i M i< m >est -2 < m >'st = ykst
r -2 7 (14)
+ fa
The following estimator does always lead to meaning-full results:
= y~~\aes,,< m >'est). (15)
3.3.3. Fraction of impacts leading to immediate failure
The last parameter to be estimated is the fraction of events that lead to failure of all impacted components immediately, Winst. It can - in some cases - be derived from the event reports in a straightforward manner. A quantity sensitive to this parameter is the ratio of the number of events Nf in which all impacted components failed to the number of all events Ntotal
f = Nf/N Mal . (16)
For the mean value of this parameter holds
< f >= Winst + (l — Winst ) * Fcont,
(17)
Fcont denotes the probability that in case of a non-instantaneous failure event all impacted components fail. This quantity obviously depends on the time of CCF detection. The identity serves as motivation for the following estimator
Wn. = max{(l /2 * N Ota,), (f - Fcont )/(l - Fcont)}. (18)
The estimation procedure described here is easier to handle than the approach described in [4] which is based on minimization of Kullback's information measure [11].
The rationale for the estimation procedure is rather of heuristic nature and not supported by rigorous proof. It is therefore necessary to assess its appropriateness using a simulation test outlined in the following.
3.4. Test for the estimation procedure
The estimation procedure is seen as a practical approach that is not underpinned by sophisticated mathematics but rather by direct testing. The latter is possible because the POS model can be used to generate fictitious failure data which can than be subjected to parameter estimation. Comparing the estimated parameters with the "true" parameters used in the simulation will display the balance of the strengths and weaknesses of the estimation procedure. The possibility to carry out such a test is a further advantage of simulation modelling.
3.4.1. Failure data and comparison to estimated parameters
From the data given Table 2, a set of 30 simulated CCF event data sets was produced, comprising on average some three CCF events each.
Table 2. 'True' parameters and derived CCF failure multiplicities (assuming CCF rate of 0,075 a-1) used for the model test
Parameters a = 0,5 c = 2,0 Winst = 0,1
Failure
multiplicities 2-out-of-4 3-out-of-4 4-out-of-4
Failure
probabilities 1,3 10-4 a-1 8,3 10-5 a-1 9,7-10-5 a-1
This exercise representing a straightforward test of principle, all simulated failure events were supposed to affect CCCG of size r = 4. The low number of simulated events corresponds to the well-known fact that CCF events as such are rather scarce. For the parameter estimation, only the number of CCF events, the number of failed and the number of affected - but not failed - components in each event were used, together with the supposed observation time, given in component group years. To assess the predictive power of the model, the parameters estimated for each of the 30 data sets were used to predict a 4-out-of-4 failure probability which was compared to the 'fictitious reality' as given in Table 2.
10
"3 it 8
& 6 .s
tt 4 «
J 2
s
W o
■ 111
-0,5 -0,3 -0,1 0,1 0,3
log [Estimate / 'True' Val.]
0,5
Figure 1. 'True' vs. estimated CCF probabilities for 4-out-of-4 failures
The result is shown in Figure 1 above. In all cases, a CCF-detection time of 1.5 months has been assumed. Obviously, the estimation procedure gives rather satisfactory results. The conservatism introduced by the heuristic assumption of eqn. (18) results in a very moderate overestimation of the true value.
3.4.2. Data base and quality of prediction
In order to test the POS model's performance in case of a scarce data base, the estimation procedure as detailed above was repeated, this time using a data set of simulated CCF events based on a CCF impact rate corresponding, on the average, to one event in the observation period. Obviously, a data set with zero events does not make sense; therefore, in such cases the fictitious observation time was extended until an event was simulated.
£ 1,0E+01
5
.2
>
tz C
1,0E+00
I 1,0E-01
Figure 2. Comparison of predicted vs. 'true' unavailability's for 4-out-of-4 CCF on the basis of, on average, one or three events per database. Medians and standard error bars are given based on ten data sets for each
case.
