Anticipated Operational Occurrences
Anticipated operational occurrences, AOOs, are conditions of normal operation that are expected to occur one or more times during the life of the nuclear power unit and include but are not limited to loss of power to all recirculation pumps, tripping of the turbine generator set, isolation of the main condenser, and loss of all offsite power. AOOs are also known as Condition II and III events, but in this case, we are not talking about accidents.
Postulated accidents are unanticipated conditions of operation (i.e., not expected to occur during the life of the nuclear power unit). Postulated accidents are also known as Condition III or IV events.
Nuclear safety for anticipated operational occurrences constitutes the second level of defense and incorporates inherent plant features, such as core stability and thermal inertia, and systems to control abnormal operation (anticipated operational occurrences), with account taken of phenomena capable of causing further deterioration in the plant status. This includes automatic functions and control systems that can return the facility to its normal operating mode as soon as possible. The systems to mitigate the consequences of such operating occurrences are designed according to specific criteria (such as redundancy, layout and qualification).
To demonstrate that the fundamental safety objective is achieved in the design of a nuclear power plant, a comprehensive safety assessment of the design is required to be carried out. In the case of anticipated operational occurrences, its objective is to demonstrate that automatic functions and control systems can return the facility to its normal operating mode as soon as possible and to demonstrate that all barriers remain intact.
Current developments for ensuring the stable, safe and competitive operation of nuclear reactors are closely related to the advances that are being made in safety analysis. Deterministic safety analyses for anticipated operational occurrences, design basis accidents (DBAs) and beyond design basis accidents (BDBAs) are essential instruments for confirming the adequacy of safety provisions.
Postulated Initiating Event
A postulated initiating event, or PIE, is defined as an “identified event that leads to anticipated operational occurrences or accident conditions and its consequential failure effect”.
For a certain plant design, the postulated initiating events shall be identified on the basis of engineering judgement and a combination of deterministic assessment and probabilistic assessment.
Postulated initiating events shall be identified and shall be grouped on the basis of their frequency of occurrence at the nuclear power plant. Therefore, there are two groups of PIEs:
- Anticipated operational occurrences. Anticipated operational occurrences, AOOs, refer to the events that are categorized in Regulatory Guide 1.70 and in Regulatory Guide 1.206 as incidents of moderate frequency (i.e., events that are expected to occur several times during the plant’s lifetime) and infrequent events (i.e., events that may occur during the lifetime of the plant). In the case of anticipated operational occurrences, the objective is to demonstrate that automatic functions and control systems can return the facility to its normal operating mode as soon as possible and to demonstrate that all barriers remained intact after the event. AOOs are also known as Condition II and III events, respectively, in the commonly used, oft-cited but unofficial American Nuclear Society (ANS) standards.
- Postulated accidents (or design basis accidents). Postulated accidents are unanticipated conditions of operation (i.e., not expected to occur during the life of the nuclear power unit), but they cannot be excluded. Postulated accidents are also known as Condition III and IV events. A design basis accident is a postulated accident that a nuclear facility must be designed and built to withstand without loss to the systems, structures, and components necessary to ensure public health and safety.
An analysis of the postulated initiating events for the plant shall be made to establish the preventive measures and protective measures that are necessary to ensure that the required safety functions will be performed.
Categorization of Postulated Initiating Events
AOOs and postulated accidents are also categorized according to type. The type of AOO or postulated accident is defined by its effect on the plant. For example, one type of AOO or postulated accident will cause the RCS to pressurize and possibly jeopardize RCS integrity. Another type will cause the RCS to depressurize and possibly jeopardize fuel cladding integrity. It is useful to categorize and organize analyses of AOOs and postulated accidents according to type, so that analysts can compare them on common bases, effects, and safety limits. Such comparisons can help to identify limiting events and cases for detailed examination and eliminate nonlimiting cases from further consideration.
AOOs and design basis accidents can be grouped into the following seven types:
- Increase in heat removal by the secondary system
  - e.g., inadvertent moderator cooldown (PWR and BWR – AOO)
  - e.g., steam line break event (PWR – DBA)
- Decrease in heat removal by the secondary system
  - e.g., loss of normal feedwater (PWR – AOO)
  - e.g., reactor-turbine load mismatch, including loss of load and turbine trip (PWR and BWR – AOO)
- Decrease in RCS flow rate
  - e.g., loss or interruption of core coolant flow, excluding reactor coolant pump locked rotor (PWR – AOO)
  - e.g., single reactor coolant pump locked rotor (PWR – DBA)
  - e.g., seizure of one recirculation pump (BWR – DBA)
- Reactivity and power distribution anomalies (i.e., RIA)
  - e.g., control rod drop (PWR – AOO)
  - e.g., inadvertent chemical shim dilution (PWR – AOO)
  - e.g., ejection of a control rod assembly (PWR – DBA)
  - e.g., control rod drop accident (BWR – DBA)
- Increase in reactor coolant inventory
  - e.g., inadvertent operation of emergency core cooling
- Decrease in reactor coolant inventory
  - e.g., minor reactor coolant system (RCS) leak or loss of reactor coolant such as from a small ruptured pipe or from a crack in a large pipe (PWR and BWR)
  - e.g., loss-of-coolant accident (LOCA – DBA)
- Radioactive release from a subsystem or component
Safety analyses of these AOOs and postulated accidents can (and should) encompass a variety of cases, each designed to produce effects or results that challenge designated safety limits. For example, one case study of the turbine trip event is usually designed (by initial and boundary conditions) to yield a high peak RCS pressure, and another case study of the same AOO can be designed to yield a low, minimum thermal margin.
