*3.2.1. Qualification by empirical method*

Empirical qualification of the plant equipment is a powerful tool for seismic re-qualification of operating NPPs. The empirical qualification methods have been recognised by IAEA in the Safety Guides NS-G-1.6 as well as NS-G-2.13.

The empirical qualification database developed for SQUG covers twenty classes of equipment, e.g. active equipment as well as cable raceways, tanks and heat exchangers (SQUG, 1992; Starck&Thomas, 1990), except of pipelines and structures. As an alternative solution, the U.S. Department of Energy [DoE] has developed the Seismic Evaluation Procedures, a procedure similar to GIP that also covers pipelines and ventilation ducts (DoE, 1997).

The steps of the Generic Implementation Procedure are as follows (SQUG, 1992):


The methodology and the database (the so called SQUG-database) can be adapted to the needs of different programmes for the resolution of design/qualification inadequacy issues.

Generally the process has to be started with development of the list of SSCs requiring requalification for a given level of earthquake. The basis of the identification of the scope can be the list of SSCs for safe shutdown or the seismic and/or safety classification database as it was the case at Paks NPP.

Four criteria are used for the verification of seismic capacity: (1) Comparison of the seismic demand to the SQUG bounding spectrum; (2) Checking in the experience database (caveats and inclusion rules); (3) Checking the anchorage; (4) Evaluation of the seismic interactions.

The seismic demand can be defined either by design floor response spectra, or by scaling-up the design floor response spectra to the required level, or by completely new response calculation for the required input (e.g. at Paks NPP the floor response spectra have been calculated for the newly defined DBE).

In case of most of this equipment, the load-bearing capacity is verified by demonstrating that the equipment is adequately anchored. Operability is demonstrated by verifying that the equipment is similar to the equipment of the database created on the basis of experience and that it meets all of the prescriptions included in the GIP.

Seismic Safety Analysis and Upgrading of Operating Nuclear Power Plants 89

(1)

������. (2)



<sup>=</sup> ����� ������

where *DNS* is the concurrent non-seismic demand for all non-seismic loads in the load combination*, ∆CS* is the reduction of the capacity due to concurrent seismic loading. The inelastic capacity-demand ratio (� �⁄ )� can be similarly calculated taking into account the ductility *Fμ*. If the inelastic capacity-demand ratio (� �⁄ )� exceeds unity the seismic margin earthquake level SME exceeds the reference level earthquake RLE for what the existence of sufficient margin has to be demonstrated. Otherwise, the built-in capacity that can be utilized for sustaining the seismic demand is equal to �� = (�����), the seismic demand is equal to (��+ΔCS). The RLE (or more precisely the PGA of the RLE) has to be scaled by the ratio ((�����) (��� + �� ⁄ )) in elastic response case; or by ��((�����) (��� + �� ⁄ )) when for inelastic response considered. That value will be the code deterministic failure margin with high confidence for low probability of failure (HCLPF) expressed in terms of

broadening to account for uncertainty while median damping is used.

� � �� �

����� = �����

to be evaluated for all items needed for ensuring the basic safety function.

2. Identification of success paths needed to bring the reactor into stable

e. Assures verification of as-installed properties and conditions

Rev 1 consisting of following main elements (EPRI, 1998):

a. Two independent functional paths to shutdown

4. Seismic capacity evaluation for unscreened components

1. Definition of the Review Level Earthquake (RLE)

c. Screening out the rugged components d. Identify characteristics, vulnerability

b. Define components in the paths

3. Plant walk-down

f. Identify interactions

������

The seismic capability active equipment (electrical, electromechanical and I&C) is qualified by tests or empirical method (see Section 3.2.1 above). Based on the qualification or fragility test data or generic data, a bound of the test response spectra have to be defined at about the 99 per-cent exceedance probability level. The in-structure response spectra calculated for the reference level earthquake and the ratio of the bound of the test response spectra and instructure/floor response spectra has to be calculated. Scaling up the reference level (PGA) with this ratio provides the HCLPF capacity of the equipment. The HCLPF capacity that has

A systematic SMA procedure and methodology has been developed by EPRI in NP 6041

analysis can be taken e.g. from (IAEA, 2003a)

The capacity-demand ratio for elastic response (� �⁄ )� is:

the peak ground acceleration, i.e.

Important element of the procedure is the walk-down that provides the basis for screening out the obviously rugged items and for the consideration of the as built conditions, since in majority of cases, the load-bearing capacity is ensured, if the equipment is adequately anchored.

The applicability of the empirical qualification method should be carefully checked via reviewing the similarities between the features of the items in the database and item to be qualified at the plant. The empirical method and database were adapted for the qualification of the VVER equipment (Masopust, 2003) and used for the qualification of the VVER at Paks NPP Hungary, Bochunice and Mochovce NPP in Slovakia, though the objective and scope of the particular seismic safety programmes differed very much from those in the USI A-46.

## *3.2.2. Deterministic margin analysis*

The plant design shall ensure sufficient margins against seismic demand, as it is required by the IAEA design requirements NS-R-1 (IAEA, 2000).

In case of operating plants, the objective of the seismic margin assessment (SMA) is to evaluate, quantify the inbuilt seismic margin of those structures, systems and components of the power plant that fulfil their basic safety functions during and after the earthquake. The quantification of the margins is also recommended by the IAEA Safety Guides NS-G-1.6 and NS-G-2.13 (IAEA, 2003 and 2009). The goal of the analysis is to determine the seismic shaking level at which there is a high-confidence-of-low-probability-of-failure (HCLPF). This HCLPF is mathematically defined as 95% confidence of less than 5% probability of failure.

In SMA calculation the seismic capacity *CS* is to compare to the Seismic Margin Earthquake (SME) demand *DS*. The capacity and the demand have to be calculated according to codes and standards while some specific assumptions should be accepted. These assumptions are as follows (EPRI, 1998):


The capacity-demand ratio for elastic response (� �⁄ )� is:

88 Nuclear Power – Practical Aspects

*3.2.2. Deterministic margin analysis* 

as follows (EPRI, 1998):

be accounted.

spectrum is median-shaped.

the parameter variation.

the IAEA design requirements NS-R-1 (IAEA, 2000).