As can be expected, the conservative assumption implicit in equation (18) takes more effect in this case. Figure 2 gives a comparison of predicted vs. 'true' failure rates for 4-out-of-4 CCF. As is evident from the comparison, the predictions based on scarce data tend somewhat to the conservative side.
1 3
Av. No. of Events per Observation Period in Data Base
On the other hand, it is demonstrated in Figure 3 how the estimation is improved if more events are included in the database for a representative example. The parameter Winst being rather sensitive to failure of all components is overestimated in the upper part of figure 3 based on 3 events in the average in the data set. In the lower part of figure 3, it can be seen how the enhanced number of events improves the estimate.
3 -----
2 ■ -
1 ■ --
0 -------1-1-1
0,1 0,2 0,3 0,4 0,5 0,6 0,7 0,8 0,9
Q3 Events on Avg. per Data Set □ 10 Events on Avg. per Data Set
3 -
2 ' ---
1 ' -
0 -------1-1-
Figure 3. Dependency of parameter estimation quality on the number of events in the database. Estimated parameter: Winst; true value: Winst = 0.1 (cf. Table 2).
Upper diagram corresponds to 3 events on average, lower diagram corresponds to 10 events on average, showing improved estimation.
4. Analysis of a highly redundant system with the POS model
Hauptmanns [8] has published a challenging case study on a highly redundant CCCG. It concerns the combined impulse pilot valves which in German nuclear power plants govern the function of pilot operated safety or relief valves. For German Boiling Water Reactors (BWR), there are up to 22 such impulse pilot valves governing the function of the automatic depressurisation system (ADS).
CF quantification for such highly redundant systems is demanding, due to the sparse base of observed events, which, in addition, will mostly consist of events with only a limited number of failed components. Even in Hauptmanns' case, where the database consists of twelve events, there are only two cases with more than half of the CCCG actually failed (cf. Table 3 below).
In [8], Hauptmanns compares CCF rates predicted for 1-out-of-22 through 22-out-of 22 failure multiplicities using the classical binomial failure rate (BFR) model to those predicted with his improved multi-class binomial failure rate (MCBFR) model. For the latter, the events in the database are sorted into different classes according to engineering judgement, and attempts to estimate individual coupling factors p for all of the defined event classes. Detailed information on the models and the calculation method are in [8].
Table 3. Observed CCF and degradations for combined impulse pilot valves (failure mode: does not open); adapted* from [8]_
Event No. failed No. degraded CCCG Operation No. components components size r time TB [a]
1 2 0 9 9
2 6 2 8 10
3 2 0 22 7
5* 1 15 16 9
6
7
8 9 11* 12
5 10 1
13a
6 0
16 12 8 14 12 4
7 6 10 9 6 9
* H's events # 4 and 10 were omitted because with 1 failed and 0 degraded but not failed components they do not correspond to the definition of a CCF used in this paper, which is based on at least two components impacted by the common cause. a In H's event # 9, one of the 14 components found degraded is assumed failed, because the analyses with the POS model presented here do not handle 'zero failure' events.
In case there is at least one CCF event in the database where all or nearly all components of the CCCG were failed, the MCBFR model can be expected to yield less unrealistic failure rates for high failure multiplicities than the classical BFR model.
Using the raw data as given in [8] with the exception of omitting events #4 and #10 and assigning event #9 one failed and 13 affected components instead of 0 failed and 14 affected, cf. table 3 - the CCF rates for a CCCG of size 22 were calculated. Total operation time of 165 component group years was used in estimating the CCF rate.
The results obtained with the POS model do not exhibit the unrealistic low failure rates for higher multiplicities. They do not coincide with the MCBFR results but are comparable especially in the range of higher failure multiplicities. Key difference to the MCBFR approach is that for the POS application no decomposition of the event base had to be performed. The approach is integral. It can be concluded that the POS model is a candidate for CCF analyses of highly redundant systems.
