Abstract

The safety behaviors of a nuclear power plant (NPP) after an external hazard-initiated event, as well as after a small break (SB) loss of coolant accident (LOCA), are already well known as part of the analyses made for standard license application. The coincidence of both events leads to a beyond-design basis consideration. Such a combination of both event categories is investigated by means of the thermohydraulic system code ATHLET. The scenario assumes an external event with a LOCA caused by induced vibrations on a small pipe attached to the primary circuit, although all pipes are designed to withstand the loads created by such an external event. Furthermore, in the context of both robustness and enveloping analyses, both a loss of offsite power (LOOP) and an unavailability of the emergency diesel power supply are postulated. The NPP in the scenario considered only has access to the passive accumulators and to systems supplied via the safeguard emergency diesel engines (second quartet of emergency diesel engines), which are housed in the bunkered emergency feed building. The dedicated type of external event itself is not in focus, but rather the thermohydraulic behavior of the NPP is considered. Apart from the model's assumptions, the accident sequence is explained in detail. The remaining systems for emergency core cooling are capable of handling the LOCA under such demanding boundary conditions. Long-term cooling can be ensured. Furthermore, heat removal out of the core is always sufficient. Eventually, all safety protection objectives have been complied for this beyond-design basis scenario.

Introduction

The scenario investigated here is an evaluation of the robustness of the safety system of a German Siemens Kraftwerk Union (KWU)-type pressurized water reactor (PWR), considering the impact on the nuclear power plant if an external event should coincide with an internal “loss of coolant accident” (LOCA). According to “Safety Requirements for Nuclear Power Plants” [1], external hazard-initiated events are very rare. The scenario is a theoretical consideration of robustness far beyond-design basis.

The basis of the safety protection concept for external events demands that the reactor cooling system is not affected. By means of appropriate measures, such as structural protection and consideration of all occurring loads, a LOCA as a consequence must not be considered [2]. Vibrations caused by an external impact must be taken into account in accordance with the German Reactor Safety Commission (RSK) guidelines [3]. The mechanical, electrical, and instrumentation and control (I&C) facilities in the reactor building and bunkered emergency feed building, which are required especially for residual heat removal, are designed to withstand these induced vibrations [2].

Nevertheless, in the scenario considered here, a small pipe attached to the primary circuit fails due to the induced vibrations, precipitating the external event coinciding with a small break (SB) LOCA.

Because of the beyond-design considerations, the increased safety requirements of the defense in depth level 3 have been relaxed. This means that some mandatory malfunctions, such as single failure or maintenance case, are not taken into account during the event. In addition, a margin is not considered, neither for the core power nor for the decay heat.

It is assumed that the control room will be alerted and the reactor shutdown (SCRAM) triggered manually before the external hazard reaches the nuclear power plant (NPP). With the alert, the occupation of the emergency control station in the bunkered emergency feed building is initiated. To investigate the thermohydraulic behavior of the NPP, the analysis does not credit further manual actions from the emergency control station in order to evaluate the automatic measures of the reactor protection system (RPS). The thermohydraulic system code ATHLET Mod 3.0 Cycle A (analysis of the thermohydraulics of leaks and transients), developed by the Gesellschaft für Anlagen- und Reaktorsicherheit (GRS, Garching bei München, Germany), was applied for the current analysis [4].

For an enveloping analysis, it is postulated that a loss of offsite power (LOOP) occurs and that the switchgear building including the control room, the emergency power generating building (four diesel engines of the 10 kV-busbar, the so-called D1-busbar), and the turbine building are destroyed.

The postulate of a LOOP, combined with the unavailability of the four main emergency diesel engines, will surely cause severe problems in most of the NPPs around the world with regard to handling the scenario and the prevention of core damage. From an international point of view, a LOOP and loss of the four main emergency diesel engines are equivalent to a station blackout (SBO) scenario for most of the NPPs.

In comparison to the world-wide NPP fleet, the Siemens KWU-type PWR (Siemens KWU, Mülheim an der Ruhr, Germany) contains not only one quartet of emergency diesels—one for each redundancy—as is standard for the power supply of a 10 kV-busbar, but also a second quartet of diverse and redundant emergency diesel engines. As a special design feature of the Siemens KWU-type PWR, the so-called safeguard emergency diesel engines (which operate with lower voltage level and, therefore, are dedicated to power supply the 400 V-busbar, or D2-busbar) are also extant.

