EXPERT MISSION. Bulgaria

Size: px
Start display at page:

Download "EXPERT MISSION. Bulgaria"

Transcription

1 NSNI/Expert mission ORIGINAL: English Report for the EXPERT MISSION to Review the additional safety assessment report stress test of the Belene NPP in line with the new IAEA Requirements Bulgaria December 2011 DIVISION OF NUCLEAR INSTALLATION SAFETY OPERATIONAL SAFETY REVIEW MISSION IAEA-NSNI/Expert mission 1

2 2

3 CONTENT INTRODUCTION AND MAIN CONCLUSIONS BASIC INFORMATION ABOUT THE BELENE NPP (BNPP) LEGISLATION OF NUCLEAR REGULATORY AGENCY FOR COMMISSIONING EXTERNAL HAZARDS AND SAFETY MARGINS LOSS OF ELECTRICAL POWER AND LOSS OF ULTIMATE HEAT SINK SEVERE ACCIDENT MANAGEMENT LIST OF IAEA REFERENCES (BASIS) TEAM COMPOSITION OF THE EXPERT MISSION

4 INTRODUCTION AND MAIN CONCLUSIONS INTRODUCTION At the request of the Nuclear Regulatory Agency of the Republic of Bulgaria, an IAEA Expert Review Team of international experts visited the Nuclear Regulatory Agency (NRA) from December The purpose of the mission was to review the preparation of the Belene NPP (BNPP) in line with the new requirements related to the commissioning and accident management as set out in the new Specific Safety Requirements document, Safety of Nuclear Power Plants: Commissioning and Operation (SSR-2/2). In addition issues related to the Fukushima accident were reviewed following the process described in the EU Stress-test specifications and the requirements of the Bulgarian Nuclear Regulatory Agency for the re-assessment of plant safety margins against natural disasters. The team was composed of experts from the Czech Republic, France, Germany and an IAEA staff member. Before visiting the plant, the team studied information provided by the NRA including Final Report on the Additional Safety Assessment for Belene NPP to familiarize themselves with the plant's main safety features, relevant NRA legislation and additional safety assessment in the light of Fukushima accident. During the mission, the team reviewed the plant's safety assessment and NRA legislation in depth, and held in-depth discussions with NRA, the National Electric Company (NEC, operating organization), the designer of the plant, technical support organizations of designer and architect engineer personnel. Throughout the review, the exchange of information between the IAEA experts and counterparts was very open, professional and productive. The conclusions of the expert team were based on the IAEA Safety Standards. The BNPP site is situated in the north of Bulgaria on the right bank of the Belene branch of the Danube river between the 567 and the 571 km, opposite Belene (Persin) island, about 7,5 km to the south of Bulgaria s national border with Romania. The site is located within the territory of the Pleven District of Bulgaria, 55 km away from the regional centre (town of Pleven). The Belene site was approved according to the Safe Use of Nuclear Energy Act and to the Regulation for the procedure for issuing licenses and permits for safe use of nuclear energy by Order No. RD / , issued by the Nuclear Regulation Agency, after extensive review including IAEA review missions. The operating organization NEC submitted an application for design approval in April NRA is currently reviewing and assessing this submission as a basis for issuing a construction license. Two units with pressurized water reactors and all main and auxiliary buildings, structures, systems and components needed for units commissioning and operation are planned to be built at the Belene site. 4

5 The report is based on information provided in the Complementary Safety Assessment Report Stress Tests for Belene NPP, as well as discussions with representatives of Bulgaria and Russian Federation organizations during the mission. MAIN CONCLUSIONS The IAEA team concluded that the NRA legislation is in very good compliance with the newly published IAEA Specific Safety Requirements No. SSR-2/2 Safety of Nuclear Power Plants: Commissioning and Operation, Section 6, Requirement 25: Commissioning programme. In addition, in some cases, the legislation is even more detailed and stringent that the IAEA Safety Standards. However the team made two suggestions in this area. Aircraft crash hazard: Based on detailed exchanges with counterparts, the opinion of the IAEA expert is that the BNPP has an adequate robustness against large commercial aircraft crashes and in addition that extra mechanical margins are still available. Seismic hazard: Regarding seismic hazard assessment, in the line of the conclusions of the IAEA 1997 site safety review, and with reference to the IAEA Safety Standards on seismic hazard, the plant has properly supplemented the site documentation regarding different scales. A major output is that the previous assumption of a possible fault along the Danube River, as well as on active fault in the near region of the site, can now be rejected. Recent developments (since the previous IAEA mission in 1997) of the BNPP site PSHA (Probabilistic Seismic Hazard Assessment) were carried out as per the state-of-the-art on the subject. In particular, attention was paid to attenuation relationships for sedimentary sites. PSHA output is consistent with the seismic hazard assessment established at the scale of the Bulgarian territory. A significant output is that the Beyond Design Basis Earthquake (BDBE) (specified in accordance with European Utilities Requirements (EUR)) as 1.4 x Design Basis Earthquake (DBE) in the terms of reference for the plant), is estimated as corresponding to the median value of seismic input motions with an annual probability of exceedance of the order of Seismic design: Regarding seismic design, it is clear that, due to the original design provision that the plant should be safe under a BDBE that exceeds the DBE by 40%, the BNPP has an intrinsic significant robustness against earthquakes. It has to be pointed out that the 40% margin in the seismic input motion was not consumed by the verification process of the equipment (keeping in mind that some components are not yet selected) because this verification process was conducted as per the design procedure and criteria. Of course, such a prudent approach is only possible for a new NPP and could not be implemented on an existing plant. Flooding: Natural floods with return periods of 1000 years and years were taken into account by the counterpart, as well as consequences of dam ruptures and effects of extreme meteorological events on the Danube River water level. Combinations of these different causes were fully considered. The conclusion is that, even in the worst case, there is still a margin of 70 cm between the site platform level and the water level. The team made one suggestion in the area of external hazards. 5