See also NUREG-0800, Standard Review Plan for the Review of Safety Analysis Reports for Nuclear Power Plants: LWR Edition.
Acceptance Criteria for AOOs
For evaluation of deterministic safety analyses, a specific set of rules and acceptance criteria is applied. Acceptance criteria are used in deterministic safety analysis to assist in judging the acceptability of the results of the analysis as a demonstration of the safety of the nuclear power plant. Typically, these should focus on neutronic, thermohydraulic, radiological, thermomechanical and structural aspects, which are often analysed with different computational tools.
The following are the specific criteria necessary to meet the requirements of GDC for AOOs:
- Pressure in the reactor coolant and main steam systems should be maintained below a specific value (usually below 110% of the design pressure).
- Fuel cladding integrity shall be maintained by ensuring that the minimum departure from nucleate boiling ratio (DNBR) remains above the 95/95 DNBR limit for PWRs (a 95% probability at a 95% confidence level) and that the critical power ratio (CPR) remains above the minimum critical power ratio (MCPR) safety limit for BWRs. If the minimum DNBR or MCPR does not meet these limits, then the fuel is assumed to have failed.
- According to 10 CFR 50.59, an AOO should not generate a postulated accident without other faults occurring independently or result in a consequential loss of function of the RCS or reactor containment barriers.
By meeting these criteria, it can be demonstrated that automatic functions and control systems can return the facility to its normal operating mode as soon as possible and it can be demonstrated that all barriers remained intact after the event.
Example: Partial Loss of Coolant Flow – PWR
A partial loss of coolant flow may be caused by a mechanical or electrical failure in a pump motor, a fault in the power supply to the pump motor, or a pump motor trip caused by such anomalies as over-current or phase imbalance. This postulated initiating event is also known as “single main coolant pump trip”. Typically, 1-out-of-4 MCPs or 2-out-of-4 MCPs are included in the Safety Analysis Report. A sequential loss of forced flow and a complete loss of forced coolant flow are the design basis accidents.
In the case of a partial loss of flow, the reduction of the primary flow leads to an imbalance between the heat produced by the fuel and the heat removed from the core, potentially exceeding core thermal limits. The thermal imbalance also leads to an overall pressure–temperature transient, typically resulting in a short-term pressurization of both the primary and the secondary circuit. For all loss of forced coolant flow transients, the reactor must be tripped before the departure from nucleate boiling ratio falls below the safety analysis limit, and this should be demonstrated in the SAR. For all loss of forced coolant flow transients, the reactor must also be tripped before the pressures (primary and secondary side) exceed their limits.
Key Safety Systems
Reactor Protection System
As stated above, the reactor must be tripped before the departure from nucleate boiling ratio falls below the safety analysis limit. The Reactor Protection System, RPS, provides this safety function. The RPS automatically initiates a rapid reactor shutdown (scram) by inserting control rods to preserve the integrity of the fuel cladding and reactor coolant pressure boundary.
Over-pressure relief system and safety valves system
In this case, automatic spray valves regulate the pressurizer spray to provide overpressure control. If this system is not sufficient, there is an over-pressure relief system. In the event that pressurizer pressure exceeds a certain maximum, a relief valve called the pilot-operated relief valve (PORV) on top of the pressurizer opens to allow steam from the steam bubble to leave the pressurizer. This reduces the pressure in the pressurizer and, in turn, the pressure in the whole system.
The pressurizer is also equipped with a safety valve system (“safety system”), whose valves are also routed to the relief tank. The pressurizer safety valves are spring loaded and self-actuating, with back pressure compensation. The safety valve system is used for emergency pressure reduction during emergency conditions.
Example: Control Rod Drop
A control rod drop event is one of the possible control rod malfunction events, and it belongs to the reactivity initiated events usually described in Chapter 15.4 of the Safety Analysis Report (according to NUREG-0800).
As a consequence of any of these events, there is a distortion in the core power distribution with potential reduction of DNBR. For a CR withdrawal, there is also a global reactor power increase, which is reduced later by the reactor power control. A potentially relevant safety aspect comes from the case when a rod drops into the core and the control system is in automatic mode. If the dropped control rod does not result in actuation of the reactor trip, then the reactor power may be reestablished by the control system. In this case, the rods will be moved out to compensate for the sudden power decrease. Before achieving a new equilibrium power, a transient overshoot on nuclear power can be expected, coincident with a significant distortion in radial power distribution caused by the dropped rod. High local peaking factors together with an overshoot in power may violate the limits on fuel power density.
The magnitude of power deviation is primarily a function of the control rod worth, reactivity coefficients and core characteristics. In this event, it must be shown that the fuel and the fuel clad integrity are not challenged.