The concept of spatial separation is also realized. Although assumed to be destroyed in the studied scenario, the first quartet is housed in the (un-bunkered) emergency power generating building located on one side of the reactor building. The second quartet, housed in the bunkered emergency feed building from the construction of the NPP, is located on opposite site of the reactor building.

From a Siemens KWU reactor's point of view, the above mentioned SBO scenario in most of the NPPs around the world is “only” a “loss of the first quartet after LOOP” scenario. The remaining second quartet in the bunkered building assures steam generator feed and power supply to fundamental safety functions.

As a consequence of the 2011 Fukushima nuclear accident, risk and safety assessments (“stress tests”) were carried out on all EU nuclear power plants. In the National Report of Germany [5], it was concluded that the electrical power supply of the Siemens KWU NPPs was very robust compared to the majority of the other plants worldwide. Hence, the Siemens KWU-type PWR fulfills a high-level robustness criteria with respect to external hazards

Due to the special design feature of having additional and bunkered safeguard emergency diesel engines, not many publications exist, which treat similar postulated scenarios for other PWR types to make a comparative assessment.

In the context of applying severe accident management (SAM) measures, several investigations have been carried out with a Siemens KWU-type PWR. Wilhelm et al. [6] considered SAM measures during a complete SBO event (an extended2 SBO from an international point of view) but without SB LOCA apart from the intentional loss of coolant by opening the pressurizer valves for the mandatory primary side depressurization in the later accident sequence. Jobst et al. [7] investigated SAM measures during an SB LOCA in a Siemens KWU-type PWR but—in comparison to the investigation here—with in-principle available emergency diesel engines (D1-busbar) to supply power to the high pressure (HP) and low pressure (LP) injection pumps; hence, the active components of the emergency core cooling system were available. In a postulated subsequent event requiring SAM measures to be adopted, the alternating current (AC) power was still available, but the switch to the containment sump suction after the depletion of the flooding pools failed for the sump recirculation mode. Both Wilhelm et al. [6] and Jobst et al. [7] applied a generic Siemens KWU-type PWR model in the system code ATHLET-CD, an extended version of the system code ATHLET, which takes into account core degradation (CD).

A similar investigation with an SB LOCA in a Siemens KWU-type PWR was carried out by Gómez-García-Toraño et al. [8] using the severe accident code ASTEC V2.0. The transition to the sump recirculation mode during the accident also failed in this scenario. An SBO as a subsequent event at differing times was also considered employing SAM measures. Additionally, Gómez-García-Toraño et al. performed an investigation of an SBO event using ASTEC V2.0 in the context of SAM measures [9].

The commonality shared by the previously mentioned investigations, which assumed an SBO in the accident sequence, is that they do not describe in which sequence or by which events the bunkered and spatially separated second quartet of safeguard emergency diesel engines become unavailable, coinciding with both a LOOP and failure of the first quartet of emergency diesel engines. These scenarios can therefore be understood as theoretical considerations of robustness. The focus of these publications has primarily been on applying SAM measures and understanding their effectiveness. Malfunctions were hypothetically assumed to initiate a severe accident state for evaluating robustness. The scenario investigated in our research combines an SB LOCA with a malfunction of the AC power supply, taking into account the particular design of having a bunkered second quartet of AC power supply (in the form of safeguard diesel engines). As noted earlier, it is a theoretical consideration of robustness far beyond-design basis.

Overview of the Postulated Scenario

Due to the external hazard and its induced vibration, the assumption was made that one of the four connection pipes to the volume control system—each attached to a different cold leg—was ruptured 60 s after SCRAM was triggered manually. The rupture is located in the cold leg of loop 20, which contains the pressurizer. The cross section area of the leak is 20 cm2.

The power supply layout of a typical Siemens KWU-type PWR and the postulated losses of voltage rails are shown in Fig. 1. During the accident sequence, the RPS triggers the four safeguard emergency diesel engines to supply power to the D2-busbar. The RPS and the four safeguard emergency diesel engines are housed in the bunkered emergency feed building.

After appropriate criteria have been met in the RPS, a smooth secondary side cool down is automatically performed by a “feeding, evaporating and controlled discharge” procedure in all four steam generators separately, the so-called “100 K/h-cool down” with a corresponding gradient of 100 K/h. Initially, only an evaporating and controlled discharge procedure is performed; the D2-busbar-secured emergency feed water (EFW) system is triggered if the steam generator levels fall below the threshold value.