In case of most of this equipment, the load-bearing capacity is verified by demonstrating that the equipment is adequately anchored. Operability is demonstrated by verifying that the equipment is similar to the equipment of the database created on the basis of experience

Important element of the procedure is the walk-down that provides the basis for screening out the obviously rugged items and for the consideration of the as built conditions, since in majority

The applicability of the empirical qualification method should be carefully checked via reviewing the similarities between the features of the items in the database and item to be qualified at the plant. The empirical method and database were adapted for the qualification of the VVER equipment (Masopust, 2003) and used for the qualification of the VVER at Paks NPP Hungary, Bochunice and Mochovce NPP in Slovakia, though the objective and scope of the particular seismic safety programmes differed very much from those in the USI A-46.

The plant design shall ensure sufficient margins against seismic demand, as it is required by

In case of operating plants, the objective of the seismic margin assessment (SMA) is to evaluate, quantify the inbuilt seismic margin of those structures, systems and components of the power plant that fulfil their basic safety functions during and after the earthquake. The quantification of the margins is also recommended by the IAEA Safety Guides NS-G-1.6 and NS-G-2.13 (IAEA, 2003 and 2009). The goal of the analysis is to determine the seismic shaking level at which there is a high-confidence-of-low-probability-of-failure (HCLPF). This HCLPF is

In SMA calculation the seismic capacity *CS* is to compare to the Seismic Margin Earthquake (SME) demand *DS*. The capacity and the demand have to be calculated according to codes and standards while some specific assumptions should be accepted. These assumptions are






mathematically defined as 95% confidence of less than 5% probability of failure.


or functional limits in case of mechanical equipment.

of cases, the load-bearing capacity is ensured, if the equipment is adequately anchored.

and that it meets all of the prescriptions included in the GIP.

$$
\left(\frac{c}{D}\right)\_E = \frac{c - \Delta c\_S}{D\_S + D\_{NS}}\tag{1}
$$

where *DNS* is the concurrent non-seismic demand for all non-seismic loads in the load combination*, ∆CS* is the reduction of the capacity due to concurrent seismic loading. The inelastic capacity-demand ratio (� �⁄ )� can be similarly calculated taking into account the ductility *Fμ*. If the inelastic capacity-demand ratio (� �⁄ )� exceeds unity the seismic margin earthquake level SME exceeds the reference level earthquake RLE for what the existence of sufficient margin has to be demonstrated. Otherwise, the built-in capacity that can be utilized for sustaining the seismic demand is equal to �� = (�����), the seismic demand is equal to (��+ΔCS). The RLE (or more precisely the PGA of the RLE) has to be scaled by the ratio ((�����) (��� + �� ⁄ )) in elastic response case; or by ��((�����) (��� + �� ⁄ )) when for inelastic response considered. That value will be the code deterministic failure margin with high confidence for low probability of failure (HCLPF) expressed in terms of the peak ground acceleration, i.e.

$$H \text{CLPF} = \frac{c - a\_{NS}}{a\_S + a\_{S}} F\_{\mu} a\_{RLE} \,\text{.}\tag{2}$$

The seismic capability active equipment (electrical, electromechanical and I&C) is qualified by tests or empirical method (see Section 3.2.1 above). Based on the qualification or fragility test data or generic data, a bound of the test response spectra have to be defined at about the 99 per-cent exceedance probability level. The in-structure response spectra calculated for the reference level earthquake and the ratio of the bound of the test response spectra and instructure/floor response spectra has to be calculated. Scaling up the reference level (PGA) with this ratio provides the HCLPF capacity of the equipment. The HCLPF capacity that has to be evaluated for all items needed for ensuring the basic safety function.

A systematic SMA procedure and methodology has been developed by EPRI in NP 6041 Rev 1 consisting of following main elements (EPRI, 1998):

	- a. Two independent functional paths to shutdown
	- b. Define components in the paths
	- c. Screening out the rugged components
	- d. Identify characteristics, vulnerability
	- e. Assures verification of as-installed properties and conditions
	- f. Identify interactions

The SMA seismic input is the Review Level Earthquake (RLE) that should exceed the SSE. The RLE is that screening level at which structures, systems and components, necessary for the shutdown of power plant and for keeping it in the stable shutdown condition and considered to be in the 'success path', should be examined. (According to the definition of given in EPRI NP-6041 report, SME is equivalent to RLE specified by NUREG-1407. There are three categories of sites according to the PGA: PGA≤0.3g, 0.3<PGA≤0.5g and PGA>0.5g with reference level PGA 0.3g, 0.5g and >0.5g respectively. For the analysis, the NUREG/CR-0098 median shape ground motion response spectral can be selected.)

Seismic Safety Analysis and Upgrading of Operating Nuclear Power Plants 91

where the ℎ(��, ��, …) represents the hazard, i.e. it is the probability density function of applied loads and �(��, ��, …) denotes the conditional probability of failure. The Equation (3) is theoretically precise. Nevertheless, in the practice the peak ground acceleration is used as a single load parameter. There were also some attempts made for

The basics of the seismic PSA were outlined in (Kennedy & Ravindra, 1984). Frequencies of core damage caused by an earthquake are calculated by modelling of the plant behaviour by event trees constructed to simulate the plant system response. Fault trees are needed for the development of the probability of failure of particular components taking into account all failure modes. The hazard is expressed as complementary probability: 1-cumulative probability function, i.e. probability that the peak ground acceleration exceeds a given value. The fragility is defined as the conditional probability of core damage as a function of *a* – the PGA at free surface. The behaviour of the plant is modelled by the Boolean description of sequences leading to failure. Plant level fragility is obtained by combining component fragilities according to the Boolean-expression of the sequence leading to core damage. The plant level fragility is defined as the conditional probability of core damage as a function of free field PGA at the site. Plant level fragilities are convolved with the seismic hazard curves to obtain a set of doublets for the plant damage state. A great number of studies have been published on the seismic PSA, a review and referencing all of them is impossible in the frame of recent study. The method is now well developed and standardised by ASME in ASME/ANS RA-S–2008 (ASME, 2008) (see also the addendum

