Accident Management in VVER-1000

The present paper deals with the investigation study on accident management in VVER-1000 reactor type conducted in the framework of a European Commission funded project. The mentioned study involved both experimental and computational fields. The purpose of this paper is to summarize the main findings from the execution of a wide-range analysis focused on AM in VVER-1000 with main regard to the qualification of computational tools and the proposal for an optimal AM strategy for this kind of NPP.


INTRODUCTION
Accident management, as well as the related terms "procedures" and "strategies" (instead of management), constitutes a branch of the nuclear reactor safety. The understanding of the meaning and the objectives of the AM branch requires the knowledge of the safety/licensing concepts like design basis accident (DBA), beyond DBA (BDBA), and severe accident (SA), as well as probabilistic safety assessment (PSA) and role of human factors (HFs) within nuclear reactor safety. Based on this terminology, the AM branch occupies a virtual region before or upstream the SA area and aims at forming an additional boundary to the progression of accidents that eventually escaped the DBA boundary. This is done consistently with findings and requirements of the PSA branch, taking into account the HF, the available NPP components and systems, and their actual status.
The words "procedure" and "strategy" should be distinguished based on their meaning on the AM terminology. The word strategy is normally used at the level of AM investigation; rather procedure is typically connected to the AM implementation process. In the following, a set of AM strategies will be presented based on available plants equipments.

KEY DEFINITIONS AND BACKGROUND
The following key definitions are at the basis of the AM activity performed within the project [1].
(1) AM: the taking of a set of actions during the evolution of an event sequence to a BDBA to (a) prevent the escalation of the event into a severe accident (preventive accident management measures), (b) mitigate the consequences of a severe accident (SAMG), and (c) return the plant to a long term safe stable state (accident termination procedures (ATP)).
(2) EOP: a set of documents describing the detailed actions to be taken by response personnel during an emergency. The plant specific procedures contain instructions to operating staff for implementing preventive accident management measures for both DBA and BDBA.
(3) SAMG: a set of guidelines containing instructions for actions in the framework of severe accident management (SAM), where SAM is a subset of AM measures that (a) terminate core damage once it has started, (b) maintain the capability of the containment as long as is possible, (c) minimize on-site and off-site releases, and (d) return the plant to a controlled safe state.
Furthermore, it is considered that suitable EOP is part of any NPP operator book. Deviations from the EOP lines (e.g., failures outside the DBA boundaries or multiple failures) established in the operator book bring the system constituted by the NPP, the operators, and by whatever connected (e.g., control room, logics of actuation, etc.) into the AM. In particular, the preventive AM procedures, measures, or strategies aim at avoiding the loss of structural integrity for the core as an ensemble (i.e., preventing the extraction 2 Science and Technology of Nuclear Installations of fuel bundles or the insertion of control rods) and the damage of a significant number of fuel rods (typically >10% of the total number in the core). The above core status is also referred as "in a BDBA situation before extended degradation." The terms "preventive AM strategies" better identify and characterize the activities of concern in this paper even though it is recognized that the term accident management is used as a synonymous of preventive AM.
The background preparation for the AM study, other than the state-of-the-art analysis for AM, implied the availability of computational tools (codes, nodalizations, boundary conditions), the design and the execution of experiments, the demonstration of code-nodalization quality, the availability of reference PSA studies (though PSA was not a primary interest for the project), and the availability of reference NPP information.
The AM study starts from the observation that the investigation area is very broad: a large number of actions can be taken by operators utilizing several components and systems ranging from the main coolant pumps (MCPs) to the boron tanks to the pressurizer heaters and the spray lines; to the gas removal system to the fire-work pumps; to the water stored in the FW lines; to the BRU-A and BRU-K discharge. In order to limit the scope of the investigation, the attention was focused toward station blackout situations and the use of nonenergized (at least non large-energy consuming) equipments. Therefore, the depressurization was selected as main strategy to be pursued following a multiple failure event to bring the NPP to low pressure keeping the core geometric integrity. When at low pressure, that is, below the set-point for actuation of the low-pressure injection system (LPIS), two alternative targets were fixed depending upon the availability or less of suitable LPIS flow rate; (a) in the former case, the target is to show that primary system pressure remains at low values notwithstanding the injection and that stable cooling conditions (including nonrising pressure) are established; (b) in the latter case, the target is to delay the time of occurrence of significant core degradation.
The final step of the activity consisted in optimizing the strategy including the definition of key-operator actions and building up an AM strategy suitable for implementation in NPP after having demonstrated the effectiveness. Secondary system depressurization followed by primary system depressurization constituted the skeleton of the selected AM strategy. The availability of the coolant in the feedwater lines including the deaerator tanks was assumed. The demonstration of capability of computational tools to deal with expected phenomena, including data availability, was achieved. The step was completed through performing the following activities: (i) developing a procedure to optimize the design of an AM strategy; (ii) optimizing the selected strategy that typically includes (a) steam generator depressurization, (b) passive injection of coolant from the feedwater lines, (c) primary system depressurization owing to heat removal from steam generators, (d) continued primary system depressurization caused by delivering of accumulator water, (e) continued primary system depressurization caused by the opening of pressurizer relief valve (PORV) till the LPIS set point, and (f) achieving the targets (a) or (b) of the previous paragraph; (iii) applying the procedure with minor variants to the analysis of three BDBA scenarios assumed in Balakovo Unit 3 VVER-1000 NPP also establishing the basis for passing from an accident management strategy to a procedure.
The designed strategy and the related AM procedure outline are well accepted by Balakovo 3 NPP.