Because the D1-busbar is inoperable, neither the HP safety injection pumps nor the LP residual heat removal (RHR) pumps can contribute to emergency core cooling. Consequently, these pumps do not apply pressure on the primary circuit. The coolant pressure can therefore be reduced with the secondary side 100 K/h-cool down procedure as well because of the thermal coupling in the steam generators. The objective is to lower the coolant pressure below the zero flow pump head of the fuel pool cooling pumps. They are powered by the available bunkered D2-busbar. Long-term heat removal can thereby be ensured.

The inventory of coolant water will be stabilized by injecting borated water into the primary system during the ongoing accident sequence. Once triggered by a low pressurizer level, the pumps of the extra borating system, also supplied by the D2-busbar, soon start to inject water. Later, once the response primary pressure is reached, the four passive accumulators attached to each hot leg also inject borated water.

An overview of the availability of relevant systems can be seen in Table 1. Figure 2 shows the rough timeline of the accident sequence (not drawn to scale).

The electrical drive mechanisms of the safety systems are protected against the same external events as the process-engineering system to which they are assigned (corresponding to the requirement of safety standard 3504 of the German reactor safety commission (KTA) [10]). Initially, the required actuators are battery-backed for a short time. After the expiration of system-dependent delay times (waiting period and ramp-up time of the safeguard emergency diesel engines), they are powered by the D2-busbar.

Apart from SCRAM at the beginning, no further manual actions are credited. All further measures during the event sequence, such as the opening and closing of valves and the starting of pumps, are automatically carried out by triggering threshold values in the RPS.

Applied Model

For this analysis, the applied model reflects a current four-loop Siemens KWU-type PWR. The nodalization schema of the primary side as well as that of the steam generator is presented in Fig. 3.

The core has a thermal power of 3900 MW and is subdivided into four parallel channels: hot channel, hot fuel assembly channel, surrounding channel, and average core channel. The axial power distribution is an upper peak profile. All relevant control systems are modeled.

The U-tubes of each steam generator are subdivided and grouped into three bundles, with vertices slightly differing in height. Natural circulation can thus form in a more realistic manner. In the shorter U-tube-bundle with geodetically lower vertex, the liquid may already overflow into the declining part of the U-tube and drive natural circulation, while the overflow occurs later in the longer U-tube-bundles with geodetically higher vertex, or even no overflow is carried out. The overflow over the different vertices thus dampens the intensity of the slug flow from one side of the U-tubes to the other. This is noticeable in natural circulation and during the injection of the accumulators.

The downcomer in the reactor pressure vessel (RPV) is subdivided into four parallel channels, each assigned to the cold legs and again merged in the lower plenum. Cross connection objects are implemented in order to permit cross-flow between the channels. Cross connections only exist between adjacent channels in the annulus, not between opposite channels.

A detailed description of the general modeling in ATHLET can be found in the relevant documentation delivered with the program [11,12]. The limitations of the model and the scope of the simulation have already been discussed in GRS reports for the qualification of the database [13,14]. For a closer look, reference is made to these reports.

Accident Sequence and Results

For a quick overview of the accident sequence, the timeline of the scenario including actions triggered by the RPS is shown in Table 2.

Short-Term Consideration.

After triggering the manual SCRAM, 60 s will pass until the external hazard occurs, accompanied by the destruction of the switchgear building, including the control room, the emergency power generating building and the turbine building. Due to the postulated LOCA in the cold leg (Fig. 4), a quick depressurization of the primary system is carried out (Fig. 5).

With primary pressure dropping below 13.2 MPa, the 100 K/h-cool down procedure is initiated via all four secondary side controlled discharge valves (CDV) 96 s after SCRAM (the AND relation signal “containment pressure high” having been triggered earlier). The cross section area of the CDV is shown in Fig. 6. The leak mass flow (Fig. 4) decreases with the continuous reduction of the driving pressure gradient between primary circuit and containment.