According to ASME/ANS RA-S-2008, for evaluation of core damage frequency the doublets ����������� have to be calculated, where *fij* is the frequency of the earthquake induced plant

where *pij* is the discrete probability of this frequency ��� = ����; *qi* is the probability

curve *Hj*. The seismic fragility *fi(a)* is the conditional probability of failure for a given value of seismic input parameter, e.g. peak ground acceleration. The fragility curve *fi(a)* is the *ith* representation of the conditional probability of the core damage. In the practice both the hazard and fragility is accounted by point estimates with subsequent uncertainty

> √����� � � �

where � = �� ��, is the logarithm of median capacity *Cm*, and the *βC* is the composite logarithmic standard deviation expressing the epistemic and aleatory uncertainty. The lognormal distribution of the fragility is a consequence of the representation of the median capacity, *Cm*, as a product and large number of different factors, *Fi* representing the

��� �� ���

*th* fragility curve *fi(a)* and *pj* is the probability associated with *jth* hazard

�(�����)� ��� �

, (4)

��, (5)

��� <sup>=</sup> � ��(� � � � )

evaluation. The fragility is modelled by lognormal distribution:

�(�) <sup>=</sup> � �

using the cumulative absolute velocity for load parameter (Katona, 2010, 2011).

ASME/ANS RA-Sa–2009).

damage state,

associated with *i*

In margin analysis, the success path selection must include a primary success path and an alternate success path utilizing to the greatest extent possible, different equipment. One of the paths must also have the capability to mitigate a small pipe break.

The rugged components have to be screened out during the plant walk-down. For those components that were not screened out during the walk-down phase, additional analyses shall be executed to determine the HCLPF. The weakest component in a shutdown path then defines the plant level HCLPF for that path.

For the new design, the margin beyond safe shutdown earthquake has to be demonstrated (HCLPF for at least 1.67 times of the SSE in the US design practice and 1.4 times of the SSE in the European design practice).

The seismic margin assessment procedure is experience and expert judgment driven. Therefore the selection of the team is a decisive precondition for success and adequacy of the result. The development of the safe shutdown equipment list and performance of the walk-downs require very experienced team consisting of systems engineer, structural/seismic engineers trained in design and empirical qualification as well.

### *3.2.3. Probabilistic seismic safety analysis (seismic PSA)*

One of the most complex cases for assessing the nuclear power plant (NPP) safety is the evaluation of the response of the plant to an earthquake load and the risk related with this. The objective of the seismic PSA is to define the contribution of the earthquakes to the core damage frequency of the reactor and finally to the overall risk of plant operation. Risk is expressed as triplets � = ����|��|����, where *Si* is the identification/description of the *i th* scenario or accident sequence; *pi* is the probability of occurrence of that scenario and *Li* is the measure of the consequences/losses caused by that scenario.

In case of earthquake, the probability of damage/failure of a structure or component *Pfail* depends on a rather complex load vector �=(��, ��, …) that expresses all features of the earthquake excitation (peak ground acceleration, duration of strong motion and frequency distribution of the energy of excitation). The *Pfail* can be calculated as follows:

$$P\_{fall} = \int\_{R} \begin{array}{cccc} h(\mathbf{x}\_1, & \mathbf{x}\_2, & \cdots \end{array} \text{\textquotedbl{}P \textquotedbl{} (\mathbf{x}\_1, & \mathbf{x}\_2, & \cdots \end{array} \text{\textquotedbl{}dx\_1dx\_2\dots} \tag{3}$$

where the ℎ(��, ��, …) represents the hazard, i.e. it is the probability density function of applied loads and �(��, ��, …) denotes the conditional probability of failure. The Equation (3) is theoretically precise. Nevertheless, in the practice the peak ground acceleration is used as a single load parameter. There were also some attempts made for using the cumulative absolute velocity for load parameter (Katona, 2010, 2011).

90 Nuclear Power – Practical Aspects

can be selected.)

The SMA seismic input is the Review Level Earthquake (RLE) that should exceed the SSE. The RLE is that screening level at which structures, systems and components, necessary for the shutdown of power plant and for keeping it in the stable shutdown condition and considered to be in the 'success path', should be examined. (According to the definition of given in EPRI NP-6041 report, SME is equivalent to RLE specified by NUREG-1407. There are three categories of sites according to the PGA: PGA≤0.3g, 0.3<PGA≤0.5g and PGA>0.5g with reference level PGA 0.3g, 0.5g and >0.5g respectively. For the analysis, the NUREG/CR-0098 median shape ground motion response spectral

In margin analysis, the success path selection must include a primary success path and an alternate success path utilizing to the greatest extent possible, different equipment. One of

The rugged components have to be screened out during the plant walk-down. For those components that were not screened out during the walk-down phase, additional analyses shall be executed to determine the HCLPF. The weakest component in a shutdown path

For the new design, the margin beyond safe shutdown earthquake has to be demonstrated (HCLPF for at least 1.67 times of the SSE in the US design practice and 1.4 times of the SSE

The seismic margin assessment procedure is experience and expert judgment driven. Therefore the selection of the team is a decisive precondition for success and adequacy of the result. The development of the safe shutdown equipment list and performance of the walk-downs require very experienced team consisting of systems engineer,

One of the most complex cases for assessing the nuclear power plant (NPP) safety is the evaluation of the response of the plant to an earthquake load and the risk related with this. The objective of the seismic PSA is to define the contribution of the earthquakes to the core damage frequency of the reactor and finally to the overall risk of plant operation. Risk is expressed as triplets � = ����|��|����, where *Si* is the identification/description of the *i*

scenario or accident sequence; *pi* is the probability of occurrence of that scenario and *Li* is the

In case of earthquake, the probability of damage/failure of a structure or component *Pfail* depends on a rather complex load vector �=(��, ��, …) that expresses all features of the earthquake excitation (peak ground acceleration, duration of strong motion and frequency

����� <sup>=</sup> � ℎ(��, ��, …)�� � (��, ��, …)������ …, (3)

distribution of the energy of excitation). The *Pfail* can be calculated as follows:

*th*

structural/seismic engineers trained in design and empirical qualification as well.

the paths must also have the capability to mitigate a small pipe break.

then defines the plant level HCLPF for that path.

