [5]).

The categorization of large break LOCA as SBDBA is due to the exclusion of the maximum credible accident from the range of the design basis spectrum for Atucha II, and the adoption of the break size of ten percent on reactor coolant pipe (0.1 A) as the basis for fulfilling traditional regulatory requirements. So far, the double-ended guillotine break is considered as a beyond design basis scenario.

Nevertheless, the demonstration of the design capability to overcome this event has still a relevant role in the safety performance evaluation. For this aim, however, currently used conservative approach for safety analysis may not be sufficient to guarantee that safety margins still exist. The use of best estimate methods is acceptable when a scenario is categorized as beyond design basis.

Regarding ATWS, similarly to some modern or evolutionary nuclear power plants, Atucha II design does present a diverse scram system (Fast Boron Injection System). In this sense, the original safety issue related to ATWS does not constitute a safety concern applicable to its design.

All selected scenarios are grouped in the nine families of events: each family covers events with similar phenomena, or events in each family are characterized by similarity of challenges in relation to the fundamental safety functions. The nine families are
(1) increase in heat removal by the secondary system,
(2) decrease in heat removal by the secondary system,
(3) decrease in heat removal by the primary system,
(4) reactivity and power distribution anomalies,
(5) increase in reactor coolant inventory,
(6) decrease in reactor coolant inventory,
(7) radioactive release from a subsystem or component,
(8) disturbance in the refueling system and fuel storage system,
(9) anticipated transients without scram (ATWS).

An excerpt of the list including the description of 83 events is provided in Table 2. This also includes the type of analysis to be performed in relation to each transient. In this connection, three possible types of general evaluation purposes are foreseen for each scenario.
(RCA) those scenarios whose radiological impacts have to be calculated.
(CSA) those scenarios which are used for the design of safeguards or countermeasures (systems performance associated with the integrity limits for the barriers against radioactive releases).
(CBA) those scenarios which are used for reviewing the design of components or structures for stability or integrity (mechanical design loadings).

In relation to anticipated operational occurrences (AOO), it has to be proved that they do not propagate into accidents. Additionally, the analysis shall demonstrate that the systems actuated by operational instrumentation and control systems and by limitation and reactor trip systems are sufficiently effective to
(i) maintain the integrity of the barriers against radioactivity release, as no fuel centerline melting, unrestricted continued operation of fuel assemblies, and ensured integrity of the reactor coolant pressure boundary (CSA-related evaluation purposes),
(ii) maintain component loadings within the allowable limits for this category of events as it is addressed in the FSAR Chapters 4 to 6 (CBA-related evaluation purposes),
(iii) prevent radioactive releases to the environment in excess of the allowable limits for this category of events (RCA-related evaluation purposes).

For design basis accidents, even though they are not expected to occur, only limited consequences are accepted. For DBA, it has to be demonstrated that the safety system countermeasures actuated by the reactor protection system are sufficiently effective to
(i) maintain adequate integrity of the barriers against radioactivity release, as limited fuel centerline melting, limited loss of integrity of fuel cladding, or integrity of the containment (CSA-related evaluation purposes),
(ii) maintain component loadings within the allowable limits for accident conditions, and may be addressed in the FSAR Chapters 3 to 6 (CBA-related evaluation purposes),
(iii) prevent radioactive releases to the environment in excess of the allowable limits for accident conditions (RCA-related evaluation purposes).

For the SBDBA, the aim of the analyses is to demonstrate that measures for mitigation of consequences are sufficient and effective to
(i) ensure residual heat removal, maintaining sufficient integrity of the barriers against radioactivity release (CSA-related evaluation purposes),
(ii) prevent radioactive releases to the environment in excess of the allowable limits for accident conditions (RCA-related evaluation purposes).

In order to complete the set of targets for the analyses, event specific purposes are added, considering scenario-related safety system countermeasures or performance, as well as challenged component structural limits. To assess plant safety performance, figures of merit are derived for each purpose of the considered event.

4. Adopted Computational Tools

The computational tools include (a) the best estimate computer codes, (b) the nodalizations including the procedures for the development and the qualification, (c) the uncertainty methodology including the procedure for the qualification, and (d) the computational platforms for coupling and interfacing inputs and outputs from the concerned codes and nodalizations.

An idea of the interaction among the considered computational tools can be derived from Figure 2 and Table 3, both dealing with codes, category (a) above. The following is to be noted.
(i) A chain of codes is needed for exploiting the three-dimensional neutron kinetics capability of the Nestle code.
(ii) MCNP code has the role of providing “reliable-reference” results at the steady state condition.
(iii) Melcor is used as a back-up code to support the application of the Relap5-3D when modeling the containment.
(iv) The “ultimate” code for calculating the PTS risk, deterministic analysis, is Ansys.
(v) Dynetz is “intimately” coupled with Relap5/3D: however, the entire control, limitation, and protection systems of Atucha II are modeled and interaction with the thermal-hydraulic code is foreseen at each time step.

4.1. The Qualification

A key issue for the BEPU is represented by the qualification. This shall be demonstrated for each of the four categories of computational tools discussed above. It is out of the scope of the present paper to provide details adopted to show the achievement of a suitable level of qualification. However, an idea can be derived from the section below dealing with UMAE, that is, Uncertainty Method based upon Accuracy Extrapolation (here used to demonstrate the qualification of the thermal-hydraulic nodalizations).

4.2. The Uncertainty Method

In principle, whenever a best estimate method is applied for licensing purposes, uncertainty quantification is needed. Therefore, the UMAE-CIAU procedure, or even the CIAU having UMAE as “informatics engine”, is used in the present context, [5].

The UMAE is the prototype method for the consideration of “the propagation of code output errors” approach for uncertainty evaluation. The method focuses not on the evaluation of individual parameter uncertainties but on the propagation of errors from a suitable database calculating the final uncertainty by extrapolating the accuracy from relevant integral experiments to full-scale NPP.

Considering integral test facilities which are simulators of water cooled reactors and qualified computer codes based on advanced models, the method relies on code capability, qualified by application to facilities of increasing scale. Direct data extrapolation from small scale experiments to reactor scale is difficult due to the imperfect scaling criteria adopted in the design of each scaled down facility. The direct code application to different scaled facilities (i.e., without the availability of experimental data) and to the corresponding NPP can be biased or affected by systematic errors. So the only possible solution to ensure the best use of the code in predicting NPP behavior is the extrapolation of accuracy (i.e., the difference between measured and calculated quantities). Experimental and calculated data in differently scaled (relevant) facilities are used to demonstrate that physical phenomena and code predictive capabilities of important phenomena do not change when increasing the dimensions of the facilities.

The flow-sheet of UMAE is given in Figure 3. The following can be added.
(i) The red line loop on the right of the diagram constitutes the way to qualify the code, the nodalization, and the code-user in relation to the capability to model an assigned transient.
(ii) In case the conditions (thresholds of acceptability) in the rhomboidal block “g” are fulfilled, the NPP nodalization can be built-up having in mind the experience gained in setting-up ITF nodalizations.
(iii) The NPP nodalization (left of the diagram) will undergo a series of qualification steps including the so-called “Kv-scaled” calculation.
(iv) Additional acceptability thresholds must be met under the block “k”. In case of adequate fulfillment of criteria, a qualified nodalization is available for NPP analyses (so-called Analytical Simulation Model, ASM).
(v) The FFTBM (Fast Fourier Transform-Based Method), to quantify the accuracy, is used at the level of the block “g” and, if requested, of the block “k”.
(vi) The results of the ASM may benefit of the extrapolation of the accuracy to characterize the uncertainty.

All of the uncertainty evaluation methods, including UMAE, are affected by two main limitations:
(i) the resources needed for their application may be very demanding, ranging to up to several man-years;
(ii) the achieved results may be method/user dependent.

The last item should be considered together with the code-user effect, widely studied in the past as mentioned in [5], and may threaten the usefulness or the practical applicability of the results achieved by an uncertainty method. Therefore, the Internal Assessment of Uncertainty (IAU) was requested as the followup of an international conference jointly organized by OECD and U.S. NRC and held in Annapolis in 1996, for example, see [5]. The CIAU method, [6], has been developed with the objective of eliminating/reducing the above limitations.

The basic idea of the CIAU can be summarized in two parts, as per Figure 4.
(i) Consideration of plant status: each status is characterized by the value of six relevant quantities (i.e., a hypercube) and by the value of the time since the transient start.
(ii) Association of an “extrapolated error” or uncertainty with each plant status.

Six driving quantities are used to characterize any hypercube. In the case of a PWR, the six quantities are (1) the upper plenum pressure, (2) the primary loop mass inventory, (3) the steam generator pressure, (4) the cladding surface temperature at 2/3 of core active length, (5) the core power, and (6) the steam generator down-comer collapsed liquid level.

A hypercube and a time interval characterize a unique plant status to the aim of uncertainty evaluation. All plant statuses are characterized by a matrix of hypercubes and by a vector of time intervals. Let us define Y as a generic thermal-hydraulic code output plotted versus time. Each point of the curve is affected by a quantity uncertainty (Uq) and by a time uncertainty (Ut). Owing to the uncertainty, each point may take any value within the rectangle identified by the quantity and the time uncertainty. The value of uncertainty, corresponding to each edge of the rectangle, can be defined in probabilistic terms. This satisfies the requirement of a 95% probability level, for example, acceptable by US NRC.
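The plant-status lookup and the rectangle around each point described above can be sketched as follows. This is an added example, not code from CIAU or from the authors; the interval edges, the error values, the sample transient and the envelope rule used to combine the rectangles are all constructed assumptions.

```python
from bisect import bisect_right

# Six driving quantities (PWR list from the text). Edges, error values and
# the transient below are constructed; they are not the CIAU error database.
QUANTITY_EDGES = (
    ("upper_plenum_pressure_MPa", (0.1, 2.0, 7.0, 10.0, 18.0)),
    ("primary_mass_inventory_pct", (10.0, 40.0, 80.0, 100.0, 120.0)),
    ("sg_pressure_MPa", (0.1, 3.0, 7.0, 9.0)),
    ("clad_temperature_K", (298.0, 473.0, 643.0, 1473.0)),
    ("core_power_pct", (0.5, 6.0, 50.0, 100.0, 130.0)),
    ("sg_downcomer_level_m", (0.0, 5.0, 10.0, 15.0)),
)
TIME_EDGES_S = (0.0, 100.0, 1000.0, 10000.0)


def interval_index(edges, value, name):
    """Index of the half-open interval [edges[i], edges[i+1]) holding value."""
    if not edges[0] <= value < edges[-1]:
        raise ValueError(f"{name}={value} is outside the database range")
    return bisect_right(edges, value) - 1


def hypercube(status):
    """Map a plant status (dict of the six quantities) to its hypercube id."""
    return tuple(interval_index(e, status[n], n) for n, e in QUANTITY_EDGES)


def point_uncertainty(t, status, quantity_error, time_error):
    """Return (Uq, Ut) for one status: Uq is relative, Ut is in seconds."""
    cube = hypercube(status)
    if cube not in quantity_error:
        raise LookupError(f"no error data for hypercube {cube}")
    return quantity_error[cube], time_error[interval_index(TIME_EDGES_S, t, "time_s")]


def uncertainty_band(times, y, statuses, quantity_error, time_error):
    """Lower/upper band as the envelope of the per-point rectangles."""
    rects = []
    for t, val, status in zip(times, y, statuses):
        uq, ut = point_uncertainty(t, status, quantity_error, time_error)
        half = uq * abs(val)
        rects.append((t - ut, t + ut, val - half, val + half))
    lower, upper = [], []
    for t in times:
        # A point's own rectangle always covers its own time, so never empty.
        covering = [r for r in rects if r[0] <= t <= r[1]]
        lower.append(min(r[2] for r in covering))
        upper.append(max(r[3] for r in covering))
    return lower, upper


# Constructed depressurization transient: only the pressure changes.
SAMPLE_TIMES = [0.0, 50.0, 150.0, 600.0]
SAMPLE_PRESSURE = [11.5, 8.0, 6.0, 1.5]
FIXED = {"primary_mass_inventory_pct": 90.0, "sg_pressure_MPa": 6.0,
         "clad_temperature_K": 560.0, "core_power_pct": 5.0,
         "sg_downcomer_level_m": 12.0}
SAMPLE_STATUSES = [dict(FIXED, upper_plenum_pressure_MPa=p) for p in SAMPLE_PRESSURE]
QUANTITY_ERROR = {(3, 2, 1, 1, 0, 2): 0.05, (2, 2, 1, 1, 0, 2): 0.10,
                  (1, 2, 1, 1, 0, 2): 0.20, (0, 2, 1, 1, 0, 2): 0.30}
TIME_ERROR_S = {0: 10.0, 1: 120.0, 2: 500.0}


def demo():
    return uncertainty_band(SAMPLE_TIMES, SAMPLE_PRESSURE, SAMPLE_STATUSES,
                            QUANTITY_ERROR, TIME_ERROR_S)


if __name__ == "__main__":
    for t, y, (lo, hi) in zip(SAMPLE_TIMES, SAMPLE_PRESSURE, zip(*demo())):
        print(f"t={t:6.0f} s  Y={y:5.2f}  band=[{lo:.3f}, {hi:.3f}]")
```

At t = 50 s the lower bound falls below the point's own quantity rectangle because the time uncertainty of the later 150 s point reaches back over it, which is the effect of carrying Ut alongside Uq.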

In Atucha II, no phenomena are expected which are different from those at the basis of the CIAU error database. The same consideration is valid in the range of variation of quantities which represent the phenomena.

5. Conclusions

An outline has been given of relevant features of the BEPU approach pursued for Chapter 15 of the FSAR of Atucha II NPP.

The execution of the overall analysis and the evaluation of results in relation to slightly less than one-hundred PIE revealed the wide safety margins available for the concerned NPP that was designed in the 1980s.

Key issues for a BEPU-based Chapter 15 of any FSAR are
(a) proper selection of PIE,
(b) simulation of I&C system response,
(c) availability of proper computational tools,
(d) qualification and quality assurance,
(e) last but not least: endorsement and acceptability by the Licensing Authority.

Acronyms

AOO: Anticipated operational occurrences
ASM: Analytical Simulation Model
ATWS: Anticipated Transients Without Scram
BE: Best estimate
BEPU: Best Estimate Plus Uncertainty
CBA: Component Behaviour Analysis
CIAU: Code with capability of Internal Assessment of Uncertainty
CSA: Core Safety Analysis
DBA: Design Basis Accidents
EM: Evaluation Model
FFTBM: Fast Fourier Transform-Based Method
FSAR: Final Safety Analysis Report
IAEA: International Atomic Energy Agency
IAU: Internal Assessment of Uncertainty
I&C: Instrumentation and control
KWU: KraftWerkeUnion
LOCA: Loss of Coolant Accident
NPP: Nuclear power plant
OECD: Organization for the Economic Cooperation and Development
PHWR: Pressurized Heavy Water Reactor
PIE: Postulated initiating events
PTS: Pressurized Thermal Shock
QA: Qualitative evaluation
RA: Regulatory authority
RCA: Radiological Consequences Analysis
RPV: Reactor pressure vessel
RTA: Relevant Thermal-hydraulic Aspects
SBDBA: Selected Beyond Design Basis Accidents
UMAE: Uncertainty Method based upon Accuracy Extrapolation

Acknowledgments

The work leading to the issue of BEPU Chapter 15 of Atucha II FSAR lasted more than two years and involved more than thirty scientists, including recognized international experts, working at NA-SA and at University of Pisa. The current authors coordinated the group and acknowledge the contribution of any individual.