1,E-05
3? 1,E-06
« 1,E-07
ai '
u_
O
O 1,E-08
1,E-09
■POS model
CCF Multiplicity [k-out-of-22] ^^BFR model ^^HMCBFR model
Figure 4. CCF-rates for pilot valves in German NPP according to Hauptmanns for the (BFR) and the (MCBFR) model. The results with the POS model have been obtained with the parameter estimation
procedure described in this paper.
5. Calculating alpha-factors with the POS model
In [13], approaches to CCF quantification are outlined, especially the use of parametric models. In the report [12], common cause failure parameter estimations have been provided for some 40 different component types, various failure modes and common cause component group sizes from two up to six. One of the models for which parameter distributions have been derived is the Alpha-Factor Model. From the point of view of demonstrating the usefulness of the POS model, this large amount of systematically derived information was seen as a possibility to apply POS and compare to results obtained with established methods.
As pointed out before, for the POS parameter estimation information is required on the number of components, which are affected by the event. This kind of information is not available in [12]. Therefore, for this exercise a simplified approach has been selected [5].
The alpha factor a(k,l) is by definition the probability that in a CCF component group of size l exactly k components have failed as consequence of a CCF basic event. Hence, the quantities are normalized with respect to the failure multiplicity k = 1,2, ...l. The first simplifying assumption is that the failures with k equal to 2 and greater are determined by dependent failures only. The conditional probabilities w(k,l) for these events are calculated with the POS model. In [7], the numbers of independent and dependent events are given and thus the ratio q of dependent to total number of events is at hand. The alpha factors than can be calculated as follows:
a(k,l) = w(k,l) • q + (1 - q) • 5(k,1) (19)
5(k,1) = 0 for k > 1 and 5(1,1) = 1 (20)
The selection of POS-parameters is - as pointed out before - simplified. The values of Winst = 0.1 and of r0 = 3 are taken as default values throughout the exercise. These values are typical values based on other applications. Parameter a is the fitted such that a(4,4) is equal to the value tabulated in [12] for the component type and failure mode under consideration.
This program has been carried out for six different combinations of components and failure modes. These were selected primarily based on large numbers of dependent failures to make sure that the comparison has a solid statistical basis. Furthermore, a mix of technically different components has been chosen. Furthermore, only those components were included for which CCF group sizes up to 6 are covered in [12].
For the comparison with the empirical data from [12] a metric for the deviation of the quantities is required. In [12], the mean, but also the 5-, the 50- and the 95-percentile of the alpha factor distributions are displayed. This suggested to use the logarithm of the ratio of the alpha factor derived from the POS model to the 50-percentile from [12], divided by logarithm of the ratio of the values of the 95-percentile to the 50-percentile. This means a deviation X = 1 if the calculated value equals the value of the 95-percentile
X = log ( apos / a5o) / log ( a95 / a5o). (21)
Eq. (21) holds for values of aPOS larger than the median of the distribution, the analogous measure is used for aPOS smaller than the median. In that case, the deviation X = -1 is obtained if the calculated value equals the value of the 5-percentile.
A similar picture is obtained by considering complete CCFs (failure of all components). This is displayed in Figure 5. It is not surprising that the agreement is better for a(5,5) and a(3,3) than for a(2,2) as the parameter adjustment was done for a(4,4). For small sizes of the component group the deviations are larger. The assumption that the failure multiplicities > 1 are due to dependent failures only might here be wrong and thus lead to greater deviations.
Considering the severe simplifications that were made in the exercise, the results obtained with the POS model adjusting only one of three possible parameters are satisfactory especially for high failure multiplicities.
X 5,0E-01
c
O
01
Q -5,0E-01
Deviation X of the alfa factors a(k,k)
n 1 [-1
1. T.lr □
'i
BWR RHR Emergency Emergency PWR AFW DC Power SG Injection
MOV / fail to Water Service Water Service Check Battery Flow Control
close Pumps/fail to Pumps/fail to Valves/fail to Chargers/no Valves/fail to
start remain closed voltage open
|g(5,5) Ea(4,4) □ a(3,3) ■ a(2,2)
Component/Failure Mode
Figure 5. Deviation X of the alfa factors a(k,k) calculated with the POS-model from values tabled in [13].
