**5. Difficulties of the safe design**

*Natural Hazards - Risk, Exposure, Response, and Resilience*

The SSCs should be categorized regarding their safety relevance/function. A target performance, *P*<sub>T</sub>, should be set for each category. The hazard exceedance frequency for the design of the particular SSC, *H*<sub>D</sub>, should be selected taking into account the achievable resistance, *R*<sub>H</sub>, that is, the conditional probability of failure for the effects with *H*<sub>D</sub>; thus *P*<sub>T</sub> = *H*<sub>D</sub> ∙ *R*<sub>H</sub>.

Care should be taken with the convolved frequency where multiple parameters are used to define an event. For example, it is not reasonable to consider a 10<sup>−4</sup>/a intensity of a storm together with a 10<sup>−4</sup>/a duration of a storm unless there is a clear correlation. Obviously, there is a strong correlation between phenomena having the same physical origin.

Regarding combinations of independent events, the same probabilistic criterion can be applied as for the single event; that is, a 10<sup>−4</sup>/a earthquake should not be combined with a 10<sup>−4</sup>/a strong wind. Contrary to this, for example, the combination of a big storm with a high tide could lead to the external flooding of a power plant.

Specific considerations are made in the case of causally related events, like earthquake and liquefaction, earthquake and tsunami, or earthquake and failure of structures protecting the sites.

In the case of liquefaction, the conditional probability of liquefaction can be calculated based on the soil data and the design-basis earthquake magnitude. The total probability (earthquake and liquefaction) should be less than the probabilistic screening criterion for neglecting the liquefaction hazard (see, e.g., [20]). This condition can also be formulated in terms of a safety factor with respect to liquefaction. If the site soil conditions are improved by engineering methods, this probability and/or the value of the safety factor can be applied as the acceptance criterion for the soil improvement.

There are multiple causally correlated hazards. For example, the possibility of multiple causally linked hazards has been recognized at the Tricastin site in France, which initiated a focused safety justification in 2017 [21]. The level of the Tricastin site is 6 meters below the nearby channel level. The nuclear site is protected by an embankment. Although the embankment would resist the maximum historically credible earthquake, it could not be excluded that it would fail if the design-basis earthquake of the plant hit the site. If the site were flooded, loss of off-site and on-site electrical power supply and failure of the cooling systems of the reactors could be expected. Limited access to the site would hinder the emergency response. In this case the seismic resistance of the embankment is the key question, since the plant itself remains safe in case of the design-basis earthquake. The probability of loss of safety function in this case is defined by the probability of the design-basis earthquake, since the embankment failure and the consequent flooding are highly probable if a design-basis earthquake happens.

In the case of causally linked hazards, the damaging effects of the root-cause event and the consequential event would not necessarily be simultaneous. The timing of the effects should be considered in the design.

The above considerations with small probabilities may seem like the usual reasoning and magic of the nuclear industry. As a matter of fact, that is the state of the art. However, this is recognized as not sufficient. The generic design paradigm before the Fukushima Dai-ichi accident was "design for sufficiently low probability of effects for ensuring the acceptable risk." The new design paradigm is "to be prepared for the impossible." Since a devastating natural event can never be completely ruled out, the necessary provisions for managing a radiological emergency situation, on-site and off-site, must be planned, tested, and regularly reviewed [22, 23].
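The screening rules stated above (*P*<sub>T</sub> = *H*<sub>D</sub> ∙ *R*<sub>H</sub> for a single hazard, the same criterion for independent combinations, and a conditional probability for causally linked hazards such as earthquake and embankment failure), as an added example that is not part of the chapter. The hazard values, the one-minute and one-day durations, and the coincidence model λ<sub>a</sub>·λ<sub>b</sub>·(d<sub>a</sub> + d<sub>b</sub>) used for independent events are assumptions for illustration.

```python
# Added example (not from the chapter): screening arithmetic for single,
# independent and causally linked hazards. Numeric values are constructed.
from dataclasses import dataclass

MINUTES_PER_YEAR = 365.0 * 24.0 * 60.0


def design_hazard_frequency(p_target: float, r_h: float) -> float:
    """H_D = P_T / R_H, inverting the chapter's P_T = H_D * R_H.
    p_target: P_T, acceptable annual frequency of losing the function.
    r_h: R_H, conditional probability of failure at the H_D-level effect."""
    if not 0.0 < r_h <= 1.0:
        raise ValueError("R_H is a conditional probability in (0, 1]")
    return p_target / r_h


@dataclass(frozen=True)
class Hazard:
    name: str
    frequency: float         # annual exceedance frequency, 1/a
    duration_minutes: float  # how long the damaging effect persists


def coincidence_frequency(a: Hazard, b: Hazard) -> float:
    """Annual frequency of two INDEPENDENT hazards overlapping in time.
    Assumed model (standard, not stated in the chapter): Poisson rate
    lambda_a * lambda_b * (d_a + d_b) with the durations in years. This is
    why a 1e-4/a earthquake need not be combined with a 1e-4/a wind."""
    window_years = (a.duration_minutes + b.duration_minutes) / MINUTES_PER_YEAR
    return a.frequency * b.frequency * window_years


def causally_linked_frequency(root: Hazard, p_given_root: float) -> float:
    """Earthquake -> liquefaction or embankment failure: the joint frequency
    is the root-cause frequency times a CONDITIONAL probability, so it stays
    near the root frequency when the consequence is highly probable."""
    return root.frequency * p_given_root


def screened_out(joint_frequency: float, criterion: float = 1.0e-4) -> bool:
    """Apply the same probabilistic criterion as for a single event."""
    return joint_frequency < criterion


if __name__ == "__main__":
    quake = Hazard("design-basis earthquake", 1.0e-4, 1.0)
    wind = Hazard("strong wind", 1.0e-4, 24.0 * 60.0)
    print(coincidence_frequency(quake, wind), causally_linked_frequency(quake, 0.9))
```

With these constructed values the earthquake-plus-wind coincidence is some seven orders of magnitude below the 10<sup>−4</sup>/a criterion, whereas the earthquake-plus-embankment-failure frequency stays within a factor of the design-basis earthquake frequency itself.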

Two fundamental questions have to be answered here:


Presentation of the state-of-the-art methodologies for hazard evaluation is out of the scope of the present chapter. The nuclear industry is adopting the most novel scientific achievements for site characterization and investigation (see, e.g., [24]). The hazards accounted for in the design are subject to regular review and update in countries where a regime of periodic safety review is established. The most extensive programs for natural hazard evaluation and for upgrading and justifying operating plant safety have been implemented in the USA and in several Eastern European countries, where the operators had to deal with underestimation of the seismic hazard in the design basis. A summary description of these programs is given in [25–28]. Events like the Great Tohoku Earthquake triggered an overall review, correction, and justification of hazard evaluation at the plants (see the stress test initiated by the European Union and the review and upgrading programs in several countries, e.g., [29, 30]).

The Fukushima accident is the worst example of improper characterization of the tsunami hazard. NPPs can be protected from flooding due to tsunamis, provided that the design-basis wave height is adequately defined and the uncertainties of the tsunami characterization are properly compensated by conservative design. In contrast to the Fukushima Dai-ichi plant, the 14-m high seawall protected the Onagawa NPP from flooding due to the tsunami [31].

The basic difficulties of the hazard characterization are the epistemic and aleatoric uncertainties that should be evaluated and accounted for.

Considering the design-basis hazards, the uncertainty is compensated by a conservative approach, both in the definition of the demand and in the calculation of the resistance of the SSCs. The generic design rules are fixed in the nuclear regulations and accepted standards (see, e.g., [9] and [32, 33]).

It should be emphasized that, in engineering practice, prediction of the effects of hazardous phenomena is recognized to be uncertain "a posteriori." Therefore, the design should cope with this uncertainty not only within the design basis but also beyond it.

It is required that the NPPs be prepared for an unexpected exceedance of *E*<sub>DB</sub>, and the sudden loss of safety functions (a cliff-edge phenomenon) shall be eliminated. This can be expressed as *P*(fail if *E* ≳ *E*<sub>DB</sub>) ≲ *M*, where *M* is some acceptable probability of failure for the unfortunate case in which the design-basis effect is exceeded by a certain value Δ*E*, that is, *E* = *E*<sub>DB</sub> + Δ*E*.

A very important question is how large the acceptable values of *M* and Δ*E* should be.

In the case of earthquakes exceeding the design basis, the design should provide an adequate margin to protect the items ultimately necessary to prevent escalation of the event sequence to a severe accident. According to the regulations, the best-estimate approach can be adopted for the evaluation of this margin [34]. The high-confidence-of-low-probability-of-failure (HCLPF) capacity could be the measure of the seismic margin [35, 36]. For new plants, depending on the regulatory framework and design practice, an HCLPF capacity of at least 1.67 [37] or 1.4 [38] times the design-basis peak ground acceleration is required to be demonstrated. These values are based on the conservatism of the nuclear design standards and are justified by extensive studies. In the standard ASCE/SEI 43-05 [33], it is proposed to accept a probability of unacceptable performance of less than about 10% for a ground motion equal to 150% of the design-basis ground motion, while for the design basis itself the probability of unacceptable performance should be less than about 1%.

The above concept can be adopted for other hazards as it is proposed, for example, in [37].
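An added example, not from the chapter or from ASCE/SEI 43-05, that fits a lognormal fragility curve to the two performance targets quoted above (about 1% at the design-basis motion and about 10% at 150% of it) and reads off the resulting HCLPF-type margin as a multiple of the design-basis motion. The lognormal fragility model and the definition of HCLPF as the 1% point of the composite fragility curve are assumptions, as are the example ratios.

```python
# Added example (not from the chapter or ASCE/SEI 43-05): lognormal fragility
# implied by the quoted performance targets, and the margin it yields.
from math import exp, log
from statistics import NormalDist

_N = NormalDist()  # standard normal, used by the lognormal fragility model


def fragility(demand_ratio: float, median_ratio: float, beta: float) -> float:
    """P(fail | E) for a lognormal fragility. Demand and median capacity are
    expressed as multiples of the design-basis motion (E / E_DB).
    Assumed model (common in seismic PRA, not spelled out in the chapter)."""
    return _N.cdf(log(demand_ratio / median_ratio) / beta)


def fit_fragility(p1: float, at1: float, p2: float, at2: float):
    """Solve (median ratio, beta) from two (probability, demand ratio) points,
    e.g. the ASCE/SEI 43-05 targets 1% at 1.0 x DB and 10% at 1.5 x DB."""
    z1, z2 = _N.inv_cdf(p1), _N.inv_cdf(p2)
    beta = log(at2 / at1) / (z2 - z1)      # two equations in ln(median), beta
    median = at1 * exp(-z1 * beta)
    return median, beta


def hclpf(median_ratio: float, beta: float) -> float:
    """HCLPF taken as the 1% point of the composite fragility curve (assumed
    definition), returned as a multiple of the design-basis motion."""
    return median_ratio * exp(_N.inv_cdf(0.01) * beta)


def margin_ok(hclpf_ratio: float, required_ratio: float) -> bool:
    """Compare an HCLPF ratio with a required multiple such as the 1.67 [37]
    or 1.4 [38] quoted in the chapter."""
    return hclpf_ratio >= required_ratio


if __name__ == "__main__":
    median, beta = fit_fragility(0.01, 1.0, 0.10, 1.5)
    print(f"median = {median:.3f} x DB, beta = {beta:.3f}")
    print(f"HCLPF = {hclpf(median, beta):.3f} x DB; meets 1.4: "
          f"{margin_ok(hclpf(median, beta), 1.4)}")
```

Under this model the 1% target places the composite-curve HCLPF exactly at the design-basis motion by construction, so demonstrating an HCLPF of 1.4 or 1.67 times the design-basis acceleration requires a higher median capacity or a smaller beta than the bare performance target alone.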
