When making safety assessments, we need to make a basic distinction between the risk potential, as the maximum possible damage a risk source can cause, and the risk, which involves considering both the potential extent of the damage and how likely that damage is to occur. Nuclear power plants and nuclear installations generally have a high risk potential, so safety is absolutely vital when designing, building, operating and shutting down such plants to minimise the risks involved (damage prevention).

In nuclear power plants, these requirements mean protective goals such as controlling reactivity, cooling fuel assemblies, confining radioactive substances and limiting radiation exposure must be adhered to. The components and building structures required to meet these requirements are safety-related and are therefore referred to as safety-related components and building structures.

To meet these safety goals, we basically use the safety barriers as shown in Figure 2.14 and the safety systems, which may be designed as either active or passive safety systems.

2. Fuel rod cladding

Reinforced concrete cylinder as radiation shield

Fig. 2.14 Passive safety barriers

These safety systems are highly reliable, thanks to the following:

— Redundancy

Main safety system components are multiplicated so that, should one of these modules fail, another identical module can take over.

— Diversity

Major components are made to different designs, so that not all the modules of the same type needed for these safety systems are likely to fail at the same time. This also reduces the risks of failing for the same reasons (common cause failure).

— Spatial separation

Major components of redundant safety systems are located away from one another, so that if an incident occurs that has limited local events that cause one module to fail, an identical module somewhere else which is not affected by that incident can take over the safety function (Figure 2.15).

Safety systems are needed to manage incidents, and must therefore be designed for both rare internal incidents (internal actions) and rare external ones (external actions). Internal design basis accidents include loss of coolant accident and internal flooding. A loss of coolant accident, and how it is handled, is shown in Figure 2.16. Significant external actions include earthquakes and floods. So plants must be designed to withstand an earthquake with the greatest seismic effects foreseeable where they are located.

These rare design basis accidents can be distinguished from the system status conditions in nominal use (normal operations as regular condition and anomalous operations as frequent condition) and the extremely rare events resulting from an accident (Table 2.2). Under the banded safety concept used in Germany, these system

Fig. 2.16 Controlling loss of coolant accidents

status conditions and events are assigned to four safety levels, as shown in Table 2.2, plus the extremely rare events which as accidents count as so-called ‘residual risks’ and which call for disaster prevention and environmental protection measures accordingly.

In the scenarios in Table 2.2, which must be considered as part of a safety philosophy, the focus is on preventing damage. One major contribution to this damage prevention is made by the International Atomic Energy Agency (IAEA), the international atomic energy organisation which sets the standards for erecting and operating nuclear plants. Another contribution comes from reviewing preventive measures and how effective the safety systems of each nuclear power plants are in the light of past events at nuclear plants which have occurred worldwide.

Following the reactor accident at Chernobyl in 1986, the IAEA launched the INES scale in 1991 (Table 2.3 ) for recording incidents and events at nuclear facilities.

This ranges from anomalies (levels 0-1), incident (levels 2-3) and accidents (levels 4-7). Depending on how they are rated, events must be assessed at the nuclear power plant concerned and rated with the controlling government organ­isations to show that the safety procedures in place are effective and to improve them if required.

On the INES scale, the Chernobyl incident must be classified as a major accident at the highest level 7. By way of comparison: the equally notorious event (partial meltdown) at Harrisburg (‘Three Mile Island’ in 1979, where the effects of the meltdown were limited to the plant itself, without damaging the health of the population, were classified as a level 5 event. In Germany, there have been 74 events since 1991 which were rated as level 1 on the INES scale and just three that were rated at level 2.

In assessing the risks that nuclear power plants present, we also include extremely rare events as ‘hypothetical’ accidents classified as residual risks. These include a melt­down due to serious core problems. Compared with the units now operating (up to Generation III), in which the effects of a meltdown are studied as part of a safety analysis, the new Generation III+ plans are designed such that they have structural

Fig. 2.17 EPR, core catcher (heat removal system)

safeguards and/or passive safety features to protect against a meltdown. For the EPR, for example, a meltdown prevention system was designed with a ‘core catcher’. As Figure 2.17 shows, should the reactor’s pressure vessel burn through, the molten core can be collected in a space below the reactor pressure vessel and cooled to avoid it burning through the foundations and to prevent pressure in the reactor pressure vessel increasing any further. This covers not only short-term but also long-term safety functions, without any further serious disaster prevention measures being required in the area around the plant.

The process of decommissioning a nuclear power plant until when it is deregistered under the Atomic Energy Act, including the rundown phase in direct dismantling, takes around 12 years.

We will now describe the individual phases of the process, taking the Stade nuclear power plant (KKS) as our example (Figure 4.24).