6. Summary, conclusions and outlook
The POS model for CCF quantification is based on the following model structure:
• Time of CCF impact, simulated with a constant CCF impact rate,
• Number of components of the CCCG affected by the impact and subsequently failing immediately or time-delayed,
• Times of failure of the impacted components, and
• Time of detection of the CCF process by inspection or functional testing.
As a last step to prepare practical application of the model, a procedure for estimating the four free model parameters - rate of CCF impact, parameters a and c determining the probabilities of the number of impacted components and fraction of instantaneous failures - has been suggested and tested.
The POS model can be used to generate fictitious failure data which can than be subjected to parameter estimation. Comparing the estimated parameters with the "true" parameters used in the simulation gave a good agreement with a slightly conservative tendency. The low number of events - roughly three on the average - on which the estimation has been based, makes this observation remarkable. In situations with even less events the conservative overestimate of the unavailability becomes more visible but still results are not totally out of bounds.
CCF analyses for pilot valves in German nuclear power plants present a real challenge as component group seizes range up to 22. The POS application has no problem whatsoever with this situation. It does not show the totally unrealistic behaviour predicted by the BFR-model. The results show some agreement with a multi-class-BFR approach suggested by Hauptmanns without the need to decompose the observed events into different technical classes.
As a bottom line, the results obtained increase the confidence into the model and the parameter estimation procedure. The next steps will be directed towards enhancing the number of applications. This work will be directed to areas of application where CCF failure data covering many component types and a larger range of component group sizes have been produced with well established models, [12] cf. e. g. In such cases, parameter estimates can be obtained from data derived from events in component group sizes up to 4 and extrapolated to higher degrees of redundancy. This will constitute a real test of the model and the parameter estimation procedure.
References
[1] Berg, H.-P. et al. (1996). Status of Common Cause Failure Analyses in PSA in Germany. Proc. International Topical Meet Probabilistic Safety Assessment, PSA '96, Park City, Sept 29 - Oct 3, La Grange Park: ANS, 777 - 782.
[2] Berg, HP. & Görtz, R. (1998). Regulatory Guidance on PSA in Germany, Kerntechnik Vol. 63 (No. 5-6): 278-281.
[3] Berg, H.-P. & Görtz, R. (2001). A Model for Common Cause Failures in systems of redundant components. Proc KONBiN'Ol, Szczyrk, May, 22 - 25, 2001. Warszawa: Wydaw. Inst. Tech. Wojsk Lotn. Vol. 3: 7- 15.
[4] Berg, H.-P., Görtz, R. & Schimetschka, E. (2004). Parameter Estimation for the Process Oriented Simulation (POS) Model for Common Cause Failures. Proc. PSAM 7 - ESREL '04, Berlin, June, 14 - 18, 2004. London: Springer: 837 - 842.
[5] Berg, H.-P., et al. (2006). Calculating Alpha-Factors with the Process-oriented Simulation Model. Proceedings PSAM8, New Orleans 2006.
[6] Bundesministerium für Umwelt, Naturschutz und Reaktorsicherheit (BMU) (2005). Safety Review for NPP According to § 19a of the Atomic Energy Act - Probabilistic Safety Assessment Guide (Sicherheitsüberprüfung für Kernkraftwerke gemäß §19a des Atomgesetzes - Leitfaden Probabilistische Sicherheitsanalyse, 31. Januar 2005, Bekanntmachung vom 30. August 2005), Bundesanzeiger Nr. 207a vom 03. November 2005.
[7] Facharbeitskreis Probabilistische Sicherheits-analyse für Kernkraftwerke (2005). Methods for PSA for NPPs, (Methoden zur probabilistischen Sicherheitsanalyse für Kernkraftwerke, Stand: August 2005), BfS-SCHR - 37/05, Salzgitter, Oktober 2005.