THE QUALIFICATION METHODS AND THE ROLE OF UNCERTAINTY
A key feature of the activities performed in nuclear reactor safety technology is constituted by the necessity to demonstrate the qualification level of each tool adopted within an assigned process and of each step of the concerned process [2]. Computational tools are used within the present context that includes (numerical) codes, nodalizations, and procedures. Furthermore, the users of those computational tools are part of the play and need suitable demonstration of qualification.
The "global" qualification approach proposed by the University of Pisa, based on the UMAE methodology, has been adopted including the tool (fast Fourier transformbased method (FFTBM)) "to measure" or to quantify the quality of a calculation in specified situations. The demonstration of code qualification implies the availability of qualified nodalizations (and qualified users). Criteria and thresholds of acceptability for calculation results at steadystate and at "on-transient" level are introduced to this aim [3]. Code-user effect [4] and scaling issue are relevant in this connection [2,5].
The application of this methodology guarantees a suitable qualification level of all the tools invoked in the AM strategy investigation. As stated before, to study a complex system like an NPP a set of tools is necessary that at the end constitutes the main instrument of the safety analysts. All those parts should be qualified following a method able to ensure the reliability of the obtained results.
The code have been qualified against experiments performed in a test facility, PSB-VVER, which its correct scaling has been addressed (e.g., [6]) and demonstrated by the comparison between experimental evidences. It should be mentioned that also the experimental database against which the codes are usually validated needs to be qualified. Within the mentioned EC funded project, the qualification of the experimental data has been proven following among the other things a quality assurance program. Emphasis should be put to the steps that brought to the definition of the test matrix. A top-level scientists brainstorming is at the basis of the design of all experiments trying to define suitable tests for the code qualification and experiments of major interest for the AM point of view. The uncertainty (i.e., the process needed to associate errors to the prediction of best estimate codes engaged in accident analysis) and its evaluation (i.e., the capability to establish those errors) play a crucial role when a BE approach in code application is followed. The BE approach means use of a BE code (relap in the present contest) and use of BE boundary and initial conditions. At University of Pisa, a specific tool for the uncertainty evaluation named CIAU has been developed (i.e., [2]). The CIAU is based on the accuracy extrapolation from a database which contains a large number of code runs. Such code calculations have been validated against experimental data and used to "fix" the error expected when an NPP transient scenario is calculated.
A necessary condition for the estimation of uncertainty by the use of CIAU is constituted by the availability of qualified experimental data.