Dismantling phases, using KKS as example:

Phase 1:

— Take down various systems inside and outside control area

— Put different buildings to different uses

— Set up dismantling infrastructure

Phase 2:

— Remove main coolant lines and pumps

— Remove boiler and other large components

— Remove other contaminated system components

Phase 3:

— Make preparations to remove and pack activated building sections and components

— Remove and treat reactor pressure vessel fittings

— Remove reactor pressure vessel

— Remove bioshield

Phase 4:

— Remove remaining system components within control area

— Decontaminate and clear standing structures

— Withdraw from decontaminated areas in stages and seal against recontamination

— Clear site

— Release complete site from Atomic Energy Act monitoring

4.5.1 Individual structural measures involved in dismantling

We list some individual building services below which those involved in dismantling

will normally have to carry out [35]:

— Reconstruction measures: fit extra shields, create openings, close openings, take fire precautions

— Strengthen building components to take increased loads due to temporary interim conditions, for example

— Create routes for transport logistics within control area while removing contami­nated and activated system components and logistics work retrofitting lifting gear, including creating access roads required

— Removing contaminated concrete structures: establishing depth and extent of contamination levels, cutting off and removing contaminated building surfaces and packing in transport containers

— Removing activated concrete structures (bioshield)

— Measures to prevent building work problems: making safe against falling loads

— Setting up temporary buildings for treating and storing radioactive waste, clearance measurement of system components released completely and unconditionally if classified accordingly

— General service functions such as scaffolding or client providing site electricity supply

It is a general rule for all structural fastenings that they must be designed by engineers. Deciding how to design them at the execution stage is not enough. So anchor plates with headed studs must be designed in an engineering-like manner also. This includes providing analytical verification that they have sufficient structural strength and serviceability and producing detailed drawings concerned, such as anchoring and formwork drawings.

Within the scope of general engineering construction and for non-safety-related anchorings, verification of the load-bearing capacity is based on the General Technical Approvals. Such approvals contain all the details required of specific product strengths, permitted edge and centreline distances and instructions and cross-references to the calculation methods to be used.

According to the current status of the General Technical Approvals, anchor plates with headed studs are designed in the same way as anchors based on Annexe C to European Guidelines ETAG 001 [65]. Design includes verification of headed studs against steel failure and verification of the anchor base against concrete failure. In terms of concrete failure, there are a number of failure modes to be considered, depending on the effects of actions involved, such as concrete cone failure, concrete edge fracturing and pry-out failure. The individual failure modes and calculation procedures are described in detail in [76].

In addition to the provisions of ETAG 001, General Technical Approvals for anchor plates with headed studs include additional reinforcement for anchoring the headed studs within the background bending compression area. Particularly where anchorings are close to edges, in new buildings, specifying such additional reinforcement can avoid broken edges and improve structural strength. Further studies on the effectiveness of back-tying reinforcement are described in [77].

During the construction period of the first nuclear power plants there were not yet any rules on using back-tying reinforcement for anchorings with headed studs. For post­calculating anchor plates as part of repairs and retrofits, more recent rules in DIN SPEC 1021-4-2:2009 [75] govern the co-function of existing structural component reinforcement. The existing reinforcement must meet certain design principles such as a sufficient anchoring length inside and outside the fracture cone and should be in the influence area up to 0.75 hef by the headed studs. If these conditions for use are satisfied, anchorings close to edges in existing structures can often be shown to have a greater structural strength. The more extensive rules in DIN SPEC 1021-4-2:2009 are expected to be incorporated in individual approvals for headed studs by the end of 2010.

General Technical Approvals do not cover the verification of the structural strength of anchorings for safety-related components; this must therefore be approved on a case — by-case basis (see section 7.2.5.1).

The notice of consent given by the authorities concerned and the associated expert opinion lay down the calculation methods to be used and the rules to be followed. In exceptional cases, they also include details of the materials to be used, the number and size of the studs to be used for the anchor groups concerned and additional provisions on partial safety factors, if required.

One essential feature here is the data on the structural strength of headed studs in cracked reinforced concrete structural components under accidental actions. This data is based on additional tests and assessments in line with DIBt Guidelines [63], and provides the design basis for fastenings in requirement category A3 to DIN 25449:2008 [15].

The notice of approval also contains additional general rules on accounting for existing reinforcement.

The serviceability of anchor plates with headed studs is less important with non-safety — related fastenings. The loads to be induced are generally relatively small, and the components to be attached are not sensitive to the low levels of deformation to be expected. Reference values for the deformations to be expected in the headed studs are included in the General Technical Approvals.

With safety-related fastenings, the deformation and the sensitivity to deformation of the components to be attached facing accidental actions must be matched to one another. The resilience of the fastenings must be taken into account in calculations when dimensioning components which are vulnerable to deformations, such as pipes.

Reference values for the deformations to be expected in the headed studs under accidental actions are included in the notices of consent and the associated opinions.