*3.2.3. Probabilistic seismic safety analysis (seismic PSA)* 

measure of the consequences/losses caused by that scenario.

in the European design practice).

The basics of the seismic PSA were outlined in (Kennedy & Ravindra, 1984). Frequencies of core damage caused by an earthquake are calculated by modelling of the plant behaviour by event trees constructed to simulate the plant system response. Fault trees are needed for the development of the probability of failure of particular components taking into account all failure modes. The hazard is expressed as complementary probability: 1-cumulative probability function, i.e. probability that the peak ground acceleration exceeds a given value. The fragility is defined as the conditional probability of core damage as a function of *a* – the PGA at free surface. The behaviour of the plant is modelled by the Boolean description of sequences leading to failure. Plant level fragility is obtained by combining component fragilities according to the Boolean-expression of the sequence leading to core damage. The plant level fragility is defined as the conditional probability of core damage as a function of free field PGA at the site. Plant level fragilities are convolved with the seismic hazard curves to obtain a set of doublets for the plant damage state. A great number of studies have been published on the seismic PSA, a review and referencing all of them is impossible in the frame of recent study. The method is now well developed and standardised by ASME in ASME/ANS RA-S–2008 (ASME, 2008) (see also the addendum ASME/ANS RA-Sa–2009).

According to ASME/ANS RA-S-2008, for evaluation of core damage frequency the doublets ����������� have to be calculated, where *fij* is the frequency of the earthquake induced plant damage state,

$$f\_{lj} = \int\_0^\infty f\_l(a') \frac{dH\_l}{da} da',\tag{4}$$

where *pij* is the discrete probability of this frequency ��� = ����; *qi* is the probability associated with *i th* fragility curve *fi(a)* and *pj* is the probability associated with *jth* hazard curve *Hj*. The seismic fragility *fi(a)* is the conditional probability of failure for a given value of seismic input parameter, e.g. peak ground acceleration. The fragility curve *fi(a)* is the *ith* representation of the conditional probability of the core damage. In the practice both the hazard and fragility is accounted by point estimates with subsequent uncertainty evaluation. The fragility is modelled by lognormal distribution:

$$f(a) = \int\_0^a \frac{1}{\sqrt{2\pi}\beta\_{\mathcal{C}}x} e^{-\frac{(\ln x - \mu)^2}{2\beta\_{\mathcal{C}}^2}} d\mathfrak{x},\tag{5}$$

where � = �� ��, is the logarithm of median capacity *Cm*, and the *βC* is the composite logarithmic standard deviation expressing the epistemic and aleatory uncertainty. The lognormal distribution of the fragility is a consequence of the representation of the median capacity, *Cm*, as a product and large number of different factors, *Fi* representing the uncertainties of all contributing to the capacity factors as well as the uncertainty in demand, i.e. ∏� ��. According to the central limit theorem the sum of random variables tends to the normal random variable independent form the distribution of each of them. This rule is applicable to the logarithm of the product above.

The HCLPF is related to the *Cm* as follows:

$$\mathcal{L}\_m = HCLPF \cdot e^{\left(2.3264\beta\_C\right)}.\tag{6}$$

Seismic Safety Analysis and Upgrading of Operating Nuclear Power Plants 93

conclusion can be made regarding seismic PSA results obtained for the Paks NPP, where the contribution of the seismic events to the total CDF is approximately equal to 75 per-cent of the total CDF; see also (Riechner et al., 2008) on the Swiss experiences. Generally, the acceptable level of the annual probability of reactor core damage due to seismic events is of order of magnitude 10-5. It seems that the uncertainties dominate the seismic CDF caused by both uncertainty of the hazard definition, especially in the range below 10-5/a frequencies,

An interval representation can be proposed for accounting the uncertainty of the fragility (Durga et al., 2009; Katona, 2010). The fragility is a doublet ��������� composed from set of fragility functions *fi(a)* with probability weight *qi*, where the variable a is the horizontal component of the ground motion acceleration. It can be represented by a probability box (p-box), ��������� � ���(�), �(�)�, where *F(a)* is the conditional probability distribution of the failure. The �F�(a), F(a)� is the probability-box specified by a left side F�(a), and a right side F(a) distribution functions, where the relations F�(a) ≥ F(a) and F(a) ≤ F(a) ≤ F�(a) are

The most trivial case for the use of p-box can be the screening according to ruggedness of the component. The rugged components might be described by p-box with lower and upper bounding value of the variable a, or any other damage indicator, i.e. cumulative absolute

It can also be convenient to express the uncertainty of fragility in form of a p-box, defined by a lower bound *u(p)* and an upper bound *d(p)* on the function *L-1(p)* defined as inverse of the probability distribution *F(a)*, i.e. �(�) ≥ ���(�) ≥ �(�), where *p* is

As it was mentioned above, in the practice the lognormal distribution is applied for

distribution *L* are known, � � �(�, �)|� � ���, ���,� � ���, ���� the bounds on the distribution can be obtained by computing the envelope of all lognormal distributions *L*

The NRC seismic margins method (NUREG CR 5334) is a truncation of PSA, i.e. the plant systems are modelled by Boolean method, while the systems needed for ensuring the basic safety functions are considered, the seismic fragility curves are developed, and the plant level HCLPF is computed (Campbell, 1998). The procedure does not involve the use of a seismic hazard for the computation of the HCLPF and the core damage frequency is not

The NRC seismic margins method involves the following steps (Prassinos at al, 1986):

and standard deviation

of a lognormal

�� (�) and �(�) =

velocity. The probability bounds can be defined via expert elicitation.

that have parameters within the specified intervals: �(�) = max� ��

fragility of structures. If the bounds on mean,

and by the uncertainty of the fragilities.

valid.

probability level.