[8] Hauptmanns, U. (1996). The Multi-Class Binomial Failure Rate Model. Reliability Eng and Syst Safety Vol. 53 (No. 1): 85 - 90.
[9] Knips, K. & Kreuser, A. (1997). GVA-Benchmark. Schriftenreihe Reaktorsicherheit und Strahlenschutz BMU-1998-514. Bonn: Der Bundesminister für Umwelt, Naturschutz und Reaktorsicherheit.
[10] Kreuser, A. & Peschke, J. (2001). Coupling Model: a Common Cause Failures Model with Consideration of Interpretation Uncertainties, Nuclear Technology, Vol. 136, 255 - 260, December 2001.
[11] Kullback, S. (1951). Annals of Math Statist, Vol. 22: 79 - 84.
[12] Marshall, F. M., Rasmuson, D. M. & Mosleh, A. (1998). Common-Cause Failure Parameter Estimations, Washington DC: US Nuclear Regulatory Commission, NUREG/CR-5497.
[13] Mosleh, A. Rasmuson, D.M. & Marshall, F.M. (1998). Common - Cause Failures in Probabilistic Risk Assessment. NUREG/CR - 5485 (INEEL/ EXT-97-01327), US Nuclear Regulatory Commission, Washington DC.
ANALYSIS OF THE IMPACT OF EXTERNAL FLOODING TO
NUCLEAR INSTALLATIONS
Berg Heinz-Peter, Fröhmel Thomas
Bundesamt für Strahlenschutz, Salzgitter, Germany Winter Christian Universität Bremen, Bremen, Germany
Keywords
nuclear power plant, probabilistic safety analysis, external flooding, protection, tsunami Abstract
The German regulatory body has issued probabilistic safety assessment guidelines, elaborated for a comprehensive integrated safety review of all NPP in operation and containing a newly developed graded approach for the probabilistic assessment of external flooding. Main aspects are explained such as the underlying probabilistic considerations and the mathematical procedures for the calculation of exceedance frequencies. Exemplarily it has been investigated if extreme events such as tsunami waves could be a hazard for NPP at coastal sites in Germany.
1. Introduction
Knowledge of high-water discharge levels in small and large basins is a prerequisite for the optimal protection of humans and animals, landscape and infrastructure. In order to deal with many safety-related issues it is important to have information about discharge volumes at peak waters, the risk of these high waters, as well as the course and volumes of discharged water.
Along many large rivers, monitoring stations have been set up, which have observation records at their disposal that go back many years. Based on these sets of measurements, the required high-water discharge parameters, as well as statistical high-water values, can be assessed.
However, not all the monitoring stations on small rivers and rivulets have extensive sets of measurements at their disposal, while, in some cases, there are no sets of measurements at all. This makes it more difficult to retrieve the necessary high-water information. In accordance with the varying situations relating to hydrological data, topography, geology, soil conditions and the objectives, numerous models have been designed for the formation and concentration of discharge.
Thus, an international consistent methodology for flood risk analysis is necessary.
2. External flooding in the safety assessment for German nuclear power plants
The effects of flooding on a nuclear power plant site may have a major bearing on the safety of the plant and may lead to a postulated initiating event that is to be included in the plant safety analysis. The presence of water in many areas of the plant may be a common cause failure for safety related systems, such as the emergency power supply systems or the electric switchyard, with the associated possibility of loosing the external connection to the electrical power grid, the decay heat removal system and other vital systems [8].
Considerable damage can also be caused to safety related structures, systems and components by the infiltration of water into internal areas of the plant, induced by high flood levels caused by the rise of the water table. Water pressure on walls and foundations may challenge their structural capacity. Deficiencies in the site drainage systems and in non-waterproof structures may also cause flooding on the site. This has
happened in many cases in the past, with consequent large-scale damage documented, and the possibility should be considered in the hazard evaluation and in the design of measures for site protection.