6 The Belene NPP design provides significant technical solutions to cope with the whole variety of accidents to be considered for Generation III+ NPPs. With reference to the ENSREG specification developed for the EU stress tests and to the IAEA Safety Standards, thanks to diverse principles applied for safety systems, big water reserves stored inside the confinement and other features, for all relevant accidents considered in the EU stress tests sufficient robustness and time margins were demonstrated. The team made four suggestions in the area loss of electrical power and loss of heat sink. The design of Belene NPP explicitly includes features both for prevention as well as for mitigation of severe accidents. This was convincingly demonstrated both by the stress test report as well as in the discussion that the Belene design is extremely robust in dealing with prevention and mitigation of severe accidents, since consideration of severe accidents is embedded in the design. This covers both the preventive part of accident management, which is very strong due to the exceptional combination of redundant active systems backed-up by passive systems, as well as dedicated systems for severe accident mitigation. The experimental and analytical demonstration of efficiency of passive systems was extensively discussed during the meeting. According the available analyses, CDF is about 5.11E-7/reactor/year and LERF 2.17E- 7/reactor/year, taking into account all events occurring at power and shutdown modes, internal fires and relevant external hazards. These values indicate a very high level of safety. The contribution of external hazards represents about 1.6 % of the total CDF. The team made six suggestions in the area of severe accident management. 6

7 1. BASIC INFORMATION ABOUT THE BELENE NPP (BNPP) The Belene NPP is designed with a pressurized water reactor per unit, WWER-1000/V466 type with four coolant loops, based on WWER AES-92 plant design which in 2006 successfully passed all the steps of the analysis of compliance with the European Utility Requirements endorsed by the major European utility companies for the next generation of LWR nuclear power plants. Basic parameters are as follow: Plant Design A-92 Reactor Coolant System PWR/WWER-1000/V 466 Service Life Thermal Power Rate Turbine Generator Electric Power Rate 60 years 3012 MW K /3000 (HP+4LP) TVV UZ (24kV 50Hz) 1060 MW Availability Factor 90 % The safety systems comprise: protective, localizing, supporting and control safety systems. The protective systems perform functions of emergency cooling and residual heat removal from the reactor core. They have active and passive parts. Each safety system has four independent trains, the efficiency of the trains is chosen based on the single failure principle and the trains of the safety systems are physically separated. The active systems comprise: High Pressure Emergency Injection System; Emergency Boron Injection System ; System for Emergency and Scheduled Cooling down of the Primary Circuit and Fuel Storage Pool Cooling ; Steam Generator Emergency Cooling and Blowdown System; Primary Overpressure Safety System; Secondary Overpressure Safety System; Emergency Steam and Gas Removal System; 7

8 Main Steam Pipe System Isolation System. The passive systems comprise: 1st Stage Hydro Accumulator System (Passive ECCS); 2nd Stage Hydro Accumulator System (Passive CFS); Passive Heat Removal System; Fast Boron Injection System. The localizing safety systems comprise active and passive systems and components. The active systems comprise: Spray System; Isolation of the Protective Containment System; The passive systems comprise: Containment System Emergency Hydrogen Removal and Control System in Containment; Annulus Passive Filtering System; Molten Core Localization and Cooling System (Core catcher). The support systems comprise: Component Cooling System; Cooling Water System for Safety Systems; Emergency Power Supply System; Firefighting System; Ventilation and Air-conditioning Support Systems. There are three main safety functions which are necessary for achieving the overall safety objective of protecting people and the environment from harmful effects of ionizing radiation: Reactivity control Fuel cooling; and Containment of radioactive material. 8

9 In order to ensure a contemporary level of safety the Belene NPP design uses for the safety systems required for maintaining the main safety functions both active and passive safety systems. The passive systems are backing the active systems so that they ensure fulfillment of the safety functions independently from the active safety systems. The safety systems are designed to withstand failures, including common cause failures and are capable of performing their functions in cases of loss of power. The spent fuel pool is located in the inner containment of each unit, within immediate proximity to the reactor cavity and is connected with the reactor cavity via a refueling channel for handling one fuel assembly (FA). The channel is closed by two hydraulic locks. The spent fuel pool racks design (boron steel) ensures an effective neutron multiplication factor lower than 0,95 in cases of decrease in the concentration of boric acid down to zero and in cases of boiling of the water. The residual heat removal from the spent fuel assemblies is ensured by the System for Emergency and Standard Cooling of the primary circuit and spent fuel pool cooling (JNA). 9