�� (�).

*3.2.4. Probabilistic margin analysis* 


min� ��

calculated.

The ℎ(�) � ���� �� � � is the probability density function of the applied seismic load expressed in terms of peak ground acceleration, taken from the *j th* hazard curve. The form of the hazard curve is as follows (McGuire et al., 2001):

$$h(a) = k\_0 \langle a \rangle^{-k} \,, \tag{7}$$

where *k0* and *k* are constants that can be defined on the basis of probabilistic seismic hazard assessment (PSHA).

The basic steps of seismic PSA are the followings:

	- a. Fault trees and event trees
	- b. Define accident sequences, associated systems, components

Since the level of core damage probability to be assessed is very low, the assessment of seismic hazard has to be performed up to very low level of annual probability, e.g. up-to 10-7/a or less. The median hazard curve can be used which can be defined adapting the guidance in the IAEA Safety Guide SSG-9 (IAEA, 2010).

The consideration of uncertainty in both fragility and seismic hazard is important for adequate safety assessment. The above formulation uncouples the uncertainties in the load and resistance parameters, embodied in the in the fragility and load probability density functions respectively. These uncertainties are usually of different origins and it is convenient to be able to treat them separately.

The level 1+ seismic PSA gives estimation for the probability of seismic induced reactor core-melt. The level 1+ means the examination of containment that includes the evaluation of the safety of containment integrity and isolation as well as the development of bypass.

The experiences of the seismic probabilistic safety (risk) studies performed in the U.S. are summarised in (NRC, 2010). In comparison with core damage frequency (CDF) due to internal initiators, the seismic core damage frequencies seem to be dominating. Similar conclusion can be made regarding seismic PSA results obtained for the Paks NPP, where the contribution of the seismic events to the total CDF is approximately equal to 75 per-cent of the total CDF; see also (Riechner et al., 2008) on the Swiss experiences. Generally, the acceptable level of the annual probability of reactor core damage due to seismic events is of order of magnitude 10-5. It seems that the uncertainties dominate the seismic CDF caused by both uncertainty of the hazard definition, especially in the range below 10-5/a frequencies, and by the uncertainty of the fragilities.

An interval representation can be proposed for accounting the uncertainty of the fragility (Durga et al., 2009; Katona, 2010). The fragility is a doublet ��������� composed from set of fragility functions *fi(a)* with probability weight *qi*, where the variable a is the horizontal component of the ground motion acceleration. It can be represented by a probability box (p-box), ��������� � ���(�), �(�)�, where *F(a)* is the conditional probability distribution of the failure. The �F�(a), F(a)� is the probability-box specified by a left side F�(a), and a right side F(a) distribution functions, where the relations F�(a) ≥ F(a) and F(a) ≤ F(a) ≤ F�(a) are valid.

The most trivial case for the use of p-box can be the screening according to ruggedness of the component. The rugged components might be described by p-box with lower and upper bounding value of the variable a, or any other damage indicator, i.e. cumulative absolute velocity. The probability bounds can be defined via expert elicitation.

It can also be convenient to express the uncertainty of fragility in form of a p-box, defined by a lower bound *u(p)* and an upper bound *d(p)* on the function *L-1(p)* defined as inverse of the probability distribution *F(a)*, i.e. �(�) ≥ ���(�) ≥ �(�), where *p* is probability level.

As it was mentioned above, in the practice the lognormal distribution is applied for fragility of structures. If the bounds on mean, and standard deviation of a lognormal distribution *L* are known, � � �(�, �)|� � ���, ���,� � ���, ���� the bounds on the distribution can be obtained by computing the envelope of all lognormal distributions *L* that have parameters within the specified intervals: �(�) = max� �� �� (�) and �(�) = min� �� �� (�).

### *3.2.4. Probabilistic margin analysis*

92 Nuclear Power – Practical Aspects

The ℎ(�) � ����

assessment (PSHA).

2. Systems analysis

applicable to the logarithm of the product above.

the hazard curve is as follows (McGuire et al., 2001):

The basic steps of seismic PSA are the followings:

1. Determination of seismic hazard by PSHA

a. Fault trees and event trees

expressed in terms of peak ground acceleration, taken from the *j*

b. Define accident sequences, associated systems, components

4. Integration of hazard and fragility resulting in seismic core damage frequency.

Since the level of core damage probability to be assessed is very low, the assessment of seismic hazard has to be performed up to very low level of annual probability, e.g. up-to 10-7/a or less. The median hazard curve can be used which can be defined adapting the

The consideration of uncertainty in both fragility and seismic hazard is important for adequate safety assessment. The above formulation uncouples the uncertainties in the load and resistance parameters, embodied in the in the fragility and load probability density functions respectively. These uncertainties are usually of different origins and it is

The level 1+ seismic PSA gives estimation for the probability of seismic induced reactor core-melt. The level 1+ means the examination of containment that includes the evaluation of the safety of containment integrity and isolation as well as the

The experiences of the seismic probabilistic safety (risk) studies performed in the U.S. are summarised in (NRC, 2010). In comparison with core damage frequency (CDF) due to internal initiators, the seismic core damage frequencies seem to be dominating. Similar

3. Fragility analysis of SSCs – Conditional failure probability

guidance in the IAEA Safety Guide SSG-9 (IAEA, 2010).

convenient to be able to treat them separately.

development of bypass.

The HCLPF is related to the *Cm* as follows:

��

uncertainties of all contributing to the capacity factors as well as the uncertainty in demand, i.e. ∏� ��. According to the central limit theorem the sum of random variables tends to the normal random variable independent form the distribution of each of them. This rule is

�� � ����� � �(��������)

where *k0* and *k* are constants that can be defined on the basis of probabilistic seismic hazard

� � is the probability density function of the applied seismic load

ℎ(�) � ��(�)�� , (7)

. (6)

*th* hazard curve. The form of

The NRC seismic margins method (NUREG CR 5334) is a truncation of PSA, i.e. the plant systems are modelled by Boolean method, while the systems needed for ensuring the basic safety functions are considered, the seismic fragility curves are developed, and the plant level HCLPF is computed (Campbell, 1998). The procedure does not involve the use of a seismic hazard for the computation of the HCLPF and the core damage frequency is not calculated.

