“Practical elimination” principle in the Akkuyu Nuclear Power Plant design *

The paper considers the implementation of the “practical elimination” principle in the design of the Akkuyu NPP with VVER‑1200 reactors being under construction in Turkey. The “practical elimination” principle is defined as follows: for accident sequences or phenomena that contribute or lead to unacceptable radiological consequences for the public or the environment, it shall be shown with a high level of confidence that their occurrence is highly unlikely. “Practical elimination” is proved predominantly by results of a Level 2 probabilistic safety assessment. The implementation of the “practical elimination” principle was considered at the level of accident sequences leading to a large radioactive release. It has been shown that each accident sequence leading to an unacceptable release has the probability of occurrence below 4.45Е–8 per reactor per year, while their total probability not exceeding the value of 6.17Е–7 per reactor per year. For the phenomena inside the containment area during severe accidents, including hydrogen detonation, a large thermal explo - sion, direct containment heating, overpressure in the containment volume, and the containment damage at later stages due to the basement melting through, their “practical elimination” has been demonstrated. The paper also considers specific hard-to-assess scenarios of beyond design basis accidents, for which the applicability of the “practical elimination” principle is assessed as well: a major positive reactivity insertion, a rupture of the reactor pressure vessel and other large-scale components, damage of fuel elements in the spent fuel pool, severe accidents with the containment bypass or containment failure, and severe accidents accompanied the means for mitigating with their consequences being unavailable. Criteria have been developed and used for the “practical elimination” assessment. A sensitivity analysis was undertaken as part of the Level 2 probabilistic safety assessment which has shown that estimated values slightly depend on the analytical assumptions, as well as on the random change in the parameters that the affect the progression of severe accidents.


Introduction
The irreducible contribution to the calculated probabilistic safety metrics in most cases is made by the so-called "practically eliminated" events against which no immediate protective measures are provided in the NPP design.If such events are the predominant contributors to the estimated risk profile, it needs to be recognized that there are no more possibilities for improving safety, and a decision needs then to be taken therefore proceeding from the consideration of the radiation risk acceptability taking into account benefits for the economy and the society.
Historically, the term "practical elimination" dates back to nearly 25 years ago as discussed in Kuzmina et al. 2022.It was initially introduced into practice worldwide through a publication by the IAEA's International Nuclear Safety Advisory Group (INSAG) in 1999 (Basic Safety Principles for Nuclear Power Plants 1999).Though it was used in some of the IAEA Safety Standards within the 20 years that followed (e.g. in SSG-4 2010 and SSR-2/1 2016)), the definition of the term was formulated by the IAEA in its Safety Glossary as late as in 2018 (IAEA Safety Glossary: Terminology Used in Nuclear Safety and Radiation Protection 2018).
In parallel, the term "practical elimination" was introduced into practice through the European Utilities Requirements (EUR).The EUR and IAEA definitions for the term do not practically differ.
The "practical elimination" principle consists, as defined in the EUR, in the following: the accident sequences (AS) or phenomena capable to lead or leading to unacceptable radiological consequences for the public or the environment need to be either physically impossible or it needs to be shown with a high level of confidence that they are highly unlikely to take place (European Utility Requirements for LWR Nuclear Power Plants (EUR).Volume 1, 2. Revision Е 2016).
It should be noted that it is not possible to justify the 'physical impossibility' of accident sequences or phenomena that contribute or lead to unacceptable radiological consequences, except for extremely limited spectra, due to the fact that nearly any event is probabilistically possible.