About 110 s after SCRAM, the pressurizer level drops below the threshold value (Fig. 7) to initiate the emergency core cooling procedure. The emergency core cooling signal is a logical two of three selection between the threshold values for “pressurizer level low,” “primary pressure low,” and “containment pressure high.” The first signal is triggered at about 110 s, while the third is triggered slightly earlier. The signal path for initiating the emergency core cooling is cleared. However, it is suspended due to the postulated unavailability of the HP safety injection pumps. The extra borating systems are switched on by the RPS at the same time. In each of four redundancies, the extra borating system and the volume control system share the same connection pipe to the corresponding cold leg of the primary loop. Three of four extra borating pumps inject borated water into the primary system; one extra borating pump feeds the postulated ruptured pipe of the volume control system and has no contribution for core cooling. The injected water of this pump goes directly into the containment. The leak mass flow will not be compensated. Not yet.

The start of injection of the extra borating system contributes to the slowing down of the initial, very strong decrease of the pressurizer level. Due to the lack of the D1-power supplied HP safety injection pumps for active emergency core cooling injection, the pressurizer level does not recover, but its initial sharp drop resolves to a slight decrease (Fig. 7).

Bubbles first appear at the leakage once primary pressure has fallen below the corresponding saturation pressure of the coolant temperature in the cold leg. The leak mass flow converts from a single phase to a two-phase flow with a lower average density, thus the loss of coolant will be reduced (Fig. 4). Concerning the small break LOCA, the cross section area of the leakage is too small to obtain sufficient depressurization of the primary circuit. Pumps for emergency core cooling have not been started due to the lack of power supply. As a consequence, they do not apply pressure on the primary side, and the depressurization will follow the gradient of the 100 K/h-cool down procedure specified by the secondary side. With assumed LOOP as well as loss of the emergency power supply (D1-busbar), neither the main feed water pump nor the start-up and shut down pumps will be available. Therefore, the steam generator levels decrease until the threshold values for emergency feeding are attained between 1714s and 2031s after SCRAM (each steam generator separately), when the RPS initiates each EFW pump separately (Fig. 8). The injection of cold EFW leads to a reduced rate of steam generation because part of the heat provided by the primary side, the decay heat, is used as sensible heat to heat up the cold water to saturation conditions. The controller of the CDV reacts by reducing the cross section area for steam discharge (Fig. 6). The steam generators are refilled again at about 2800 s after SCRAM, and the level control of the EFW system intervenes by reducing the EFW mass flow.

About 2876 s after SCRAM, the primary pressure is reduced to the response pressure of the accumulators (2.6 MPa) (upper dashed line in Fig. 5), the four hot leg-accumulators automatically inject their coolant inventory into the hot legs3 of the primary system (Fig. 9). The injection path will be closed again by the RPS when the level falls below a certain value to avoid the injection of the nitrogen buffer. In accordance with the design, the cold leg-accumulators have already been closed by the RPS and do not inject their inventory into the cold legs. They are retained as “ultima ratio” option, to be triggered manually, which is not the case in this scenario.

The abrupt injections of the four hot leg accumulators into the hot legs cause large pulsations in the primary circuit (Fig. 9). Coolant will not only be pushed into the core but also toward the steam generator U-tubes. As a consequence, pulsating overflow takes place from the ascending part over the vertex to the declining part of the U-tubes. It can be observed by means of the leak mass flow rate. The displacement of coolant leads to intermittent density changes directly at the leak, so that a leak mass flow of pure vapor and liquid almost alternate.

The injection of comparatively cold borated water from the four hot leg accumulators into the primary system leads to a reduced heat removal from the primary side toward the steam generator secondary side, which partly interrupts the steam generation. As a result, the CDV even close completely for a short time to maintain the gradient of the 100 K/h-cool down procedure (Fig. 6).

Initially, the collapsed level4 in the RPV decreases continuously, but does not drop below the top of the core (Fig. 10). Later, the collapsed level in the RPV shows similar behavior during the pulsating accumulator injections. Overall, the collapsed level in the RPV remains above the top of the core throughout the entire accident sequence, even if the level begins to fluctuate as a result of accumulator injection.

The uppermost part of the core is covered with a two-phase mixture of water and vapor. The cooling of the core, particularly of the upper section of the fuel rods, takes place by the latent heat of the evaporating fluid, which has hardly any temperature differences along the core length (Fig. 11).