10 2. LEGISLATION OF NUCLEAR REGULATORY AGENCY FOR COMMISSIONING 2.1 Status of national legislation in the area of commissioning The NRA has well developed and strong legislation based on the IAEA Safety Standards. The legislation for commissioning is comprehensive and, in addition, there is also legislation for the construction of NPPs. The IAEA is in the process of developing a Safety Guide for Construction. On the top of the legislation pyramid is the Act on the Safe Use of Nuclear Energy. This Act was issued in 2002 and most recently amended in Chapter 3 of the Act describes the authorization process for site selection, construction, commissioning and operation of nuclear facilities including NPPs. Article 15 states that licences and permits shall be issued, amended, suspended, and revoked by the NRA Chairman under conditions of legal equality and transparency. A licence shall be issued for operation of a nuclear facility. A permit shall be issued for siting, design, construction and commissioning of a nuclear facility; activities leading to modification of structures, systems and components important to the safety of the nuclear facility and operating limits and conditions. More details are described in Articles 33, 34, 35, 36, 37 and 38. If the commissioning of the nuclear facility is a multistage process, the NRA Chairman may issue a separate permit for each stage. Two regulations under the Act on the Safe Use of Nuclear Energy describe requirements for construction and commissioning: Regulation on the procedure for issuing licences and permits for the safe use of nuclear energy, issued 2004 and amended in 2005 Regulation on ensuring the safety of nuclear power plants issued in 2004 and most recently amended in 2008 Both regulations are clear, comprehensive and based on the IAEA Safety Standards. In some cases these regulations are even more detailed and stringent that the IAEA Safety Standards. The regulation on the procedure for issuing licences and permits for the safe use of nuclear energy has several sections dealing with licensing and authorization during construction and commissioning, including the necessary conditions for each stage. Section IV, in Articles 41 and 42, sets up the conditions necessary for Permit for Construction. Section V, in Articles 43, 44, 45 and 46 sets up the conditions necessary for a Permit for Commissioning. Both sections are comprehensive cover all IAEA requirements regarding commissioning. The regulation on ensuring the safety of nuclear power plants deals with construction, commissioning and the operation of NPPs in Chapter 5. Section I sets up requirements for the operating organization, Section II for the construction, Section III for commissioning and Section IV for operation of NNPs. The team performed a detailed assessment of Section III against the IAEA Specific Safety Requirements No. SSR-2/2 Safety of Nuclear Power Plants: Commissioning and Operation in Section 6, Requirement 25: Commissioning Programme. The Requirements were published recently in Almost all IAEA requirements (see bullets below) are addressed in the regulation on Ensuring the Safety of Nuclear Power Plants, some of 10

11 them are addressed in the regulation on the procedure for issuing licences and permits for the safe use of nuclear energy. The team concluded that both regulations adequately reflect the IAEA requirements for the commissioning Three requirements are not specifically and directly stated in the NRA regulations, namely: 6.10 From the commencement of commissioning, reviewed and approved arrangements for work control, modification control and plant configuration control shall be in place to meet the conditions of the commissioning tests The operating organization shall ensure that interfaces and the communication lines between different groups (i.e. for design, for construction, contractors, for commissioning and for the operation) shall be clearly specified and controlled During construction and commissioning, the plant shall be monitored, preserved and maintained so as to protect plant equipment, to support the testing stage and to maintain consistency with the safety analysis report. 2.2 Conclusion and suggestions. The NRA legislation is in very good compliance with the recently published IAEA Specific Safety Requirements No. SSR-2/2 Safety of Nuclear Power Plants: Commissioning and Operation, Section 6, Requirement 25: Commissioning Programme. In addition, in some cases, the Bulgarian requirements are even more detailed and stringent that the IAEA Safety Requirements. It should be noted that the IAEA is currently developing a Safety Guide for construction of nuclear installations and revising a Safety Guide for the commissioning of NPPs. Suggestion 2(1): The NRA should consider including the following IAEA requirements into the planned revision of the NRA regulation for ensuring the safety of nuclear power plants: 6.10 From the commencement of commissioning, reviewed and approved arrangements for work control, modification control and plant configuration control shall be in place to meet the conditions of the commissioning tests The operating organization shall ensure that interfaces and the communication lines between different groups (i.e. for design, for construction, contractors, for commissioning and for the operation) shall be clearly specified and controlled During construction and commissioning, the plant shall be monitored, preserved and maintained so as to protect plant equipment, to support the testing stage and to maintain consistency with the safety analysis report.; Suggestion 2(2): The NRA should consider developing a Safety Guide for the Construction and Commissioning of Nuclear Power Plants using the finalized IAEA Safety Guides Construction of nuclear installations and Commissioning for nuclear power plants as a basis. 11