Examples
1. Calculations show that the reaction force in the event of the reactor vessel ejection is not enough for the containment failure when the reactor bottom fails in the event of a severe accident with a high pressure inside the reactor.These calculations are highly conservative but, despite the computational conservatism, there is a nonzero probability that some of the factors that define the phenomenon (such as the properties of materials and the pressure within the vessel at the time of the failure) may differ with a very low probability from those adopted for the calculations to such extent that the containment will fail all the same.2. A dry reactor cavity is used in the design, and an ex-vessel steam explosion is believed to be physically impossible, but there is always a nonzero probability that the cavity was filled with water either as a result of the leakage through a crack in the vessel bottom prior to the severe accident or due to water entering the cavity before an abnormality occurs due to the operator error.
Essentially, "physically impossible" may be only the phenomena that are not applicable in principle to the fa-cility under consideration (e.g., sodium-water interaction in a water-cooled water-moderated reactor, or the steam generator tube clogging with shellfish in the process of the power operation).In addition, the impossibility for the flood spreading to higher elevations against the gravity action is an example of a "physically impossible" event.
Based on the above reasoning, the "practical elimination" principle is formulated in the Akkuyu NPP design as follows: for ASs or phenomena that contribute or lead to unacceptable radiological consequences for the public or the environment, it shall be shown with a high level of confidence that they are highly unlikely to take place.And the criterion for an AS or a phenomenon to be classified as "highly unlikely" varies depending on whether the AS or the phenomenon leads directly to unacceptable radiological consequences or there are additional conditions for such consequences to arise.
The Akkuyu NPP is the nuclear power plant under construction on the Mediterranean coast of Republic of Turkey.The Akkuyu NPP is built under a Russian project envisaging construction, commissioning, and operation of four units with VVER-1200 reactors.This is a firstof-a-kind BOO-project (i.e.Build-Own-Operate project).The General Designer for the Akkuyu NPP is JSC Atomenergoproekt.

Implementation of the "practical elimination" principle at the level of accident sequences leading to a large accidental release
The "highly unlikely" criterion assumed for the above ASs leading immediately to unacceptable radiological consequences is their occurrence probability value equal to 1Е-7 per reactor per year with an extra condition that the total probability of such sequences shall be such that the Criterion for Limited Impact (CLI) is below 1Е-6 per reactor per year.In accordance with European Utility Requirements for LWR Nuclear Power Plants (EUR).Volume 1, 2. Revision Е 2016, the Criterion for Limited Impact is the acceptance criterion determined by comparing the linear combination of the radionuclide release families against the maximum release value.Each criterion matches a particular type of limited consequences for the public.
To ensure that the said criterion is met, NPP designs include a range of technical measures to reduce the probability of occurrence of the accident sequences leading to a large or early accidental release.A Probabilistic Safety Assessment (PSA) of Level 1 has identified all ASs that cause a severe damage to nuclear fuel and potentially, therefore, a large or early accidental release.
It should be noted that all of the sequences which have been caused identified, caused by the initiating events (IE) taken into account in the design and leading potentially to a large or an early large accidental release, are taken into account in a certain way by applying the defense-in-depth (DID) concept (NP-001-15 2015).
It has been shown based on the Level 1 PSA results for the Akkuyu NPP in Republic of Turkey that, for internal IEs during power operation of the unit, none of the complex ASs that includes an initiating event and/ or random-type failures of components and/or human errors, and leading to a severe accident, has a probability of over 1Е-8 per reactor per year.For the Akkuyu NPP reactor during power operation, this is achieved by combining the performance of the safety functions by two active safety system trains (each with a 100% internal redundancy) and passive systems (Stage 1 and 2 Hydraulic Accumulators and the Passive Heat Removal System).For the period of a reactor shut down for preventive maintenance with a safety system train being out of service for repair, the probability value for the ASs causing damage to nuclear fuel is achieved at a level of below 1Е-8 per reactor per year thanks to the operation of the remaining active safety system train, including spent fuel pool heat removal systems and the passive safety systems.
The reliability of the DID systems of levels 1 through 3 is confirmed by the low total probability of fuel damage estimated as 6Е-6 per reactor per year.
It should be noted that for all ASs leading to the failure of the DID's levels 1 through 3, the Akkuyu NPP design includes tools at the DID's level 4 that prevent the transition to level 5 (the corium localization device, the sprinkler system, the additional spent fuel pool heat removal system).The efficiency of these systems is confirmed by the fact that the total probability of a large accidental release is estimated in the Akkuyu NPP design as 6.17E-7 per reactor per year.
With regard for the Akkuyu NPP PSA results, it has been shown that each of the ASs leading to an unacceptable release has the probability of occurrence below 4.45Е-8 per reactor per year, their total probability not exceeding 6.17Е-7 per reactor per unit.
Therefore, it is shown in the Akkuyu NPP design that the implementation of the DID principle and the use of both active and passive systems for performing the key safety functions guarantees that the above-mentioned "highly unlikely" criterion is met.

