**2. Hazards and their severity**

Nuclear power plant can be constructed and operated at a particular site without undue risk to the health and safety of the public by ensuring the confinement of radioactive substances. From the technical point of view, this means that some fundamental safety functions should be ensured during and after the natural phenomena: the reactor should be shut-down, subcriticality of the reactor core and the spent fuel pool should be ensured, and the fuel in the reactor core and the spent fuel pool should be cooled. The most important function is the retaining capability of the reactor containment that should be kept leak-tight as long as possible.

Plants are designed per principle of defense in depth (DiD) [3, 4], applying overlapping provisions (design, operational, etc.), so that, if a failure were to occur, it would be detected and compensated for or corrected by appropriate measures returning the plant to the normal operational conditions. In case this is not succeeding, a hierarchy of protective means and procedures are designed in preventing the escalation of a failure to accidental event, even if a protective measure fails. These protective means are redundant safety systems that are conservatively designed to withstand even effects of natural hazards beyond those accounted for in the design.

The effects of natural hazards selected for the basis of design are loads defined conservatively and used in the design calculations according to codes and standards. Therefore, in deterministic sense, the effects of natural hazards within the basis of design should not cause accidents, or any failures, called initiating events, leading to accident sequences. Off course, the probability of failure of some systems or structures is not equal to zero, but the adequate design ensures low probability of

failure with high confidence. The conservative design ensures sufficient margin to resist the effects exceeding in some extent the design-basis level.

DiD also means a box-in-box design of physical barriers for confining the radioactive substances. The first barrier is the fuel matrix, the ceramic uranium dioxide pellets, and the second one is the cladding of fuel pins. The third barrier is the pressure-retaining boundary of the primary circuit, and the fourth and very last barrier is the containment building. The heat generation by the decay of fission product in the fuel lasts long after the chain reaction is stopped. If the residual heat will not be removed, the first two barriers the fuel matrix and the cladding tubes containing the pellets will be overheated, melted, and damaged. The third barrier is the pressure-retaining boundary of the primary circuit. The fourth barrier is the containment building.

Severity of natural hazards can be categorized according to the level of DiD affected, complexity, and duration of post-event situation. The highest level of severity is caused by rare, sudden, non-predictable, beyond-design-basis events with high damaging potential that can cause sudden loss of safety functions (that is called as cliff-edge effect). Retaining capability of the containment can be lost, and significant amount of radioactive material can be released. Compared to the above case, less severe are the hazard consequences, when the fundamental safety functions can be restored or ensured by severe accident management measures, that is, the accident sequence can be controlled, and the off-site releases can be limited. Moderate severity are those hazards, effects of which are within the design margins. In this case, the control of accident sequences for limiting the radiological releases and preventing escalation to severe accidents can be ensured by design means and procedures. Less severe are the hazards with effects within the design basis, especially, if a forecast or warning of the occurrence of dangerous event is possible. The effects of these hazards are manageable by operational features and measures.

The economic losses are strictly correlated by the extent of damage, possibility, and effort needed for restoring and restarting the plant operation, doses from releases, needs, and extent of off-site measures (evacuation and decontamination of large area).

Ranking the hazards with respect to safety and economic significance:


**33**

according to [7].

*Natural Hazards and Nuclear Power Plant Safety DOI: http://dx.doi.org/10.5772/intechopen.83492*

quences are presented in **Table 1**.

design basis of nuclear power plants.

logistical support of the plant.

features.

(Cernavoda NPP, Romania, ow-river level 2009).

E. Warning is possible, and effects are manageable by operational features and measures—Operation at a reduced power level and no safety consequences

An exhaustive list of external hazards that can affect the safety of nuclear power plants, including the list of possible correlated and independent concurrent hazards, are given, for example, in [7]. The nuclear safety regulations use a generic formula requiring identification and characterization of natural phenomena that are specific to the region and which have the potential to affect the safety of the nuclear installation [8–11]. Examples of hazards and their possible primary conse-

In **Table 1** examples of hazards are indicated, which can be or should be excluded by proper site selection (collapse of karst, avalanches, landslides). There are examples in **Table 1** for hazards, which can be excluded by engineering means (flood protection, soil improvements). Although the possibility of mitigation of some volcanic effects (tephra fallout, missiles, gas emissions, debris flows) is considered as realistic [12], it is preferable to exclude the volcanic hazard from the

The hazards accounted for in the design of the plant should be differentiated with regard their basic features: possibility of forecast, characteristic time for evolvement of phenomenon, possibility to avoid administrative or operational measures, possibility of protection of the site, and modification of adverse site

The earthquakes affect the site and large surrounding region. It is impossible to foresee and it happens suddenly. The effects of earthquake should be "as far as reasonably practicable" managed by design solutions even for the cases exceeding the design basis. The operators should be prepared to manage the post-earthquake extreme situations. Here, the long-lasting effect is caused by the damages at the site and in the area surrounding the plant. The dwellings of the operational personnel and the local infrastructure (transportation, communication) can be affected [13]; therefore, arrangements should be in place for the replacement of personnel and