12 3. EXTERNAL HAZARDS AND SAFETY MARGINS 3.1 Regulation applicable in Bulgaria and ENSREG terms of reference Regulatory requirements on external initiating events taken in view of ensuring the safety of NPPs are referenced as follows: Published Regulation, No. 66 of 30 July 2004, amended Regulation No. 46 of 12 June 2007, and amended SG No. 53 of 10 June Excerpts of these documents that pertain to the protection against external hazards are presented in the appendix A- 3-1 of this report. Basically the Belene NPP should be designed against the possible consequences of 1. extreme weather conditions; 2. earthquakes; 3. external flooding; 4. aircraft crashes; 5. hazards arising from nearby transportation and industrial activities; 6. sabotage; 7. electromagnetic interference. However it is reminded that, regarding external hazards, the initiating events considered in the ENSREG terms of reference are limited to earthquakes and flooding. 3.2 Content of the Final Report on stress tests and exchanges on the subject Scope In the Final Report on the Additional Safety Assessment for Belene NPP provided by NRA, the following three external hazards are considered: earthquake, floods and extreme climate conditions. Due to the site specificity, the seismic hazard assessment received special attention, its treatment being extensively developed in Attachment 4 of the Final Report. It has to be mentioned that the Belene site seismic hazard assessment had been already reviewed by the IAEA in 1997, as a follow-up of a previous mission conducted in 1990 with intermediary missions in 1993 and During this review mission, the results of the seismic and flooding hazard assessments were presented in detail. It was also stated that, due to the lack of industrial facilities in the vicinity of the Belene site, there is no requirement to assess hazards arising from nearby transportation and industrial activities and for revision of the original design provisions against a blast. 12

13 Aircraft crashes, sabotage and electromagnetic interferences were not in the terms of reference of the ENSREG stress tests and therefore not covered by the Final Report. However, the aircraft crash hazard and its treatment was presented in a detailed manner. Discussions with the counterpart were dedicated to aircraft crash, seismic hazard and flooding Aircraft crash The following items were discussed with the counterpart: a) Riera load function There were exchanges about the Riera load function. In particular the effect of liquid mass was discussed, as well as a realistic method accounting for actual design of fuel tanks as compared to some experimental configurations, such as the VTT experiments carried out in Finland. The Riera function is highly dependent on the aircraft velocity, not only in its magnitude but also in the time domain. An envelope function corresponding to a large range of velocities was retained for structural robustness assessment while a series of load functions from small to large velocities was considered for the floor response spectra (FRS) generation. b) Robustness of structures The above mentioned envelope function provides substantial margins in the input loading conditions, which were reflected in the design of the NPP by: increasing the structural gap between the protective structure and the containment, increasing shear and flexural reinforcements, and increasing areas of flexural reinforcement at different places. c) Floor response spectra generation Assumptions relating to modelling of structures were discussed (damping values retained in the analysis, parts of the structure regarded as exhibiting linear/ non-linear behaviour), as well as their effects on floor response spectra (frequency content, cut-off frequency, amplification). There were exchanges about sharpness of the Riera load function and its consequences on the frequency content of the signal transmitted to floors. d) Equipment qualification Regarding mechanical equipment, a four step procedure was implemented as presented during the mission. A key feature is that it uses CAV (Cumulative Absolute Velocity), although the input under consideration is not a seismic input motion. This approach was already presented by the counterpart to the Scientific Committee of the IAEA ISSC (International Seismic Safety Centre). The conclusion of the analysis is that the BNPP equipment exhibits sufficient margins to sustain a large commercial aircraft crash. The counterpart is aware about the significance of induced fire, fire ball and the provisions of the ventilation system to cope with the consequences of such a situation. According to counterpart statement, corresponding analyses were carried out, but they were out of the scope of the mission and were not discussed further. 13

14 3.2.3 Seismic hazard and seismic design Basic concept of BNPP seismic safety reassessment Basically the additional assessment of the BNPP seismic margins is based on the fact that, in compliance with the European Utilities Requirements, a Beyond Design Basis Earthquake (BDBE) was taken into account in the original design of the plant: The BNPP design basis earthquake (DBE) was set-up at 0.24g, and additionally, it was required in the design procedure that the safety of the plant is proved for seismic excitation 40% higher than the DBE Seismic hazard a) Investigations at different scales The IAEA safety guide on seismic hazard assessment recommends that geological geophysical and geotechnical investigations are carried out at 4 scales from regional investigations to site area investigation. In this regard, recommendations of the IAEA in 1997 were that the documentation related to the findings for fault investigations should be completed relating to: Dulovo source zone Fore-Balkanides (the Gorna Orjahovitza source) Near Region of Belene (~25 km radius), especially the Novachene fault. As is visible for instance in Fig. III-5 of the Appendix 4 of the Final Report, both Dulovo and Gorna Orjahovitza sources are now characterized in terms of magnitudes of possible earthquakes. Regarding the near region investigations, additional geological investigations were conducted in with various methodologies on both banks of the Danube River with the main achievement that a possible fault along the river was excluded as well as the possibility of any active fault in the near region of the site. b) Attenuation relationships The point under discussion was regarding the use of attenuation relationships that are published in literature for sedimentary sites. Such relationships intrinsically include (or are polluted by) some site effects, which could consequently be double-counted when computing the site response. The question was then to know whether a procedure was used in order to eliminate or to mitigate such effects. In this regard, according to the state-of-the-art at the moment the best practice is that surface ground motion should be deconvoluted down to a certain depth and reconvoluted for the purpose of site specific response studies or soil-structure interactions studies. In spite of the current state-of-the-art, this practice is not satisfactory for the following reason: as they are obtained from averaging data from different sites, UHRS (Uniform Hazard Response Spectra) are smooth spectra. Consequently the deconvolution procedure creates a valley in the frequency content of the in-depth response spectrum, which is physically meaningless. As a matter of fact, this type of site specific response spectra are not site specific and should therefore be handled with care. 14