Implementation of the practical elimination principle for different phenomena inside the containment during severe accidents
The design considers a number of phenomena, the occurence of which may contribute to an unacceptable accidental release: • hydrogen detonation; • large thermal explosion; • direct heating of the containment; • overpressure within the containment; • containment failure at later stages due to the basement meltdown.
Each of the above effects manifests itself in severe accident scenarios (leading to the fuel rod damage during the accidents initiated by internal IEs, internal or external hazards), the total probability of occurrence for which does not exceed 1Е-5 per reactor per year.However, even in the event of such scenarios taking place, the probability of the containment integrity loss leading to a major accidental release is rather low.
The following "highly unlikely" criterion has been assumed for such effects: the probability of occurrence for any individual considered scenario, including the analyzed effects, does not exceed 1Е-7 per reactor per year, the total probability of sequences leading to the CLI (Criterion for Limited Impact) being exceeded (European Utility Requirements for LWR Nuclear Power Plants (EUR).Volume 1, 2. Revision Е 2016) does not exceed 1Е-6 per reactor per year.
The design analyzes the probability of phenomena and processes to occur in severe accidents that may lead to the containment damage and, accordingly, to a large or an early accidental release.

Hydrogen detonation
To prevent explosion-hazardous concentrations of hydrogen within the containment, the design provides for a hydrogen monitoring and removal system, which comprises passive catalytic hydrogen recombiners installed at the potential hydrogen concentration points.In accordance with the requirements in NP-040-02 2002, the design basis for this system is prevention of hydrogen deflagration in design-basis accidents and prevention of detonation in beyond-design-basis accidents.
When selecting the recombiner type, number or installation points, all possible sources of hydrogen formation are taken into account with regard for the generation rate: • hydrogen contained initially in the containment atmosphere; • hydrogen formed as the result of the steam-zirconium reaction; • hydrogen formed via water radiolysis in the reactor, in the spent fuel pool and in the emergency sump; • hydrogen formed as the result of full oxidation in the corium localization device of the zirconium that has not been oxidized at the accident in-vessel stage.
The probability of detonation was considered conservatively for severe accident scenarios in the Level 2 PSA model, with postulating conservatively the containment failure and a large accidental release at the accident stage until the time the hydrogen concentration decreases to a safe level thanks to recycling through the recombiner operation.The total probability of such ASs for severe accidents involving detonation was estimated using the Level 2 PSA model as 6.05E-8 per reactor per year, the probability of occurrence for an individual scenario with detonation being 2.87Е-9 per reactor per unit.

Large thermal explosion
An in-vessel explosion is physically possible, but, as shown by international studies (NUREG-1150 1990), has a very low conditional probability of occurrence (less than 1Е-5).Given that this event is possible only if nuclear fuel melts in full that takes place with practically no water in the reactor vessel, the total probability of such phenomenon is below 1Е-10 per reactor per year, and it is also "practically eliminated".
An in-vessel steam explosion in the event the corium goes out of the reactor vessel is also excluded by the reactor cavity design and by using the corium localization device in which there is no water at the time of the reactor vessel failure.This is a peculiarity of the VVER-1200 reactor and cavity design.The exclusion is breaks in the elliptic part of the reactor vessel, in the event of which the primary circuit water may enter the cavity but the probability of such breaks is estimated to be below 1Е-10 per reactor per unit.

Direct containment heating
Direct heating of the containment is the possible scenario of a severe accident with the reactor vessel failure at a high pressure in the primary circuit.The occurrence of such scenarios during a beyond-design-basis accident is prevented in the Akkuyu NPP design through the following solutions: • installation of the pressurizer's pulse safety devices with the possibility of control using an additional line; • use of an emergency gas removal system for the primary circuit pressure reduction; • heat removal from the primary circuit via the passive heat removal system.
The total probability of scenarios with the corium escaping from the reactor vessel at a high pressure is estimated as 6.95E-11 per reactor per year.This means that the total probability of occurrence for accident sequences with a large thermal explosion and direct containment heating does not exceed 6.95E-11 per reactor per year and the phenomenon as such is "practically eliminated".

Overpressure within the containment
The containment overpressure is prevented by the water supplied through the sprinkler nozzles by one of the two independent systems: • the sprinkler system, • dedicated equipment for the beyond-design-basis accident management.
Each of these systems is powered and controlled independently.The containment failure and a large accidental release at a later severe accident stage were postulated conservatively in the Level 2 PSA model for severe accident scenarios with the containment overpressure.The total probability of such ASs for severe accidents has been estimated using the Level 2 PSA model as 8.9E-8 per reactor per year (for all IEs except for seismic events).
Taken into account low probability of such ASs (less than 5E-8), it is possible to state that these sequences are "practically eliminated".