Contrary to the above example, reliable forecasts can be made for the majority of hydrometeorological extremes, like hurricanes, tornados, typhoons, extreme precipitation and temperatures, and floods. This allows implementation of protective measures and preparation of the NPP for the extreme situation. The operators should have procedures and means for preparedness to the possible abnormal situations. For most meteorological extremes, the implementation of protective design solutions can be combined with operation procedures for both, ensuring the safety and possible fast recovery of normal operation. Reduction of cooling capacity due

There are meteorological extremes with extended duration, for example, heat wave and drought. These long-lasting conditions can also affect the operational

There are hazards having similar effects, for example, the straight wind and tornado missiles and hail cause an impact effect. Obviously, the hazard with the largest impact effect will dominate the design of structures important for safety. Simultaneously occurring hazards should also be considered in the design. It is interesting to mention that almost 600 possible combinations can be identified

There are causally connected hazards where one hazard may cause another hazard, but the other hazard can occur by themselves (like earthquake and tsunami).

to clogging of cooling water system can be managed in a similar way.

personnel and the logistical support of the site.

*Natural Hazards - Risk, Exposure, Response, and Resilience*

containment building.

resist the effects exceeding in some extent the design-basis level.

failure with high confidence. The conservative design ensures sufficient margin to

DiD also means a box-in-box design of physical barriers for confining the radioactive substances. The first barrier is the fuel matrix, the ceramic uranium dioxide pellets, and the second one is the cladding of fuel pins. The third barrier is the pressure-retaining boundary of the primary circuit, and the fourth and very last barrier is the containment building. The heat generation by the decay of fission product in the fuel lasts long after the chain reaction is stopped. If the residual heat will not be removed, the first two barriers the fuel matrix and the cladding tubes containing the pellets will be overheated, melted, and damaged. The third barrier is the pressure-retaining boundary of the primary circuit. The fourth barrier is the

Severity of natural hazards can be categorized according to the level of DiD affected, complexity, and duration of post-event situation. The highest level of severity is caused by rare, sudden, non-predictable, beyond-design-basis events with high damaging potential that can cause sudden loss of safety functions (that is called as cliff-edge effect). Retaining capability of the containment can be lost, and significant amount of radioactive material can be released. Compared to the above case, less severe are the hazard consequences, when the fundamental safety functions can be restored or ensured by severe accident management measures, that is, the accident sequence can be controlled, and the off-site releases can be limited. Moderate severity are those hazards, effects of which are within the design margins. In this case, the control of accident sequences for limiting the radiological releases and preventing escalation to severe accidents can be ensured by design means and procedures. Less severe are the hazards with effects within the design basis, especially, if a forecast or warning of the occurrence of dangerous event is possible. The effects of these hazards are manageable by operational features and measures. The economic losses are strictly correlated by the extent of damage, possibility, and effort needed for restoring and restarting the plant operation, doses from releases, needs, and extent of off-site measures (evacuation and decontamination of large

Ranking the hazards with respect to safety and economic significance:

A. Sudden, non-predictable, beyond-design-basis event with high damaging potential, beyond-design-basis, significant damages over large region hindering accident management—Large releases due to containment failure, loss of plant, and evacuation of large area (Fukushima Dai-ichi NPP, Great

B. Sudden, non-predictable, beyond-design-basis event with high damaging potential but within the designed margins—Justification of safety and restoration works (Kashiwazaki-Kariwa NPP, Niigata-Chuetsu Oki Earthquake,

C. Sudden, non-predictable event with high damaging potential within the design basis—Outage for limited time (Onagawa NPP, tsunami due to Great

D. Events with damage potential, warning, and preventive measures are possible—Outage for limited time or restart after the event (NPPs impacted by Katrina hurricane, 2005; floods at Blayais NPP, France, 1999, and at Fort

Calhoun Nuclear Generating Station, USA, in 2011).

**32**

area).

Tohoku Earthquake 2011).

2007, North Anna NPP, 2011).

Tohoku Earthquake 2011).

E. Warning is possible, and effects are manageable by operational features and measures—Operation at a reduced power level and no safety consequences (Cernavoda NPP, Romania, ow-river level 2009).

An exhaustive list of external hazards that can affect the safety of nuclear power plants, including the list of possible correlated and independent concurrent hazards, are given, for example, in [7]. The nuclear safety regulations use a generic formula requiring identification and characterization of natural phenomena that are specific to the region and which have the potential to affect the safety of the nuclear installation [8–11]. Examples of hazards and their possible primary consequences are presented in **Table 1**.

In **Table 1** examples of hazards are indicated, which can be or should be excluded by proper site selection (collapse of karst, avalanches, landslides). There are examples in **Table 1** for hazards, which can be excluded by engineering means (flood protection, soil improvements). Although the possibility of mitigation of some volcanic effects (tephra fallout, missiles, gas emissions, debris flows) is considered as realistic [12], it is preferable to exclude the volcanic hazard from the design basis of nuclear power plants.