15 This state-of-the-art practice was implemented for the Belene site, the deconvolution being carried out down to a depth corresponding to a 700m/s shear wave velocity. This is a rather low velocity but still reasonable. c) Epistemic uncertainties Epistemic uncertainties were taken into account through a logic tree, presented in the Fig. VI-3 of Appendix 4 of the Final Report, resulting in a total of close to 8000 hazard curves. This logic tree, which was peer-reviewed by international independent experts, was not discussed further. d) Consistency of site specific hazard assessment with hazard assessment at the scale of the Bulgarian territory The official map of seismic hazard in Bulgaria, issued in application of the Eurocode 8 is presented in the Appendix A-3-3. The Bulgarian government decision was to issue a map corresponding to a 1000 years return period. It appears from this map that the Belene site is located in a region where the hazard to be taken into account is ranked at 0.15g. According to the hazard curve presented by the counterpart in the Appendix A-3-2, the PGA median value for a 1000y return period on the Belene site is 0.14g, which is consistent. Consistency of seismic hazard at the borders of Bulgaria was examined by the counterpart. For this purpose an independent evaluation was requested from the Federal Institute for Geosciences and Natural resources, Hannover. The conclusion is that the Bulgarian evaluation at the scale of the national territory is consistent with an estimate carried out at the scale of the Balkan area Seismic design a) Soil profile and liquefaction In the Appendix 4 of the Final Report, a soil profile of the Belene site is presented (Table VII-7), which exhibits an 8m deep upper layer of hydraulic sand fill, with shear wave velocities from 160 to 230 m/s, lying on clay layers with a little more than 300m/s shear wave velocities. The top of this upper layer corresponds to the site platform that was elevated up to the altitude of 28.5 m for the purpose of protection against flooding. The BNPP reactor building is founded at the level m on an artificial compacted gravel-sand bed. (The natural soil was removed and replaced when the site was selected for a new NPP construction 30 years ago) At the altitude of 9.30 m, this artificial layer lies on a natural gravel layer, the shear wave velocity of which is at least 700m/s. The periphery of this foundation layer is made of sandy soil, which is not susceptible to liquefaction under BDBE conditions (soils possibly susceptible to liquefaction under BDBE conditions are not located under the nuclear island). However in order to provide additional confidence in the foundation system of the nuclear island, the decision was made to improve these sandy soils by a systematic jet grouting campaign. b) Soil-structure interaction and consequences on FRS generation BDBE floor response spectra (FRS) should be available in order to evaluate the equipment robustness under BDBE condition. An option could have been to inclusively multiply the DBE response spectra by a 1.4 factor (and possibly to enlarge them in order to account for some non linear behaviours). The decision made by the Russian designer was to recompute the FRS, taking 15

16 into account consequences of the increased input motion level on the degradation of soil stiffness and amplification of soil damping and structural damping. c) Equipment A key point for the BNPP seismic safety is that the practical implementation of the BDBE requirement was addressed by encompassing the entire seismic category 1 SSCs and by considering the above mentioned BDBE FRS as input loads in the design process in a similar manner as the DBE FRS. In the spirit of margin assessment, a conventional SMA (Seismic Margin Assessment) would also have been possible, meaning that a limited equipment list (the Safe Shutdown Equipment List in the conventional terminology) would have been considered and evaluated on the basis of revised criteria. Such an approach would have been regarded as acceptable according to the IAEA policy. However, as compared to this conventional SMA, both the scope of considered equipment and the engineering approach retained for the BNPP provide additional confidence in the plant robustness Flooding a) Natural flood The counterpart has presented two cases of natural flooding situation years return period leading to a water level of m, years return period leading to a water level of m, to be compared to the site platform level is 28.50m. The point under discussion was about the combination of the natural flood with other possible causes of flood; mainly dam breaks upstream of the plant and extreme weather conditions. b) Considerations about dams on the Danube River There are two major dams existing upstream on the Danube River, Iron Gate 1, 370 km, and Iron Gate 2, 290 km from the site. There are also projects of new dams, the Nikopol-Turnu Magurele dam, to be constructed 14 km upstream and the Silistra-Calaraci dam, to be implemented approximately 180 km downstream. These two non-existing dams were considered by the counterpart as if they were already implemented. The counterpart has considered 4 variants of broken/ non broken dams, the more conservative variant being of course the case when the 3 upstream dams are broken and the downstream dam is not (Variant4). c) Combination with natural flood The wave induced by a dam break is highly dependent on the head at the moment when the dam breaks. The head itself is depending on the river flow. For instance at the Iron Gate 1 dam, the operational head is 70 m for a Danube River flow of m3/s (corresponding to normal operation) while, for operational considerations, it is only 63 m when the water flow is 15000m3/s, which corresponds to a 100y return period situation. The table hereunder summarizes outputs on analyses that were carried out accordingly for two combinations of Variant 4 with natural flow of the Danube River 16