Containment failure at later stages due to the basement meltdown
The Akkuyu NPP design includes a corium localization device that prevents, in the event of a severe accident, the core melt interaction with the reactor cavity concrete structures.
The corium localization device is a passive device but its efficient operation is possible only with the successful operation of the systems mentioned above and preventing the containment overpressure.
In the Level 2 PSA model, severe accidents scenarios with the containment overpressure lead also to its concrete basement melting through.The containment failure and a large accidental release at a later severe accident stage were postulated conservatively for these.The total probability of such ASs for severe accidents has been estimated using the Level 2 PSA model as 8.9E-8 per reactor per year.
Taking into account low probability of each of such ASs (less than 5E-8), it is possible to state that these sequences are "practically eliminated".

Implementation of the "practical elimination" principle for specific scenarios of beyond-design-basis accidents
The ASs and effects (phenomena) described above have sufficiently predictable consequences.The probability of their occurrence can be also estimated with the sufficient level of confidence.
However, the Akkuyu NPP unit design also considers scenarios of accidents, the consequences of which are hard to assess and for which the applicability of the "practical elimination" principle is also evaluated: • a major positive reactivity insertion (including non-uniform dilution of boric absorber); • rupture of large-size pressurized components (e.g., the reactor vessel and large-size primary circuit components); • fuel element failure in the spent nuclear fuel storage (spent fuel pool); • severe accidents with the loss of the containment integrity because of its bypass (e.g. in the event of the steam generator tube or header failure, an isolating valve failure, or an accident with a break in an adjacent system); • severe accidents in the reactor state when the containment is depressurized or the severe accident management means are out of service.
For the above scenarios the meeting of any of the following conditions is considered as a criterion of "highly unlikely": C1. probability of a severe accident of less than 1Е-6 per reactor per year provided the containment remains intact.
C2. probability of a severe accident of less than 1Е-7 per reactor per year with the containment integrity lost (including the containment bypass).
The above scenarios are considered below in the context of using these two criteria.

Major positive reactivity insertion (including non-uniform dilution of boric absorber)
It has been shown by the analyses presented in the Preliminary Safety Analysis Report for the Akkuyu NPP that such ASs will lead to the reactor scram of type 1 and the unit brought into a safe state even in the event of pure condensate erroneously fed to the makeup pump suction side.The probability of a severe damage to fuel for all of the above scenarios is below 1Е-7 per reactor per year, and no containment integrity is lost that makes it possible to state that they are "practically eliminated" (Criterion C1).As to the control rod ejection capable to lead to a critical reactivity insertion, such accidents are limited by the crossbeam which "eliminates them physically".

Rupture of large-size pressurized components (e.g. the reactor vessel or large-size primary circuit components)
In accordance with requirements of NP-001-15 2015, ruptures (failures) of the reactor vessel manufactured and operated to the highest standard and regulatory requirements may not be classified as anticipated operational occurrences, design-basis or beyond-design-basis accidents, requiring an additional safety analysis of the reactor facility, if it has been shown that the probability of the reactor vessel failure does not exceed 1Е-7 per reactor per year.
The reactor vessel and the primary circuit equipment are manufactured using high-quality materials the mechanical characteristics of which have a high safety margin for the reactor facility's operating parameters and ensure the equipment service life of not less than 60 years.
The probability of the reactor vessel failure is estimated in the reactor facility design and the Level 1 PSA as 1.1Е-10 per reactor per year.
The effects from the failure of other primary circuit vessels are limited by the diameter of the connected pipeline and are taken into account by the design.The probability of the scenario for such accidents is below 1E-7 per reactor per year which makes it possible to state that they are "practically eliminated" (Criterion C1).

Fuel element failure in the spent fuel storage (pool)
Fuel element failure in the spent fuel pool (SFP) is "practically eliminated" thanks to: • a large initial water reserve in the SFP; • the operation of the spray system that removes heat from the SFP in normal operating modes; • the emergency and scheduled cooldown system that is the back-up for the spray system for heat removal from the SFP; • the possibility for the SFP makeup from the hydraulic accumulator system; • the possibility for the SFP makeup from the water treatment system sources ; • dedicated means for the beyond-design-basis accident management (mobile equipment); • an additional SFP cooling system that is not dependent on the essential service water and power supply systems.
The probability of fuel failure in the SFP (with regard for leakage through the spent fuel pool lining) in total for all scenarios has been estimated in the Level 1 PSA as 4.73E-08 per reactor per year, with none of the scenarios having a probability of over 1.2Е-8 per reactor per year (this makes it possible to state that they are "practically eliminated").Such low probability is achieved by a large water reserve in the SFP and by multiple paths for removal of heat and for water makeup in the SFP.
The probability of severe fuel damage in the SFP is less than 1Е-7 per reactor per year, and as the probability of loss of containment integrity is low, it is possible to state that fuel element failure in the spent fuel storage (pool) is "practically eliminated" (Criterion C1).