In principle methods to systematically analyse existing nuclear facilities regarding the adequacy of their existing protection equipment against external flooding can be of deterministic as well as probabilistic nature.
The German Incident Guidelines require a determination of a sufficient water level as design-basis and appropriate structural protection measures against this hazard in the design of the plants to avoid radiological consequences for the environment. The adequacy of the protection measures have been shown in the past only on a deterministic basis. New probabilistic safety assessment guidelines (PSA) recently issued by the German regulatory body now prescribe also probabilistic analyses of external hazards [2].
This assessment can be very comprehen-sively and inadequately. Additionally, as explained in [1], the collective experience with probabilistic safety assessment of external flooding is limited. Therefore, it is necessary to locate parts of a NPP where no further analysis is required or to apply graded procedures which take into account plant- and site-specific conditions for the respective hazard.
Appropriate screening procedures are those which on the one hand allow to constrain the complexity of the analysis and, on the other hand, ensure that relevant information are not lost during the screening process and that all safety significant parts of the plant are taken into account. The approach for these screening processes is different for each type of external hazard.
The German PSA Guide, issued in 1997, contained reference listings of initiating events for NPP with Pressure Water Reactor (PWR) and Boiling Water Reactor (BWR) respectively, which have to be checked plant specifically with respect to applicability and completeness. Plant internal fires and plant internal flooding were included in these listings, but not explicitly external hazards.
In 1997 detailed instructions have been provided in technical documents on PSA methods, which have been developed, by a working group of technical experts from nuclear industry, authorities and technical safety organizations chaired by Bundesamt für Strahlenschutz (BfS).
In October 2002, the Commission on Reactor Safety of the States Committee for Atomic Nuclear Energy has agreed to a new draft of the PSA Guide. An updated draft had then been completed in September 2004. The corresponding documents on PSA method and data have been revised and discussed in the respective committees including the German Reactor Safety Commission. All documents have been issued in autumn 2005 [4], [6], [7].
Regarding external hazards, the updated probabilistic safety assessment guidelines require probabilistic considerations of aircraft crash, external flooding, earthquake and explosions pressure waves.
A graded approach for the extent of a probabilistic assessment in case of external flooding containing deterministic and probabilistic elements has been developed and is described in [6]. This approach takes into account site-specific aspects like the NPP grounded level compared with surroundings level and plant-specific aspects such as design with permanent protection measures and prescribed shut down of the plant according to the instructions of the operation manual at a specified water level which is significantly below the level of the design flooding.
3. Extent of the graded approach in PSA for external flooding evaluation
With respect to the phenomena leading to a flooding event, in principle the sites can be differentiated as follows:
a) Sites on rivers and on inland lakes, which are endangered by, flood runoffs from the prevailing drainage areas.
b) Coastal sites endangered by flood levels of the ocean.
c) Sites on tidal rivers endangered both by flood runoffs from the prevailing drainage areas and by flood levels of the ocean.
German nuclear power plants were erected at sites of type a) (without inland lakes) and c). In the first case a high water-level situation may arise from an unfavourable ratio of water inflow to outflow, in the second case the coincidence of storm, flooding and high tide is the determining factor. In the proposed method, the yearly probability of reaching extremely high water levels (in the following named as exceedance frequency) is determined by an extrapolation of actually measured water-level data according to
various established methods [11], [13]. The under-lying probabilistic considerations and mathematical procedures to calculate the exceedance frequencies has recently been developed and issued in November 2004 as part of the German Nuclear Safety Standard "Flood Protection for Nuclear Power Plants" [12].
The graded approach for external flooding can be summarized as given in Table 1. The main two substantial modifications and innovations of the revised standard are:
The design of the protection of nuclear power plants against flooding emanates from a rare flooding event with an exceeding frequency of 10-4/a, but it is underlined that the methods used to determine the design water level must be different for river sites without and for sites with tidal influences. For river sites without tidal influence, the design water level can be assessed using the runoff of the river with the given exceeding frequency as basis.
