**3. Designing for safety**

*Natural Hazards - Risk, Exposure, Response, and Resilience*

There are simultaneous hazards, where one hazard is a prerequisite for a correlated hazard (earthquake and liquefaction).

There are associated hazards, which are likely to occur at the same time because they share a common root cause or the same physical origin, for example storms and lightning, or storms and extreme precipitation.

The analysis of the probability of event combinations should consider the duration of the events. The exact coincidence of the demands is decisive for the design and safety. It is possible for more than one independent natural event to occur

**Table 1.** *Hazards, hazard effects, and possible consequences at NPPs.*

As shown above, the risks to nuclear power plants from natural hazards can be controlled in two ways: by avoiding the hazard through site selection, or by accounting for it in the design.

In the first case, if the effects of external events affecting the site and the region cannot be compensated by proven engineering solutions for protecting the NPP, the site should be discarded.

A hazard can be qualified as avoided if it is physically impossible under the conditions at the site, or if it can be considered with a high degree of confidence to be extremely unlikely. For example, landslides should not be expected if the site is located in a flat area, and collapse of karst should not be expected if there are no karst formations below the site. Specific considerations on how to define an acceptably low probability are given below. Rules and requirements for site survey and selection are given, for example, in [8, 10]. The International Atomic Energy Agency has published a series of design guides focusing on different hazards [12, 14–16].

In the second case, the hazards shall be properly identified, characterized, and accounted for in the design basis, as required in [10]. The performance of the plant safety features should be ensured by design and/or administrative measures for the design-basis hazard effects; that is, for design-basis hazards, a very low probability of failure of the safety-related structures, systems, and components (SSCs) should be justified with high confidence. The generic design rules and requirements are set, for example, in [9]. The International Atomic Energy Agency has published a series of design guides focusing on different hazards [17, 18]. The applicable design requirements are as follows:

• Redundancy of components and systems.

• Independence of systems and components.

• Diversity via employing different principles of operation.

• Ensuring physical separation of redundant safety systems.

The generic design principles applicable are related either to system engineering or to structural and layout aspects. These are:

• Using fail-safe components.

• Avoiding structural interactions.

• Layout solutions: separating the redundant safety systems.

The design solutions can also be classified as:

• Systems solutions: inherently safe design, preferably using passive safety systems capable of functioning even in the case of beyond-design-basis hazards.

• Structural solutions: structures optimized for the hazard effect, with sufficient capacity to avoid sudden loss of function.
For the optimal use of design means, the SSCs are usually categorized according to their safety relevance and intended function during and after the natural phenomenon. This allows a graded approach to design conservatism, quality, and reliability requirements. The safety systems are usually in the highest category, which should be designed to withstand high-magnitude, low-annual-probability hazard effects, while systems needed only for continued operation are, as usual, designed in accordance with non-nuclear building/construction codes and standards, for moderate magnitudes and $10^{-2}$–$10^{-3}$ annual probability effects.

It should be emphasized that natural hazards affect the entire plant, all facilities at the site, or even the whole region. Therefore, the events could simultaneously challenge several redundant or diverse trains of a safety system, causing multiple failures of SSCs.

In state-of-the-art practice, plant conditions more severe and complex than those accounted for in the design basis are considered as design extension conditions. In design extension conditions, prevention of severe accidents, mitigation of the consequences of complex plant conditions, and the integrity of the containment should be maintained by additional safety features or by extending the capability of safety systems as far as is reasonably practicable.

The chances of multiple failures and complex plant conditions due to natural hazards can be rather large if the magnitude of the event exceeds that accounted for in the design.

**4. Safety goal, design basis, and beyond-design-basis hazards**

Let us start with a simple consideration. The simplest formulation of the risk due to some damaging effect is $R = P_{\mathrm{fail}} \cdot C$, where $P_{\mathrm{fail}}$ is the probability of the failure caused by that effect and leading to consequences of measure $C$.

*Natural Hazards and Nuclear Power Plant Safety DOI: http://dx.doi.org/10.5772/intechopen.83492*
The probability $P_{\mathrm{fail}}$ depends on the probability of occurrence of an event with damaging effect $E$, $P(E)$, and on the conditional probability of failure given that effect, $P(\mathrm{fail} \mid E)$. Thus, the total probability of failure can be written as $P_{\mathrm{fail}} = P(E) \cdot P(\mathrm{fail} \mid E)$. State-of-the-art design procedures and standards ensure a very low probability of failure with respect to the effects accounted for in the design, $E_{DB}$; this can be expressed as $P(\mathrm{fail} \mid E \le E_{DB}) \ll 1$. Some hazards have a damaging potential characterized by several parameters; then $E = \{E_1, E_2, \dots, E_n\}$.

In the practice of the nuclear industry, the term "fail" can have several meanings: failure can be associated with a single component, with a system performing a certain safety function, or with the entire plant. As mentioned above, to ensure the confinement of radioactive substances, nuclear power plants are designed on the principle of defense in depth. Failure of some structures, systems, and components (SSCs) can trigger a sequence of events at the plant deviating from normal operational conditions. If a sequence was considered in the design basis of the plant, a safe, stable condition of the plant should be ensured by the safety systems. The safety systems shall ensure control of reactivity (the chain reaction in the reactor shall be stopped), removal of the heat generated by the decay of radioactive fission products from the reactor core to the ultimate heat sink (the environment), and confinement of the radioactive substances in the fuel elements.

Thus, the term "fail" can first be linked to core damage (CD), that is, to the loss of the first two barriers (fuel matrix and cladding). The annual probability of core damage, $P_{CD}$, is limited by the nuclear regulations. The acceptable value for a new design should be less than $10^{-5}$ per year, summed over all accident sequences. This can be expressed as $P_{CD} = P(\mathrm{fail} \mid E) \cdot P(E) \le 10^{-5}$. Thus, the safety systems should withstand the effects of natural hazards and fulfill their intended functions so as to avoid core damage. The acceptable probability of loss of any safety function due to failure caused by natural hazards should not exceed $10^{-6}$/a.

In the very improbable case that the safety features fail and the conditions are more severe than those accounted for in the design, the radioactive releases shall be kept as low as practicable. The most important objective at this level is the protection of the confinement function. Here, the term "fail" is linked to a large release (LR) of radioactive substances to the environment; the earlier it happens in the course of the severe accident, the more dangerous it is. The annual probability of an early large release, $P_{LR}$, is also limited by the nuclear regulations. Its allowable value for a new design should be $P_{LR} = P(\mathrm{fail} \mid E) \cdot P(E) \le 10^{-6}$, summed over all accident sequences. This means the acceptable value for a single sequence should be roughly an order of magnitude lower.

It follows from the above that a hazard can be screened out and neglected on a probabilistic basis if its probability of occurrence is, with a high degree of confidence, below the acceptable probabilistic limit for severe accidents, that is, $10^{-7}$/a or less.

Since the consequences of nuclear accidents caused by natural hazards can be enormous, the risk should be reduced by selecting effects with a very low annual probability as the basis of design. Therefore, the magnitude of a natural hazard accounted for in the design basis should be associated with an annual probability of $10^{-4}$–$10^{-5}$, depending on the strength or capacity assured by the design. One exception is the regulation of the tornado hazard in the USA, where tornadoes are a reality due to meteorological and topographical conditions. The Nuclear Regulatory Commission has determined best-estimate design-basis tornado wind speeds for new reactors corresponding to an exceedance frequency of $10^{-7}$ per year [19]. Probably the reason for this conservative approach is the complexity of post-event conditions.

The SSCs should be categorized with regard to their safety relevance/function, and a target performance, $P_T$, should be set for each category. The hazard exceedance frequency used for the design of a particular SSC, $H_D$, should then be selected taking into account the achievable resistance, $R_H$, that is, the conditional probability of failure for effects at the level $H_D$: $P_T = H_D \cdot R_H$.

Care should be taken with the convolved frequency where multiple parameters are used to define an event. For example, it is not reasonable to combine a $10^{-4}$/a storm intensity with a $10^{-4}$/a storm duration unless there is a clear correlation. Obviously, there is a strong correlation between phenomena having the same physical origin.

For combinations of independent events, the same probabilistic criterion can be applied as for a single event; that is, a $10^{-4}$/a earthquake should not be combined with a $10^{-4}$/a strong wind, because the joint probability is far below the screening level. By contrast, correlated events must be combined: for example, a big storm coinciding with a high tide could lead to external flooding of the plant.

Specific considerations apply to causally related events, like earthquake and liquefaction, earthquake and tsunami, or earthquake and failure of structures protecting the site.

In the case of liquefaction, the conditional probability of liquefaction can be calculated from the soil data and the design-basis earthquake magnitude. The total probability of earthquake and liquefaction should be less than the probabilistic screening criterion for neglecting the liquefaction hazard (see, e.g., [20]). This condition can also be formulated in terms of a safety factor against liquefaction. If the site soil conditions are improved by engineering methods, this probability and/or safety factor can be applied as the acceptance criterion for the soil improvement.
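The rules above (the product $P_T = H_D \cdot R_H$, the product rule for independent events together with their durations, the root-cause probability times the conditional probability for causally linked pairs, and the $10^{-7}$/a screening level) can be written down as a small screening calculation. The following Python is an added example and is not part of the chapter or of any regulatory tool; the hazard frequencies, durations and conditional probabilities in it are constructed, and the coincidence formula for independent events is a standard Poisson load-coincidence approximation that the chapter does not state.

```python
"""Screening-level risk arithmetic for selecting design-basis natural hazards.

Added example, not from the chapter. The per-year limits are the ones quoted in
the text; every hazard frequency, duration and conditional probability below is
constructed, and the coincidence formula is an assumption stated where used.
"""
from dataclasses import dataclass

P_CD_LIMIT = 1e-5             # core damage, summed over all sequences (/a)
P_FUNCTION_LOSS_LIMIT = 1e-6  # loss of a safety function due to a natural hazard (/a)
SCREENING_FREQ = 1e-7         # hazards at or below this frequency may be neglected (/a)


def failure_probability(p_event: float, p_fail_given_event: float) -> float:
    """P_fail = P(E) * P(fail | E) for a single hazard level E."""
    return p_event * p_fail_given_event


def design_hazard_frequency(p_target: float, resistance: float) -> float:
    """Solve P_T = H_D * R_H for H_D, the exceedance frequency to design an SSC for.

    resistance is R_H = P(fail | effect at level H_D), i.e. what the design can achieve.
    """
    if not 0.0 < resistance <= 1.0:
        raise ValueError("R_H must be a conditional probability in (0, 1]")
    return p_target / resistance


def coincidence_frequency(f1: float, d1: float, f2: float, d2: float) -> float:
    """Annual frequency with which two INDEPENDENT events overlap in time.

    Assumption (Poisson load-coincidence approximation, not from the chapter):
    for rates f1, f2 per year, mean durations d1, d2 in years and f*d << 1 the
    overlap rate is about f1 * f2 * (d1 + d2). Simply multiplying the annual
    frequencies ignores duration, which is the error the chapter warns about.
    """
    return f1 * f2 * (d1 + d2)


def can_screen_out(annual_frequency: float) -> bool:
    """Probabilistic screening: neglect the hazard if at or below 1e-7 per year."""
    return annual_frequency <= SCREENING_FREQ


@dataclass(frozen=True)
class CausalPair:
    """A root event and the hazard it triggers (earthquake -> liquefaction, dyke failure)."""
    name: str
    p_root: float                    # annual probability of the root event
    p_consequence_given_root: float  # conditional probability of the consequential hazard

    def frequency(self) -> float:
        # Causally linked hazards are not independent: P(root) * P(consequence | root).
        return self.p_root * self.p_consequence_given_root


def required_conditional_probability(p_root: float) -> float:
    """Largest P(consequence | root) for which the pair can still be screened out.

    For liquefaction this is the acceptance target for a soil-improvement measure.
    """
    return SCREENING_FREQ / p_root


def assess(pair: CausalPair, p_fail_given_hazard: float) -> str:
    """Screen the pair, then compare the resulting loss-of-function probability to the limit."""
    f = pair.frequency()
    if can_screen_out(f):
        return "screened out"
    p_loss = failure_probability(f, p_fail_given_hazard)
    if p_loss <= P_FUNCTION_LOSS_LIMIT:
        return "acceptable"
    return "unacceptable: strengthen the SSC or improve the site"


if __name__ == "__main__":
    # Constructed inputs. Durations in years: about one minute for the earthquake,
    # about one day for the storm.
    quake_storm = coincidence_frequency(1e-4, 2e-6, 1e-4, 2.7e-3)
    print(f"1e-4/a earthquake with 1e-4/a storm: {quake_storm:.2e}/a, "
          f"screen out = {can_screen_out(quake_storm)}")
    # Target 1e-6/a loss of function with an achievable R_H of 1e-2 -> design for 1e-4/a.
    print(f"H_D for P_T = 1e-6/a and R_H = 1e-2: {design_hazard_frequency(1e-6, 1e-2):.1e}/a")
    cases = (
        (CausalPair("DBE -> embankment failure -> site flooding", 1e-4, 0.9), 1.0),
        (CausalPair("DBE -> liquefaction, unimproved soil", 1e-4, 0.05), 0.5),
        (CausalPair("DBE -> liquefaction, improved soil", 1e-4, 5e-4), 0.5),
    )
    for pair, p_fail in cases:
        print(f"{pair.name}: {pair.frequency():.1e}/a -> {assess(pair, p_fail)}")
    print(f"P(liquefaction | DBE) needed to screen out at 1e-4/a: "
          f"{required_conditional_probability(1e-4):.0e}")
```

The earthquake-plus-storm coincidence comes out around $10^{-11}$/a once durations are included, which is why the text does not combine two $10^{-4}$/a independent events; the embankment case, by contrast, inherits essentially the full design-basis earthquake frequency because the conditional probability is near one, so the only lever is the embankment's seismic resistance.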

There are multiple causally correlated hazards. For example, the possibility of multiple causally linked hazards was recognized at the Tricastin site in France, which initiated a focused safety justification in 2017 [21]. The level of the Tricastin site is 6 meters below the level of the nearby channel. The nuclear site is protected by an embankment. Although the embankment would resist the maximum historically credible earthquake, it could not be excluded that it would fail if the design-basis earthquake of the plant hit the site. If the site were flooded, loss of off-site and on-site electrical power supply and failure of the cooling systems of the reactors could be expected. Limited access to the site would hinder the emergency response. In this case the seismic resistance of the embankment is the key question, since the plant itself remains safe in case of the design-basis earthquake. The probability of loss of safety function is then defined by the probability of the design-basis earthquake, since embankment failure and the consequent flooding are highly probable if a design-basis earthquake happens.

In the case of causally linked hazards, the damaging effects of the root-cause event and the consequential event are not necessarily simultaneous. The timing of the effects should be considered in the design.

The above considerations with small probabilities may seem like the usual reasoning and magic of the nuclear industry. As a matter of fact, that is the state of the art. However, it is recognized not to be sufficient. The generic design paradigm before the Fukushima Dai-ichi accident was "design for a sufficiently low probability of effects to ensure acceptable risk." The new design paradigm is "be prepared for the impossible." Since a devastating natural event can never be completely ruled out, the necessary provisions for managing a radiological emergency, on-site and off-site, must be planned, tested, and regularly reviewed [22, 23].

**5. Difficulties of the safe design**

Two fundamental questions have to be answered here:

1. Whether the characterization of rare natural hazards can be performed with high enough assurance. The question is related to the possibility of defining the hazard curve, that is, the annual probability that an event with a damaging effect exceeding a given threshold will occur at the NPP site.

2. Whether proven engineering solutions are available for ensuring sufficient capability of NPPs to withstand the effects of hazards safely. In other words: will the design ensure $P(\mathrm{fail} \mid E \le E_{DB}) \ll 1$ for the conditional probability of failure? The question is related to the vulnerability/fragility of the NPP.

Presentation of the state-of-the-art methodologies for hazard evaluation is out of the scope of this chapter. The nuclear industry is adopting the most novel scientific achievements for site characterization and investigation (see, e.g., [24]). The hazards accounted for in the design are subject to regular review and update in countries where a regime of periodic safety review is established. The most extensive programs for natural hazard evaluation and for upgrading and justifying the safety of operating plants have been implemented in the USA and in several Eastern European countries, where the operators had to deal with underestimation of the seismic hazard in the design basis. A summary description of these programs is given in [25–28]. Events like the Great Tohoku Earthquake triggered an overall review, correction, and justification of hazard evaluation at the plants (see the stress tests initiated by the European Union and the review and upgrading programs in several countries, e.g., [29, 30]).

The Fukushima accident is the worst-case example of improper characterization of the tsunami hazard. NPPs can be protected from flooding due to tsunamis, provided that the design-basis wave height is adequately defined and the uncertainties of the tsunami characterization are properly compensated by conservative design. In contrast to the Fukushima Dai-ichi plant, the 14-m-high seawall protected the Onagawa NPP from flooding due to the tsunami [31].

The basic difficulties of hazard characterization are the epistemic and aleatoric uncertainties, which should be evaluated and accounted for.

For design-basis hazards, the uncertainty is compensated by a conservative approach in the definition of the demand and in the calculation of the resistance of the SSCs. The generic design rules are fixed in the nuclear regulations and acceptable standards (see, e.g., [9] and [32, 33]).

It should be emphasized that, in engineering practice, the prediction of the effects of hazardous phenomena is recognized to be "a posteriori" uncertain. Therefore, the design should cope with this uncertainty not only within the design basis but also beyond it.

It is required that NPPs be prepared for an unexpected exceedance of $E_{DB}$, and a sudden loss of safety functions (a cliff-edge phenomenon) shall be eliminated. This can be expressed as $P(\mathrm{fail} \mid E \gtrsim E_{DB}) \lesssim M$, where $M$ is some acceptable probability of failure for the unfortunate case in which the design-basis effect is exceeded by a certain value, $E = E_{DB} + \Delta E$.

How large the acceptable values of $M$ and $\Delta E$ should be is very important. In the case of earthquakes exceeding the design basis, the design should provide an adequate margin to protect the items ultimately necessary to prevent escalation of the event sequence into a severe accident. According to the regulations, the
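The two conditions $P(\mathrm{fail} \mid E \le E_{DB}) \ll 1$ and $P(\mathrm{fail} \mid E \gtrsim E_{DB}) \lesssim M$ are conditions on the fragility curve of an SSC, and the annual failure probability is the convolution of that curve with the site hazard curve. The following Python is an added example, not code from the chapter: it assumes a lognormal fragility and a power-law hazard curve anchored at the design-basis point (both standard seismic-PRA modelling choices that the chapter does not prescribe), and every capacity, slope and margin in it is constructed. The closed-form check goes beyond the text: for this hazard-fragility pair the convolution has an exact solution, which is used to validate the numerical integral.

```python
"""Fragility, hazard-curve convolution and cliff-edge margin for one SSC.

Added example, not from the chapter. The lognormal fragility and the power-law
hazard curve are standard seismic-PRA modelling assumptions; all capacities,
slopes and margins are constructed. Effect levels are in arbitrary units
(e.g. peak ground acceleration in g).
"""
import math

P_FUNCTION_LOSS_LIMIT = 1e-6  # loss of a safety function due to a natural hazard (/a)


def lognormal_fragility(e: float, median: float, beta: float) -> float:
    """P(fail | E = e) for a lognormal fragility with median capacity and log-std beta."""
    if e <= 0.0:
        return 0.0
    z = math.log(e / median) / beta
    return 0.5 * (1.0 + math.erf(z / math.sqrt(2.0)))


def hazard_exceedance(e: float, e_ref: float, f_ref: float, slope: float) -> float:
    """Hazard curve H(e): annual frequency of an effect exceeding level e.

    Power law anchored at a reference point, H(e) = f_ref * (e / e_ref) ** -slope.
    With e_ref = E_DB and f_ref = 1e-4 the anchor is the design-basis point.
    """
    return f_ref * (e / e_ref) ** (-slope)


def annual_failure_frequency(median, beta, e_ref, f_ref, slope,
                             e_min=0.01, e_max=20.0, n=2000) -> float:
    """P_fail = integral of P(fail | e) * |dH/de| de over the whole hazard curve.

    Generalizes the single-level product P(E) * P(fail | E) used in the text: each
    slice of the hazard curve contributes its own frequency times the fragility at
    that level. Log-spaced slices; fragility taken at each slice's geometric mean.
    """
    ratio = e_max / e_min
    prev_e = e_min
    prev_h = hazard_exceedance(prev_e, e_ref, f_ref, slope)
    total = 0.0
    for i in range(1, n + 1):
        e = e_min * ratio ** (i / n)
        h = hazard_exceedance(e, e_ref, f_ref, slope)
        total += (prev_h - h) * lognormal_fragility(math.sqrt(prev_e * e), median, beta)
        prev_e, prev_h = e, h
    return total


def closed_form_failure_frequency(median, beta, e_ref, f_ref, slope) -> float:
    """Exact convolution for power-law hazard with lognormal fragility:
    P_fail = H(median) * exp((slope * beta) ** 2 / 2). Used to validate the integral."""
    return hazard_exceedance(median, e_ref, f_ref, slope) * math.exp(0.5 * (slope * beta) ** 2)


def cliff_edge_check(median, beta, e_db, delta_e, m):
    """Return (P(fail|E_DB), P(fail|E_DB + dE), ok), ok meaning P(fail|E_DB + dE) <= M."""
    p_db = lognormal_fragility(e_db, median, beta)
    p_beyond = lognormal_fragility(e_db + delta_e, median, beta)
    return p_db, p_beyond, p_beyond <= m


if __name__ == "__main__":
    E_DB, F_DB, SLOPE = 0.3, 1e-4, 3.0  # design-basis effect at 1e-4/a; constructed curve
    DELTA_E, M = 0.3, 0.1               # postulated exceedance and tolerated failure probability
    for label, median, beta in (("wide margin, ductile", 2.0, 0.4),
                                ("just meets E_DB, brittle", 0.5, 0.2)):
        p_db, p_beyond, ok = cliff_edge_check(median, beta, E_DB, DELTA_E, M)
        p_fail = annual_failure_frequency(median, beta, E_DB, F_DB, SLOPE)
        exact = closed_form_failure_frequency(median, beta, E_DB, F_DB, SLOPE)
        print(f"{label}: P(fail|E_DB)={p_db:.1e}, P(fail|E_DB+dE)={p_beyond:.3f}, "
              f"cliff-edge ok={ok}, P_fail={p_fail:.2e}/a (exact {exact:.2e}), "
              f"within 1e-6/a limit={p_fail <= P_FUNCTION_LOSS_LIMIT}")
```

Both constructed SSCs satisfy $P(\mathrm{fail} \mid E_{DB}) \ll 1$, so a design-basis check alone cannot tell them apart; only the beyond-design-basis point $E_{DB} + \Delta E$ and the full convolution expose the brittle one, whose failure probability jumps above 0.8 for a doubling of the effect and whose annual failure frequency lands well above the $10^{-6}$/a safety-function limit.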