Severe accidents with the containment integrity lost due to its bypass (e.g. in the event of the steam generator tube or header failures, the containment isolation valve failure to close, or an accident with a break in an adjacent system)
The containment bypass is possible with the following fundamentally different cases: • primary-to-secondary circuit leakage; • leakage beyond the containment via adjacent systems; • leakage via the primary circuit blowdown line; • failure of the containment localization system.
For each of these, the Akkuyu NPP design provides for safety measures to reduce the probability of negative consequences, namely, fuel damage.It should be noted that in the event of fuel damage in the containment bypass scenarios, a large accidental release was postulated in the Level 2 PSA (where calculations did no show that it would be possible to stop the release to beyond the containment after the nuclear fuel meltdown).
A dedicated algorithm was developed in the design for the primary-to-secondary circuit leakage that allows coping efficiently with such accidents.Fuel damage and direct release of radioactive substances into the environment is possible in the event when the steam dump valves on the damaged steam generator open and fail to close, and the heat removal from the secondary circuit via intact steam generators fails.The total probability of such ASs for severe accidents has been estimated based on a Level 1 PSA model as 2.95E-8 per reactor per year that makes it possible to state that such scenarios are "practically eliminated" (Criterion C2).
Other scenarios with the containment bypass (leakage through adjacent systems and leakage through the blowdown line) lead to nuclear fuel damage with a probability smaller than 1Е-7 per reactor per year that also allows concluding that they are "practically eliminated" (Criterion C2).
The design includes measures, which ensure operating reliability of the containment localization system (reliable power supply to the isolation valves for more than 72 hours using independence, redundancy and diversity principles).For an AS for a severe accident with the containment isolation system valves failing to close, a large accidental release was postulated conservatively in the Level 2 PSA.The total probability of such ASs for severe accidents has been estimated as 2.9E-8 per reactor per year that also allows concluding that they are "practically eliminated" (Criterion C2).

Severe accidents in the reactor state when the containment has lost its integrity or the means for eliminating the effects of severe accidents are out of service
The containment integrity may be lost either in the event of the localization system failure if an IE occurs during power operation, or in the process of handling operations during scheduled maintenance.
For the ASs for a severe accident with the containment isolation system valves failing to close, it was conservatively postulated in the Level 2 PSA that there is a large accidental release.The total probability of such ASs for severe accidents has been estimated as 2.9E-8 per reactor per year that also allows a conclusion that they are "practically eliminated" (Criterion C2).
The probability for a severe accident to take place in modes with the reactor shut down has been minimized due to the possibility of using the water reserve in the hydraulic accumulators for the reactor and spent fuel pool makeup, including the design of an extra system (in addition to the emergency and scheduled cooldown systems) for the reactor and spent fuel pool decay heat removal with power supply and service water cooling not relying on the safety systems.The performance of the dedicated means provided by the design for managing the beyond-design-basis accident taking into account the additional spent fuel pool decay heat removal system is also sufficient for ensuring the nuclear fuel integrity.The total probability of such ASs for severe accidents has been estimated as 2.9E-8 per reactor per year which also allows a conclusion that they are "practically eliminated" (Criterion C2).

Conclusions
A valid conclusion can be made as the result of considering the "practical elimination" of ASs and phenomena that all of these have been supported by relevant evidence and existing analyses.The probability of a large accidental release estimated in the Level 2 PSA as 6.17Е-7 per reactor per year confirms the Akkuyu NPP safety with regard for the technical and organizational measures implemented in the plant design.
To ensure the reliability of the low probabilistic estimates obtained, which make it possible to conclude that the considered phenomena are "practically eliminated" due to their negligibly low probability, a sensitivity analysis was undertaken in the Level 2 PSA which has shown that estimated values depend slightly on the analytical assumptions, as well as on a random variation in the parameters that affect the development of severe accidents not taken into account in the PSA.