For river sites with tidal influences, an extreme flood event - tide combined with storm water level setup - must be assumed.
Therefore, it is necessary to determine statistically the storm-tide water level with an exceeding frequency of 10-2/a plus a site-specific addend. In conclusions, a storm-tide must be covered with an exceeding frequency of 10-4/a.
Table 1. The graded process of evidence regarding external flooding
Criterion Extent of analysis
Flooding of plant site can be practicable excluded due to the NPP grounded level compared with surroundings level No analysis necessary
1. The plant is designed against the design-basis flood with an exceedance probability of 10-4 per year 2. Design with permanent protection measures 3. Shut down of the plant according to the instructions of the operation manual at a specified water level which is significantly below the level 4. Conditional probability for water impact in case of the design-basis flood less than 10-2 Determination of possible water paths in relevant structures and estimation of the conditional probability for water impact in case of the design-basis flood
Other design Determination of the exceedance for the design-basis flood of the plant up to a value of > 10-4 per year, detailed event sequence considerations including the quantification of core damage frequency
In the context of the analysis, design-basis flood is that particular flood event on which the flood protection of the plant is based, specifically with regard to meeting the safety objectives. The permanent flood protection is that flood protection which is effective at all times (e.g. protection by flood-safe enclosure, by structural seals). The loads due to the design-basis flood must be combined with other loads:
- external loads of normal usage (e.g. operational loads, earth thrust, wind load),
- loads due to the design-basis flooding (e.g. static water pressure due to the design water level, streaming water, waves, upswing, flotsam, ice pressure),
- loads of events as a consequence of the design flooding (e.g. undermining, erosion).
4. Steps of the external flooding analysis
The probabilistic safety assessment of external flooding can be distinguished into four main steps:
- hazard analysis of the site,
- check that starting from an assumed water level of the plant which is equivalent with the designbasis flood, the non-availability of safety functions for the electrical energy supply and for the residual heat removal in a time schedule of five days for river sites and one day for tidal sites is less than
10"2,
- analysis of the event sequence and quantification of the contributions to the total frequency of core damage states,
- conduct of an uncertainty analysis.
5. Example of an event in Germany
In Germany, up to now only one event happened (in 2006). The plant was in full power operation. In the control room a flooding was detected by a signal from the reactor building drainage system for the pump room of one of the four nuclear secondary cooling water loops.
At that time, the storm-tide water level was 4.5 m above normal level. The flooding happened through a cable penetration, which was not used anymore. The room contained a drive motor of the secondary cooling water pump and the isolating butterfly valve, driven by a motor, which were both unavailable. The root cause investigation showed that the cover plate to close the cable penetration has loosened. Due to corrosion and the static water pressure on the cover plate the tie-rod of the cover plate screwed up.
As a back fitting measure the unused cable penetration was welded. The damaged electrical components were changed. The check of the other redundancies did not show any comparable conditions.
The event had no large safety significance because three further redundancies of the residual heat removal chain were available. Two chains are already sufficient for a safe shutdown of the plant.
6. Determination of flood runoffs and storm tide water levels with a probability value of 10-4/a
6.1. Basics
The flood protection for nuclear power plants in accordance with [12] presumes a flood event with a probability value (p-value) of 10-4/a, i.e. an extremely seldom flood event. Depending on whether the site is located on inland waters or on coasts with or without tidal waters, different procedures are required for determining the design-basis water level in the vicinity of the plant components to be protected and in the vicinity of the protective structures of the nuclear power plant.
In the case of inland water sites, the base assumption is a flood runoff with this p-value for the respective water body. A procedure for determining such a seldom flood runoff is presented in Section 6.2. In individual cases other site-independent procedures may be employed [13]. For inland water sites both the conditions at the site (maximum possible flow) as well as the large-area water retention effects of the water catchments area (water shed) shall be taken into consideration.
In the case of such a seldom flood event it cannot be assumed that the inland water dyke system in the water catchments area will still be fully effective.