The hazards accounted for in the design of the plant should be differentiated with regard their basic features: possibility of forecast, characteristic time for evolvement of phenomenon, possibility to avoid administrative or operational measures, possibility of protection of the site, and modification of adverse site features.

The earthquakes affect the site and large surrounding region. It is impossible to foresee and it happens suddenly. The effects of earthquake should be "as far as reasonably practicable" managed by design solutions even for the cases exceeding the design basis. The operators should be prepared to manage the post-earthquake extreme situations. Here, the long-lasting effect is caused by the damages at the site and in the area surrounding the plant. The dwellings of the operational personnel and the local infrastructure (transportation, communication) can be affected [13]; therefore, arrangements should be in place for the replacement of personnel and logistical support of the plant.

Contrary to the above example, reliable forecasts can be made for the majority of hydrometeorological extremes, like hurricanes, tornados, typhoons, extreme precipitation and temperatures, and floods. This allows implementation of protective measures and preparation of the NPP for the extreme situation. The operators should have procedures and means for preparedness to the possible abnormal situations. For most meteorological extremes, the implementation of protective design solutions can be combined with operation procedures for both, ensuring the safety and possible fast recovery of normal operation. Reduction of cooling capacity due to clogging of cooling water system can be managed in a similar way.

There are meteorological extremes with extended duration, for example, heat wave and drought. These long-lasting conditions can also affect the operational personnel and the logistical support of the site.

There are hazards having similar effects, for example, the straight wind and tornado missiles and hail cause an impact effect. Obviously, the hazard with the largest impact effect will dominate the design of structures important for safety.

Simultaneously occurring hazards should also be considered in the design. It is interesting to mention that almost 600 possible combinations can be identified according to [7].

There are causally connected hazards where one hazard may cause another hazard, but the other hazard can occur by themselves (like earthquake and tsunami).


#### **Table 1.**

*Hazards, hazard effects, and possible consequences at NPPs.*

There are simultaneous hazards when one hazard is a prerequisite for a correlated hazard (earthquake-liquefaction).

There are associated hazards, which are probable to occur at the same time due to a common root cause or having same physical origin, for example, the storms and lightning and storms and extreme precipitation.

The analysis of the probability of event combinations should consider the duration of the events. The exact coincidence of the demand is decisive for the design and safety. It is possible for more than one independent natural event to occur

**35**

*Natural Hazards and Nuclear Power Plant Safety DOI: http://dx.doi.org/10.5772/intechopen.83492*

hazards is considered as unreasonable.

**3. Designing for safety**

can be controlled in two ways:

the location of NPP.

the site should be discarded.

site and plant protection.

accounted for in the design.

simultaneously at the site. Combinations of frequent hazards with similar effects should be considered carefully, since the simultaneous effects can be superimposed. It should be noted that simultaneous occurrence of two independent low-frequency

As it is shown above, the risks of nuclear power plants due to natural hazards

a.The hazards can be avoided via site selection deeming the sites unsuitable for

b.Appropriate design and/or administrative measures shall be implemented for

In the first case, if the effects of external events affecting the sites and the region cannot be compensated by proven engineering solutions for protection of the NPP,

The hazards can be qualified as avoided, if it is physically impossible to occur under the conditions at the site or if the hazard can be considered with a high degree of confidence to be extremely unlikely. For example, landslides should not be expected, if the site is located in a flat area; collapse of karst should not be expected if there are no karst formations below the site. Specific considerations on how to define the acceptable low probability will be given below. Rules and requirements for site survey and selection are given, for example, in [8, 10]. The International Atomic Energy Agency published a

In the second case, the hazards shall be properly identified, characterized, and accounted for in the design basis as required in [10]. The performance of the plant safety features should be ensured by the design and/or administrative measures for the design-basis hazard effects, that is, for the case of design-basis hazards, very low probability of failure of the safety-related SSCs should be justified with high confidence. The generic design rules and requirements are set, for example, in the [9]. The International Atomic Energy Agency published series of design guidance focusing on

• Apply reasonable design conservatism for design-basis hazards that provides sufficient margins for the case, if the effects of hazards exceeding the level

• Apply passive safety features (no need of external or emergency power supply).

• Apply adequate means and procedures to coop with hazards that are predictable.

• Ensure that the safety systems intended to be used in design-basis accidents will

different hazards [17, 18]. The applicable design requirements are as follows:

• Develop pre-event preparedness and post-event procedures.

• Consider temporary limitation of the off-site logistical support.

be not adversely affected by the natural hazards.

• Ensure sufficient resources at multiunit sites.

series of design guidances focusing on different hazards [12, 14–16].

simultaneously at the site. Combinations of frequent hazards with similar effects should be considered carefully, since the simultaneous effects can be superimposed. It should be noted that simultaneous occurrence of two independent low-frequency hazards is considered as unreasonable.