Apart from the strong fluctuations in the RPV, which are to be understood as instantaneous values, the accumulator injection tends to stop the decrease of the RPV filling level. Once the accumulator injection has finished about 4900 s after SCRAM, the pulsations disappear. Along with the rather low injection rate of the three extra borating pumps, the filling level undergoes a recovery. The coolant inventory has been increased in this manner that natural circulation sets in again. The leak mass flow increases slightly (Fig. 4). The filling level in the RPV stabilizes significantly above the top of the reactor core. The cross section area of the CDV first turns back to values before accumulator injection but increases successively in the ongoing accident sequence (Fig. 6) since the pressure difference to the environment as driving force for the discharge of steam decreases continuously with the 100 K/h-cool down procedure.

The peak cladding temperature, as well as the coolant temperature in the hot core channel, is below the full power operating temperature throughout the entire accident sequence. The temperature graphs in Fig. 11 show a steady decline appropriate to the gradient of the 100 K/h-cool down procedure, which is still in operation and furthermore reduces the primary pressure.

About 6220 s after SCRAM, the pressure has reached the final value of 0.2 MPa on the secondary side. The gradient of the 100 K/h-cool down is set to zero. In the long term, the controller holds the secondary pressure constant at 0.2 MPa, and the corresponding saturation temperature remains at about 120 °C.

Long-Term Consideration.

The primary pressure is lowered to about 0.3 MPa and remains there in the long-term accident sequence (Fig. 12). It is slightly above the secondary pressure due to the thermal coupling in the steam generator and the necessary temperature difference for heat removal.

Because of the absent cool down gradient, both the coolant and the peak cladding temperature turn into a steady-state in the ongoing accident sequence (Fig. 13). The driving force and the natural circulation decrease slightly.

With lowered primary pressure, the pressure gradient between primary pressure and containment is minimal so that the leak mass flow rate is reduced as well (Fig. 14). In the intact loops, the natural circulation still exists in the short U-tube-bundles with geodetically lower vertices until about 2.5 h after SCRAM, before it turns unstable there as well.

After the continuous natural circulation has collapsed, the heat removal from the reactor core into the steam generator takes place through reflux condenser operation, where steam from the reactor core condenses in the ascending part of the U-tubes and flows back to the RPV.

The core cooling remains ensured by the latent heat removal of the evaporating coolant. The more the coolant evaporates, the lower the average density in the core, and the resulting higher density in the colder downcomer of the RPV provides a short boost for the natural circulation. The density in the core increases and the driving force for the natural circulation decreases again. This leads to fluctuations in the filling level of the RPV in long-term behavior (Fig. 15). Changes in the coolant density occur repeatedly not only in the three intact loops, but also in the leak concerned loop, so that the leak mass flow fluctuates as well (Fig. 14).

In the long-term consideration, it can be observed that the RPV filling level (collapsed level) can be stabilized at approximately 8 m, whereas short-term fluctuations can occur repeatedly downwards. In the ongoing accident sequence, the leak mass flow is completely compensated by the contribution of the extra borating system. Figure 16 shows the integral masses of the leak mass flow and emergency core cooling injection. While the extra borating pumps constantly inject borated water from about 2 min after SCRAM, the accumulators contribute to emergency core cooling between 0.8 and 1.4 h after SCRAM. About 3.5 h after SCRAM, the integral leakage has approximately the same gradient as the integral emergency core cooling injection so that the filling level in the RPV remains constant. This kind of equilibrium between leakage and injection can also be demonstrated by means of the pressurizer level (Fig. 17), which has been completely leveled out at about 3.5 h after SCRAM.

The steam generator levels each are controlled by the EFW system. After refilling has finished, the levels remain stable (Fig. 8). Each steam generator removes approximately one quarter of the decay heat—the contribution of the leak mass flow to the heat removal is negligible—of the core in terms of releasing steam via the controlled discharge valves. To maintain the steam generator level, the EFW system has to compensate the released steam mass. Figure 18 shows the continuously decreasing inventory of the EFW tanks. Approximately 75% have been fed into the steam generators after 10 h. Manual actions are required to refill the tanks or provide other continuously operating supply of water about 14 h after SCRAM.

Alternative Accident Sequence.

In the Short-Term Consideration and Long-Term Consideration sections, the accident sequence was explained without crediting any manual actions other than the manual SCRAM at the very beginning, in order to evaluate the automatic measures of the RPS. About 5045 s after SCRAM, the primary pressure reaches 0.7 MPa (lower dashed line in Fig. 5) and has been dropped below the zero flow pump head of the fuel pool cooling pumps.