17 Combination Flow in m 3 /s Return Period Absolute level of Danube River at the Belene site in m Normal operation y Combinations of natural Danube River flow with the most unfavourable case of dam break (Variant4) Combination 2, corresponding to the most unfavourable dam rupture cumulated to the 100y return period of natural flow is a good safety practice. However it appears that, for the case of the Belene site Combination 1 is more conservative on the view point of flood hazard. d) Combination with extreme meteorological events Additionally to the above mentioned combination 1, extreme meteorological events were taken into account, including wave effect induced by extreme winds and impact of extreme rains on the river level, leading to an additional inclusive 0.5 m, on the basis of expert assessment. Finally the higher level of the Danube River in front of the site was calculated at 27.81m, which is 70 cm below the site platform level. e) Other considerations It has to be mentioned that in case of variant 1, the maximum induced wave level will appear at the sites after a little more than 2 days, which provides time for the operator to take appropriate actions. Also it should be noted that all the analyses were carried out assuming the Romanian bank of the Danube River is equipped with a dike as high as it is on the Bulgarian side. At the moment there is no such dike on the Romanian side. 3.3 Conclusions and Suggestion Aircraft crash It is not possible to disclose, in this report, all information which was exchanged during the discussions with the counterpart. Based on these exchanges, the opinion of the IAEA team is that the BNPP has an adequate robustness against large commercial aircraft crashes and that in addition, extra mechanical margins are still available Seismic hazard Regarding seismic hazard assessment, in the line of the conclusions of the IAEA 1997 site safety review, and with reference to the IAEA Safety Standards on seismic hazard, the counterpart has properly supplemented the site documentation with the requested different scales. A major output is that the assumption of a possible fault along the Danube River as well as a possible active fault 17

18 in the near region of the site can now be rejected, along with the possibility of any active fault in the near region of the site. Recent developments (since the previous IAEA mission in 1997) of the BNPP site PSHA were carried out as per the state-of-the-art on the subject. In particular, attention was paid to attenuation relationships for sedimentary sites. Generally speaking, and independently of the BNPP case, uniform hazard response spectra derived from such relationships should be considered with care because of their lack of actual physical meaning in terms of site specific response spectra. PSHA output is consistent with the seismic hazard assessment established at the scale of the Bulgarian territory. A significant output is that the BDBE (1.4 x DBE), is estimated as corresponding to the median value of seismic input motions with an annual probability of exceeding of the order of Seismic design Regarding seismic design, it is clear that, due to the original design provision that the plant should be safe under a BDBE that exceeds the DBE by 40%, the BNPP has an intrinsic significant robustness against earthquakes. It has to be pointed out that the 40% margin in the seismic input motion was not consumed by the verification process of the equipment (keeping in mind that some components are not yet selected) because this verification process was conducted as per the design procedure and criteria. Of course such a prudent approach is only possible for a new NPP and could not be implemented on an existing plant Equipment qualification There are components that are subjected to qualification by test both for aircraft crash and earthquake excitation. For these components, it is recommendable that some margins are taken in the qualification procedure and that equipment implementation is carried out with due care so as to achieve similar levels of margins as obtained by analysis Flooding Natural flood with return periods of 1000 years and years were taken into account by the counterpart, as well as consequences of dam ruptures and effects of extreme meteorological events on the Danube River water level. Combinations of these different causes were properly considered. The conclusion is that even in the worst case, there is still a margin of 70 cm between the site platform level and the water level. Suggestion 3.(1) The operating organization should consider taking some margins during the qualification of components to be qualified by test and that equipment implementation is carried out with due care to achieve a similar level of margins as obtained by analysis. 18

19 4. LOSS OF ELECTRICAL POWER AND LOSS OF ULTIMATE HEAT SINK 4.1 Status of national legislation in the area of design safety Design safety is mainly covered by existing Bulgarian legislation, in particular the Regulation on Ensuring the Safety of Nuclear Power Plants. Here, Chapter 2 Design Basis and Safety Assessment, and Chapter 4 Safety Requirements for Design of NPP and Plant Systems, with following Subchapters are relevant: I General Requirements to NPP II Reactor Core-Structure and Characteristics III Reactor Shutdown Systems IV Reactor Coolant System V Heat Removal System VI Control of the Technological Processes VII Protection Safety Systems VIII Localization Safety Systems IX Supporting Safety Systems 4.2 The Belene NPP design The Belene NPP design represents a combination of proven WWER-1000/V-320 design, and new systems and components, and also of 4x100% redundancy of active safety systems instead of 3x100% as in previous designs. In addition to the big water reserves in the secondary circuit, this reactor type is equipped with 8 additional stage 2 hydro-accumulators with a water volume of 120 m³ each, and an enlarged Spent Fuel Pool what gives significant additional fuel cooling time margins in case of accidents. A WWER-specific design feature is the location of the spent fuel pool (SFP) inside the containment. A significant improvement has been made for the containment, forming the ultimate barrier to the radioactive products release into the environment. It is designed as a double-shell structure with an internal shell of pre-stressed reinforced concrete with a hermetic metal liner and an external shell made of non-pre-stressed reinforced concrete. The external shell is designed to withstand external impact loads such as large passenger and military aircraft crash, external air-blast waves, extreme winds, snow, temperature and seismic impact. The internal shell is designed to withstand design basis accidents and simultaneous seismic impact. All safety systems are accordingly seismically qualified. 19

