Method of the Safety Margins Management of Nuclear Power Plants

Background. At present only one widely used methodology allows the NPP safety level to be measured numerically and supports safety optimization: Probabilistic Safety Assessment. Nevertheless, NPP safety is still justified using the deterministic approach. The main tool of the deterministic approach, Design Basis Accident Analysis, is used for NPP design and safety justification. It has a widely recognized and well-established methodology, procedure and experience of application. Thus, there is a contradiction between safety measurement and safety justification.

Objective. The article presents the concept of a method that, on the basis of the deterministic approach, allows the safety margins of a Nuclear Power Plant to be evaluated and managed for the purposes of safety and expenses optimization.

Methods. The Design Basis Accident (DBA) Analysis was applied as the main tool for the deterministic approach and for the calculation of safety margins. The main objective of DBA analysis is to demonstrate, using a conservative approach, whether the so-called acceptance criteria established and justified in the NPP design are exceeded. Since acceptance criteria have different physical background, dimensions and numerical values, it is proposed to transform them into dimensionless form by dividing the value of the corresponding calculated parameter by the value of the acceptance criterion. The result of this ratio is the dimensionless safety deficit, while the difference between the dimensionless acceptance criterion (which is always equal to 1) and the safety deficit is the dimensionless safety margin. It is also proposed to establish for each acceptance criterion a 10 % zone (its lower boundary corresponds to 0.9, the value of the limiting safety deficit) as a deterministic safety criterion and to apply it in the nuclear regulations. If the calculated value of the safety deficit is within this zone, it is proposed to apply a time limitation and to recognize the need to develop and apply safety measures that decrease the safety deficit. Such a method reveals both safety deficiencies and excessive safety margins.

Results. The proposed method was applied to the DBA Analysis of Zaporizhzhya NPP unit 5. Safety deficits were evaluated for each initiating event and the corresponding safety profiles were drawn for each acceptance criterion.

Conclusions. The method is recommended for use in regulatory activity, during NPP design and operation, and for justification of the safety systems maintenance and repair activity at reactor power operation.


Introduction
At present, the nuclear industry is under great and constant pressure, especially after the Fukushima accident. This leads to costly requirements demanded both by traditional international organizations like the IAEA and by public organizations like Greenpeace. Meanwhile, Ukrainian nuclear law [1] and IAEA [2] policy still state that the utilization of nuclear power should not be unduly limited.
This situation requires a balance between a high safety level of Nuclear Power Plants (NPPs) and the expenses needed to support it. Currently, the most applicable approach for establishing this balance is Integrated Risk-Informed Decision Making (IRIDM) [3]. IRIDM is widely applied at US NPPs, and the IAEA encourages its application by other countries, for example in publication INSAG-25 [4]. This approach is based on the evaluation of multiple safety factors such as defense-in-depth, safety culture, risk, deterministic safety margin, nuclear security, etc. Meanwhile, all these factors are qualitative except the probabilistic one. This creates cases when safety decisions are made based mainly on risk considerations. Therefore, it is generally accepted to justify safety using deterministic approaches complemented by probabilistic safety assessment. In other words, IRIDM lacks a quantitative deterministic factor that is capable of providing a numerical measurement of the safety level and of allowing the safety to be managed, and thus of supporting more justified and balanced decision making on the safe and reliable operation of NPPs.

Problem Statement
As demonstrated above, there is a need to develop a deterministic method and criteria that are capable both of complementing the existing NPP safety management approach and of standalone application.
Thus, the purpose of the article is to demonstrate a deterministic method that, on the basis of the existing methodology of deterministic safety analysis, allows safety and the safety level to be evaluated numerically both for a Nuclear Power Plant (NPP) and for each physical safety barrier. It should satisfy the provisions of the fundamental safety principle "Optimization of Protection" [2]. These capabilities could be realized either by independent implementation of the method or in the framework of Integrated Risk-Informed Decision Making.
Such a method would eliminate the contradiction between the deterministic safety justification of NPPs and safety improvement, which currently is based entirely on Probabilistic Safety Assessment (PSA).

Theoretical Basis of the Method
The main objective of DBA analysis is to demonstrate, using a conservative approach, whether the so-called acceptance criteria (or safety limits) established in the NPP design or in the norms, rules and standards on nuclear and radiation safety are exceeded. In general, acceptance criteria are expressed through certain reactor parameters and are established to protect the physical safety barriers (fuel, fuel rod cladding, boundaries of the reactor coolant system, containment). These parameters are calculated in DBA analysis and characterize the effectiveness of the safety systems. The relations between the safety barrier, the acceptance criterion and the calculated conservative parameter are shown in Fig. 1.
It is evident that the larger the safety margin, the safer the reactor facility. Given that, it is proposed not to stop at determining whether the acceptance criteria are exceeded, but to go further: to calculate the difference between the acceptance criterion and the value calculated in DBA analysis, that is, to evaluate the margin or, in other words, the safety margin. Since acceptance criteria have different physical background, dimensions and numerical values, they cannot be handled in that form. It is proposed to transform them into dimensionless form by dividing the value of the corresponding calculated parameter by the value of the acceptance criterion, in order to establish a basis for comparative analysis. The result of this ratio is the dimensionless safety deficit, while the difference between the dimensionless acceptance criterion (which is always equal to 1) and the safety deficit is the dimensionless safety margin.
Mathematically, the safety deficit can be expressed as:

$$D_i = \frac{R_i}{K_i} \qquad (1)$$

where $D_i$ is the safety deficit for acceptance criterion number $i$; $R_i$ is the calculated conservative value of the parameter for acceptance criterion number $i$; $K_i$ is the value of acceptance criterion number $i$. As follows from the above definition, the dimensionless acceptance criterion is always equal to 1. The dimensionless safety margin is calculated as:

$$1 - D_i$$

Introducing the dimensionless approach makes it possible to develop a method for safety margin management, since the impact of different initiating events, safety barriers and reactor facilities on safety margins can now be compared, and a new regulatory requirement can be established in the form of a dimensionless deterministic 10 % safety criterion. Some additional definitions might also be useful and are provided below.

Average Value of Safety Deficit could be defined for an initiating event, safety barrier or acceptance criterion: where ij N -number of initiating events for which i -acceptance criterion index; j -initiating event index.

Safety profile: safety deficit values plotted on a single scale. It allows a visual evaluation of the safety deficits and dimensionless safety margins that indicate a lack of safety or demonstrate excessive safety.

Deterministic Safety Criterion: the minimal margin to the acceptance criterion that is established in the norms, rules and standards on nuclear and radiation safety. It is proposed to use a 10 % margin (see Fig. 3). If the conservative calculated value is within the 10 % margin, special safety measures should be undertaken.
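The definitions above (safety deficit as calculated value divided by acceptance criterion, margin as one minus the deficit, and a 10 % zone starting at 0.9) can be applied as in the following added example, which is not code from the article. It covers only upper-limit criteria, using limits quoted on this page; the calculated values are constructed, and both the arithmetic mean and the inclusive zone boundaries are assumptions.

```python
from collections import defaultdict
from statistics import mean

LIMITING_DEFICIT = 0.9  # lower boundary of the 10 % zone proposed on this page

# Upper-limit acceptance criteria K quoted on this page.
CRITERIA = {
    "rcs_pressure": 207.0,          # kg/cm2
    "sg_pressure": 92.0,            # kg/cm2
    "containment_pressure": 5.0,    # kg/cm2
    "cladding_temperature": 1200.0, # deg C
}

# Constructed sample (initiating event, criterion, conservative value R).
# Illustrative numbers only, not data from the Zaporizhzhya analysis.
SAMPLE_RESULTS = [
    ("IE-A", "rcs_pressure", 196.65),
    ("IE-B", "rcs_pressure", 165.6),
    ("IE-A", "sg_pressure", 87.4),
    ("IE-C", "containment_pressure", 3.0),
    ("IE-C", "cladding_temperature", 1260.0),
]

def safety_deficit(calculated, criterion):
    """D = R / K for a criterion that sets an upper limit (K > 0)."""
    if criterion <= 0:
        raise ValueError("acceptance criterion must be positive")
    return calculated / criterion

def classify(deficit):
    """Place a deficit relative to the criterion and the 10 % zone.
    Treating D == 0.9 and D == 1.0 as inside the zone is an assumption."""
    if deficit > 1.0:
        return "criterion exceeded"
    if deficit >= LIMITING_DEFICIT:
        return "within 10 % zone"
    return "outside 10 % zone"

def safety_profile(results, criteria=CRITERIA):
    """Return per-event rows and the mean deficit per criterion
    (arithmetic mean assumed; the page's averaging formula is not shown)."""
    rows, by_criterion = [], defaultdict(list)
    for event, name, value in results:
        d = safety_deficit(value, criteria[name])
        rows.append({"event": event, "criterion": name, "deficit": round(d, 3),
                     "margin": round(1.0 - d, 3), "status": classify(d)})
        by_criterion[name].append(d)
    averages = {name: round(mean(ds), 3) for name, ds in by_criterion.items()}
    return rows, averages
```

Calling `safety_profile(SAMPLE_RESULTS)` returns one row per initiating event and criterion, from which a safety profile can be plotted on a single 0 to 1 scale.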

Practical Demonstration of the Method
According to the DBA methodology [5], acceptance criteria are established separately for transients (the frequency of these Initiating Events (IE) is more than once per 100 years) and postulated accidents (the frequency of these IEs is less than once per 100 years). In total, there are 7 acceptance criteria that are established in the NPP design and in the norms, rules and standards on nuclear and radiation safety for WWER-1000:
1. Departure from Nucleate Boiling Ratio should be more than 1.
2. Maximum fresh fuel temperature should be less than 2840 °C, and 2570 °C for spent fuel.
3. Maximal fresh fuel enthalpy should be less than 963 kJ/kg, and 840 kJ/kg for spent fuel.
4. Pressure in equipment and piping should not exceed the operational one by more than 15 %:
   - for the reactor coolant system it is 207 kg/cm²;
   - for steam generators, 92 kg/cm².
5. Maximal containment pressure and temperature should be less than:
   - 150 °C;
   - 5 kg/cm².
6. Maximal design limit should be less than:
   - fuel cladding temperature 1200 °C;
   - depth of cladding oxidation 18 %;
   - portion of reacted zirconium 1 % of its mass in the fuel claddings.
7. Maximal value of radioactive releases should be limited by:
   - 0.3 Sv to the thyroid gland due to inhalation;
   - 0.1 Sv for the whole body due to external irradiation.
The first acceptance criterion is valid only for transients. The fourth acceptance criterion is applied to both transients and postulated accidents. The rest are used for postulated accidents only. It should be noted that acceptance criteria for transients are stricter than for postulated accidents (PA), since prevention of accidents is of more concern than mitigation.
Based on the documentation of the Design Basis Accident Analysis for Zaporizhzhya NPP Unit 5 [6] with the WWER-1000/320 reactor (in total, there are 11 such reactors in Ukraine), the calculated values of the parameters that correspond to the relevant acceptance criteria were converted to dimensionless form using equation (1). Equations (2) and (3) were used to quantify average values of the Safety Deficits (SD). These data were used to draw diagrams for each acceptance criterion and each initiating event. The results of this effort are provided in Figs. 4-13.
It should also be noted that in DBA analysis different sets of acceptance criteria are applied to different initiating events. Figs. 4, 5 and 6 demonstrate significant safety margins for acceptance criteria #1, 2 and 3 calculated for transients (acceptance criterion #1) and postulated accidents (acceptance criteria #2 and 3). That is, there are excessive safety margins. This fact shows significant potential for optimizing the expenses related to the systems involved in these initiating events while preserving a high level of safety.
As can be seen from Figs. 7 and 8, for acceptance criterion #4 on primary and secondary pressures the deterministic safety criterion (10 % zone) is violated for a number of initiating events, both transients and postulated accidents. This means that initially hidden safety deficits are revealed, and corresponding safety measures shall be developed and implemented in this respect. This involves an analysis of the reasons that led to such results and a search for effective measures that are able to decrease the level of the safety deficits.
For the acceptance criteria on containment boundaries, violation of the deterministic criterion is also observed (see Figs. 9 and 10). Compared with the violation for acceptance criterion #4, the safety margins for containment boundaries are larger. Nevertheless, relevant safety measures shall be developed and implemented here too.
Significant safety margins are observed for the acceptance criterion on radioactive exposure. This does not necessarily mean that the excessive safety margins allow measures to decrease the associated expenses, since the relevant initiating events involve containment bypass via a failed steam generator. This is a good example of the fact that any methodology should be applied very carefully and any decision based on a methodology should be well justified.

Conclusions
The developed method allows the safety deficits and excessive safety margins to be evaluated for each initiating event (transient or anticipated accident) and each acceptance criterion. Introduction of the average and integrated safety deficit makes it possible to perform comparative analysis between different initiating events, acceptance criteria, physical protection barriers and types of nuclear reactors.
It is also proposed to establish for each acceptance criterion a 10 % zone (corresponding to a limiting safety deficit value of 0.9) as a deterministic safety criterion and to apply it in the norms, rules and standards on nuclear and radiation safety.
A graphical representation of the safety deficits evaluated for the initiating events, acceptance criteria and physical protection barriers reflects the safety profile and demonstrates violation of the deterministic safety criterion and deviation from the average value of the safety deficit. This reveals both safety deficiencies and excessive safety margins. While the former require the development of corresponding safety measures, the latter establish the basis for implementing the "Optimization of protection" fundamental safety principle and for developing measures aimed at decreasing the expenses on reliable and safe NPP operation while keeping the established high level of safety. The process of achieving both purposes forms the basis of safety margin management.
The proposed method was applied using the Design Basis Accident Analysis of Zaporizhzhya NPP unit 5. Safety deficits were evaluated for each initiating event and the corresponding safety profiles were drawn for each acceptance criterion. As a result, the violation of acceptance criteria on primary, secondary and containment pressure was revealed. Excessive safety margins were also revealed, which provides possibilities for a justified decrease of the expenses spent on safety.
The method is recommended for use in regulatory activity, during NPP design and operation, and for optimization of the safety systems maintenance and repair activity and its performance with the reactor operating at power.
The method also has good potential for further development into a complete methodology and procedure that can be used both for independent application and as part of the IRIDM approach.