Siemens KWU-type PWRs contain two independent fuel pool cooling pumps. Each is powered by the D2-busbar, which corresponds to the appropriate redundancy. In accordance with the design of the NPP, the fuel pool cooling pumps have been automatically switched off in this scenario by the RPS. This happened quite early after triggering the safeguard emergency diesel engines to reduce the load of consumers at the start-up procedure. The fuel pool cooling pumps would also have been switched off after triggering the emergency core cooling signal (at about 110 s after SCRAM as mentioned above). The fuel pool is designed such that the heat removal can be interrupted at least 10 h without exceeding the limiting temperature in the fuel pool.

The D2-busbar secured fuel pool cooling pumps can be manually started via the emergency control station. Additionally, the path toward core cooling can be cleared via the emergency control station, too. If the primary pressure drops below 0.7 MPa, the fuel pool cooling pump would be capable of injecting already about 50 kg/s of borated emergency cooling water from the flood tank into the primary system.

If the fuel pool cooling pump has not been switched on, then about 5758 s after SCRAM, a coolant temperature below 150 °C is reached by means of the 100 K/h-cool down procedure. With appropriate measures, the cool down procedure via the secondary side could be substituted by the residual heat removal system which contains the fuel pool cooling pumps.

In long term, when primary pressure dropped down to about 0.3 MPa, the fuel pool cooling pump would be capable of injecting more than 180 kg/s if it is switched on via the emergency control station.

Conclusion

In case of an external hazard coinciding with a small break LOCA and loss of both offsite power and emergency diesel engines, the heat removal out of the core can be ensured during the entire event sequence. The remaining systems for emergency cooling (RPS, second quartet of emergency diesel engines, extra borating system, hot leg-accumulators, and heat removal via the steam generators) are capable of handling the scenario and preventing core damage. All these systems are housed in the reactor building, in the emergency feed building, or in the auxiliary service water building. Each of them is a bunkered building.

The actuators required for the handling of the accident are continuously power supplied, either battery-backed at the beginning or power-supplied by the D2-busbar after ramp-up time of the safeguard emergency diesel engines. Additionally, they are driven by the RPS through automatic measures if appropriate criteria have been met regarding threshold values. The extra borating system and (later) the accumulator inject borated water into the reactor cooling system by automatic measures as well.

By means of the 100 K/h-cool down procedure via all four steam generators, the primary pressure can be lowered below the zero flow pump head of the pool cooling pumps about 1.4 h after SCRAM. The fuel pool cooling pump would already be capable of injecting borated water if it is switched on manually in the emergency control station. They are secured via the D2-busbar and part of the residual heat removal system, which is capable of substituting the heat removal operation of the steam generators. A long-term feeding of the reactor cooling system with the pool cooling pumps as well as the permanent heat removal is guaranteed. The cold-side accumulators are still available but were not needed here to achieve the goals.

Even without the injection of borated water by the fuel pool cooling pump, the RPV filling level is raised by the accumulator injection to approximately 8 m in the long term. Thus, it is considerably above the top of the core. The filling level can be kept constant in the ongoing accident sequence. The leak mass flow can be completely compensated in the later course by the small but continuous feeding of the extra borating system. At the latest, the first manual measures are required approximately 14 h after the external hazard happened, once the last EFW tank has been completely emptied.

All safety protection objectives for a design basis accident have been achieved although the scenario is beyond-design basis.

Acknowledgment

The reported analysis has been carried out with an improved so-called input deck for ATHLET. It is mainly based on an input deck, which was kindly provided and originally developed by the GRS for a Siemens KWU-type PWR of the NPP fleet of PreussenElektra (Hannover, Germany).

Furthermore, the development and validation of ATHLET by the GRS is sponsored by the German Federal Ministry for Economic Affairs and Energy (BMWi).