20 In case of LOCA, containment pressure is reduced by an effective spray system which also washes out radioactivity from the containment atmosphere. Hydrogen explosion hazard is excluded by the use of passive autocatalytic re-combiners. Defense-in-depth is further improved by applying the principle of designing the protective safety systems in such a way that all main safety functions are performed both by active and a full set of passive systems, which are able to ensure safety independently. They do not replace the existing active safety systems, but complement them. Thus, each safety function is ensured at least by two independent design principles, which results in significantly higher reliability. Each train of safety systems is fed from a category I DC power supply including two accumulator battery types with a capacity for 2 hours (active systems) and for 24 hours (passive systems). No operator action is required for mitigating design basis events for at least 30 minutes after the initiation of the event. The passive safety systems are designed to bring and to keep the plant in a safe condition for at least 24 hours. It is assumed that during this time the power supply and active systems can be restored. In cases that electrical power is needed for instrumentation or valves operation, these systems are equipped with batteries of 24 hours capacity at least. Following the Fukushima accident and in accordance with the EU stress test conditions, the potentiality for sufficiently longer time periods needed for restoration of AC emergency power have been investigated and demonstrated in the Complimentary Safety Assessment Report Stress Tests for Belene NPP. For reactor emergency control, the active system is the reactor SCRAM system using an increased number of control rods in comparison to earlier WWER-1000 designs, able to keep the core under subcritical conditions during cooldown up to 60 C considering also the replenishment by borated water to compensate to volume reduction. According to information given by the plant designer during the meeting, this value is related to the first core loading only, but would further decrease below 20 C for the equilibrium cycles. The passive equivalent is the quick boron injection system, situated in the cold legs of each of the four coolant loops and available during ATWS in parallel to the active high pressure emergency boron injection system. This becomes active also in case of primary circuit leakage through steam generators. Together with the emergency core cooling system it provides the active part to cope with LOCA; the complementary passive systems are the 1st and 2nd stage hydro-accumulator systems. Another specific feature of this reactor design is the combination of the function of systems for normal operation and of safety systems, in order to increase their functional reliability. Between those one can mention the system for emergency and scheduled cooling down of the primary circuit, combined with Spent Fuel Storage Pool Cooling, as well as the Steam Generator Emergency Cooldown System, combined with the steam generator Blowdown System. The complementary passive system to the latter is the Passive Heat Removal System providing the possibility to either keep the reactor in hot standby conditions following a Station Blackout (SBO) (assumed to be of short duration), or to perform cooldown with permissible speed, up to cold subcritical conditions in interaction with other passive safety systems. The heat exchangers of this system are situated outside the containment and the cooling medium is air. It is demonstrated in the Intermediate Safety Analysis Report (ISAR) that the Passive Heat Removal System excludes the need of the Emergency Feedwater System, typical for other reactor types. Extensive safety demonstration and justification is provided in the Interim Safety Analysis Report, currently under review at BNRA. It was however not the aim of the current mission to review the depth and sufficiency of such justifications. 20

21 The Russian Federation experts have presented some additional information from recent tests performed at test facilities and at Kudankulam NPP during the commissioning phase. Regarding the question, if the isolation valves of the PHRS could be interlocked by mistake, the following statement was made: The valves installed for isolation of the PHRS heat exchangers from the SG are located inside the containment and foreseen mainly for the purpose of repair, and therefore not interlocked. They can be operated manually (in site) or remotely from the Main Control Room (MCR). A wrong (closed) position of any train of the PHRS during plant operation is evident in the MCR. The existing system at Belene NPP Automatic check of safety systems readiness for operation is permanently monitoring and analyzing the status of all safety systems, depending on the current plant status. This confirms the correct position of all valves, independently if they are interlocked or not. Therefore, the wrong positions of any PHRS isolation valves are indicated in the MCR. Regarding the question of system failure (potential that non-condensable gases could block the circulation inside the heat exchangers), it was explained that non condensable gases from the secondary water cannot be expected, as the water has passed the deaerator. Potential ingress from the primary circuit (leakages through defect SG bundles) can be excluded, because this is monitored by N16 measurements in the main steam system during normal operation.the system s parts at the outside shell are protected from external hazards. by protective concrete housings 4.3 Loss of electrical power supply In case of Loss of Offsite (AC) Power, each unit has four emergency diesel generators (DG), dedicated to each safety train and cooled by water from two spray pools. For DG long term operation, the design foresees the following on-site fuel reserves: 2 storage tanks for 72 hours of operation of each DG (one train has 100% capacity), on-site fuel storage for two units has reserve capacity for 21 days (for all 8 emergency DG), or 16.9 days including needs for the two additional unit dedicated SBO DG s. The fuel could be supplied to the DG buildings by a pipeline or tankers. For the loss of all AC power supply sources (Station Blackout), when all active safety systems become inoperable it is considered in the design and demonstrated, that within 24 hours the safety limits of the reactor unit are not violated. Maintaining the reactor installation in a hot subcritical state with the primary circuit in natural circulation is ensured without active systems operation by the passive secondary side heat removal system (PHRS) for at least 24 hours from the beginning of the accident. This duration is assumed in the design as the time period available to restore the AC power supply sources. If necessary, the PHRS can be brought by the operator to a mode of reactor cooldown by opening of a control device, supplied from the emergency power supply system, first category. In case of Station Blackout (SBO) this power supply is ensured by DC accumulator batteries, which are foreseen for management of beyond design basis and severe accidents as having a capacity for 24 hours. Once activated and switched into cooling mode, the PHRS system does not need additional electrical supply to bring and keep the primary circuit in safe cold conditions. Corresponding analyses are part of the utilities demonstration. According to the EU stress test conditions the utility has analyzed the time margins in case of SBO duration beyond 24 hours, until fuel damage would occur. In this condition, the plant safety 21