The NRC seismic margins method involves the following steps (Prassinos at al, 1986):



The systems models and fragility curves are used to determine the dominant accident sequences and the plant level HCLPF. The RLE selection and walk-down procedures are similar to those used in the EPRI margin method. The screening is conducted to eliminate many components from fragility computations.

Seismic Safety Analysis and Upgrading of Operating Nuclear Power Plants 95

IAEA NS-R-3, SSG-9 and NS-G-3.6)

for design basis response spectra.

According to the safety and seismic classification plus interacting SSCs. Stable shutdown conditions have to be ensured as minimum for 72 hours. Single

failure criterion has to be applied.

response) or upgrade;

1988, 1989, ANS 2002)

Seismic PSA

**Table 1.** Assumptions and methods applicable while complying with newly defined design basis

earthquake, e.g. (NRC, 1997a, 1997b), (EPRI, 1989), (ANS, 2002) and (IAEA 2011).

There are specific procedures developed for the evaluation of the plant safety after a strong earthquake that are part of the plant emergency procedures (EOPs) for the case of

and standards.

Graded approach: Class 1-3 evaluation by analysis according to design codes; Class 1 and 2 outliers has to be fixed; For Class 3 outliers justification via less conservative method (realistic damping, inelastic

Design of modification according to codes

Qualification by tests or empirical method.

According to the IAEA NS-G-1.6, NRC Regulatory Guide and 1.12, 1.166 and 1.167, (IAEA, 1995; NRC, 1997a, 1997b, 2000, EPRI,

As for new design, preferable PSHA (see the

DBE as for new design – The Ground Motion Response Spectra have to be modified in accordance to ASCE/SEI 43-05 (ASCE, 2005) and Reg. Guide 1.208 (NRC, 2007) to be taken

**Task Practicable/advisable method** 

Evaluation of the seismic hazard of the site that includes the associated with earthquake

Development of the design basis earthquake

Identification of the structures, systems and equipment, which are needed for ensuring

Evaluation of the seismic capacity of SSCs and identification of the upgrading;

Design and implementation of the necessary

Installation of seismic instrumentation; Development of pre-earthquake preparedness and post-earthquake

Evaluation of the CDF due to earthquake, quantification of the safety margins.

**3.3. Studies for restart after strong earthquake** 

corrective measures (fixes and

qualifications);

measures;

requirements

events, e.g. liquefaction;

that basic safety functions;

characteristics;

The HCLPF capacities for components in each system included into the plant model have to be defined and combined according to the Boolean representation of the system via minimum-maximum procedure: minimum HCLPF of the elements connected by or-gate and maximum HCLPF of the elements connected by the and-gate. For example, if the Boolean representation of a system composed from elements *A, B, C* and *D* is equal to *A\*(B+C)\*D* then the HCLPF of the system is equal to *Maximum of (A; Minimum of (B, C); D).* The plant HCLPF can also been calculated via convolution procedure.

### *3.2.5. Use of design methods and standards*

A consequent use of design methods and standards for the re-evaluation and upgrading is not practicable for the operating plants. However, in case if the plant was not designed for earthquakes or the hazard was very underestimated, the design methods and standards have to be used for achieving the compliance with design basis requirements as much as practicable.

The graded approach has to be applied for appropriate selection of evaluation methods. Deviation from design procedures can be accepted in case of qualification of outliers of Class 3 (seismic classification see e.g. IAEA Safety Guide NS-G-1.6 (IAEA, 2003b), safety classification principles are given e.g. in the IAEA NS-R-1 (IAEA, 2000b).

The possibility of differentiation at design is exposed by guideline NS-G-1.6:


The assumptions and methods applicable for each tasks of the seismic re-evaluation and upgrading of the operating plants with the aim of design basis reconstitution are given in the Table 1. Practical example is given in Section 5 below.


**Table 1.** Assumptions and methods applicable while complying with newly defined design basis requirements

#### **3.3. Studies for restart after strong earthquake**

94 Nuclear Power – Practical Aspects



practicable.




many components from fragility computations.

*3.2.5. Use of design methods and standards* 

smaller safety margin'

Class 4: general industrial standard can be used

the Table 1. Practical example is given in Section 5 below.


The plant HCLPF can also been calculated via convolution procedure.

classification principles are given e.g. in the IAEA NS-R-1 (IAEA, 2000b).

The possibility of differentiation at design is exposed by guideline NS-G-1.6:

Class 1: design ensuring the function and great safety margin are necessary

Class 3: these can be designed differentiated according to hazard

The systems models and fragility curves are used to determine the dominant accident sequences and the plant level HCLPF. The RLE selection and walk-down procedures are similar to those used in the EPRI margin method. The screening is conducted to eliminate

The HCLPF capacities for components in each system included into the plant model have to be defined and combined according to the Boolean representation of the system via minimum-maximum procedure: minimum HCLPF of the elements connected by or-gate and maximum HCLPF of the elements connected by the and-gate. For example, if the Boolean representation of a system composed from elements *A, B, C* and *D* is equal to *A\*(B+C)\*D* then the HCLPF of the system is equal to *Maximum of (A; Minimum of (B, C); D).*

A consequent use of design methods and standards for the re-evaluation and upgrading is not practicable for the operating plants. However, in case if the plant was not designed for earthquakes or the hazard was very underestimated, the design methods and standards have to be used for achieving the compliance with design basis requirements as much as

The graded approach has to be applied for appropriate selection of evaluation methods. Deviation from design procedures can be accepted in case of qualification of outliers of Class 3 (seismic classification see e.g. IAEA Safety Guide NS-G-1.6 (IAEA, 2003b), safety

Class 2: items are classified because of seismic interactions; they 'can be designed with

The assumptions and methods applicable for each tasks of the seismic re-evaluation and upgrading of the operating plants with the aim of design basis reconstitution are given in There are specific procedures developed for the evaluation of the plant safety after a strong earthquake that are part of the plant emergency procedures (EOPs) for the case of earthquake, e.g. (NRC, 1997a, 1997b), (EPRI, 1989), (ANS, 2002) and (IAEA 2011).

