Last week in an article in the Los Angeles Times a spokesman for the Union of Concerned Scientists (UCS) stated:
"The North Anna plant is designed to withstand a 5.9 to 6.1 quake. Last week, it came “uncomfortably close” to that maximum, said Edwin Lyman, a senior scientist at the Union of Concerned Scientists, a group that advocates stronger regulation of nuclear power."
This alarming statement implies that if an earthquake approached or exceeded the design basis earthquake level, there was imminent danger to the public. Wrong! I'd like to take a closer look at what a design basis earthquake at a nuclear power plant actually means - and what it doesn't mean.
What is a Design Basis Earthquake - How Does it Relate to Actual Risk?
As a part of the original licensing process of a nuclear power plant, the applicant prepares a safety analysis report which identifies and characterizes all the potential hazards (both internal and external) that the proposed facility would be exposed to over its operational life. This is covered by Title 10 Code of Federal Regulations Part 50, Appendix A - General Design Criteria for Nuclear Power Plants, Criterion 2: "Design Bases for Protection Against Natural Phenomena". The hazards include severe weather such as hurricanes, tornadoes and flooding, as well as earthquakes, gas pipeline failures, oil refinery explosions, etc. There are numerous NRC regulatory guides [References 1, 2, 3] which identify the preferred methods to establish what level of seismic acceleration should be used for establishing the Design Basis Earthquake. The considerations include: historical records of earthquake locations and magnitudes, geological investigations of the site (digging "bore holes" looking for evidence of ancient fault lines), and characterization of the underlying rock strata and the foundations. A value would be established based upon reviews performed by the licensee, typically with some adjustments made by the NRC staff reviewers before they would "sign off" on its conservatism.
The resultant Design Basis Earthquake (DBE) amounts to a specified value at which an applicant must be able to conservatively demonstrate that the reactor can be safely shut down. "Conservatively demonstrate" means there are design margins or safety factors between the DBE and the point of actual failure. Typical values for DBEs for central and eastern United States earthquakes were in the range of 0.10 - 0.17g (where "g" is the acceleration equivalent to the earth's gravitational acceleration, ~32 ft/sec²).
The DBE becomes a design requirement which is used in all design activities for establishing loads on buildings, required supports, and anchorage. A general misconception about engineering practice is that engineers calculate everything associated with allowable stresses and design limits. This is not exactly correct. They evaluate requirements and apply "standard solutions" which have large safety margins built in. Professional societies such as the American Society of Mechanical Engineers (ASME) and the American Society of Civil Engineers (ASCE) develop standardized conservative solutions to design problems that are widely reviewed and accepted. This simplifies creating the design, as all that must be checked is that the specifications were understood and the correct "code solution" applied to the problem. The codes specify the details: "how thick", "how many reinforcements are needed", "pre-tensioning", "what kind of materials are needed to achieve certain strength". This is effectively what is meant when we say designing it according to the "code" -- anything else is characterized as "sub-standard". These design codes are recognized to have safety margins built into them to account for aging and unexpected loads. It is not uncommon to see safety factors of two or more over the bare minimum of what is required.
Thus there is a standard expectation that when a nuclear power plant has a DBE of 0.15g, there are significant built-in safety margins. The reality is that there are typically much larger design margins available by factoring in actual earthquake experience (in which objects deform but do not fail) and the results of qualification tests which demonstrate the actual seismic capability of major components (pumps, major valves, circuit breakers). Testing is often an option for components which, because of their geometry, are too difficult to analyze and much easier to test.
What becomes really important is not the DBE, which is a licensing and design concept, but the level of ground acceleration at which the plant actually does fail and release radioactive material. This can only be determined by performing a Seismic Probabilistic Risk Assessment (PRA), which factors in the frequency (per year) of a specific size earthquake and the probability that a combination of seismic-induced failures occurs given the earthquake. [Reference 4]
The analysis that produces the probability that seismic-induced failures occur given the earthquake is called a "Fragility Analysis". A typical fragility response curve is shown below and includes a "best-estimate" of failure and the effects of uncertainties, which result in a more conservative projection. The concept displayed in such a curve is that at low acceleration levels there is effectively "0" probability of failure. With higher ground accelerations for a component there is an increasing likelihood of failure, and at some acceleration level there is pretty much guaranteed failure of a component.
When specialists do a Seismic PRA what is typically found to be the dominant source of risk is a combination of the following:
- An earthquake damages incoming power lines by failing the ceramic insulators associated with high voltage power lines.
- Onsite emergency diesels fail to provide power (typical causes include anchorage of diesel engine coolers, disruption of fuel oil supplies, etc.).
- Inability to restore power from downed transmission lines or bring in a large portable generator eventually results in loss of battery power, instrumentation, and the ability to cool the reactor.
What these curves show is that failure of offsite power connections is pretty likely. That's bad - but the plant is designed to cope with this. [Last week's Blog covers how a PWR shuts down in a loss of offsite power.] Failure of the emergency diesel generators is not very likely and requires a significantly bigger and thus less likely earthquake. Reading the second curve there is high confidence of less than 5% chance of failure for acceleration levels up to 0.5g which is roughly three times the DBE. There is thus significant safety margin in the design of the diesels against the DBE for the plant in question. If there were a large earthquake the most likely scenario would be an extended loss of offsite power - which the plant is designed for.
So What Has Changed in the Perception of Seismic Risks?
It's not only that an actual earthquake happened in Mineral, Virginia and caused the North Anna nuclear power plant to shut down. Joint research efforts by the US Geological Survey (USGS) and the utility-sponsored Electric Power Research Institute (EPRI) have been reviewing the hazard curves for the central and eastern US. Preliminary results started becoming publicly available for comment about a year ago. The hazard curves are basically a characterization of the frequency of experiencing an earthquake of a particular magnitude. Not surprisingly, small earthquakes are relatively frequent. The larger the earthquake, the lower its frequency of occurrence. The figure below shows some of the preliminary results (which will not be finalized until December 2011) for a particular site. (NOTE: To get the actual acceleration at a particular site one would need to take the actual fault location and adjust it to address site attenuation and various other ground and structural factors.)
Previously, for this hypothetical site one would expect to see an earthquake exceeding 0.1g about once every 10,000 years (a probability of 1E-4/yr). Newer information from geological surveys and other sources indicates it could occur with a frequency of 9E-4/yr or every 1100 years. That's obviously an increase. For very large and substantially less frequent earthquakes the historical data is harder to find -- a one in a million year earthquake is beyond all human records and thus can only rely upon geological investigations and conservative judgements.
What is the True Risk Significance of Large Eastern Earthquakes?
If I were doing this in "great engineering detail" I'd obviously consider a wider spectrum of failure mode combinations (although these are far less likely and contribute less to the risks). To do it quick and dirty: if I take the new hazard curve (or something like it) and my dominant accident sequence is the loss of offsite power and failure of the diesels at greater than 0.5g, the likelihood of the earthquake with such a ground acceleration is on the order of once every 100,000 years. It used to be once every 1,000,000 years. I don't know about all my readers out there -- but given the daily risks of just about everything else out there I think I can live with this increased risk. I am guessing that this is why the NRC is concluding that there is need to do some further analysis but that the seismic safety of existing nuclear power plants on the east coast is acceptably safe for the time being. I do expect there will be a lot of safety analysis engineers doing a lot of work to go through this exercise as I have attempted to illustrate -- but obviously in greater detail.
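As an added illustration (not the author's calculation or any plant's actual PRA), the Python sketch below carries out the convolution a Seismic PRA performs: it weights the frequency of each ground acceleration level by the fragility-curve probability of failure at that level, which goes one step beyond the quick estimate above. Assumptions: each hazard curve is a power law through the two points quoted in this post, the diesel fragility is lognormal with the 0.5g high-confidence point read from the post, and the two spread parameters (0.3 each) are constructed values.

```python
import math

# Hazard points quoted in the post: (PGA in g, annual frequency of exceedance).
OLD_POINTS = ((0.1, 1e-4), (0.5, 1e-6))
NEW_POINTS = ((0.1, 9e-4), (0.5, 1e-5))
HCLPF_G = 0.5              # post: high confidence of <5% diesel failure up to 0.5g
BETA_R = BETA_U = 0.3      # constructed randomness / uncertainty log-std-devs

def hazard_curve(points):
    """Assumed power law H(a) = k * a**-K through the two quoted points."""
    (a1, h1), (a2, h2) = points
    K = math.log(h1 / h2) / math.log(a2 / a1)
    k = h1 * a1 ** K
    return lambda a: k * a ** -K

def median_capacity(hclpf, beta_r, beta_u):
    """HCLPF = median * exp(-1.645 * (beta_r + beta_u)), solved for the median."""
    return hclpf * math.exp(1.645 * (beta_r + beta_u))

def fragility(a, median, beta_c):
    """Mean lognormal fragility: P(failure | ground acceleration a)."""
    z = math.log(a / median) / beta_c
    return 0.5 * (1.0 + math.erf(z / math.sqrt(2.0)))

def annual_failure_frequency(points, a_lo=0.01, a_hi=10.0, bins=4000):
    """Sum over acceleration bins: frequency of quakes in bin * P(fail | bin)."""
    hazard = hazard_curve(points)
    median = median_capacity(HCLPF_G, BETA_R, BETA_U)
    beta_c = math.hypot(BETA_R, BETA_U)      # composite spread of the mean curve
    step = math.log(a_hi / a_lo) / bins      # bins are equal width in log(a)
    total = 0.0
    for i in range(bins):
        lo = a_lo * math.exp(i * step)
        hi = lo * math.exp(step)
        quakes_per_year = hazard(lo) - hazard(hi)
        total += quakes_per_year * fragility(math.sqrt(lo * hi), median, beta_c)
    return total

if __name__ == "__main__":
    for label, pts in (("old", OLD_POINTS), ("new", NEW_POINTS)):
        print(f"{label}: exceed 0.5g {hazard_curve(pts)(0.5):.1e}/yr, "
              f"failure {annual_failure_frequency(pts):.1e}/yr")
```

With these constructed inputs the convolved failure frequency comes out below the frequency of simply exceeding 0.5g for both curves, and the new curve raises it by roughly the same factor of ten.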
References
1. Design Response Spectra for Seismic Design of Nuclear Power Plants, USNRC Regulatory Guide 1.60, Rev 1, December 1973.
2. Damping Values for Seismic Design of Nuclear Power Plants, USNRC Regulatory Guide 1.61, October 1973.
3. Combining Modal Responses and Spatial Components in Seismic Response Analysis, USNRC Regulatory Guide 1.92, Rev 1, February 1976.
4. R.P. Kennedy et al., "Probabilistic Seismic Safety Study of an Existing Nuclear Power Plant", Nuclear Engineering and Design, Vol. 59, No. 2, pp. 315-338.
5. D.A. Wesley et al., "Seismic Fragilities of Structures and Components at the Millstone 3 Nuclear Power Station", Structural Mechanics Associates Report SMA 20601.01-R1-0, March 1984.