22 relies on continued operation of the PHRS. For demonstration, two scenarios were chosen: availability of only two PHRS trains (scenario A1), and parallel operation of all four trains of PHRS. The system becomes operational within 30 seconds after loss of AC power, and automatically starts to operate in pressure maintaining mode. This is according the design, to keep the reactor in hot standby, assuming that AC power could be restored within reasonable time. To start the cooldown process, the operator manually switches the system to the cooling mode. In the analyses presented, it was conservatively assumed that this step would be done 1.9 h after beginning of the SBO. The only existing primary leakages to be considered are those from the main cooling pumps seals, the value being taken from the manufacturer s data, but this was increased by a factor 10 commencing 24 hours after beginning of SBO. It was demonstrated that the PHRS system is effective in performing the cooldown in the unfavorable case within 24 hours and that water reserves in the primary circuit, including the hydro-accumulators stage 1 and stage 2, are sufficient for long term cooling. In SBO of the unit (without LOCA) the time margin up to uncovering of the nuclear fuel, while maintaining the mass flow of the leakage through the MCP sealing, is 159 days and 231 days for the scenario with operation of 2 PHRS trains and four PHRS trains respectively. Accumulator batteries supply is not needed in this mode of operation. The possibility to stop all the primary leakages by closing valves in the corresponding lines of pump sealing system exists, but was not conservatively considered in the analyses. The analyses performed and their results have been discussed during the expert mission and found satisfactory. It was demonstrated that even under conservative assumptions the time margins are sufficient. Reliable operation of the Passive Heat Removal System is a basic precondition in all cases to cope with this BDBA. The technical possibilities to use the unit s SBO Diesel Generator (DG) for Accident Management measures and the use of a mobile DG for recharging the accumulator batteries were also discussed. The team conclusion is that the Belene design provides good features to cope with SBO conditions during the long term without the need for additional means. The availability of sufficient time margins before uncovery of the fuel in the reactor is based on significant water reserves for passive supply into the primary circuit (Hydro-accumulators stage 2 have 960 m³) and the efficiency of the PHRS Loss of ultimate heat sink As a next step, the utility has investigated the unit s conditions after loss of the ultimate heat sink (water in spray pools). It concluded that the reaction of the unit to the initiating event Complete loss of ultimate heat sink is the same as for the initiating event SBO. This is justified as follows: the loss of alternative ultimate heat sink leads to loss of safety systems, including DG, because of loss of their cooling, and thus in consequence to total loss of AC power supply (station blackout); all initiating events leading to loss of ultimate heat sink eliminate the active safety systems and actuate the passive safety systems; 22

23 the analyses that have been performed and the results reported for SBO are fully valid also for the initiating event Loss of ultimate heat sink. However, also in this case the performance of the main safety functions of the passive safety systems, in particular the PHRS actuation, does not depend on the loss of ultimate heat sink. The available time margins are therefore similar to SBO: At least 159 days (more than 5 months) are available without uncovering of the fuel under the conservative conditions that Only two of four PHRS trains are available all of the time Primary (isolable) leakages were not isolated by the operator Electrical energy supply was not restored Hydro-accumulators stage 2 were not refilled. The following issues were discussed during the expert mission: -The possibility to supply the spray pools with artesian water for an unlimited time (through pumps, supplied by the reliable power supply sections). -The team agreed with the conclusion that SBO and Loss of Ultimate Heat Sink lead to the same plant conditions. The time margins determined on the basis of analyses are sufficient to take extraordinary measures when necessary. Active and passive systems are adequate to reach the required level of safety Combination of loss of ultimate heat sink with station blackout In a final step the utility has presented results of investigation of combination of loss of ultimate heat sink with Station Blackout with the conclusion that also here the results are the same: The demonstrated time margins are 159 days at least before uncovery of the fuel elements in the reactor at the same conservative conditions as discussed in part Estimation of time margins in case of shutdown reactor In addition to the analyses discussed before, it was also assessed regarding the time margins until fuel damage in case of SBO for the fuel in the reactor in shutdown states. The assessments were made for the following modes of the units: Cold state (N=17.24 MW, 24 hours after shutdown), reactor coolant system sealed and SG drained on the secondary side, water level in the pressure vessel 400 mm under the main reactor flange; Cold state (N=13.69 MW, 48 hours after shutdown), unsealed primary circuit, Cooling water level 400 mm under the main reactor flange; Cold state (N=12.05 MW, 72 hours after shutdown), unsealed primary circuit, before core reloading, cooling water level elevation