The post-earthquake evaluation is in principle eclectic. The practicable methods are e.g. the evaluation by analysis, margin assessment, checking the post-earthquake condition of equipment along empirical criteria, in-service inspections and testing. Selection of the method can be performed on the basis of walk-down and visual inspection's experiences, safety classification, etc. Lessons learnt from the case of the Kashiwazaki-Kariwa plant after the 2007 earthquake are of great importance.

Seismic Safety Analysis and Upgrading of Operating Nuclear Power Plants 97

to be expected, if the beyond design basis hits the plant. For example soil liquefaction can be the dominating issue and cause cliff-edge effect on soft soil sites if a strong beyond design base earthquake hits the site, while the liquefaction may not happen in

It has to be also assumed that extreme conditions, including logistical obstacles due to onsite and off-site damages will be in place while the accident management measures have to

The seismic PSA and margin type analyses provide the basis for the definition of the possible damage sequences and identification of effective measures. According to the PSA experience, the most serious is the sequence of the total loss of power and possibility of the heat removal to the ultimate heat sink or even loss the ultimate heat sink while the containment isolation is lost with or without of containment isolation with or without

Essential task of the studies related to severe accident management is the aseismic design of the connections of the provisional systems for cooling the reactor and spent fuel pool (pipelines for cooling and DC/AC power cabling and connections). The design basis of these provisions has to be defined well beyond the plant "usual" design basis. The seismic hazard

The concept and the main tasks of the severe accident management studies are as

1. identification of possible minimum configurations needed for shutdown and heat

2. identification of provisional and mobile tools for ensuring the heat removal and

b. identification of interactions affecting the SSCs within the minimum configuration and the inhibiting the connections of provisional power and cooling lines c. identification of the logistical obstacles impeding the implementation of SAM

As it has been shown in the Sections above, the walk-down of the power plant is a key element of the seismic re-evaluation and re-qualification of the operating NPPs. The walkdowns provide the opportunity to see what is difficult or impossible to recognise just

looking, reviewing the documentation. The aim of the walk-down is as follows:

removal of the reactor and spent fuel and protection of the containment

design base case.

be implemented.

follows:

significant structural damage of the containment.

curve should be available for this reason.

containment protection

a. screening out the robust elements

4. identification of the measures needed for SAM 5. assessment/quantification of the margins

3. plant walk-down for

measures

**3.5. Role of the walk-downs** 

The justification of the continuation of the operation after a strong earthquake (even if it is below the SSE-level) is a rather complex issue.

The design is success oriented. Consequently, the comparison design versus experienced parameters provides basis for a deterministic statement, whether an SSC will fail or not.

The seismic PSA is failure oriented, it indicate the week links that have to be carefully checked. The margin studies quantify the built-in capacities/reserves that may cover the demand even beyond the design base, see (Kassawara, 2008).

Although it is the most time-consuming and expensive, the careful testing and the implementation of state-of-the-art analysis methods and removing the unnecessary conservatism of material parameters (mainly the damping) seems to be the most powerful tool for the evaluation of post-event situation.

There is an obvious need for a better damage indicator as the PGA and response spectra of the experienced earthquake and the comparison of these to the design base PGA and response spectra. The cumulative absolute velocity (CAV) is a good indicator for no damage according to the EPRI study (EPRI, 1988). Some recent studies show that the CAV can be used for damage indicator for assessing the post-event conditions, especially for the fatigue failure mode, since the CAV can be correlated to the product of the number of load cycles and the stress amplitudes, thus the fatigue lifetime limit can be written as a function of the CAV (Katona, 2011). Comparing of the Niigata-Chuetsu-Oki earthquake in 2007 and the Great Tohoku earthquake in 2011, the most significant difference is not in the PGA but in the overall energy of the ground motion that is properly characterised by the CAV value.

### **3.4. Severe accident management oriented studies**

Recently, the severe accident management (SAM) studies with regard to extreme environmental conditions and hazards become great importance. For the planning of the accident management and mitigation measures and development of the severe accident management guidelines, the possible accident scenarios have to be known and the plant vulnerabilities and robust features have to be identified. For the design of technical means for the accident management/mitigation, the post-event conditions have to be forecasted.

For the adequate preparation for severe accident situations, simultaneous occurrence of extremities has to be assumed. Occurrence of additional earthquake induced events has to be expected, if the beyond design basis hits the plant. For example soil liquefaction can be the dominating issue and cause cliff-edge effect on soft soil sites if a strong beyond design base earthquake hits the site, while the liquefaction may not happen in design base case.

It has to be also assumed that extreme conditions, including logistical obstacles due to onsite and off-site damages will be in place while the accident management measures have to be implemented.

The seismic PSA and margin type analyses provide the basis for the definition of the possible damage sequences and identification of effective measures. According to the PSA experience, the most serious is the sequence of the total loss of power and possibility of the heat removal to the ultimate heat sink or even loss the ultimate heat sink while the containment isolation is lost with or without of containment isolation with or without significant structural damage of the containment.

Essential task of the studies related to severe accident management is the aseismic design of the connections of the provisional systems for cooling the reactor and spent fuel pool (pipelines for cooling and DC/AC power cabling and connections). The design basis of these provisions has to be defined well beyond the plant "usual" design basis. The seismic hazard curve should be available for this reason.

The concept and the main tasks of the severe accident management studies are as follows:


96 Nuclear Power – Practical Aspects

the 2007 earthquake are of great importance.

below the SSE-level) is a rather complex issue.

tool for the evaluation of post-event situation.

CAV value.

forecasted.

demand even beyond the design base, see (Kassawara, 2008).

