Following the Fukushima incident in 2011, the nuclear industry has placed a renewed focus on risk mitigation from extraordinary events caused by nature. The various regulatory bodies around the world have gone back to basics to consider not only the design basis for operational sites, but also revisit their risk analysis, accident management strategy and periodic safety review policies. Considering that many nuclear power stations are located on the coast – and the UK is a good example of this – the risk of flooding from both seismic events and severe weather has been a prominent concern too.
Of particular importance has been reviewing the methodology used to derive the seismic hazard, and how that hazard has been mitigated through the design process and present-day operational systems. The operational monitoring of seismic vibration for both structures and equipment plays an important role in providing automatic shutdown protection and the recording of seismic events for later analysis.
Sensonics’ experience suggests that no two nuclear plants are the same in terms of their approach to seismic monitoring and protection: some sites utilise data from the national network of geophysical instruments, while others implement independent monitoring and shutdown on each critical plant item. In each case, the derivation of the required seismic monitoring and protection strategy must meet the safety case and provide appropriate risk mitigation.
Vibrations from an earthquake cause structural effects on a plant. They are classified in terms of seismic response spectra. This defines the ground acceleration magnitude versus frequency, typically over a range of 0.1Hz to 100Hz. Two such types of spectra are specified: the operational basis earthquake (OBE) and the design basis earthquake (DBE), based on a predicted worst-case seismic event within a specified period of time (for example OBE may be specified within 100 years).
Secondary response spectra are derived from the ground accelerations, through modelling, to predict the response of each structure and each level within that structure. A nuclear plant will allocate several seismic categories for specifying the design requirements, and assess them according to the safety class. For example, the highest or most stringent category will demand the equipment or process be tested to the DBE level plus a margin (+40% is recommended in IEEE 344, Standard for Seismic Qualification of Equipment for Nuclear power generating Stations). That is because the process must still remain operable to the design basis, even if other less critical plant processes may have failed above the OBE level. Any earthquake above the OBE level may result in the plant being shut down and to remain so, until analysis and/or inspection has determined that the plant is safe to continue operations.
The challenge is to design and construct plant in a cost-effective manner to meet the seismic categorisation, as well as to provide sufficient design margin. It may not be possible for all equipment or processes, through either analysis or testing, to meet its categorisation fully; this is where independent seismic monitoring systems can be utilised to provide detection of the OBE event and to bring the process to a safe state. Not only must these monitoring systems withstand seismic events, but also they need to exhibit high levels of availability beyond the DBE magnitude event to maintain a valid alarm function.
In combination with the seismic requirements, various safety standards are applied to obtain a stated availability, with EN IEC 61508 being the most common approach. Adherence to such a standard provides a stated system reliability and availability, while at the same time providing an understanding of the systematic failures and ensuring compliance with the 61508 lifecycle model.
TWO TYPES OF SENSORS
The starting point with any seismic monitoring design is the sensor. It is important to recognise there is a clear technical difference between the types of sensors that are used for seismic protection and those used for geophysical earthquake monitoring. Geophysical seismic monitoring utilises broad-band magnet and moving coil (electrodynamic) sensor arrangements capable of measuring micro g acceleration events with sinusoidal periods of over 100 seconds.
On the other hand, strong motion sensors for seismic protection applications only need to provide a resolution down to 1mg and a response to 10 seconds; while historically electrodynamic sensors have been used, nowadays for these applications piezoelectric-based accelerometers are preferred, as they match the technical requirement closely, and provide higher reliability as they have no moving parts.
A trend in vibration monitoring is the adoption of MEMS (micro electromechanical systems) devices in a wide range of sensing applications. These devices offer an excellent low-frequency response, and exhibit the required dynamic range for strong motion seismic monitoring. MEMS devices have been widely used in civil engineering applications since the 1990s. Their relatively low-cost and small size suit applications where many measurement points are required on structures for a limited period of time.
However, adoption of this technology has been slow for the seismic protection market, where stated reliability and maintainability are the key requirements. MEMS is a fast-moving technology; with limited application experience, selection of a specific sensor may prove difficult to maintain in future years as a result of obsolescence.
Significant earthquake events are few and far between. How do we verify that an installed strong motion sensor is working correctly, when for most of the time, there is nothing to measure? This situation is exacerbated by the sensor installation, which is normally difficult to access. With broad-band seismometers, it is common to have a secondary coil arrangement that can be excited, and therefore stimulate movement of the mass to verify calibration without physical shaking.
Sensonics has incorporated a similar mechanism into its piezoelectric-based seismic sensors, to ensure the measuring element is operating to the correct sensitivity; this self-test feature is in fact a critical requirement.
Utilising redundant sensor configurations in the overall monitoring system concept is a common design feature. In this seismic sensor system design, three separate physical locations are monitored with triaxial sensors capable of measuring acceleration in the three orthogonal axes. The acceleration of each sensor is processed by a trip amplifier. The overall triaxial unit performs a one out of three (1oo3) logic operation to derive the location OBE alarm. The trip alarms from each location are fed back to the central control panel, which performs a subsequent two out of three logic operation to determine the final trip result. In this example, the voting logic is also redundant, to enhance reliability and maintainability. Finally, the system is connected to the specific plant circuit breakers, or to the emergency shutdown system, to complete the safety loop.
For redundancy, a simple one out of two (1oo2) system will usually meet with the reliability requirements, and in fact demonstrates a higher reliability than the 2oo3 system. However, this configuration offers no protection against spurious trips that can result from mechanical interference or sensor failure. Two out of two (2oo2) is an alternative. However, on failure of a channel, the system defaults to a 1oo1 system, compared to defaults of either 2oo2 or 1oo2 from a 2oo3 system. As both of the latter are preferred over 1oo1, the 2oo3 system is the norm for nuclear protection applications.
Combine these channels with dual voting arrangements, and the inbuilt sensor test function results in a system design that can be fully proof-tested while online, maximising the availability of the system. Each voting circuit can be isolated and tested in turn, through signal injection of each sensor. A critical aspect of the system performance is that the sensor will still respond to a real seismic event even while under test.
The avoidance of interactive and connected ‘smart’ devices within the protection loop also eases the analysis burden to meet safety requirements, so is the preferred solution for most clients. Separating the protection and event-recording functions in addition enables the latest technologies and features to be utilised for the seismic waveform recording, without impacting on the protection safety case.
The industrial norm for modern-day nuclear applications is the use of proven technologies in combination with measurement redundancy. Self-testing features and resilience to spurious trips are of particular importance in relation to nuclear power plants’ automatic reactor operation shutdown systems. Adopting these features has become standard for new plant installations, and should also be considered for obsolete seismic monitoring equipment on existing sites. Typical nuclear industry applications include reactor structural monitoring, fuel handling, waste processing and the safe shutdown of crane equipment.