Nomenclature

     
  • AC =

    alternating current

  •  
  • Acc =

    accumulator

  •  
  • ATHLET =

    analysis of the thermohydraulics of Leaks and Transients

  •  
  • ATHLET-CD =

    analysis of the thermohydraulics of leaks and transients-core degradation

  •  
  • BMWi =

    German Federal Ministry for Economic Affairs and Energy

  •  
  • CD =

    core degradation

  •  
  • CDV =

    controlled discharge valve (secondary side)

  •  
  • D1 =

    busbar power supplied by first quartet of emergency diesel engines

  •  
  • D2 =

    busbar power supplied by second quartet of emergency diesel engines (safeguard emergency diesel engines)

  •  
  • EFW =

    emergency feed water

  •  
  • EU =

    European Union

  •  
  • GRS =

    Gesellschaft für Anlagen- und Reaktorsicherheit, Germany (Company)

  •  
  • HP =

    high pressure

  •  
  • I&C =

    instrumentation and control

  •  
  • KTA =

    Kerntechnischer Ausschuss (German Nuclear Safety Standards Commission)

  •  
  • KWU =

    Kraftwerk Union AG (company)

  •  
  • LAcc =

    level in accumulator

  •  
  • LOCA =

    loss of coolant accident

  •  
  • LOOP =

    loss of offsite power

  •  
  • LP =

    low pressure

  •  
  • LPZR =

    pressurizer coolant level

  •  
  • LSG =

    level steam generator

  •  
  • NPP =

    nuclear power plant

  •  
  • pCoolant =

    primary/coolant pressure

  •  
  • pSG =

    secondary pressure/pressure steam generator

  •  
  • PWR =

    pressurized water reactor

  •  
  • PZR =

    pressurizer

  •  
  • RHR =

    residual heat removal

  •  
  • RPS =

    reactor protection system

  •  
  • RPV =

    reactor pressure vessel

  •  
  • RSK =

    Reaktorsicherheitskommission (German reactor safety commission)

  •  
  • SAM =

    severe accident management

  •  
  • SB =

    small break

  •  
  • SBO =

    station blackout

  •  
  • SCRAM =

    emergency reactor shutdown (safety cut rope ax man)

  •  
  • TCoolant =

    coolant temperature

  •  
  • Δpcont =

    containment pressure excess above atmospheric

  •  
  • 10 =

    assigned to redundancy 1

  •  
  • 20 =

    assigned to redundancy 2

  •  
  • 30 =

    assigned to redundancy 3

  •  
  • 40 =

    assigned to redundancy 4

Footnotes

2

An SBO is already a kind of superlative. The severity of the event cannot be outdone.

3

A design feature of the 4-loop Siemens KWU-type PWRs is the existence of eight accumulators in total, four attached to each cold leg and other four to each hot leg of the primary system. The here described injection of the four hot leg-accumulators into the hot legs leads to a partial condensation of vapor. Thus, the pressure difference between hot and cold leg as driving force for a possible loop seal clearance will be reduced such that the loop seal clearance finally does not occur during this scenario.

4

The collapsed level is simply calculated from the void fraction of a sequence of vertically staggered control volumes inside the core. The liquid inventory of each control volume of the sequence is summed up and will be represented as the elevation of a collapsed level under the assumption of total separation of liquid and vapor. It has been considered here instead of the mixture level. The mixture level indicates the top of the two-phase area in the core which range from somewhat below to somewhat above the collapsed level. If vapor appears, the collapsed level will always be below the mixture level so that it is the more conservative approach to show the collapsed level.