**3.4. Severe accident management oriented studies** 

The post-earthquake evaluation is in principle eclectic. The practicable methods are e.g. the evaluation by analysis, margin assessment, checking the post-earthquake condition of equipment along empirical criteria, in-service inspections and testing. Selection of the method can be performed on the basis of walk-down and visual inspection's experiences, safety classification, etc. Lessons learnt from the case of the Kashiwazaki-Kariwa plant after

The justification of the continuation of the operation after a strong earthquake (even if it is

The design is success oriented. Consequently, the comparison design versus experienced parameters provides basis for a deterministic statement, whether an SSC will fail or not.

The seismic PSA is failure oriented, it indicate the week links that have to be carefully checked. The margin studies quantify the built-in capacities/reserves that may cover the

Although it is the most time-consuming and expensive, the careful testing and the implementation of state-of-the-art analysis methods and removing the unnecessary conservatism of material parameters (mainly the damping) seems to be the most powerful

There is an obvious need for a better damage indicator as the PGA and response spectra of the experienced earthquake and the comparison of these to the design base PGA and response spectra. The cumulative absolute velocity (CAV) is a good indicator for no damage according to the EPRI study (EPRI, 1988). Some recent studies show that the CAV can be used for damage indicator for assessing the post-event conditions, especially for the fatigue failure mode, since the CAV can be correlated to the product of the number of load cycles and the stress amplitudes, thus the fatigue lifetime limit can be written as a function of the CAV (Katona, 2011). Comparing of the Niigata-Chuetsu-Oki earthquake in 2007 and the Great Tohoku earthquake in 2011, the most significant difference is not in the PGA but in the overall energy of the ground motion that is properly characterised by the

Recently, the severe accident management (SAM) studies with regard to extreme environmental conditions and hazards become great importance. For the planning of the accident management and mitigation measures and development of the severe accident management guidelines, the possible accident scenarios have to be known and the plant vulnerabilities and robust features have to be identified. For the design of technical means for the accident management/mitigation, the post-event conditions have to be

For the adequate preparation for severe accident situations, simultaneous occurrence of extremities has to be assumed. Occurrence of additional earthquake induced events has


## **3.5. Role of the walk-downs**

As it has been shown in the Sections above, the walk-down of the power plant is a key element of the seismic re-evaluation and re-qualification of the operating NPPs. The walkdowns provide the opportunity to see what is difficult or impossible to recognise just looking, reviewing the documentation. The aim of the walk-down is as follows:

	- a. the as-is lay-out conditions,
	- b. the adequacy of the anchorages,
	- c. to check the compliance with the conditions in the re-qualification database,

Seismic Safety Analysis and Upgrading of Operating Nuclear Power Plants 99

judgement. Consequently, the re-evaluation, re-qualification and upgrading of operating plants have to be peer reviewed to provide an independent overview of its adequacy. The recommendations for the peer review are part of the descriptions of the procedures and also

Operating basis earthquake level is understood as a limit for the continuation of the safe operation. If the plant is designed for two levels of earthquake, i.e. OBE and SSE, the limit of safe operation should be set equal to the OBE PGA measured at free-field, or to the response acceleration level at an appropriate location of the structure, e.g. at containment basement, calculated for the OBE. If the acceleration is crossing the set level the reactor protection system is actuated automatically. An automatic seismic trip system could be designed in accordance with the concept of the reactor protection system design with regard to the instrumentation, redundancy and the logic of the generation of actuating command. The system design should eliminate as much as possible the spurious trips. There are different concepts for selection of the trigger level. A "high level" trip could be set based on some percent of the SSE (usually chosen as greater than 60% of the SSE level) and could be designed to minimize spurious trips due to after-shock and low acceleration earthquakes. A "low level" trip would be set to activate on the compressional waves (P waves) when this first arrival caused displacement or acceleration greater than the calculated maximum allowable P wave for an OBE. The decision on the OBE exceedance per acceleration level crossing could be considered as traditional. Considerations have been made regarding advisability of the automated reactor shutdown in case of small earthquakes (Cummings, 1976, IAEA, 1995). There are plants and sites in low and moderate seismic activity regions where an automatic PGA or acceleration level triggered shutdown can be caused by practically harmless ground motions. There are plants that are practically not designed for two levels of earthquakes just upgraded to comply with the SSE related requirements. For these cases the U.S. NRC Regulatory Guide and 1.12, 1.166 and 1.167, and the IAEA as well as the NRC documents on the "Advisability of seismic scram" provide guidance; see the also the (IAEA,

At the plant in the moderate seismicity regions the operational limit related to the OBE exceedance is formulated in terms of cumulative absolute velocity and spectral amplitude of the acceleration and velocity response spectra measured at the free field; see (NRC, 1997a, 1997b and 2000; EPRI, 1988; 1989, ANS 2002). According to U.S. NRC Regulatory Guide

"The OBE response spectrum is exceeded if any one of the three components (two horizontal and one vertical) of the 5 percent of critical damping response spectra generated

**4. Pre-earthquake preparedness and post-earthquake actions** 

**4.1. Operating basis earthquake (OBE) exceedance** 

1.166 the OBE exceedance criteria are as follows:

using the free-field ground motion is larger than:

given in the (IAEA, 2003, 2009).

1995).

3. to check the feasibility of upgrading measures.

Examples for checking the interaction items during the walk-down are listed below:


The plant walk-down is also required for the assessment of the severe earthquake vulnerabilities and design of accident management and mitigation measures, including the identification of the on-site and off-site logistical obstacles.

## **3.6. Design of upgrading**

Design of the upgrading have to be performed according to the design codes and standards and for the design basis earthquake as defined by current licensing basis.

The seismic upgrading are design modifications requiring proper configuration management and regulatory approvals.

### **3.7. Role of the peer-reviews**

All methods presented above for the re-evaluation and re-qualification of the operating plants require specific knowledge and experience and decisively based on the expert judgement. Consequently, the re-evaluation, re-qualification and upgrading of operating plants have to be peer reviewed to provide an independent overview of its adequacy. The recommendations for the peer review are part of the descriptions of the procedures and also given in the (IAEA, 2003, 2009).