THE EXPERIMENTAL DATABASE
In the area of system thermalhydraulics the PSB-VVER is one of the largest facilities (integral test facility (ITF)) put into operation with a power and volume scaling factor equal to 1/300 [7]. Data from ITF are necessary to identify phenomena expected in case of accidents in water-cooled nuclear reactors and to demonstrate the qualification level of system codes. In addition, the PSB-VVER is the most qualified facility for the study of the VVER-1000 and the only one in operation. The created experimental database, applied to the AM study, consists of four key parts: (a) the ITF description including test specific configuration and description of components added for the execution of individual experiments, (b) the results from the characterization or shake-down tests (pressure drops, heat losses, volume versus height, etc.), (c) the logic of imposed events in each experiment, and (d) the resulting sequence of main events and the time trends of a significant number of quantities.
Sixteen experiments are part of the database. The actual quality of the database should be evaluated considering that for each experiment at least one pretest and one posttest analysis have been performed and are documented. In connection with the number of time trends, about forty quantities are considered sufficient to identify any scenario in ITF and more than two-hundred time trends have been recorded and are available for each PSB-VVER experiment. An outline of the database can be derived from Table 1 [8].
The detailed description of all the tests is beyond the purposes of the paper however it should be noted the various types of initiating event taken into account. The experimental set includes loss of feedwater (LOFW), small break loca (SBLOCA), PORV stuck open, primary to secondary leak (PRISE), steam line (SL) break, and station blackout (SBO). The operator actions tested to cope with such kind of accidents are almost based on depressurization either secondary side or primary side. Different set point to initiate such operations is also experimentally considered. Finally, the repeatability issue has been also accounted for, performing two times the same experiment [9].

THE KEY RESULTS
The proposed strategy suitable for implementation in existing VVER-1000 NPP is based upon (i) depressurization of the steam generators through the BRU-A and BRU-K, if needed, (ii) delivery of the coolant stored in the deaerator tanks to the steam generator(s) exploiting the driving force constituted by the vaporization subsequent to the depressurization, (iii) depressurization of the primary system through the PORV and the gas removal system, (iv) cooling of primary system ensured (for a period) by accumulators.
All of this implies no hardware changes in NPP and only introduction of suitable control logic for the involved components (BRU-A, BRU-K, PORV, gas removal system, and FW line valves). Therefore, assumed as 1 MEURO the daily operational cost of the NPP, the cost for the implementation of the procedure are negligible. The result of PSA studies performed in relation to PWR demonstrates that the consideration of "passive" depressurization has the potential to reduce the risk of core melt for a factor ten. However, the uncertainties for evaluating the risk will be considered, and specific PSA analyses for VVER-1000 should be completed (both of these activities are outside the project boundaries).
Within the project activities, [8,10,11], it has been demonstrated that the "grace period" (i.e., the time period between the start of the accident and before a substantial core degradation occurs) following a station blackout, including the failure of diesel generators, for the selected VVER-1000 Balakovo NPP changes from about two hours to more than ten hours if the considered AM strategy is implemented.
The key results from the application of the procedure are illustrated in Figure 1: the time when loss of geometric integrity occurs for the core is reported as a function of the pressure at which the event happens. Each of the dots in Figure 1 is the result of an "AM" optimization calculation performed with reference to the Balakovo Unit 3 VVER-1000 NPP.
Following a station blackout event including failure of emergency feedwater, any NPP has a "survival period" that is typical of the order of two hours. This corresponds to the yellow-region in the left part of Figure 1. When AM procedures are applied, the grace period (i.e., the survival time for the core) moves toward the right part of the diagram. Furthermore, the failure may occur at low or at high pressure, with the former situation being the preferable one from the safety stand point.
Therefore the scenarios that are identified by bullets in the bottom right part of the diagram are the preferable ones and imply the demonstration of optimization for the selected AM strategy. Additional information available from Figure 1 includes the following. (a) uncertainty in predicting failure time is represented by leaning violet bars; (b) time   The final result can be summarized as follows.
(i) NPP failure time is expected at about 10000 seconds, that is, a bit less than three hours without AM. (ii) The use of AM (without any energy needed, apart for proper actuation of valves) "moves" the NPP failure time at about 45000 seconds, that is, at about 13 hours. (iii) The maximum theoretical failure time is estimated at about 65000 seconds, that is, about 18 hours.

CONCLUSIONS
Various AM strategies were investigated. However, the reference strategy for the project is constituted by the depressurization of the steam generators followed by the primary system depressurization that is actuated at an optimized time when the conditions of "maximum subcooling" in the loop are achieved. In those conditions, coolant loss from the primary system and depressurization rate are, respectively, minimized and maximized. In between and as a consequence of the two AM depressurisation actions, "passive bleed" of steam generators and of primary loop occurs from deaerator tanks and from accumulators that is sufficient to keep the core cooled with a suitable margin to DNB.
The objective of the selected AM strategy is two-fold: (a) to keep cooled the core for the longest time without the availability of external energy sources, (b) to keep the primary system pressure at the lowest level consistent with the first objective and with the overall strategy to minimize the risk of primary system failure at high pressure. The optimized AM strategy has been applied to the analysis of SBO resulting in a large increase of the plant grace time.