References

References
1.
German Federal Ministry for the Environment, Nature Conservation, Building and Nuclear Safety (BMUB)
,
2015
, “
Safety Requirements for Nuclear Power Plants
,” German Federal Gazette (Bundesanzeiger), Berlin, Germany.
2.
E.ON Kernkraft GmbH, and NPP Grohnde
,
2010
, “
(Decennial) Periodic Safety Assessment 2010, Safety Status Analysis
,” E.ON Kernkraft, Hannover, Germany, Chap. 3.3.5.2.1.
3.
Reaktor-Sicherheitskommission (German Reactor Safety Commission)
,
1996
, “
RSK-Guidelines for PWR
,” German Federal Gazette (Bundesanzeiger), Berlin, Germany, Report No. 214.
4.
Austregesilo
,
H.
,
Bals
,
C.
,
Hora
,
A.
,
Lerchl
,
G.
,
Romstedt
,
P.
,
Schöffel
,
P.
,
von der Cron
,
D.
, and
Weyermann
,
F.
,
2012
, “
ATHLET Mod 3.0—Cycle A. Models and Methods
,” Gesellschaft für Anlagen- und Reaktorsicherheit (GRS) gGmbH, Garching bei München, Germany, Report No. GRS-P-1/Vol. 3 Rev. 3.
5.
Federal Ministry for the Environment, Nature Conservation and Nuclear Safety
,
2011
, “
EU Stresstest—National Report of Germany, Progress Report of September 15
,” Federal Ministry for the Environment, Nature Conservation and Nuclear Safety, Berlin, Germany, accessed Oct. 10, 2019, https://www.bmu.de/fileadmin/bmu-import/files/english/pdf/application/pdf/progress_report_bf.pdf
6.
Wilhelm
,
P.
,
Jobst
,
M.
,
Kozmenkov
,
Y.
,
Schäfer
,
F.
, and
Kliem
,
S.
,
2018
, “
Severe Accident Management Measures for a Generic German PWR—Part I: Station Blackout
,”
Ann. Nucl. Energy
,
122
, pp.
217
228
.10.1016/j.anucene.2018.08.016
7.
Jobst
,
M.
,
Wilhelm
,
P.
,
Kozmenkov
,
Y.
, and
Kliem
,
S.
,
2018
, “
Severe Accident Management Measures for a Generic German PWR—Part II: Small-Break Loss-of-Coolant Accident
,”
Ann. Nucl. Energy
,
122
, pp.
280
296
.10.1016/j.anucene.2018.08.017
8.
Gómez-García-Toraño
,
I.
,
Sánchez-Espinoza
,
V. H.
,
Stieglitz
,
R.
, and
Queral
,
C.
,
2017
, “
Analysis of Primary Bleed and Feed Strategies for Selected SBLOCA Sequences in a German Konvoi PWR Using ASTEC V2.0
,”
Ann. Nucl. Energy
,
110
, pp.
818
832
.10.1016/j.anucene.2017.08.003
9.
Gómez-García-Toraño
,
I.
,
Sánchez-Espinoza
,
V.-H.
,
Stieglitz
,
R.
,
Queral
,
C.
, and
Rebollo
,
M.-J.
,
2018
, “
Assessment of Primary and Secondary Bleed and Feed Procedures During a Station Blackout in a German Konvoi PWR Using ASTECV2.0
,”
Ann. Nucl. Energy
,
113
, pp.
476
492
.10.1016/j.anucene.2017.11.053
10.
KTA
,
2016
, “
Electrical Drive Mechanisms of the Safety System in Nuclear Power Plants, Version 2015-11
,” German Federal Gazette (Bundesanzeiger), Berlin, Germany, KTA Safety Standard, Standard No. 3504.
11.
Lerchl
,
G.
,
Austregesilo
,
H.
,
Schöffel
,
P.
,
von der Cron
,
D.
, and
Weyermann
,
F.
,
2012
, “
ATHLET Mod 3.0—Cycle A. User's Manual
,” Gesellschaft für Anlagen- und Reaktorsicherheit (GRS) gGmbH, Garching bei München, Germany, Report No. GRS-P-1/Vol. 1 Rev. 6.
12.
Lerchl
,
G.
,
Austregesilo
,
H.
,
Glaeser
,
H.
,
Hrubisko
,
M.
, and
Luther
,
W.
,
2012
, “
ATHLET Mod 3.0—Cycle A. Validation
,” Gesellschaft für Anlagen- und Reaktorsicherheit (GRS) gGmbH, Garching bei München, Germany, Report No. GRS-P-1/Vol. 3 Rev. 3.
13.
Dräger
,
P.
,
Horche
,
W.
,
Jakubowski
,
Z.
, and
Pointner
,
W.
,
2000
, “
Störfallsimulator Unterweser, Qualifikation der Datenbasis (Accident Simulator NPP Unterweser, Qualification of Database)
,” Gesellschaft für Anlagen- und Reaktorsicherheit (GRS) mbH, Garching bei München, Germany, Report No. GRS-A-2802.
14.
Horche
,
W.
,
Kauer
,
W.
,
Lehnart
,
T.
, and
Roßner
,
L.
,
1995
, “
Qualifikation der Datenbasis für das KKW Brokdorf mit dem Programmsystem ATLAS (Qualification of Database of NPP Brokdorf With ATLAS)
,” Gesellschaft für Anlagen- und Reaktorsicherheit (GRS) mbH, Garching bei München, Germany, Report No. GRS-A-2323.