Westinghouse Nuclear - AP1000 Pre-Construction Safety Report


Posted on 25-Sep-2020


Page 1: Westinghouse Nuclear - TITLE: AP1000 Pre-Construction Safety Report

Forms/NS-NPP/Document Cover Sheet.doc

F-3.4.1-1 Rev 3

DOCUMENT COVER SHEET TDC: Permanent File:

DOCUMENT NO. REVISION PAGE ASSIGNED TO OPEN ITEMS (Y/N)

UKP-GW-GL-732 2 1 of 501 W-D. Popp N

DOCUMENT STATUS: PRE CFC CAE DES

Westinghouse Acceptance of AP1000 Design Partner Document by:

N/A

(Name and Date)

ALTERNATE DOCUMENT NUMBER:

ORIGINATING ORGANIZATION: Westinghouse

WORK BREAKDOWN #: N/A

TITLE: AP1000 Pre-Construction Safety Report

ATTACHMENTS: none

CALCULATION/ANALYSIS REFERENCE: N/A

DCP/DCA/EDCR #/REV. INCORPORATED IN THIS DOCUMENT REVISION:

N/A

ELECTRONIC FILENAME

UKP-GW-GL-732

ELECTRONIC FILE FORMAT

M/S Word

ELECTRONIC FILE DESCRIPTION

© 2009 WESTINGHOUSE ELECTRIC COMPANY LLC, ALL RIGHTS RESERVED – WESTINGHOUSE NON-PROPRIETARY CLASS 3

All Class 3 Documents require the following two approvals in lieu of a Form 36.

LEGAL REVIEW L. A. Campagna

SIGNATURE / DATE (If processing electronic approval select option) Electronically Approved***

PATENT REVIEW D. E. Ekeroth

SIGNATURE / DATE Electronically Approved***

© 2009 WESTINGHOUSE ELECTRIC COMPANY LLC, ALL RIGHTS RESERVED – WESTINGHOUSE PROPRIETARY CLASS 2

This document is the property of and contains Proprietary Information owned by Westinghouse Electric Company LLC and/or its subcontractors and suppliers. It is transmitted to you in confidence and trust, and you agree to treat this document in strict accordance with the terms and conditions of the agreement under which it was provided to you.

© 2009 WESTINGHOUSE ELECTRIC COMPANY LLC, ALL RIGHTS RESERVED and/or STONE & WEBSTER, INC.

WESTINGHOUSE PROPRIETARY CLASS 2 and/or STONE & WEBSTER CONFIDENTIAL AND PROPRIETARY

This document is the property of and contains Proprietary Information owned by Westinghouse Electric Company LLC and/or is the property of and contains Confidential and Proprietary Information owned by Stone & Webster, Inc. and/or their affiliates, subcontractors and suppliers. It is transmitted to you in confidence and trust, and you agree to treat this document in strict accordance with the terms and conditions of the agreement under which it was provided to you.

Third Party Provided Information: To be used only for the specific contract under which it was provided. Requirements and responsibilities for this information are specified in APP-GW-GAP-104.

ORIGINATOR(S) WEC 6.1.pdf J. A. Green for G. S. Anderson

SIGNATURE / DATE (If processing electronic approval select option) Electronically Approved***

REVIEWER(S) WEC 6.1.pdf D. M. Popp

SIGNATURE / DATE Electronically Approved***


Verification Method: Independent Review

VERIFIER(S) WEC 6.1.pdf R. P. Vijuk

SIGNATURE / DATE Electronically Approved***

Plant Applicability: All AP1000 plants except: Only the following plants: UKP

APPLICABILITY REVIEWER WEC 6.1.pdf J. A. Speer

SIGNATURE / DATE Electronically Approved***

RESPONSIBLE MANAGER* WEC 6.1.pdf P. A. Russ

SIGNATURE / DATE Electronically Approved***

* Approval of the responsible manager signifies that the document and all required reviews are complete, the appropriate proprietary class has been assigned, electronic file has been provided to the EDMS, and the document is released for use.

*** Electronically approved records are authenticated in the electronic document management system. When a document is approved, this footnote is replaced by a footnote with a date stamp.


AP1000 Pre-Construction Safety Report

UKP-GW-GL-732 Revision 2


REVISION HISTORY

Report Description of Change

Revision 1 This document contains numerous editorial improvements and updates to the revisions of referenced reports relative to Revision 0.

Revision 2 The Pre-Construction Safety Report (PCSR), Revision 2 has been completely restructured to accommodate general NII comments on claims, arguments and evidence. The PCSR also includes a summary of new documents, External Hazards, a revised European DCD and a revised Environment Report. The PCSR also refers to the results of new evaluations, submitted in documents: AP1000 Equivalency / Maturity Study of the U.S. Codes and Standards, AP1000 UK Safety Categorization and Classification of Structures Systems and Components, and AP1000 UK Safety Categorization and Classification Methodology.


TABLE OF CONTENTS

Section Title Page

REVISION HISTORY i

TABLE OF CONTENTS ii

ABBREVIATIONS ABB 1-1

1.0 INTRODUCTION 1-1

1.1 Purpose of the Safety Report 1-1

1.1.1 Background of the Generic Design Assessment Process 1-1

1.1.2 Structure of the Generic Design Assessment Process 1-2

1.1.3 Purpose of the Pre-Construction Safety Report in GDA 1-2

1.2 Development of the AP1000 Safety Report 1-2

1.2.1 AP1000 Design Basis 1-2

1.2.2 UK Regulatory Regime 1-4

1.2.3 AP1000 Safety Report 1-4

1.3 GDA Documentation Structure and Interfaces 1-6

1.3.1 AP1000 Generic PCSR 1-6

1.3.2 Topic Reports Supporting the AP1000 Safety Case 1-7

1.3.3 Supporting Technical Documentation to the AP1000 Safety Case 1-9

1.4 Generic PCSR: Structure and Content 1-10

1.5 Quality Assurance Process followed during the Production of the Generic Pre-Construction Safety Report 1-12

1.5.1 Stakeholders in the PCSR 1-12

1.5.2 Quality Assurance associated with Westinghouse Design and Technical Information 1-13

1.5.3 Safety Case Review Process 1-14

1.6 Conclusion 1-14

2.0 GENERAL PLANT DESCRIPTION 2-1

2.1 Introduction 2-1

2.2 Evolution of the AP1000 Design 2-1

2.3 Basic Design and Technical Characteristics 2-2

2.4 Layout of the Main Civil Structures 2-3

2.4.1 Site Characteristics 2-3

2.4.2 Site Plan 2-4


2.4.3 Plant Arrangement 2-4

2.4.4 Containment/Shield Building 2-5

2.5 Plant Arrangement Considerations 2-8

2.6 Proven Components and Technology in the AP1000 Design 2-9

2.7 Conclusion 2-10

3.0 GENERIC SITE CHARACTERISTICS 3-1

3.1 Introduction 3-1

3.2 Site Design Parameters 3-1

3.2.1 Meteorology 3-2

3.2.2 Geology and Hydrogeology 3-3

3.2.3 Hydrology 3-3

3.3 Strategic Siting Assessment (SSA) 3-4

3.3.1 Exclusionary Criteria 3-4

3.3.2 Discretionary Criteria 3-5

3.3.3 Proximity to Hazardous Industrial Facilities and Operations (D3) 3-7

3.3.4 Proximity Access to Suitable Sources of Cooling (D10) 3-7

3.4 Other Site Specific Criteria 3-8

3.5 Monitoring of Site Specific Parameters 3-9

3.6 Conclusion 3-9

4.0 SAFETY ASPECTS OF DESIGN 4-1

4.1 Introduction 4-1

4.2 Use of Safety Functions 4-3

4.2.1 Key Safety Functions 4-3

4.2.2 Categorisation of Safety Functions 4-5

4.3 Identification of Design Requirements for Safety 4-7

4.3.1 Identification of Design Requirements associated with Normal Operation 4-7

4.3.2 Identification of Design Requirements associated with Fault Conditions 4-7

4.4 Approach to Hazards 4-8

4.4.1 Assessment of Internal Hazards 4-8

4.4.2 Assessment of External Hazards 4-24


4.5 Engineering Substantiation 4-38

4.5.1 Safety Classification of Systems, Structures and Components 4-38

4.5.2 Seismic Categorisation of Systems, Structures and Components 4-41

4.5.3 Incredibility of Failure Issues 4-42

4.5.4 Application of Codes and Standards 4-43

4.5.5 Environmental Qualification of Systems, Structures and Components 4-43

4.6 Conclusion 4-44

5.0 SAFETY ASSESSMENT APPROACH 5-1

5.1 Introduction 5-1

5.2 Fault Schedule 5-1

5.2.1 Introduction 5-1

5.2.2 Identification of Initiating Events 5-2

5.2.3 Initiating Event Frequencies 5-3

5.2.4 Provision of Safety Measures 5-3

5.3 Design Basis Analysis 5-5

5.3.1 Introduction 5-5

5.3.2 Selection of Representative Sequences 5-5

5.3.3 Thermal-Hydraulic Analysis Approach 5-5

5.3.4 Radiological Analysis Approach 5-14

5.3.5 Results 5-15

5.3.6 DBA Conclusions 5-30

5.4 Probabilistic Risk Analysis 5-31

5.4.1 Introduction 5-31

5.4.2 Selection of Initiating Events 5-31

5.4.3 Analysis Approach 5-32

5.4.4 Results 5-34

5.4.4.7 Important Common Causes/Modes 5-41

5.4.4.8 Dependence on Operator Action 5-42

5.4.4.9 Treatment of Equipment Reliability 5-42

5.4.4.10 Shutdown PRA 5-43


5.4.5 Sensitivity Analysis 5-43

5.4.6 PRA Conclusions 5-44

5.5 Severe Accident Analysis 5-45

5.5.1 Introduction 5-45

5.5.2 Identification of Plant Damage States 5-46

5.5.3 Construction of the Containment Event Tree 5-47

5.5.4 Quantification of Release Frequencies 5-50

5.5.5 Results 5-51

5.5.6 Severe Accident Analysis Conclusions 5-51

5.6 Safety Analysis Conclusions 5-52

6.0 DESCRIPTION OF PLANT SYSTEMS AND THEIR CONFORMANCE WITH DESIGN REQUIREMENTS 6-1

6.1 Introduction 6-1

6.2 Primary Systems General Operation 6-1

6.3 Reactor 6-3

6.3.1 Reactor System 6-3

6.3.2 Reactor Coolant System 6-18

6.4 Engineered Safety Features 6-25

6.4.1 Containment System 6-27

6.4.2 Containment Isolation System 6-27

6.4.3 Passive Containment Cooling System 6-29

6.4.4 Main Control Room Emergency Habitability System 6-32

6.4.5 Passive Core Cooling System 6-33

6.5 Auxiliary Systems 6-42

6.5.1 Chemical and Volume Control System 6-43

6.5.2 Containment Hydrogen Control System 6-50

6.5.3 Normal Residual Heat Removal System 6-52

6.5.4 Communication System 6-55

6.5.5 Component Cooling Water System 6-55

6.5.6 Compressed and Instrument Air System 6-57

6.5.7 Containment Leak Rate Test System 6-57


6.5.8 Demineralised Water Transfer and Storage System 6-58

6.5.9 Demineralised Water Treatment System 6-58

6.5.10 Fire Protection System 6-58

6.5.11 Gaseous Radwaste System 6-59

6.5.12 Liquid Radwaste System 6-61

6.5.13 Mechanical Handling System 6-63

6.5.14 Plant Gas System 6-66

6.5.15 Potable Water System 6-66

6.5.16 Primary Sampling System 6-67

6.5.17 Radiation Monitoring System 6-69

6.5.18 Radioactive Waste Drain System 6-70

6.5.19 Sanitary Drainage System 6-71

6.5.20 Secondary Sampling System 6-71

6.5.21 Service Water System 6-71

6.5.22 Solid Radwaste System 6-72

6.5.23 Spent Fuel Pool Cooling System 6-73

6.5.24 Standby Diesel Fuel Oil System 6-75

6.5.25 Turbine Building Closed Cooling Water System 6-76

6.5.26 Turbine Island Vents, Drains and Relief System 6-76

6.5.27 Waste Water System 6-77

6.6 Steam and Power Conversion Systems 6-77

6.6.1 Feed and Condensate System 6-77

6.6.2 Main Steam System 6-81

6.6.3 Turbine Bypass System 6-83

6.6.4 Main Turbine-Generator 6-84

6.6.5 Moisture Separator Reheaters 6-85

6.6.6 Condenser Air Removal System 6-86

6.6.7 Gland Seal System 6-87

6.6.8 Main Condenser 6-88

6.6.9 Steam Generator Blowdown System 6-89


6.6.10 Circulating Water System 6-91

6.6.11 Auxiliary Steam Supply System 6-92

6.6.12 Turbine Island Chemical Feed System 6-93

6.6.13 Condensate Polishing System 6-93

6.7 Instrumentation and Control 6-93

6.7.1 Description 6-93

6.7.2 Design Requirements 6-94

6.7.3 Substantiation 6-94

6.8 Electrical Power Systems 6-102

6.8.1 Class 1E dc and Uninterruptible Power Supply System 6-103

6.8.2 Non-Class 1E dc and Uninterruptible Power Supply System 6-105

6.8.3 Main ac Power System 6-106

6.8.4 Onsite Standby Power System 6-107

6.8.5 Cathodic Protection System 6-108

6.8.6 Excitation and Voltage Regulation System 6-108

6.8.7 Grounding and Lightning Protection System 6-109

6.8.8 Lighting System 6-109

6.8.9 Plant Security System 6-109

6.8.10 Special Process Heat Tracing System 6-109

6.9 HVAC Systems 6-109

6.9.1 Annex/Auxiliary Building Nonradioactive Ventilation System 6-110

6.9.2 Central Chilled Water System 6-110

6.9.3 Containment Air Filtration System 6-111

6.9.4 Containment Recirculation Cooling System 6-112

6.9.5 Diesel Generator Building Ventilation System 6-112

6.9.6 Health Physics and Hot Machine Shop HVAC System 6-113

6.9.7 Hot Water Heating System 6-114

6.9.8 Nuclear Island Nonradioactive Ventilation System 6-114

6.9.9 Radiologically Controlled Area Ventilation System 6-120

6.9.10 Radwaste Building HVAC System 6-120


6.9.11 Turbine Island Building Ventilation System 6-121

6.10 Conclusion 6-122

6.11 References 6-123

7.0 DESCRIPTION OF THE CIVIL WORKS AND STRUCTURES AND THEIR DESIGN REQUIREMENTS FOR SAFETY 7-1

7.1 Introduction 7-1

7.2 Nuclear Island Structures 7-1

7.2.1 Design Requirements for Safety during Normal Operations 7-5

7.2.2 Design Requirements for Safety during Fault Conditions 7-5

7.2.3 Internal Hazards 7-6

7.2.4 External Hazards 7-6

7.3 Non-Nuclear Island Structures 7-6

7.4 Conclusion 7-7

8.0 ALARP ASSESSMENT OF THE DESIGN OF THE AP1000 8-1

8.1 Introduction 8-1

8.1.1 Purpose 8-1

8.1.2 Scope 8-1

8.1.3 Content 8-2

8.2 Use of Relevant Good Practice 8-3

8.2.1 Application of Standards Defining Good Practice 8-3

8.2.2 Relevant Good Practice in Design 8-10

8.3 Use of the PRA Risk Model to Inform Design 8-16

8.3.1 Background to the PRA Work 8-16

8.3.2 System and Function Reliability 8-17

8.3.3 Human Reliability 8-17

8.3.4 Core Damage Frequency for Internal Initiating Events at Power 8-18

8.3.5 Large Release Frequency for Internal Initiating Events at Power 8-19

8.3.6 Core Damage Frequency and Large Release Frequency for Plant Initiating Events while Shutdown 8-20

8.3.7 Review of Defence in Depth Systems 8-21


8.4 ALARP Review of the Principal Design Decisions during AP1000 Design Development 8-22

8.4.1 Introduction 8-22

8.4.2 Residual Heat Removal 8-23

8.4.3 Containment Design 8-37

8.4.4 Control Room Systems 8-48

8.4.5 Primary System Design 8-56

8.4.6 Fuel Route 8-61

8.4.7 Duty Systems 8-65

8.5 Consideration of Further Options to Enhance Design Safety 8-68

8.5.1 Introduction 8-68

8.5.2 The Process for Identifying Potential Design Improvement Options 8-68

8.5.3 Cost-Benefit Analysis Methodology Using UK Parameters and Regulatory Rules 8-70

8.5.4 Estimated Costs of the Potential Improvement Options 8-72

8.5.5 Benefit Threshold for the Potential Improvement Options 8-73

8.5.6 Cost Benefit Analysis of Individual Potential Design Options 8-76

8.6 Conclusions 8-78

APPENDIX 8.1 AP1000 RELEASE CATEGORIES AP8.1-1

A8.1.1 Introduction AP8.1-1

A8.1.2 Release Category IC – Intact Containment AP8.1-1

A8.1.3 Release Category CFE – Early Containment Failure AP8.1-2

A8.1.4 Release Category CFI – Intermediate Containment Failure AP8.1-2

A8.1.5 Release Category CFL – Late Containment Failure AP8.1-2

A8.1.6 Release Category CI – Containment Isolation Failure AP8.1-2

A8.1.7 Release Category BP – Containment Bypass AP8.1-3

APPENDIX 8.2 URD OVERALL OBJECTIVES AP8.2-1

A8.2.1 Introduction AP8.2-1

A8.2.2 Simplification AP8.2-1

A8.2.3 Design Margin AP8.2-1

A8.2.4 Human Factors AP8.2-1


A8.2.5 Safety AP8.2-1

A8.2.6 Design Basis versus Safety Margin AP8.2-1

A8.2.7 Regulatory Stabilisation AP8.2-1

A8.2.8 Standardisation AP8.2-1

A8.2.9 Proven Technology AP8.2-2

A8.2.10 Maintainability AP8.2-2

A8.2.11 Constructability AP8.2-2

A8.2.12 Quality Assurance AP8.2-2

A8.2.13 Economics AP8.2-2

A8.2.14 Sabotage Protection AP8.2-2

A8.2.15 Good Neighbour AP8.2-2

APPENDIX 8.3 CHANGES TO THE AP600 AND AP1000 DESIGNS RESULTING FROM PRA AP8.3-1

A8.3.1 Introduction AP8.3-1

A8.3.2 Changes to AP600 Based on PRA AP8.3-1

A8.3.3 Changes to AP1000 Based on PRA AP8.3-2

APPENDIX 8.4 LIST OF POTENTIAL UK AP1000 DESIGN IMPROVEMENTS THAT WERE NOT TAKEN FORWARD AP8.4-1

A8.4.1 Introduction AP8.4-1

A8.4.2 Locate the Normal Residual Heat Removal System inside the Containment AP8.4-1

A8.4.3 Self-Actuating Containment Isolation Valves AP8.4-1

A8.4.4 Improved Reliability of the Diverse Actuation System AP8.4-1

A8.4.5 Diverse IRWST Injection Valves AP8.4-2

A8.4.6 Steam Generator Safety Valve Flow Directed to the IRWST AP8.4-2

A8.4.7 Steam Generator Shell-Side Passive Heat Removal System AP8.4-2

A8.4.8 Chemical and Volume Control System Upgraded to Mitigate Small LOCAs AP8.4-3

A8.4.9 Ex-vessel Core Catcher AP8.4-3

A8.4.10 Secondary Containment Filtered Ventilation AP8.4-3

A8.4.11 Passive Containment Spray AP8.4-4

A8.4.12 Filtered Containment Vent AP8.4-4


A8.4.13 Increase of Steam Generator Secondary Side Pressure Capacity AP8.4-4

A8.4.14 High-pressure Containment Design AP8.4-5

A8.4.15 Active High-Pressure Safety Injection System AP8.4-5

A8.4.16 Larger Accumulators AP8.4-5

A8.4.17 Larger Fourth-Stage ADS Valves AP8.4-6

9.0 SAFETY MANAGEMENT THROUGHOUT THE PLANT LIFECYCLE 9-1

9.1 Introduction 9-1

9.2 Safety Management Framework 9-1

9.3 Management of Safety throughout the Lifecycle 9-3

9.3.1 Design 9-3

9.3.2 Construction 9-4

9.3.3 Commissioning 9-5

9.3.4 Operations 9-6

9.3.5 Decommissioning 9-6

9.3.6 Quality Assurance 9-7

9.4 Safety Culture 9-7

9.5 Conclusion 9-7

10.0 COMMISSIONING 10-1

10.1 Introduction 10-1

10.2 Overview of Construction Verification Process 10-1

10.3 Summary of Commissioning and Objectives 10-1

10.3.1 Pre-Operational Commissioning Objectives 10-2

10.3.2 Start-Up Commissioning Objectives 10-2

10.4 Organisation, Staffing and Responsibilities 10-3

10.5 Commissioning Specifications and Procedures 10-3

10.6 Conduct of Commissioning Programme 10-4

10.7 Review of Commissioning Results 10-5

10.8 Commissioning Records 10-5

10.9 Utilisation of Reactor Operating and Testing Experience in the Development of Commissioning 10-5


10.10 Use of Plant Operating and Emergency Procedures 10-6

10.11 Commissioning Schedule 10-6

10.12 Initial Fuel Loading and Initial Criticality 10-6

10.12.1 Prerequisites 10-6

10.12.2 Initial Fuel Loading 10-7

10.12.3 Initial Criticality 10-8

10.12.4 Power Ascension 10-8

10.13 Pre-Operational Commissioning 10-9

10.13.1 Pre-Operational Commissioning of Systems with Safety Significant Functions 10-9

10.13.2 Pre-Operational Commissioning of Defence-in-Depth Systems 10-10

10.13.3 Pre-Operational Commissioning of Radioactive Systems 10-11

10.13.4 Pre-Operational Commissioning of Additional Systems 10-11

10.13.5 Start-Up Commissioning Procedures 10-12

10.13.6 Initial Criticality Tests 10-13

10.13.7 Low Power Tests 10-14

10.13.8 Power Ascension Tests 10-14

10.14 Conclusion 10-15

11.0 OPERATIONAL MANAGEMENT 11-1

11.1 Introduction 11-1

11.2 Operating Instructions 11-1

11.3 Operational Limits and Conditions 11-1

11.4 Examination, Maintenance Inspection, and Testing 11-1

11.5 Site Licensee Operational Management 11-2

11.6 Conclusion 11-2

12.0 RADIOLOGICAL PROTECTION 12-1

12.1 Introduction 12-1

12.2 Radiation Sources 12-1

12.3 Radiation Protection Principles and Criteria 12-5

12.4 Key Radiological Protection Issues 12-6

12.4.1 Radiation Protection during Normal Operation 12-6


12.4.2 Radiological Protection during Post-Accident Conditions 12-7

12.4.3 Radiological Access Areas 12-7

12.4.4 Protection for Work in Contaminated Areas 12-7

12.4.5 Handling Contaminated Items 12-7

12.4.6 Dose Control by Shielding 12-7

12.4.7 Radiation Protection Criteria 12-8

12.4.8 ALARP Principle 12-10

12.5 Design Features for Radiation Protection 12-10

12.5.1 Equipment and Component Designs 12-10

12.5.2 Facility Layout Design 12-11

12.5.3 Bulk Shielding 12-11

12.5.4 Airborne Activity 12-12

12.6 Radiation Monitoring 12-12

12.7 Radiation Protection Programme 12-14

12.8 Conclusion 12-15

13.0 EMERGENCY PREPAREDNESS 13-1

13.1 Introduction 13-1

13.2 General 13-1

13.3 Emergency Response Facilities 13-3

13.4 Conclusion 13-4

14.0 ENVIRONMENTAL ASPECTS 14-1

14.1 Introduction 14-1

14.2 Environmental Protection 14-1

14.2.1 General 14-1

14.2.2 Environment Agency - Regulatory Role 14-2

14.2.3 Radiological Controls 14-2

14.2.4 Non-Radiological Controls 14-3

14.3 Prevention of an Environmental Accident 14-3

14.3.1 General 14-3

14.3.2 Environmental Accidents 14-4


14.3.3 Potential Environmental Pollutants 14-7

14.3.4 Discussion of Generic Accident Scenarios 14-12

14.3.5 Accident Mitigation Measures (Commissioning/Operation) – Radioactive Pollutants 14-13

14.3.6 Accident Mitigation Measures (Construction/Commissioning/Operation) – Non-Radioactive Pollutants 14-17

14.3.7 Accident Mitigation Measures (Decommissioning) – Radioactive and Non-Radioactive Pollutants 14-20

14.4 Environmental Monitoring Programme 14-20

14.4.1 Development of Conceptual Site Model 14-21

14.4.2 Routine Environmental Monitoring 14-21

14.4.3 Review and Assessment of Monitoring Data 14-22

14.4.4 Quality Assurance and Reporting 14-22

14.4.5 Contingency Action Plan (CAP) and Emergency Response 14-23

14.5 Conclusions 14-24

15.0 RADIOACTIVE WASTE MANAGEMENT 15-1

15.1 Introduction 15-1

15.2 Integrated Waste Strategy 15-2

15.3 BAT Assessment of AP1000 Nuclear Island 15-3

15.4 BAT Assessment Radwaste Treatment 15-3

15.4.1 Gaseous Radwaste System (WGS) 15-3

15.4.2 Liquid Radwaste System (WLS) 15-4

15.4.3 Solid Radwaste System (WSS) 15-4

15.5 Radiological Protection 15-5

15.6 Conclusion 15-6

16.0 DECOMMISSIONING AND END OF LIFE ASPECTS 16-1

16.1 Introduction 16-1

16.2 General 16-1

16.3 Differing Approaches to Decommissioning 16-2

16.4 Decommissioning Concept 16-3

16.4.1 Stage 1 – Description of Activities 16-4


16.4.2 Stage 2 – Description of Activities 16-4

16.4.3 Stage 3 – Description of Activities 16-4

16.5 Provisions for Safety during Decommissioning 16-5

16.5.1 Inherently Simple Design 16-5

16.5.2 Design Features for Radiation Protection 16-6

16.5.3 Design Features for Protection against the Limitation of Contamination 16-6

16.5.4 Design Features Supporting Decommissioning 16-6

16.6 Decommissioned Site End Point 16-7

16.7 Conclusions 16-7

17.0 CONCLUSION 17-1


ABBREVIATIONS AND ACRONYMS

Abbreviation/Acronym – Full Description
ac – Alternating Current
ACI – American Concrete Institute
ADS – Automatic Depressurisation System
AHU – Air Handling Unit
AISC – American Institute of Steel Construction
AISI – American Iron and Steel Institute
ALARA – As Low As Reasonably Achievable
ALARP – As Low As Reasonably Practicable
ALWR – Advanced Light Water Reactor
ANS – American Nuclear Society
ANSI – American National Standards Institute
AoNB – Areas of Outstanding Natural Beauty
AOV – Air Operated Valve
ASME – American Society of Mechanical Engineers
ASTM – American Society for Testing and Materials
ATWS – Anticipated Transients Without Scram
AWS – American Welding Society
BAT – Best Available Technique
BDS – Steam Generator Blow Down System
BLEVEs – Boiling Liquid Expanding Vapour Explosions
BP – Containment Bypass
BSL – Basic Safety Level
BSO – Basic Safety Objective
BTP – Branch Technical Position
CAS – Compressed and Instrument Air System
CASS – Cast Austenitic Stainless Steel
CCA – Civil Contingencies Act
CCS – Component Cooling Water System
CDF – Core Damage Frequency
CDM – Construction (Design and Management)
CDS – Condensate System
CES – Condenser Tube Cleaning System
CFE – Containment Failure Early
CFI – Containment Failure Intermediate
CFL – Containment Failure Late
CFR – Code of Federal Regulation
CFS – (Turbine Island) Chemical Feed System
CGA – Compressed Gas Association
CI – Release Category
CIF – Containment Isolation Failure
CIPS – Crud-induced Power Shift
CMS – Condenser Air Removal System
CMT – Core Make-up Tank
COMAH – Control of Major Accident Hazards
CPS – Condensate Polishing System
CRDM – Control Rod Drive Mechanism


CSA – Control Support Area
CSM – Conceptual Site Model
CVS – Chemical and Volume Control System
CWS – Circulating Water System
DAC – Design Acceptance Confirmation
DAS – Diverse Actuation System
DBA – Design Basis Accident
DBE – Design Basis Event
DBT – Design Basis Threat
dc – Direct Current
DCD – Design Control Document
DDS – Data Display and Processing System
DECC – Department of Energy and Climate Change
Defra – Department for Environment, Food and Rural Affairs
DG – Diesel Generator
DNB – Departure from Nucleate Boiling
DOE – Department of Energy
DOS – Standby Diesel and Auxiliary Boiler Fuel System
D-RAP – Design Reliability Assurance Programme
DTS – Demineralised Water Treatment System
DWS – Demineralised Water Transfer and Storage System
EA – Environment Agency
ECS – Main ac Power System
EDS – Non-Class 1E dc and Uninterruptible Power Supply System
EFS – Communication System
EIA – Environmental Impact Assessment
EIDAR – Environmental Impact for Decommissioning Regulations
EMIT – Examination, Maintenance Inspection and Testing
EP – Environmental Permitting Regulations
EPRI – Electric Power Research Institute
EQS – Environmental Quality Standards
ESF – Engineered Safety Feature
EUR – European Utility Requirements
FHA – Fire Hazard Analysis
FHM – Fuel Handling Machine
FHS – Fuel Handling and Refuelling System
FMEA – Failure Mode and Effects Analyses
FPS – Fire Protection System
FSDs – Functional Support Diagrams
FWS – Main and Start-up Feedwater System
GDA – Generic Design Assessment
GDC – General Design Criteria
GRCA – Gray Rod Cluster Assembly
GRP – Glass Reinforced Plastic
GSS – Gland Seal System
HCS – Generator Hydrogen and CO2 System
HDS – Heater Drain System

HEPA: High Efficiency Particulate Air
HFE: Human Factors Engineering
HHISO: Half Height ISO (Containers)
HLW: High Level Waste
HSE: Health and Safety Executive
HSI: Human System Interface
HVAC: Heating, Ventilation and Air Conditioning
I&C: Instrumentation and Control
IAEA: International Atomic Energy Agency
IC: Intact Containment
ICRP: International Commission on Radiological Protection
IDS: Class 1E dc and Uninterruptible Power Supply System
IEC: International Electrotechnical Commission
IEEE: Institute of Electrical and Electronics Engineers
IIS: In-core Instrumentation System
ILW: Intermediate Level Waste
IMS: Integrated Management System
INPO: Institute of Nuclear Power Operations
IoF: Incredibility of Failure
IRWST: In-containment Refuelling Water Storage Tank
ISA: Instrument Society of America
ISLOCAs: Inter-system Loss-of-coolant Accidents
ITAAC: Inspection, Tests, Analyses and Acceptance Criteria
IVR: In Vessel Retention
IWS: Integrated Waste Strategy
kPa: kilo-Pascal
KSFs: Key Safety Functions
LCO: Limiting Conditions of Operation
LCSR: Lifecycle Safety Report
LBB: Leak Before Break
LLW: Low Level Waste
LOCA: Loss of Coolant Accident
LOOP: Loss of Offsite Power
LoTOP: Low Temperature Overpressure Protection
LOS: Main Turbine and Generator Lube Oil System
LRF: Large Release Frequency
LWR: Light Water Reactor
MAAP: Modular Accident Analysis Programme
MCR: Main Control Room
MHS: Mechanical Handling System
MOV: Motor-Operated Valve
MPa: Mega-Pascal
MSIV: Main Steam Isolation Valve
MSLB: Main Steam Line Break
MSR: Moisture Separator Reheater
MSS: Main Steam System
MSSV: Main Steam Safety Valve
MTS: Main Turbine System

MW: Mega-Watt
NACE: National Association of Corrosion Engineers
NCIG: National Construction Issues Group
ND: Nuclear Directorate
NDA: Nuclear Decommissioning Authority
NDE: Non-Destructive Examination
NEMA: National Electrical Manufacturers Association
NFPA: National Fire Protection Association
NEPLG: Nuclear Emergency Planning Liaison Group
NII: Nuclear Installations Inspectorate
NPP: Nuclear Power Plant
Nuclear NPS: Nuclear National Policy Statement
NRC: Nuclear Regulatory Commission
NS: Non Seismic
NSD: Nuclear Safety Directorate
NSSS: Nuclear Steam Supply System
OBE: Operating Basis Earthquake
OCS: Operation and Control Centre System
ORE: Occupational Radiation Exposure
OSR: Operational Safety Report
PABX: Private Automatic Branch Exchange
PCCAWST: Passive Containment Cooling Ancillary Water Storage Tank
PCCWST: Passive Containment Cooling Water Storage Tank
PCmSR: Pre-Commissioning Safety Report
PCS: Passive Containment Cooling System
PCSR: Pre-Construction Safety Report
PCT: Peak Clad Temperature
PGS: Plant Gas System
PIE: Postulated Initiating Event
PLS: Plant Control System
PMS: Protection and Safety Monitoring System
POSR: Pre-Operational Safety Report
PPC: Pollution Prevention and Control
PRA: Probabilistic Risk Assessment
PRHR: Passive Residual Heat Removal
PRHR HX: Passive Residual Heat Removal Heat Exchanger
PSF: Performance Shaping Factor
PSS: Primary Sampling System
PVC: Polyethylene/Polypropylene/Polyvinylchloride
PWR: Pressurised Water Reactor
PWS: Potable Water System
PXS: Passive Core Cooling System
QA: Quality Assurance
QMS: Quality Management System
RCCA: Rod Cluster Control Assembly
RCDT: Reactor Coolant Drain Tank
RCS: Reactor Coolant System

REPPIR: Radiation Emergency Preparedness and Public Information Regulations
RM: Refuelling Machine
RMS: Radiation Monitoring System
RNS: Normal Residual Heat Removal System
RSA: Radioactive Substances Act
RTD: Resistance Temperature Detector
RWMC: Radioactive Waste Management Case
RWS: Raw Water System
RXS: Reactor System
SAC: Special Areas of Conservation
SAMDA: Severe Accident Mitigation Design Alternatives
SAP: Safety Assessment Principle
SDS: Sanitary Drainage System
SEA: Strategic Environmental Assessment
SES: Plant Security System
SFP: Spent Fuel Pool
SFRs: Safety Functional Requirements
SFS: Spent Fuel Pool Cooling System
SGI: Safeguards Information
SGS: Steam Generator System
SGTR: Steam Generator Tube Rupture
SJS: Seismic Monitoring System
SMS: Special Monitoring System
SOER: Significant Operating Event Report
SPA: Special Protection Area
SPR: Source-Pathway-Receptor
SQEP: Suitably Qualified and Experienced Personnel
SRP: Standard Review Plan
SSA: Strategic Siting Assessment
SSC: Systems, Structures and Components
SSE: Safe Shutdown Earthquake
SSS: Secondary Sampling System
SSSI: Sites of Special Scientific Interest
Sv: Sievert
SWMP: Site Waste Management Plan
SWS: Service Water System
TCS: Turbine Building Closed Cooling Water System
Tech-Specs: Technical Specifications
THERP: Technique for Human Error Rate Prediction
TOS: Main Turbine Control and Diagnostic System
TSC: Technical Support Centre
TSP: Trisodium Phosphate
UK: United Kingdom
UKAEA: United Kingdom Atomic Energy Authority
UL: Underwriters Laboratories
UPS: Uninterruptible Power Supplies
URD: Utility Requirements Document
US: United States

VAS: Radiologically Controlled Area Ventilation System
VBS: Nuclear Island Non-Radioactive Ventilation System
VCS: Containment Recirculation Cooling System
VDU: Visual Display Units
VES: Main Control Room Emergency Habitability System
VFS: Containment Air Filtration System
VHS: Health Physics and Hot Machine Shop HVAC System
VLS: Containment Hydrogen Control System
VRS: Radwaste Building HVAC System
VTS: Turbine Building Ventilation System
VUS: Containment Leak Rate Test System
VWS: Central Chilled Water System
VXS: Annex / Auxiliary Buildings Non-Radioactive HVAC System
VYS: Hot Water Heating System
VZS: Diesel Generator Building Heating and Ventilation System
WEC: Westinghouse Electric Company
WENRA: West European Nuclear Regulators Association
WGS: Gaseous Radwaste System
WIN: Westinghouse Integral Nozzle
WLS: Liquid Radwaste System
WOG: Westinghouse Owners Group
WRS: Radioactive Waste Drain System
WSS: Solid Radwaste System
WWS: Waste Water System
ZAS: Main Generation System
ZBS: Transmission Switchyard and Offsite Power System
ZOS: Onsite Standby Power System
ZVS: Excitation and Voltage Regulation System

CHAPTER 1: INTRODUCTION

1.0 INTRODUCTION

This chapter introduces the generic design assessment (GDA) process being undertaken by the United Kingdom (UK) regulators and describes the overall purpose and scope of this generic pre-construction safety report (PCSR), its development, and its interface with the GDA. The structure of the safety case presented in the PCSR is described together with how it relates to the supporting documents. The process to ensure the quality of the PCSR during its production is also described.

The PCSR is a live document and explains the expected development of the safety case through the stages towards operation.

1.1 Purpose of the Safety Report

1.1.1 Background of the Generic Design Assessment Process

The new UK document, Meeting the Energy Challenge, A White Paper on Energy, DTI (Reference 1.1), includes the provision of nuclear power reactors to meet the UK’s energy needs. A generic design assessment (GDA) process has been established to assess the safety, security, and environmental implications of a reactor design before an application is made for permission to build at a particular site (New Nuclear Power Stations, Generic Design Assessment, A Guide to the Regulatory Process, Reference 1.2). This provides a coordinated approach by all of the regulators, principally the Health and Safety Executive (HSE) Nuclear Directorate (ND), Nuclear Installations Inspectorate (NII), and the Environment Agency (EA), for the pre-licensing / pre-authorisation phase. For the NII, this has been developed into a two-phase licensing process: Phase 1, Generic Design Assessment (GDA), and Phase 2, Nuclear Site Licensing (Reference 1.2).

• Phase 1 is the NII assessment of the safety case for a generic design, leading to the issue of a design acceptance confirmation (DAC) if the outcome is positive.

• Phase 2 is the NII assessment of the application for a Nuclear Site Licence and therefore is site, reactor design and operator specific.

Westinghouse is a requesting party in the GDA process as it seeks design acceptance confirmation from the NII and EA for its AP1000 Standard Design.

The NII grants site licences to the operators of nuclear power stations. Applicants must satisfy the NII about the safety aspects of the design, manufacture, construction, commissioning, operation, maintenance, and decommissioning of the installation, and the management of the radioactive waste on the site, before a licence is granted. The NII operates a permissioning approach to regulation of nuclear power in the UK. To obtain the GDA DAC, the requesting party is required to demonstrate safety through the definition of its own design and safety principles, through which they prove that the plant and its operation are safe and conform to the principle that risk is as low as reasonably practicable (ALARP).

The EA (in England and Wales) has a role in the regulation of licensed nuclear sites alongside the NII. The EA role is to ensure protection of the environment, primarily through regulation of all disposal of radioactive waste on nuclear licensed sites; this includes authorised discharges to air and water and management/disposal of solid wastes.

The Office for Civil Nuclear Security (OCNS) is the security regulator for the UK’s civil nuclear industry. Its role is to ensure that the vendor’s site conceptual security plan meets UK standards and requirements.

1.1.2 Structure of the Generic Design Assessment Process

The GDA process has four steps:

• Step 1 is the preparatory design assessment process, which involves discussions between the NII and EA with the requesting party, to establish a full understanding of the requirements and processes that will be applied.

• Step 2 is a review of the fundamental acceptability of the proposed reactor design concept within the UK regulatory regime, to identify any fundamental design aspects or safety shortfalls that could prevent the proposed design from being licensed in the UK.

• Step 3 requires the requesting party to provide a detailed generic PCSR for the NII, and an environment report for the EA, to review the safety and environment aspects of the proposed reactor design. The general intention is to move from the fundamentals of the previous step to an analysis of the design, primarily by examination at the system level and by analysis of the requesting party’s supporting arguments.

• Step 4 is an in-depth assessment by the NII and EA of the safety case and generic site envelope submitted. The general intention of this step is to move from the system-level assessment of Step 3 to a fully detailed examination of the evidence, on a sampling basis, given by the safety analyses. The aim of this step is to:

- Confirm that the higher-level claims, such as system functionality, are properly justified.

- Complete a sufficiently detailed assessment to allow the NII and EA to come to a judgment whether or not a DAC can be issued.

1.1.3 Purpose of the Pre-Construction Safety Report in GDA

The aim of this generic PCSR is to demonstrate to the NII, EA, and the potential operating organisations, prior to beginning construction of the plant, that an AP1000 built on the generic UK site can make and satisfy claims as to its safety.

This document provides a detailed generic AP1000 PCSR for use in the commencement of Step 4 of GDA. Previous issues of the generic PCSR supported GDA Step 3. The principal development in this issue is the expression of the safety case in a clearer claims-argument-evidence structure. It is expected that a final issue of the generic PCSR will be produced to coincide with the end of Step 4, encapsulating all of the safety claims, arguments and evidence needed to support the DAC.

1.2 Development of the AP1000 Safety Report

1.2.1 AP1000 Design Basis

The AP1000 design is the result of taking proven designs and design concepts and applying them to a defined set of functional requirements in the most simple, effective way practicable.

The design is founded upon rigorously holding to a few inviolate principles:

• No ac power (other than that converted from the appropriately justified dc batteries) would be required to perform any safety function. This includes performing the following:

- Stopping the nuclear reaction

- Removing decay heat

- Maintaining the reactor coolant water inventory

It also includes maintaining other safety functions such as: spent fuel pool cooling, main control room habitability, and beyond-design-basis security related mitigation features.

• Maintain the fission product barriers of the fuel clad, the reactor vessel and coolant system, and the containment vessel. The fuel clad is maintained by transferring decay heat out of the core using natural, unpumped mechanisms such as natural circulation, evaporation, conduction, convection, and condensation. The containment vessel is the final barrier against radioactive releases to the environment.

• Minimize core damage frequency and large release frequency as calculated by a robust probabilistic risk assessment (PRA), by designing out failure modes in lieu of designing in mitigation features.

This approach ultimately results in a plant design that is safe, because it has the design objectives of lowest hazard and risk to the operators and the public. Additional design objectives for the AP1000 are to provide a greatly simplified plant with respect to design, licensing, construction, operation, inspection, and maintenance.

Fault conditions can challenge the safety of plant personnel and the public if they result in loss of control of core reactivity, loss of control of core heat removal, uncontrolled dispersion of radioactive material, or uncontrolled radiation doses. The AP1000 design addresses these challenges as follows:

• Control of core reactivity is maintained by control rods, which drop into the core upon receipt of a signal from one of several diverse monitoring and actuation systems, or loss of power. Any water subsequently added to the core to control heat removal contains boron, which maintains the low levels of reactivity.

• Removal of heat from the core is controlled by one of a range of plant duty systems if ac power is available; or by automatically actuated passive safety systems, which are qualified against environmental conditions and hazard challenges within the design basis. These passive safety systems can be maintained without operator intervention for at least 72 hours.

• The uncontrolled dispersion of radioactive material or uncontrolled exposure of personnel or the public to radiation is prevented by the integrity of the containment vessel, which is maintained for fault conditions within the design basis and identified severe accident scenarios.

• Spent fuel stored on site is also a potential radiological hazard. Its reactivity is controlled by its location in an appropriately configured, qualified, and protected storage rack. The potential for radiological consequences to arise from fuel overheating, damage, or loss of shielding as a result of a fault condition is addressed by the presence of make-up systems capable of providing additional water for cooling and shielding over the substantial grace times available.

• Other radiological material on site that could represent a radiological hazard in a fault condition is stored or transported in appropriately qualified containers.

• Challenges to plant safety that could arise from internal or external hazards (i.e., those hazards that could arise inside or outside the site boundary, respectively) would be withstood by plant systems and structures to the extent that safety systems can maintain control of reactivity, core heat removal, radioactive material dispersion, and radiological dose at all times.

1.2.2 UK Regulatory Regime

The NII operates a permissioning approach to regulation of nuclear power in the UK compared with the prescriptive approach in the US. The responsibility lies with the operator (licensee) to demonstrate that he is operating his site safely in compliance with the 36 Site Licence Conditions. These conditions cover a range of requirements, which are designed to ensure that the plant is operated in a safe and forward looking manner.

The Site Licence conditions set requirements on the management arrangements, which includes the level of qualification and experience of the operator organisation to confirm that they are an intelligent operator.

It is up to the potential vendor/licensee to demonstrate that the proposed nuclear power plant is adequately safe by the use of claims-arguments-evidence structure, and it is the role of the AP1000 safety report to present the safety case.

1.2.3 AP1000 Safety Report

A documented safety case needs to be produced to present the claims, arguments, and evidence that the plant or facility is safe to undertake its scope of operation throughout its required life. A safety case is the totality of documented information and arguments that substantiates the safety of the plant, activity, operation, or modification in question. It provides a written demonstration that relevant standards have been met and that risks have been reduced ALARP. The safety case for the plant should be a living document, which is subject to review, change, and amendment as time proceeds.

A safety case applies during all stages of the life of the nuclear plant, from conception through to disposal. However, there are a number of key stages in the life cycle that require special consideration. The safety case should demonstrate safety before beginning each stage, and should contain enough detail to give confidence that the safety intent will be achieved in subsequent stages. This staged approach supports the application of a hold point control process within a safety permissioning regime.

It is important that the safety case is kept up to date throughout the life of the plant. As time progresses, there can be a number of reasons why the safety case may require updating:

• Modifications may be made to the plant equipment.

• Modifications may be made to how the plant is operated.

• Emergent issues may occur that question/undermine the basis of the case.

• Enhanced understanding and knowledge may be gained.

• Experience of plant operation may provide a revised understanding of the plant.

A process will be applied to identify any issues that change the basis of the safety case. The process will also categorise the safety impact of the change, make sure appropriate remedial action is taken if required, and manage the update to the safety case. These changes will become the responsibility of the future site operator and licensee, who will process these changes in accordance with his own procedures. These will need to conform with the Nuclear Site Licence, in particular Condition 22.

The initial stage of the AP1000 programme in the UK will be vendor-led, and as such will be generic. Operating utilities will then take over responsibility for developing the safety case for each of their respective plants; at this stage, each safety case will become site specific. Thus, it is anticipated that the AP1000 programme in the UK will require a safety case at the following stages:

• Generic PCSR

• Site specific PCSR

• Site specific pre-commissioning safety report (PCmSR)

• Site specific pre-operational safety report (POSR)

• Site specific operational safety report (OSR)

This generic PCSR provides the basis for a ‘living’ safety case, which will be developed further as various supporting activities are completed.

The aim of this generic PCSR is to demonstrate to the regulators and the potential operating organisations, prior to beginning construction of the plant, that an AP1000 built on a generic UK site can make and satisfy the claims as to its safety.

The site-specific PCSR must demonstrate to the regulators that potential operating organisations can make and satisfy various claims as to safety prior to beginning construction of an AP1000 built on a specific UK site. The generic safety arguments have already been made in this report; the site-specific PCSR will be particularly developed to cover aspects such as effect of local conditions, site-specific risk evaluation and emergency provisions, and site-specific environmental impact.

The pre-commissioning safety report (PCmSR) provides confidence that the as-built plant meets the design definition and can be released for commissioning.

The pre-operational safety report (POSR) provides confidence that the as-built and commissioned plant meets the safety requirements and can be released for operation.

The operational safety report (OSR) provides the demonstration that the plant is safe throughout its operation for a defined period.

The safety report remains live during a defined period. Under the Site Licence Conditions, the licensee is required to implement adequate arrangements for the periodic and systematic review and assessment of the safety case. The purpose of this is to make sure that each plant remains adequately safe, and that its safety case is kept up-to-date throughout its life. This review is known as the periodic safety review, which sets out to determine, by means of comprehensive assessment, whether the plant, its processes, the management arrangements and operations covered by the extant safety case remain as safe as reasonably practicable when judged against modern standards. It also confirms that ageing and other time-related phenomena will not compromise safety, particularly before the next review period. It takes account of experience from operating the plant or from operating other nuclear plants elsewhere. The report also assesses any changes that have been necessary, and confirms that the safety case is still valid. Periodic safety reviews must be undertaken at time intervals throughout the plant life agreed with the regulator.

1.3 GDA Documentation Structure and Interfaces

This generic PCSR is the top-tier document within the safety submission: the suite of documents that have been produced for the GDA of the AP1000, which collectively justify the safety, security, and environmental impact of the AP1000 in a UK context.

The AP1000 GDA document structure and its general alignment with the claims-arguments-evidence structure is shown in Figure 1.1.

Figure 1.1 AP1000 Generic Design Assessment Document Structure

In general, the PCSR sets out the overarching claims and links the arguments to the specific topic reports. The central document for the delivery of evidence is the WEC EPS-GW-GL-700, AP1000 European Design Control Document (EDCD) (Reference 1.11), supported by related detailed technical documentation. Because the design and its regulatory review originated in the US, the original EDCD and related documentation present the information from the viewpoint of the US regulatory approach. To avoid extensive rewriting of the US documentation for UK application, the PCSR and the UK-specific topical reports provide the route into the demonstration of safety as expected under the UK regulatory system.

The elements of the submission, their scope, and their principal interfaces with the PCSR are discussed further in the following sub-sections.

1.3.1 AP1000 Generic PCSR

The AP1000 safety case is based on a claims-arguments-evidence structure. The claims for the safety case are derived from the overall safety goals for nuclear power plants and the expectations of the UK regulatory regime. This generic PCSR is a coordinating document that presents the overarching claims and arguments of the safety case with a summary of the evidence to show how the claims and arguments are met. In specific areas, topic documents have been produced to further detail the claims, arguments, and evidence. In the majority of cases, the evidence supporting the safety case is contained in the EDCD (Reference 1.11), which summarises the extensive technical supporting documentation. The evidence in the EDCD has been through a design control process to ensure it is based on supportable grounds (see EDCD Section 1.5). The EDCD has been supplemented in a number of areas to address the environmental aspects of claims for the AP1000; this supporting information is contained in the WEC UKP-GW-GL-790, UK AP1000 Environment Report, December 2009 (Reference 1.12).

A PCSR provides confirmation that the detailed design of the plant is fit for purpose and can be adopted for construction (subject to any site specific issues). The main objective of this generic PCSR is to satisfy the regulators and the potential operating organisations that the generic design, built on a generic UK site, is acceptably safe in accordance with UK legal requirements and relevant good practice. UK numerical targets and legal limits encompass specific targets for radiological dose and risk, and the demonstration that risk from all conceivable faults is as low as reasonably practicable (ALARP). It must also be demonstrated that all safety case outputs, with regard to activities required to substantiate plant performance and manage systems, structures, and components and processes through life, have been captured and a suitable management framework can be put in place. It must also be demonstrated that the discharges and disposals through life to the environment are minimised and safely conducted.

The AP1000 generic PCSR is the head safety case document within the GDA, and as such, provides the overarching claims and arguments that the design is safe throughout plant life, referencing the appropriate supporting evidence. The overarching nuclear safety claims made in this PCSR are presented below.

• The AP1000 is designed to operate in a safe manner throughout its lifecycle.

The lifecycle of the plant includes construction, commissioning, operation, maintenance, refueling, and decommissioning. It includes all modes of operation, including power operation and shutdown. It also includes discharges and waste disposal.

• The AP1000 systems, structures, and components are designed to maintain the plant within prescribed safety limits for postulated fault conditions.

The postulated fault conditions are defined in a fault schedule, and the engineering safety features are demonstrated to limit core damage and release of radioactive material within the safety limits defined.

• The AP1000 risks have been reduced to ALARP.

The dose and risk associated with the operation of the AP1000 are assessed to demonstrate that the design has reduced them to ALARP.

The three claims cover the safety case for the AP1000 because they cover the possible plant conditions over the plant lifetime and the impact of the plant on the operators, the public, and the environment.

1.3.2 Topic Reports Supporting the AP1000 Safety Case

Supporting the PCSR, specific topic reports have been developed to address particular demonstration/description requirements.

• The AP1000 Plant Life Cycle Safety Report (LCSR) (Reference 1.3) describes the management arrangements and philosophies of safety and quality that will be applied throughout the lifecycle of UK application of the AP1000. This includes knowledge transfer between vendor and utility, management arrangements associated with construction, commissioning, operation and decommissioning, and health and safety arrangements for installation, construction, and commissioning.

The PCSR is aligned with the arrangements discussed in the LCSR, in its discussion of how the plant is managed in accordance with the safety case.

• The WEC UKP-GW-GLR-003 Rev. 0, AP1000 Fault Schedule for the United Kingdom (Reference 1.4) identifies credible initiating events within the AP1000 design basis (together with the large loss of coolant accident, which is outside the design basis), and shows that safety measures are in place to provide adequate protection.

The PCSR uses the initiating events identified and the analyses of fault sequence development as the basis for the design basis assessment (DBA) presented in Chapter 5 of this report.

• The WEC UKP-GW-GLR-001, AP1000 Internal Hazards Topic Report (Reference 1.5) identifies the claims, arguments, and evidence associated with the plant response to credible internal hazards (i.e., those hazards originating within the site boundary).

This information is drawn upon in the PCSR to show that the DBA addresses all potential initiating events that could result from internal hazards, and that all claims that demonstrate the AP1000 to be adequately protected against the effects of internal hazards have been identified and substantiated.

• The WEC UKP-GW-GL-043, AP1000 External Hazards Topic Report (Reference 1.6) identifies the claims, arguments, and evidence associated with the plant response to credible external hazards (i.e., those hazards originating beyond the site boundary).

This information is drawn upon in the PCSR to show that the DBA has considered all potential initiating events that could result from external hazards, and that all claims that demonstrate the AP1000 to be adequately protected against the effects of external hazards have been identified and substantiated.

• The WEC UKP-GW-GL-044, AP1000 Safety Categorisation and Classification (Reference 1.7) uses a consistent process to identify the importance to nuclear safety of all AP1000 systems, structures, and components (SSC), and assigns Safety Classes to each SSC accordingly. Codes and standards associated with the substantiation, construction and through life management of SSCs are identified for each Safety Class. This document is supported by Westinghouse technical documentation, providing further detail relating to the classification of component structural integrity and control and instrumentation.

The PCSR uses this information to demonstrate that SSCs are appropriately robust in accordance with their importance to nuclear safety.

• The WEC UKP-GW-GL-736, Safe Operating Envelope and Operating Regime that Maintains Integrity of Envelope (Reference 1.8) describes the principles behind development of the safe operating envelope and how this information has been used to support the design basis assessment and plant technical specifications.

This information underpins the design basis assessment presented in the PCSR and the linkage between the output of this assessment and the plant through life management requirements.

• WEC APP-GW-GER-005, Safe and Simple: the Genesis and Process of the AP1000 Design (Reference 1.9) describes the evolution of the AP1000 design, identifying input from utilities and relevant good practice in its development.

This report is a key reference in the demonstration that risk associated with operation of the AP1000 is as low as reasonably practicable (ALARP), which is presented in Chapter 8 of this PCSR.

• The WEC UKP-GW-GL-045, AP1000 Equivalence/Maturity Study of the US Codes and Standards (Reference 1.10) reviews those codes and standards underpinning safety significant aspects of plant design and substantiation, to confirm that they represent, or are equivalent to, relevant good practice in the UK.

This review underpins the choice of codes and standards for the safety classes that are defined for the AP1000 in the UK, and demonstrates, in support of the ALARP assessment in the PCSR, that relevant good practice has been used in plant design.

Additional reports are also in production for the AP1000. These will provide further support to the PCSR as follows.

• The AP1000 Human Factors Topic Report will identify the claims made on operators with regard to actions of significance to plant safety.

• The AP1000 Electrical System Topic Report will identify key claims and standards associated with the transfer of the current 60 Hz design based on US standards to the UK.

• AP1000 spent fuel handling is being evaluated in a series of separate studies that will present a detailed safety assessment of the processes and equipment associated with spent fuel handling for the AP1000, identifying claims, arguments and evidence that demonstrate them to be adequately safe.

1.3.3 Supporting Technical Documentation to the AP1000 Safety Case

The EDCD (Reference 1.11) provides a full description of the AP1000 design, analysis associated with its response to fault conditions, risk evaluation and design control processes for application throughout plant life. The EDCD is also supported by a range of licensing documents providing additional information relating to design definition and analysis. The information in the EDCD and supporting licensing documents is used extensively in the PCSR and its supporting documents to underpin the nuclear safety claims made on systems, structures, and components.

The role of the EDCD is to define the design in sufficient detail to enable the safety of that design to be reviewed by the regulators, and to provide a basis to control any design changes made to the plant as the design is developed, in response to regulator or operator requirements. Detailed aspects of the design reside in the technical supporting documentation. Document control procedures are in place for any changes in the supporting documentation to be incorporated in the EDCD.

To support the concept of a standardised plant that is built in a number of countries, the EDCD has retained the format and content that support the US licensing approach. It provides a focus on the technical issues of the AP1000, including system description, safety functions, safety demonstration, and safety analysis.

The EDCD and its supporting licensing documents are themselves also underpinned by a range of design documentation, which includes, but is not limited to:

• System specification documents

• Functional specifications

• Containment specification document

• Control and protection system functional requirements

• Core design documentation

• Chemistry specification

• Nuclear steam supply system (NSSS) structural design interface guidelines

• NSSS design transients

• Radiation analysis manual

• Fluid systems safeguards data

• General arrangement drawings

• Piping and instrumentation diagrams

• Logic drawings

• Equipment outline drawings

• General assembly drawings

• Concrete outline drawings

• Steel framing drawings

• Electrical system drawings

The Environment Report (Reference 1.12) describes those elements of the AP1000 design that could directly impact a generic UK site. The Environment Report itself is supported by several technical reports, including the AP1000 Disposability Assessment, UKP-GW-GL-012 (Reference 1.13), and the AP1000 Integrated Waste Strategy (Reference 1.14). Information from the Environment Report is used to underpin those claims in the PCSR that refer to the management of environmental impact and radioactive waste disposal.

1.4 Generic PCSR: Structure and Content

It should also be noted that the current structure of the generic PCSR has been developed to draw upon, and be aligned with, IAEA best practice, and calls on generic US design and safety information where appropriate. In subsequent plant safety reports that are specific to deployment of the AP1000 on UK sites, the structure may be revised to suit specific safety purposes.

The structure of the report serves the overarching nuclear safety claims as follows:

• The AP1000 is designed to operate in a safe manner throughout its lifecycle.

o Chapter 2 presents a general description of the AP1000 plant and site.

o Chapter 3 assesses AP1000 generic site parameters and associated plant design bases relative to UK site parameters.

o Chapter 4 identifies the safety functions to be maintained by plant SSCs during normal operation.

o Chapter 4 presents the processes in place to make sure that the codes, standards and qualifications associated with SSC design and operation are appropriate to their importance to safety.

o Chapter 6 identifies and substantiates the design requirements for plant systems that ensure safety functions are maintained during normal operations.

o Chapter 7 identifies and substantiates the design requirements for civil works and structures that ensure safety functions are maintained during normal operations.

• The AP1000 systems, structures, and components are designed to maintain the plant within prescribed safety limits for postulated fault conditions.

o Chapter 5 (supported by the AP1000 Fault Schedule) identifies the safety functions to be maintained by plant SSCs during fault conditions.

o Chapter 5 shows how plant design and engineered safety features ensure that the plant can be maintained within safety limits for all postulated Design Basis fault conditions.

o Chapter 5 shows that the risks associated with all postulated fault conditions meet relevant UK legal and regulatory targets.

o Chapter 6 identifies and substantiates the design requirements for plant systems that ensure safety functions are maintained during fault conditions.

o Chapter 7 identifies and substantiates the design requirements for civil works and structures that ensure safety functions are maintained during fault conditions.

• The AP1000 risks have been reduced to as low as reasonably practicable (ALARP).

o Chapter 8 presents the ALARP argument for the AP1000 design, which shows that:

- The plant meets operational dose and accident risk criteria.

- The plant has followed relevant good practice in design.

- The basic design has been enhanced by consideration of probabilistic risk assessment (PRA).

- Principal design decisions taken during design evolution are ALARP.

- Other potential design enhancements would not be ALARP.

All three claims are also underpinned by appropriate safety management, which will apply throughout the lifecycle of the AP1000 and is described in Chapters 9 to 16 of the PCSR as follows:

• Chapter 9 presents a high level summary of safety management issues across the plant lifecycle.

• Chapter 10 shows that plant construction verification and commissioning will confirm that the plant as built is in accordance with the safety case, and is safe to operate. The material in this chapter will be subject to significant development in the site specific safety reports, particularly the pre-commissioning safety report, to follow.

• Chapter 11 identifies how the safety case will be reflected in the operational management of the plant. The material in this chapter will be subject to significant development in the site specific safety reports, particularly the pre-operational safety report, to follow.

• Chapter 12 presents the processes for normal operational dose assessment and radiation protection programme design features.

• Chapter 13 provides information on the emergency preparedness facilities and the required emergency arrangements that they support. The material in this chapter will be subject to significant development in the site specific safety reports to follow.

• Chapter 14 presents the impact of radioactive discharges, the potential for accidents to impact the environment, and the monitoring of the environment.

• Chapter 15 presents the proposal for the management of solid, liquid, and gaseous radioactive waste.

• Chapter 16 presents the strategy for safe decommissioning of the AP1000.

1.5 Quality Assurance Process followed during the Production of the Generic Pre-Construction Safety Report

1.5.1 Stakeholders in the PCSR

1.5.1.1 Westinghouse

Westinghouse is the AP1000 reactor vendor organisation and a requesting party in the GDA process. It has developed and proved the AP1000 design. It is responsible for the supporting evidence for the safety case claims, with all documentation being produced under its internal quality assurance procedures. Westinghouse is responsible for producing this generic PCSR.

1.5.1.2 The Utilities

Several nuclear operating organisations have expressed an interest in deploying the AP1000 design in the UK. They have been consulted during the production of the generic PCSR, as ultimately each of them that decides to proceed with building an AP1000 would have to develop it into a site-specific PCSR.

1.5.1.3 The Nuclear Installations Inspectorate

The PCSR is structured to enable a logical presentation of the safety claims and arguments which, together with the supporting references, ensure that safety has been delivered within the AP1000 design. The NII will use this to guide its assessors in ensuring that these arguments are complete and valid and meet accepted industry standards, and in verifying by sampling that evidence exists to support these arguments.

1.5.1.4 Environment Agency

The role of the EA is to evaluate the environmental case to ensure that best practices have been used in the design and that the plant will be built, operated, and decommissioned in a manner compatible with the environment. The prime document in support of the EA is the Environment Report (Reference 1.12). The PCSR supports the case that the environmental impact due to the AP1000 has been minimised by the utilisation of appropriate and adequate design measures.

1.5.2 Quality Assurance associated with Westinghouse Design and Technical Information

Work performed by Westinghouse related to the GDA of the AP1000 in the UK is performed in accordance with the Westinghouse quality management system (QMS). The QMS has been developed to comply with the regulatory, industry, and customer quality requirements imposed by customers or regulatory agencies on Westinghouse worldwide operations. The QMS describes the Westinghouse commitments to the quality assurance requirements of ISO 9001, ISO 9003, 10 CFR 50, ASME NQA-1 and IAEA 50-C-QA.

The nuclear power plant (NPP) organisation within Westinghouse is chartered to direct the operations of all new nuclear plant projects. The NPP organisation establishes and maintains a quality programme in accordance with the QMS, and is responsible for interface control among Westinghouse design organisations participating in a given project. NPP has produced WEC UKP-GW-GL-045, Project Quality Plan for the UK Generic Design Assessment (Reference 1.15), which presents the organisation and procedures used to control quality for the GDA process.

Design control is a key aspect of this. Specific design control responsibilities of the project are:

• Identifying, documenting, and specifying design interfaces and associated design requirements.

• Controlling all changes to designs and ensuring that all design organisations are supplied with correct and proper design information.

Further information relating to the QMS and the NPP organisation in relation to the AP1000 GDA project is presented in the LCSR.

The EDCD (Reference 1.11) and other licensing documents are subject to the Westinghouse configuration control process. Under this process, any changes to a document must be identified as design change proposals, and classified in accordance with their significance to the overall design. Lower class changes, of limited significance and limited impact, are recorded formally; higher class changes are subject to evaluation by a change control board, and all consequential changes to other controlled documents must be identified and verified. This process provides assurance that the information in the EDCD and other licensing documents that is referenced in this PCSR and its supporting technical documents reflects the AP1000 design and is quality assured.

1.5.3 Safety Case Review Process

In addition to being subject to the Westinghouse QMS processes, the AP1000 PCSR and its principal supporting documents have also been reviewed by the potential operating organisations.

1.6 Conclusion

This chapter has explained the requirement for this PCSR and laid out how that intent will be delivered. In doing so, it has outlined the key overarching claims made in this PCSR and set the scene for the arguments supporting these claims to evolve in the following chapters.

REFERENCES

1.1. Meeting the Energy Challenge, A White Paper on Energy, DTI, May 2007.

1.2. New Nuclear Power Stations, Generic Design Assessment, A Guide to the Regulatory Process, Version 2, August 2008.

1.3. WEC, UKP-GW-GL-737, Rev. 1, AP1000 Plant Life Cycle Safety Report (to be issued).

1.4. WEC, UKP-GW-GLR-003, Rev. 0, AP1000 Fault Schedule for the United Kingdom, September 2009.

1.5. WEC, UKP-GW-GLR-001, Rev. 0, AP1000 Internal Hazards Topic Report (to be issued).

1.6. WEC, UKP-GW-GL-043, Rev. 0, AP1000 External Hazards Topic Report, December 2009.

1.7. WEC, UKP-GW-GL-044, Rev. 0, AP1000 Safety Categorisation and Classification, December 2009.

1.8. WEC, UKP-GW-GL-736, Rev. 0, Safe Operating Envelope and Operating Regime that Maintains Integrity of Envelope, November 2008.

1.9. WEC, APP-GW-GER-005, Rev. 1, Safe and Simple: the Genesis and Process of the AP1000 Design, August 2008.

1.10. WEC, UKP-GW-GL-045, Rev. 0, AP1000 Equivalence/Maturity Study of the US Codes and Standards.

1.11. WEC, EPS-GW-GL-700, Rev. 1, AP1000 European Design Control Document, December 2009.

1.12. WEC, UKP-GW-GL-790, Rev. 2, UK AP1000 Environment Report, December 2009.

1.13. WEC, UKP-GW-GL-012, Rev. 0, Generic Design Assessment: Summary of Disposability Assessment for Wastes and Spent Fuel arising from Operation of the Westinghouse Advanced Passive Pressurised Water Reactor (AP1000), September 2009.

1.14. WEC, UKP-GW-GL-054, Rev. 0, AP1000 Integrated Waste Strategy, 2009.

1.15. WEC, UKP-GW-GL-045, Rev. 0, Project Quality Plan for the U.K. Generic Design Assessment, 2008.

CHAPTER 2: GENERAL PLANT DESCRIPTION

2.0 GENERAL PLANT DESCRIPTION

2.1 Introduction

The Westinghouse AP1000 is an advanced and passively safe pressurised water reactor (PWR) with an output capability of 1117 MWe (at nominal site conditions) and an expected service life of 60 years. Its design includes passive safety features not present on the Generation-2 plants in service today, and extensive plant simplifications to enhance nuclear safety and facilitate the construction, operation and decommissioning of the plant. This chapter presents the following information:

• An overview of how the AP1000 evolved from the Generation-2 plants, through the advanced passive AP600 PWR design, into the present AP1000 design.

• The key technical characteristics of the AP1000.

• The layout of the main AP1000 civil structures.

• A summary of the principal enhancements that the AP1000 design has over Generation-2 plants.

2.2 Evolution of the AP1000 Design

Westinghouse has been involved with PWR design since the earliest days of commercial nuclear power, in the 1950s. It has designed and delivered more than 100 commercial nuclear power plants.

In the late 1980s and early 1990s, Westinghouse was involved in the US Advanced Light Water Reactor (ALWR) programme, the purpose of which was to design a new plant with levels of safety significantly improved over the Generation-2 plants, by using the lessons learned from the operating experience garnered over the previous three decades. This effort culminated in the Westinghouse AP600 design, an advanced and passively safe PWR with a nominal electrical output of 600 MW.

When the AP600 received its Design Certification, it was designed and specified to be the safe, simple, economic nuclear power plant on the world market; however, its relatively modest electrical output meant that it was uneconomic compared to natural gas plants, which were the plants of choice in the US at the time. In order to compete against natural gas plant designs, the AP600 needed to lower its cost per megawatt by over 30%. The AP600’s cost per megawatt was already optimised because of its inherent simplicity, and to lessen this cost still further by eliminating any more systems, structures, or components (SSCs) would have lessened its safety margins and increased its risk to the public; this approach was rejected. Instead, it was decided to raise the power level of the design without raising the overall plant price by a proportionate amount, to drive the cost per megawatt down below that of a natural gas plant.

The Westinghouse AP1000 is based closely on the AP600 design, with a significant portion of its design identical to that of the AP600. The following key steps in the design evolution were carried out:

• The nuclear island footprint was maintained by increasing the height of the reactor vessel and of the containment structure, while maintaining their diameters, thereby avoiding the need to repeat most of the structural and seismic analysis already completed.

• The AP600’s large margins to safety limits were maintained.

• The maintenance used for proven components was retained.

• The testing data obtained for the AP600 were shown to be applicable to the AP1000.

• The design impacts on the AP600 Design Control Document were minimised.

• Compliance with the US utilities’ requirements was retained; these requirements correct problems that existed in the currently operating plants and incorporate features that assure a simple, robust and more forgiving design.

A detailed comparison of the two designs is given in Chapter 1.3 of WEC, EPS-GW-GL-700, AP1000 European Design Control Document (EDCD) (Reference 2.1).

2.3 Basic Design and Technical Characteristics

The AP1000 has a well-defined design that has been confirmed through engineering analyses and testing. Some of the key design characteristics of the plant are as follows:

• The plant design objective is 60 years without the planned replacement of the reactor vessel, which itself has a 60-year design objective based on conservative assumptions. The design provides for the replaceability of other major components, including the steam generators.

• There is a net electrical power of 1117 MW (at nominal site conditions) and a thermal power of 3415 MW.

• Refuelling outages can be conducted in 17 days or less.

• The overall plant availability target is greater than 90%, including forced and planned outages; the goal for unplanned reactor trips is less than one per year.

• The plant is designed with significantly fewer components and significantly fewer safety significant components than a current PWR of a comparable size.

• The design of the major components required for power generation such as the steam generators, reactor coolant pumps, fuel, internals, turbine and generator is based on equipment that has successfully operated in power plants. Modifications to these proven designs were based on similar equipment that had successful operating experience in similar or more severe conditions. A comparison with similar plant design is provided in Chapter 1.3 of EDCD (Reference 2.1).

• There are no reactor pressure vessel penetrations below the top of the core. This reduces the possibility of a loss of coolant accident (LOCA) by leakage from the reactor pressure vessel, which could lead to the core being uncovered.

• Major safety systems are passive; they require no operator action for 72 hours after an accident and they maintain core and containment cooling for a protracted time without ac power.

• Seismic assessment is based on 0.3g ground acceleration with a seismic margin assessed to be 0.5g as a minimum. This capability is beyond that required by UK seismic conditions, which generally would require a design basis earthquake of 0.25g, with seismic margins being considered at 0.35g.

• Security is enhanced with safe shutdown equipment located in safety-reinforced concrete nuclear island buildings.

• There is in-vessel retention of core debris following core melt, which significantly reduces the uncertainty in the assessment of containment failure and radioactive release to the environment due to severe accident phenomena.

Technical characteristics of the AP1000 are described in more detail in Section 1.2 of the EDCD (Reference 2.1) and are summarised in Table 2-1 below:

Table 2-1 AP1000 BASIC TECHNICAL CHARACTERISTICS

Parameter | Value
Thermal Power | 3415 MW
Net Electrical Power | 1117 MW (at nominal site conditions)
Core (Fuel Enrichment) | <4.95%
Coolant | Light Water
Number of Tubes per Steam Generator | 10,025
Operating Cycle Length (Time of Operation between Refuelling) | 18 Months
Containment Design Pressure | 0.41 MPa
Containment Design Temperature | 149°C
Cold Leg Temperature | 281°C
Primary Circuit Design Pressure | 17.2 MPa
Primary Circuit Flow Rate | 9.9 m³·s⁻¹
Primary Circuit Design Temperature | 321°C
Main Steam System Design Pressure | 8.3 MPa
Feed Water Flow | 2.3 m³·s⁻¹
Yearly ILW(1) and LLW(2) Produced | 35 Tonnes

Note: (1) Intermediate level waste; (2) Low level waste

2.4 Layout of the Main Civil Structures

2.4.1 Site Characteristics

The AP1000 is a standard plant that is to be placed on a site with parameters bounded by those described in Chapter 2, “Site Characteristics,” of EDCD (Reference 2.1). The site parameters relate to the seismology, hydrology, meteorology, geology, heat sink and other site-related aspects; they are discussed in Chapter 3 of this PCSR.

The AP1000 is designed on the basis that the equipment, modules, structures, and bulk material can be shipped to the site by commercial rail or truck. This does not preclude the shipment of large equipment or structures by barges, should a specific site be accessible by water. An overview of the plant layout is shown in Figure 2.1.

2.4.2 Site Plan

The site plan will be defined in the site specific licensing process. A proposed plan has been provided for site interface purposes. Specific details of the site plan will be covered in the site application.

2.4.3 Plant Arrangement

The plant arrangement consists of the following five principal building structures.

• Nuclear island

• Turbine building

• Annex building

• Diesel generator building

• Radwaste building

The turbine, annex, diesel generator, and radwaste buildings contain no equipment that is essential to nuclear safety, and therefore their hazard-withstand requirement is less onerous than that for the nuclear island.

These building structures are set out such that the turbine building and the other principal buildings are adjacent to the nuclear island so as to meet their functional purpose.

The circulating water pumps circulate the cooling water from the pump basin to the main condenser and back through two supply and return pipes that are below grade (ground level). Supply to the pump basin will depend on the specific site requirements, currently assumed to be sea water cooling, but could include cooling towers.

The transformer area is located immediately adjacent to the turbine building. The unit auxiliary transformers, the reserve auxiliary transformers, and the main step-up transformers are located in the transformer area. The main switchyard area and the rail and road access to the site are site specific.

Figure 2.2 provides a functional representation of the principal systems and components that are located in each of the key AP1000 buildings. This figure identifies major systems and components that are contained in these structures.

2.4.3.1 Nuclear Island

The nuclear island consists of the containment/shield building (composed of a free-standing steel containment vessel and a concrete and steel shield building), and an auxiliary building (which consists of two segregated halves: the radiological auxiliary building and the non-radiological auxiliary building). The foundation for the nuclear island is an integral basemat that supports these buildings. The safety equipment designed to perform accident mitigation functions is located in the nuclear island. The nuclear island is structurally designed to meet seismic requirements, as defined in Section 5.5.3 of US NRC, Regulatory Guide 1.29, Seismic Design Classification (Reference 2.2).

The nuclear island structures are designed to withstand the effects of natural phenomena, such as hurricanes, floods, tornados, tsunamis, and earthquakes, without losing the capability to perform safety functions. Their ability to withstand these various natural phenomena is based on the industry standards described in Chapters 2 and 3 of the EDCD (Reference 2.1).

The nuclear island is also designed to withstand the effects of internal events such as fires and flooding without losing the capability to perform safety functions.

Containment/Shield Building

This building contains the component parts of the primary coolant system, the passive decay heat removal system and the passive containment cooling system. Also present are parts of the normal residual heat removal system and the chemical and volume control system. The reactor pressure vessel holds the bulk of the radioactive material present on site, in the form of the irradiated fuel within it. The principal contents of the containment/shield building are the:

• Reactor pressure vessel.

• Reactor coolant system.

• Pressuriser.

• Two steam generators.

• In-containment refuelling water storage tank (IRWST).

• Two accumulators.

• Two core makeup tanks.

• Automatic depressurisation system valves.

• Passive containment cooling system storage tank and associated valves (these are within the shield building, but outside the containment vessel, with their own dedicated heating, ventilation, and air conditioning (HVAC) system, completely separate from the containment air filtration system).

• Pipes and valves between the reactor coolant system and the normal residual heat removal system.

• Letdown portion of the chemical and volume control system.

• Inside containment isolation valves.

• Maintenance floor.

• Operating deck.

2.4.3.2 Non-Radiological Auxiliary Building

This part of the auxiliary building houses SSCs associated with the auxiliary functions that do not involve radioactive material. The SSCs within this building are as follows:

• Feed and steam mains, the steam isolation valves, the steam blowdown valves, and the steam safety valves.

• Four divisions of the protection and safety monitoring system (PMS), housed within two battery compartments, two electrical equipment rooms and two instrumentation and control (I&C) rooms – one each for divisions A/C and divisions B/D of the protection and monitoring system respectively.

• Main control room.

• Reactor coolant pump trip switchgear.

• Reactor trip switchgear.

• Remote shutdown room.

• Nuclear island ventilation system.

2.4.3.3 Radiological Auxiliary Building

This part of the auxiliary building accommodates those auxiliary functions involved with radioactive material. The SSCs within this building are the following:

• Normal residual heat removal pumps and their heat exchangers.

• Chemical and volume control system makeup pump.

• Containment isolation valve area.

• Spent fuel storage pool and its cooling system, the fuel transfer canal, the cask washdown pit and the cask-loading pit.

• New fuel storage pit and the rail car bay/filter storage area.

• Liquid radwaste system.

• Gaseous radwaste system.

• Solid radwaste system.

• Component cooling water system valves.

• Main control room emergency habitability system air storage cylinders (though these air cylinders are housed in the radiological auxiliary building, they are included within the containment/shield building fire area).

2.4.3.4 Turbine Building

This building houses the main turbine generator and the majority of the conventional plant. The principal items are the:

• Turbine-generator and its auxiliaries

• Main condenser

• Moisture separator reheaters

• Low-pressure feed heater, the deaerator and the high-pressure feed heaters

• Three main feedwater pumps

• Two start-up feedwater pumps

• Switchgear rooms

• Electrical equipment room

• Lube oil storage tanks

• Motor-driven fire pumps

• Air compressors

• Back-up batteries and battery charging equipment

• Condensate chemical dosing equipment

• Various tanks for storing chemicals

• Component cooling water pumps and heat exchangers

• Power supply for each reactor coolant pump’s variable-speed drive

• Secondary sampling system

2.4.3.5 Annex Building

The annex building contains the following equipment:

• Demineralised water deoxygenating equipment.

• Boric acid batching equipment.

• Air intake plenum for the radiologically controlled area ventilation system and the containment air filtration system.

• Exhaust units from the containment air filtration system.

• Ancillary diesel generators.

• Various batteries and battery chargers.

• Machine shops.

• Control support area.

2.4.3.6 Diesel Generator Building

The diesel generator building houses the two diesel generators and their associated HVAC equipment.

The diesel generator building's features include two standby diesel generators supplying power to priority defence-in-depth loads in the event of loss of normal power from the preferred and maintenance ac power sources. Only one standby diesel generator is needed to fulfil this defence-in-depth duty.

The standby diesel generators are supplied from two above-ground bulk fuel oil storage tanks, one for each of the standby diesel generators. Each bulk tank holds sufficient fuel to supply its diesel generator for seven days of operation at the maximum continuous rating. These bulk tanks are remote from any other AP1000 building.

The building also contains the diesel generator’s associated HVAC equipment.

2.4.3.7 Radwaste Building

The radwaste building contains:

• Various radwaste processing and packaging operations

• A waste accumulation room

• A packaged waste storage room

• A monitor tanks room

• A truck staging area

• An HVAC equipment room

• An electrical and mechanical equipment room

2.5 Plant Arrangement Considerations

Radioactive equipment and piping in all buildings are arranged and shielded to minimise radiation exposure.

The overall plant arrangement utilises building configurations and structural designs to minimise the building volumes and quantities of bulk materials (concrete, structural steel, rebar) consistent with safety, operational, maintenance, and structural needs.

Systems essential to maintaining nuclear safety are contained in the nuclear island. Separation between redundant essential safety equipment and systems ensures that the safety design functions can be performed. In general, this separation is provided by partitioning areas with concrete walls.

The plant arrangement provides separation for radioactive and non-radioactive equipment and provides separate pathways to these areas for personnel access.

Pathways through the plant are designed to accommodate equipment maintenance and removal from within the plant. The size of the pathways is dictated by the largest appropriate piece of equipment that may have to be removed or installed after initial installation. Where required, lay down space is provided for disassembling large pieces of equipment to accommodate the removal or installation process.

Adequate space is provided for equipment maintenance, lay down, removal, and inspection. Hatches, monorails, hoists, and removable shield walls are provided to facilitate maintenance.

During construction, a heavy lift crane is used to place major pieces of equipment such as the turbine-generator, the reactor vessel, the steam generators, the containment ring sections, the large structural modules, and other large or heavy equipment modules.

2.6 Proven Components and Technology in the AP1000 Design

By using proven components and technology, the likelihood of an initiating event is much reduced. The following items are relevant:

• The core and major components of the AP1000 are to designs proven by their use in currently operating Westinghouse PWRs:

o The AP1000 core uses a proven design for the fuel.

o The control rod drive mechanisms are a proven design.

o The AP1000 steam generator design is based on proven steam generator technology, which includes design features incorporated in the latest Westinghouse replacement steam generator designs (see Section 5.4.2 of the EDCD (Reference 2.1) for additional details). The steam generators in currently operating PWRs have been the source of many problems, and have had to be completely replaced on some plants; by adopting a steam generator design evolved from this experience, principally using better materials, these problems are expected to be minimised in the future.

o Component construction materials in the AP1000 have been selected based on lessons learned from the operation of existing plants, in order to prevent crack development in the AP1000 components, thereby avoiding fluid leakage and the associated safety challenges, clean-up, repair, and operator radiation dose. This operating experience has resulted in the specification of improved materials in primary system components, such as the reactor vessel and steam generators; and secondary side components, such as condenser tubes and heat exchangers (see Section 5.2.3 of the EDCD (Reference 2.1) for additional details). A specific example of this materials specification is the elimination of Inconel 600, which is vulnerable to stress corrosion.

o The development of digital I&C systems for back-fitting to currently operating plants has allowed such systems to be incorporated into the AP1000 design, with a level of risk proven by practical experience and extensive computer software verification and validation.

o The development of improved robotic tooling on current plants has enhanced the maintainability of the AP1000 by improving the quality of inspections and repairs, and reducing the radiation doses to workers.

• Several important enhancements, all based on existing technology, improve the safety performance characteristics of the design relative to currently operating Westinghouse PWRs:

o The AP1000 reactor coolant pumps do not have seals. Their design is based on proven pump technology. This eliminates the potential for LOCAs caused by seal failure, which significantly enhances safety and reduces pump maintenance (see Section 5.4.1 of the EDCD (Reference 2.1) for additional details).

o The AP1000’s larger reactor coolant system piping has been designed to experience much lower levels of stress, so that it will leak before it breaks, thereby providing forewarning of incipient failure. This stress reduction has also allowed the designers to eliminate many of the pipe whip restraints, which improves the ability to perform in-service inspection and also reduces the operational radiation exposures associated with such inspections.

o The number of containment penetrations has been reduced by half, and the containment isolation valves previously used have been replaced by those less likely to leak.

o The AP1000 design features an advanced main control room, as required by the Advanced Light Water Reactor Utility Requirements Document (ALWR URD) and NRC human factors criteria. Incorporating human factors engineering in the design and testing of the main control room reduces the likelihood of the operators either inadvertently causing a fault sequence, or performing the wrong actions during a fault sequence (Chapter 18 of the EDCD (Reference 2.1)).

2.7 Conclusion

This chapter has provided an overview of the AP1000 design, and how it has evolved by incorporating the benefits gained from many hundreds of years of reactor operational experience by using utility feedback to drive the design requirements. The overview includes the layout as well as the philosophy underpinning component choice, which is to focus on proven components wherever possible. The emphasis throughout has been to build on experience, thereby developing a design in which there is minimum risk with maximum confidence.

Figure 2.1 General Layout of AP1000 Plant

Figure 2.2 Functional Site Allocation of AP1000 Plant SSCs

REFERENCES

2.1 WEC, EPS-GW-GL-700, AP1000 European Design Control Document, Rev. 1, December 2009.

2.2 US NRC, Regulatory Guide 1.29, Seismic Design Classification, Rev. 3, September 1978.

UKP-GW-GL-732 3-i Revision 0

CHAPTER 3: GENERIC SITE CHARACTERISTICS

3.0 GENERIC SITE CHARACTERISTICS

3.1 Introduction

The AP1000 is a standardised plant designed for construction and operation at a site that meets a broad range of site design parameters. These parameters are set out in the European Design Control Document (EDCD) (Reference 3.1) and are reproduced in Table 3-1.

The site design parameters relate to seismology, hydrology, meteorology, geology, and other site related aspects. A site is acceptable for construction/operation of an AP1000 plant provided that site specific conditions are within the site design parameters. Such a site is described as acceptable from an engineering point of view.

In parallel with the Generic Design Assessment (GDA) process to assess generic designs for new nuclear power stations, the UK government is undertaking a process to identify strategically suitable sites for possible new build. This process, which is being undertaken independently from the GDA, is known as the Strategic Siting Assessment (SSA).

That a site is identified as strategically suitable under the SSA process does not imply that site-specific conditions are such that it is acceptable for construction with regard to site design parameters. Hence, for a site to be taken forward for new build construction, it will need to be both strategically suitable and acceptable from an engineering point of view.

The objectives of this chapter of the PCSR are:

• To identify generic site parameters and provide confidence that they will be met for UK candidate sites (i.e., strategically suitable sites that are identified by the SSA process); and,

• To identify other site specific issues that will need to be addressed during the planning and detailed design for development of any of the candidate sites (i.e., strategically suitable sites that are identified by the SSA process).

3.2 Site Design Parameters

The bounding site design parameters provided in the EDCD (Reference 3.1) (and summarised in Table 3-1 of the PCSR) include parameters relating to naturally occurring environmental conditions and to anthropogenic factors. The parameters relating to the natural environment can be grouped as follows:

• Meteorology – air temperature, wind speed, precipitation, atmospheric dispersion;

• Geology and hydrogeology – seismic activity, soil, groundwater level; and,

• Hydrology – flood level, plant grade elevation.

Section 3.2 provides an outline demonstration that the natural environmental conditions for the candidate sites in the UK will be within the bounds of the relevant site design parameters.

The impact of several of these parameters on the safe operation of the generic design has been assessed in detail in the AP1000 External Hazards Topic Report (Reference 3.2). These assessments include the possible influence of climate change, based on the information provided in the UK Climate Projections 2009 study (UKCP09), with the key findings presented in a Briefing Report (Reference 3.4).

This study discusses the effects of climate change and is an update of the climate change predictions presented by UKCIP02. The detailed effects are included in the discussions below. UKCP09 (Reference 3.4) contains localised data; therefore, only the main points are considered here.

3.2.1 Meteorology

The extreme range of recorded temperatures in England taken from the UK Meteorological Office data is 38.5°C to -26.1°C. These values are bounded by the AP1000 site parameters. The possible impact of extreme temperatures on the safety of the generic design is considered in the AP1000 External Hazards Topic Report (Reference 3.2, Section 6.5), which demonstrates that credible extreme temperature conditions would not compromise nuclear safety.

The highest recorded low-level wind speed in England is a gust of 53 m/s (118 mph) in Cornwall in 1979. Damaging tornadoes are rare events in England, occurring at a level of severity that is significantly lower than encountered elsewhere in the world. In Birmingham in 2005, a tornado was observed with an estimated severity of F2 on the Fujita scale. F2 tornadoes cause considerable damage, with local winds in the range 50.5 m/s to 70 m/s (113 mph to 157 mph). Overall, wind speed extremes from gusting and tornadoes are within the bounds of Table 3-1. The possible impact of extreme wind on the safety of the generic design is considered further in the AP1000 External Hazards Topic Report (Reference 3.2, Section 6.7), which demonstrates that extreme wind conditions within the design basis would not compromise the control of core reactivity or the removal of heat from the core, and would not result in the uncontrolled dispersion of radioactivity or the uncontrolled exposure of plant personnel or the public to radiation.

The UK Meteorological Office recorded data on extreme rainfall in England give a number of time-related rainfall figures. The figures comparable to those in Table 3-1 are 92 mm in 1 hour and 32 mm in 5 minutes. These extremes fall within the bounds of Table 3-1. UKCP09 (Reference 3.4) estimates that the annual mean precipitation by 2080 for the whole of the UK will change very little, remaining within a few percent of zero. However, regional variations are expected: the biggest changes in winter precipitation are seen on the western side of the UK, in the range of +9 to +70%, and in summer there are reductions of about 40% over parts of southern England.

In most years, coastal regions of England and Wales have been snow free; however, in 1946-47 and 1962-63 there were more than 30 days of snowfall with drifting.

The site design parameters quoted for atmospheric dispersion values are not related to plant design, but are based on those applicable to typical AP1000 sites. This is an issue that must be considered further at site-specific planning/design phases in conjunction with site-specific modelling of gaseous radioactive emission. A generic assessment of atmospheric emissions and related dose rates is summarised in the AP1000 Environment Report (Reference 3.3) using the parameters assumed for the GDA “generic site”. This generic site has been specified so as to be typical of ones identified as potential new build sites.

Therefore, it is demonstrated that the generic AP1000 design is tolerant to the range of meteorological conditions likely to be encountered at candidate sites in the UK. Further confirmation that this is the case will be necessary at the site specific planning/design stages.

In the major storm that affected the southern part of England in 1987, grid connection was lost completely at some power plant sites. Communications to and from the plants were severely disrupted. Section 8.2.2 of the EDCD (Reference 3.1) makes the point that the passive safety features of the design remove safety dependence on the grid connection. However, the possible impact of meteorological conditions on other infrastructure associated with the generic AP1000 site must be considered further at the detailed site specific design phase.

3.2.2 Geology and Hydrogeology

The safe shutdown earthquake (SSE) has been established as 0.3g for the AP1000 design, where the vertical peak ground acceleration is conservatively assumed to equal the horizontal value (EDCD, Reference 3.1, Section 2.5.2). An SSE is defined as the maximum potential vibratory ground acceleration for safe shutdown without loss of plant capability to perform safety functions. This SSE value is expected to be bounding for proposed sites within the UK by some margin (the corresponding figure used in current UK plants is 0.25g). The possible impact of seismic activity on the safety of the generic design is considered in the AP1000 External Hazards Topic Report (Reference 3.2, Section 6.1), which demonstrates that nuclear safety will not be compromised in a credible seismic event, because the plant design ensures that the safety functions required to bring the plant to a safe shutdown state and contain any radioactivity will be fully effective.

Geotechnical engineering parameters for soils (e.g., bearing capacities) to support the generic design are provided in Table 3-1. Foundation design will need to be considered further at site specific design stage and appropriate ground engineering options identified. This will require geotechnical ground investigation to determine soil types and their engineering properties; this will include investigation of groundwater level and variability.

The AP1000 External Hazards Topic Report (Reference 3.2, Section 6.6) considers the potential impact of drought and associated changes in groundwater levels on foundations. It concludes that the geology of the site upon which the foundations will be built will not be affected by changes in groundwater levels to an extent that would affect nuclear safety. This needs to be confirmed on a site specific basis.

Therefore, it is demonstrated that the generic AP1000 design can be accommodated by the underlying geology and hydrogeology likely to be encountered at a candidate site in the UK.

Further confirmation will be provided by the geotechnical investigation and assessment required to support detailed site specific design. This assessment will need to consider site specific and regional geology, and include an appropriate site specific seismic assessment.

3.2.3 Hydrology

All SSA nominated sites are either coastal or estuarine. For such locations, the primary flood risk arises from future elevation of the sea level with superimposed storm surges. The range in absolute sea level rise around the UK (before land movements are included) is projected to be between 0.12 m and 0.76 m for the period 1990-2095 (UKCP09, Reference 3.4). Vertical land movement (i.e., sinking of surface levels) will add another 0.1 m rise in the southern area of the UK. The incidence of tsunami and seiche events in the UK is very low; nevertheless, these issues will be factors in the consideration of potential flooding of the UK candidate sites.

The factors that will affect the flood risk over the projected lifetime of an AP1000 plant are the extreme upper tidal range, the mean sea level, and the magnitude of storm surges. The possible impact of flooding on the safety of the generic design is considered in the AP1000 External Hazards Topic Report (Reference 3.2, Section 6.2), which demonstrates that, because of the plant design, there will be no loss of key safety functions in a credible flood event (including precipitation).

Therefore, it is demonstrated that the generic AP1000 design can withstand the flood conditions likely to be encountered at candidate sites in the UK. Further confirmation that this is the case will be provided by the site specific flood risk assessments that are required at the planning stage and as input to the detailed site specific design. These will include defining maximum predictable flood levels and identifying any requirement for site specific flood protection beyond that provided by the generic AP1000 design.

3.3 Strategic Siting Assessment (SSA)

The SSA is being undertaken by the Department of Energy and Climate Change (DECC); details of this process are provided in the Draft National Policy Statement for Nuclear Power Generation (Reference 3.5). The initial phase of the SSA process was the preparation of a Strategic Environmental Assessment (SEA) Scoping report. Based on the findings of the SEA (and a consultation exercise), criteria have been developed against which the strategic suitability of possible sites can be judged; these are presented in Reference 3.6.

Eleven sites have been nominated by either possible operators or the Nuclear Decommissioning Authority (NDA) under the SSA process; the sites are listed and details provided in the Draft National Policy Statement for Nuclear Power Generation (Reference 3.5). Of these sites, nine are located adjacent to existing nuclear power stations (either operational or in a decommissioning phase). The other two nominated sites are located on the west coast of Cumbria, i.e., within the wider locality of Sellafield.

DECC is currently considering the nominated sites against the SSA criteria and will publish their findings in the Nuclear National Policy Statement (Nuclear NPS), a final version of which is due Spring 2010. Identification of a site in the Nuclear NPS is not an authorisation to develop. Developers and future operators will still need to apply for consents for these sites under the relevant planning and regulatory regimes.

The SSA criteria (Reference 3.9) relate to nuclear safety, environmental protection, societal issues, and operational requirements. The criteria are identified as either exclusionary or discretionary; the definitions are as follows:

• Exclusionary – criteria that, if not satisfied or exceeded, will categorically exclude all or part of a site from further consideration; or,

• Discretionary – criteria that, singly or in combination, could make all or part of a site unsuitable for a new nuclear power station.

Site specific information for each of these criteria has been used by the DECC to assess the suitability of the nominated sites and identify which of these sites are to be included in the Nuclear National Policy Statement (Nuclear NPS).

3.3.1 Exclusionary Criteria

With regard to the exclusionary criteria, nominated sites can be excluded from further consideration if the criteria are breached. Decisions on exclusion as a result of these criteria will not be influenced by plant design considerations. The exclusionary criteria identified in the SSA are:

• Demographics (C1 – exclusionary);

• Proximity to military activities (C2 – exclusionary);

The SSA process has not concluded that any of the nominated sites should be excluded on the basis of these criteria.

As noted above, sites nominated under the SSA process are adjacent to or in the locality of current nuclear power stations. From an emergency planning standpoint, there are significant advantages in locating AP1000 plants on candidate sites adjacent to existing nuclear facilities. The emergency arrangements for the existing plants will have been agreed by the NII, and there will have been regular exercises to test the arrangements. The Licensee and all relevant off-site civil agencies will have been involved in these exercises. The translation of the existing arrangements to the specific hazards presented by an AP1000 should not present major difficulties.

3.3.2 Discretionary Criteria

With regard to discretionary criteria, nominated sites will not be excluded from further consideration because of these criteria; rather, the SSA will make assumptions about the likely scale of impacts and whether these will be mitigated by plant design.

Set out below is a brief discussion of the generic AP1000 design with regard to the discretionary SSA criteria, together with a high level demonstration that the generic design should mitigate any significant impact associated with these criteria, whichever of the sites are ultimately identified as strategically suitable for new build nuclear reactors:

• Flooding, tsunami, and storm surge (D1 - discretionary). This criterion relates to flooding as an external hazard to the facility and possible impact to the facility with regard to flood protection of the surrounding area. Both of these possible impacts must be assessed on a site specific basis. The AP1000 External Hazards Topic Report (Reference 3.2, Section 6.2) confirms that the generic design protects against the range of flooding conditions that are recorded in the UK.

• Coastal processes (D2 - discretionary). This criterion relates to coastal erosion or other landscape changes. This criterion is site specific and is not addressed by the generic AP1000 design. Further consideration of this issue will be necessary at the site specific planning/design stages.

• Proximity to hazardous industrial facilities and operations (D3 - discretionary). This criterion relates to the proximity of hazardous industrial facilities, for example those that fall under the Control of Major Accident Hazards Regulations (COMAH) (Reference [not resolved in source]). Whilst assessment of this discretionary criterion is site specific, it is addressed in part by the generic AP1000 design. This criterion is discussed further in subsection 3.3.3.

• Proximity to civil aircraft movements (D4 - discretionary). This criterion relates to the possible hazard from civil aircraft movements (as a result of impact) and to the risk to safe use of civil aircraft; the Air Navigation Regulations (Reference [not resolved in source]) control flights in the vicinity of UK nuclear sites. Whilst assessment of this discretionary criterion is site specific, it is addressed in part by the generic AP1000 design. The External Hazards Topic Report (Reference 3.2, Section 6.3) demonstrates that the AP1000 has been designed such that a credible civil aircraft impact would not compromise the control of core reactivity or the removal of heat from the core, and would not result in the uncontrolled dispersion of radioactivity or the uncontrolled exposure of plant personnel or the public to radiation.

• Proximity to military activities not included in C2 (D5 - discretionary). This criterion relates to military sites which are not included in (C2), for example technical sites, transmitters, etc. This criterion is site specific and is not addressed by the generic AP1000 design.

• Internationally designated sites of ecological importance (D6 - discretionary). This criterion relates to sites designated for protection under European legislation, e.g., SACs, SPAs, etc. Whilst assessment of this discretionary criterion is site specific, it is addressed in part by the generic AP1000 design. The potential impact of the plant on such sites and on the surrounding environment is considered in Section 14.3 of this PCSR, which demonstrates that design features are in place to mitigate against a major environmental accident.

• Nationally designated sites of ecological importance (D7 - discretionary). This criterion relates to sites designated for protection under national legislation, e.g., Sites of Special Scientific Interest (SSSI) and National Nature Reserves. Whilst assessment of this discretionary criterion is site specific, it is addressed in part by the generic AP1000 design. The argument set out with regard to European designated sites is also applicable to nationally designated sites.

• Areas of amenity heritage and landscape value (D8 - discretionary). This criterion relates to National Parks, Areas of Outstanding Natural Beauty (AoNB), scheduled monuments, and other similar sites. Whilst assessment of this discretionary criterion is site specific, it is addressed in part by the generic AP1000 design. The argument set out with regard to European designated sites would also be applicable to amenity sites, etc.

• Size of site to accommodate operation (D9 - discretionary). This criterion requires a demonstration that there will be sufficient area within the boundaries of the nominated sites to allow secure operation of at least one new build nuclear power station. A typical layout for the generic AP1000 plant is discussed in Chapter 2 of this PCSR. With the exception of the parking area, the entire facility is contained within a perimeter fence that encloses approximately 10 hectares (ha). The site boundaries for the SSA nominated sites enclose areas of between 75 ha and 298 ha (Reference 3.7). Allowing for ancillary facilities, the typical area estimated for the SSA nominated sites required for operational purposes is 30 to 50 ha. Hence, all of the nominated sites have sufficient area for at least one new build nuclear power station. The finalised layout will need to ensure that the constructed AP1000 plant can be operated in a safe and secure manner, with access to the site (and to nuclear materials) strictly controlled. The finalised layout will need to accommodate both generic and site specific requirements and meet with the approval of the regulators.

• Access to suitable sources of cooling (D10 - discretionary). This criterion requires a demonstration that suitable cooling can be provided to ensure safe and efficient operation. All of the nominated sites have access to sea water for cooling. This criterion is discussed further in subsection 3.3.4.

After consideration of the site specific information for these discretionary criteria, the SSA has concluded that 10 out of the 11 nominated sites should be carried forward into the Nuclear NPS. The Dungeness site is excluded from further consideration in the draft Nuclear NPS due to potential impacts on internationally designated sites of ecological importance (Reference 3.7).

Further consideration of these discretionary criteria will be necessary for any of the sites identified in the Nuclear NPS that are taken forward for new build. The detailed site specific assessments will need to identify whether any revisions to plant design are required to mitigate impact that new build could have on the surrounding area/environment, and to ensure safe operation of the new build plant. These site specific assessments will need to cover all stages of the lifecycle of a new build nuclear site.

3.3.3 Proximity to Hazardous Industrial Facilities and Operations (D3)

The hazards to the safe operation of the nuclear facility presented by nearby hazardous industrial facilities are primarily either physical (i.e., as a result of fire or explosion) or chemical/toxic (i.e., as a result of release of gases, vapours, etc.).

Physical hazards, such as fire and explosion, are considered in the AP1000 External Hazards Topic Report (Reference 3.2) as follows:

• The report demonstrates that the generic AP1000 design will withstand the effects of external smoke, heat, or fumes caused by external fires to the extent that they would not compromise the control of core reactivity and the removal of heat from the core and would not result in the uncontrolled dispersion of radioactivity or the uncontrolled exposure of plant personnel or the public to radiation.

• The report demonstrates that the AP1000 plant has been designed such that any damage caused by external explosions would not compromise the control of core reactivity and the removal of heat from the core or result in the uncontrolled dispersion of radioactivity or the uncontrolled exposure of plant personnel or the public to radiation.

The External Hazards Topic Report has not specifically considered potential hazards of toxic gases from external sources, but does demonstrate that smoke from an external fire will not compromise nuclear safety. Furthermore, the AP1000 main control room is designed to provide isolation from toxic gases, etc. generated on site (see Chapter 6 of this PCSR). Provided that sufficient warning is received (as would be expected with regard to any COMAH sites or similar), these isolation systems should also be effective against a similar externally sourced hazard.

Further consideration of these issues will be necessary to confirm that the assumptions and data used in the External Hazards Topic Report are applicable on a site-specific basis.

3.3.4 Access to Suitable Sources of Cooling (D10)

All of the sites identified in the Nuclear NPS have access to sea water for cooling. Sea water can be used to provide either:

• Direct cooling – in which cooling water (at a temperature slightly higher than the intake) is discharged from turbine condensers direct to the marine environment; or,

• Indirect cooling – in which cooling water (at a higher temperature than for direct cooling) is passed through cooling towers prior to discharge to the marine environment.

An assessment of the generic impact of cooling water discharge on the marine environment is provided in UKP-GW-GL-034 (Reference Error! Reference source not found.). This assessment assumes that the AP1000 will be cooled by a direct (once through) cooling water system; this being the option that maximises cooling efficiency and requires less overall use of sea water.

Historically, the only cooling water problems that have been encountered by plants on similar sites have been due to marine organisms blocking the cooling water inlet screens. The AP1000 External Hazards Topic Report (Reference 3.2, section 6.10) has considered the potential external hazard associated with biological fouling of cooling water inlets. This report demonstrates that the AP1000 plant protects against the entry of biological agents so that they will not compromise the control of core reactivity and the removal of heat from the core, or result in the uncontrolled dispersion of radioactivity or the uncontrolled exposure of plant personnel or the public to radiation. Therefore, nuclear safety will not be adversely affected by biological fouling.

Further consideration of the cooling water system will be necessary at the site specific planning/design stages.

3.4 Other Site Specific Criteria

In addition to the exclusionary and discretionary criteria listed above, the SSA has identified other criteria which will need to be considered at the site specific planning/design stage for any sites identified in the Nuclear NPS that are subsequently taken forward towards development. These (local) criteria are:

• Seismic risk;

• Capable faulting;

• Non-seismic ground conditions;

• Meteorological conditions;

• Proximity to civil aircraft movements (beyond those specified for D4);

• Proximity to mining, drilling and other underground operations;

• Emergency planning;

• Significant infrastructure resources;

• Access to transmission infrastructure; and,

• Size of site to accommodate construction and decommissioning.

This list of site specific criteria should not be considered exhaustive and is likely to be expanded for any individual site as that site moves into the planning and detailed design phases.

Further assessment of these site specific criteria will be required with regard to:

• The environmental impact assessment (EIA) that will be required as part of the development planning process; and/or

• To inform detailed engineering design and operational management for the new facility.

On the basis that these criteria are site specific and not strategic, they have been excluded and will not be discussed further at this stage of the GDA process. It should be noted, however, that some issues e.g. seismic risk and meteorology have been discussed briefly in this chapter with regard to the generic AP1000 design.


3.5 Monitoring of Site Specific Parameters

The monitoring of site specific parameters will be undertaken in conjunction with the monitoring that is required as part of the environmental management system for environmental protection purposes (see Chapter 14.4 of this PCSR). With regard to the SSA and other site specific criteria noted above, the parameters to be monitored should include, but not be restricted to:

• Monitoring of meteorological conditions and tidal cycles/height (both in advance and to identify any longer-term changes);

• Monitoring groundwater levels;

• Monitoring for any signs of coastal erosion; and,

• Monitoring the structural integrity and effectiveness of any flood protection systems at the plant.

Monitoring will begin prior to construction in order to develop a baseline against which to judge any changes that occur throughout the lifecycle of the plant. The collation of baseline data is required as part of an environmental impact assessment to support an application for planning consent.

As the development programme moves into the construction phase, any changes in the baseline will need to be identified and an assessment made of whether revisions of either plant design or construction methodologies are required. Likewise, monitoring will be continued throughout the operational phase and into the decommissioning phase to identify whether any revisions are necessary to operational procedures or facility engineering.

Throughout the full lifecycle of the plant, the operating organisation, Westinghouse, and the other responsible parties (which will vary throughout the lifecycle) will need to be kept apprised by the local planning authorities and the Health and Safety Executive of any developments in the vicinity of the plant which could affect plant safety or emergency planning arrangements. For example, any new housing developments in the vicinity of the plant could affect the emergency planning assumptions.

3.6 Conclusion

This chapter has explained the reasons why the concept of a generic site has benefits in the context of UK licensing in that it complements the Strategic Site Assessment process. A set of key site environmental parameters associated with the generic site has been presented. This chapter then sets out the arguments which demonstrate that the generic site concept is a suitable basis for a generic assessment of the AP1000 design and will form a sound basis for any future specific site licensing.


Table 3-1 SITE PARAMETERS

Air Temperature

• Maximum Safety: 46.11°C (115°F) dry bulb / 30.06°C (86.1°F) coincident wet bulb; 30.06°C (86.1°F) wet bulb (non-coincident)

• Minimum Safety: -40°C (-40°F)

• Maximum Normal: 38.33°C (101°F) dry bulb / 26.72°C (80.1°F) coincident wet bulb; 26.72°C (80.1°F) wet bulb (non-coincident)

• Minimum Normal: -23.33°C (-10°F)

Wind Speed

• Operating Basis: 64.82 m/sec (145 mph) (3 second gust); importance factor 1.15 (safety), 1.0 (non-safety); exposure C; topographic factor 1.0

• Tornado: 134.11 m/sec (300 mph)

Seismic

• Safe Shutdown Earthquake: 0.30g peak ground acceleration

• Fault Displacement Potential: Negligible

Soil

• Average Allowable Static Bearing Capacity: Greater than or equal to 426.1 kPa (8,900 lb/ft2) over the footprint of the nuclear island at its excavation depth

• Maximum Allowable Dynamic Bearing Capacity for Normal Plus Safe Shutdown Earthquake: Greater than or equal to 1675.8 kPa (35,000 lb/ft2) at the edge of the nuclear island at its excavation depth

• Shear Wave Velocity: Greater than or equal to 304.8 m/sec (1,000 ft/sec) based on low-strain best-estimate soil properties over the footprint of the nuclear island at its excavation depth

• Lateral Variability: Soils supporting the nuclear island should not have extreme variations in sub-grade stiffness

• Liquefaction Potential: Negligible

• Minimum Soil Angle of Internal Friction: Greater than or equal to 35 degrees below the footprint of the nuclear island at its excavation depth

Missiles – Tornado

• 1814.4 kg (4000 lb) automobile at 46.94 m/sec (105 mph) horizontal, 33.1 m/sec (74 mph) vertical

• 124.7 kg (275 lb), 203.2 mm (8 in.) shell at 46.94 m/sec (105 mph) horizontal, 33.1 m/sec (74 mph) vertical

• 25.4 mm (1 inch) diameter steel ball at 46.94 m/sec (105 mph) horizontal and vertical

Flood Level: Less than plant elevation datum

Ground Water Level: Less than 0.6 m (2 feet) below plant elevation datum

Plant Grade Elevation: Less than plant elevation datum (marked as 100 m / 100 feet (not true elevation) on drawings) except for the portion at a higher elevation adjacent to the annex building

Precipitation

• Rain: 525.8 mm (20.7 in.)/hr (160.0 mm (6.3 in.)/5 min)

• Snow/Ice: 3.6 kPa (75 pounds per square foot) on ground with exposure factor of 1.0 and importance factors of 1.2 (safety) and 1.0 (non-safety)

Atmospheric Dispersion Values - χ/Q

• Site boundary (0-2 hr): ≤ 5.1 x 10^-4 sec/m3

• Site boundary (annual average): ≤ ~2.0 x 10^-5 sec/m3

• Low population zone boundary: 0-8 hr ≤ ~2.2 x 10^-4 sec/m3; 8-24 hr ≤ ~1.6 x 10^-4 sec/m3; 24-96 hr ≤ ~1.0 x 10^-4 sec/m3; 96-720 hr ≤ ~8.0 x 10^-5 sec/m3

Population Distribution

• Exclusion area (site): 0.8 km (0.5 miles)


REFERENCES

3.1 WEC Report EPS-GW-GL-700, Rev. 1, “AP1000 European Design Control Document,” December 2009.

3.2 WEC Report UKP-GW-GL-043, Rev. 0, “AP1000 External Hazards Topic Report,” December 2009.

3.3 WEC Report UKP-GW-GL-790, Rev. 2, “UK AP1000 Environment Report,” December 2009 (to be issued before PCSR update).

3.4 DEFRA, UK Climate Projections Briefing Report, June 2009. DECC, Draft National Policy Statement for Nuclear Power Generation, November 2009.

3.5 DECC, Office for Nuclear Development, Towards a Nuclear National Policy Statement – Government response to consultations on the Strategic Siting Assessment process and siting criteria for new nuclear power stations in the UK; and to the study on the potential environmental and sustainability effects of applying the criteria - ANNEX C: Guidance for Nominations, January 2009.

3.6 DECC, Office for Nuclear Development, Towards a Nuclear National Policy Statement - Applying the Strategic Siting Assessment Criteria: an update to the study of the potential environmental and sustainability effects, January 2009.

3.7 Health and Safety, No. 743, The Control of Major Accident Hazards Regulations 1999, April 1999.

3.8 UK Office of Public Sector Information, Statutory Instrument 1929, Air Navigation (Restriction of Flying) (Nuclear Installations) Regulations 2007, August 2007.

3.9 WEC, UKP-GW-GL-034, Revision 0, Generic Assessment of the Impacts of Cooling Options for the Candidate Nuclear Power Plant AP1000, January 2009.


AP1000 Pre-Construction Safety Report

UKP-GW-GL-732 4-i Revision 2

CHAPTER 4: SAFETY ASPECTS OF DESIGN


4. SAFETY ASPECTS OF DESIGN

4.1 Introduction

This chapter of the PCSR describes the processes underpinning the safety aspects of the design for both normal operation and fault conditions. These are key elements of a comprehensive nuclear safety assessment process that embodies relevant UK good practice.

In keeping with relevant UK good practice, the nuclear safety assessment includes the following elements:

• Identification of the key safety functions that need to be maintained by the plant (which are presented in sub-section 4.2.1 of this chapter).

• Breakdown of the key safety functions into specific safety functions, which are maintained by particular AP1000 systems, structures and components (SSCs). A system, structure or component that is important to safety is interpreted as one which provides direct support to a safety function or one whose failure could adversely affect an SSC which provides a safety function. This process is presented in sub-section 4.2.2.

• Identification of the safety importance of particular safety functions, which informs the safety categorisation process for SSCs in normal operation and fault conditions. The safety categorisation process is presented in sub-section 4.2.2 of the PCSR.

• The means by which safety functions of the plant could be challenged are identified as:

  • Failure of SSCs to perform their normal operational duties

  • Faults arising due to plant failures within the Design Basis (as presented in the AP1000 fault schedule)

  • Internal and external hazards

• Design requirements and claims on SSCs are derived by the following processes:

  • For normal operations, the AP1000 SSCs maintaining particular safety sub-functions are identified, to determine the requirements placed on them. This process is summarised in sub-section 4.3.1.

  • For Design Basis fault conditions, as identified in the AP1000 Fault Schedule (see Chapter 5), design requirements are derived based on the SSCs maintaining the safety functions during and following fault conditions (i.e. safety measures). This process is summarised in sub-section 4.3.2.

  • For internal and external hazards, the plant's withstand of, and response to, each potential hazard is assessed in the relevant Topic Reports, and claims on specific SSCs are identified. This process is summarised in sub-section 4.4.


• The requirements on plant SSCs are substantiated by the following processes, which cover normal operations and fault conditions:

  • The SSCs delivering specific requirements are assigned a safety class, in accordance with their contribution to maintaining a safety function and the safety category of that function. Each safety class has associated codes and standards that drive the robustness of the SSC design and through-life management. This process is summarised in sub-section 4.5.1.

  • Safety classification is supplemented by other related processes addressing the contribution of SSCs to maintaining safety functions; these are seismic categorisation and incredibility of failure (IoF) cases. These processes are summarised in sub-sections 4.5.2 and 4.5.3 respectively.

  • The codes and standards underpinning the higher safety classes must be appropriately rigorous and mature; their appropriateness and maturity have been subject to a study for UK application. This study is summarised in sub-section 4.5.4.

  • The SSCs must also be appropriately qualified to function in the limiting environmental conditions they will experience during normal operations and fault conditions. The process by which the appropriate level of qualification is identified and demonstrated is summarised in sub-section 4.5.5.

Specific analysis and evidence substantiating plant responses in normal operations and Design Basis fault conditions are presented in Chapters 5, 6 and 7 of this PCSR. Specific analysis and evidence substantiating plant responses to internal and external hazards are presented in the Internal Hazards Topic Report (Reference 4.3) and External Hazards Topic Report (Reference 4.8).

The overall suite of processes discussed here is summarised in Figure 4.1-1.

These processes cover faults and hazards that could arise during each phase of the plant lifecycle (i.e. construction, commissioning, operation, which includes shutdown, refuelling and fuel handling; and decommissioning). The PCSR takes into account all lifecycle stages, i.e. by providing assurance that during the construction, commissioning, operation and decommissioning phases of the plant lifecycle the plant has acceptably low associated risks.


Figure 4.1-1 Safety Categorisation, Classification and Engineering Substantiation

[Figure 4.1-1 flow: Key Safety Functions (KSFs) are decomposed into safety functions maintained by plant SSCs, which are categorised in terms of their importance to safety; normal operations design requirements, fault conditions design requirements and internal/external hazards claims are identified; design requirements and claims on SSCs are substantiated robustly by Engineering Substantiation (analysis and evidence for normal operations and DB fault conditions in Chapters 5, 6 and 7 of the PCSR; internal and external hazards addressed in the relevant Topic Reports), supported by Safety Classification of SSCs, Seismic Categorisation of SSCs, IoF, Environmental Qualification of SSCs and the Codes and Standards Study.]

4.2 Use of Safety Functions

4.2.1 Key Safety Functions

The safety of any nuclear power plant can be challenged by the hazards and faults it experiences throughout its life. Its ability to withstand these hazards and faults is governed by the functionality of the duty systems and the safety systems included in its design. The safety function of any particular SSC is the specific role required of it in maintaining nuclear and radiological safety during normal operation or when the plant is challenged by a hazard.

Building a safety case around safety functions is the distinguishing requirement of a modern nuclear safety case. It is the approach recommended in Reference 4.1 by the International Atomic Energy Agency (IAEA). The safety functions cover nuclear and radiological hazards only; conventional hazards to personnel safety are outside the scope of nuclear safety cases.

The Key Safety Functions (KSFs) are high level safety functions that fundamentally need to be maintained to provide assurance of nuclear and radiological safety. If the Key Safety Functions can be maintained, the plant will be acceptably safe.

Key Safety Functions have the principal benefit of clarifying the duties associated with nuclear safety that SSCs perform during normal operation and the means by which nuclear safety can be challenged during an initiating fault. Often, an SSC may be contributing to the delivery of more than one Key Safety Function, and an initiating fault may challenge more than one Key Safety Function; in these cases, it is essential that the correct claims are made on the SSCs to ensure that normal operation is appropriately safe and fault conditions are fully protected against.

The Key Safety Functions are open to a degree of choice: different selections reflect the aims and ethos of the operating organisation. Typically, only a few Key Safety Functions are required to make sure that nuclear safety is maintained. The following Key Safety Functions are identified for the AP1000:

• Control of Core Reactivity

• Removal of Heat from the Core

• Prevent the Uncontrolled Dispersion of Radioactive Material to the Environment

• Prevent the Uncontrolled Exposure of the Personnel to Radiation

Each Key Safety Function can be broken down into subordinate safety functions; this process identifies which plant SSCs contribute to the delivery of particular Key Safety Functions. This process has been used to inform the design requirements on plant SSCs to maintain safety.

The guidance in the IAEA Safety Standard, Safety of Nuclear Power Plants: Design (Reference 4.1) specifies three fundamental safety functions:

• Control of reactivity.

• Removal of heat from the core.

• Confinement of radioactive materials and control of operational discharges.

However, it is UK nuclear safety case practice to consider dose to the operator separately from dose to the public. It can be seen that the third of the IAEA's fundamental safety functions can easily be decomposed into the third and fourth of the Key Safety Functions proposed for the AP1000.

The technical scope of the safety case is effectively defined by the Key Safety Functions presented in the previous sub-section. Consideration is given, within the nuclear safety case, to faults, operator errors and hazards that could challenge the Key Safety Functions.


4.2.2 Categorisation of Safety Functions

It is international good practice for SSCs in a nuclear power plant to be classified in accordance with their importance to nuclear safety, with increased levels of robustness associated with the higher classes. This greater robustness is achieved via the use of codes and standards recognised as international good practice for design and through life management.

UK relevant good practice for the classification of SSCs is to categorise safety functions required to maintain safety in the event of specific fault sequences occurring, identify which SSCs deliver these safety functions and classify them accordingly. This process makes sure that all SSCs associated with the delivery of safety functions are identified, so a consistent measure of their importance to safety is obtained.

The categorisation of safety claims in this way is purely functional; there is no recognition at this stage of how the safety function is delivered by the design.

The categorisation process to be applied to AP1000 safety functions is defined in AP1000 UK Safety Categorisation and Classification of Structures, Systems, and Components (Reference 4.2). It is performed by identifying the high-level safety function that a specific claim is associated with delivering. These safety functions are categorised A to C based on the nuclear safety significance of delivery failure. The safety categories are defined as follows:

Category A

A Category A safety function is a principal means of maintaining nuclear safety. Failure to maintain a Category A safety function has the potential to result in significant core damage or a high-activity release to the environment within 72 hours of the accident. Specific safety functions include:

• Removing decay heat from the reactor coolant during normal operation and accident conditions (including providing a heat sink for those systems involved in the removal of heat from the reactor coolant during normal operation and accident conditions).

• Mitigating reactor coolant overpressure during normal operation and accident conditions.

• Preventing the release of radioactive material from the containment.

• Preventing the release of radioactive material through the boundary of the reactor coolant system.

• Controlling core reactivity during normal operation and accident conditions.

• Maintaining reactor coolant inventory.

• Maintaining spent fuel sub-critical.

• Maintaining habitability of the main control room.

• Maintaining spent fuel integrity such that significant radioactive releases do not occur (as a result of impacts or overheating).


• Protecting against internal/external hazards that would directly and inevitably result in loss of one of the other Category A safety functions.

• Instrumentation and control systems required to automatically actuate or provide manual actuation (where this is the only means of actuation) for SSCs delivering other Category A functions.

Category B

A Category B safety function is a significant contributor to nuclear safety. Failure to maintain the safety function has the potential to result in a design basis accident (DBA), but one that does not lead to significant core damage or large activity releases to the environment for at least 72 hours after the accident. Alternatively, failure to maintain the safety function may reduce safety margins significantly, but not result in a DBA. Specific examples include:

• Preventing the release of radioactive waste material from on-site storage facilities.

• Protecting against internal/external hazards that would directly and inevitably result in loss of one of the other Category B safety functions.

• Protecting against internal/external hazards that could, as part of a sequence of failures, result in loss of one of the safety functions, such as preventing fire spread that could compromise all normally operating systems and safety systems delivering a specific function.

• Maintaining Category A safety functions after 72 hours following an accident.

• Instrumentation used to monitor Category A safety functions (but not required to facilitate actuation).

• Providing isolation of control systems whose operation could reduce margins or increase consequences of SSC failure.

Category C

Category C safety functions are those that may make a contribution to nuclear safety, but failure to maintain the safety function does not have the potential to result in a DBA. Specific examples include:

• Providing long-term support of category A or B functions.

• Controlling the level of radioactivity within the reactor coolant.

• Controlling levels of radioactivity released into the environment.

• Monitoring radioactivity released into the environment.

• Protecting against design basis accidents that could result in the loss of one of the safety functions.

4.3 Identification of Design Requirements for Safety

4.3.1 Identification of Design Requirements associated with Normal Operation

The FSDs have been decomposed to the point at which it is possible to identify SSCs that fulfil the decomposed safety function. Provided that SSCs can be identified as reliably delivering each of the decomposed safety functions, the plant is capable of maintaining the KSFs during normal operation.

Once an SSC has been associated with a specific safety function, a functional design requirement can be identified for that SSC, to make sure that the safety function is delivered. The requirements relate to aspects of the performance of the duty SSC in support of the identified safety function; for example, a requirement might be “the SSC removes an adequate amount of heat from the core” or “the SSC is capable of being actuated in time to prevent a release of radiation”. Taken together, the design requirements should provide assurance that the safety function can be maintained.

All the design requirements on SSCs associated with safety during normal operation that are identified through the application of this process are presented in Chapters 6 and 7 of this PCSR, accompanied by substantiation statements, which refer to more detailed design information in AP1000 technical documentation. Chapter 6 of the PCSR identifies all design requirements associated with safety during normal operation for each system in turn, and Chapter 7 covers those associated with civil works and structures.

Claims on operator actions associated with safety during normal operation will be identified and addressed in the Human Factors Topic Report which will be delivered during the first quarter of 2010.

4.3.2 Identification of Design Requirements associated with Fault Conditions

4.3.2.1 Fault Identification

The fault identification process is detailed in Chapter 5 of this PCSR. Fault identification is based on the use of fault checklists, which are augmented by operating experience and consideration of the AP1000 design. These checklists inform the design basis assessment, the probabilistic risk assessment and the severe accident analysis.

4.3.2.2 Identification of Safety Measures

The AP1000 fault schedule presents the Design Basis initiating events that are identified by the fault identification process. For each fault, it also provides the following information:

• The initiating event frequency

• The safety measures utilized to protect against loss of KSFs for each fault

• The duty systems that can provide additional defence in depth protection against loss of KSFs for each fault, but that are not claimed in the design basis assessment.

An overview of the fault schedule, including identification of the safety measures claimed and those systems that can provide additional defence in depth, is presented in Chapter 5.

4.3.2.3 Identification of Design Requirements

The fault schedule has been used as the basis for the derivation of the design requirements associated with design basis fault conditions as it identifies the plant failure related initiating events that are within the Design Basis of the plant.

The fault schedule identifies the systems involved in the provision of specific safety measures and defence in depth roles.

Design requirements are identified where associated with the provision of the safety measures protecting against each fault condition – these are design requirements for safety during fault conditions.

It is also identified where duty systems have the capability to provide additional defence in depth to protect against fault conditions. These systems are not claimed in the design basis assessment and are therefore not identified as design requirements on SSCs; however, they do provide additional margin and this benefit should be recognized.

All design requirements and defence in depth capabilities for each system are collated, with substantiation statements, in Chapter 6 of this PCSR. All design requirements associated with civil works and structures are presented in Chapter 7.

4.4 Approach to Hazards

The plant Key Safety Functions can be challenged by internal and external hazards; therefore it is necessary to identify the claims on SSCs to withstand these hazards or respond such that the KSFs are protected.

4.4.1 Assessment of Internal Hazards

A detailed review of internal hazards has been undertaken in the supporting Internal Hazards Topic Report (Reference 4.3) with the following objectives:

• Identification of internal hazards within the design basis.

• Demonstration that design basis internal hazards would not compromise the delivery of the Key Safety Functions due to withstand of safety significant SSCs.

The following sub-sections summarise how these objectives have been met.

4.4.1.1 Identification of Internal Hazards

A list of internal hazards has been identified in the Internal Hazards Report (Reference 4.3). This was developed after a review of United Kingdom (UK) good practice for nuclear safety cases. These have been assessed to ensure that the AP1000 SSCs have adequate withstand such that safety is not compromised. The list of internal hazards identified for review is given below:

• Fire

• Flood

• Water spray

• Steam leakage

• Pipe whip effects

• Explosion

• Missiles

• Releases of toxic, corrosive and flammable material

• Collapsing or falling loads

• Biological agents

• On site transport accidents

• Electromagnetic interference

Combinations of these internal hazards, and the potential for consequential hazards to arise, have been assessed, where these are realistic.

The withstand required by plant systems, structures and components against internal hazards, such that appropriately safe operation can be maintained, has been addressed comprehensively in the European Design Control Document (DCD) (Reference 4.4), primarily in Chapter 3, and is discussed for each hazard in turn in the sub-section following. Because the requirements for withstand are directly incorporated into the design basis for the plant systems, structures and components, only those postulated hazards with significant requirements on management are taken forward for further assessment in the Probabilistic Risk Assessment (PRA), to make sure that any potential vulnerabilities are identified and addressed. The internal hazards taken forward to the PRA for this purpose are internal fire and internal flood.

This screening process is supported by a review of operating experience documented in NUREG/CR-2300 (Reference 4.5) and NUREG/CR-5750 (Reference 4.6) as well as the INPO and Westinghouse databases. This confirmed that only internal fire and internal flood require further detailed analysis. The consideration of these internal hazards in the PRA is discussed in Chapter 5 of this PCSR.

4.4.1.2 Plant Withstand to Internal Hazards

Each internal hazard has been reviewed separately in the Internal Hazards Topic Report (Reference 4.3). The Internal Hazards Topic Report reviews each internal hazard to identify the requirements from the SSCs that ensure that the delivery of the key safety functions (KSFs) is not compromised. In the topic report these are termed safety functional requirements (SFRs) and are summarised against each internal hazard. The Internal Hazards Topic Report provides the evidence that these SFRs can be substantiated.

The reviews of each internal hazard, identifying the types of requirements that are placed on specific SSCs in the Topic Report, are summarised below.

Internal Fire

The Internal Hazards Topic Report has reviewed the safe shutdown internal fire case for the AP1000 and concludes that there is sufficient evidence that the SFRs for fire protection, including the functionality of the fire barriers, are such that the safety-significant equipment available after an internal fire is adequate to bring the plant to a safe shutdown condition, i.e. the KSFs are not compromised. The fire safety case is based on the following types of requirements on SSCs:

• AP1000 structures within the Nuclear Island do not collapse such that safety significant SSCs could be prevented from delivering the KSFs.

• AP1000 SSCs within the Nuclear Island are laid out such that safety-significant SSCs that could be disabled by fire, such that delivery of the KSFs could be compromised, incorporate segregated, redundant elements.

• Barriers between segregated fire areas containing safety significant plant within the Nuclear Island, which include walls, doors, cable tray enclosures, isolation and penetration seals, are rated to withstand the most onerous fires to which the fire hazard analysis shows they could be subjected, where spread of the fire could otherwise result in KSFs being compromised.

• Fire dampers in the ventilation systems prevent the spread of smoke and hot gas between fire areas containing safety significant plant within the Nuclear Island, where spread of the fire could otherwise result in KSFs being compromised.

• Where barriers are not available then sufficient distance and withstand is available to provide adequate segregation of redundant safety significant SSCs such that the KSFs are not compromised.

• No inadvertent initiations are caused by fire that would compromise the KSFs.

• The ventilation system(s) maintains the concentration of hydrogen within the battery compartments below 2%, such that a flammable atmosphere cannot develop.

• The non-Nuclear Island structures do not contain any safety significant SSCs, and fires in these structures could not result in a loss of the KSFs.

• The barriers between the Nuclear Island structures and non-Nuclear Island structures are rated to withstand fires outside the Nuclear Island to a sufficient degree that safety significant SSCs within the Nuclear Island will not fail.

No safety requirements are made on fire suppression systems or operator actions in the event of a fire; these serve to provide defence in depth and have been identified in the Internal Hazards Topic Report.

Safety requirements are also made on various analyses and processes that are in place:

• Fire zones have been identified within the containment building that have been shown to provide effective fire segregation without the provision of rated fire barriers.

• Processes are in place to control fire loading such that it will not exceed those levels established for the design basis fires.

Substantiation of such requirements is presented against the equivalent SFRs in the Internal Hazards Topic Report, which is supported by the DCD and other WEC technical documentation.

The safety-significant SSCs are designed to minimise the probability and effect of fires. Non-combustible and fire-resistant materials are used in the containment and main control room. Additionally, non-combustible and fire-resistant materials are used on components of safety-significant systems, and elsewhere in the plant where fire is a potential risk to safety-significant systems.

The fire protection system (FPS) and the fire hazard analysis (FHA) are presented in Chapter 9.5.1 and Appendix 9A of Reference 4.4 respectively. The FPS has been designed to provide appropriate fire detection and suppression in line with the nuclear safety implications of fires in specific areas of the plant; it has been designed to take consideration of the fire hazard analysis, to make sure that safety-significant SSCs required for safe plant shutdown or to prevent significant releases of radioactive material can maintain functionality. It is not however required to ensure nuclear safety in the event of a fire. A full suite of safety functions associated with the FPS is specified in Chapter 6 of this PCSR.

The FPS detects fires and provides the capability to extinguish them using fixed automatic and manual suppression systems, manual hose streams, and/or portable firefighting equipment. It includes architectural and structural features to segregate plant such that it can be subdivided into fire areas to isolate potential fires and minimize the risk of the spread of fire and the resultant consequential damage from corrosive gases, fire suppression agents, smoke, and radioactive contamination. Some fire areas are subdivided into fire zones to permit more precise identification of the type and locations of combustible materials, fire detection, and suppression systems. The subdivision into fire zones is based on the configuration of interior walls and floor slabs, and the location of major equipment within each fire area. Outside of the primary containment and the main control room, the arrangement of plant equipment and routing of cable are such that safe shutdown can be achieved with all components (except those protected by 3-hour fire barriers) in any one fire area rendered inoperable by fire. The fire protection analysis contains a description of plant fire areas, fire zones, fire barriers, and the protection of fire barrier openings, as well as a description of the separation between redundant safe shutdown components. Ventilation system fire dampers close automatically against full airflow on high temperature to control the spread of fire and combustion products.

Fire dampers serving certain safety-significant, smoke-sensitive areas are also closed in response to an initiation signal from the fire detection system.

Fire hazards analysis provides the design basis for the FPS. The purpose of the FHA is as follows:

• Identify the potential for fires based on the type, quantity, and location of combustible materials.

• Determine the consequences of postulated fires.

• Provide a basis for decisions on how to prevent, detect, contain, and suppress fires.

• Assess fire protection system adequacy.

• Confirm the capability to safely shut down the plant following a fire. The safe shutdown evaluation is based upon all components in a single fire area outside containment or any fire zone inside containment being disabled by the fire.

The FHA divides the plant into fire areas and fire zones, segregated by barriers and distance. Within each area, combustibles are inventoried, and the maximum temperature and duration of a fire are calculated. Conservative estimates are made as to which safety-significant SSCs within the specific area could be disabled by such a fire; redundant and segregated systems are specified where required to maintain essential functionality. Interfaces with other fire areas are considered; the potential for fire/smoke propagation where fire barrier/fire damper duration could be exceeded is identified, and appropriate protective features are incorporated against the failure of safety-significant SSCs. It should also be noted that, to afford a quantitative consideration of process and management issues associated with fire fault sequences, fire is also assessed in the AP1000 PRA, which shows that the plant’s system and layout designs promote a low fire-induced core damage frequency.

Outside the Nuclear Island there are no safety significant SSCs, but fire prevention features are incorporated to prevent such events affecting the Nuclear Island and to limit the demand on safety significant SSCs. In addition to fire suppression systems, this includes the siting of flammable materials, and bunding and drainage of tankage containing flammable materials.

Internal Flood

The Internal Hazards Topic Report has reviewed the safe shutdown internal flood evaluation in Reference 4.4, and concludes that there is sufficient evidence that the SFRs for flood protection, including the functionality of the flood barriers, are such that the safety-significant equipment available after an internal flood is adequate to bring the plant to a safe shutdown condition, i.e. the KSFs are not compromised. The internal flood safety case is based on the following requirements from SSCs:

• AP1000 SSCs acting as flood barriers provide adequate segregation of safety-significant SSCs in the event of the worst case internal flood.

• The worst case internal flood does not prevent safety-significant SSCs from achieving their safety functions due to their environmental withstand or location above flood levels.

• Adequate drainage is provided to ensure the worst case flood does not prevent safety-significant SSCs from achieving their safety functions.

The AP1000 SSCs acting as flood barriers include the following:

• Structural enclosures

• Structural barriers

• Curbs and elevated thresholds

• Leak detection systems

• Drain systems

Internal plant flooding can be attributed to piping ruptures, tank failures, or the actuation of fire suppression systems. The assessment of internal flooding is presented in Chapter 3.4 of Reference 4.4. The AP1000 arrangement provides physical separation of redundant safety-significant components and systems from each other and from non-safety-significant components. As a result, component failures resulting from internal flooding do not prevent safe shutdown of the plant or prevent mitigation of the flooding event. This includes the assessment of the clean side of the Auxiliary Building such that flood levels, including the limiting of the volume of fire fighting water supply, will not affect the operation of those electrical systems required for safe shutdown of the plant.

The AP1000 minimizes the number of penetrations through enclosure or barrier walls below the flood level. Those few penetrations through flood protection walls that are below the maximum flood level are watertight. Any process piping penetrating below the maximum flood level either is embedded in the wall or floor or is welded to a steel sleeve embedded in the wall or floor. There are no watertight doors in the AP1000 used for internal flood protection because they are not needed to protect SSCs from the effects of internal flooding. The walls, floors, and penetrations are designed to withstand the maximum anticipated hydrodynamic loads associated with a pipe failure. The two watertight doors on the waste holdup tank compartments limit the consequence of a failure on spent fuel pool water level. Systems classified as safety-significant that have the potential to be adversely affected by internal flooding have been designed to incorporate redundancy and segregation such that loss of one train will not affect overall functionality, or have been located such that they are above the highest potential internal flood level. The Internal Hazards Topic Report presents further information on design features of the AP1000 which provide conformance with this requirement. It should also be noted that, to afford a quantitative consideration of process and management issues associated with internal flooding fault sequences, it is also assessed in the AP1000 PRA.

The evaluation of containment flooding events addresses the impact of flooding on the SSCs. The AP1000 passive core cooling system, the internal containment compartments, and the equipment locations are designed for internal flooding to maintain post accident long-term cooling flow to the reactor core from the flooded volumes.

Outside the Nuclear Island there are no safety significant SSCs but flood prevention features are incorporated to prevent such events affecting the Nuclear Island and to limit the demand on safety significant SSCs. This includes drainage in the Turbine Building, and bunding and drainage of tankage.

Water Spray

The Internal Hazards Topic Report has reviewed the safe shutdown spray evaluation of the AP1000 and concludes that there is sufficient evidence that the SFRs, including the functionality of spray barriers, are such that the safety-significant equipment available after a spray event is adequate to bring the plant to a safe shutdown condition, i.e. the KSFs are not compromised. The water spray safety case is based on the following types of claims on SSCs:

• AP1000 structures provide adequate segregation of safety-significant SSCs in the event of the worst case water spray.

• The worst case water spray does not prevent safety-significant SSCs from achieving their safety functions. This argument includes the use of spray shields and environmental qualification of electrical equipment and containment valves.

Adequate drainage is available for the most limiting flood.

The assessment of spray is presented in Chapter 3.6.2.7 of Reference 4.4. The safe shutdown components inside containment are designed to withstand wetting from design basis events inside containment. These conditions bound the effects of spray from moderate size cracks in high/moderate energy piping. Sensitive components are qualified for this environment as described in Section 3.11 of Reference 4.4. This includes placing equipment in appropriately qualified enclosures; for example the doors to the auxiliary Class 1 battery rooms are normally closed, so spray cannot affect the batteries if fire fighting activities or a pipe crack were to occur in the corridor. If fire fighting activities were to occur in a particular room, all of the equipment is assumed inoperable due to the fire, therefore, no further spray effects need be considered. The containment isolation valves subject to spray and the safe shutdown components in the main steam tunnels are provided with spray protection.

Outside the Nuclear Island there are no safety significant SSCs, and internal flood prevention features will address hazards arising due to water spray.

Steam Leakage

The Internal Hazards Topic Report has reviewed the safe shutdown steam leakage evaluation and concludes that there is sufficient evidence that the SFRs, including the functionality of barriers, are such that the safety-significant equipment available after a steam leakage event is adequate to bring the plant to a safe shutdown condition, i.e. the KSFs are not compromised. The steam leakage safety case is based on the following types of claims on SSCs:

• AP1000 structures provide adequate segregation of safety-significant SSCs in the event of the worst case steam leakage, this includes the transient differential pressure.

• The worst case steam leakage does not prevent safety-significant SSCs from achieving their safety functions. This includes spray shields and environmental qualification of electrical equipment and containment valves.

Adequate drainage is bounded by the worst case flood drainage claim.

The assessment of steam leakage is presented in Chapter 3.6 of Reference 4.4. Systems designated essential for safe shutdown in the event of pipe rupture, where in proximity to pipe work that has not been assessed to demonstrate leak before break (LBB), are protected from the effects of steam leakage by distance and protective barriers, which are appropriately qualified. Each sub-compartment is analyzed for effects of differential pressures resulting from the break of the most limiting line in the sub-compartment which has not been evaluated for LBB in Chapter 6.2.1 of Reference 4.4. The sub-compartment analysis demonstrates that the wall differential pressures resulting from the most limiting high energy line break within the sub-compartments are within the design capability.

Outside the Nuclear Island there are no safety significant SSCs but steam leakage prevention features, e.g. pressurisation of the main steam tunnels, are incorporated to prevent such events affecting the Nuclear Island and to limit the demand on safety significant SSCs.

Pipe Whip Effects

The Internal Hazards Topic Report has reviewed the safe shutdown pipe whip evaluation for the AP1000 and concludes that there is sufficient evidence that the SFRs, including the functionality of barriers, are such that the safety-significant equipment available after a pipe whip event is adequate to bring the plant to a safe shutdown condition, i.e. the KSFs are not compromised. The pipe whip safety case is based on the following types of claims on SSCs:

• AP1000 structures provide adequate segregation of safety-significant SSCs in the event of the worst case pipe whip.

• The worst case pipe whip does not prevent safety-significant SSCs from achieving their safety functions. This includes pipe restraints, shields and environmental qualification of electrical equipment and containment valves.

Adequate drainage is bounded by the worst case flood drainage claim.

Section 3.6 of Reference 4.4 shows that the escape of steam, water, combustible or corrosive fluids, gases, and heat in the event of a pipe rupture will not preclude:

• Subsequent access to any areas, as required, to recover from the postulated pipe rupture

• Habitability of the control room

• Capability of safety-significant instrumentation, electric power supplies, components, and controls to perform safety functions

The assessment of the consequential effects of a pipe whip event has been addressed separately under internal flood, water spray, steam leakage, etc. Those systems designated essential for safe shutdown in the event of pipe rupture are the reactor coolant system, the steam generator system, the passive cooling system, the protection and safety monitoring system, Class 1 dc, the uninterruptible power supply, main control room and habitability system, containment penetrations and isolation valves.

Systems designated essential for safe shutdown in the event of pipe rupture, where in proximity to pipe work that has not been assessed to demonstrate leak before break, are protected from the effects of pipe whip by distance, protective barriers and pipe restraints, which are appropriately qualified.

Outside the Nuclear Island there are no safety significant SSCs but steam leakage prevention features are incorporated to prevent such events affecting the Nuclear Island, particularly from breaks in the main steam lines, and to limit the demand on safety significant SSCs.

Explosion

The Internal Hazards Topic Report has reviewed the safe shutdown evaluation in the DCD and concludes that there is sufficient evidence that the SFRs, including the functionality of barriers, are such that the safety-significant equipment available after an explosion event is adequate to bring the plant to a safe shutdown condition, i.e. the KSFs are not compromised. The explosion safety case is based on the following types of claims on SSCs:

• AP1000 structures provide adequate withstand to maintain segregation of safety-significant SSCs in the event of an explosion.

• Systems and components must prevent an explosion that would preclude the AP1000 from maintaining its KSFs. This would include the accumulation of explosive gases, inadvertent initiation of squib valve propellant and failure of gas pressurised equipment.

This section considers the potential hazards to plant caused by explosions of flammable fluids such as hydrocarbons and hydrogen, from high pressure systems, including nitrogen, and from high energy electrical components.

As far as practicable, the AP1000 plant design precludes explosion by avoiding the use of explosive material in the vicinity of safety-significant SSCs or by preventing the build-up of explosive material. Batteries present a potential source of hydrogen, so battery compartments are ventilated by a system designed to preclude the possibility of hydrogen accumulation. Hydrogen supplied to facilities on the Nuclear Island is stored in a compartment that contains no safety-significant SSCs. Only one hydrogen bottle at a time is connected to the hydrogen supply line, so the contents of this single bottle represent the maximum potential release; such a quantity, even if it remained concentrated in a single compartment (taking no account of ventilation), would not result in an explosion. The hydrogen supply line is not routed through compartments that do not have air movement due to ventilation systems. The storage area for plant gases is located sufficiently far from the Nuclear Island that an explosion would not result in missiles more energetic than the tornado missiles for which the Nuclear Island has designed withstand.

Where high pressure systems are required, leak-before-break compliant equipment has been used that allows depressurisation before a high energy rupture could occur. Additionally, pressure relief is provided to high pressure systems, where possible, to ensure that over-pressurisation does not occur.

Compartments containing potential explosion sources are also designed to withstand the transient differential pressures, and are vented so that differential pressures remain within structural limits.

Outside the Nuclear Island there are no safety-significant SSCs, but explosion prevention features are incorporated to prevent such events affecting the Nuclear Island and to limit the demand on safety-significant SSCs. These include the siting of explosive materials and appropriate construction, together with bunding and drainage of tankage containing potentially explosive materials.

Missiles

Page 84: Westinghouse Nuclear - TITLE: AP1000 Pre-Construction ... PDFs...1.5 Quality Assurance Process followed during the Production of the Generic Pre-Construction Safety Report 1-12 1.5.1

AP1000 Pre-Construction Safety Report

UKP-GW-GL-732 4-17 Revision 2

The Internal Hazards Topic Report concludes that the safety-significant equipment available after a missile event is adequate to bring the plant to a safe shutdown condition, i.e. the KSFs are not compromised. The missile safety case is based on the following types of claims on SSCs:

• AP1000 structures provide adequate withstand to maintain segregation of safety-significant SSCs in the event of a missile.

• Systems, structures and components must prevent production of a missile that would preclude the AP1000 from maintaining its KSFs.

This section considers the potential hazards to plant caused by missiles generated by rotating machinery and high energy systems.

In the AP1000 design the main items of rotating machinery are the reactor coolant pumps and the turbine generator.

Reactor coolant pump assembly rotational inertia is provided by a flywheel (inside the pump pressure boundary), the motor rotor and other rotating parts. These have been assessed in section 5.4 of Reference 4.4 to demonstrate that failures would not breach the coolant boundary.

The turbine orientation minimises potential interaction between turbine missiles and safety-significant structures, systems and components (SSCs). In the AP1000, the safety-significant area is contained within the containment Shield Building and the Auxiliary Building. The probability of a destructive overspeed condition and missile generation, assuming the recommended inspection and test frequencies, is less than 1 x 10^-5 per year. In addition, the orientation of the turbine-generator is such that a high-energy missile would be directed at a 90 degree angle away from safety-significant structures, systems or components. Therefore the probability of a high-trajectory missile impacting safety-significant areas of the AP1000 is less than 10^-7 per year. Failure of turbine-generator equipment does not preclude safe shutdown of the reactor. Details of turbine missile protection are documented in section 3.5.1.3 of Reference 4.4.

The following design principles have been applied to high energy water systems to avoid the generation of missiles:

• Valve stems of valves located in high-energy systems have at least two retention features. In addition to the stem threads, acceptable features include back seats on the stem or a power actuator, such as an air or motor operator.

• Thermowells and other instrument wells, vents, drains, test connections and other fittings located in high-energy systems are attached to the piping or pressurised equipment by welding. The completed joint should have a design strength greater than the parent metal. Threaded connections in high-energy systems are avoided.

• Instrumentation such as pressure, level and flow transmitters and associated piping and tubing are not considered as credible missiles. The quantity of high energy fluid in these instruments is limited and will not result in the generation of missiles. The connecting piping and tubing is made up using welded joints or compression fittings for the tubing. The tubing is of small diameter, and it has only a small amount of stored energy.


• Nuts, bolts, nut and bolt combinations and nut and stud combinations have only a small amount of stored energy, and are not considered as credible missiles.

• Rupture of vessels constructed without welding, using ASME Code Section VIII criteria, is not considered credible, because of their conservative design, material characteristics, inspections, quality control during fabrication and erection, and prudent operation.

The assessment of missile protection is presented in section 3.5 of Reference 4.4. Two fundamental criteria are applied in the AP1000 design:

• Missiles must not be capable of damaging SSCs so as to prevent safe shutdown or to result in a significant release of activity.

• A single active component failure is assumed in systems used to mitigate the effects of missiles and achieve safe shutdown, in addition to the direct consequences of the missile; this includes offsite power being unavailable (although not loss of structural integrity).

Outside the Nuclear Island there are no safety significant SSCs but missile prevention features are incorporated to prevent such events affecting the Nuclear Island and to limit the demand on safety significant SSCs. This includes siting of energy sources, the principal being the turbine as discussed above.

Releases of Toxic, Corrosive and Flammable Materials

The Internal Hazards Topic Report has reviewed the safe shutdown evaluation of the AP1000 and concludes that there is sufficient evidence for the SFRs such that the safety-significant equipment available after the release of toxic, corrosive and flammable materials is adequate to bring the plant to a safe shutdown condition, i.e. the KSFs are not compromised. The safety case is based on the following types of claims on SSCs:

• The AP1000 has been designed such that, where practicable, toxic, corrosive or flammable material is minimised, and is stored in locations and vessels designed (e.g. bunded vessels) such that quantities that could threaten safety-significant SSCs could not be released during storage or transit to the point of use.

• Where there is the potential for the accumulation or release of toxic, corrosive or flammable material, there are suitable and sufficient indications, alarms and controls to alert the operators to the need to take appropriate action.

• Each room and compartment is so designed that complete loss of operability of safety-significant SSCs within it due to the release of toxic, corrosive or flammable material would not compromise the KSFs.

There is a certain amount of non-radiological hazardous material present by necessity at nuclear power stations. Should this be accidentally accumulated, released or disturbed it might challenge nuclear safety in a variety of ways:

• By causing a fire

• By causing an explosion


• By asphyxiating or poisoning personnel required to respond to a challenge to nuclear safety

• By causing operating diesel engines to shut down

• By chemical or corrosive attack on some safety-significant SSC

• Brittle fracture of structural support through exposure to cryogenics

• By causing a criticality excursion, should it be a moderator (e.g. liquid hydrogen or a hydrocarbon) and spill onto nuclear fuel.

The following materials are present on an AP1000, and are potentially hazardous:

• Liquid and gaseous hydrogen

• Liquid and gaseous carbon dioxide

• Liquid and gaseous nitrogen

• Other industrial gases

• Boric acid

• Hydrazine

• Sulphuric acid

• Caustic soda

• Lithium hydroxide

• Turbine control gear hydraulic fluid

• Hydrogen peroxide (used as an algaecide, for keeping the passive containment cooling water supply clear of algae)

• Chemicals for dosing the circulating water system, the service water system and the central chilled water system (antifreeze)

• Refrigerant for the central chilled water system chillers

Potential for corrosion is considered in the DCD for three potential sources:


• The escape of steam, water, combustible or corrosive fluids, gases, and heat in the event of a pipe rupture will not preclude:

- Subsequent access to any areas, as required, to recover from the postulated pipe rupture

- Habitability of the control room

- Capability of essential instrumentation, electric power supplies, components, and controls to perform safety functions to the extent necessary to meet the criteria outlined in this section

• Prevention of internal pipe and vessel cracking mechanisms potentially involving corrosion (e.g. stress corrosion cracking) is treated implicitly by the plant design via appropriate control of primary coolant chemistry, as discussed in Section 5.2.3 of the DCD.

• Fire areas are designed to limit the spread of potentially corrosive gases in the event of a fire, with discharge routes to avoid areas where safety-significant SSCs are located. Further information is provided in Reference 4.4, Section 9.5.1.2.1.1.

The siting of toxic, corrosive and flammable material storage is such that it does not affect the ability of the safety-significant SSCs to achieve their KSFs. This will include appropriate bunding, drainage and ventilation.

Collapsing or Falling Loads

The Internal Hazards Topic Report has reviewed the safe shutdown evaluation of the AP1000 and concludes that there is sufficient evidence for the SFRs such that the safety-significant equipment available after a dropped load event is adequate to bring the plant to a safe shutdown condition, i.e. the KSFs are not compromised. The dropped load safety case is based on the following types of claims on SSCs:

• AP1000 fuel handling equipment is designed and operated to prevent fuel damage. This includes the qualification and integrity of the lifting devices and the use of safe lifting heights and transfer paths.

• AP1000 fuel handling equipment must be able to withstand the consequences of plant fault conditions such that the required safety significant SSCs continue to achieve their safety functions.

• Equipment handling devices must have sufficient integrity to prevent damage to safety significant SSCs.

This hazard covers loads dropped or mishandled by cranes and other types of lifting equipment that could damage safety-significant SSCs, including fuel, either directly by impact on the fuel or the SSC, or indirectly because of the collapse of a floor or wall supporting the SSC.

AP1000 SSCs are justified against collapsing or falling loads generally via their seismic justification, which is required to show that they have been located at a safe distance from dropped loads or can withstand their impact. Sub-section 4.4.2 of this PCSR addresses the safety assessment process associated with deterministic assessment of plant protection against seismic events.

The main equipment handling devices within containment are the polar crane, the equipment hatch hoist and the maintenance hatch hoist. Fuel is moved between the reactor vessel and the fuel transfer system by the refuelling machine. Outside containment, fuel is moved by the fuel handling machine, casks by the cask handling crane, new fuel by the new fuel elevator, and loads in the railcar bay by its dedicated gantry crane.

Biological Agents

The Internal Hazards Topic Report has reviewed the safe shutdown evaluation of the AP1000 and concludes that there is sufficient evidence for the SFRs such that the safety-significant equipment available after a biological event is adequate to bring the plant to a safe shutdown condition, i.e. the KSFs are not compromised. The biological agent safety case is based on the following types of claims on SSCs:

• The AP1000 has been designed such that biological agents, e.g. marine life, rodents, birds, insect swarms, will not threaten the performance of safety-significant SSCs.

Micro-organisms, birds, animals and fish, by getting into safety-significant areas, can compromise nuclear safety. The principal mechanisms are the blocking of cooling water systems, gnawing through electrical cables, and blocking ventilation ducts or drains with nest material. Facilities are installed to dose cooling water with biocide agents to keep pipework clear. Detailed features to prevent fish entering the cooling water pipes, and defences against bird entry, will be defined during site-specific design.

On-Site Transport Accidents

The Internal Hazards Topic Report has reviewed the safe shutdown evaluation of the AP1000 and concludes that the safety-significant equipment available after an on-site transport accident is adequate to bring the plant to a safe shutdown condition, i.e. the KSFs are not compromised. The on-site transport safety case is based on the following types of claims on SSCs:

• AP1000 structures provide adequate withstand to maintain segregation of safety-significant SSCs in the event of an on-site transport accident.

• The movement of radioactive materials within the site boundary of the AP1000 will be in justified containers and in a manner that will not result in the uncontrolled dispersion of radioactivity or the uncontrolled exposure of plant personnel or the public to radiation.

On-site radioactive movements include new fuel delivery, spent fuel cask movement to its dedicated on-site store, movement of Intermediate Level Waste (ILW), after encapsulation in the rail-car bay, to its dedicated ILW store, and Low Level Waste (LLW) movement to an interim on-site store or despatch off-site. These movements occur in justified containers.

On-site non-radioactive movements will include the delivery of diesel fuel to the ancillary and main diesel generator fuel stores and chemicals for the treatment of primary and secondary water. The toxic, corrosive and flammable chemicals are listed above.

Control of movements on-site will form part of the site-specific safety case once the position of movement routes of the various containers and tankers have been defined.


Electromagnetic Interference

The Internal Hazards Topic Report has reviewed the safe shutdown evaluation of the AP1000 and concludes that the safety-significant equipment will be available after an electromagnetic interference event to bring the plant to a safe shutdown condition, i.e. the KSFs are not compromised. The electromagnetic interference safety case is based on the following types of claims on SSCs:

• Electronic equipment used to defend the control of reactivity and core heat removal within the AP1000 design is procured and tested to the relevant standards that should render it immune to electromagnetic interference.

The Class 1 electrical equipment, identified in Table 2.5.2-1 of Reference 4.4, has electrical surge withstand capability and can withstand the electromagnetic interference, radio frequency interference and electrostatic discharge conditions that would exist before, during and after a Design Basis accident without loss of safety function for the time required to perform the safety function. SSCs required to perform the plant safety functions (control of reactivity, core heat removal, control of exposure to radioactive material, control of release of radioactive material) that could be vulnerable to these effects are classified as Class 1.

Consequential Hazards

The Internal Hazards Topic Report has reviewed the potential for an initial internal hazard resulting in a secondary hazard and concludes that there is sufficient evidence for the SFRs is such that the safety-significant equipment available is adequate to bring the plant to a safe shutdown condition, i.e. the KSFs are not compromised. The following combinations of hazards have been identified and reviewed:

• Fire causes flooding or water spray or an explosion or a dropped load.

• Water spray causes a steam release.

• Steam release causes a dropped load.

• Pipe whip causes flooding or water spray or steam release or explosion or missiles or dropped load.

• Explosion causes missiles or dropped load.

• Missiles cause flooding or dropped load.

• Dropped load causes flooding or water spray or steam release or pipe whip or explosion.

• An internal hazard causes an on-site transport accident.

The safety case for consequential hazards is based on these being either bounded by the claims identified above or covered by the following claim:

• AP1000 structures provide adequate withstand to maintain integrity of safety-significant SSCs in the event of an internal hazard, e.g. the polar crane does not collapse following a steam release or pipe whip event.


Consequential Hazards

The Internal Hazards Topic Report has identified where there is the potential for an initial external hazard causing an internal hazard. Such consequential hazards are addressed in the External Hazards Topic Report (Reference 5.11); see Section 4.5 of the PCSR. The combinations identified are:

• Earthquake followed by fire

• Earthquake followed by a pipe rupture

• Earthquake followed by turbine disintegration

• Earthquake followed by a dropped load

• Aeroplane crash followed by fire

• Aeroplane crash followed by a pipe rupture

• Aeroplane crash followed by turbine disintegration

• Aeroplane crash followed by a dropped load

• Extreme ambient temperature followed by a dropped load

• Extreme ambient temperature followed by a fire (freezing the fire fighting water).

The significance of the internal hazards resulting from such external hazards is reviewed in section 4.4.2, where consequential internal and external hazards are addressed.

4.4.1.3 Consideration of Internal Hazards in the Safety Assessment

The AP1000 design basis is that where possible the threat from internal hazards to prevent safe shutdown has been designed out and where the AP1000 has potential vulnerabilities to an internal hazard this is tested using the Probabilistic Risk Assessment (PRA) as described in European DCD Chapter 19 (it should be noted that the DCD uses the terminology of ‘external events’ for both internal and external hazards on the basis they are external to the plant systems).

Internal hazards considered in the AP1000 PRA are those events whose cause is external to the systems associated with normal and emergency operation. Some internal hazards may not pose a significant threat of a severe accident. Some internal hazards are addressed at the design stage and have a sufficiently low contribution to core damage frequency or plant risk.

The internal hazards that do not affect the design basis assessment of the AP1000 or are assessed as part of the design are:

• Pipe whip effects (impact)

• Explosion


• Missiles

• Releases of toxic, corrosive and flammable material

• Biological agents

• On site transport accidents

• Electromagnetic interference

The internal hazards that have been selected for evaluation of their effect on the design basis assessment of the AP1000 are:

• Fire

• Flood

Internal fire and internal flood have been selected for evaluation both for at-power and shutdown modes of operation. Chapter 5 provides a summary of the results of the PRA. Conservative, bounding fire and flood assessments show the core damage risk from these events is small compared to the core damage risk from at-power and shutdown events and that the potential for fires and floods and their spreading to safety-significant equipment is significantly reduced by the AP1000 layout and barriers. The PRA does not currently include an evaluation of the radiological risk during new and spent fuel handling.

The effects of the following internal hazards are encompassed within the assessment of internal flood:

• Water spray

• Steam leakage

• Pipe whip effects (water/steam leakage)

The following internal hazard will be reviewed as part of the evaluation of the radiological risk during new and spent fuel handling:

• Collapsing or falling loads

4.4.2 Assessment of External Hazards

A detailed review of external hazards has been undertaken in the supporting External Hazards Topic Report (Reference 4.8), with the following objectives:

• Identification of external hazards to be assessed (i.e. those within the Design Basis, with some consideration of hazard types and magnitudes beyond the Design Basis).

• Demonstration that the external hazards identified would not compromise the delivery of the KSFs, because of the withstand of safety-significant SSCs.

The following sub-sections detail how these objectives have been met.


4.4.2.1 Identification of External Hazards

A list of external hazards has been identified in Section 2 of the External Hazards Topic Report (Reference 4.8) following a review of UK good practice for nuclear safety cases. These have been assessed to ensure that the AP1000 SSCs have adequate withstand such that nuclear safety is not compromised.

The list of external hazards identified for review is presented below:

• Seismic

• External Flooding

• Aircraft Impact

• External Explosion

• Extreme Temperature

• Drought

• Extreme Wind

• External Fire

• External Missiles

• Biological Fouling

• EMI and Lightning

• Malicious Activities

• Surrounding Influences

Where appropriate, combinations of these external hazards (and also internal hazards), including consequential hazards, have also been assessed.

The withstand required by plant systems, structures and components against external hazards, such that appropriately safe operation can be maintained, has been addressed comprehensively in the DCD, primarily in Chapter 3 and will be discussed in more detail in the sub-section following. On the basis of the requirements for withstand being directly incorporated into the Design Basis for the plant systems, structures and components, only those postulated hazards with significant requirements on management are taken forward for further assessment in the PRA, to make sure that the requirements to address any potential vulnerabilities are captured. The external hazards taken forward to the PRA for this purpose are external flooding, extreme winds, seismic and transportation accidents (external explosion).


4.4.2.2 Plant Withstand to External Hazards

Each external hazard has been reviewed separately in the External Hazards Topic Report (Reference 4.8). For each external hazard, the External Hazards Topic Report identifies the claims on SSCs, supported by arguments that ensure that the delivery of the Key Safety Functions (KSFs) is not compromised. The External Hazards Topic Report also provides the evidence that these arguments can be substantiated. Consideration is also given, in each case, to combined hazards (whereby multiple external hazards could credibly affect the plant simultaneously, e.g. drought and external fire) and consequential hazards (whereby other external or internal hazards could potentially arise as the result of an external hazard, e.g. internal fire caused by a seismic event).

The conclusions arrived at for each external hazard are summarised in the following sections.

Seismic Hazards

In contrast to any other external hazard, a seismic event affects all the components of the plant at the same time. If the magnitude of the seismic event is sufficient, it could cause disruption and failures of components and buildings over the entire site. For the purposes of the seismic fault analysis, seismic events are described in terms of ground acceleration at an assumed rock outcrop. A seismic motion affecting any system, structure and component (SSC) is dependent on the properties of soil between the bedrock and the building and the response of the building structure to these motions.

The AP1000 seismic design has been reviewed relative to potential levels of UK seismic activity, and each of the AP1000 principal buildings and safety-significant systems has been reviewed to identify its specific safety arguments and supporting evidence. It is concluded that candidate sites would not experience seismic activity of a magnitude that exceeds the AP1000 design basis, and the specific claims against seismic activity, as an external hazard, are satisfied. These safety requirements are achieved by designing safety-significant systems, structures, components and fuel handling systems to preserve their integrity and capability after a Design Basis earthquake, by claims of the following types:

• A seismic categorisation process has been put in place for the AP1000 to capture design and substantiation requirements such that KSFs will be maintained in a credible seismic event.

• Nuclear Island buildings will withstand a seismic event such that KSFs are not compromised.

• Non-Nuclear Island buildings have been assessed and have been demonstrated not to fail in a seismic event such that safety significant SSCs in the Nuclear Island could be impaired.

• Seismic margin analysis has been carried out for AP1000 safety-significant SSCs that provides assurance of seismic withstand beyond the UK Design Basis.

• Safety-significant SSCs are seismic Category I or II (see section 4.5.2 of this PCSR) and as such are designed to withstand seismic events, such that they maintain any function required to maintain plant safety and do not compromise any such functions delivered by SSCs in the local area.


• No other SSC could fail following a seismic event such that a safety-significant SSC is consequently adversely affected.

The threat from seismic activity alone is shown not to present a significant risk to nuclear safety. Consideration is also given to internal and external hazards arising consequentially from a seismic event; it is shown that the withstand of the safety-significant systems and structures is sufficient that loss of KSFs will not occur.

The seismic categorisation process is summarised in sub-section 4.5 of the PCSR; all the associated claims on AP1000 systems and structures, and the arguments and evidence providing substantiation, are presented in the External Hazards Topic Report.

External Flooding

The basic steps involved in an external flooding analysis are similar to those followed for internal flooding in the individual plant examination. However, the focus of attention is on areas which, due to their location and grading, may be susceptible to external flood damage. This requires information on such items as dykes, surface grading, locations of structures and locations of equipment within the structures. It is expected that the generic envelope will bound site hazard parameters.

The AP1000 has been designed such that any external flooding event within the Design Basis would not compromise the control of core reactivity or the removal of heat from the core and would not result in the uncontrolled dispersion of radioactivity or the uncontrolled exposure of plant personnel or the public to radiation. This is achieved by preventing external flooding from accessing SSCs that deliver these safety functions with a combination of sea/estuarine defences as well as building withstand measures. Each of the AP1000 principal buildings has been reviewed to identify their specific safety requirements and specify the supporting evidence. It is concluded that the specific demands against flood, as an external hazard, are satisfied by the following:

• AP1000 assessment parameters for external flooding exceed those associated with the UK Design Basis events, even when account is taken for climate change.

• Nuclear Island building structures have been designed such that precipitation cannot cause structural failure, reach safety-significant SSCs, or otherwise compromise the capability of safety-significant SSCs to deliver safety functions.

• Flooding from land-based sources is protected against in the AP1000 design by appropriate site grading, protection of piping penetrations below grade and waterproofing below grade.

• Defence from seawater flooding is provided; however, the adequacy of this defence will need to be confirmed on a site-specific basis.

• Safety-significant SSCs are seismic Category I or II and as such are designed to withstand seismic events, such that they maintain any function required to maintain plant safety and do not compromise any such functions delivered by SSCs in the local area.

• No other SSC could fail following an external flooding event such that a safety-significant SSC is consequently adversely affected.


All the associated claims on AP1000 systems and structures, and the arguments and evidence providing substantiation, are presented in the External Hazards Topic Report.

Aircraft Impact

The evaluation of plant damage caused by aircraft impact is a complex problem involving phenomena associated with structural impact, shock-induced vibration and fire effects. The analysis of the aircraft impact considers structural damage, such as that caused by the penetration of hardened components (e.g. engine rotors, landing gear), the effects of the aircraft fuselage and wing structure, and the effects of shock-induced vibration on SSCs.

The probability of an accidental aircraft impact can be said to be acceptably low because of the regulatory and administrative arrangements that prohibit aircraft access close to UK nuclear power station sites. An aircraft crashing into the AP1000 will need a site-specific assessment to determine if this event is beyond design basis.

The AP1000 has been designed such that any aircraft impact within the Design Basis would not compromise the control of core reactivity or the removal of heat from the core and would not result in the uncontrolled dispersion of radioactivity or the uncontrolled exposure of plant personnel or the public to radiation. This is achieved primarily through arguments of the following types:

• Safety-significant SSCs are seismic Category I and are designed to withstand aircraft impact.

• No other SSC could fail following an aircraft impact such that a Class 1 SSC is consequently adversely affected.

Aircraft impact is assessed in more detail in separate reports that will not be available for use in this document for reasons of security.

All claims, and the arguments and evidence providing substantiation, are also presented fully in the External Hazards Topic Report.

External Explosion

Within the framework of nuclear safety, sources of credible external explosion are:

• Vapour cloud explosions (uncontrolled chemical reactions)

• Boiling liquid expanding vapour explosions (BLEVEs)

• Rapid phase transitions (RPT)

• Explosion of dangerous material such as dynamite or other munitions.

The effects of explosives that are of concern in analysing structural response to blast are incident or reflected pressure (overpressure), dynamic (drag) pressure, blast-induced ground motion and blast-generated missiles. Nevertheless, credible external explosion events have a magnitude for which overpressure effects are controlling. Drag pressure effects will be much smaller than those due to the wind loading assumed for the Design Basis tornado. The effects of blast-induced ground motion for credible sources of explosion are less than those of the vibratory ground motion associated with the Safe Shutdown Earthquake (SSE).

The evaluation of nuclear plant damage caused by an external explosion is a very complex problem that involves the analysis of various phenomena: the nature of the explosion, the amount of explosive material, magnitude of the shock wave overpressure, subsequent shock-induced vibrations, thermal and radiation effects and fire.

The AP1000 has been designed such that any damage caused by external explosions would not compromise the control of core reactivity and the removal of heat from the core or result in the uncontrolled dispersion of radioactivity or the uncontrolled exposure of plant personnel or the public to radiation.

Each of the AP1000 principal areas and buildings has been reviewed to identify their specific safety requirements and their supporting evidence. It is concluded that the specific claims against external explosions have been assessed and are satisfied. It follows that the design of the plant, notwithstanding a site-specific assessment, ensures that explosions external to the site will not threaten nuclear safety-significant systems, and that explosions adjacent to the site do not threaten nuclear safety. These objectives are achieved as follows:

• Nuclear Island buildings will withstand an external explosion such that key safety functions (KSFs) are not compromised.

• Non-Nuclear Island buildings have been assessed and have been demonstrated not to fail following an external explosion in a way that could impair safety-significant SSCs in the Nuclear Island.

• The COMAH (Control of Major Accident Hazards) regulations will identify hazards from surrounding sites, which will help to reduce the risk posed by such sites.

• Safety-significant SSCs are seismic Category I and as such are designed to withstand seismic events, such that they maintain any function required to maintain plant safety and do not compromise any such functions delivered by SSCs in the local area.

• No other SSC could fail following an external explosion such that a safety-significant SSC is consequently adversely affected.

All the associated claims on AP1000 systems and structures, and the arguments and evidence providing substantiation, are presented in the External Hazards Topic Report.

Extreme Ambient Temperature

Extremes of high and low temperature have been considered for both air and seawater and the impacts that these can have on the plant systems. There are three main issues that need to be addressed when considering extreme temperature; these are:

• The effects of high and low air temperature on the plant and equipment, in particular safety critical electronics and HVAC systems. The Auxiliary Building HVAC system is required to maintain the ambient temperature within the rooms which house the Class 1 equipment to within their acceptable operating range. An extreme ambient temperature could affect the HVAC system's ability to provide this function if the temperature lies outside the system's operating envelope.

• The reduction in the effectiveness of the two key heat sinks for the plant; the air and sea.

• The effect of humidity on the plant and equipment, in particular safety critical electronics and HVAC systems.

The safety features for the AP1000 will function within their design requirements across the full range of extreme ambient temperatures and humidity. Each of the AP1000 principal buildings has been reviewed to identify their specific safety functional requirements and specify the supporting evidence. These objectives are achieved by claims of the following types:

• The projections of the extremes of UK temperature (including consideration of climate change) are bounded by the Design Basis of the plant and thus will not challenge the high-level safety functions of the AP1000. This is discussed further in Chapter 3.1 of this PCSR.

• Environmental qualification of the safety significant SSCs within the Containment/Shield Building ensures that key safety function delivery will not be affected by extreme ambient temperature.

• The effects of damage to SSCs within non-Nuclear Island buildings and the structures of these buildings on safety-significant plant located elsewhere are bounded by the consideration of seismic hazards.

All the associated claims on AP1000 systems and structures, and the arguments and evidence providing substantiation, are presented in the External Hazards Topic Report (Reference 4.8).

Drought

The two potential hazards that arise from drought conditions are:

• The interruption to the supply of the plant’s water from the local source.

• Damage to the plant’s foundations from changes in the water table.

It is judged that the geology of the site upon which the foundations will be built will not be affected by changes in ground water levels to an extent that it will affect nuclear safety; however this will be confirmed on a site specific basis.

The AP1000 has been designed such that, given the substantial lead time before a drought takes effect, a drought would not compromise the control of core reactivity or the removal of heat from the core and would not result in the uncontrolled dispersion of radioactivity or the uncontrolled exposure of plant personnel or the public to radiation.

Each of the AP1000 principal buildings has been reviewed to identify their specific safety requirements and specify the supporting evidence. It is concluded that the specific claims against drought are satisfied through the substantial lead time available to protect against drought, the use of appropriately sized water buffer storage tanks, where required, to eliminate any reliance on the external water supply, and the use of appropriate building design standards.


All the associated claims on AP1000 systems and structures, and the arguments and evidence providing substantiation, are presented in the External Hazards Topic Report (Reference 4.8).

Extreme Wind

Wind comes in various forms and is influenced by many factors, including location, altitude, direction and topography. A more detailed analysis of these factors will be covered in the site-specific external hazards reports.

Sources of extreme wind include:

• Sustained wind

• Gusting

• Tornadoes

• Hurricanes

• Sand storm

• Salt spray.

Wind-induced missiles (such as wind-induced car impact) are generally considered to be bounding for the AP1000 and are covered under external missile hazards.

Extreme winds (including tornadoes) can affect plant structures in particular ways:

• If wind forces exceed the load capacity of a building or other external facility, the walls or framing might collapse or the structure might overturn due to the excessive loading.

• Damage caused by the wind may result in loss of offsite power (LOOP), which is covered in the fault analysis.

The AP1000 has been designed such that any hazard caused by extreme wind within the Design Basis would not compromise the control of core reactivity and the removal of heat from the core and would not result in the uncontrolled dispersion of radioactivity or the uncontrolled exposure of plant personnel or the public to radiation.

Each of the AP1000 principal buildings has been reviewed to identify their specific safety requirements and specify the supporting evidence. It is concluded that the specific claims against extreme wind are satisfied, since the buildings are designed to withstand extreme winds beyond those expected in the UK. Where required, adequate alarms, systems and controls are in place to inform operators of any action required. These objectives are achieved as follows:

• AP1000 assessment parameters for extreme wind exceed those associated with the UK Design Basis events.


• Nuclear Island building structures will withstand extreme wind such that KSFs are not compromised.

• Extreme wind-induced damage to SSCs outside the Nuclear Island will not compromise key safety-significant SSCs on the Nuclear Island.

• Safety-significant SSCs are seismic Category I and as such are designed to withstand seismic events, such that they maintain any function required to maintain plant safety and do not compromise any such functions delivered by SSCs in the local area.

• No other SSC could fail due to extreme wind such that a safety-significant SSC is consequently adversely affected.

All the associated claims on AP1000 systems and structures, and the arguments and evidence providing substantiation, are presented in the External Hazards Topic Report.

External Fire

Fires originating externally to the site boundary are considered to be in the form of the following:

• Marine based

• Land based (including bush fires)

Marine fires, such as fires aboard a ship, and land based fires (e.g. bush or forest fires) pose a threat to nuclear safety through the possibility of smoke and toxic/hot fumes entering the building and affecting personnel and equipment, and also by restricting access to the site or affecting offsite power. Man-made external fire hazards may arise from fixed hazardous facilities or from the transport of combustible material; these hazards should be assessed on a site-specific basis.

Any fires that penetrate the site boundary are considered to be internal fires and are discussed in the Internal Hazards Topic Report (Reference 4.3).

The AP1000 is designed to withstand the effects of external smoke, heat or fumes caused by external fires to the extent that they would not compromise the control of core reactivity and the removal of heat from the core and would not result in the uncontrolled dispersion of radioactivity or the uncontrolled exposure of plant personnel or the public to radiation. Each of the AP1000 principal areas and buildings has been reviewed to identify their specific safety requirements and their supporting evidence. It is concluded that the specific claims against fire, as an external hazard, have been assessed and are satisfied. These objectives are achieved by claims of the following types:

• Nuclear Island building structures and equipment will protect against smoke entering the building such that KSFs and MCR operator actions are not compromised.

• Fire doors prevent external smoke from entering areas of the plant where safety significant SSCs that are susceptible to smoke damage are housed.


• The Main Control Room Emergency Habitability System (VES) / Control Support Area (CSA) are designed so that the occupants of the MCR are protected against external smoke.

• Smoke-induced damage to SSCs outside the Nuclear Island will not compromise key safety significant SSCs on the Nuclear Island.

All the associated claims on AP1000 systems and structures, and the arguments and evidence providing substantiation, are presented in the External Hazards Topic Report (Reference 4.8).

External Missiles

The term missile is used to describe a moving object that is capable of striking any component of the plant. Malicious missiles, whether explosive or not (e.g. bombs and rockets), are specifically excluded from consideration. Missiles covered include:

• Wind Induced Missiles

• Missiles from adjacent sites

• Explosion Induced Missiles

• Meteorites

The AP1000 has been designed such that any external missiles within the Design Basis would not compromise the control of core reactivity or the removal of heat from the core and would not result in the uncontrolled dispersion of radioactivity or the uncontrolled exposure of plant personnel or the public to radiation. This is achieved by designing the safety significant SSCs to withstand the effects of missile impact.

Each of the AP1000 principal buildings has been reviewed to identify their specific safety requirements and specify the supporting evidence. It is concluded that the specific claims against external missiles are satisfied, in that the AP1000 criteria protect the integrity of the reactor coolant system pressure boundary and maintain offsite radiological dose/concentration levels. These objectives are achieved by claims of the following types:

• Missiles produced by tornados that could credibly be experienced in the UK are within the AP1000 Design Basis.

• External missiles cannot cause structural failure, reach safety-significant SSCs or otherwise compromise the ability of SSCs within the Shield/Containment Building to deliver their safety functions.

All the associated claims on AP1000 systems and structures, and the arguments and evidence providing substantiation, are presented in the External Hazards Topic Report.

Biological Fouling

There have been instances on UK nuclear power stations where micro-organisms, birds, animals and fish, by infiltrating safety significant areas, have compromised nuclear safety. The principal mechanisms that have been observed are the blocking of cooling water systems, gnawing through electrical cables and blocking drains with nest material; there are potentially other mechanisms that should also be considered.

Biological agents considered in the External Hazards Topic Report cover:

• Land/Air based biological hazards

- Rodents

- Seagulls

- Insects (airborne swarms, infestation)

- Tree roots

• Water based biological hazards

- Seaweed (marine growth)

- Fish/Jelly Fish

- Microbes (organic materials)

The AP1000 protects against the entry of biological agents so they will not compromise the control of core reactivity and the removal of heat from the core, or result in the uncontrolled dispersion of radioactivity or the uncontrolled exposure of plant personnel or the public to radiation.

The high-level safety functions will not be adversely affected by biological fouling. For example, bird screens are fitted to the Shield Building air inlets to prevent fouling of the passive containment cooling system and chemicals are used in the water to prevent biological growth. It is concluded that the specific claims against biological agents, as an external hazard, have been assessed and are satisfied.

All the associated claims on AP1000 systems and structures, and the arguments and evidence providing substantiation, are presented in the External Hazards Topic Report.

Electromagnetic Interference (EMI) and Lightning

The following have been considered as external sources emitting EMI. Only external sources more onerous than internal sources have been considered.


• Natural EMI sources - Sources that are associated with natural phenomena. They include atmospheric charge/discharge phenomena such as lightning and precipitation static and extraterrestrial sources including radiation from the sun and galactic sources such as radio stars, galaxies and other cosmic sources.

• Man-made EMI sources - Sources associated with man-made devices such as power lines.

• Conducted EMI - Noise signals transmitted via electrical conduction paths (e.g. wires, ground planes).

• Radiated EMI - Electric and magnetic fields transmitted through space from source to receptor.

• Intentional radiating emitters - Emitters whose primary function depends on radiated emissions. Examples include licensed electronic communication systems, i.e. communication, navigation and radar systems.

• Unintentional (incidental) radiating devices - Devices that radiate at radio frequencies although this is not their primary function.

• Restricted radiating devices - Devices that intentionally use electromagnetic radiation for purposes other than communication or data transfer (e.g. operating systems, wireless microphones).

Class 1E electronic equipment within the AP1000 design is resistant to external electromagnetic interference and lightning. Even so, the complete loss of operability of electronic equipment within multiple cabinets would not compromise the control of core reactivity and the removal of heat from the core, or result in the uncontrolled dispersion of radioactivity or the uncontrolled exposure of plant personnel or the public to radiation.

The protection and safety monitoring system and the diverse actuation system, amongst others, can withstand electromagnetic interference and other electrical threats, to ensure safe shutdown of the reactor. It is concluded that the specific claims against electromagnetic interference have been assessed and are satisfied.

All the associated claims on AP1000 systems and structures, and the arguments and evidence providing substantiation, are presented in the External Hazards Topic Report.

Malicious Activities

Malicious activities are covered in documents APP-GW-GLR-066 and APP-GW-GLR-126. Due to the sensitive nature of this topic the claims, arguments and evidence are discussed in separate reports, with the considerations needed for the site discussed here.

Surrounding Influences

Outstanding surrounding influences identified in this document are site specific and will be covered on an individual basis.


Combined Hazards

Hazards occurring in combination with an external hazard are considered in detail in the External Hazards Topic Report (Reference 4.8). This section presents a number of the key findings. No credible combination of external hazards has been identified that could result in more impact on nuclear safety than would be achieved by each occurring independently.

Combinations of hazards could include extreme wind and flooding (seawater/precipitation). Although these events are likely to occur together, the biggest risk to the site would be from an extreme rainfall event combined with an extreme high sea level and a storm surge. High winds could potentially lead to greater wave heights, leading to overtopping of the sea defences. For the generic site there is no risk from seawater flooding as grade is at 30.5 m (100 ft). However, site-specific analysis will be required to take into account local variations.

During periods of extreme high temperature it is also feasible that bush fires and perhaps even explosions of fuel tanks could occur. The combined effect of these hazards, however, is no more severe than the individual consequences. The greatest risk to nuclear safety would be during periods of drought and high ambient temperature, when a demand is placed on the fire water supplies.

Consequential Hazards

Consequential hazards arising as a result of an external hazard are considered in detail in the External Hazards Topic Report (Reference 4.8). This section presents a number of the key findings.

External hazards such as external explosion or external missile could occur as a result of a seismic event, however, the effect of these events would be no more of a threat to nuclear safety than if they were to occur independently.

Detailed discussions are provided in the External Hazards Topic Report relating to fire, turbine disintegration and pipe rupture arising as a consequence of a seismic event, to show that the withstand of the plant systems and structures, particularly those that are safety significant, is sufficient that loss of the KSFs is protected against.

With the exception of a BLEVE, no credible consequential hazards have been identified as a result of a Design Basis external explosion event. The consequential hazards of a BLEVE are judged to be a site specific issue as discussed in the External Hazards Topic Report (Reference 4.8).

Other plant accidents or severe natural phenomena are not assumed to occur following a postulated missile impact. In addition, offsite power is assumed to be unavailable if a trip of the turbine-generator or reactor protection system is a direct consequence of the postulated missile.


It is possible that flooding or high sea levels could increase the amount of biological fouling. This will be a site-specific issue dependent upon the location of the service water supply connection; adequate inspections will be needed to maintain the connection pathways.

Lightning is not considered to present a significant threat to nuclear safety. In particular, lightning does not pose a threat to any SSCs which are claimed in support of the internal fire hazard and therefore the threat to nuclear safety is no worse than an internal fire event caused by other means.

4.4.2.3 Consideration of External Hazards in the Safety Assessment

The AP1000 design basis is that where possible the threat from external hazards to prevent safe shutdown has been designed out and where the AP1000 has potential vulnerabilities to an external hazard this is tested using the Probabilistic Risk Assessment (PRA) as described in Reference 4.4 Chapter 19 (it should be noted that Reference 4.4 uses the terminology of ‘external events’ for both internal and external hazards on the basis they are external to the plant systems).

External hazards considered in the AP1000 PRA are those events whose cause is external to the systems associated with normal and emergency operations. The majority of external hazards do not pose a significant threat of a severe accident. Some external hazards are considered at the design stage and have a sufficiently low contribution to core damage frequency or plant risk.

The external hazards that have been selected for evaluation of their effect on the design basis assessment of the AP1000 are:

• External flooding

• Extreme winds

• Seismic

• Transportation accidents (external explosion).

Other external hazards do not affect the design basis assessment of the AP1000 nor are they assessed as part of the design.

Chapter 5 of this PCSR provides a summary of the results of the PRA. Conservative, bounding assessments show the core damage risk from events listed above is small compared to the core damage risk from at-power and shutdown events and that the potential for consequential hazards spreading to safety-significant equipment is significantly reduced by the AP1000 layout and barriers.

It should be noted that the PRA does not currently include an evaluation of the radiological risk during new and spent fuel handling.


4.5 Engineering Substantiation

Once requirements or claims have been identified for plant systems, structures and components to maintain specific safety functions, as discussed in the previous sub-sections for normal operations, fault conditions and internal/external hazards, consideration has to be given as to how the SSC will satisfy the claim or requirement with an appropriate degree of confidence. This sub-section shows the various categorization, classification and qualification processes that are applied, to make sure that SSCs are designed with a degree of robustness appropriate to their importance to nuclear safety. Consideration is also given to confirming that the codes and standards underpinning the categorization and classification processes are appropriate and mature.

Chapter 5 goes on to present safety analyses showing how the plant responds appropriately in fault conditions, and Chapters 6 and 7 present further substantiation of specific design requirements on SSCs.

4.5.1 Safety Classification of Systems, Structures and Components

For the AP1000, once a safety function category (A, B or C) has been assigned to a claim or requirement on a specific SSC, in line with the safety function it delivers (or supports the delivery of), the SSC is assigned a Safety Class between 1 and 3. The Safety Class takes account of the extent to which the SSC supports its corresponding safety function. At this point, consideration is given to functional defence in depth, diversity and redundancy in the plant design; these issues are not considered prior to this point in the categorization and classification processes.

The Safety Classes are defined below.

Class 1:

Class 1 SSCs provide the principal means of fulfilling a safety function.

These SSCs are standby or normally operating SSCs required to mitigate design basis accidents, consistent with the analysis in the European DCD. These SSCs provide the principal means for the protection of the health and safety of the public, are referred to as safety-related, and are selected using deterministic methods. The reliability of these features is confirmed using a probabilistic sensitivity analysis.

Generally, Class 1 SSCs are subject to operability and availability limitations as documented in the AP1000 Technical Specifications, Inservice Testing (IST) Program, and Inservice Inspection (ISI) Program.

Class 2:

Class 2 SSCs are a significant contributor to fulfilling a safety function.

A significant contributor is defined as a SSC that provides a supplementary capability for those SSCs utilized in the response to design basis and beyond design basis accidents. Class 2 SSCs are identified using a combination of deterministic and probabilistic analysis methods. Examples of these analyses include:


• Anticipated Transient without Scram (ATWS)

• Loss of all ac power

• Post-72-hour actions

• Containment performance

• Adverse interactions with the AP1000 safety-related systems

• Seismic considerations

• Probabilistic risk assessment (PRA) event mitigation evaluation

• PRA initiating event frequency evaluation

Class 2 SSCs support active functions intended to supplement the performance of Class 1 passive safety functions. These Class 2 functions increase the reliability of their associated Class 1 SSCs by reducing the number of operating cycles imposed on the Class 1 SSCs. These Class 2 functions are those defence-in-depth functions that are designed for post-trip operation and considered the preferred alternate means (to the safety-related means) of fulfilling a safety-related function.

Class 2 SSCs are subject to the application of availability controls based on the importance of the associated safety function. Types of availability control include Technical Specifications, Investment Protection Short-Term Availability Controls, and the plant maintenance program.

Class 3:

Class 3 SSCs are all other SSCs that are not Class 1 or Class 2 that provide contributions to maintaining nuclear safety.

The three levels of classification are linked to the use of codes and standards to define design features, levels of substantiation and through-life management.

Class 1 SSCs use recognised nuclear industry codes. The majority of Class 1 SSCs are designed and manufactured to ASME Section III, Class 1, 2 or 3. In some instances, no nuclear standard has been identified because of the nature of the SSC. In these cases, “manufacturer’s standards” are used, meaning the capability of the SSC is developed through engineering practice. Examples of Class 1 SSCs for which this is the case include:

• In-containment refuelling water storage tank (IRWST) gutter

• IRWST screens

• Control rod control clusters

The majority of the Class 2 SSCs are designed to ASME VIII or to the manufacturer’s standards. The following codes and standards are used for Class 2 SSCs:

• ANSI/AMCA 210, 211 and 300 are used for the battery room exhaust fans


• ANSI 16.34 and B31.1 are used for Class 2 valves

• ANSI/AMCA 500 is used for dampers in the auxiliary building

• API 650 is used for the passive containment cooling auxiliary water storage tank

• Hydraulic Institute standards are used for the startup feedwater and Passive Containment Cooling System (PCS) recirculation pumps

• UL 142 is used for the ancillary diesel generator fuel tank

• UL 1025 and NFPA 70 are used for unit heaters

• UL 555S is used for fire dampers

Class 3 SSCs use the same codes and standards applicable to Class 2 SSCs.

The application of the codes used in the design and justification of Class 1 and 2 SSCs is reviewed against UK relevant good practice in the AP1000 Codes and Standards Equivalence and Maturity Study (Reference 5.14), to confirm that they provide an appropriately rigorous basis for seismic design. This review is discussed in more detail in sub-section 4.5.4 of this report. The codes and standards associated with structural withstand are discussed in the following sub-section on seismic categorisation.

A listing of safety categories and classes associated with normal operation and DB fault conditions for all plant SSCs is presented in the AP1000 UK Safety Categorisation and Classification of Structures, Systems and Components report (Reference 4.2).

It should be noted that further work is currently ongoing to identify the codes and standards associated with these Safety Classes for electrical systems which will be reported in the Electrical System Topic Report. The US classification associated with electrical systems is retained in some parts of this report; where an SSC is identified as Class 1E, this corresponds to Safety Class 1 or 2. SSCs identified as non-Class 1E correspond to Safety Class 3.

The specific application of classification to instrumentation and control is under development.

In this classification system, and throughout this PCSR and supporting technical documents, those SSCs of Safety Class 1 are termed ‘safety significant’. Use of this term recognises that SSCs of these classifications are required to function in the event of a Design Basis event (unless it is their failure that has precipitated the event), and must maintain their safety function when challenged by Design Basis internal and external hazards. Therefore, SSCs of these classifications are required to have robust withstand against the conditions and loadings that may be experienced in Design Basis events and as a result of internal and external hazards. Sometimes these challenges may be indirectly caused by hazards; for example, a safety significant SSC may withstand the direct effect of a seismic event, but could be challenged by the collapse of a neighbouring SSC that is not safety significant. Challenges such as these are addressed by seismic categorisation of AP1000 SSCs.


4.5.2 Seismic Categorisation of Systems, Structures and Components

The seismic categorisation methodology applied for the AP1000 places plant SSCs into one of three categories, as summarised below:

• Seismic Category I SSCs are those that are safety significant (i.e. Safety Class 1). These SSCs are required to retain safety functionality following a Design Basis seismic event.

• Seismic Category II SSCs are those that are not safety significant (i.e. Safety Class 3, Class 2, or without a safety classification) but that could pose a threat to the functionality of safety significant SSCs in the event of failure in a Design Basis seismic event. Seismic Category II structures are designed or physically arranged (or both) so that the safe shutdown earthquake could not cause unacceptable structural interaction with or failure of seismic Category I structures, systems, and components.

• Non-Seismic SSCs are those that are not Seismic Category I or II.

Those structures that make up the AP1000 Nuclear Island are designated seismic Category I. These are the Containment Building, the Shield Building, the Auxiliary Building and their common basemat. For each building, the categorisation encompasses their internal and external structures, with the exception of the plant vent and stair structures, which are designated seismic Category II. Section 3.7.2 of the European DCD (Reference 4.4) presents the seismic design process applied for seismic Category I structures and sub-Section 6.1.3 of the External Hazards Topic Report (Reference 4.8) presents the claims, arguments and evidence associated with the demonstration that the Nuclear Island will withstand the Design Basis seismic event without loss of safety functionality. The Design Basis seismic event for the UK is defined in sub-Section 6.1.2 of the External Hazards Topic Report.

Of the AP1000 structures outwith the Nuclear Island, the portion of the Annex Building that is adjacent to the Nuclear Island is designated seismic Category II, and all other structures are non-seismic. Sub-Section 3.7.2.8 of the European DCD (Reference 4.4) presents the analysis carried out with regard to the interaction of seismic Category II and non-seismic structures with seismic Category I SSCs. Sub-Section 6.1.3 of the External Hazards Topic Report (Reference 4.8) presents the claims, arguments and evidence associated with the demonstration that the effect of a Design Basis seismic event on the non-Nuclear Island structures will not affect safety function delivery.

The safety significant AP1000 systems and components are identified in the AP1000 UK Safety Categorisation and Classification of Structures Systems and Components report (Reference 4.2) as those assigned Safety Class 1. This report also identifies the seismic categorisation of all of these systems and components. Sub-Section 3.7.3 of the European DCD (Reference 4.4) presents the seismic design process applied for seismic Category I structures, and sub-Section 3.7.3.13 presents the analysis carried out with regard to the interaction of seismic Category II and non-seismic systems and components with seismic Category I SSCs. Sub-Section 6.1.3 of the External Hazards Topic Report (Reference 4.8) presents the claims, arguments and evidence associated with the demonstration that the effect of a Design Basis seismic event on the AP1000 systems and components will not affect safety function delivery.

The principal codes identifying the design and analysis procedures associated with the seismic Category I SSCs, including assumptions on boundary conditions and expected behaviour under loads, are ACI-349 for concrete structures and AISC-N690 for steel structures. The application of these codes is reviewed against UK relevant good practice in the AP1000 Codes and Standards Equivalence and Maturity Study (Reference 4.9), to confirm that they provide an appropriately rigorous basis for seismic design.

The seismic Category I structures of the AP1000 are also designed to be resistant to loadings from other external sources; pressure and missiles arising from extreme wind and loads generated by probable maximum precipitation. The claims, arguments and evidence associated with qualification against these loadings are presented in Section 6.0 of the External Hazards Topic Report (Reference 4.8).

4.5.3 Incredibility of Failure Issues

While all plant SSCs are assigned a Safety Class 1 to 3 in accordance with the process detailed previously in this sub-section, there are some components that are special cases of Class 1. These special cases are invoked where:

• A metal component or structure forms a principal means of ensuring nuclear safety, and

• The estimated likelihood of gross failure needs to be very low or the safety case claims gross failure can be discounted.

In these cases, a more demanding assessment is required for the component in question, referred to as an Incredibility of Failure (IoF) structural integrity safety case. For IoF components, where defence in depth does not exist in the sense that there are not multiple physical barriers to provide protection, defence in depth must be based on application of alternative multiple arguments and/or diverse sources of information. In addition, the component or structure should be as defect-free as possible, and tolerant of defects.

The safety case for IoF components must include:

• Sound design engineering practices including proven designs, proper materials selection, and appropriate manufacturing methods

• Application of appropriate non-destructive examination methods during manufacturing, including the use of European Network for Inspection Qualification (ENIQ)-based qualified manufacturing examination methods to confirm the absence of structurally significant crack-like defects

• Definition of a defensible end of life limiting defect size that can be applied in the determination of a qualification defect size for the ENIQ-based inspection system qualification

• Selection of a material toughness that allows for defect tolerant materials

• Performance of a site-applied pre-service inspection using an inspection system qualified per ENIQ practices

• Sound operation, maintenance and inspection practices.

The parameters and standards associated with the development of IoF safety cases are under development and are discussed in more detail in the WEC response to ND Regulatory Observation RO-AP1000-18.A1 (Reference 4.10). This reference also presents a process to be applied systematically to AP1000 SSCs to ensure that the level of structural integrity assessment applied is proportionate to their importance to nuclear safety. This involves review of SSC safety classes, Design Basis accident analyses and plant layout, to identify any components that are special cases in accordance with the criteria presented at the start of this sub-section. Any such components are designated IoF and substantiation for the claims made on their structural integrity will be addressed accordingly. A preliminary review suggests that the components likely to be identified as IoF are the reactor pressure vessel, the pressuriser, steam generator shell, channel head and tubesheet, reactor coolant pump casing and any Class 1 piping that does not have appropriately qualified pipe whip restraints. When this review has been performed, it will be reported within the PCSR and supporting documents.

4.5.4 Application of Codes and Standards

The classification (or seismic categorisation) of an SSC dictates the level of rigour to be adhered to in the design and fabrication of the SSC, reflected in the use of appropriate codes and standards.

The AP1000 Equivalence/Maturity Study of US Codes and Standards report (Reference 4.9) considers the safety-significant US codes and standards used in the design of the Westinghouse AP1000 plant, and determines whether their equivalence and maturity relative to the current versions of the corresponding codes and standards used in the UK and Europe is adequate.

The report presents a structured review process to identify not only those codes and standards that are directly used to support Class 1 and Class 2 (i.e. safety significant) SSCs, but also those standards that underpin the general plant design such that they have a significant impact on nuclear safety. These codes and standards, in the versions applied in the plant design, are subjected to equivalence and maturity reviews to determine whether they are:

• Recognised/utilised in the UK and Europe, or

• Equivalent to recognised UK and European codes and practices (termed the equivalence review), and

• The current version, or

• Equivalent to the current version (termed the maturity review).

Equivalence and maturity success criteria were developed for the comparison of codes/standards used in the AP1000 design against the closest UK/European equivalent. Overarching codes and standards are addressed directly in the study, and elements of supporting codes and standards have been reviewed as required.

Instrumentation and Control and Electrical codes and standards have not been included in this review as they are part of another study. The outcome of this study will be reported in the PCSR when it is complete.

4.5.5 Environmental Qualification of Systems, Structures and Components

It is UK relevant good practice that procedures for the qualification of equipment should address operational, environmental and fault conditions specified in the design, and that the qualification procedures should demonstrate a level of confidence commensurate with their safety classification. This has been undertaken for the AP1000 by identifying those SSCs that support the maintenance of the KSFs and applying a rigorous environmental qualification programme to them.

A review has been carried out to identify electrical and mechanical equipment that may be vulnerable to environmental conditions and that is involved in the maintenance of the following safety functions during normal operation and fault conditions:

• Emergency reactor shutdown.

• Containment isolation.

• Reactor core cooling.

• Containment and reactor heat removal.

• Otherwise essential in preventing a significant release of radioactive material to the environment.

The list is presented in full in Table 3.11-1 of the European DCD (Reference 4.4). This list encompasses Class 1 and 2 SSCs that could be vulnerable to environmental effects, and some Class 3 systems that provide defence in depth in fault conditions. The equipment in this list is qualified to withstand the following conditions, as defined in Appendix A of the AP1000 Equipment Qualification Methodology (Reference 4.11):

• Normal operating environmental conditions - those conditions existing during routine plant operations for which the equipment is expected to be available on a continuous basis to perform required functions. This includes consideration of radiation effects.

• Abnormal environmental conditions - those plant conditions for which the equipment is designed to operate for a period of time without accelerating normal periodic tests, inspections, and maintenance schedules for that equipment.

• Design Basis accident (DBA) and post-DBA conditions - those plant conditions resulting from the bounding Design Basis faults in terms of environmental effects (e.g. submergence in water, high pressure, high temperature, etc.). Consideration is given to conditions during the Design Basis initiating event and post-accident.

Each of these conditions varies for each area of plant, depending on prevalent environmental conditions during normal operations and the local effects of Design Basis events. The conditions are defined in Appendix A of the AP1000 Equipment Qualification Methodology and Appendix 3D of the European DCD, and a bounding length of time for which the equipment must be demonstrated to withstand these conditions throughout life is also identified.

4.6 Conclusion

This chapter has set out the framework whereby the safety arguments are assembled. It has done this in a structured way by first outlining the important safety functions that need to be met to support the safety claim, and how these are categorised. It then proceeds to examine safety requirements under both normal operation and fault conditions and shows that they are supported by the Systems, Structures and Components (SSCs) within the design.

The challenges posed by both internal and external hazards are discussed and shown to be met by the design.

Finally, the chapter discusses how the various aspects of the design are substantiated: first by establishing safety demands on SSCs through the process of classification, then by demonstrating the appropriate use of industry best practice including code compliance, and finally through equipment and process qualification.

Thus this chapter combines all the elements that identify what is needed for safety and then demonstrates that it is delivered in the AP1000 design.


REFERENCES

4.1 IAEA Safety Standards Series, No. NS-R-1, Safety of Nuclear Power Plants: Design, September 2000.

4.2 WEC, UKP-GW-GL-044, AP1000 Safety Categorisation and Classification of Structures Systems and Components, Rev. 0, December 2009.

4.3 WEC, UKP-GW-GLR-001, AP1000 Internal Hazards Topic Report, Rev. 0, (to be issued).

4.4 WEC, EPS-GW-GL-700, AP1000 European Design Control Document, Rev. 1, December 2009.

4.5 NUREG/CR-2300, A Guide to the Performance of Probabilistic Risk Assessments for Nuclear Power Plants, Volume 1, ANS and IEEE, January 1983.

4.6 NUREG/CR-5750, Rates of Initiating Events at US Nuclear Power Plants 1987-1995, February 1999.

4.7 ASME, Boiler and Pressure Vessel Code Section VIII - Rules for Construction of Pressure Vessels, 2007.

4.8 WEC, UKP-GW-GL-043, AP1000 External Hazards Topic Report, Rev. 0, December 2009.

4.9 WEC, UKP-GW-GL-045, AP1000 Equivalency/Maturity Study of the US Codes and Standards, Rev. 1, December 2009.

4.10 NII Regulatory Observation, RO-AP1000-18.A1.

4.11 APP-GW-G1-002, AP1000 Plant Equipment Qualification Methodology, Rev. 1, June 2008.


CHAPTER 5: SAFETY ASSESSMENT APPROACH


5.0 SAFETY ASSESSMENT APPROACH

5.1 Introduction

The AP1000 has been designed such that there is an acceptably low probability of any radioactive release that could endanger the health of site workers or members of the public.

To demonstrate that this is the case, three high-level claims are derived in Chapter 1:

• The AP1000 is designed to operate in a safe manner throughout its lifecycle.

• The AP1000 Systems Structures and Components (SSCs) are designed to maintain the plant within prescribed safety limits for postulated fault conditions.

• The AP1000 risks have been reduced to levels that are as low as reasonably practicable (ALARP).

This chapter demonstrates that the second of those claims is satisfied, by modelling the plant behaviour in a number of bounding fault conditions and demonstrating that the plant can be safely shut down, remains coolable and will enable radioactivity to be contained throughout its life.

This chapter also provides key evidence to demonstrate that the third claim is satisfied, by quantifying the AP1000 risks. The quantified risk forms a sound basis for subsequent ALARP arguments.

The safety assessment, and particularly the fault analysis, is underpinned by the AP1000 Fault Schedule (Reference 5.1), which identifies the challenges to the design of the AP1000, as well as the lines of protection that are available. The fault schedule is discussed further in subsection 5.2.

The Design Basis Analysis (DBA) of the faults in the fault schedule is then described in subsection 5.3. The DBA aims to demonstrate, through thermal-hydraulic and radiological analysis of bounding fault sequences, the effectiveness of the protection identified for each of the faults in the fault schedule.

Following the discussion of the DBA, the probabilistic risk assessment (PRA) and severe accident analysis are described in subsections 5.4 and 5.5. The PRA and severe accident analysis seek to demonstrate that the numerical risk to operators and members of the public are acceptably low, and serve as an input into the ALARP assessment in Chapter 8.

5.2 Fault Schedule

5.2.1 Introduction

The fault schedule (Reference 5.1) is a key document in the DBA. The fault schedule presents the postulated faults, and the identified protection for each of the Key Safety Functions (KSFs). The fault schedule describes the response of the AP1000 to initiating events in the following categories:

• Reactor trip faults (fault group 4.1).

• Increase in heat removal faults (fault group 4.2).

• Decrease in heat removal faults (fault group 4.3).


• Electrical supply faults (fault group 4.4).

• Decrease in reactor coolant flow rate faults (fault group 4.5).

• Reactivity and power distribution anomalies (fault group 4.6).

• Increase in reactor coolant inventory faults (fault group 4.7).

• Decrease in reactor coolant inventory faults (fault group 4.8).

• Radioactive release from a subsystem or component (fault group 4.9).

• Shutdown faults (fault group 4.10).

• Spent fuel pool faults (fault group 4.11).

For every fault in each of the above categories, the fault schedule lists the reactor trip signals generated and engineered safety features actuated, as well as the mitigating features available.

5.2.2 Identification of Initiating Events

The initiating faults in the Fault Schedule have been identified by application of the checklist of categorised initiating faults specified in American National Standards Institute (ANSI) N18.2 (Reference 5.2). This document presents a checklist of categorised hazards that have been drawn from assessment of US nuclear plant systems, structures and components (SSCs) failure modes and many years of operating experience – including hazards applicable to both Pressurised Water Reactors (PWRs) and Boiling Water Reactors (such that hazards can be discounted where they are inappropriate to a specific reactor type). The categorisation system groups potential sources of postulated faults into four categories according to anticipated frequency of occurrence and potential radiological consequences to the public:

• Condition I: normal operation and operational transients.

• Condition II: faults of moderate frequency.

• Condition III: infrequent faults.

• Condition IV: limiting faults.

Condition I occurrences are those that are expected to occur frequently or regularly in the course of power operation, refuelling or maintenance of the plant. As such, Condition I occurrences are accommodated with margin between a plant parameter and the value of that parameter requiring either automatic or manual protective action.

Condition II faults, at worst, result in a reactor trip with the plant being capable of returning to operation. Condition II events are not expected to result in fuel rod failures, reactor coolant system failures, or secondary system over-pressurisation.

Condition III events are faults that may occur infrequently during the life of the plant. They may result in the failure of only a small fraction of the fuel rods, with an attendant minor release of radioactivity.


Condition IV events are faults that are not expected to take place, but are postulated because their consequences include the potential of the release of significant amounts of radioactive material. They are the faults that must be designed against, and they represent limiting design cases. Condition IV faults are such that, without engineered Safety Measures and barriers to release, a significant fission product release to the environment may occur.

The application of the N18.2 checklist has been reviewed against the AP1000 design and PRA, and been appropriately updated to reflect the plant’s specific design features. On this basis, while potential Anticipated Transient Without Scram (ATWS) faults are included in ANSI N18.2, for the AP1000 no causes for these have been identified within the Design Basis (i.e. the initiating event frequency is less than 10^-5 per reactor year). These faults are addressed via PRA and Severe Accident Analysis (as described in Sections 5.4 and 5.5 of this chapter). This issue is discussed in sub-section 4.4.1.3 of the AP1000 Fault Schedule (Reference 5.1).

The identification of initiating faults is also supported by a review of operating experience documented in NUREG/CR-2300 (Reference 5.3) and NUREG/CR-5750 (Reference 5.4) as well as the INPO and Westinghouse databases. A more recent review using NUREG/CR-6928 (Reference 5.5) has identified no additional hazards that need to be addressed.

The application of the N18.2 checklist has also been reviewed against relevant good practice in hazard identification; as a result of this, bounding initiating faults while in shutdown states are identified, as are bounding initiating faults relating to spent fuel handling and storage.

It is recognised that the above approach, while making good use of historical data and operating experience, does not meet the UK requirement for fault identification. In particular, the N18.2 checklist only considers single events as initiators of a fault sequence. It does not consider complex situations in which a combination of events may initiate a fault sequence. In the UK it is considered good practice to consider any fault sequence with a frequency greater than 10^-7 per year to be within the Design Basis. Regulatory guidance limits the reliability claim that may be placed on any safety system to no better than 10^-5 per demand, which implies that for any initiating frequency greater than 10^-2 per year (and in practice for most initiating frequencies greater than 10^-3 per year) a diverse safety system is required to be provided for each safety function; that safety system needs to be single failure tolerant, and the functional capability of the system needs to be demonstrated in the DBA.

As a result, the Design Basis initiating events with a frequency of greater than 10^-3 per year will be reviewed to demonstrate that a diverse safety system, qualified to an appropriate standard, is provided for each safety function. This extension to the DBA will be reported in Step 4 of the Generic Design Assessment (GDA).

5.2.3 Initiating Event Frequencies

The initiating event frequencies are based on the AP1000 PRA (see Chapter 19 of Reference 5.6). Data from INPO, Electric Power Research Institute (EPRI), and Westinghouse operating plants is used to derive these initiating event frequencies.

5.2.4 Provision of Safety Measures

The fault schedule demonstrates that for each fault at least one safety measure composed of safety significant SSCs (primarily Safety Class 1 engineered safety features) is provided to maintain control over reactivity and heat removal, allowing the plant to be brought to a safe and controllable shutdown state with containment integrity intact. The following subsections summarise the plant responses that make sure that control of reactivity, control of core heat removal and containment integrity are maintained for Design Basis faults.

Control of Reactivity

The Class 1 engineered safety features claimed in the fault schedule for reactivity control are:

• The protection and safety monitoring system (PMS), to trip the reactor (see subsection 6.6).

• The core makeup tanks (CMTs), accumulators and in-containment refuelling water storage tank (IRWST - see subsection 6.3), to provide borated water post-trip.

Control of Core Heat Removal

Immediately following reactor trip, which has in turn tripped the turbine and set the steam circuit to the turbine by-pass line, duty systems would be deployed as defence in depth to manage the fault by controlling reactor pressure, temperature and inventory, thereby avoiding actuation of the engineered safety features (ESFs). The duty systems are not claimed in the fault schedule – they are providing additional defence in depth.

If the duty systems are unavailable, or are unable to control the fault, passive residual heat removal (PRHR) is initiated and the CMTs actuated to inject borated water into the reactor coolant system (RCS). In most cases this will be sufficient to manage the fault for at least 72 hours.

For loss of coolant accident (LOCA) scenarios core makeup tank (CMT) draining will signal actuation of the first three stages of the automatic depressurisation system (ADS), depressurising the reactor and allowing the accumulators to inject more borated water into the RCS. If the pressure falls further, the residual heat removal system (RNS) can also be aligned to remove heat. This latter action provides additional defence in depth but is not claimed in the fault schedule.

The final stage in the sequence is the actuation of the fourth stage ADS valves, which further depressurises the reactor and allows injection of IRWST water. The RCS vents steam to the containment volume, which is cooled by the PCS.

During shutdown, the combination of Class 1 safety measures claimed will differ, depending on the plant state, e.g. depending whether the RCS boundary is open or if fuel is being moved; this is addressed in the fault schedule.

The Class 1 engineered safety features claimed in the fault schedule for heat removal are:

• The PMS, to initiate some of the engineered safety features (see subsection 6.6).

• Passive residual heat removal (see subsection 6.3).

• The CMTs (see subsection 6.3).

• The accumulators (see subsection 6.3).

• Full ADS (see subsection 6.3).

• The IRWST (see subsection 6.3).

• The PCS (see subsection 6.3).

Page 119: Westinghouse Nuclear - TITLE: AP1000 Pre-Construction ... PDFs...1.5 Quality Assurance Process followed during the Production of the Generic Pre-Construction Safety Report 1-12 1.5.1

AP1000 Pre-Construction Safety Report

UKP-GW-GL-732 5-5 Revision 2

• FWS isolation (see subsection 6.5).

• CVS isolation (see subsection 6.4).

Containment Integrity

Containment integrity is assured in all Design Basis fault conditions by ensuring that the containment building remains intact, with all penetrations isolated. Containment integrity is protected by the passive containment cooling system (PCS), which cools the containment structure, keeping temperature and pressure within design values.

Additional defence in depth is provided by the fan coolers, which can be manually actuated by the DAS to supplement and enhance the cooling provided by the PCS.

Because the engineered safety features are passive systems or are actuated by the protection and safety monitoring system (with diverse actuation system (DAS) backup), whereas the plant duty systems are electrically powered and actuated by the plant control system (PLS), there is significant diversity between the duty and protection systems.

In addition to the principal safety systems listed above, the fault schedule demonstrates that there is at least one safety measure (which may be a Class 1 system that is not claimed in the analysis, or a non-Class 1 system) available to enhance control over the KSFs. Because the non-Class 1 systems are, like the duty systems, electrically powered and actuated by the PLS there is diversity between the claimed safety systems and the defence in depth.

5.3 Design Basis Analysis

5.3.1 Introduction

The DBAs, and the associated fault studies, model the plant’s core physics, thermal hydraulics, heat transfer and a wide range of other physical phenomena under steady state, transient and fault conditions in order to identify those faults that might lead to a release of radioactive material. This is followed by a thorough examination of the conditions brought about by those faults. In particular, for those conditions which might affect the integrity of the nuclear fuel, the aim is to demonstrate the adequacy of the engineered protection systems in preventing the release of radioactive material.

The fault schedule underpins the DBA. It defines the faults to be analysed, and describes the engineered safety features to be credited in the analysis.

5.3.2 Selection of Representative Sequences

It is not possible to analyse every possible permutation of every fault; for this reason, a number of scenarios are considered for each fault within the Design Basis, based on the initial plant parameters and subsequent engineered safety feature responses that will give rise to the most severe consequences.

5.3.3 Thermal-Hydraulic Analysis Approach

The approach of the DBA is to model bounding plant configurations using validated computer codes, based on conservative assumptions regarding the initial conditions and subsequent development of the fault sequence, to demonstrate that the Design Basis thermal-hydraulic and radiological limits are not exceeded for Design Basis accidents.

This subsection describes the acceptance criteria for the analysis, and the computer codes used to perform the analysis. It then discusses the generic assumptions made regarding important plant parameters. These assumptions hold true for all the analyses; the generic assumptions fall into the following categories:

• Plant characteristics and initial conditions.

• Reactivity coefficients.

• Rod cluster control assembly (RCCA) insertion characteristics.

• Protection and safety monitoring system (PMS) set points and time delays to trip.

• Plant systems and components available for mitigation of accident effects.

• Fission product inventories.

• Residual decay heat.

• Component failures.

• Operator actions.

• Loss of offsite ac power.

5.3.3.1 Acceptance Criteria

The thermal-hydraulic design bases form the acceptance criteria for the thermal-hydraulic modelling of intact circuit faults, and are as follows:

• The departure from nucleate boiling (DNB) Design Basis is that there is at least a 95-percent probability, at a 95-percent confidence level, that DNB does not occur on the limiting fuel rods during normal operation and operational transients and any transient conditions arising from faults of moderate frequency.

• The fuel temperature Design Basis is that during modes of operation associated with normal operation and faults of moderate frequency, there is at least a 95-percent probability at a 95-percent confidence level that the peak kW/ft fuel rods will not exceed the uranium dioxide melting temperature. The melting temperature of uranium dioxide is 2804°C unirradiated and decreasing 32.2°C per 10,000 MWD/MTU. By precluding uranium dioxide melting, the fuel geometry is preserved and possible adverse effects of molten uranium dioxide on the cladding are eliminated.

• The core flow Design Basis is that a typical minimum value of 94.1 percent of the thermal flow rate passes through the fuel rod region of the core and is effective for fuel rod cooling. Coolant flow through the thimble and instrumentation tubes, the leakage between the core barrel and core shroud, head cooling flow, and leakage to the vessel outlet nozzles are not considered effective for heat removal.

• The hydrodynamic stability Design Basis is that modes of operation associated with normal operation and faults of moderate frequency do not lead to hydrodynamic instability.

The acceptance criteria for LOCAs are as follows:

• The calculated maximum fuel element cladding temperature shall not exceed 1204°C.

• Localized cladding oxidation shall not exceed 17 percent of the total cladding thickness before oxidation.

• The amount of hydrogen generated from fuel element cladding reacting chemically with water or steam shall not exceed 1 percent of the total amount if all metal cladding were to react.

• The core remains amenable to cooling for any calculated change in core geometry.

• The core temperature is maintained at a low value, and decay heat is removed for the extended period of time required by the long-lived radioactivity remaining in the core.

5.3.3.2 Computer Codes Used

The design analysis has been carried out using well-established nuclear computer codes. The validation and verification of those codes is described in topical reports. A summary of the major codes used in the thermal-hydraulic analysis is presented below.

5.3.3.2.1 FACTRAN

FACTRAN calculates the transient temperature distribution in a cross section of a metal-clad uranium dioxide fuel rod and the transient heat flux at the surface of the cladding using as input the nuclear power and the time-dependent coolant parameters (pressure, flow, temperature, and density). The code uses a fuel model which simultaneously exhibits the following features:

• A sufficiently large number of radial space increments to handle fast transients such as rod ejection accidents.

• Material properties which are functions of temperature and a sophisticated fuel-to-clad gap heat transfer calculation.

• The necessary calculations to handle post-DNB transients: film boiling heat transfer correlations, zircaloy-water reaction, and partial melting of the materials.

FACTRAN was used in the analysis performed in support of the Sizewell B PCSR (Reference 5.7). There is, therefore, a high degree of confidence that an acceptable verification statement can be made in the context of the UK regulatory regime.

5.3.3.2.2 LOFTRAN

LOFTRAN is used for studies of transient response of a pressurised water reactor system to specified perturbations in process parameters. LOFTRAN simulates a multi-loop system by a model containing the reactor vessel, hot and cold leg piping, steam generator (tube and shell sides), and pressuriser. The pressuriser heaters, spray, and safety valves are also considered in the program. Point model neutron kinetics, and reactivity effects of the moderator, fuel, boron, and rods are included. The secondary side of the steam generator uses a homogeneous, saturated mixture for the thermal transients and a water level correlation for indication and control. The protection and safety monitoring system is simulated to include reactor trips on high neutron flux, overtemperature ΔT, high and low pressure, low flow, and high pressuriser level. Control systems are also simulated, including rod control, steam dump, feedwater control, and pressuriser level and pressure control. The passive core cooling system, including the accumulators, is also modelled.

The Nuclear Regulatory Commission (NRC) first approved the use of LOFTRAN codes for passive plant analysis in NUREG-1512 (Reference 5.8). LOFTRAN was also used in the analysis performed in support of the Sizewell B PCSR (Reference 5.7). There is therefore a high degree of confidence that an acceptable verification statement can be made in the context of the UK regulatory regime.

5.3.3.2.3 TWINKLE

TWINKLE is a multidimensional spatial neutron kinetics code, which is patterned after steady-state codes currently used for reactor core design. The code uses an implicit finite-difference method to solve the two-group transient neutron diffusion equations in one, two, and three dimensions. The code uses six delayed neutron groups and contains a detailed multi-region fuel-clad-coolant heat transfer model for calculating point-wise Doppler and moderator feedback effects. The code handles up to 2000 spatial points and performs its own steady-state initialisation. Aside from basic cross-section data and thermal-hydraulic parameters, the code accepts as input basic driving functions, such as inlet temperature, pressure, flow, boron concentration, control rod motion, and others. Various edits are provided (for example, channel-wise power, axial offset, enthalpy, volumetric surge, point-wise power, and fuel temperatures).

The TWINKLE code is used to predict the kinetic behaviour of a reactor for transients that cause a major perturbation in the spatial neutron flux distribution. TWINKLE was used in the analysis performed in support of the Sizewell B PCSR (Reference 5.7). There is therefore a high degree of confidence that an acceptable verification statement can be made in the context of the UK regulatory regime.

5.3.3.2.4 VIPRE-01

VIPRE-01 is a finite-volume sub-channel analysis code capable of three-dimensional modelling of reactor cores and other similar geometries in steady-state and transient conditions. VIPRE-01 calculates the detailed steady-state and operational transient core flow distributions, coolant conditions, fuel rod temperature and departure from nucleate boiling ratio (DNBR).

VIPRE-01 is approved for use by the NRC (Reference 5.9) and so there is a high degree of confidence that an acceptable verification statement can be made in the context of the UK regulatory regime.

5.3.3.2.5 COAST

The COAST computer program is used to calculate the reactor coolant flow coast down transient for any combination of active and inactive pumps and forward or reverse flow in the hot or cold legs. The equations of conservation of momentum are written for each of the flow paths of the COAST model assuming unsteady one-dimensional flow of an incompressible fluid. The equation of conservation of mass is written for the appropriate nodal points. Pressure losses due to friction, and geometric losses are assumed proportional to the flow velocity squared. Pump dynamics are modelled using a head-flow curve for a pump at full speed and using four-quadrant curves, which are parametric diagrams of pump head and torque on coordinates of speed versus flow, for a pump at other than full speed.

COAST is approved for use by the NRC (Reference 5.10) and so there is a high degree of confidence that an acceptable verification statement can be made in the context of the UK regulatory regime.

5.3.3.2.6 WCOBRA/TRAC

WCOBRA/TRAC is a thermal-hydraulic computer code that calculates realistic fluid conditions in a PWR during the blowdown and re-flood of a postulated large-break LOCA.

WCOBRA/TRAC has already been reviewed by the NRC and approved as a best-estimate code. Westinghouse and the Electric Power Research Institute (EPRI) developed this best-estimate LOCA methodology, and it has been used in more than ten Westinghouse four-loop and three-loop plant large-break LOCA licensing analyses to date. There is therefore a high degree of confidence that an acceptable verification statement can be made in the context of the UK regulatory regime.

5.3.3.2.7 NOTRUMP

The NOTRUMP computer code is used in the analysis of LOCAs due to small breaks in the reactor coolant system. The NOTRUMP computer code is a one-dimensional, general network code, which includes a number of advanced features. Among these features are the calculation of thermal non-equilibrium in all fluid volumes, flow regime-dependent drift flux calculations with counter-current flooding limitations, mixture level tracking logic in multiple-stacked fluid nodes, and regime-dependent heat transfer correlations. The version of NOTRUMP used in AP1000 small-break LOCA calculations has been validated against applicable passive plant test data.

The NOTRUMP code was previously approved by the NRC for small break LOCA analyses on conventional Westinghouse PWRs. There is therefore a high degree of confidence that an acceptable verification statement can be made in the context of the UK regulatory regime.

5.3.3.3 Plant Characteristics and Initial Conditions

For most accidents that are DNB limited, nominal values of initial conditions are assumed. The allowances on power, temperature, and pressure are determined on a statistical basis and are included in the DNBR design limit values, as described in Reference 5.11.

For most accidents that are not DNB limited, or for which the revised thermal design procedure is not used, the initial conditions are obtained by adding the maximum steady-state errors to rated values. The following conservative steady-state errors are assumed in the analysis:

• Core power: +2 percent allowance for calorimetric error. The main feedwater flow measurement supports a 1-percent power uncertainty; use of a 2-percent power uncertainty is conservative.

• Average reactor coolant system temperature: +3.61°C or -3.89°C allowance for controller dead band and measurement errors.

• Pressuriser pressure: +0.345 MPa allowance for steady-state fluctuations and measurement errors.

Initial values for core power, average reactor coolant system temperature, and pressuriser pressure are selected to minimise the initial DNBR unless otherwise stated in the sections describing the specific accidents.

5.3.3.4 Power Distribution

The transient response of the reactor system is dependent on the initial power distribution. The nuclear design of the reactor core minimises adverse power distribution through the placement of fuel assemblies and control rods. Power distribution may be characterised by the nuclear enthalpy rise hot channel factor (FΔH) and the total peaking factor (Fq).

For transients that may be DNB limited, the radial peaking factor is important. The radial peaking factor increases with decreasing power level due to control rod insertion. This increase in FΔH is included in the core limits. Transients that may be DNB limited are assumed to begin with an FΔH, consistent with the initial power level defined in the Technical Specifications (see Chapter 16 of Reference 5.6).

The axial power shape used in the DNB calculation is a chopped cosine for transients analysed at full power and the most limiting power shape calculated or allowed for accidents initiated at non-full power or asymmetric RCCA conditions.

For transients that may be overpower-limited, the total peaking factor (Fq) is important. Transients that may be overpower-limited are assumed to begin with plant conditions, including power distributions, which are consistent with reactor operation as defined in the Technical Specifications (see Chapter 16 of Reference 5.6).

For overpower transients that are fast with respect to the fuel rod thermal time constant (for example, the uncontrolled RCCA bank withdrawal from subcritical or lower power startup and RCCA ejection incident, both of which result in a large power rise over a few seconds), a detailed fuel transient heat transfer calculation is performed.

5.3.3.5 Reactivity Coefficients

The transient response of the reactor system is dependent on reactivity feedback effects, in particular, the moderator temperature coefficient and the Doppler power coefficient. These reactivity coefficients are discussed in subsection 6.3 of this PCSR.

In the analysis of certain events, conservatism requires the use of large reactivity coefficient values. The values used are given in Figure 5.3-1, which shows the upper and lower bound Doppler power coefficients as a function of power, used in the transient analysis. The justification for use of conservatively large versus small reactivity coefficient values is treated on an event-by-event basis. In some cases, conservative combinations of parameters are used to bound the effects of core life, although these combinations may not represent possible realistic situations.

Figure 5.3-1 Reactivity Coefficients

5.3.3.6 RCCA Insertion Characteristics

The negative reactivity insertion following a reactor trip is a function of the acceleration of the RCCAs as a function of time and the variation in rod worth as a function of rod position. For accident analyses, the critical parameter is the time of insertion up to the dashpot entry, or approximately 85 percent of the rod cluster travel. In analyses where all of the reactor coolant pumps are coasting down prior to, or simultaneously with, RCCA insertion occurring, a time of 2.09 seconds is used for insertion time to dashpot entry. In analyses where some or all of the reactor coolant pumps are running, the RCCA insertion time to dashpot is conservatively taken as 2.47 seconds.

The use of such a long insertion time provides conservative results for accidents and is intended to apply to all types of RCCAs, which may be used throughout plant life. Drop time testing requirements are specified in the Technical Specifications (contained in Chapter 16 of Reference 5.6).

5.3.3.7 PMS Set points and Time Delays to Trip

A reactor trip signal acts to open two trip breaker sets connected in series, feeding power to the control rod drive mechanisms (CRDMs). The loss of power to the mechanism coils causes the mechanisms to release the RCCAs, which then fall by gravity into the core. There are various instrumentation delays associated with each trip function including delays in signal actuation, in opening the trip breakers, and in the release of the rods by the mechanisms. The total delay to trip is defined as the time delay from the time that trip conditions are reached to the time the rods are free and begin to fall.

Limiting trip set points assumed in accident analyses and the time delay assumed for each trip function are given in Table 15.0-4a of Reference 5.6. Table 15.0-4a also summarises the set points and the instrumentation delay for engineered safety features functions used in accident analyses. Time delays associated with equipment actuated (such as valve stroke times) by engineered safety feature functions are summarised in Table 15.0-4b of Reference 5.6.

There is a difference between the limiting set point assumed for the analysis and the nominal set point as specified in the Technical Specifications in Chapter 16 of Reference 5.6, which represents an allowance for instrumentation channel error and set point error. During plant startup tests, it is demonstrated that actual instrument time delays are equal to or less than the assumed values. Additionally, protection system channels are calibrated and instrument response times are determined periodically in accordance with the plant Technical Specifications.

5.3.3.8 Plant Systems and Components Available for Mitigation of Accident Effects

The plant systems and components credited for mitigation of accident effects are defined in the fault schedule, and are listed in subsection 5.2.3. The fault schedule presents both those systems credited in the safety analysis (which are, in general, robust Class 1 systems) and systems which are not credited in the analysis but which provide defence in depth.

5.3.3.9 Residual Decay Heat

For a LOCA, residual heat in a subcritical core is calculated according to the US regulatory requirements of 10 CFR 50.46, as described in References 5.12 and 5.13, which requires that cooling performance must be calculated in accordance with an acceptable evaluation model, and must be calculated for a number of postulated LOCAs of different sizes, locations, and other properties sufficient to provide assurance that the most severe postulated LOCAs are calculated. The evaluation model must include sufficient supporting justification to show that the analytical technique realistically describes the behaviour of the reactor system during a loss-of-coolant accident; comparisons to applicable experimental data must be made, and uncertainties in the analysis method and inputs must be identified and assessed so that the uncertainty in the calculated results can be estimated and accounted for.

The large-break LOCA methodology considers uncertainty in the decay power level. The small-break LOCA events and post-LOCA long-term cooling analyses use 10 CFR 50 Appendix K, decay heat, which conservatively assumes infinite irradiation time before the core goes subcritical to determine fission product decay energy.

For intact circuit faults, the same models are used, except that fission product decay energy is based on core average exposure at the end of an equilibrium cycle.

During a LOCA, the core is rapidly shut down by void formation, RCCA insertion, or both, and a large fraction of the heat generation considered comes from fission product decay gamma rays. This heat is not distributed in the same manner as steady-state fission power. Local peaking effects, which are important for the neutron-dependent part of the heat generation, do not apply to the gamma ray contribution. The steady-state factor, which represents the fraction of heat generated within the cladding and pellet, drops to 95 percent or less for the hot rod in a LOCA.

5.3.3.10 Component Failures

The most limiting single active failure (where one exists) of safety significant equipment (i.e. that claimed in the safety analysis) is accounted for in each analysis. In some instances, because of redundancy in protection equipment, no single failure that could adversely affect the consequences of the transient is identified.

An active failure is defined differently for different components. For valves, an active failure is the failure of a component to mechanically complete the movement required to perform its function. This includes the failure of a remotely operated valve to change position on demand. The spurious, unintended movement of the valve is also considered as an active failure. Failure of a manual valve to change position under local operator action is included.

Spring-loaded safety or relief valves that are designed for and operate under single-phase fluid conditions are not considered for active failures to close when pressure is reduced below the valve set point. However, when valves designed for single-phase flow are challenged with two-phase flow, such as a steam generator or pressuriser safety valve, the failure to reseat is considered as an active failure.

For other active equipment – such as pumps, fans, and rotating mechanical components – an active failure is the failure of the component to start or to remain operating.

For electrical equipment, the loss of power, such as the loss of offsite power or the loss of a diesel generator, is considered as a single failure. In addition, the failure to generate an actuation signal, either for a single component actuation or for a system-level actuation, is also considered as an active failure.

Spurious actuation of an active component is considered as an active failure for active components in safety-related passive systems. An exception is made for active components if specific design features or operating restrictions are provided that can preclude such failures (such as power lockout, confirmatory open signals, or continuous position alarms).

It is recognised that UK good practice demands consideration of both active and passive failures. A passive failure is the structural failure of a static component that limits the effectiveness of the component in carrying out its design function. Examples include cracking of pipes, sprung flanges, or valve packing leaks. As described in subsection 5.2, a study to be undertaken during Step 4 of the GDA will consider all faults in the Design Basis, and will ensure that there are adequate, diverse safety measures in place. This study will consider the tolerance of those safety measures to a single, active or passive, failure.

5.3.3.11 Operator Actions

Operator action is not generally required for operation of the safety measures claimed in the DBA. For events where the PRHR heat exchanger is actuated, the plant automatically cools down to the safe shutdown condition without operator action.

Once the automatic systems have brought the plant to a stable condition following a reactor trip, the operator may take manual control of the plant and proceed with orderly cooldown of the reactor in accordance with the normal, abnormal, or emergency operating procedures. This is not required to maintain the plant in a stable and safe condition; however, it is clearly desirable from a commercial point of view. The exact actions taken and the time at which these actions occur depend on what systems are available and the plans for further plant operation.

In three cases, manual actions are invoked as part of a safety measure. The relevant faults are boron dilution during operation at power with rods under automatic control (fault 4.6.5), small coolant line break outside containment (fault 4.8.4) and loss of residual heat removal system function during refuelling (fault 4.10). In the first case, the operators would be made aware of the need for action by a number of alarms and indications, and would have 5 hours to respond. In the second case, the potential release of primary coolant would be very small, with attendant very low potential radiological consequences. In the third case, the refuelling cavity water would be expected to provide cooling for at least 72 hours without the requirement for operator action.

5.3.3.12 Loss of Offsite ac Power

The analysis of anticipated operational occurrences and postulated accidents takes into account a potential loss of offsite ac power. The loss of offsite ac power is considered to be a potential consequence of the event; as a result, it is not considered as a single failure in the analysis described in subsection 5.3.3.10.

A loss of offsite ac power will be considered a consequence of an event due to disruption of the grid following a turbine trip during the event. Event analyses that do not result in a possible consequential disruption of offsite ac power do not assume offsite power is lost.

For those events where offsite ac power is lost, an appropriate time delay between turbine trip and the postulated loss of offsite ac power is assumed in the analyses. A time delay of 3 seconds is used. This time delay is based on the inherent stability of the offsite power grid (see subsection 8.2 of Reference 5.6). Following the time delay, the effect of the loss of offsite ac power on plant auxiliary equipment (such as reactor coolant pumps, main feedwater pumps, condenser, startup feedwater pumps, and RCCAs) is considered in the analyses.

For Design Basis LOCA analyses, the availability of offsite power is significant only regarding reactor coolant pump (RCP) operation, since all the safety-related systems are passive. A sensitivity study for AP1000 has shown that for large-break LOCAs, assuming the loss of offsite power at the start of the LOCA event is not limiting when compared with the assumption of continued RCP operation until the automatic RCP trip occurs, following an “S” signal, less than ten seconds into the transient. For small-break LOCA events, the AP1000 automatic RCP trip feature prevents continued operation of the RCPs from mixing the liquid and vapour present within a two-phase RCS inventory, which would increase the liquid break flow and deplete the RCS mass inventory rapidly. The automatic RCP trip occurs early enough during AP1000 small-break LOCA transients that safety system performance is not affected by the loss of offsite power, because the total break flow is approximately equivalent for RCP trip occurring either at the start of the transient or as a result of the “S” signal. Whether a loss of offsite power is postulated at the start of the LOCA event or whether it occurs automatically later on is unimportant to the long-term cooling analyses because, with either assumption, the RCPs are tripped long before the long-term cooling timeframe.

The AP1000 PMS and passive safeguards systems are not dependent on offsite power or on any backup diesel generators. Following a loss of ac power, the protection and safety monitoring system and passive safeguards are able to perform the safety functions and there are no additional time delays for these functions to be completed.

5.3.4 Radiological Analysis Approach

The Design Basis primary coolant source terms used in the radiological analysis are listed in Table 11.1-2 of Reference 5.6. The source terms are based on continuous plant operation with 0.25-percent fuel defects, which is very conservative.

The radiological analysis that has been undertaken to date has demonstrated compliance with US regulatory requirements. Both the requirements and the prescribed analysis methodology differ between the US and UK regulatory regimes. For this reason, a UK-specific consequence analysis, using a UK approach, will be carried out during Step 4 of the GDA. However, based on the source terms and release pathways described in Reference 5.6 there is high confidence that the consequence analysis will be a confirmatory exercise.

For this reason, accident doses are not presented in subsection 5.3.5, as the conservatisms required by the US approach to consequence analysis result in doses that would be considered extremely high if they were arrived at using a UK approach.

5.3.5 Results

This subsection provides a summary of the analysis results for the fault schedule fault categories defined in subsection 5.2. Also included is a discussion of any significant analysis assumptions that differ from, or are supplemental to, the generic assumptions described in subsection 5.3.3.

Further information on each of the faults is provided in References 5.1 and 5.6, at the level of the individual faults, rather than at the higher fault category level as presented here.

5.3.5.1 Reactor Trip Faults (fault group 4.1)

A signal to trip the reactor spuriously or inadvertently (fault 4.1.1 in the fault schedule) could arise from the following causes:

• Failure of sufficient sensors measuring a single parameter in such a way as to generate a spurious requirement for the reactor to trip.

• A fault within the protection and safety monitoring system generates a spurious signal to trip the reactor.

• A spurious safeguards actuation signal (“S” signal).

• Inadvertent operator action to manually trip the reactor.

The limiting case for this fault is from full power, because this imposes the maximum performance requirements on the post-trip heat removal equipment. The post-trip duty systems operate to bring the plant to hot shutdown conditions and maintain it in this state for at least 30 minutes. Safety measures, as such, are not really required, given that the fault does not affect any of the duty heat removal systems that provide defence in depth. However, in the event that the duty systems are not available, for example due to an extended loss of the grid connection on reactor trip, the passive residual heat removal heat exchanger would need to be deployed to fulfil the required nuclear safety function. If the standby diesels start correctly and then provide power to the start-up feed pumps, steam generator cooling could be maintained. Otherwise, without any feed flow, the passive residual heat removal heat exchanger would be activated automatically.

The role of the operator is to monitor that the nuclear safety functions are being successfully maintained by the various systems, diagnose the cause of the initiating fault, act to prevent any escalation of the situation and decide on the long term requirements, if any. In most cases there should be nothing preventing the return of the reactor to power.

5.3.5.2 Increase in Heat Removal Faults (fault group 4.2)

Faults in this category result in a cool-down of the RCS. As the AP1000 has a negative moderator temperature coefficient, a cool-down of the RCS will result in an increase in the reactivity and power of the core, which has the potential to threaten the integrity of the fuel cladding. If the reactor is in the hot, zero power condition, the positive reactivity feedback induced by the cool-down may return the reactor to power, increasing the fuel temperature.

The fault schedule identifies the following faults within this category (where more than one sequence is modelled, the modelled sequences are shown in brackets):

• Feedwater system malfunctions causing a reduction in feedwater temperature (low-pressure heater train or a high-pressure heater train out of service or bypassed). This is fault 4.2.1 in the fault schedule.

• Feedwater system malfunctions causing an increase in feedwater flow (two cases were modelled: the accidental opening of one feedwater control valve with the reactor just critical at zero load conditions; and the accidental opening of one feedwater control valve with the reactor in automatic control at full power). This fault models the failure of one protection division as the limiting single failure. This is fault 4.2.2 in the fault schedule.

• Excessive increase in secondary steam flow (four cases were modelled; reactor control in automatic and manual, each with minimum and maximum moderator reactivity feedback). This fault models the failure of one protection division as the limiting single failure. This is fault 4.2.3 in the fault schedule.

• Inadvertent opening of a steam generator relief or safety valve (spurious opening, with failure to close, of the largest of any single steam dump, relief, or safety valve). This fault models the failure of one core makeup tank discharge valve as the limiting single failure. This is fault 4.2.4 in the fault schedule.

• Steam system piping failure (main steam line break). This fault models the failure of one core makeup tank discharge valve as the limiting single failure. This is fault 4.2.5 in the fault schedule.

• Inadvertent operation of the PRHR heat exchanger (inadvertent opening of one of the PRHR isolation valves). This fault models the failure of one protection division as the limiting single failure. This is fault 4.2.6 in the fault schedule.

Of the above faults, only the steam line break is considered to have the potential to release radioactive material.

Each of the above faults has been analysed using LOFTRAN (with the exception of the feedwater system malfunction causing a reduction in feedwater temperature). LOFTRAN simulates a multi-loop system, modelling the neutron kinetics, pressuriser, pressuriser safety valves, pressuriser spray, steam generator, and steam generator safety valves. The code computes pertinent plant variables, including the nuclear power transient, the flow coast-down, the primary system pressure transient, and the primary coolant temperature transient. FACTRAN code is then used to calculate the heat flux based on the LOFTRAN analysis results for nuclear power and flow. Finally, VIPRE-01 is used to calculate the DNBR during the transient, using the heat flux from FACTRAN and the flow from LOFTRAN.

Feedwater system malfunctions causing a reduction in feedwater temperature were not modelled as described above; rather, the transient was analysed by calculating conditions at the feedwater pump inlet following the removal of a low-pressure feedwater heater train from service. The feedwater conditions were then used to recalculate a heat balance through the high-pressure heaters. This heat balance gives the new feedwater conditions at the steam generator inlet. The decrease in feedwater temperature transient so calculated was less severe than (and therefore bounded by) the increase in feedwater flow event or the increase in secondary steam flow event, and so was not analysed further.

The analysis described above concludes that the DNB Design Basis is met for all increase in heat removal faults within the Design Basis.

The only fault which would result in a radionuclide release is the main steam line break. The only releases of significance are iodine and the alkali metals that become airborne and are released to the environment as a result of the accident. Noble gases are also released to the environment, but their impact is secondary because any noble gases entering the secondary side during normal operation are rapidly released to the environment.

The doses calculated in the radiological assessment meet US regulatory criteria. Further consequence analysis will have to be carried out to confirm compliance with UK criteria.

5.3.5.3 Decrease in Heat Removal Faults (fault group 4.3)

A number of transients and accidents that could result in a reduction of the capacity of the secondary system to remove heat generated in the reactor coolant system are postulated. Analyses are presented in this section for the following events that are identified as more limiting than the others:

• Loss of external electrical load (considered bounded by a turbine trip). This is fault 4.3.2 in the fault schedule.

• Turbine trip. This is fault 4.3.3 in the fault schedule.

• Inadvertent closure of main steam isolation valves (results in, and is therefore bounded by, a turbine trip). This is fault 4.3.4 in the fault schedule.

• Loss of condenser vacuum and other events resulting in turbine trip (results in, and is therefore bounded by, a turbine trip). This is fault 4.3.5 in the fault schedule.

• Loss of ac power to the station auxiliaries. This is fault 4.3.6 in the fault schedule.

• Loss of normal feedwater flow. This is fault 4.3.7 in the fault schedule.

• Feedwater system pipe break. This is fault 4.3.8 in the fault schedule.

Of the above faults, only the feedwater system pipe break is considered to have the potential to release radioactivity to the environment.

The turbine trip fault is analysed using LOFTRAN. LOFTRAN computes pertinent plant variables, including the nuclear power transient, the flow coast-down, the primary system pressure transient, and the primary coolant temperature transient. FACTRAN code is then used to calculate the heat flux based on the LOFTRAN analysis results for nuclear power and flow. Finally, VIPRE-01 is used to calculate the DNBR during the transient, using the heat flux from FACTRAN and the flow from LOFTRAN.

The results of the analyses show that a turbine trip presents no challenge to the integrity of the reactor coolant system or the main steam system. Pressure-relieving devices incorporated in the two systems are adequate to limit the maximum pressures to within the design limits. The analyses show that the predicted DNBR is greater than the design limit at any time during the transient. Thus, the DNB Design Basis is met.

The remaining faults are analysed using a modified version of LOFTRAN, which describes the reactor thermal kinetics, reactor coolant system (including natural circulation), pressuriser, steam generators, and feedwater system responses and computes pertinent variables, including the pressuriser pressure, pressuriser water level, and reactor coolant average temperature.

Results of the analysis for loss of ac power and loss of normal feedwater show that the PRHR heat exchanger capacity is sufficient to prevent water relief through the pressuriser safety valves, that DNBR always remains above the Design Basis values, and that overpressurisation of the RCS and secondary side is prevented.

Results of the analysis for the postulated feedwater line rupture show that the capacity of the PRHR heat exchanger is adequate to remove decay heat, to prevent overpressurising the reactor coolant system, and to maintain the core cooling capability. Radioactivity doses from ruptures of the postulated feedwater lines are less than those presented for the postulated main steam line break and meet US regulatory criteria. Further consequence analysis will be conducted to demonstrate that the results meet the relevant UK criteria.

5.3.5.4 Electrical supply faults (fault group 4.4)

The only identified loss of electrical supply faults would be a loss of ac power to station auxiliaries (see subsection 5.3.5.3), or a loss of power to the normal residual heat removal system (see subsection 5.3.5.10).

5.3.5.5 Decrease in reactor coolant flow rate faults (fault group 4.5)

A decrease in RCS flow rate could result from a number of initiating faults. These can be grouped as follows:

• Partial loss of forced reactor coolant flow. This is fault 4.5.1 in the fault schedule.

• Complete loss of forced reactor coolant flow. This is fault 4.5.2 in the fault schedule.

• Reactor coolant pump impeller seizure (locked rotor). This is fault 4.5.3 in the fault schedule.

• Reactor coolant pump shaft break. This is fault 4.5.4 in the fault schedule.

Of the above faults, the reactor coolant pump impeller seizure is considered to have the most significant radiological release and is discussed below.

A partial loss of coolant flow accident can result from a mechanical or an electrical failure of a reactor coolant pump or from a fault in the power supply to the pump or pumps. If the reactor is at power at the time of the event, the immediate effect of the loss of coolant flow is a rapid increase in the coolant temperature. A complete loss of flow accident may result from a simultaneous loss of electrical supplies to the reactor coolant pumps. If the reactor is at power at the time of the accident, the immediate effect of a loss of coolant flow is a rapid increase in the coolant temperature.

In both cases the transient is analysed using three computer codes. First, LOFTRAN is used to calculate the core flow during the transient based on the input loop flows, the nuclear power transient, and the primary system pressure and temperature transients as predicted from the loss of two reactor coolant pumps. FACTRAN is then used to calculate the heat flux transient based on the nuclear power and flow from LOFTRAN. Finally, VIPRE-01 is used to calculate the DNBR during the transient, based on the heat flux from FACTRAN and the flow from LOFTRAN. The DNBR transients presented represent the minimum of the typical cell or the thimble cell.

The transient results show that, for either partial or complete loss of reactor coolant flow, the DNBR does not decrease below the Design Basis value at any time during the transient.

The analysis of the reactor coolant pump impeller seizure transient uses two digital computer codes. LOFTRAN calculates the resulting core flow transient following the pump seizure and the nuclear power following reactor trip. This code is also used to determine the peak pressure. The thermal behaviour of the fuel located at the core hot spot is investigated by using FACTRAN. This code uses the core flow and the nuclear power calculated by LOFTRAN. FACTRAN includes a film-boiling heat transfer coefficient.

The results of the analysis demonstrate that the peak reactor coolant system pressure reached during the transient is less than that which causes stresses to exceed the faulted condition stress limits of the ASME Code, Section III. Also, the peak cladding surface temperature is considerably less than 1482°C. These results represent the most limiting conditions with respect to the locked rotor event or the pump shaft break. With the reactor tripped, a stable plant condition is eventually attained. Normal plant shutdown may then proceed.

Although the analysis demonstrates that no fuel rods are damaged, and that there is therefore no release to the reactor coolant, a conservative analysis has been performed assuming 10 percent of the rods are damaged. Activity carried over to the secondary side because of primary-to-secondary leakage is available for release to the environment via the steam line safety valves or the power-operated relief valves. The significant radionuclide releases due to the locked rotor accident are the iodines, alkali metals and noble gases.

The doses are calculated to be a small fraction of the US regulatory criteria. However, further consequence analysis will be required to demonstrate that the releases are acceptable under the UK regulatory regime.

The reactor coolant pump shaft break accident is postulated as an instantaneous failure of a reactor coolant pump shaft. Flow through the affected reactor coolant loop is rapidly reduced, though the initial rate of reduction of coolant flow is greater for the reactor coolant pump rotor seizure event.

With a failed shaft, the impeller could be free to spin in a reverse direction as opposed to being fixed in position as is the case when a locked rotor occurs. This results in a decrease in the end point (steady-state) core flow. For both the shaft break and locked rotor incidents, reactor trip occurs very early in the transient. In addition, the locked rotor analysis conservatively assumes that DNB occurs at the beginning of the transient. The calculated results presented for the locked rotor analysis bound the reactor coolant pump shaft break event. No radiological release would result from faults of this grouping.

5.3.5.6 Reactivity and Power Distribution Anomalies (fault group 4.6)

A number of faults are postulated that result in reactivity and power distribution anomalies. Reactivity changes could be caused by control rod motion or ejection, boron concentration changes, or addition of cold water to the reactor coolant system. Power distribution changes could be caused by control rod motion, misalignment, or ejection, or by static means such as fuel assembly mislocation. These events are discussed in this section. Analyses are presented for the most limiting of these events.

The following incidents are discussed in this section:

• Uncontrolled rod cluster control assembly (RCCA) bank withdrawal from a subcritical or low-power startup condition. This is fault 4.6.1 in the fault schedule.

• Uncontrolled RCCA bank withdrawal at power. This is fault 4.6.2 in the fault schedule.

• RCCA misalignment. This is fault 4.6.3 in the fault schedule.

• Startup of an inactive reactor coolant pump at an incorrect temperature. This is fault 4.6.4 in the fault schedule.

• Chemical and volume control system malfunction that results in a decrease in the boron concentration in the reactor coolant. This is fault 4.6.5 in the fault schedule.

• Inadvertent loading and operation of a fuel assembly in an improper position. This is fault 4.6.6 in the fault schedule.

• Spectrum of RCCA ejection accidents. This is fault 4.6.7 in the fault schedule.

The RCCA ejection accident is judged to have the most severe radiological consequences, which are discussed below.

An RCCA withdrawal accident is an uncontrolled addition of reactivity to the reactor core caused by the withdrawal of RCCAs which results in a power excursion. Such a transient can be caused by a malfunction of the reactor control or rod control systems. This can occur with the reactor subcritical, at hot zero power, or at power.

The analysis of the uncontrolled RCCA bank withdrawal from subcritical accident is performed in three stages. In the first stage, the average core nuclear calculation is performed using spatial neutron kinetics methods, using TWINKLE, to determine the average power generation with time, including the various total core feedback effects (Doppler reactivity and moderator reactivity). In the second stage, the average heat flux and temperature transients are determined by performing a fuel rod transient heat transfer calculation in FACTRAN. In the final stage, the average heat flux is used in VIPRE-01 for the transient DNBR calculation.

The analysis of the uncontrolled RCCA bank withdrawal from subcritical accident concludes that the core and the reactor coolant system are not adversely affected because the combination of thermal power and the coolant temperature results in a DNBR greater than the safety analysis limit value. Thus, no fuel or cladding damage is predicted as a result of DNB.

The RCCA withdrawal at-power transient is primarily analysed using LOFTRAN. For that portion of the analysis that includes a primary coolant flow coast down caused by the consequential loss of offsite power, a combination of three computer codes is used to perform the DNBR analysis. First, LOFTRAN is used to predict the nuclear power transient, the flow coast down, the primary system pressure transient, and the primary coolant temperature transient. FACTRAN is then used to calculate the heat flux based on the nuclear power and flow from LOFTRAN. Finally, VIPRE-01 is used to calculate the DNBR during the transient, using the heat flux from FACTRAN and the flow, inlet core temperature (and pressure) from LOFTRAN.


The RCCA withdrawal at-power analysis concludes that the power range neutron flux instrumentation, overtemperature ΔT and high pressuriser pressure trip functions provide adequate protection over the entire range of possible reactivity insertion rates. The DNB Design Basis, as defined in Section 5.3.3, is met for all cases.

RCCA misoperation accidents include:

• One or more dropped RCCAs within the same group.

• Statically misaligned RCCA.

• Withdrawal of a single RCCA.

For evaluation of the dropped RCCA event, the transient system response is calculated using LOFTRAN. The code simulates the neutron kinetics, reactor coolant system, pressuriser, pressuriser safety valves, pressuriser spray, steam generator and steam generator safety valves. The code computes pertinent plant variables, including temperatures, pressures and power level. Steady-state nuclear models using ANC and APOLLO are used to obtain a hot channel factor consistent with the primary system transient conditions and reactor power. By combining the transient primary conditions with the hot channel factor from the nuclear analysis, the departure from nucleate boiling Design Basis is shown to be met using VIPRE-01.

Steady-state power distributions for statically misaligned RCCAs are analysed using the computer codes ANC and APOLLO. The peaking factors are then used as input to VIPRE-01 to calculate the DNBR.

Power distributions within the core following the withdrawal of a single RCCA are calculated using ANC and APOLLO. The peaking factors are then used by VIPRE-01 to calculate the DNBR for the event. The case of the worst rod withdrawn from the mechanical shim or axial offset bank inserted at the insertion limit, with the reactor initially at full power, is analysed. This incident is assumed to occur at beginning of life because this results in the minimum value of moderator temperature coefficient. This assumption maximises the power rise and minimises the tendency of increased moderator temperature to flatten the power distribution.

The analysis of the RCCA misoperation accidents concludes that:

• For cases of dropped RCCAs or dropped banks, including inadvertent drops of the RCCAs in those groups selected to be inserted as part of the rapid power reduction system, it is shown that the DNBR remains greater than the safety analysis limit value and, therefore, the DNB Design Basis is met.

• For cases of any one RCCA fully inserted, or the mechanical shim or axial offset banks inserted to their rod insertion limits with any single RCCA in one of those banks fully withdrawn (static misalignment), the DNBR remains greater than the safety analysis limit value.

• For the case of the accidental withdrawal of a single RCCA, with the reactor in the automatic or manual control mode and initially operating at full power with the mechanical shim or axial offset banks at their insertion limits, an upper bound of the number of fuel rods experiencing DNB is 5 percent of the total fuel rods in the core.

The startup of an inactive RCP at an incorrect temperature is not assessed. Technical Specification 3.4.4 (see Chapter 16 of Reference 5.6) requires all RCPs to be operating during startup or while at power. The maximum initial core power level for the startup of an inactive loop transient is approximately 0 MWt. Furthermore, the reactor will initially be subcritical by the Technical Specification requirement. There will be no increase in core power, and no automatic or manual protective action is required.

Boron dilutions during refuelling, cold shutdown, hot shutdown, hot standby, startup, and power modes of operation are considered in the fault schedule. Conservative values for necessary parameters are used (high reactor coolant system critical boron concentrations, high boron worths, minimum shutdown margins, and lower-than-actual reactor coolant system volumes). These assumptions result in conservative determinations of the time available for operator or automatic system response after detection of a dilution transient in progress.

The analysis concludes that inadvertent boron dilution events are prevented during refuelling and automatically terminated during cold shutdown, safe shutdown, and hot standby modes. Inadvertent boron dilution events during startup or power operation, if not detected and terminated by the operators, result in an automatic reactor trip. Following reactor trip, automatic termination of the dilution occurs and post-trip return to criticality is prevented.

Fuel and core loading errors can inadvertently occur, such as those arising from the inadvertent loading of one or more fuel assemblies into improper positions, having a fuel rod with one or more pellets of the wrong enrichment, or having a full fuel assembly with pellets of the wrong enrichment. This leads to increased heat fluxes if the error results in placing fuel in core positions calling for fuel of lesser enrichment. Also included among possible core-loading errors is the inadvertent loading of one or more fuel assemblies requiring burnable poison rods into a new core without burnable poison rods.

Steady-state power distributions in the x-y plane of the core are calculated at 30-percent rated thermal power using the three-dimensional nodal code ANC (Reference 5.7). Representative power distributions in the x-y plane for a correctly loaded core are described in Chapter 4 of Reference 5.6.

The analysis of fuel and core loading errors concludes that:

• Fuel assembly enrichment errors are prevented by administrative procedures implemented in fabrication. In the event that a single pin or pellet has a higher enrichment than the nominal value, the consequences in terms of reduced DNBR and increased fuel and cladding temperatures are limited to the incorrectly loaded pin or pins and perhaps the immediately adjacent pins.

• Fuel assembly loading errors are prevented by administrative procedures implemented during core loading. In the unlikely event that a loading error occurs, the analysis confirms that resulting power distribution effects are either readily detected by the online core monitoring system or cause a sufficiently small perturbation to be acceptable within the uncertainties allowed between nominal and design power shapes.

RCCA ejection accidents are caused by mechanical failure of a control rod mechanism pressure housing, resulting in the ejection of an RCCA and drive shaft. The consequence of this mechanical failure is a rapid positive reactivity insertion together with an adverse core power distribution, possibly leading to localised fuel rod damage.

If a rupture of an RCCA drive mechanism housing is postulated, the operation using chemical shim is such that the severity of an ejected RCCA is inherently limited. In general, the reactor is operated with the power control (or mechanical shim) RCCAs inserted only far enough to permit load follow. The axial offset RCCAs are positioned so that the targeted axial offset can be met throughout core life. Reactivity changes caused by core depletion and xenon transients are normally compensated for by boron changes and the mechanical shim banks, respectively. Further, the location and grouping of the power control and axial offset RCCAs are selected with consideration for an RCCA ejection accident. Therefore, should an RCCA be ejected from its normal position during full-power operation, a less severe reactivity excursion than analysed is expected.

It may occasionally be desirable to operate with larger than normal insertions. For this reason, a power control and axial offset rod insertion limit is defined as a function of power level. Operation with the RCCAs above this limit provides adequate shutdown capability and an acceptable power distribution. The position of the RCCAs is continuously indicated in the main control room. An alarm occurs if a bank of RCCAs approaches its insertion limit or if one RCCA deviates from its bank. Operating instructions require boration at the low level alarm and emergency boration at the low-low level alarm.

The probability of damage to an adjacent housing is considered remote. If damage is postulated, it is not expected to lead to a more severe transient because RCCAs are inserted in the core in symmetric patterns and control rods immediately adjacent to worst ejected rods are not in the core when the reactor is critical. Damage to an adjacent housing could, at worst, cause that RCCA not to fall on receiving a trip signal. This is already taken into account in the analysis by assuming a stuck rod adjacent to the ejected rod.

As a result of an ejection accident, it is assumed that 10 percent of the fuel rods will be damaged such that the activity contained in the fuel-cladding gap is released to the reactor coolant. In addition, a small fraction of fuel is assumed to melt and release core inventory to the reactor coolant.

Activity released to the containment via the spill from the reactor vessel head is assumed to be available for release to the environment because of containment leakage. Activity carried over to the secondary side due to primary-to-secondary leakage is available for release to the environment through the steam line safety or power-operated relief valves. The significant radionuclide releases due to the rod ejection accident are the iodines, alkali metals, and noble gases.

The doses are determined to be well within the US regulatory criteria. However, further analysis is required to demonstrate that doses are acceptable under the UK licensing regime.

5.3.5.7 Increase in Reactor Coolant Inventory Faults (fault group 4.7)

Two faults are postulated that could lead to an increase in the reactor coolant inventory:

• Inadvertent operation of the core makeup tanks during power operation. This is fault 4.7.1 in the fault schedule.

• Chemical and volume control system (CVS) malfunction that increases reactor coolant inventory. This is fault 4.7.2 in the fault schedule.

Neither of the above faults is expected to result in the release of radioactive material to the environment.

The plant response to an inadvertent core makeup tank or CVS actuation is analysed by using a modified version of the computer program LOFTRAN, which simulates the neutron kinetics, reactor coolant system, pressuriser, pressuriser safety valves, pressuriser spray, steam generator, steam generator safety valves, PRHR heat exchanger, and core makeup tank. The program computes pertinent plant variables, including temperatures, pressures, and power level.

The results of this analysis show that inadvertent operation of the core makeup tanks or CVS during power operation does not adversely affect the core, the reactor coolant system, or the steam system. The PRHR heat removal capacity is such that reactor coolant water is not relieved from the pressuriser safety valves. DNBR always remains above the design limit values, and reactor coolant system and steam generator pressures remain below 110 percent of their design values.

5.3.5.8 Decrease in Reactor Coolant Inventory Faults (fault group 4.8)

A number of events have been identified that could result in a decrease in reactor coolant inventory:

• Accidental depressurisation, caused by inadvertent opening of a pressuriser safety valve or inadvertent operation of the ADS. This is fault 4.8.1 in the fault schedule.

• A break in an instrument line or other lines from the reactor coolant pressure boundary that penetrate the containment. This is fault 4.8.2 in the fault schedule.

• A steam generator tube rupture (SGTR). This is fault 4.8.3 in the fault schedule.

• A LOCA resulting from a spectrum of postulated piping breaks within the reactor coolant pressure boundary. This is fault 4.8.4 in the fault schedule.

The most severe radiological consequences are for a large LOCA, and are discussed below.

The accidental depressurisation transient is analysed by using LOFTRAN. For reactor coolant system depressurisation analyses that include a primary coolant flow coast down caused by a consequential loss of offsite power, a combination of three computer codes is used to perform the DNBR analyses. First, LOFTRAN is used to perform the plant system transient analysis. FACTRAN is then used to calculate the core heat flux based on the nuclear power and reactor coolant flow from LOFTRAN. Finally, VIPRE-01 is used to calculate the DNBR using the heat flux from FACTRAN and the flow from LOFTRAN.

The results of the analysis show that the overtemperature ΔT reactor protection system signal provides adequate protection against the reactor coolant system depressurisation events. The calculated DNBR remains above the design limit. The long-term plant response due to a stuck-open ADS valve or pressuriser safety valve, which cannot be isolated, is bounded by the small-break LOCA analysis.

The small lines carrying primary coolant outside containment are the reactor coolant system sample line and the discharge line from the chemical and volume control system to the liquid radwaste system. A sample line break is considered limiting because the flow rate will be marginally higher (29.5 m3/hr as opposed to the chemical and volume control system flow of 22.7 m3/hr) and the activity will be higher (as one of the functions of the chemical and volume control system is to remove activity). These lines are used only periodically. No instrument lines carry primary coolant outside the containment.

A small line break will have negligible effect on the integrity of the fuel or core. It will, however, result in a radiological release. The only significant radionuclide releases are iodine and the noble gases. The analysis assumes that the reactor coolant iodine is at the maximum Technical Specification level for continuous operation (see Chapter 16 of Reference 5.6). In addition, it is assumed that an iodine spike occurs at the time of the accident. The reactor coolant noble gas activities are assumed to be those associated with the Design Basis fuel defect level.

The reactor coolant that is spilled from the break is assumed to be at high temperature and pressure. A large portion of the flow flashes to steam, and the iodine in the flashed liquid is assumed to become airborne. The iodine and noble gases are assumed to be released directly to the environment with no credit for depletion, although a large fraction of the airborne iodine is expected to deposit on building surfaces. No credit is assumed for radioactive decay after release.

The steam generator tube rupture accident examined is the complete severance of a single steam generator tube. The accident is assumed to take place at power with the reactor coolant contaminated with fission products corresponding to continuous operation with a limited number of defective fuel rods within the allowance of the Technical Specifications (see Chapter 16 of Reference 5.6). The accident leads to an increase in contamination of the secondary system due to leakage of radioactive coolant from the reactor coolant system. In the event of a coincident loss of offsite power, or a failure of the condenser steam dump, discharge of radioactivity to the atmosphere takes place via the steam generator power-operated relief valves or the safety valves.

A thermal-hydraulic analysis is performed to determine the plant response for a Design Basis SGTR, the integrated primary-to-secondary break flow, and the mass releases from the ruptured and intact steam generators to the condenser and to the atmosphere. This information is then used to calculate the radioactivity release to the environment and the resulting radiological consequences.

The plant response following an SGTR until the primary-to-secondary break flow is terminated is analysed with the LOFTTR2 program. The LOFTTR2 program is modified to model the PRHR system, core makeup tanks, and protection system actions appropriate for the AP1000.

The results of the SGTR analysis show that the overfill protection logic and the passive system design features provide protection to prevent steam generator overfill. Following an SGTR accident, the operators can identify and isolate the ruptured steam generator and complete the required actions to terminate the primary-to-secondary break flow before steam generator overfill or ADS actuation occurs. Even when no operator actions are assumed, the AP1000 protection system and passive design features initiate automatic actions that can terminate a steam generator tube leak and stabilise the reactor coolant system in a safe condition while preventing steam generator overfill and ADS actuation.

A LOCA is the result of a pipe rupture of the reactor coolant system pressure boundary. For the analyses reported here, a major pipe break (large break) is defined as a rupture with a total cross-sectional area equal to or greater than 0.09 m2. Such an event is not expected to occur during the lifetime of the plant but is postulated as a conservative Design Basis. A minor pipe break (small break) is defined as a rupture of the reactor coolant pressure boundary with a total cross-sectional area less than 0.09 m2 in which the normally operating charging system flow is not sufficient to sustain pressuriser level and pressure. This is considered an infrequent fault that may occur during the life of the plant.

The WCOBRA/TRAC computer code is used to perform best-estimate large break LOCA analyses. WCOBRA/TRAC is a thermal-hydraulic computer code that calculates realistic fluid conditions in a PWR during the blowdown and re-flood of a postulated large-break LOCA. The analysis demonstrates that the LOCA acceptance criteria are met, specifically:

• The calculated maximum fuel element cladding temperature will not exceed 1204°C.

• The calculated total oxidation of the cladding (i.e. maximum cladding oxidation) will nowhere exceed 0.17 times the total cladding thickness before oxidation.

• The calculated total amount of hydrogen generated from the chemical reaction of the cladding with water or steam (i.e. maximum hydrogen generation) will not exceed 0.01 times the hypothetical amount that would be generated if all of the metal in the cladding cylinders surrounding the fuel, excluding the cladding surrounding the plenum volume, were to react.

• The calculated changes in core geometry are such that the core remains amenable to cooling. Note that this criterion has historically been satisfied by adherence to the fuel element cladding temperature and oxidation criteria, and by assuring that fuel deformation due to combined LOCA and seismic loads is specifically addressed. The fuel element cladding temperature and oxidation criteria are satisfied for best-estimate large-break LOCA applications. The approved methodology specifies that effects of LOCA and seismic loads on core geometry do not need to be considered unless grid crushing extends beyond the assemblies in the low power channel as defined in the WCOBRA/TRAC model. This situation has not been calculated to occur for the AP1000. Therefore, this acceptance criterion is satisfied.

• After successful initial operation of the passive core cooling system, the core temperature will be maintained at an acceptably low value and decay heat will be removed for the extended period of time required by the long-lived radioactivity remaining in the core. This criterion is satisfied if a coolable core geometry is maintained and the core is cooled continuously following the LOCA. The AP1000 passive core cooling system provides effective core cooling following a large-break LOCA event, even assuming the limiting single failure of a core makeup tank delivery line isolation valve. The large-break LOCA transient has been extended beyond fuel rod quench until 1400 seconds, a time at which the CMT liquid level has decreased to the low-2 set point that actuates the fourth-stage ADS valves and IRWST injection. A significant increase in safety injection flow rate occurs when the IRWST becomes active. The analysis performed demonstrates that CMT injection is sufficient to maintain the mass inventory in the core and downcomer, from the period of fuel rod quench until IRWST injection. The AP1000 passive core cooling system provides effective post-LOCA long-term core cooling.

Although the analysis of the core response during a LOCA shows that core integrity is maintained, for the evaluation of the radiological consequences of the accident it is assumed that major core degradation and melting occur. The release of activity to the containment consists of two parts. The initial release is the activity contained in the reactor coolant system. This is followed by the release of core activity. The release pathways are the containment purge line and containment leakage, and the activity releases are assumed to be ground level releases.

Both the operator and off-site doses are calculated to be within the US regulatory limits; however further analysis will be required to demonstrate compliance with UK criteria.

The NOTRUMP computer code is used in the analysis of LOCAs due to small breaks in the reactor coolant system. The NOTRUMP computer code is a one-dimensional, general network code, which includes a number of advanced features. Among these features are the calculation of thermal non-equilibrium in all fluid volumes, flow regime-dependent drift flux calculations with counter-current flooding limitations, mixture level tracking logic in multiple-stacked fluid nodes, and regime-dependent heat transfer correlations. The code has limited capability in modelling upper plenum and hot leg entrainment and did not predict the core collapsed level during the accumulator injection phase adequately. Therefore a NOTRUMP homogeneous sensitivity model and a critical heat flux assessment during the accumulator injection phase supplement the base NOTRUMP analysis to demonstrate the adequacy of the design.

The small-break LOCA analyses performed show that the performance of the AP1000 plant design to small-break LOCA scenarios is excellent and that the passive safeguards systems in the AP1000 are sufficient to mitigate LOCAs. Specifically, it is concluded that:

• The primary side can be depressurised by the ADS to allow stable injection into the core.

• Injection from the core makeup tanks, accumulators, and IRWST prevents excessive cladding heat-up for the small-break LOCAs analysed, including double-ended ruptures in the passive safeguards system lines. The peak AP1000 heat flux during the accumulator injection period is below the predicted critical heat flux.

• The effect of increasing upper plenum/hot leg entrainment does not significantly affect plant safety margins.

The analyses performed demonstrate that the LOCA acceptance criteria are met in the case of the small-break LOCA. The 254 mm cold leg break exhibits the limiting minimum inventory condition that occurs during the initial blowdown period and is terminated by accumulator injection. The AP1000 design is such that the minimum inventory occurs just prior to IRWST injection for all breaks except the 254 mm cold leg break. All breaks simulated in the break spectrum produce results that demonstrate significant margin to peak cladding temperature acceptance criteria limits.

5.3.5.9 Radioactive Release from a Subsystem or Component (fault group 4.9)

This group of events includes the following:

• Release of radioactivity to the environment due to a liquid tank failure.

• Fuel handling accident.

• Spent fuel cask drop accident.

Tanks containing radioactive fluids are located inside plant structures. In the event of a tank failure, the liquid would be drained by the floor drains to the auxiliary building sump. From the sump, the water would be directed to the waste hold-up tank. The basemat of the auxiliary building is 1.83 m thick, the exterior walls are 0.914 m thick, and the building is seismic Category I. The exterior walls are sealed to prevent leakage. Thus, it is currently assumed that there is no release of the spilled liquid waste to the environment. However, an analysis of this event will be carried out which does not take credit for liquid retention by the unlined building foundations. This analysis should include consideration of tank liquid level, processing and decay of tank contents, potential paths of spilled waste to the environment, as well as other pertinent factors.

A fuel handling accident can be postulated to occur either inside the containment or in the fuel handling area inside the Auxiliary Building. The fuel handling accident is defined as the dropping of a spent fuel assembly such that every rod in the dropped assembly has its cladding breached so that the activity in the fuel/cladding gap is released. The possibility of a fuel handling accident is remote because of the many administrative controls and the equipment operating limits that are incorporated in the fuel handling operations:

• Only one spent fuel assembly is lifted at a time, and the fuel is moved at low speeds, exercising caution that the fuel assembly does not strike anything during movement.

• The containment, auxiliary building, refuelling pool, and spent fuel pool are designed to seismic Category I requirements, thereby ensuring their integrity in the event of a safe shutdown earthquake.

• The spent fuel storage racks are located to prevent a credible external missile from reaching the stored fuel assemblies.

• The fuel handling equipment is designed to prevent the handling equipment from falling onto the fuel in the reactor vessel or fuel stored in the spent fuel pool.

• The facility is designed so that heavy objects, such as the spent fuel shipping cask, cannot be carried over or tipped into the spent fuel pool.

The spent fuel handling operations take place underwater. Thus, activity releases are first scrubbed by the column of water 7 m in depth. This has no effect on the releases of noble gases or organic iodine but there is a significant removal of elemental iodine. The overall pool scrubbing decontamination factor for iodine is assumed to be 200. After the activity escapes from the water pool, it is assumed that it is released directly to the environment within a 2-hour period without credit for any additional iodine removal process. If the fuel handling accident occurs in the containment, the release of activity can be terminated by closure of the containment purge lines on detection of high radioactivity. No credit is taken for this in the analysis. Additionally, no credit is taken for removal of airborne iodine by the filters in the containment purge lines. For the fuel handling accident postulated to occur in the spent fuel pool, there is assumed to be no filtration in the release pathway. Activity released from the pool is assumed to pass directly to the environment with no credit for hold-up or delay of release in the building.

The spent fuel cask handling crane is prevented from travelling over the spent fuel. Therefore no radiological consequences analysis is necessary for the spent fuel cask drop event.

5.3.5.10 Shutdown Faults (fault group 4.10)

The fault schedule reviews the at-power faults described in subsections 5.3.5.1 to 5.3.5.9 to ensure that the analysis, performed for startup or power operations, remains bounding for shutdown operations.

The review presented in the fault schedule draws the following conclusions:

• Inadvertent reactor trip accidents are impossible when shut down.

• Increase in heat removal faults are more severe for power operations because the resulting load increase while at power will increase reactor power to its highest power level. Load increases during startup or shutdown conditions will not reach as high a power level.

• Decrease in heat removal faults are more severe for power operations because the stored energy in the RCS is substantially higher and the demands on the heat removal systems are therefore more severe.

• Electrical supply faults include the loss of the normal residual heat removal system, which requires explicit assessment for shut down operations.

• Decrease in reactor coolant flow rate faults effectively reduce the heat removal from the core, and so assessment of these faults during power operations is bounding as it is for decrease in heat removal faults.

• Reactivity and power distribution anomalies are generally more severe for power operations. RCCA withdrawal from a subcritical condition and startup of an inactive RCP were not originally assessed at power (since they cannot happen at power). Subcritical RCCA withdrawal was analysed for startup conditions, which bounds the shutdown states. Startup of an inactive RCP will have relatively little effect while shut down, since there will be little or no temperature difference between the loops.

• Increase in reactor coolant inventory faults are more severe for power operations, since the amount of stored energy in the plant is maximised.

• Decrease in reactor coolant inventory faults are generally more severe for power operations, since the reactor coolant temperature and pressure are significantly higher than in other modes of operation. However, LOCAs require explicit assessment during shutdown operations, as the power operation case is not necessarily more bounding.

The review identified two scenarios requiring further assessment: loss of electrics while shut down, and LOCA while shut down.

Loss of electrics while shut down would result in the loss of the normal residual heat removal system. Two situations are considered: one with the RCS intact, and one with the RCS open.

The starting point for the intact circuit assessment is immediately following the changeover from steam generator cooling, when the decay heat burden on the normal residual heat removal system is at its maximum. The analysis assumes the worst case availability of safety measures permitted by the Technical Specifications for any intact circuit shutdown mode (see Chapter 16 of Reference 5.6):

• The steam generator secondary side is partially full of water, but steam generator cooling is no longer available.

• Both core make-up tanks are available.

• Only three of the stage-4 ADS valves are available.

The starting point for the open circuit assessment sees the RCS vented to the IRWST by way of fully open valves in the first three stages of the ADS. The pressuriser pressure is atmospheric plus the elevation head from the in-containment refuelling water storage tank; that is, it is at 1.25 bar. Typically, this mode of operation is entered 24 hours after reactor shutdown. The reactor coolant temperature would be around 70°C.

The analysis assumes the worst case availability of safety measures permitted by the Technical Specifications for this shutdown mode (see Chapter 16 of Reference 5.6):

• The steam generator secondary side is drained, so steam generator cooling is no longer available.

• Both core make-up tanks and the accumulators are isolated, to preclude inadvertent draining into the reactor coolant system.

• The passive residual heat removal heat exchanger is assumed to be unavailable for cooling.

• Only one of the in-containment refuelling water storage tank injection paths is available.

• Only two of the Stage-4 automatic depressurisation system valves are available.

The analysis concludes that the consequences of a loss of the normal residual heat removal system while shut down are acceptable: depressurisation and IRWST injection (and CMT injection, in the intact circuit case) provide cooling capability.

LOCA requires specific shutdown assessment because, as the plant proceeds through shutdown modes of operation, various items of passive core cooling system equipment are removed from service at identified points in time. This means that the safety measures credited in the power operations analysis may not be available. One particularly significant action in the course of taking the AP1000 to cold shutdown, in the elimination of passive core cooling system equipment, is the isolation of the accumulators at 6.89 MPa. This procedural action reduces the capability of the passive core cooling system to mitigate LOCAs.

To assess the adequacy of the remaining passive core cooling system components to mitigate postulated LOCA events, a limiting double-ended cold leg guillotine break is analysed assuming it occurs immediately after the isolation of the accumulators. The analysis is performed using the AP1000 Large-Break LOCA WCOBRA/TRAC model used for the power operations Design Basis accident analysis. Only safety-significant systems are modelled in the analysis of this event.

For the analysis, the plant was assumed to be shut down at steady-state conditions of 6.89 MPa and 218°C with the accumulators isolated. An initial pressure of 6.89 MPa is assumed because this is the highest pressure with the accumulators isolated, and a hot leg temperature of 218°C is the highest expected temperature when the pressure is 6.89 MPa. The decay heat level is determined at 2.78 hours after reactor shutdown based on the time estimate to cool down the plant from full-power operation to 218°C at a cooldown rate of 10°C per hour. The low pressuriser pressure safeguards signal is also assumed to be disabled because the initial pressure is below the set point.

The analysis demonstrates that the shutdown LOCA is less severe than the equivalent at-power LOCA, and indeed is less severe than the largest at-power small LOCA.

The review described above provides confidence that the tolerance of the AP1000 to faults associated with shutdown operations is acceptable. However, it is UK good practice to perform a robust shutdown fault identification exercise, with the identified faults included in the fault schedule and analysed using Design Basis analysis techniques. This fault identification and analysis will be undertaken during Step 4 of the GDA.

5.3.5.11 Spent fuel pool faults (fault group 4.11)

Protection for spent fuel pool faults is largely provided by the operator. The discussion in the fault schedule therefore revolves around the operator actions that comprise the lines of defence against loss of spent fuel cooling faults and loss of electrics (onsite power or all ac power) faults.

As with the shutdown faults, it is UK good practice to perform a robust shutdown fault identification exercise, with the identified faults included in the fault schedule and analysed using DBA techniques. This fault identification and analysis will be undertaken during Step 4 of the GDA.

5.3.6 DBA Conclusions

The analysis described above and reported in References 5.1 and 5.6 demonstrates that the plant handles Design Basis faults without violation of the appropriate limits and conditions, as described in subsection 5.3, and provides a high degree of confidence that the radiological consequences will be acceptable (accepting that consequence modelling in accordance with UK good-practice methods has yet to be completed). This satisfies the second of the overarching safety claims made in Chapter 1, namely that the AP1000 SSCs are designed to maintain the plant within prescribed safety limits for postulated fault conditions.

5.4 Probabilistic Risk Analysis

5.4.1 Introduction

PRA is a quantitative analysis that provides measures of the overall risk to the public that might result from a range of faults. PRA enables complex inter-system interactions to be modelled and provides a sound basis for identifying any relative weak points in the proposed reactor system design.

The PRA is presented in three parts or levels, consistent with modern good practice:

• Level 1, focusing on the potential for reactor core damage.

• Level 2, considering the magnitude and frequency of releases of radioactive material to the environment.

• Level 3, addressing risks to the public from off-site releases.

The AP1000 PRA was developed to support the application for design certification of the AP1000 nuclear plant in the US. The AP1000 design is based extensively on the AP600 standard nuclear plant that received design certification in December 1999. The AP600 PRA, which was reviewed by the US NRC in detail during the seven-year review of the AP600, is used as the starting point for the AP1000 PRA. Since the configuration of the AP1000 reactor and safety systems is the same as the AP600, the AP600 PRA is used as the basis of the AP1000 PRA with relevant changes implemented in the model to reflect the AP1000 design changes. AP1000 plant-specific thermal-hydraulic analyses are performed in order to determine the system success criteria.

Because the PRA was developed over a decade ago, to meet US regulatory requirements, it does not always meet the expectations of the UK regulator. For this reason, a substantial package of work is ongoing to update the PSA in accordance with UK good practice. Nevertheless, the PSA as it currently stands is a valuable tool for interpreting the risks associated with the AP1000, and for assessing the relative strengths and weaknesses of the plant design.

5.4.2 Selection of Initiating Events

For probabilistic risk assessment of the AP1000, the list of postulated faults encompasses at-power operations, shutdown operations and those internal and external hazards to which plant risk is most sensitive (internal fire, internal flood and seismic events). The list of initiating events has been developed by the following process (which is discussed further in Chapter 19 of Reference 5.6):

• Evaluation of the initiating events applicable to the AP1000 by reviewing the initiating events reported in NUREG/CR-3862 (Reference 5.14).

• Evaluation of the applicability of initiating events considered in past probabilistic risk assessments and the plant-specific configuration and success criteria.

• Identification of additional plant-specific initiating events produced by failures or incorrect operation of the front-line or support systems.

• Following identification of a comprehensive set of initiating events, the events are categorised according to the plant response, possible consequential events, plant systems required, and subsequent plant-related effects. The categorisation of initiating events reduces the number of initiating event groups to a manageable size for event tree analysis.

• Categorising initiating events is carried out interactively with the development of the event trees. Event tree interactions assure that once an event category has been developed, all initiators within the category are bounded by the sequences developed. Event trees model the functions required to maintain the plant in a safe, stable condition.

The consolidated categories for initiating events reflect their potential to affect delivery of the Key Safety Functions: spurious reactor trip, increase in heat removal from the primary system, decrease in heat removal by the secondary system, decrease in reactor coolant flow rate, reactivity and power distribution anomalies, increase in reactor coolant inventory, decrease in reactor coolant inventory, and anticipated transients without scram.

It should be noted that the hazards taken forward for assessment in the DBA and PRA place differing emphasis on challenges to the plant in some areas:

• Where an initiating fault can be shown deterministically not to result in a threat to a specific KSF (e.g. the plant being tolerant, in terms of reactivity control, to the ejection of a single control rod), such an event is only addressed in the DBA.

• Where the DBA may only assess a bounding case of a particular fault (e.g. a LOCA of a bounding size), the PRA may assess a range of events, to determine the overall risk associated with different plant and operator responses. For example, the DBA assesses LOCAs of bounding size, while the PRA identifies eight different types of LOCA, line break or tube/vessel rupture.

5.4.3 Analysis Approach

5.4.3.1 Acceptance Criteria

The NII SAPs (Reference 5.15) provide a collation of the numerical targets and legal limits against which the PRA results can be judged. They assign levels and objectives for radiation doses to individuals and groups; these are the Basic Safety Levels (BSLs) and Basic Safety Objectives (BSOs), respectively. These targets cover the risks to people during normal operation, and risks arising from Design Basis faults and from radiological accidents. The target and limits for normal operation (known as Targets 1 to 3) are discussed in Chapter 12 of this PCSR. Targets 4 to 9 are discussed in subsection 5.4.4.

The AP1000 PRA was carried out in support of the US licensing process and so does not currently directly compare with these targets and limits; however, an interpretation can be provided against Targets 4 to 9 to provide confidence that an acceptable result will be achievable. Work on the PRA will be ongoing throughout Step 4 of the GDA to demonstrate that the generic design meets the UK requirements.


AP1000 Pre-Construction Safety Report

UKP-GW-GL-732 5-33 Revision 2

5.4.3.2 Accident Sequence Analysis (Event Trees)

One event tree is constructed for each initiating event category, as described in subsection 5.4.2. The entry point of the event tree is the occurrence of an initiating event. The end point of an event tree sequence is either success or core damage.

Each event tree describes the plant response to the most representative (not necessarily most limiting) event in a category. Limiting cases may be additionally studied in sensitivity and uncertainty analyses. In defining the plant response, credit is taken for all classes of safety systems as long as they are realistically expected to respond to the event. Moreover, credit is taken for proceduralised operator actions that are expected to be performed.

5.4.3.3 System Analysis (Fault Trees)

Qualitative analysis and fault tree construction are performed for all classes of safety front-line systems and supporting systems that contribute to prevention or mitigation of severe accident events. The analysis identifies the importance of each component for each system. Extensive analyses are performed with MAAP4, NOTRUMP and other codes to determine the success criteria for system mitigation following initiating events.

5.4.3.4 Human Reliability Analysis

The human reliability analysis (HRA) for the AP1000 is based on the technique for human error rate prediction (THERP) methodology described in NUREG/CR-1278 (Reference 5.16). Human reliability analysis is used to quantify the human errors that are modelled in the event trees or fault trees. The critical steps for the tasks, modelled in the PRA, are developed with collaboration among analysts from various disciplines (human reliability analysis, system analysis, design engineering, and emergency operating procedure design). Therefore, the human reliability analysis consists of identifying the steps that are believed to be necessary for successfully completing the task for a given event, modelling the task in failure configuration, and deducing the probability that the operating crew will fail to complete the task. Failure to complete any (or combination) of the selected steps for a task will result in failure of that task.

5.4.3.5 Common Cause Failure Analysis

The AP1000 common-cause failure analysis follows a three-step process:

• Identification of the common-cause component groups. These are a group of similar components that are considered to have a high potential for failure due to the same cause. The identification is based on a qualitative screening analysis within each system and among different redundant systems performing the same function.

• Identification of design or operational defences that reduce the susceptibility to root causes and to coupling mechanisms; these provide the basis either to screen a component out of the common-cause component group or to support a quantitative evaluation. Quantification of the common-cause component groups not screened out is performed using data derived from the EPRI Requirements Document (Reference 5.17).

• Identification of inter-component dependencies, also called common-cause failures, due to a shared root cause of failure. These dependencies are modelled and quantified using the multiple Greek letter method.


The analysis is performed looking for potential common-cause failures within each system and, later, when the event tree sequences are identified, for the potential common-cause failures among the several systems called upon during each event tree sequence.
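The multiple Greek letter method named in the third step above is not spelled out in this subsection. The following is an added worked example, not code from the PCSR or from the AP1000 PRA model: it implements the standard MGL parameterisation (beta, gamma, delta, as in NUREG/CR-4780) for a common-cause component group of m identical components, with the identity that the basic-event probabilities must sum back to the single-component failure probability used as a self-check. All numeric inputs and the function names are this example's own constructed illustrations, not AP1000 data.

```python
"""Multiple Greek letter (MGL) quantification of a common-cause component group.

Added worked example; not code from the PCSR or from the AP1000 PRA model.
Implements the standard MGL parameterisation for a group of m identical
components. Every numeric input below is a constructed illustration.
"""
from math import comb


def mgl_basic_event_probs(q_t, rhos, m):
    """Return {k: Q_k} for k = 1..m under the MGL model.

    Q_k is the probability that a *specific* set of exactly k of the m
    components fails (independently for k = 1, by common cause for k >= 2):

        Q_k = (1 / C(m-1, k-1)) * (rho_1 * ... * rho_k) * (1 - rho_{k+1}) * q_t

    with rho_1 = 1, rho_2 = beta, rho_3 = gamma, rho_4 = delta, ... and
    rho_{m+1} = 0 (no failure can involve more than the whole group).
    q_t is the total failure probability of a single component.
    """
    if not 0.0 <= q_t <= 1.0 or m < 1:
        raise ValueError("q_t must be a probability and m >= 1")
    params = list(rhos) + [0.0] * (m - 1)        # pad if fewer than m-1 given
    rho = [None, 1.0] + params[: m - 1] + [0.0]   # rho[1..m+1]
    probs = {}
    running = 1.0                                  # rho_1 * ... * rho_k
    for k in range(1, m + 1):
        running *= rho[k]
        probs[k] = running * (1.0 - rho[k + 1]) * q_t / comb(m - 1, k - 1)
    return probs


def total_is_consistent(q_t, rhos, m, tol=1e-12):
    """MGL identity: sum over k of C(m-1, k-1) * Q_k must reproduce q_t.

    A cheap check that the parameters were entered in the right order.
    """
    probs = mgl_basic_event_probs(q_t, rhos, m)
    total = sum(comb(m - 1, k - 1) * q for k, q in probs.items())
    return abs(total - q_t) <= tol


def all_fail_probability(q_t, rhos, m):
    """Probability that every component in the group fails.

    Returns (common-cause term Q_m, naive independent estimate q_t ** m) so the
    gap that common-cause modelling opens up can be read off directly.
    """
    q_m = mgl_basic_event_probs(q_t, rhos, m)[m]
    return q_m, q_t ** m


if __name__ == "__main__":
    # constructed values: four redundant components, q_t = 1e-3,
    # beta = 0.1, gamma = 0.5, delta = 0.5
    ccf, indep = all_fail_probability(1e-3, [0.1, 0.5, 0.5], 4)
    print(f"4-of-4 by common cause: {ccf:.2e}; treated as independent: {indep:.2e}")
    print("parameters consistent:", total_is_consistent(1e-3, [0.1, 0.5, 0.5], 4))
```

With the constructed parameters the whole group fails by common cause with probability 2.5×10⁻⁵, against 10⁻¹² if the four failures were treated as independent; that seven-order gap is why the screening and quantification steps above are performed for every redundant group rather than relying on redundancy alone.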

5.4.3.6 Severe Accident Analysis

Analyses are performed with the MAAP4 code to study the progression of severe accident sequences and to define the radionuclide source terms. The severe accident analysis is discussed in subsection 5.5.

5.4.4 Results

This subsection presents an interpretation of the PRA results against each of the NII targets 4 to 9. As discussed in subsection 5.4.3.1, the PRA results do not match exactly the UK targets, and work is ongoing to rectify this; however, the discussion that follows provides confidence that an acceptable result will be achieved.

5.4.4.1 Target 4

The limit on the effective annual dose resulting from a Design Basis fault sequence for any person on site:

BSL  20mSv    for initiating fault sequences exceeding 10⁻³ per year
     200mSv   for initiating fault sequences between 10⁻³ per year and 10⁻⁴ per year
     500mSv   for initiating fault sequences less than 10⁻⁴ per year
BSO  0.1mSv per year

The limit on the effective annual dose resulting from a Design Basis fault sequence for any person off site:

BSL  1mSv     for initiating fault sequences exceeding 10⁻³ per year
     10mSv    for initiating fault sequences between 10⁻³ per year and 10⁻⁴ per year
     100mSv   for initiating fault sequences less than 10⁻⁴ per year
BSO  0.01mSv per year

This target is set on the predicted maximum dose received by any person arising from a Design Basis fault sequence. Different targets are set for on-site and off-site individuals. The BSL varies according to the frequency band of the fault sequence. For those faults with an initiating fault frequency exceeding 1×10⁻³ per year, the BSLs are based on the legal limits for normal operation (the same values as Targets 1 and 3, which apply to annual dose). Each and every Design Basis sequence needs to be assessed.

This is a Design Basis target, which requires a deterministic analysis that demonstrates the fault tolerance of the facility and the effectiveness of the safety measures. Ideally, the analysis should demonstrate in preferential order that:


• None of the physical barriers to release should be breached.

• If the physical barriers are breached, at least one should remain intact, with no threat to its integrity.

• If radioactivity is released, then no individual should receive a significant dose, as defined by Target 4.

Table 5.4.3-2 lists those initiating event categories that contribute to the frequency bands identified in Target 4. The large release frequency (LRF) is used as a surrogate for comparison with this target. Consequence calculations demonstrate that at the site boundary a whole body 24 hour dose of less than 100mSv occurs with a frequency of less than 1×10⁻⁶ per year, and a dose greater than 100mSv with a frequency of less than 1×10⁻⁷ per year. These dose frequencies and the information in Table 5.4.3-1 provide assurance that the AP1000 Design Basis fault sequences are below the BSO, at a level at which further ALARP justification would be grossly disproportionate.

Table 5.4.3-2 lists the initiating event categories. Any of the fault sequences could develop into a core damage event, but they are prevented from doing so by the safety measures included in the design. The conditional core damage probability, which is the ratio of the CDF to the initiating event frequency for each sequence (Table 19.59-2 of Reference 5.6), is a measure of the effectiveness of these safety measures; it is given in brackets after each initiating event in the lists below. A value of less than 1×10⁻³ indicates that one or more robust protective safety measures are in place.

For initiating fault sequences whose frequencies exceed 10⁻³ per year:

• Steam generator tube rupture (1.75×10⁻⁶)

• ATWS precursor with no main feed water (7.49×10⁻⁹)

• Transient with main feed water (2.20×10⁻⁹)

• RCS leak (2.75×10⁻⁷)

• Core power excursion (3.69×10⁻⁷)

• Loss of condenser (1.11×10⁻⁸)

• Loss of off-site power (7.98×10⁻⁹)

• Loss of main feed water (2.60×10⁻⁹)

• ATWS precursor with main feed water available (6.09×10⁻¹⁰)

• Loss of compressed air (1.93×10⁻⁸)

• Main steam line safety valve stuck open (2.54×10⁻⁷)

• Loss of main feed water to one steam generator (2.36×10⁻⁹)

• Loss of CCW/SW (2.24×10⁻⁹)

• ATWS precursor with SI signal (7.48×10⁻⁹)

• Loss of RCS flow (1.96×10⁻⁹)

For initiating fault sequences with frequencies between 10⁻³ per year and 10⁻⁴ per year:

• Safety injection line break (4.48×10⁻⁴)

• Small LOCA (3.62×10⁻⁵)

• Medium LOCA (3.70×10⁻⁵)

• Passive RHR tube rupture (3.74×10⁻⁶)

• Main steam line break upstream of isolating valve (3.51×10⁻⁷)

• Main steam line break downstream of isolating valve (1.54×10⁻⁸)

For initiating fault sequences whose frequencies are less than 10⁻⁴ per year:

• Spurious ADS actuation (5.48×10⁻⁴)

• CMT line break (3.95×10⁻⁵)

Every Design Basis fault sequence has a conditional core damage probability of less than 1×10⁻³, usually by many orders of magnitude. Thus the design provides an adequate deterministic safety case for Design Basis fault sequences, with the expectation that not all the physical barriers to release will be breached and that any release of radioactivity will be minimal. The fault tolerance of the facility and the effectiveness of the safety measures are thus demonstrated.

Table 5-1 PRA Results

Events          Core Damage Frequency (per year)    Large Release Frequency (per year)
                At-Power      Shutdown              At-Power      Shutdown
Plant Events    2.41E-07      1.23E-07              1.95E-08      2.05E-08
Internal Flood  8.82E-10      3.22E-09              7.14E-11      5.37E-10
Internal Fire   5.61E-08      8.5E-08               4.54E-09      1.43E-08
Total           2.97E-07      2.11E-07              2.41E-08      3.53E-08


Table 5-2 Contribution of Initiating Events to CDF and LRF

Code        IEF (per year)  CDF (per year)  LRF (per year)  Initiating event category

Initiating events > 1E-03 per year
IEV-SGTR    3.88E-03        6.79E-09        3.04E-09        Steam generator tube rupture
IEV-ATWS    4.81E-01        3.61E-09        3.27E-09        ATWS precursor with no main feedwater
IEV-TRANS   1.40E+00        3.08E-09        1.43E-09        Transient with main feedwater
IEV-RCSLK   6.20E-03        1.71E-09        2.93E-10        Reactor cooling system leak
IEV-POWEX   4.50E-03        1.66E-09        9.49E-11        Core power excursion
IEV-LCOND   1.12E-01        1.24E-09        5.22E-10        Loss of condenser
IEV-LOSP    1.20E-01        9.58E-10        4.70E-10        Loss of off-site power
IEV-LMFW    3.35E-01        8.70E-10        3.80E-10        Loss of main feedwater
IEV-ATW-T   1.17E+00        7.12E-10        7.12E-10        ATWS precursor with main feedwater
IEV-LCAS    3.48E-02        6.72E-10        1.00E-10        Loss of compressed air
IEV-SLB-V   2.39E-03        6.06E-10        2.33E-10        Main steam line stuck-open safety valve
IEV-LMFW1   1.92E-01        4.53E-10        2.12E-10        Loss of main feedwater to one steam generator
IEV-LCCW    1.44E-01        3.23E-10        1.37E-10        Loss of CCW/SW
IEV-ATW-S   1.48E-02        1.11E-10        1.01E-10        ATWS precursor with SI signal
IEV-LRCS    1.80E-02        3.52E-11        1.58E-11        Loss of reactor cooling system flow
Total       4.04E+00        2.28E-08        1.10E-08

Initiating events < 1E-03 and > 1E-04 per year
IEV-SI-LB   2.12E-04        9.50E-08        1.88E-09        Safety injection line break
IEV-SLOCA   5.00E-04        1.81E-08        1.14E-09        Small LOCA
IEV-MLOCA   4.36E-04        1.61E-08        9.02E-10        Medium LOCA
IEV-PRSTR   1.34E-04        5.02E-10        8.64E-11        Passive RHR tube rupture
IEV-SLB-U   3.72E-04        1.31E-10        4.97E-11        Main steam line break upstream of MSIV
IEV-SLB-D   5.96E-04        9.15E-12        9.07E-12        Main steam line break downstream of MSIV
Total       2.25E-03        1.30E-07        4.07E-09

Initiating events < 1E-04 and > 1E-05 per year
IEV-SPADS   5.40E-05        2.96E-08        2.51E-09        Spurious ADS
IEV-CMTLB   9.31E-05        3.68E-09        1.98E-10        CMT line break
Total       1.47E-04        3.33E-08        2.71E-09

Total within Design Basis (excluding ATWS, which would be double counted)
            2.39E+00        1.86E-07        1.78E-08

Initiating events < 1E-05 per year
IEV-LLOCA   5.00E-06        4.50E-08        3.16E-10        Large LOCA
IEV-RV-RP   1.00E-08        1.00E-08        1.03E-09        Reactor vessel rupture
IEV-ISLOC   5.00E-11        5.00E-11        4.74E-13        Interfacing systems LOCA
Total Beyond Design Basis
            5.01E-06        5.51E-08        1.35E-09

Total (excluding ATWS, which would be double counted)
            2.38E+00        2.41E-07        1.91E-08

Note: The base case LRF had previously been calculated to be 1.95×10⁻⁸ per year and reported in various places; this has been retained as the value of record.
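The bracketed values in the lists of subsection 5.4.4.1 are the ratios CDF / IEF of the rows in Table 5-2. The following is an added worked example, not code from the PCSR: it transcribes the IEF and CDF columns of Table 5-2, computes the conditional core damage probability for each initiating event, groups the rows into the table's frequency bands, and applies the 1×10⁻³ robustness test the text describes. Band names, the `DESIGN_BASIS` / `BEYOND_DESIGN_BASIS` split and the helper names are this example's own; the numbers are the table's.

```python
"""Conditional core damage probability (CCDP) per initiating event.

Added worked example; not code from the PCSR. IEF and CDF values are
transcribed from Table 5-2; CCDP = CDF / IEF is the bracketed figure that
subsection 5.4.4.1 quotes after each initiating event.
"""

# (code, IEF per year, CDF per year) transcribed from Table 5-2
DESIGN_BASIS = [
    ("IEV-SGTR", 3.88e-3, 6.79e-9), ("IEV-ATWS", 4.81e-1, 3.61e-9),
    ("IEV-TRANS", 1.40e0, 3.08e-9), ("IEV-RCSLK", 6.20e-3, 1.71e-9),
    ("IEV-POWEX", 4.50e-3, 1.66e-9), ("IEV-LCOND", 1.12e-1, 1.24e-9),
    ("IEV-LOSP", 1.20e-1, 9.58e-10), ("IEV-LMFW", 3.35e-1, 8.70e-10),
    ("IEV-ATW-T", 1.17e0, 7.12e-10), ("IEV-LCAS", 3.48e-2, 6.72e-10),
    ("IEV-SLB-V", 2.39e-3, 6.06e-10), ("IEV-LMFW1", 1.92e-1, 4.53e-10),
    ("IEV-LCCW", 1.44e-1, 3.23e-10), ("IEV-ATW-S", 1.48e-2, 1.11e-10),
    ("IEV-LRCS", 1.80e-2, 3.52e-11),
    ("IEV-SI-LB", 2.12e-4, 9.50e-8), ("IEV-SLOCA", 5.00e-4, 1.81e-8),
    ("IEV-MLOCA", 4.36e-4, 1.61e-8), ("IEV-PRSTR", 1.34e-4, 5.02e-10),
    ("IEV-SLB-U", 3.72e-4, 1.31e-10), ("IEV-SLB-D", 5.96e-4, 9.15e-12),
    ("IEV-SPADS", 5.40e-5, 2.96e-8), ("IEV-CMTLB", 9.31e-5, 3.68e-9),
]
BEYOND_DESIGN_BASIS = [
    ("IEV-LLOCA", 5.00e-6, 4.50e-8), ("IEV-RV-RP", 1.00e-8, 1.00e-8),
    ("IEV-ISLOC", 5.00e-11, 5.00e-11),
]

# Frequency bands of Table 5-2: (name, exclusive lower bound on IEF per year)
BANDS = [(">1E-03", 1e-3), ("1E-04..1E-03", 1e-4),
         ("1E-05..1E-04", 1e-5), ("<1E-05", 0.0)]

ROBUST_CCDP = 1e-3  # below this the text treats the protection as robust


def ccdp(cdf, ief):
    """Conditional core damage probability = CDF / IEF."""
    if ief <= 0:
        raise ValueError("initiating event frequency must be positive")
    return cdf / ief


def band_of(ief):
    """Name of the Table 5-2 frequency band containing ief."""
    for name, lower in BANDS:
        if ief > lower:
            return name
    raise ValueError("frequency must be positive")


def summarise(rows):
    """Group rows by band: {band: {"ief": sum, "cdf": sum, "ccdp": {code: value}}}."""
    out = {}
    for code, ief, cdf in rows:
        b = out.setdefault(band_of(ief), {"ief": 0.0, "cdf": 0.0, "ccdp": {}})
        b["ief"] += ief
        b["cdf"] += cdf
        b["ccdp"][code] = ccdp(cdf, ief)
    return out


def weakest(rows):
    """(code, CCDP) of the event whose safety measures are least effective."""
    return max(((code, ccdp(cdf, ief)) for code, ief, cdf in rows),
               key=lambda t: t[1])


def all_robust(rows, threshold=ROBUST_CCDP):
    """True when every row's CCDP is below the robustness threshold."""
    return all(ccdp(cdf, ief) < threshold for _, ief, cdf in rows)


if __name__ == "__main__":
    for band, data in summarise(DESIGN_BASIS + BEYOND_DESIGN_BASIS).items():
        print(f"{band:14s} IEF={data['ief']:.2e}  CDF={data['cdf']:.2e}")
    print("design basis robust:", all_robust(DESIGN_BASIS), weakest(DESIGN_BASIS))
    print("beyond design basis robust:", all_robust(BEYOND_DESIGN_BASIS))
```

Running the check over the beyond-design-basis rows as well shows why the table keeps them apart: reactor vessel rupture and interfacing systems LOCA have CDF equal to IEF, a conditional core damage probability of 1, so the 1×10⁻³ criterion is a statement about Design Basis sequences only.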

5.4.4.2 Target 5

The limit on the risk of death from an on-site accident that releases ionising radiation, for any person on site:

BSL  1×10⁻⁴ per year

BSO  1×10⁻⁶ per year

This target covers the individual risk of death to a worker on the site, from all on-site accident sequences that result in exposure to ionising radiation. It requires the calculation of the maximum effective dose to the worker potentially most exposed to ionising radiation for each sequence; this will be done using a best estimate approach.

The risk of death from an on-site accident for persons on-site is considered bounded from the doses received at the site boundary (0.5 miles, 0.8km), directly downwind, during the entire exposure period of 24 hours following the onset of core damage. No mitigating effects are taken into account, including sheltering and evacuation. The risk of death is 2.58×10⁻⁸ per year (see Table 5.4.3-3) which is an order of magnitude below the BSO. This is based on the Sv whole body dose per year summed for each release category (see Table 5.5.3-1 for an explanation of release categories), which is based on the reference site defined in the ALWR URD (Reference 5.17), multiplied by the fatality risk of 5% per Sv.


The most significant release category is early containment failure (CFE) due to some dynamic severe accident phenomena, such as hydrogen detonation, hydrogen diffusion flame, steam explosions and vessel failures. The risk of death for this release category is 1.58×10⁻⁸ per year. The next release category is containment bypass (BP) with fission products being released directly from the RCS to the environment via the secondary system or other interfacing system bypass. The risk of death for this release category is 6.05×10⁻⁹ per year. These risks are about two orders of magnitude below the BSO. At this level, further ALARP justification would be grossly disproportionate. The target is thus satisfied.

Table 5-3 Site Boundary Whole Body 24-hour Dose Results

Category  Release Frequency     Mean Dose   Risk             Percentage Contribution
          (per reactor year)    (Sievert)   (Sv per year)    to Total Risk
CFI       1.89E-10              3.25E+01    6.14E-09         1.2
CFE       7.47E-09              4.23E+01    3.16E-07         61.4
IC        2.21E-07              1.82E-02    4.02E-09         0.8
BP        1.05E-08              1.15E+01    1.21E-07         23.5
CI        1.33E-09              5.10E+01    6.78E-08         13.2
CFL       3.45E-13              2.54E+01    8.90E-12         0.0
Total     2.4E-07                           5.15E-07         100.0

Risk of Death = 2.58E-08

Note: Risk of death = risk (Sv per year) x 0.05 (death per Sv)

5.4.4.3 Target 6

This target sets limit and objectives on the frequency of occurrence of individual accidents that result in a dose to an individual on site. The limit varies with the predicted effective dose resulting from the accident: the higher the accident’s dose, the lower the limit on its frequency.

Effective dose, mSv    Predicted frequency per annum
                       BSL        BSO
2 – 20                 1×10⁻¹     1×10⁻³
20 – 200               1×10⁻²     1×10⁻⁴
200 – 2000             1×10⁻³     1×10⁻⁵
> 2000                 1×10⁻⁴     1×10⁻⁶

The target frequencies are grouped into bands, each covering a decade. All the release categories other than late containment failure (CFL) result in doses that exceed 2 Sv and therefore need to be assessed against the BSO frequency of 1×10⁻⁶ per year. Table 5.4.3-3 gives the total release frequency as 2.4×10⁻⁷ per year. This is below the BSO and thus the target is met.


5.4.4.4 Target 7

The limit on the risk of death from an on-site accident that releases ionising radiation, for any person off site:

BSL  1×10⁻⁴ per year

BSO  1×10⁻⁶ per year

Using the same methodology as for Target 5, but assuming 72 hours exposure at the site boundary, the risk of death from Table 5.4.3-4 is 2.78×10⁻⁸ per year. This is more than an order of magnitude below the BSO, thus the target is met and further ALARP justification would be grossly disproportionate.

Table 5-4 Site Boundary Whole Body 72-hour Dose Results

Category  Release Frequency     Mean Dose   Risk             Percentage Contribution
          (per reactor year)    (Sievert)   (Sv per year)    to Total Risk
CFI       1.89E-10              3.49E+01    6.60E-09         1.2
CFE       7.47E-09              4.60E+01    3.44E-07         61.8
IC        2.21E-07              2.21E-02    4.88E-09         0.9
BP        1.05E-08              1.23E+01    1.29E-07         23.2
CI        1.33E-09              5.40E+01    7.18E-08         12.9
CFL       3.45E-13              2.80E+01    9.66E-12         0.0
Total     2.4E-07                           5.56E-07         100.0

Risk of Death = 2.78E-08

Note: Risk of death = risk (Sv per year) x 0.05 (death per Sv)

5.4.4.5 Target 8

This target sets the maximum value allowed for the total predicted frequency of accidents in the facility that result in a specific dose to an individual off the site. Radiological analysis is required to evaluate the maximum effective dose for a hypothetical person located at the point of greatest dose for each accident sequence. A different target is set according to the magnitude of the dose involved; that is, the higher the dose, the lower the allowed value of the frequency. The target values are as follows:

Effective dose, mSv    Total predicted frequency per year
                       BSL        BSO
0.1 – 1                1          1×10⁻²
1 – 10                 1×10⁻¹     1×10⁻³
10 – 100               1×10⁻²     1×10⁻⁴
100 – 1000             1×10⁻³     1×10⁻⁵
> 1000                 1×10⁻⁴     1×10⁻⁶


Table 5.4.3-4 gives the frequency and expected whole body dose for each category of release of radioactivity.

The AP 1000 has no predicted releases in the first two (0.1-1 and 1-10 mSv) dose bands.

Release category IC is in the third (10-100mSv) dose band, with a dose of 22.1mSv. The predicted frequency for the IC release category is 2.21×10⁻⁷ per year. This is below the BSO for this dose band of 1×10⁻⁴ per year by three orders of magnitude. At this level, further ALARP justification would be grossly disproportionate. The target is thus satisfied.

The AP 1000 has no predicted releases in the fourth (100-1000mSv) dose band.

All other release categories are in the fifth dose band, with doses in excess of 1Sv. The summation of their predicted frequencies is 1.95×10⁻⁸ per year. This is below the BSO for this dose band of 1×10⁻⁶ per year by two orders of magnitude. At this level, further ALARP justification would be grossly disproportionate. The target is thus satisfied.
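The note to Tables 5-3 and 5-4 gives the arithmetic behind Targets 5 and 7, and the Target 8 assessment above sorts the same release categories into dose bands. The following is an added worked example, not code from the PCSR: it transcribes the release frequencies and mean 72-hour doses of Table 5-4, recomputes each category's risk in Sv per year and its share of the total, applies the 0.05 deaths per Sv factor to obtain the Target 7 risk of death, and then sums release frequency into the Target 8 dose bands and compares each band with its BSO. Substituting the 24-hour values of Table 5-3 reproduces the Target 5 figure in the same way. The function names and the band tuple layout are this example's own; the numbers are the page's.

```python
"""Site-boundary dose risk per release category and NII Target 8 dose banding.

Added worked example; not code from the PCSR. Values are transcribed from
Table 5-4; the arithmetic follows that table's note (risk = frequency × mean
dose, risk of death = risk × 0.05) and the Target 8 band limits tabulated in
subsection 5.4.4.5.
"""

# (release category, release frequency per reactor-year, mean 72-hour dose in Sv)
TABLE_5_4 = [
    ("CFI", 1.89e-10, 3.49e1),
    ("CFE", 7.47e-9, 4.60e1),
    ("IC", 2.21e-7, 2.21e-2),
    ("BP", 1.05e-8, 1.23e1),
    ("CI", 1.33e-9, 5.40e1),
    ("CFL", 3.45e-13, 2.80e1),
]

FATALITY_RISK_PER_SV = 0.05  # deaths per Sv, from the note to Table 5-4

# Target 8: (lower mSv inclusive, upper mSv exclusive, BSL per year, BSO per year)
TARGET_8_BANDS = [
    (0.1, 1.0, 1.0, 1e-2),
    (1.0, 10.0, 1e-1, 1e-3),
    (10.0, 100.0, 1e-2, 1e-4),
    (100.0, 1000.0, 1e-3, 1e-5),
    (1000.0, float("inf"), 1e-4, 1e-6),
]


def risk_table(rows=TABLE_5_4):
    """Return ({category: (risk in Sv/yr, % of total risk)}, total risk in Sv/yr)."""
    risks = {cat: freq * dose for cat, freq, dose in rows}
    total = sum(risks.values())
    return {cat: (r, 100.0 * r / total) for cat, r in risks.items()}, total


def total_release_frequency(rows=TABLE_5_4):
    """Sum of release frequencies, the figure compared with Target 6."""
    return sum(freq for _, freq, _ in rows)


def risk_of_death(rows=TABLE_5_4, per_sv=FATALITY_RISK_PER_SV):
    """Individual risk of death per year, as in the note to Tables 5-3 and 5-4."""
    _, total = risk_table(rows)
    return total * per_sv


def target_8_assessment(rows=TABLE_5_4, bands=TARGET_8_BANDS):
    """Sum release frequency into each Target 8 dose band and compare with its BSO.

    Returns {(lo_mSv, hi_mSv): (summed frequency, BSO, meets_BSO)} for every
    band that receives at least one release category; doses are converted from
    Sv to mSv. A category below 0.1 mSv falls in no band and is ignored.
    """
    summed = {}
    for _cat, freq, dose_sv in rows:
        dose_msv = dose_sv * 1000.0
        for lo, hi, _bsl, bso in bands:
            if lo <= dose_msv < hi:
                prev, _ = summed.get((lo, hi), (0.0, bso))
                summed[(lo, hi)] = (prev + freq, bso)
                break
    return {band: (f, bso, f < bso) for band, (f, bso) in summed.items()}


if __name__ == "__main__":
    per_cat, total = risk_table()
    for cat, (r, pct) in per_cat.items():
        print(f"{cat:4s} risk {r:.2e} Sv/yr ({pct:4.1f}%)")
    print(f"total risk {total:.2e} Sv/yr, risk of death {risk_of_death():.2e}/yr")
    for (lo, hi), (f, bso, ok) in sorted(target_8_assessment().items()):
        print(f"band {lo:g}-{hi:g} mSv: {f:.2e}/yr vs BSO {bso:.0e}"
              f" -> {'meets' if ok else 'exceeds'}")
```

The band comparison is deliberately per band rather than per category: Target 8 limits the total frequency of all accidents landing in a dose band, so the five categories above 1 Sv are summed before being set against the 1×10⁻⁶ per year BSO, which is how the 1.95×10⁻⁸ per year figure above arises.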

5.4.4.6 Target 9

The limit on the risk of 100 or more deaths from on-site accidents that release ionising radiation:

BSL  1×10⁻⁵ per year

BSO  1×10⁻⁷ per year

As a measure of the societal concerns that would result from a major accident, a representative target has been defined. It is based on an accident leading to 100 or more immediate or eventual fatalities, mainly from very low doses to very large populations that lead to stochastic deaths. The safety case needs to identify all accidents that result in source terms that could cause 100 or more deaths. The total probability of all such accidents should be calculated, taking account of the frequency distribution of the source terms together with probabilistic weather conditions, and including both on-site and off-site fatalities.

The LRF for at-power plant events (excluding seismic, fire, and flood events) is 1.95×10⁻⁸ events per reactor-year. The AP 1000 safety goal for the LRF is that a 24-hour, whole-body, site boundary dose greater than 25rem (0.25Sv) has a frequency of less than 1×10⁻⁶ per year. Thus the AP1000 satisfies its own safety goal that bounds Target 9 by an order of magnitude. At this level, further ALARP justification would be grossly disproportionate.

5.4.4.7 Important Common Causes/Modes

The risk increase importance values for common cause failures of the following sets of components show that these are also of potential significance to the current low level of CDF from plant events:

• Common cause failure of software in the protection and safety monitoring system and plant control system, logic board failures of the protection and safety monitoring system; failures of transmitters used in the protection and safety monitoring system.

• Failures of reactor trip breakers.

• Plugging of containment sump recirculation screens.


• Failures of in-containment refuelling water storage tank gravity injection line check valves and squib valves.

• Plugging of strainers in the in-containment refuelling water storage tank.

• Failures of fourth-stage automatic depressurisation system squib valves.

• Failures of output cards for the protection and safety monitoring system.

These and similar common cause failures are of potential significance in maintaining the current level of low plant CDF.

The leading risk decrease common cause failures of hardware are associated with ADS fourth stage squib valves, gravity injection and recirculation line components, and I&C components and sensors.

5.4.4.8 Dependence on Operator Action

The results of the PRA show that the AP1000 has significantly less dependence on operator action to reduce plant risk to acceptable levels than current plants. This was shown through the sensitivity analyses and the operator action contributions from both the risk decrease and risk increase measures. Almost all operator actions credited in this PRA are performed in the control room; there are very few local actions outside the control room. Further, the human actions modelled in the AP 1000 PRA are generally simple. Thus, the tasks for AP 1000 operators are easier and less likely to fail. If it were assumed that the operators never perform any actions credited in the PRA, the plant events CDF would still be lower than the result obtained for many current pressurised water reactors including operator actions. This low dependence on operator action is therefore ALARP.

5.4.4.9 Treatment of Equipment Reliability

The highest system unavailabilities (i.e., 1×10⁻² to 1×10⁻³, indicating lower reliability) are associated with non Class 1 safety systems or non Category 1 functions.

The lower unavailabilities (i.e., 1×10⁻³ to 1×10⁻⁵, indicating higher reliability) are associated with Class 1 safety significant systems, due to the nature of the system design (passive systems). Moreover, multiple means of success exist for transients and credible loss-of-coolant accident events. This means that a failure of a safety significant system will not lead to core damage, because other systems back up the first one. This defence-in-depth philosophy contributes to the low CDF.

The AP1000 D-RAP identifies those SSCs that should be given priority in maintaining their reliability through surveillance, maintenance, and quality control actions during plant operation. The PRA importance and sensitivity analyses identify those systems and components important in plant risk in terms of either risk increase (for example, what happens to plant risk if a system or component, or a train is unavailable), or in terms of risk decrease (for example, what happens to plant risk if a component or a train is perfectly reliable/available). This ranking of components and systems in such a way provides an input for the reliability assurance program. For more information on the AP1000 reliability assurance programme, refer to Section 17.4 of Reference 5.6.


5.4.4.10 Shutdown PRA

The AP1000 Level 1 shutdown PRA has estimated the CDF to be 1.23×10⁻⁷ events/year, see Table 5.4.3-1. This CDF is conservative because credit is not taken for the design enhancement of using diverse squib valves in the recirculation lines. If credit were taken for the diverse squib valves in the recirculation lines of the AP1000 plant, the estimated CDF of the Level 1 shutdown PRA would be 1.04×10⁻⁷ per year.

The LRF is estimated to be 2.05×10⁻⁸ per year, see Table 5.4.3-1. This frequency for events at shutdown is comparable to the release frequency for plant events at power.

The results of the low-power and shutdown assessment show that the AP1000 design includes redundancy and diversity at shutdown. In particular, the in-containment refuelling water storage tank provides a unique safety backup to the normal residual heat removal system. Maintenance at shutdown has less impact on the defence-in-depth features for AP1000. In accordance with plant technical specifications, safety significant system planned maintenance is performed only during those shutdown modes when the protection provided by the safety significant system is not required. Further, maintenance of non Class 1 safety systems, such as the normal residual heat removal system, component cooling water system, and service water system, is performed at power to avoid adversely affecting shutdown risk. These contribute to the extremely low shutdown core damage frequency.

The risk from the spent fuel pool has been evaluated in Reference 5.18. The fuel damage frequency is 1.59×10⁻¹⁰ per year. This is dominated by the loss of component cooling/service water system (78%). The second largest contributor is loss of offsite power leading to station blackout (17%).

5.4.5 Sensitivity Analysis

The results of the sensitivity analyses show that the protection and safety monitoring system and the Class 1E dc power system are most important in maintaining a low CDF. The risk-important systems are safety significant systems. The Class 1 safety systems are all of high or medium importance. The non-Class 1 safety systems are only marginally important to the plant CDF.

A sensitivity analysis is made for the unavailability of all five of the standby non-Class 1 safety systems (chemical and volume control system (CVS), start-up feedwater system (SFW), normal residual heat removal system (RNS), diverse actuation system (DAS), diesel generators (DGs)). The plant CDF obtained is 7.40×10⁻⁶, which is a factor of 31 increase over the base case. This sensitivity analysis shows that if no credit is taken for non-Class 1 safety systems then the plant CDF, and hence any impact on the workers or the public, would increase to just above the BSO, confirming that they are only marginally important and rated appropriately.

An additional sensitivity analysis has been undertaken on the margin in the control and instrumentation reliability. Reference 5.19 evaluates three cases. Sensitivity cases 1 and 2 both evaluate the effect of increasing the probability for software common cause failure of the AP1000 protection and safety monitoring system (PMS) and the plant control system (PLS) while making no change to the diverse actuation system (DAS) value. The failure probabilities for PMS and PLS are increased by the same factor of 100 for case 1, with an additional factor of 4.5 on PLS for case 2. The core damage and large release frequencies increased by factors of 2.1 and 2.2 for CDF and 12 and 13 for LRF respectively. Case 3 looked at the effect of increasing the reliability of DAS by a factor 2 which changed the CDF by a factor of 1.9 and LRF by a factor of 9.9, restoring some of the margin lost in cases 1 and 2. The sensitivity analysis demonstrated acceptable results were still obtained if margins were lost.


5.4.6 PRA Conclusions

A summary of the insights gained from the PRA about the AP1000 design includes:

• The AP1000 design benefits from the high level of redundancy and diversity of the passive safety significant systems. The passive systems have been shown to be highly reliable, and their designs are simple, so that only a limited number of components are required to function.

• The non-Class 1 safety support systems (ac power, component cooling water, service water, and instrument air) have a limited role in the plant risk profile because the passive safety significant systems do not require cooling water or ac power.

• AP1000 is less dependent on human actions. Even when no credit is taken for operator actions, the AP1000 meets the acceptance targets discussed in Section 5.4.3.1.

• The core damage and large release frequencies are low despite the conservative assumptions made in specifying success criteria for the passive systems. The success criteria have been developed in a more systematic, rigorous manner than typical PRA success criteria. The baseline success criteria are bounding cases for a large number of PRA success sequences. The baseline success sequences, in most cases, have been defined with:

i. Worst (i.e. the most limiting) break size and location for a given initiating event

ii. Worst ADS assumption in the success criterion

iii. Worst number of available CMTs and accumulators

iv. Worst containment conditions for in-containment refuelling water storage tank (IRWST) gravity injection

Many less-limiting sequences are therefore represented by a baseline success criterion.

• Single system or component failures are not overly important due to the redundancy and diversity of safety significant systems in the design. For example, the following lines of defence are available for reactor coolant system (RCS) makeup:

i. CVS and Core make-up tanks

ii. Partial automatic depressurisation system in combination with normal residual heat removal

iii. Full automatic depressurisation system with accumulators and in-containment refuelling water storage tank

iv. Full automatic depressurisation system with core makeup tanks and in-containment refuelling water storage tank

• Typical current PRA dominant initiating events are significantly less important for the AP1000. For example, the reactor coolant pump (RCP) seal LOCA event has been eliminated as a core damage initiator, since the AP1000 uses canned motor reactor coolant pumps which do not have seals. Another example is the loss of offsite power (LOOP) event: station blackout and loss of offsite power are minor contributors for the AP1000, since the passive safety significant systems do not require the support of ac power.

• Passive safety significant systems are available in all shutdown modes. Planned maintenance of passive features is only performed during shutdown modes when that feature is not risk important. In addition, planned maintenance of non-safety significant defence-in-depth features used during shutdown is performed at power.

• The AP1000 passive containment cooling design is highly robust. Air cooling alone is significant and may prevent containment failure, although the design has other lines of defence for containment cooling such as fan coolers and passive containment cooling water.

• The potential for containment isolation failure and containment bypass is lessened by having fewer penetrations through which fission products could be released. In addition, normally open and risk-important penetrations are fail-closed, thus eliminating the dependence on instrumentation and control (I&C) and batteries.

• The reactor vessel lower head has no vessel penetrations, thus eliminating penetration failure as a potential vessel failure mode. Preventing the relocation of molten core debris to the containment eliminates the occurrence of several severe accident phenomena, such as ex-vessel fuel-coolant interactions and core-concrete interaction, which may threaten the containment integrity. Therefore the AP1000, through the prevention of core debris relocation to the containment, significantly reduces the likelihood of containment failure.

• The potential for the spreading of fires and floods to safety significant equipment is significantly reduced by the AP1000 layout.

5.5 Severe Accident Analysis

5.5.1 Introduction

The core damage event trees modelled in the Level 1 PRA identify three types of end states for the sequences defined in the event trees:

• Success end states where core damage is avoided.

• Late containment failure end states (LCF), where containment heat removal by either the PCS or the CCS heat exchangers via the NRS fails. This end state is treated separately in the Level 2 analysis.

• Core damage end states.

The event trees modelled in the Level 1 PRA identify all of the plant event sequences that lead to core damage. Many of the core damage sequences have common characteristics with respect to the reactor system and containment system response. Such sequences can be grouped together into end states (plant damage states) to reduce the number of containment event trees that need to be quantified. The end states form the link between the core damage event tree and the containment event tree.

The containment event tree is a tool that provides a logical and practical structure for uniting the complex phenomenology of postulated severe accident event sequences. The treatment of severe accidents provided by the containment event tree provides assurance that important contributors to fission-product release are identified and evaluated in a structured and disciplined approach. The bases for the nodes on the tree are supported by analyses, evaluations and testing, empirical data from past studies, and by the AP1000 design.

5.5.2 Identification of Plant Damage States

The core damage sequences from the Level 1 PRA are grouped together into end states or plant damage states (PDSs) on the basis of similarities in the following characteristics:

• The initiating event type, such as LOCA, transient, and ATWS leading to core damage.

• The primary system pressure at the time of initial core damage (high or low).

• Timing of core damage (early or late).

• Containment integrity at the time of core damage (intact or impaired).

• Availability of safety systems at the time of core damage.

• Disposition of water in the containment at the time of core damage.

• Containment pressure and temperature at the time of core damage.

For each end state, an equation made up of the Boolean sum of the minimal cutsets for all sequences combined into that class is prepared. The cutset equations for the end states are used as input for the quantification of the containment event trees.

Table 5-5 summarises the core damage end states that emerge as the dominant ones at the end of the plant core damage calculations. The frequency of each plant damage state is calculated by adding the frequencies of all the Level 1 sequences assigned to it. Each plant damage state is connected to a containment event tree.
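As an added illustration of the grouping and cutset merging described above (example code, not part of the PCSR and not Westinghouse's PRA model), the Python below assigns constructed Level 1 sequences to plant damage states using the attributes listed in this section, forms the Boolean sum of their minimal cutsets with absorption, and quantifies each plant damage state with the rare-event approximation. Every sequence name, basic event, initiating event frequency and probability in the block is an assumption made for the example; only the grouping attributes and the Boolean-sum-of-minimal-cutsets approach come from the text.

```python
"""Grouping Level 1 core damage sequences into plant damage states (PDSs).

Added worked example, not Westinghouse code. Sequence names, cutsets and
all numerical values are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Tuple

Cutset = FrozenSet[str]
PdsKey = Tuple[str, str, str, str]


@dataclass(frozen=True)
class Sequence:
    name: str
    initiator: str      # LOCA, TRANSIENT, ATWS, ...
    rcs_pressure: str   # "high" or "low" at onset of core damage
    timing: str         # "early" or "late" core damage
    containment: str    # "intact" or "impaired" at onset of core damage
    cutsets: FrozenSet[Cutset]


# Constructed per-year initiating event frequencies (IE-*) and per-demand
# basic event probabilities (assumed values, not AP1000 data).
DATA = {
    "IE-SLOCA": 5e-4, "IE-TRANS": 1.0,
    "CMT-A-FAIL": 1e-3, "CMT-B-FAIL": 1e-3, "ADS-CCF": 1e-4,
    "PRHR-FAIL": 5e-3, "IRWST-INJ-CCF": 2e-5,
}


def cs(*events: str) -> Cutset:
    return frozenset(events)


# Constructed sequences; two LOCA sequences share a PDS and one of them
# carries a cutset that is absorbed once the PDS equation is formed.
SEQUENCES = [
    Sequence("SLOCA-03", "LOCA", "high", "early", "intact",
             frozenset({cs("IE-SLOCA", "CMT-A-FAIL", "CMT-B-FAIL"),
                        cs("IE-SLOCA", "ADS-CCF")})),
    Sequence("SLOCA-05", "LOCA", "high", "early", "intact",
             frozenset({cs("IE-SLOCA", "ADS-CCF", "PRHR-FAIL"),   # non-minimal after merging
                        cs("IE-SLOCA", "PRHR-FAIL", "IRWST-INJ-CCF")})),
    Sequence("TRANS-04", "TRANSIENT", "high", "early", "intact",
             frozenset({cs("IE-TRANS", "PRHR-FAIL", "ADS-CCF")})),
]


def pds_key(seq: Sequence) -> PdsKey:
    """PDS attributes from Section 5.5.2 that decide which containment event tree a sequence feeds."""
    return (seq.initiator, seq.rcs_pressure, seq.timing, seq.containment)


def minimise(cutsets: Iterable[Cutset]) -> FrozenSet[Cutset]:
    """Boolean sum with absorption: A + A*B = A, so drop every cutset that
    contains another cutset. Shortest-first ordering makes one pass sufficient."""
    kept: List[Cutset] = []
    for c in sorted(set(cutsets), key=len):
        if not any(k <= c for k in kept):
            kept.append(c)
    return frozenset(kept)


def cutset_frequency(c: Cutset, data: Dict[str, float]) -> float:
    f = 1.0
    for ev in c:
        f *= data[ev]
    return f


def rare_event_frequency(cutsets: Iterable[Cutset], data: Dict[str, float]) -> float:
    """Rare-event approximation: sum of cutset frequencies (valid while each term is << 1)."""
    return sum(cutset_frequency(c, data) for c in cutsets)


def quantify_pds(sequences: Iterable[Sequence], data: Dict[str, float]) -> Dict[PdsKey, dict]:
    """Merge each PDS's sequences into one minimal cutset equation and quantify it."""
    merged: Dict[PdsKey, set] = {}
    for s in sequences:
        merged.setdefault(pds_key(s), set()).update(s.cutsets)
    out: Dict[PdsKey, dict] = {}
    for key, raw in merged.items():
        mins = minimise(raw)
        out[key] = {"cutsets": len(mins), "freq": rare_event_frequency(mins, data)}
    return out


def plain_sum(sequences: Iterable[Sequence], data: Dict[str, float]) -> Dict[PdsKey, float]:
    """Adding sequence frequencies directly: equal to the Boolean result only when
    no cutset is shared with, or absorbed by, another sequence in the same PDS."""
    out: Dict[PdsKey, float] = {}
    for s in sequences:
        out[pds_key(s)] = out.get(pds_key(s), 0.0) + rare_event_frequency(s.cutsets, data)
    return out


if __name__ == "__main__":
    boolean = quantify_pds(SEQUENCES, DATA)
    summed = plain_sum(SEQUENCES, DATA)
    for key in boolean:
        print(key, f"{boolean[key]['cutsets']} minimal cutsets,",
              f"Boolean sum {boolean[key]['freq']:.3e}/yr, plain sum {summed[key]:.3e}/yr")
```

The check worth keeping from this example is the comparison between `quantify_pds` and `plain_sum`: the two agree only when the sequences feeding a plant damage state share no cutsets, so a plain addition of sequence frequencies is an upper bound on the Boolean result and the difference measures how much absorption the merged equation removed.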

Table 5-5 Plant Damage States

End State  Subclass    Definition

1          A           Core damage with RCS at high pressure following transient or very small LOCA
1          AP          Core damage with no depressurisation following small LOCA and very small LOCA with passive residual heat removal operating, or medium LOCA
1          B           Core damage following loss of offsite power not recovered in 24 hours
1          C           Core damage following loss of all dc power supply
1          D           Core damage with partial depressurisation of RCS following transient
2          -           Loss of containment integrity - potential core damage following loss of containment water inventory
3          A           Core damage with RCS at high pressure following anticipated transient without scram or main steam line break inside containment
3          BR          Core damage following LOCA or other events with full RCS depressurisation, but CMT and accumulator failed
3          BA          Medium LOCA without CMT and accumulator; core melt is arrested by normal residual heat removal injection
3          BE          Core damage following large LOCAs or other event with full depressurisation
3          BL          Core damage at long term following failure of water recirculation to RPV after successful gravity injection
3          EE, ER, EL  Same as 3BE, 3BR, 3BL with SBO initiating event
3          C           Core damage following vessel rupture
3          D           Core damage following LOCA (except large) with partial depressurisation
5          -           Core damage sequences with steam line break upstream of unisolated MSIV
6          E           Core damage following steam generator tube rupture or ISLOCA. The containment is bypassed. Early core damage (loss of injection)
6          L           Core damage following steam generator tube rupture. The containment is bypassed. Late core damage (loss of recirculation)

5.5.3 Construction of the Containment Event Tree

The nodes on the containment event tree describe the points in the accident progression that may affect the containment integrity. Typical top events are related to:

• Containment systems that are not evaluated in the Level 1 analysis, which can mitigate large releases.

• Operator actions to mitigate large releases.

• Severe accident phenomena that may challenge the containment integrity.

The containment event tree considers the following phenomena that represent the severe accident issues relevant to the AP1000 containment integrity:

• In-vessel fuel-coolant interactions.

• In-vessel hydrogen generation.

• Creep rupture failure of steam generator tubes.

• High-pressure melt ejection.

• Melt attack on the containment pressure boundary.

• Containment overpressurisation from decay heat.

• Reactor vessel integrity.

• Ex-vessel fuel-coolant interactions.

• Core-concrete interaction and hydrogen generation.

• Hydrogen deflagration and detonation.

• Elevated temperatures of the containment shell (diffusion flame heating).

• Elevated gas temperatures (equipment survivability).

Operator actions and containment systems that address, prevent, or mitigate the severe accident phenomena are considered on the containment event tree. The operator actions and systems that are explicitly modelled on the containment event tree are:

• Depressurisation of anticipated transient without scram or high-pressure sequences after core uncovery.

• Containment isolation.

• Passive containment cooling.

• Containment Venting.

• Reactor cavity flooding to submerge the vessel.

• Hydrogen control (glow-plug igniters).

The end-state of each path on the containment event tree describes the effectiveness of the containment to mitigate offsite doses for that accident sequence. The radiological consequences of the core-melt accident are largely determined by three major considerations:

• The mode of the postulated containment failure (bypass, isolation failure, gross failure, or intact containment).

• The time of postulated containment failure relative to the time of major fission-product release from the core or core debris.

• Fission-product removal mechanisms in the containment.

Natural deposition processes (gravitational settling, thermophoresis, and diffusiophoresis) are the primary removal mechanisms that scrub aerosols from the containment atmosphere. These natural processes are time-dependent; thus the mode of containment failure, the timing of the containment failure, and the magnitude of the offsite release are directly related and are treated together in the development of the AP1000 containment event tree.

For the purposes of the offsite doses, time zero occurs after core uncovery when significant fission-product masses are released from the fuel. During the initial stages of the severe accident, the core uncovers and the fuel temperature rapidly increases because of decay heat and heat of zirconium oxidation. The core heat up leads to failure of the fuel rod cladding. As the cladding fails, a fraction of the noble gases and volatile fission products, normally present in the fuel-clad gap, is released into the reactor coolant system. This is the “gap release.” As the fuel pellet temperature rises toward the melting point, the release of volatile fission products from the fuel is enhanced. This is “temperature-enhanced release.” During the melting of the fuel matrix, a large proportion of the total core inventory of volatile fission products is released from the fuel. This is the “melt release.”

The gap release, temperature-enhanced release, and initiation of melt release occur sufficiently close together that they are considered to occur coincidentally and termed the onset of core damage. Indications of the onset of core damage are in-vessel hydrogen generation and noble gas and volatile fission products in the reactor coolant system and containment.

The AP1000 release category definitions consider four time frames for the definition of release categories:

• Time frame 1: accident initiation until onset of core damage.

• Time frame 2: onset of core damage until end of core relocation.

• Time frame 3: after the end of core relocation until 24 hours after core damage.

• Time frame 4: greater than 24 hours after core damage.

Each release category is represented by a fission-product source term that is used to evaluate the offsite consequences in the Level 3 analysis. The source term is an offsite release specified in terms of timing, magnitude, and energy. The release categories define the timing and the magnitude of the releases, and the energy is conservatively assumed to be very low to maximise the site boundary doses. The release categories are summarised in Table 5-6.

Table 5-6 Release Category Definitions

Columns: Release category; Definition; Description; Release magnitude; Release time frame

IC   Intact containment
     Containment integrity is maintained throughout the accident, and the release of radiation to the environment is due to nominal leakage.
     Release magnitude: normal leakage. Release time frame: -

BP   Containment bypass
     Fission products are released directly from the RCS to the environment via the secondary system or other interfacing system bypass. Containment failure occurs prior to onset of core damage.
     Release magnitude: large release. Release time frame: 1

CI   Containment isolation failure
     Fission-product release through a failure of the system or valves that close the penetrations between the containment and the environment. Containment failure occurs prior to onset of core damage.
     Release magnitude: large release. Release time frame: 1

CFE  Early containment failure
     Fission-product release through a containment failure caused by a severe accident phenomenon occurring after the onset of core damage but prior to core relocation. Such phenomena include hydrogen combustion phenomena, steam explosions, and vessel failure.
     Release magnitude: large release. Release time frame: 2

CFV  Containment venting
     Fission-product release through a containment vent line during intentional depressurisation of the containment.
     Release magnitude: controlled release. Release time frame: 3

CFI  Intermediate containment failure
     Fission-product release through a containment failure caused by a severe accident phenomenon, such as hydrogen combustion, occurring after core relocation but before 24 hours.
     Release magnitude: large release. Release time frame: 3

CFL  Late containment failure
     Fission-product release through a containment failure caused by a severe accident phenomenon, such as a failure of passive containment cooling, occurring after 24 hours.
     Release magnitude: large release. Release time frame: 4

5.5.4 Quantification of Release Frequencies

Once the containment event trees have been constructed, and the release categories defined and assigned, it is possible to calculate the large release frequency (LRF). The LRF is simply the frequency of containment failure plus that of the bypass sequences, and is calculated by summing the frequencies of the BP, CI, CFE, CFI, CFL, and CFV release categories.
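As an added worked example of the quantification described in Sections 5.5.3 and 5.5.4 (example code, not the AP1000 containment event tree and not Westinghouse's PRA model), the Python below walks a small containment event tree whose top events are the systems and operator actions listed in Section 5.5.3, multiplies each plant damage state frequency down every path, accumulates the frequency reaching each release category of Table 5-6, and then forms the LRF from the BP, CI, CFE, CFI, CFL and CFV categories together with the containment effectiveness (1 minus LRF over CDF). The tree shape, the plant damage state frequencies and every branch probability are assumptions made for the example; the assignment of hydrogen combustion wholly to the intermediate time frame is a simplification of Table 5-6, which also allows early combustion.

```python
"""Containment event tree (CET) quantification to release categories and LRF.

Added worked example, not Westinghouse code. Tree shape, PDS frequencies
and branch probabilities are constructed; release category codes and the
LRF definition follow Table 5-6 and Section 5.5.4.
"""
from dataclasses import dataclass
from typing import Dict, Union

LARGE_RELEASE = ("BP", "CI", "CFE", "CFI", "CFL", "CFV")  # LRF summands, Section 5.5.4


@dataclass(frozen=True)
class Node:
    """One CET top event; each branch leads to a child node or to a release category leaf."""
    top_event: str
    success: Union["Node", str]
    failure: Union["Node", str]


# Constructed CET. The first failing barrier fixes the release category and so
# the Table 5-6 time frame: CI (frame 1), CFE (frame 2), CFI/CFV (frame 3), CFL (frame 4).
CET = Node("containment_isolation",
    success=Node("rcs_depressurisation",          # high-pressure melt assumed to fail/bypass containment
        success=Node("cavity_flooding_ivr",       # vessel failure leads to ex-vessel phenomena
            success=Node("hydrogen_control",      # igniters; combustion placed after relocation (simplification)
                success=Node("passive_containment_cooling",
                    success="IC",
                    failure=Node("containment_venting", success="CFV", failure="CFL")),
                failure="CFI"),
            failure="CFE"),
        failure="CFE"),
    failure="CI")

# Constructed plant damage states (frequency per reactor-year) with the
# attributes that change branch probabilities. Not AP1000 values.
PDS = {
    "1A":  {"freq": 6.0e-8, "high_pressure": True,  "bypass": False},
    "3BE": {"freq": 1.1e-7, "high_pressure": False, "bypass": False},
    "6E":  {"freq": 3.0e-9, "high_pressure": True,  "bypass": True},
}


def failure_probability(top_event: str, pds: dict) -> float:
    """Conditional failure probability of a top event given the PDS (constructed values)."""
    table = {
        "containment_isolation": 1e-3,
        # a PDS already at low pressure cannot fail the depressurisation node
        "rcs_depressurisation": 1e-1 if pds["high_pressure"] else 0.0,
        "cavity_flooding_ivr": 5e-3,
        "hydrogen_control": 2e-2,
        "passive_containment_cooling": 1e-2,
        "containment_venting": 0.5,
    }
    return table[top_event]


def quantify(node: Union[Node, str], freq: float, pds: dict, out: Dict[str, float]) -> None:
    """Walk the CET, multiplying the PDS frequency along each path and
    accumulating the frequency that reaches each release category leaf."""
    if isinstance(node, str):
        out[node] = out.get(node, 0.0) + freq
        return
    p_fail = failure_probability(node.top_event, pds)
    quantify(node.success, freq * (1.0 - p_fail), pds, out)
    quantify(node.failure, freq * p_fail, pds, out)


def release_category_frequencies(pds_table: Dict[str, dict] = PDS) -> Dict[str, float]:
    out: Dict[str, float] = {}
    for pds in pds_table.values():
        if pds["bypass"]:
            # Containment bypassed before core damage (SGTR, ISLOCA): no CET credit, straight to BP.
            out["BP"] = out.get("BP", 0.0) + pds["freq"]
        else:
            quantify(CET, pds["freq"], pds, out)
    return out


def large_release_frequency(rc: Dict[str, float]) -> float:
    return sum(rc.get(c, 0.0) for c in LARGE_RELEASE)


def containment_effectiveness(rc: Dict[str, float], cdf: float) -> float:
    """Fraction of core damage frequency that ends with an intact containment."""
    return 1.0 - large_release_frequency(rc) / cdf


if __name__ == "__main__":
    rc = release_category_frequencies()
    cdf = sum(p["freq"] for p in PDS.values())
    for cat, f in sorted(rc.items(), key=lambda kv: -kv[1]):
        print(f"{cat:4s} {f:.3e} /yr")
    print(f"LRF = {large_release_frequency(rc):.3e} /yr, "
          f"containment effectiveness = {containment_effectiveness(rc, cdf):.1%}")
```

A useful consistency check on any quantified tree is that the release category frequencies sum back to the CDF: every path ends at exactly one leaf, so frequency is conserved, and a shortfall means a branch was dropped or a conditional probability was applied twice. Note that CFV counts toward the LRF here, as Section 5.5.4 specifies, even though Table 5-6 classes it as a controlled rather than a large release.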

5.5.5 Results

The results of the Level 2 (containment response) and Level 3 (plant risk) analyses for the plant initiating events at power demonstrate that the AP1000 containment design is robust in its ability to prevent releases following a severe accident and that the risk to the public due to severe accidents for AP1000 is very low. The LRF (containment failure frequency) of the AP1000 can be divided into two types of failures:

• Initially failed containment, in which the integrity of the containment is either failed due to the initiating event or already failed from the beginning of the accident.

• Containment failure induced by high-energy severe accident phenomena.

The total of these failures is the overall LRF. The following summarises important results of the containment event tree quantification with respect to LRF.

The overall release frequency for the AP1000 is 1.95×10⁻⁸ events per year. This is approximately 8 percent of the CDF for plant initiating events at power. The ability of the containment to prevent releases (i.e. the containment effectiveness) is therefore 92 percent.

The Level 3 analysis, as shown above, demonstrates that the resulting risk to the population is small and well within the established goals.

The results of the PRA show that the following AP1000 design features provide the ability to respond to various severe accidents and contribute to a very small release frequency and a small release of radioactive material to the environment.

• The capability to flood the reactor cavity prevents the failure of the reactor vessel given a severe accident. The vessel and its insulation are designed so that the water in the cavity is able to cool the vessel and prevent it from failing; that is, in-vessel retention (IVR). By maintaining the vessel integrity, the core debris is retained in the vessel, which eliminates the potential for a large release due to ex-vessel phenomena and their potential to fail the containment.

• The capability to depressurise the reactor coolant system in a high-pressure transient mitigates the consequences of a high-pressure severe accident. Such accidents have a large potential to fail the reactor coolant system pressure boundary (vessel, piping, or steam generator tubes), and such a failure is assumed without further analysis if the reactor coolant system remains at high pressure. A high-pressure failure of the reactor coolant system pressure boundary is assumed to fail or bypass the containment. Thus, the capability to depressurise the reactor coolant system reduces the LRF due to high-pressure severe accidents.

• The annular spaces between the steel containment vessel and the shield building help to reduce the release of radioactive materials to the environment by enhancing the deposition of the materials before they exit the containment.

5.5.6 Severe Accident Analysis Conclusions

The following conclusions can be drawn from the analyses of the severe accident phenomena carried out in support of the AP1000 PRA:

• The design of the AP1000 reactor vessel, vessel insulation and reactor cavity, and the ability to flood the cavity after a severe accident reduce the potential challenges to the containment integrity by maintaining the vessel integrity.

• Should a failure of the reactor vessel occur, the design of the reactor cavity enhances the ability to cool any core debris that exits the vessel.

• Lower head vessel failure due to in-vessel steam explosions is physically unreasonable.

• The ADS and PRHR system are design features that can be used to prevent high-pressure core melt in a severe accident.

• A directly-initiated hydrogen detonation in the AP1000 containment is not a credible event.

• The equipment needed to mitigate the consequences of a severe accident is designed to provide reasonable assurance that it will continue to operate during an accident.

5.6 Safety Analysis Conclusions

Chapter 1 of this PCSR identifies three high-level safety claims:

• The AP1000 is designed to operate in a safe manner throughout its lifecycle.

• The AP1000 SSCs are designed to maintain the plant within prescribed safety limits for postulated fault conditions.

• The AP1000 risks have been reduced to levels that are ALARP.

The deterministic DBA has demonstrated that the AP1000 SSCs are designed to maintain the plant within prescribed safety limits (the acceptance criteria used in the thermal-hydraulic analyses) for postulated fault conditions.

The probabilistic analysis supports the deterministic analysis by providing confidence that the safety systems used to control faulted conditions are tolerant to a single failure of an active component. The PRA also shows that the AP1000 risks are likely to be less than UK targets, recognising that a formal demonstration is still to be presented. This forms a sound basis for the ALARP argument.

Both these demonstrations support the first claim that the AP1000 is designed to operate in a safe manner throughout its lifecycle.

REFERENCES

5.1 WEC, UKP-GW-GLR-003, AP1000 Fault Schedule for the United Kingdom, Rev. 1, September 2009.

5.2 ANSI N18.2 Nuclear Safety Criteria for the Design of Stationary Pressurized Water Reactor Plants, 1973.

5.3 NUREG/CR-2300, A Guide to the Performance of Probabilistic Risk Assessments for Nuclear Power Plants, Volume 1, ANS and IEEE, January 1983.

5.4 NUREG/CR-5750 Rates of Initiating Events at US Nuclear Power Plants 1987-1995, February 1999.

5.5 NUREG/CR-6928, Industry Average Performance for Components and Initiating Events at US Commercial Nuclear Power Plants, Idaho National Laboratory, February 2007.

5.6 WEC, EPS-GW-GL-700, AP1000 European Design Control Document, Rev. 1, December 2009.

5.7 SXB-IP-771001 Sizewell B PWR Pre-Construction Safety Report, Issue C, November 1987.

5.8 NUREG-1512, Final Safety Evaluation Report Related to Certification of the AP600 Standard Design, September 1998.

5.9 WCAP-14565-P-A and WCAP-15306-NP-A, VIPRE-01 Modelling and Qualification for Pressurised Water Reactor Non-LOCA Thermal-Hydraulic Safety Analysis, Sung, Y. X., et al., October 1999.

5.10 CENPD-98-A, COAST Code Description, April 1973 (NRC Approval Letter dated December 4, 1974).

5.11 WCAP-11397-A, Revised Thermal Design Procedure, Friedland, A. J., Ray S., April 1989.

5.12 WCAP-10081-A, Westinghouse Small-Break ECCS Evaluation Model Using the NOTRUMP Code, Lee, N., Rupprecht, S. D., Schwarz, W. R., and Tauche, W. D., August 1985.

5.13 WCAP-12945-P-A, Volumes 1-5, Westinghouse Code Qualification Document for Best Estimate Loss of Coolant Accident Analysis, Revision 1, March 1998.

5.14 NUREG/CR-3862, Development of Transient Initiating Event Frequencies for Use in Probabilistic Risk Assessments, Mackowiak, D. P., Gentillon, C. D., and Smith, K. L., 1985.

5.15 HSE’s Safety Assessment Principles for Nuclear Facilities, Rev. 1, 2006.

5.16 NUREG/CR-1278, Handbook of Human Reliability Analysis with Emphasis on Nuclear Power Plant Applications, Swain, A. D., and Guttmann, H. E., 1983.

5.17 EPRI, Advanced Light Water Reactor Utility Requirements Document, Revision 8, 1999.

5.18 WEC, UKP-GW-GL-743, AP1000 PRA Spent Fuel Pool Evaluation, Rev. 0, December 2008.

5.19 WEC, UKP-GW-GL-744, Control and Instrumentation Sensitivity Cases, Rev. 0, December 2008.

CHAPTER 6: DESCRIPTION OF PLANT SYSTEMS AND THEIR CONFORMANCE WITH DESIGN REQUIREMENTS

6.0 DESCRIPTION OF PLANT SYSTEMS AND THEIR CONFORMANCE WITH DESIGN REQUIREMENTS

6.1 Introduction

The purpose of this chapter is to provide a technical description of the AP1000 plant in order to enable a clear understanding of the safety claims and arguments presented in other chapters of this PCSR.

This section of the PCSR describes the systems and components of the AP1000. First, an overview of the operation of the primary systems (the reactor coolant system and supporting systems) is provided. Then the description of the individual systems and components is provided, split into eight broad groups, each of which is further split into subsections covering individual subsystems or components:

• The reactor system (the reactor vessel and integrated head package, reactor internals, fuel assemblies, rod cluster control assemblies, control rod drive mechanisms and in-core instrumentation).

• The reactor coolant system (the steam generators, pressuriser and associated pumps and pipework).

• The engineered safety features (those subsystems and components making up the passive core cooling and passive containment cooling systems).

• The auxiliary systems (providing water, air and process services).

• The steam and power conversion systems.

• Instrumentation and control.

• Electrical power systems.

• Heating, ventilation and air conditioning (HVAC) systems.

Each subsection provides a brief overview of the subsystem or component, identifies the design requirements for safety during normal operation and faulted conditions and the defence in depth capability, and provides evidence that those requirements can be met.

6.2 Primary Systems General Operation

The reactor coolant system consists of two heat transfer circuits (loops), each with a steam generator, two reactor coolant pumps, a single hot leg and two cold legs for circulating reactor coolant. In addition, the system includes the pressuriser, interconnecting piping, valves, and instrumentation for operational control and safeguards actuation. All reactor coolant system equipment is located in the reactor containment.

During operation, the reactor coolant pumps circulate pressurised water through the reactor vessel then the steam generators. The water, which serves as coolant, moderator, and solvent for boric acid (chemical shim control), is heated as it passes through the core. It is transported to the steam generators where the heat is transferred to the steam system. The water is then returned to the reactor vessel by the pumps to repeat the process.

The primary circuit boundary provides a barrier against the release of radioactivity that is generated within the reactor. It is designed to provide a high degree of integrity throughout the lifetime of the plant.

The reactor coolant system pressure is controlled by the pressuriser, where water and steam are maintained in equilibrium by the activation of electrical heaters or a water spray, or both. The pressure is increased through the generation of steam that is formed by the heaters, and decreased by the condensation of steam by the water sprayers. Spring-loaded safety valves are installed at the top of the pressuriser and provide overpressure protection for the reactor coolant system. These valves discharge into the containment atmosphere.

The reactor coolant system interfaces with a number of auxiliary systems, principally the chemical and volume control system, the normal residual heat removal system, the steam generators, the primary sampling system, the liquid radwaste system and the component cooling water system.

When the reactor is shut down, the steam generators provide cooling until system pressure and temperature are reduced to a level that can be accommodated by the normal residual heat removal system. The normal residual heat removal system takes its suction from one of the hot legs, the same one that has the surge line connection to the pressuriser, and it returns its cooled flow into both direct vessel injection lines.

When the reactor is to be refuelled, the refuelling cavity is flooded, following which the reactor vessel closure head is removed and then parked. The normal residual heat removal system continues to cool the reactor core but now also the refuelling cavity, by virtue of the reactor vessel being open to the water in this cavity.

The reactor coolant system is pictured in Figure 6.2-1.

Figure 6.2-1 Reactor Coolant System

6.3 Reactor

6.3.1 Reactor System

Within the reactor system, water acts as both the coolant and the moderator. Its normal operating pressure is 15.5 MPa absolute (155 bar a). A variable amount of boron, which is a strong neutron absorber, is dissolved in the water to change the intrinsic reactivity of the core. The concentration is varied to compensate for reactivity changes due to fuel burn-up, fission product poisoning such as that arising from xenon and samarium, burnable absorber depletion and the reactivity change resulting from moderator temperature changes during start-up, shut down and other operational manoeuvres.

The reactor system consists of the following components:

• Reactor vessel.

• Integrated head package.

• Reactor upper and lower internals assemblies.

• Fuel assemblies (157-off).

• Rod cluster control assemblies (53-off) and grey rod cluster assemblies (16-off).

• Discrete burnable absorber and neutron source assemblies.

• Control rod drive mechanisms (69-off).

• In-core instrumentation.

These components are described in detail in the sections that follow.

6.3.1.1 Reactor vessel

6.3.1.1.1 Description

The following components are considered to be the component parts of the reactor vessel:

• Vessel body and nozzles.

• Closure head, which includes the two vent lines and the eight instrumentation nozzles.

• The studs holding them together and the sealing gasket between them.

The reactor vessel is cylindrical, with a hemispherical bottom head and a removable, flanged, hemispherical upper head. The reactor vessel contains and supports all the internal components of the reactor system, and it supports the integrated head package; it is also part of the reactor coolant system pressure boundary. The vessel interfaces with the reactor internals, the integrated head package, the reactor coolant loop piping and the direct vessel injection lines, and it is supported within the reactor cavity of the containment building concrete structure. It is in two parts: the reactor vessel body and the reactor vessel closure head. The head is removable, to allow fuelling and refuelling; it is connected to the vessel body by means of studs and nuts. The reactor vessel body is insulated, to conserve heat and to protect the concrete of the pressure vessel cavity from too high a temperature. The overall reactor vessel arrangement is shown in Figure 3.9-8 of Reference 6.1.

The vessel has four inlet nozzles (cold leg) and two outlet nozzles (hot leg) positioned in two horizontal planes between the upper head flange and the top of the reactor core, with the inlet nozzles positioned above the outlet nozzles. There are also two direct vessel injection lines in a horizontal plane even lower down. Coolant enters the vessel through the inlet nozzles and flows down the core barrel-vessel wall annulus, turns at the bottom and then flows up through the core to the fuel assembly outlet nozzles. Some flow bypasses the core, due to leakage through the gap between the vessel and the barrel, and some bypass is deliberately engineered for cooling the head, the shroud and the guide thimble tubes; this bypass flow is expected to be less than 5.9% of the total flow. The direct vessel injection lines, when in use, inject their flow into the core barrel-vessel wall annulus.

The 69 control rod drive mechanisms are attached to the reactor vessel head; a drive rod from each passes through the head and then connects to either a black rod cluster control assembly or a grey rod cluster assembly inside the vessel. Eight “Quick loc” nozzles allow in-core instrumentation to pass through the reactor vessel head. Two head vent lines penetrate the reactor vessel head, each with two series isolation valves. A dozen supports for the integrated head package are mounted on the reactor vessel head, three of which have lifting lugs.

The design of the AP1000 reactor vessel closely matches the existing vessel designs of Westinghouse three-loop plants:

• Almost the same vessel height and diameter.

• Same number of fuel assemblies.

New features for the AP1000 have been incorporated into the AP1000 reactor vessel design:

• Improved materials allow a 60-year design life.

• Smaller inlet nozzles (55.9 cm or 22 inches), but more of them (four rather than three).

• Fewer outlet nozzles (two rather than three).

• Two direct vessel injection nozzles (20.3 cm or 8 inches) added.

• Shallower reactor vessel bottom head lessens the elevation of the lower core support plate, permitting a higher elevation of the inlet and outlet nozzles relative to the core.

• The inclusion of the direct vessel injection nozzles allows the inlet nozzles to be positioned at a higher vertical elevation than the outlet nozzles, resulting in dry cold legs during mid-loop operation and thereby enabling the removal of a reactor coolant pump with the normal residual heat removal system in operation.

• Additional control rod drive mechanism head penetrations, to accommodate the grey rod control cluster assemblies.

• Complete elimination of the instrument penetrations through the bottom head, replaced with additional head penetrations for instrumentation.

• No nozzles or instrument penetrations below the top-of-core elevation, which precludes core uncovery because of leakage.

6.3.1.1.2 Design Requirements

The following requirements for the reactor vessel support safe operation of the plant under normal conditions:

• The reactor vessel must not fail during its 60-year design life, when subjected to the long-term stresses of normal operation.

• The reactor vessel design must enable it to be readily inspected at intervals throughout its life, either directly or by inference from samples placed so as to experience the same or more arduous physical conditions.

• The reactor vessel must allow the operators to manoeuvre the plant during normal operation without challenging any of its metallurgical limits.

The following design requirement on the reactor vessel supports safe shutdown of the plant during faulted conditions:

• The reactor vessel must not fail during any transients within the AP1000 Design Basis.

The reactor vessel also has the following capability, which provides defence in depth following a core melt fault:

• The insulation on the outside of the reactor vessel allows cooling water to penetrate through it to the outer surface of the vessel, thereby providing an in-vessel retention capability. The passive core cooling approach results in the introduction of large amounts of water into the lower portions of the containment. The expected level of water in the containment after an accident is above the nozzles of the reactor vessel and, hence, above the top of the fuel. The water in the containment sump is able to flow into the reactor vessel insulation structure, and come into contact with the reactor vessel. It would then cool the reactor vessel by convection and evaporation.

6.3.1.1.3 Substantiation

The reactor vessel is designed and fabricated in accordance with the requirements of the ASME Code, Section III for a Class 1 component. Principal design parameters of the reactor vessel are given in Table 5.3-5 of Reference 6.1. The vessel is manufactured from low alloy steel plates and forgings to minimise size. Assurance of adequate fracture toughness of ferritic materials in the reactor vessel is provided by compliance with the requirements for fracture toughness testing included in NB-2300 to Section III of the ASME Code. The vessel fracture toughness data are given in Table 5.3-3 of Reference 6.1. Spontaneous failure of the reactor vessel due to pre-existing cracks and defects within it is precluded through the design and build assurance process.

A surveillance program is used to monitor the radiation damage to the vessel material throughout its life. In the surveillance program, the evaluation of radiation damage is based on pre-irradiation testing of Charpy V-notch and tensile specimens and post-irradiation testing of Charpy V-notch, tensile, and 1/2-T compact tension fracture mechanics test specimens. The program is directed toward evaluation of the effect of radiation on the fracture toughness of reactor vessel steels based on the transition temperature approach and the fracture mechanics approach. The vessel design and construction enable inspection in accordance with the ASME Code, Section XI. A number of ultrasonic, dye penetrant and magnetic particle inspections are also undertaken, which are additional to those required by the ASME Code. The inspection requirements are detailed in Section 5.3.2.3 of Reference 6.1.

During power raising, normal operation at power and shutdown, the reactor vessel experiences the full range of operational temperatures and reactor coolant system pressures. Heat-up and cooldown pressure-temperature limit curves are required as a means of protecting the reactor vessel during start-up and shutdown, to minimise the possibility of fast fracture. The methods outlined in Appendix G of Section III of the ASME Code are employed in the analysis of protection against non-ductile failure. The curves are shown in Figures 5.3-2 and 5.3-3 of Reference 6.1. The Tech-Specs ensure compliance with the various metallurgical limits on the reactor vessel during such operation.

Some Beyond Design Basis fault sequences could result in a core melt; in such circumstances reactor vessel integrity and therefore prevention of a large release of radioactivity is maintained by flooding the reactor cavity with water, thereby cooling the vessel by evaporation within its insulation. Changes have been made to the flow path between the outside of the reactor vessel and the reactor vessel insulation, and testing has confirmed the robustness of the heat transfer required for in-vessel retention (Section 1B.1.5 of Reference 6.1).

6.3.1.2 Integrated Head Package

6.3.1.2.1 Description

The purpose of the integrated head package is to reduce the outage time and personnel radiation exposure during a refuelling outage by combining several components in one assembly which can be moved together. The integrated head package:

• Enables cables to be disconnected rapidly, including the control rod drive mechanism power cables, the digital rod position indication cables and the in-core instrument cables.

• Provides for the rapid disconnection of the reactor head vent system.

• Allows the reactor vessel head and all the components attached to it to be lifted as a single assembly.

• Provides support for the vessel head stud tensioner-detensioner during refuelling.

The integrated head package is located on top of the reactor vessel head. It contains the control rod drive mechanisms and the reactor head vent piping. It includes a lifting rig with an attachment point for the polar crane hook, seismic restraints for the control rod drive mechanisms and shroud, fans for the air-cooling of the control rod drive mechanism coils, support for the reactor head vent piping, a cable bridge, power cables, cables for the in-core instrumentation, cable supports and a shroud assembly. The arrangement of the integrated head package is shown in Figure 3.9-7 of Reference 6.1.

6.3.1.2.2 Design Requirements

The following design requirements for the integrated head package support safe operation of the plant under normal conditions:

• The integrated head package load path must be able to take its own weight and the weight of the vessel head, the control rod drive mechanisms and their seismic supports, the shroud, the cooling ducts and the insulation.

• The control rod drive mechanism rod travel housings must be protected from deflection by external mechanical forces large enough either to cause one or more drive rods to bind during insertion of the control rods, or to produce a bending moment at the point where the housings attach to the vessel head sufficient to fail them, causing a LOCA or a rod ejection fault.

The following design requirement for the integrated head package supports safe shutdown of the plant during faulted conditions:

• The integrated head package must provide protection for the control rod drive mechanism rod travel housing from forces arising due to a seismic event, and from pipe whip from nearby high-energy lines and missiles resulting from such ruptures.

6.3.1.2.3 Substantiation

The lifting rig is capable of lifting and carrying, with the required margin for safety, the total assembled load of the package, which includes the vessel head, the control rod drive mechanisms and their seismic supports, the shroud, the cooling ducts and the insulation (Section 3.9.7.3 of Reference 6.1).

The integrated head package adequately restricts the deflection of the top of the control rod drive mechanism rod travel housing (Section 3.9.7.3 of Reference 6.1). The integrated head package must fully support the control rod drive mechanisms during a Design Basis seismic event. The seismic support structure provides the required seismic restraint for the control rod drive mechanisms. It is located near the top of the control rod drive mechanism travel housings. This support structure interfaces with the shroud assembly to transfer seismic loads from the control rod drive mechanism rod travel housing to the reactor vessel head (Section 3.9.7.2 of Reference 6.1). The integrated head package has been analysed for the break of any pipe in its vicinity not qualified for leak-before-break, and shown to provide adequate protection (Section 3.9.7.3 of Reference 6.1).

6.3.1.3 Reactor Internals

6.3.1.3.1 Description

The AP1000 reactor internals consist of two major assemblies: the upper internals and the lower core support assembly. The upper internals consist of the upper support, the upper core plate, the support columns and the guide tube assemblies. Figure 3.9-6 of Reference 6.1 shows the upper core support assembly. The major containment and support member of the reactor internals is the lower core support assembly, which is shown in Figure 3.9-5 of Reference 6.1. This assembly consists of the core barrel, the lower core support plate, the secondary core support, the vortex suppression plate, the core shroud, neutron panels, radial supports and related attachment hardware.

6.3.1.3.2 Design Requirements

The reactor internals must fulfil the following nuclear safety functions during normal operation and following Design Basis initiating events:

• Align and support the core and the control rods, so as to ensure that the rods can move freely into and out of the core.

• Direct the main coolant flow to and from the fuel assemblies, so as to ensure the adequate removal of core heat.

• Ensure thorough mixing of the coolant, so as to maintain the homogeneity of the soluble boron concentration and the temperature distribution of the coolant in order to avoid uncontrolled reactivity changes.

• Absorb the dynamic loads associated with control rod movement, so as to avoid damage to them or to the fuel assemblies.

• Support instrumentation within the reactor.

• Provide protection for the reactor vessel against excessive radiation exposure from the core.

• Position and support the reactor vessel radiation surveillance specimens.

6.3.1.3.3 Substantiation

Materials

The materials used for reactor internals are chosen to be compatible with the primary coolant chemistry and, as far as is possible, to be free from elements such as carbon or cobalt, which are prone to activation. Full details of the materials used, as well as the controls on fabrication, are provided in Section 4.5 of Reference 6.1.

Core support structure and threaded structural fastener materials are specified in the ASME Code, Section III, Appendix I as supplemented by Code Cases N-60 and N-4. The major core support material for the reactor internals is SA-182, SA-336, SA-376, SA-479, or SA-240 Types 304, 304L, 304LN, or 304H stainless steels. For threaded structural fasteners the material used is strain hardened Type 316 stainless steel and for the clevis insert-to-vessel bolts either UNS N07718 or N07750. Remaining internals parts not fabricated from Types 304, 304L, 304LN, or 304H stainless steels typically include wear surfaces such as hardfacing on the radial keys, clevis inserts, alignment pins (Stellite™ 6 or 156 or low cobalt hardfaces); dowel pins (Type 316); hold down spring (Type 403 stainless steel (modified)); clevis inserts (UNS N06690); and irradiation specimen springs (UNS N07750). Instrument guide assembly materials that are not Types 304, 304L, 304LN, or 304H stainless steel are the guide bushings and guide stud tip (UNS S21800) and the instrument guide tube spring (UNS N07718).

The use of cast austenitic stainless steel is minimised in the AP1000 reactor internals. Where used, cast austenitic stainless steel is limited in carbon and ferrite contents, and is evaluated in terms of thermal aging effects (Section 4.5.2.1 of Reference 6.1).

Core Flow Pattern

During reactor operation, the core barrel directs the coolant flow from the reactor vessel inlet nozzles through the down-comer annulus and into the lower plenum below the lower core support plate. The flow then turns and passes through the lower support plate and into the core region. After leaving the core, it passes through the upper core plate; then bypasses through and around the control rod guide tubes and the support columns to reach the outlet nozzles. During operation, a small amount of inlet coolant is diverted from the core to cool the core shroud and the vessel head area.

The method used to undertake the thermal hydraulic design of the reactor, and the references to the design information, are provided in Section 4.4.2 of Reference 6.1. The analysis of the thermal hydraulic design shows that there is a sufficient flow rate and flow distribution through the reactor to adequately remove the reactor core heat. The analysis covers normal operation and Design Basis transients, and it has considered:

• Critical heat flux ratio and departure from nucleate boiling.

• Linear heat generation rate.

• Void fraction distribution.

• Core coolant flow distribution.

• Core pressure drops and hydraulic loads.

• Correlation and physical data.

• Thermal effects of operational transients.

• Uncertainties in the estimates.

• Flux tilt.

• Fuel and cladding temperatures.

6.3.1.4 Fuel Assemblies

6.3.1.4.1 Description

The reactor core contains a matrix of 157 fuel assemblies, along with various control and structural elements. An AP1000 fuel assembly consists of 264 fuel rods in a 17x17 square array. The 25 positions in the array not containing a fuel rod each contain a guide thimble tube, which provides the supporting structure for the fuel grids. The centre position in the fuel assembly has a guide thimble tube reserved for in-core instrumentation; the remaining 24 guide thimble tubes, depending on the position of the fuel assembly within the core, accommodate:

• A single rod cluster control assembly occupying all 24 guide thimble tubes within a fuel assembly.

• A single grey rod cluster assembly occupying all 24 guide thimble tubes within a fuel assembly.

• Neutron source assemblies.

• Discrete burnable absorber assemblies; that is, neutron poison not incorporated into a fuel rod.

• Thimble tube plugs.

Figure 4.2-1 of Reference 6.1 shows the arrangement.

The guide thimbles are attached to the top and bottom nozzles of the fuel assembly. The bottom nozzle is a box-like structure that serves as the lower structural element of the fuel assembly, and it directs the coolant flow distribution to the assembly. It incorporates a low profile debris filter that minimises the potential for fuel damage due to debris in the reactor coolant; that is, the size of flow passages through the bottom nozzle limits the size of debris that can enter the fuel assembly. The top nozzle assembly serves as the upper structural element of the fuel assembly and provides a partial protective housing for a rod cluster control assembly or other components. The top nozzle is a one-piece casting, with no potential for loose parts; it incorporates top mounted core instrumentation. The fuel grids consist of an egg-crate arrangement of interlocked straps, which maintain the lateral spacing between the rods. The grid straps have spring fingers and dimples, to grip and support the fuel rods. There is a protective grid immediately above the bottom nozzle, for enhanced debris resistance; a top grid immediately below the top nozzle; and seven mid grids; none of these grids contain mixing vanes. There are also four intermediate flow mixing grids. Figure 4.2-2 of Reference 6.1 shows the disposition of guide thimbles, nozzles, grids and intermediate flow mixing grids within a fuel assembly.

The fuel rods consist of low enriched uranium up to 5% U-235, in the form of cylindrical pellets of uranium dioxide, contained in zirconium alloy tubing. The tubing is plugged and seal welded at the ends to encapsulate the fuel. An axial blanket comprised of fuel pellets with reduced enrichment may optionally be placed at each end of the enriched fuel pellet stack, to reduce the neutron leakage and to improve fuel utilisation. The fuel rods are pressurised internally with helium during fabrication, to reduce clad creep down during operation and thereby prevent clad flattening. The fuel rods in the AP1000 fuel assemblies contain additional gas space below the fuel pellets, to allow for the increased fission gas production due to high fuel irradiation. Figure 4.2-3 of Reference 6.1 shows a schematic of a fuel rod.

Fuel rods containing burnable absorber integral with the fuel may be used within some fuel assemblies: one type uses a thin zirconium boride coating on the surface of the fuel pellets; another type uses fuel pellets containing gadolinium oxide mixed with uranium dioxide. Combinations of the two types may be used within a reload.

6.3.1.4.2 Design Requirements

The following design requirement for the fuel assemblies supports safe operation of the plant under normal conditions:

• The fuel assemblies must maintain their integrity throughout the duration of their operation in the reactor core. The fuel must not melt, the cladding must not fail and the structure must not deform to the extent that it interferes with the functioning of other components within the reactor. These requirements determine the pellet size and density, the clad-pellet diametral gap, the gas plenum size and the helium pre-pressurisation level.

6.3.1.4.3 Substantiation

The fuel rod and fuel assembly design bases and acceptance limits are described in the Westinghouse Fuel Criteria Evaluation Process (Reference 6.8).

The fuel rods are designed to satisfy the fuel rod design criteria for rod burnup levels up to the design discharge burnup using the extended burnup design methods described in the Extended Burnup Evaluation report (Reference 6.9).

The AP1000 fuel rod design considers effects such as fuel density changes, fission gas release, clad creep, and other physical properties that vary with burnup. The fuel rods are designed to maintain their integrity by preventing:

• Excessive fuel temperatures (Section 4.2.1.2.1 of Reference 6.1).

• Excessive internal rod gas pressures due to fission gas releases (Sections 4.2.1.3.1 and 4.2.1.3.2 of Reference 6.1).

• Excessive cladding stresses, strains and strain fatigue (Sections 4.2.1.1.2 and 4.2.1.1.3 of Reference 6.1).

Integrity of the fuel assembly structure is provided by setting limits on stresses and deformations due to various loads and by preventing the assembly structure from interfering with

As a result of the design of the core, the reactor coolant system, the steam generators and the normal residual heat removal system it has been possible to demonstrate that there is at least a 95% probability, at a 95% confidence level, that the fuel rods will not exceed the uranium dioxide melting temperature:

• During normal operation and operational transients.

• Any transient conditions arising from faults of moderate frequency (Section 4.4.1.2 of Reference 6.1).

A burnup-dependent fission gas release model has been used to determine the internal gas pressure as a function of irradiation time (Section 4.2.3.1.2 of Reference 6.1). This information has been used to ensure that the plenum volume of the fuel rod has been designed such that the maximum internal pressure of the fuel rod will not exceed the value which would cause fuel damage. Void volume and clearances are provided within the fuel rods to accommodate fission gases released from the fuel, as well as differential thermal expansion between the clad and the fuel, and fuel density changes during irradiation. In addition, the ends of the fuel pellets themselves are dished slightly to allow greater axial expansion at the pellet centreline and to increase the void volume for fission gas release.

The clad stress, strain and fatigue have been analysed (Section 4.2.1.1 of Reference 6.1) and demonstrated to be within acceptable limits. The analysis covers normal operation and Design Basis transients.

6.3.1.5 Rod Cluster Control Assemblies and Grey Rod Cluster Assemblies

6.3.1.5.1 Description

The rod cluster control assemblies and grey rod cluster assemblies are moveable absorbers located inside some of the guide thimble tubes within the fuel assemblies. The control rod drive mechanisms insert or withdraw the rod cluster control assemblies and grey rod cluster assemblies from the core to control reactivity; when not being moved, the rod cluster control assemblies and grey rod cluster assemblies are held at the required vertical position by the control rod drive mechanisms. The rod cluster control assemblies and grey rod cluster assemblies also unlatch upon loss of electrical power to the control rod drive mechanisms, thereby releasing them to fall under gravity to their bottom position. The drive rod arrangement connecting a rod cluster control assembly or grey rod cluster assembly to a control rod drive mechanism is shown in Figure 4.2-8 of Reference 6.1.

Each rod cluster control assembly consists of 24 absorber rods fastened at the top end to a common hub (or spider) assembly. The rod cluster control assemblies are used to make relatively rapid changes in reactivity and to control the axial power distribution. Figure 4.2-9 of Reference 6.1 shows a rod cluster control assembly, with Figure 4.2-10 giving detail of an individual absorber rod.

Each grey rod cluster assembly consists of 24 light absorber rods fastened at the top end to a common hub (or spider) assembly. Figure 4.2-11 of Reference 6.1 shows a grey rod cluster assembly. The grey rod cluster assemblies are used in control of core reactivity during normal core depletion as well as load follow manoeuvring. The assemblies provide a mechanical shim reactivity mechanism to minimise the need for changes to the concentration of soluble boron.

There are two control rod banks of six rod cluster control assemblies each and four grey rod banks of four grey rod cluster assemblies each, which control core reactivity and average temperature; the rod cluster control assemblies in these banks have sufficient reactivity worth to shut the reactor down. Although the grey rod cluster assemblies are expected to drop during a trip insertion, they are neither required nor claimed to shut down the reactor. Four shutdown banks of eight rod cluster control assemblies each are used to hold the reactor sub-critical once it has been shut down, taking full account of the reactivity increase as the core cools down. There is one axial offset bank of nine rod cluster control assemblies, which is used to control the axial flux shape. The grey rod cluster assemblies provide the finer control of reactivity needed for load following, eliminating the requirement for frequent changes to the concentration of the soluble boron.

Load rejections requiring greater than a fifty percent reduction of rated thermal power initiate the rapid power reduction system. This trips preselected rod cluster control assemblies into the reactor core to rapidly reduce reactor power into a range where the rod control and reactor control systems can maintain stable plant operation.

6.3.1.5.2 Design Requirements

The following design requirements for the rod cluster assemblies support safe operation of the plant under normal conditions and safe shutdown of the plant under faulted conditions:

• The rod cluster control assemblies must be able to quickly shut down the reactor and then hold it sub-critical.

• The rod cluster control assemblies and the grey rod cluster assemblies together must be able to offset fast reactivity changes associated with load changes, power raising, fluctuations in the boron concentration, fluctuations in coolant temperature and fluctuations in xenon concentration.

• The maximum reactivity insertion rate due to withdrawal of rod cluster control assemblies or grey rod cluster assemblies must be limited by design, so that the rate of change of reactivity for the accidental withdrawal of a control bank can cause neither fuel melting nor departure from nucleate boiling.

• The rod cluster control assembly control rod banks, in conjunction with boron addition by the passive core cooling system, must be capable of shutting down the core and then holding it down under the postulated Design Basis accident conditions, with appropriate allowance for the most onerous stuck rod. The shutdown groups must provide the additional negative reactivity to establish an adequate shutdown margin.

6.3.1.5.3 Substantiation

The rod cluster control assembly banks provide sufficient reactivity to overcome the power defect in going from full power to zero power, and then to provide the specified shutdown margin. The ability to accomplish shutdown from hot conditions, at end of life when the moderator temperature coefficient is at its most negative value, is demonstrated in Sections 4.3.2.4 and 4.3.2.5 of Reference 6.1.

The maximum reactivity change rate for accidental withdrawal of two control banks is set such that peak linear heat rate and the departure from nucleate boiling ratio limitations are not challenged (Section 4.3.1.4.1 of Reference 6.1). Reactivity addition associated with an accidental withdrawal of a control bank or banks is limited by the maximum rod speed (set at 1.14 m (45 inches) per minute for both rod cluster control assemblies and grey rod cluster assemblies) and by the worth of each bank (Section 4.3.1.4.2 of Reference 6.1).

The reactivity worth of a rod cluster control assembly is limited to preclude rupture of the coolant pressure boundary or disruption of the core internals to a degree that would impair core cooling capability due to a rod withdrawal or an ejection accident (Section 4.3.1.4.1 of Reference 6.1).

6.3.1.6 Discrete Burnable Absorber and Neutron Source Assemblies

6.3.1.6.1 Description

Burnable absorber rods are incorporated into the core design for several purposes:

• To reduce the dissolved boron requirement for the control of excess reactivity.

• For power distribution management throughout core life.

• To achieve an acceptable moderator temperature coefficient throughout core life.

In the initial core that is loaded before the reactor goes to power for the first time, the burnable absorber rods consist of borosilicate glass tubes contained within stainless steel tubular cladding that is plugged and seal welded at the ends to encapsulate the glass. An alternative discrete burnable absorber is the wet annular burnable absorber, in which case the burnable absorber material is boron carbide contained in an alumina matrix. Figure 4.2-12 of Reference 6.1 shows a schematic of a discrete burnable absorber assembly, with Figure 4.2-13 showing a borosilicate glass burnable absorber rod assembly.

An antimony beryllium neutron source is required in the initial core and all subsequent reloads. Because this needs to be activated by exposure to neutrons, the initial core also requires a californium (plutonium-beryllium is a possible alternate) primary source, which spontaneously emits neutrons during initial core loading, reactor start-up and initial operation of the first core; however, the primary source becomes depleted as it becomes irradiated, so it is not a long-term solution. Neutron source assemblies are positioned at opposite sides of the core. Four source assemblies are typically installed in the initial load of the reactor core: two primary source assemblies and two secondary source assemblies. Each primary source assembly contains one primary source rod and a number of burnable absorber rods; each secondary source assembly contains a symmetrical grouping of secondary source rodlets. Figure 4.2-14 of Reference 6.1 shows the primary source assembly, and Figure 4.2-15 shows the secondary source assembly.

A neutron source assembly is a modified discrete burnable absorber assembly that emits neutrons. Its purpose is to provide a base neutron level, to demonstrate that the detectors are operational and responding to core multiplication neutrons. The source assembly also permits detection of changes in the core multiplication factor during core loading, refuelling and the approach to criticality.

Guide thimble tubes that do not contain any other core components are plugged, to minimise the cooling water flow that bypasses the core.

6.3.1.6.2 Design Requirements

The following design requirements for the burnable absorber and neutron source assemblies support safe operation of the plant under normal conditions:

• The distribution of burnable absorbers must result in a radial core power distribution in line with the assumptions of the safety case.

• The burnable absorbers must have sufficient reactivity worth to prevent the moderator temperature coefficient from ever going positive under normal operating conditions.


6.3.1.6.3 Substantiation

The burnable absorbers control the radial peaking factor and prevent the moderator temperature coefficient from ever going positive under normal operating conditions. They achieve this by reducing the requirement for soluble boron in the moderator at the beginning of the fuel cycle: too high an initial concentration would result in a net reactivity injection as the moderator density reduces on heating up (Section 4.3.2.4.1.14 of Reference 6.1).

6.3.1.7 Control Rod Drive Mechanisms

6.3.1.7.1 Description

Each control rod drive mechanism is connected either to a rod cluster control assembly or to a grey rod cluster assembly, and is identical for the two types of rod cluster assembly. The control rod drive mechanism is a magnetically operated jack, consisting of three electromagnets energised in a controlled sequence to insert or withdraw rod cluster control assemblies and grey rod cluster assemblies in the reactor core in discrete steps (see Section 3.9.4.1.2 to 3.9.4.1.4 of Reference 6.1 for more information on this electrical sequencing). After rod motion has ended, the rod is held in place by both the stationary and the movable gripper coils.

The mechanism operates on a drive rod, which is connected to a rod cluster assembly. The control rod drive mechanism consists of four separate subassemblies:

• Control rod drive mechanism pressure vessel

• Coil stack assembly

• Latch assembly

• Drive rod assembly

The control rod drive mechanism pressure vessel consists of a latch housing and a drive rod travel housing. The latch housing is the lower portion of the vessel, which contains the latch assembly. It is welded to the control rod drive mechanism nozzle, which in turn is attached to the reactor vessel head by a shrink-fit and a partial penetration weld. The drive rod travel housing is the upper portion of the vessel, which provides space for the drive rod during its upward movement as the control rods are withdrawn from the core. The top of the rod travel housing interfaces with the integrated head package, thereby providing seismic support to the entire control rod drive mechanism pressure vessel. The pressure housing portion of the 69 control rod drive mechanisms comprises a portion of the reactor coolant system pressure boundary. The control rod drive mechanisms are physically attached to the reactor vessel closure head, and their interior is open to the reactor coolant.

The coil stack assembly includes the coil housings, the electrical conduit and connector and the three operating coils: the stationary gripper coil, the movable gripper coil and the lift coil. The coil stack assembly is a separate unit. It is installed on the control rod drive mechanism by sliding it over the outside of the latch housing. It rests on the base of the latch housing, without mechanical attachment. Energising the operating coils causes movement of the pole pieces and latches inside the latch assembly.

The latch assembly includes the guide tube, the stationary pole pieces, the movable pole pieces and two sets of latches: the movable gripper latches and the stationary gripper latches. The latches engage grooves in the drive rod assembly. The stationary gripper latches hold the drive rod assembly while the movable gripper latches are repositioned for the next step. The movable gripper latches are moved up or down in 16 mm (5/8-inch) steps by the lift pole, to raise or lower the drive rod.

The drive rod assembly includes a coupling, a drive rod, a disconnect button, a disconnect rod and a locking button. The drive rod has a 16 mm (5/8-inch) pitch from groove to groove, which engages the latches during holding or moving of the drive rod. The coupling is attached to the drive rod, and it provides the means for coupling to the rod cluster control assembly or grey rod cluster assembly directly below the control rod drive mechanism. The disconnect button, the disconnect rod and the locking button provide positive locking of the coupling to the rod cluster control assembly or grey rod cluster assembly, and permit remote disconnection of the drive rod. This is needed during refuelling, when all the rod cluster control assembly and grey rod cluster assemblies need to be disconnected from their respective control rod drive mechanisms, to allow the reactor vessel closure head to be lifted off.

The control rod position is measured by 48 discrete coils mounted on the position indicator assembly surrounding the rod travel housing. Each coil magnetically senses the entry and presence of the top of the ferromagnetic drive rod assembly as it moves through the coil centre line.

6.3.1.7.2 Design Requirements

The following design requirements for the control rod drive mechanisms support safe operation of the plant under normal conditions:

• The design and construction of the control rod drive mechanism must preclude the possibility of gross failure of the housing sufficient to allow a control rod to be ejected from the core.

• Those parts of the control rod drive mechanisms and control rod drive line exposed to reactor coolant must be made of materials that resist the corrosive action of the coolant, in order to ensure the continued free movement of the rod cluster assemblies.

• A control rod drive mechanism must be able to insert or withdraw rod cluster assemblies in a slow and controlled manner, in order to control average core temperature during normal operation and to change the core reactivity during start-up, power change and shutdown.

• It must not be possible for a control rod drive mechanism to physically withdraw its rod cluster assembly fully out of the guide tubes.

• Each control rod drive mechanism must provide a measurement of the vertical position of its rod cluster assembly.

• The three control rod drive mechanism operating coils must be kept at or below 200°C (392°F) by the forced air cooling arrangements within the integrated head package.

The following design requirements for the control rod drive mechanisms support safe shutdown under faulted conditions:

• The control rod drive mechanism pressure housing must be able to withstand full reactor coolant temperature and pressure during normal operation and under all anticipated Design Basis fault transient conditions.


• Electrical power interruption to the control rod drive mechanism operating coils must release the control rod drive mechanism drive rod assembly, thereby allowing the rod cluster assembly to fall under gravity to its fully inserted position, with a trip delay time of less than or equal to 150 milliseconds.

6.3.1.7.3 Substantiation

The control rod drive mechanisms are designed to operate at full reactor coolant temperature 343°C (650°F) and pressure 17.2 MPa abs (172 bar a or 2500 psi a). The control rod drive mechanism pressure housing is constructed in conformance with requirements of 10 CFR 50.55a (see Section 3.9.4.2.2 of Reference 6.1) to ensure its integrity under all anticipated Design Basis fault transient conditions. The stress levels in the mechanism are unaffected by system thermal transients at power or by thermal movement of the reactor coolant loops.

The design, construction and testing of the control rod drive mechanism are such that gross failure of the housing sufficient to allow a control rod to be ejected from the core would be incredible (Section 3.9.4.1.1 of Reference 6.1).

Three types of metals are used exclusively: stainless steels, nickel-chromium-iron alloys and, to a limited extent, cobalt-based alloys. These materials have provided many years of successful operation in similar control rod drive mechanisms. In the case of stainless steels, only austenitic and austenitic stainless steels are used. Where low or zero cobalt alloys are substituted for cobalt-based alloy pins, bars, or hard facing, the substitute material is qualified by evaluation or test. The materials used for reactor internals are chosen to be compatible with the primary coolant chemistry and, as far as is possible, to be free from elements such as carbon or cobalt, which are prone to activation. Full details of the materials used, as well as the controls on fabrication, are provided in Section 4.5 of Reference 6.1.

The maximum speed of movement of either type of rod cluster assembly is 1143 mm (45 inches) per minute (Section 3.9.4.1.1 of Reference 6.1).

The rod clusters cannot be physically withdrawn from the guide tubes by the control rod drive mechanisms because no additional grooves are machined in the drive rod past the last position (Section 3.9.4.1.4 of Reference 6.1).

The control rod drive mechanism is designed to release the drive rod and rod cluster control assembly during any part of the power cycle sequencing should the electrical power coils be interrupted. When released from the control rod drive mechanism, the drive rod and rod cluster control assembly or grey rod cluster assembly falls by gravity into the core. After the drive rod is released by the mechanism, it falls freely until the control rods enter the dashpot section of the fuel assembly, where the coolant in the guide thimble tubes slows the rate of descent until the rods are fully inserted. The trip time requirement is confirmed for each control rod drive mechanism prior to initial reactor operation and at periodic intervals after initial reactor operation, as required by the Tech-Specs (see Section 3.9.4.4 of Reference 6.1). The postulated failure of a control rod drive mechanism to insert a control assembly is included within the safety analyses, which conservatively assume that the control assembly at the most reactive core location is inoperable; acceptable consequences are justified for all Design Basis initiating events (see Section 3.9.4.2.3 of Reference 6.1).

A failure of the control rod position measurement would neither preclude a rod assembly from tripping nor would it result in an unplanned withdrawal of a rod assembly (see Section 4.6.2 of Reference 6.1).


Loss of the air cooling to a control rod drive mechanism would fail its coils, which would then result in the release of the drive rod (see Section 3.9.4.1.1 of Reference 6.1). Before such a point is reached, failure of one or two coils within some control rod drive mechanisms could result in an inability to move a rod or bank of rods, but would not result in it being unable to be released to fall into the core.
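The behaviour described in Section 6.3.1.7 (16 mm stepping, the 1143 mm/min speed ceiling, the absence of grooves beyond the last position, the 48-coil position indicator, gravity release on loss of coil power, and the 150 ms trip-delay surveillance) can be captured in a small model. The following is an added illustration, not Westinghouse code and not taken from Reference 6.1; the full stroke length (228 steps), uniform coil spacing and the sample surveillance records are constructed assumptions, as is the `Crdm` class and its method names.

```python
"""Illustrative model of control rod drive mechanism (CRDM) behaviour as
described in Section 6.3.1.7.  Added example, not Westinghouse code.  The
full stroke length and the coil spacing are assumed values."""
from dataclasses import dataclass, field

STEP_MM = 16.0                   # groove pitch and step size (Section 6.3.1.7.1)
MAX_SPEED_MM_PER_MIN = 1143.0    # maximum rod speed (Section 6.3.1.7.3)
TRIP_DELAY_LIMIT_MS = 150.0      # trip delay requirement (Section 6.3.1.7.2)
POSITION_COILS = 48              # discrete position indicator coils (Section 6.3.1.7.1)
TRAVEL_STEPS = 228               # ASSUMED full stroke in steps (constructed, not from the page)
COIL_NAMES = ("stationary_gripper", "movable_gripper", "lift")


def max_steps_per_minute() -> float:
    """Step-rate ceiling implied by the 1143 mm/min limit and the 16 mm pitch."""
    return MAX_SPEED_MM_PER_MIN / STEP_MM


def min_travel_time_s(steps: int) -> float:
    """Shortest time to move `steps` at the maximum permitted rod speed."""
    return steps * STEP_MM / MAX_SPEED_MM_PER_MIN * 60.0


@dataclass
class Crdm:
    """One CRDM: `steps` is 0 when fully inserted, TRAVEL_STEPS when fully withdrawn."""
    name: str
    steps: int = 0
    powered: bool = True
    # All three operating coils are needed to step the rod; a failed coil
    # prevents movement but (see below) never prevents a trip.
    coil_ok: dict = field(default_factory=lambda: {c: True for c in COIL_NAMES})

    def can_step(self) -> bool:
        return self.powered and all(self.coil_ok.values())

    def withdraw(self, n: int) -> int:
        if not self.can_step():
            raise RuntimeError(f"{self.name}: cannot step (coil failure or de-energised)")
        # No grooves are machined past the last position, so the latches
        # cannot engage beyond the top of travel: the demand is clamped.
        self.steps = min(TRAVEL_STEPS, self.steps + n)
        return self.steps

    def insert(self, n: int) -> int:
        if not self.can_step():
            raise RuntimeError(f"{self.name}: cannot step (coil failure or de-energised)")
        self.steps = max(0, self.steps - n)
        return self.steps

    def position_mm(self) -> float:
        return self.steps * STEP_MM

    def coils_passed(self) -> int:
        """Position indication: how many of the 48 coils the top of the drive rod
        has passed.  Uniform coil spacing over the stroke is an assumption."""
        spacing_mm = TRAVEL_STEPS * STEP_MM / POSITION_COILS
        return int(self.position_mm() // spacing_mm)

    def loss_of_power(self) -> int:
        """Interrupting coil power releases the drive rod; gravity inserts the
        rod regardless of coil failures or position-indicator faults."""
        self.powered = False
        self.steps = 0
        return self.steps


def trip_time_check(records):
    """Surveillance acceptance check: names of CRDMs whose measured trip delay
    exceeds the 150 ms requirement.  `records` is an iterable of (name, ms)."""
    return [name for name, ms in records if ms > TRIP_DELAY_LIMIT_MS]


if __name__ == "__main__":
    rod = Crdm("CRDM-01")
    rod.withdraw(300)                        # over-demand is clamped at top of travel
    print(rod.steps, rod.position_mm(), rod.coils_passed())
    rod.coil_ok["lift"] = False              # one failed coil: the rod cannot be stepped ...
    try:
        rod.insert(10)
    except RuntimeError as err:
        print(err)
    print(rod.loss_of_power())               # ... but still falls into the core on trip
    # Constructed surveillance data, not plant measurements.
    print(trip_time_check([("CRDM-01", 120.0), ("CRDM-02", 155.0)]))
```

The two properties worth noting are that stepping and tripping are decoupled (a coil failure blocks `withdraw` and `insert` but `loss_of_power` always succeeds, matching the fail-safe argument above) and that the withdrawal limit is a mechanical clamp rather than a software interlock, which is why an over-demand is silently bounded rather than rejected.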

6.3.2 Reactor Coolant System

The following systems are addressed in this section of the document:

• Reactor coolant pressure boundary.

• Pressuriser.

• Reactor coolant pumps.

• Steam generators.

• Reactor coolant system shielding.

6.3.2.1 Reactor Coolant Pressure Boundary

6.3.2.1.1 Description

The reactor coolant pressure boundary is defined as the vessels, piping, pumps, and valves that are part of the reactor coolant system, or that are connected to the reactor coolant system up to and including the following:

• The outermost containment isolation valve in system piping that penetrates the containment;

• The second of two valves closed during normal operation in system piping that does not penetrate containment;

• The reactor coolant system overpressure protection valves.

The functionality of the above components is discussed elsewhere in this section. However, the assurance of integrity is common across all pressure boundary components and is discussed here.

6.3.2.1.2 Design Requirements

A single design requirement is placed on the reactor coolant pressure boundary, which supports safe operation during normal conditions and safe shutdown during accident conditions:

• The reactor coolant pressure boundary must contain the reactor coolant during normal operations and anticipated non-LOCA faulted conditions.

6.3.2.1.3 Substantiation

In accordance with UK best practice, the integrity of the reactor coolant pressure boundary is demonstrated by considering the design and manufacture of the boundary, the functional testing that is carried out, the failure analysis that has been performed and the testing and inspection programmes that provide forewarning of failure.


Design and Manufacture

Reactor coolant pressure boundary components are designed and fabricated in accordance with the ASME Boiler and Pressure Vessel Code, Section III. A portion of the chemical and volume control system inside containment that is defined as reactor coolant pressure boundary is built to an alternative standard, as discussed in Section 6.5.1.

The reactor coolant pressure boundary meets the ASME III code requirements for Class 1 components. These requirements are relaxed for components which are connected to the reactor coolant pressure boundary but can be isolated from the reactor coolant system by two valves in series (both closed, both open, or one closed and the other open), with automatic actuation to close; such components are designed to ASME III Class 3.

The materials used in the reactor coolant pressure boundary conform to the applicable ASME code rules. A full list of the materials used, and a discussion of the compatibility of those materials with the primary coolant chemistry and the containment building environmental conditions, is provided in Section 5.2.3 of Reference 6.1. That same section also describes the fabrication process, which meets the requirements of ASME II, III and IX.

Reactor coolant system overpressure protection during power operation is provided by the pressuriser safety valves, discussed in Section 6.3.2. The provided overpressure protection is compliant with the requirements of the ASME III Paragraphs NB-7300 and NC-7300 for pressurised water reactor systems. Low temperature overpressure protection is provided by a relief valve in the suction line of the normal residual heat removal system, as described in Section 6.5.3.3.

Pre-service and in-service inspection and testing of the pressure-retaining components (including vessels, piping, pumps, valves, bolting, and supports) within the reactor coolant pressure boundary are performed in accordance with Section XI of the ASME code, including all mandatory appendices. Section 5.2.4 of Reference 6.1 provides details of the inspection programme, techniques and procedures.

Functional Testing

A pre-operational test program is implemented as required by NB-3622.3, NC-3622, and ND-3622 of the ASME Code, Section III to verify that the piping and piping restraints can withstand dynamic effects due to transients, such as pump trips and valve trips, and that piping vibrations are within acceptable levels. The piping systems to be tested include ASME Code, Section III, Class 1, 2, and 3 systems, high energy systems inside seismic Category I structures, high energy portions of systems whose failure could reduce the functioning of seismic Category I features to an unacceptable level, and the seismic Category I portions of moderate-energy piping systems located outside containment. This includes instrumentation lines up to the first support in each of three orthogonal directions from the process pipe or equipment connection point. See Section 3.9.2.1 of Reference 6.1 for further details.

Failure Analysis

To provide confidence in the reactor coolant boundary, the integrity of the ASME Class 1 components is assessed against design, service, and test conditions. The design conditions include those pressure, temperature, and mechanical loadings selected as the basis for the design. Service conditions cover those normal operating conditions, anticipated transients, and postulated accident conditions expected or postulated to occur during operation, as assessed in the Design Basis analysis (see Section 5.3). The evaluation of the service and testing conditions includes an evaluation of fatigue due to cyclic stresses. Detailed discussion of the design, service and test conditions is provided in Section 3.9.1.1 of Reference 6.1.

Forewarning of Failure

Leakage detection monitoring provides a means of detecting and, to the extent practical, identifying damage to the reactor coolant boundary. Leakage detection monitoring is accomplished using diverse measurement methods, including level, flow, and radioactivity measurements. Section 5.2.5 of Reference 6.1 describes leakage detection monitoring in detail.

6.3.2.2 Pressuriser

6.3.2.2.1 Description

The pressuriser contains the water inventory used to maintain reactor coolant system pressure and, in the event of a minor primary system leak, it is capable of supplying water for a reasonable period without replenishment. The pressuriser surge line connects the pressuriser to one reactor coolant hot leg. This allows continuous coolant volume and pressure adjustments between the reactor coolant system and the pressuriser.

The AP1000 pressuriser is a conventional design, based on proven technology, although it has a larger volume of 59.5 m3 (2100 ft3). The large pressuriser avoids challenges to the plant and operator during transients, which increases transient operation margins and results in a more reliable plant with fewer reactor trips. It also eliminates the need for fast-acting power-operated relief valves, a possible source of reactor coolant system leakage and maintenance.

Further information related to the pressuriser can be found in Section 5.4.5 of Reference 6.1.

6.3.2.2.2 Design Requirements

The following pressuriser design requirements ensure control over the key safety functions during normal operation:

• The pressuriser must maintain primary coolant pressure above its saturation pressure.

The following pressuriser design requirements support safe operation of the plant in faulted conditions:

• The pressuriser pressure relief valves must relieve sufficient mass to prevent overpressure of the reactor coolant system.

6.3.2.2.3 Substantiation

Pressure Control in Normal Operations

The pressuriser provides a point in the reactor coolant system where liquid and vapour are maintained in equilibrium under saturated conditions for pressure control of the reactor coolant system during steady-state operations and transients. The pressuriser provides a controlled volume from which level can be measured.

The normal operating water volume at full-load conditions is approximately 50% of the free internal vessel volume. Under part-load conditions the water volume in the pressuriser is reduced proportionally with reductions in plant load to approximately 25% of the free internal vessel volume at the zero-power condition. Electric immersion heaters in the bottom of the pressuriser keep the water at saturation pressure and maintain a constant operating pressure. Section 5.4.5.3.1 of Reference 6.1 provides more information on system pressure control.

During initial system heat-up, or near the end of the second phase of plant cooldown, the pressuriser is filled with water, and so the electric immersion heaters cannot be used to control pressure. Instead, the pressure is controlled by the pressuriser letdown flowrate.

Overpressure Protection

The sizing of the pressuriser safety valves is based on the analysis of a complete loss of steam flow to the turbine, with the reactor operating at 102% of rated power. In this analysis, feedwater flow is also assumed to be lost. No credit is taken for operation of the pressuriser level control system, pressuriser spray system, rod control system, steam dump system or steamline power-operated relief valves – all of which provide additional defence in depth. The reactor is maintained at full power (no credit for direct reactor trip on turbine trip and for reactivity feedback effects), and steam relief through the steam generator safety valves is considered. The total pressuriser safety valve capacity is required to be at least as large as the maximum surge rate into the pressuriser during this transient. Section 5.4.9 of Reference 6.1 discusses the capacities of the pressuriser safety valves. The setpoints and reactor trip signals which occur during operational overpressure transients are discussed in Section 5.4.5 of Reference 6.1.

The relief capacity of the pressuriser safety valves is determined from the postulated overpressure transient conditions in conjunction with the action of the reactor protection system. An overpressure protection report is prepared according to Article NB-7300 of Section III of the ASME code. Reference 6.2 describes the analytical model used in the analysis of the overpressure protection system and the basis for its validity.

6.3.2.3 Reactor Coolant Pumps

6.3.2.3.1 Description

The high-inertia reactor coolant pumps are highly reliable, low-maintenance, hermetically sealed pumps, which circulate the reactor coolant through the reactor core, loop piping, and steam generators. The motor size is minimized through the use of a variable speed controller to reduce motor power requirements during cold coolant conditions.

Further information related to the reactor coolant pump design can be found in Section 5.4.1 of Reference 6.1.

6.3.2.3.2 Design Requirements

The following design requirements for the reactor coolant pumps ensure control over the key safety functions during normal operation:

• The reactor coolant pumps supply the coolant flow necessary to remove the required heat from the reactor core and transfer it to the steam generators.

• The reactor coolant pump casing and stator shell provide a barrier to the release of reactor coolant and other radioactive materials inside the containment building.

The following design requirement for the reactor coolant pumps supports safe operation of the plant in faulted conditions:


• Upon loss of electrical power, the reactor coolant pumps must provide sufficient flow coastdown capability to support core cooling.

6.3.2.3.3 Substantiation

Reactor Coolant Pump Integrity

The reactor coolant pumps form part of the primary coolant boundary, and so their integrity is assured by the processes described in Section 6.3.2.1. However, because the reactor coolant pump is an active component with moving parts, further consideration is required, as described below.

This seal-less pump has the motor and all rotating components inside a pressure vessel. The pressure vessel components are designed for full reactor coolant system pressure. The pressure boundary integrity is verified for normal, anticipated transients and postulated accident conditions. The pressure boundary components meet the requirements of the ASME Boiler and Pressure Vessel Code, Section III, as described in Section 6.3.2.1.3.

Coolant Flow

The reactor coolant pumps provide an adequate core cooling flow rate for sufficient heat transfer to maintain a departure from nucleate boiling ratio greater than the limit established in the safety analysis.

Initial verification of the reactor coolant system flow rate is made during the plant initial test program. Reactor coolant system flow rates are measured during the pre-core load hot functional tests and during the startup tests. The objective of these tests is to verify that the reactor coolant system flow rate meets the flow rate range of LCO 3.4.1 of the Tech-Specs (see Chapter 16 of Reference 6.1).

After the pre-core reactor coolant system flow rate measurement is taken, analytical adjustments are made to the pre-core measured reactor coolant system flow rate to predict a post-core reactor coolant system flow rate. Calculations of the reactor coolant system flow rate with and without the core loaded are performed. The calculation of the pre-core load reactor coolant system flow rate is compared with results of the pre-core load flow testing and this information will be used in the calculation of the post-core load reactor coolant system flow rate as appropriate. The predicted post-core load reactor coolant system flow rate is checked to verify that it satisfies Technical Specification 3.4.1. Verifications are also made that the post-core load reactor coolant system flow rates satisfy LCO 3.4.1 of the Tech-Specs flow limits during start-up testing.

It is important to reactor protection that the reactor coolant continues to flow for a time after reactor trip and loss of electrical power. To provide this flow, each reactor coolant pump has a high-density flywheel and high-inertia rotor. The rotating inertia of the pump, motor, and flywheel is used during the coastdown period to continue the reactor coolant flow. The reactor coolant pump is designed for the safe shutdown earthquake. The coastdown capability of the pump is maintained even for the case of loss of offsite and onsite electrical power coincident with the safe shutdown earthquake. Core flow transients and figures are provided in Sections 15.3.1 and 15.3.2 of Reference 6.1.

With the reactor coolant pumps coasting down or stopped, natural circulation removes decay heat in one of two ways:


• If the secondary heat removal system (e.g. steam generator and condenser) is operable, then natural flow of coolant within the reactor coolant system must be sufficient to remove decay heat.

• If the secondary heat removal system is not operable then the passive residual heat removal heat exchanger, in conjunction with the passive containment cooling system, is designed to remove decay heat for an indefinite time in a closed-loop mode of operation.

The passive residual heat removal heat exchanger is designed to cool the reactor coolant system to 216°C (420°F) in 36 hours, with or without reactor coolant pumps operating (Reference 6.1, Section 6.3.1.1.1). This allows the reactor coolant system to be depressurised and the stress in the reactor coolant system and connecting pipe to be reduced to low levels. This also allows plant conditions to be established for initiation of normal residual heat removal system operation.

6.3.2.4 Steam Generators

6.3.2.4.1 Description

The AP1000 has two steam generators. These extract heat from the reactor coolant by boiling feed water to produce steam. The feed water is supplied from the feed and condensate system; the steam is taken away by the main feed system; the cooled reactor coolant is returned to the reactor.

Each steam generator is a vertical-shell U-tube evaporator with integral moisture separating equipment. The reactor coolant flow enters the steam generator through a single hot leg nozzle, passes into the inverted U-tubes, where it transfers heat to the secondary side, and finally returns to the cold leg side of the primary chamber. The flow leaves the steam generator through two cold leg nozzles, to each of which a reactor coolant pump is directly attached.

Water from the main feed line enters the steam generator at an elevation above the top of the U-tubes, through a single main feed water nozzle. The feed water enters a feed ring inside the steam generator through a thermal sleeve connection and leaves it through multiple nozzles attached to the top of the feed ring. The incoming feed water mixes with the water removed by the moisture separators, and the combined flow then passes down the annulus between the U-tube wrapper and the shell. At the bottom of the wrapper, the water is directed inwards toward the centre of the tube bundle by the tube support plate. As the water rises through the tube bundle, it is converted into a steam-water mixture. Subsequently, the steam-water mixture from the tube bundle rises into the steam drum section, where inertial moisture separators remove most of the entrained water from the steam. The steam then continues to the secondary separators for further moisture removal. The steam exits through an outlet nozzle at the top of the steam generator.

6.3.2.4.2 Design Requirements

The following design requirements for the steam generators support safe operation of the plant under normal conditions:

• The integrity of the steam generator tubing must be sufficient to prevent rupture at the anticipated operating temperatures and pressures.

• The steam generators must remove the heat intentionally produced by the reactor core during start-up and operation at power.

• The steam generators must remove fission product heat from the reactor core in the initial phase of shutdown operation before the normal residual heat removal system can be connected.

• The steam generators must be mounted above the reactor at a vertical height sufficient to provide the natural circulation flow needed to remove the fission product heat arising immediately following a reactor trip or controlled shutdown.

• The quality of the steam produced by the steam generators must be sufficient to ensure good thermodynamic cycle efficiency and to minimise turbine blade erosion.

6.3.2.4.3 Substantiation

The hot and cold leg nozzles, the primary chamber, the tube plate and the U-tubes are part of the reactor coolant system pressure boundary. They have the integrity to maintain this boundary against the maximum temperature and pressure experienced within the reactor coolant system during normal and fault conditions. The necessary build and integrity requirements of the steam generators are specified in Section 5.4.2.1 of Reference 6.1.

The area of the U-tubes provides sufficient heat transfer capability for the specified steam quality at full load operation (Sections 5.4.2.2 and 5.4.2.3.1 of Reference 6.1); it is therefore more than adequate for fission product decay heat removal following a reactor trip. This capability includes a conservative allowance for fouling. The heat transfer capabilities of the steam generators when the primary side is under natural circulation flow conditions are discussed in Section 5.4.2.3.2 of Reference 6.1.

6.3.2.5 Reactor Coolant System Shielding

6.3.2.5.1 Description

The primary shield consists of a large mass of concrete surrounding the reactor vessel (Section 12.3.2.1 of Reference 6.1). The secondary shield consists of the concrete compartment walls around the principal components of the reactor coolant system: the reactor vessel, the steam generators, the pressuriser, the reactor coolant pumps and the associated piping. That part of the chemical and volume control system within the containment (the regenerative heat exchanger, the letdown heat exchanger, the filters, the demineralisers and the letdown lines) is also located in a shielded compartment.

6.3.2.5.2 Design Requirements

The following design requirement for reactor coolant shielding supports safe operation of the plant during normal conditions:

• Reactor coolant shielding must be provided to protect personnel and limit the neutron activation of components.

6.3.2.5.3 Substantiation of the Reactor Coolant System Shielding

The main source of radiation is the reactor core, which emits gamma rays and neutrons. These are attenuated by the reactor internal components and by the reactor vessel, but further external shielding, the primary shield, is still necessary to limit the neutron activation of components and structural materials.

Elsewhere within the reactor coolant system, there are sources of gamma radiation in the form of fission products released from fuel, and activation of the coolant itself and of corrosion products that circulate in the reactor coolant. Nitrogen-16 is the predominant activation product with respect to the radiation emitted from the reactor coolant pumps, the steam generators and reactor coolant piping during normal operation. It is not a factor in the radiation sources for other components within the reactor coolant system, due to its short half-life (7.11 seconds). Fission and radioactive corrosion products circulating in the reactor coolant system and the out-of-core crud deposits comprise the remaining radiation sources, both during operation at power and when shut down.

The primary shielding design needed for the radiation emitted from the reactor core is reported in Section 12.2.1.2.2 of Reference 6.1.

The secondary shielding reduces the radiation level sufficiently to allow limited access inside the containment during normal operation at power. After shutdown, it limits the radiation level from sources within the reactor coolant system so as to permit limited access to the reactor vessel and the reactor coolant system equipment (Section 12.2.1.1.2 of Reference 6.1).

Chapter 12 of this PCSR assesses the normal operations dose associated with the AP1000, taking into account the primary and secondary shielding, and demonstrates that the doses are within UK legal limits.

6.4 Engineered Safety Features

The following systems are addressed in this section of the document:

• Containment.

• Containment isolation.

• Passive containment cooling.

• Main control room emergency habitability.

• Passive core cooling.

The passive containment cooling system is shown in Figure 6.4-1, and the passive core cooling system is shown in Figure 6.4-2.

Figure 6.4-1 Passive Containment Cooling System

Figure 6.4-2 Passive Core Cooling System

6.4.1 Containment System

6.4.1.1 Description

The containment system is the collection of boundaries that separates the containment atmosphere from the outside environment during Design Basis initiating events.

6.4.1.2 Design Requirements

Duty requirements for the containment vessel and associated structures that make up the containment boundary are presented in Section 7.2.2 of this PCSR.

Containment isolation is presented in the following Section 6.4.2.

6.4.2 Containment Isolation System

6.4.2.1 Description

The major function of the containment isolation system of the AP1000 is to preserve the integrity of the containment boundary and prevent the release of radioactivity to the environment when required, while at all other times allowing the passage of fluids through the containment boundary. To achieve this, fluid lines penetrating the primary containment boundary are isolated in the event of an accident. When isolated, this prevents or limits the release of radioactivity to the environment.

The containment isolation system consists of the piping, valves, and actuators that isolate the containment.

6.4.2.2 Design Requirements

The following design requirement for the containment isolation system is needed to maintain key safety functions during a design basis initiating event:

• Containment building isolation must prevent loss of inventory and the spread of radioactive contamination to the atmosphere if primary coolant has been released inside the containment building.

6.4.2.3 Substantiation

Containment penetrations, including purge system flow paths, provide direct access from the containment atmosphere to the outside atmosphere. Containment isolation is achieved by actuating valves. These are capable of maintaining containment isolation at the containment design pressure of 0.4 MPa gauge (Section 3.8.2.1 of Reference 6.1). Additionally:

• The containment isolation design provides two barriers – one inside containment and one outside containment. Usually these barriers are valves, but in some cases they are closed piping systems not connected to the reactor coolant system or to the containment atmosphere.

• The total number of penetrations requiring isolation valves has been minimised at the design stage.

• Isolation valve closure times are designed to limit the release of radioactivity and are consistent with standard valve operators, except where a shorter closure time is required.

• The majority of the penetrations that are normally open incorporate fail closed isolation valves that close automatically with the loss of support systems such as instrument air.

Table 6.2.3-1 of Reference 6.1 lists the AP1000 containment mechanical penetrations and the isolation valves associated with them. The systems penetrating the containment are:

• Compressed and instrument air systems

• Component cooling water system

• Chemical and volume control system

• Demineralised water transfer and storage system

• Fuel handling and refuelling system

• Fire protection system

• Primary sampling system

• Nitrogen supply in the passive core cooling system

• Normal residual heat removal system

• Spent fuel pit cooling system

• Steam generator system

• Containment air filtration system

• Central chilled water system

• Liquid radwaste system

• Spare penetrations

• Containment system

• Containment leak rate test system

Isolation valves are designed to provide leak tight service against the medium to which the valves are exposed in the short and long-term course of any accident. For example, a valve is gas-tight if the valve is exposed to the containment atmosphere.

Manual and automatic isolation is achieved via the protection and safety monitoring system, as described in Section 6.7. Redundancy of the protection and safety monitoring system is covered in Section 6.7 of this PCSR.

6.4.3 Passive Containment Cooling System

6.4.3.1 Description

The passive containment cooling system is an engineered safety features system. Its functional objective is to reduce the containment temperature and pressure following a loss of coolant accident or main steam line break accident inside the containment by removing thermal energy from the containment atmosphere. The passive containment cooling system also serves as the means of transferring heat for other events resulting in a significant increase in containment pressure and temperature.

The passive containment cooling system also:

• Limits releases of radioactivity (post-accident) by reducing the pressure differential between the containment atmosphere and the external environment, thereby diminishing the driving force for leakage of fission products from the containment to the atmosphere.

• Provides a source of makeup water to the spent fuel pool in the event of a prolonged loss of normal spent fuel pool cooling water.

To achieve this, the containment building is made of steel to provide efficient heat transfer from within to outside containment. During normal operation, heat is removed from the containment vessel by continuous natural circulation of air. During an accident, however, more heat removal is required and air-cooling is supplemented by evaporation of water, provided by the passive containment cooling system water storage tank.

The major components of the passive containment cooling system are:

• The passive containment cooling water storage tank which is incorporated into the shield building structure above the containment

• An air baffle, located between the steel containment vessel and the concrete shield building, which defines the cooling air flow path

• Air inlets and an air exhaust, also incorporated into the shield building structure

• A water distribution system, mounted on the outside surface of the steel containment vessel, which functions to distribute water flow on the containment

Additionally, a passive containment cooling ancillary water storage tank and two recirculation pumps are provided for onsite storage of additional passive containment cooling system cooling water, to transfer the inventory to the passive containment cooling water storage tank, and to provide a back-up supply to the fire protection system seismic standpipe system.

Manual and automatic actuation of the passive containment cooling system is achieved via the protection and safety monitoring system. This is described in Section 6.7.

Further information related to the passive containment cooling system can be found in Section 6.4 of Reference 6.1.

6.4.3.2 Design Requirements

The following design requirements for the passive containment cooling system support safe shutdown of the plant in faulted conditions:

• The passive containment cooling system must be able to remove decay heat following Design Basis events and thereby keep containment pressure and temperature below the design values.

• The passive containment cooling system must be able to provide makeup water to the spent fuel pool in case of a prolonged loss of normal spent fuel pool cooling.

6.4.3.3 Substantiation

Heat Removal

The passive containment cooling system provides water that drains by gravity from the passive containment cooling water storage tank, thus removing heat from the containment building. The passive containment cooling system is capable of removing sufficient thermal energy, including subsequent decay heat, from the containment atmosphere following a Design Basis event resulting in containment pressurisation, such that the containment pressure remains below the design value with no operator action required for 72 hours. The passive containment cooling water storage tank is housed at the top of the shield building. The protection and safety monitoring system (PMS) automatically actuates the system by opening the passive containment cooling water storage tank isolation valves on receipt of a High-2 containment pressure signal. This allows the passive containment cooling water storage tank water to be delivered to the top, external surface of the steel containment shell. The flow of water, provided entirely by the force of gravity, forms a water film over the dome and side walls of the containment structure. The passive containment cooling water storage tank is sized to be capable of supplying water for 72 hours.

The flow of water to the containment outer surface is initially established for short-term containment cooling following a Design Basis LOCA. The flow rate is reduced over a period of at least 72 hours to reflect the reduction in fuel decay heat. This flow provides the desired reduction in containment pressure over time and removes decay heat.

The flow rate change is dependent only upon the decreasing water level in the passive containment cooling water storage tank. Within 72 hours of the event, operator actions align the Passive Containment Cooling Ancillary Water Storage Tank (PCCAWST) to the suction of the passive containment cooling system recirculation pumps to replenish the cooling water supply to the passive containment cooling water storage tank. Sufficient inventory is available within the PCCAWST to maintain the minimum flow rate for an additional 4 days (see Section 6.2.2.4.2 of Reference 6.1).

Redundancy has been provided for critical components of the system:

• The passive containment cooling water storage tank has redundant level measurement channels and alarms for monitoring the tank water level and redundant temperature measurement channels to monitor and alarm for potential freezing.

• The passive containment cooling water storage tank outlet piping is equipped with three sets of redundant isolation valves. Failure of a component in one train does not affect the operability of the other mechanical train or the overall system performance. The fail-open, air operated valves require no electrical power to move to their safe (open) position. The normally open motor-operated valves are powered from separate redundant Class 1 dc power sources.

• There are redundant passive containment cooling water delivery pipes and auxiliary water source piping.

• The annulus drains that route the excess water out of the upper annulus are redundant.

Consequently, a single failure could reduce the flow rate of water to the reactor coolant system, but it would not disable the passive core cooling function. Table 6.2.2-3 of Reference 6.1 presents a failure modes and effects analysis of the passive containment cooling.

Analysis of the heat removal capability of the passive containment cooling system shows that the system is able to remove decay heat following Design Basis events and keep containment pressure and temperature below the design values. The analytical models have been validated, including through use of testing performed specifically for this purpose (see Section 6.2.1 of Reference 6.1).

Spent Fuel Pool Cooling

The passive containment cooling system provides a source of makeup water to the spent fuel pool in the event of a prolonged loss of normal spent fuel pool cooling. To enable this:

• A normally isolated, manually-opened flow path is available between the passive containment cooling system water storage tank and the spent fuel pool.

• The passive containment cooling ancillary water storage tank is filled with demineralised water and has a usable volume greater than that required for makeup to the passive containment cooling water storage tank and the spent fuel pool, as defined in Table 6.2.2-2 of Reference 6.1.

The capacity of the passive containment cooling ancillary water storage tank is adequate to supply these functions for a duration of 4 days (Section 6.2.2.4.2 of Reference 6.1).

6.4.4 Main Control Room Emergency Habitability System

6.4.4.1 Description

The main control room habitability system provides a protected environment from which operators can control the plant following an uncontrolled release of radioactivity. The system is designed to operate following a Design Basis initiating event that requires protection from the release of radioactivity. In these events, the nuclear island non-radioactive ventilation system would continue to function if ac power is available. If ac power is lost or a High-2 main control room radiation signal is received, the main control room habitability system is actuated. The main control room habitability system also limits the heat-up of the main control room, the safety instrumentation and control equipment rooms, and the safety equipment rooms by using the heat capacity of surrounding structures.

Manual and automatic actuation of the main control room habitability system is achieved via the protection and safety monitoring system. This is described in Section 6.7.

6.4.4.2 Design Requirements

The system provides support during fault conditions:

• The main control room habitability system must protect the operators inside the main control room against the release of radioactive material.

6.4.4.3 Substantiation

Operation of the main control room habitability system is automatically initiated on a High-2 particulate or iodine radioactivity set point, or on low pressuriser pressure: a safety-related signal is generated to isolate the main control room from the nuclear island non-radioactive ventilation system and to initiate air flow from the main control room habitability system storage tanks. Isolation of the nuclear island non-radioactive ventilation system consists of closing valves in the supply and exhaust ducts that penetrate the main control room pressure boundary. Main control room habitability system airflow is initiated by a signal which opens the isolation valves in the main control room habitability system supply lines (see Section 6.4 of Reference 6.1).

In order to supply breathable air to the occupants of the main control room, the main control room habitability system is composed of compressed air storage tanks, two air delivery flow paths, associated valves, piping, and corresponding instrumentation. The tanks contain enough breathable air to supply the required air flow to the main control room for at least 72 hours. The main control room habitability system is designed to maintain CO2 concentration less than 0.5% for up to 11 main control room occupants (see Section 6.4.1.1 of Reference 6.1).

The compressed air storage tanks are initially pressurised to 23.4 MPa gauge. During operation of the main control room habitability system, a self-contained pressure regulating valve maintains a constant downstream pressure regardless of the upstream pressure. An orifice downstream of the regulating valve is used to control the air flow rate into the main control room. The main control room is maintained at a 0.32 cm gauge positive pressure to minimise the infiltration of airborne contaminants from the surrounding areas.

In the unlikely event that power to the nuclear island non-radioactive ventilation system is unavailable for more than 72 hours, main control room envelope habitability is maintained by operating one of the two main control room ancillary fans to supply outside air to the main control room envelope (see Section 6.4.2.2 of Reference 6.1).

6.4.5 Passive Core Cooling System

The passive core cooling system consists of the following subsystems and components:

• Accumulators

• Automatic depressurisation system

• Core makeup tanks

• In-containment refuelling water storage tank

• Containment recirculation system

• Passive residual heat removal system

• pH adjustment system

The primary function of the passive core cooling system is to provide emergency core cooling following postulated Design Basis events. To accomplish this primary function, the passive core cooling system is designed to perform the following functions:

• Core decay heat removal: Provide core decay heat removal during transients, accidents or whenever the normal heat removal paths are lost. This heat removal function is available at all reactor coolant system conditions, including shutdowns. During refuelling operations, when the in-containment refuelling water storage tank is drained into the refuelling cavity, other passive means of core decay heat removal are utilised. Section 6.3.3.4.4 of Reference 6.1 provides a description of how this is accomplished.

• Reactor coolant system emergency makeup and boration: Provide reactor coolant system makeup and boration during transients or accidents when the normal reactor coolant system makeup supply from the chemical and volume control system is unavailable or is insufficient.

• Safety injection of makeup water: Provide safety injection to the reactor coolant system to provide adequate core cooling for the complete range of loss of coolant accidents, up to and including the double-ended rupture of the largest primary loop reactor coolant system piping.

• Containment pH control: Provide for chemical addition to the containment during post-accident conditions to establish flood up chemistry conditions that support radionuclide retention with high radioactivity in containment and to prevent corrosion of containment equipment during long-term flood up conditions.

The passive core cooling system is designed to operate without the use of active equipment such as pumps and ac power sources. The passive core cooling system depends on reliable passive components and processes such as natural circulation, gravity injection and expansion of compressed gases. The passive core cooling system does require a one-time alignment of valves upon actuation of the specific components.

The system is designed in such a way as to ensure that its safety functions are performed, even in the unlikely event of the most limiting single failure occurring coincident with postulated design basis events (see Section 6.3.1 of Reference 6.1).

Manual and automatic actuation of the passive core cooling system components is achieved via the protection and safety monitoring system. This is described in Section 6.7.

6.4.5.1 Accumulators

6.4.5.1.1 Description

Accumulators provide automatic and passive injection of borated cooling water to the reactor coolant system when the primary circuit is partially depressurised.

Fluid flow is driven by the stored energy of the compressed nitrogen gas within the accumulators. Each accumulator delivers its flow into one of the two direct vessel injection lines, each of which connects separately into the reactor vessel. Each direct vessel injection line is shared with one of the core make-up tanks and one of the injection lines from the in-containment refuelling water storage tank.

No instrumentation and control equipment is needed for operation of the accumulators.

Further information related to the accumulators can be found in Section 6.3.2.2.2 of Reference 6.1.

6.4.5.1.2 Design Requirements

The following design requirement for the accumulators supports safe shutdown in faulted conditions:

• Accumulators provide makeup borated water to maintain the reactor in a shutdown state and maintain reactor coolant inventory when reactor coolant pressure falls below 4.8 MPa gauge.

6.4.5.1.3 Substantiation

The supply of borated water from the accumulators is designed to maintain the plant in a shutdown state. The accumulators have been sized to provide makeup water in the event of loss of reactor coolant system water inventory, such that decay heat can be removed from the core. In addition, injection of borated water provides neutron absorption, which controls reactivity. Nominally, these 57 m3 tanks are filled with 48 m3 of water and 8.5 m3 of nitrogen at an initial pressure of 4.8 MPa gauge.

Accumulator pressure is provided by a supply of nitrogen gas and can be adjusted as required during normal plant operation. However, the accumulators are normally isolated from the nitrogen supply.

Accumulator level and pressure are monitored by indication and alarms. The operator can take action, as required, to meet the technical specification requirements for accumulator operability.

Gas relief valves on the accumulators protect them from over-pressurisation and potential explosion. The system also includes the capability to remotely vent gas from the accumulator, if required.

Once the reactor coolant pressure has fallen below the accumulator pressurisation pressure (4.8 MPa gauge), borated water flows from the two accumulators into the reactor coolant system. The boron concentration is 2600 ppm.

Accumulators provide a very high flow for a limited time, which depends on the initiating fault (Section 15.6 of Reference 6.1). For example, in the event of a large-break LOCA transient, calculations demonstrate that accumulators provide sufficient makeup water. These show that the lower plenum fills to the point where water begins to re-flood the core from below after approximately 54 seconds (Section 15.6.5.4A.6 of Reference 6.1).

6.4.5.2 Automatic Depressurisation System

6.4.5.2.1 Description

The automatic depressurisation system provides a controlled method to depressurise the reactor coolant system.

The automatic depressurisation system valves act in conjunction with the passive core cooling system to mitigate accidents. Their function is to reduce the reactor coolant system pressure in a controlled fashion to allow the required safety injection flow rates from the accumulators and the in-containment refuelling water storage tank. The system consists of four different valve stages that open sequentially to reduce reactor coolant system pressure sufficiently so that long-term core cooling can be provided from the passive core cooling system.

6.4.5.2.2 Design Requirements

The following design requirements for the automatic depressurisation system support safe shutdown in faulted conditions:

• When actuated, the automatic depressurisation system must partially depressurise the reactor coolant system to enable the accumulators and the normal residual heat removal system to inject.

• When actuated, the automatic depressurisation system must fully depressurise the reactor coolant system to enable the in-containment refuelling water storage tank to inject.

6.4.5.2.3 Substantiation

Partial Depressurisation

Partial depressurisation of the reactor coolant system is achieved by actuation of the partial automatic depressurisation system. The partial automatic depressurisation system consists of valve stages 1, 2 and 3, which have a common inlet header connected to the top of the pressuriser and a common discharge line to one of the spargers in the in-containment refuelling water storage tank. Each of the two lines of stages 1, 2 and 3 is arranged with an isolation valve in series with (and upstream of) a control valve, both of which are normally closed. When the automatic depressurisation system is actuated, the isolation valve opens first, then the control valve subsequently opens to initiate and control the flow to the in-containment refuelling water storage tank.

Actuation of the automatic depressurisation system reduces the reactor coolant system pressure to below the operational pressure of the accumulators. Following actuation of stage 3, the operational procedure is to start the normal residual heat removal system when the reactor coolant system pressure has been reduced to 3.1 MPa gauge. Injection from the normal residual heat removal system stops the core make-up tank injection and prevents the fourth stage automatic depressurisation system valves from being actuated. This feature prevents containment pressurisation and flooding.

Full Depressurisation

If the normal residual heat removal system is unavailable or there is an operator failure, the fourth stage automatic depressurisation system valves are actuated. The fourth stage valves connect to the top of the reactor coolant system hot legs and vent directly into the steam generator compartment to allow gravity injection from the in-containment refuelling water storage tank, thus providing long-term cooling.

Stage 4 is arranged in two identical groups of two lines each. Each group has a common inlet header connected to one of the reactor coolant system hot legs. Each stage 4 group discharges separately into the associated reactor coolant system loop compartment at an elevation above the post-accident flood-up level. Each of the four stage 4 lines has two valves arranged in series: a 36 cm normally open motor-operated isolation valve upstream of a 36 cm normally closed squib (explosive) valve.

The automatic depressurisation system valve descriptions for the AP1000 plant design are presented in Table 15.6.5-10 of Reference 6.1. The accident analysis in Chapter 15 of Reference 6.1 demonstrates that the automatic depressurisation system operates quickly enough to provide its safety function.

6.4.5.3 Core Makeup Tanks

6.4.5.3.1 Description

The core make-up tank subsystem is a passive subsystem that injects borated makeup water into the reactor coolant system. The core makeup tanks are connected to the reactor coolant system through a discharge injection line and an inlet pressure balance line connected to a cold leg.

Each core make-up tank consists of a low-alloy steel vessel with 308L stainless steel internal cladding. The minimum free internal volume for the core makeup tank is 70 m3. The normal full power temperature and pressure in the core makeup tank are 21.1 to 48.9°C and 15.5 MPa abs, respectively. The tank is designed to withstand the design environment of 17.2 MPa abs and 343°C.

There are two core make-up tanks located inside the containment at an elevation slightly above the reactor coolant loops. During normal operation, the core makeup tanks are completely full of cold, borated water.

Further information related to the core make-up tank design can be found in Section 5.4.13 of Reference 6.1.

6.4.5.3.2 Design Requirements

The following design requirements for the core makeup tanks support safe shutdown in faulted conditions:

• The core make-up tanks must be able to feed borated water into the core post-trip following a Design Basis accident, to ensure that the reactor remains subcritical.

• The core make-up tanks must provide makeup water to the reactor coolant system to maintain reactor coolant inventory during safe shutdown and Design Basis events, and to support cooling during a large LOCA.

6.4.5.3.3 Substantiation

Boration

Addition of boron after shutdown compensates for the increase in reactivity caused by the reduction in reactor coolant temperature, since the core has a negative moderator reactivity coefficient. The boron concentration within the core make-up tanks is 3400 ppm, which is sufficient to maintain the reactor at sub-critical conditions. The core make-up tank size and injection capability are selected to provide adequate reactor coolant system boration and safety injection for the limiting Design Basis initiating event.

The boron concentration in each core make-up tank is verified every seven days to confirm that it is within the limits assumed in the safety analysis. The seven-day frequency is adequate to promptly identify changes that could occur from mechanisms such as leakage.

If the water temperature or boron concentration of one core make-up tank is not within the Tech-Spec limits (see Chapter 16 of Reference 6.1), it must be returned to within limits in less than 72 hours. The deviations in these parameters are expected to be slight, considering the frequent surveillances and control room monitors.

Make Up

The core make-up tank has been sized to ensure that reactor coolant inventory is maintained during all Design Basis initiating events. For non-LOCA events, the core make-up tanks provide sufficient makeup water to accommodate reactor coolant system leakage and cooldown shrinkage without automatic depressurisation system actuation. The core make-up tanks use gravity to provide reactor coolant system injection. To make gravity effective, a pressure balance line is connected from the cold leg to the top of the core make-up tank. This line allows two different modes of operation. One mode is water circulation, which is used for non-LOCA events and the early stages of LOCAs. In this mode, hot water from the cold leg circulates to the core make-up tank and cold core make-up tank water is injected into the reactor core by natural circulation. The other mode is steam displacement, which is used to provide greater injection during LOCA events. The provision of makeup water therefore depends on the nature of the fault.

The core makeup tanks are connected to the reactor coolant system through a discharge injection line and an inlet pressure balance line connected to a cold leg. The discharge line is blocked by two normally closed, parallel air-operated isolation valves that open on loss of air pressure or electrical power, or on control signal actuation. The core makeup tank discharge isolation valves are diverse from the passive residual heat removal heat exchanger outlet isolation valves (Section 6.3.2.1.2 of Reference 6.1).

6.4.5.4 In-Containment Refuelling Water Storage Tank

6.4.5.4.1 Description

The in-containment refuelling water storage tank is a large, stainless-steel-lined tank located underneath the operating deck inside the containment. The in-containment refuelling water storage tank performs the following major functions:

• The in-containment refuelling water storage tank provides a heat sink for the passive residual heat removal heat exchanger, which is used to remove decay heat from the core in the event that the steam generators are unable to perform that function.

• During LOCA events, the in-containment refuelling water storage tank is also used to provide a long-term supply of water to the core, with condensate off the containment walls draining into the in-containment refuelling water storage tank.

• The in-containment refuelling water storage tank water is also used to flood the containment during refuelling operations and core melt accidents.

Further information related to the in-containment refuelling water storage tank design can be found in Section 6.3.2.2.3 of Reference 6.1.

6.4.5.4.2 Design Requirements

The following design requirements for the in-containment refuelling water storage tank support safe shutdown in faulted conditions:

• The in-containment refuelling water storage tank must provide the heat sink for the passive residual heat removal system.

• After the reactor coolant system has been fully depressurised, the in-containment refuelling water storage tank must provide sufficient makeup water for long-term reactor cooling.

• After the reactor coolant system has been fully depressurised, the in-containment refuelling water storage tank must feed borated water into the core to maintain the shutdown of the fission reaction.

6.4.5.4.3 Substantiation

Passive Residual Heat Removal Heat Sink

The in-containment refuelling water storage tank absorbs decay heat for more than one hour before the water begins to boil. Once boiling starts, steam passes to the containment. This steam condenses on the steel containment vessel and, after collection, drains by gravity back into the in-containment refuelling water storage tank. The passive residual heat removal heat exchanger, in-containment refuelling water storage tank and the passive containment cooling system combined provide indefinite decay heat removal capability with no operator action required.

Long-Term Reactor Cooling

The in-containment refuelling water storage tank has a minimum required water volume of 2090 m3. The tank is sized to provide the flooding of the refuelling cavity for normal refuelling, the post-loss of coolant accident flooding of the containment for reactor coolant system long-term cooling mode, and to support the passive residual heat removal heat exchanger operation.

The in-containment refuelling water storage tank can provide sufficient injection until the containment sump floods up high enough to initiate recirculation flow. In this long-term cooling mode, the core is covered and the steam boils off into the containment. The water in the containment sump provides recirculation flow to the core through the direct vessel injection line.

The in-containment refuelling water storage tank is connected to the primary circuit by two injection lines, each containing two squib isolation valves in parallel, only one of which needs to open to activate the in-containment refuelling water storage tank. These valves determine the reliability of the system, everything else being passive except for a non-return valve just upstream of each squib valve. Each in-containment refuelling water storage tank injection line delivers its flow into one of the two direct vessel injection lines, each of which connects separately into the reactor vessel. Each direct vessel injection line is shared with one of the core make-up tanks and one of the accumulators.

Boration

Boron concentration in the in-containment refuelling water storage tank is maintained between 2600 ppm and 2900 ppm. This margin ensures long term reactivity control after a large-break LOCA event as described in Section 15.6.5.4C.4 of Reference 6.1.

If the in-containment refuelling water storage tank water volume, boron concentration or temperature is not within limits, the core cooling capability from injection or passive residual heat removal heat exchanger heat transfer, and the reactivity benefit of injection assumed in the safety analyses, may not be achieved. Because of the large volume of the in-containment refuelling water storage tank, online monitoring of volume and temperature, and frequent surveillances, the deviation of these parameters is expected to be minor. The allowable deviation of the water volume is limited to 3%. Working within this limit prevents a significant change in boron concentration and is consistent with the long-term cooling analysis (Section 6.3 of Reference 6.1).

6.4.5.5 Containment Recirculation System

6.4.5.5.1 Description

After steam condenses on the steel containment vessel, which is cooled by the passive containment cooling system, the condensed water drains down the containment wall and is collected by the containment recirculation system, thus providing sufficient makeup water for long-term cooling.

The time that it takes until the initiation of containment recirculation flow varies greatly, depending on the specific event. With a break in a direct vessel injection line, the in-containment refuelling water storage tank spills out through the break and floods the containment, along with reactor coolant system leakage, and recirculation can occur in several hours. In the event of automatic depressurisation without a reactor coolant system break and with condensate return, the in-containment refuelling water storage tank level decreases very slowly. Recirculation may not initiate for several days.

6.4.5.5.2 Design Requirements

The following design requirements for containment recirculation support safe shutdown in faulted conditions:

• The containment recirculation gutter must return condensed water inside the containment building back to the in-containment refuelling water storage tank or the containment sump.

• The containment sump must inject water into the pressure vessel.

6.4.5.5.3 Substantiation

Recirculation Flow to the In-Containment Refuelling Water Storage Tank

Under normal operating conditions, the gutter isolation valves are open and the gutter sends excess condensate to the liquid radwaste system containment sump MT 02. During events with passive residual heat removal actuation, the air-operated valves close to shut off access to the waste sump. Water is thus returned to the in-containment refuelling water storage tank, allowing the passive residual heat removal heat exchanger to remain submerged and so maintaining the passive residual heat removal heat exchanger heat sink for an indefinite period of time (see subsection 6.3.2.1.1 of Reference 6.1).

Recirculation Flow to the Core

The protection and safety monitoring system automatically initiates containment sump recirculation upon receipt of a low-3 in-containment refuelling water storage tank water level in coincidence with an automatic depressurisation system actuation signal. The protection and safety monitoring system actuates containment sump recirculation by opening the normally closed squib valves on the recirculation lines, allowing the water in the containment sump to provide recirculation flow to the core through the direct vessel injection lines. It is also possible for the operators to manually actuate containment sump recirculation, if automatic actuation fails.

Diversity is provided in the actuation by using diverse squib valves. The motor-operated valve is designed so that it remains open in case of failure. Recirculation flow is provided through parallel check valve/squib valve flow paths; the check valves open once a sufficient gravity injection head is established. The success criterion for the containment sump recirculation is defined as injection into the reactor coolant system from the containment sump through one out of four recirculation lines and the corresponding gravity injection lines.

6.4.5.6 Passive Residual Heat Removal System

6.4.5.6.1 Description

The passive residual heat removal system removes core decay heat when a loss of cooling capability via the steam generators and feedwater systems occurs. The passive residual heat removal system consists of a heat exchanger and associated valves, piping and instrumentation to provide a means of passively cooling the core. The heat exchanger is located in the in-containment refuelling water storage tank, which provides the heat sink. Alternative heat sinks are provided during refuelling operations, when the in-containment refuelling water storage tank is drained into the containment.

Further information related to the passive residual heat removal system can be found in Section 5.4.14 of Reference 6.1, with a discussion of the operation of this system provided in Section 6.3 of Reference 6.1.

6.4.5.6.2 Design Requirements

The following design requirements for the passive residual heat removal system support safe shutdown in faulted conditions:

• The passive residual heat removal system is designed to remove decay heat from the reactor coolant system.

6.4.5.6.3 Substantiation

For faults affecting decay heat removal through the steam generators, the passive residual heat removal system removes decay heat from the reactor for an unlimited period of time, with the condensate from steam generated in the in-containment refuelling water storage tank being returned to the tank. The passive residual heat removal heat exchanger is designed to withstand the AP1000 maximum operating pressure and temperature of 17.2 MPa abs and 343°C.

The decay heat is transferred to the in-containment refuelling water storage tank, which starts to boil after about one hour. In the longer term, steam is vented to the containment where it is condensed. Most of this condensate drains down the containment wall and back into the in-containment refuelling water storage tank, thus providing decay heat removal indefinitely.

Passive residual heat removal heat exchanger flow and inlet and outlet line temperatures are monitored by indicators and alarms. The operator can take action to control the passive residual heat removal heat exchanger operation.

The passive residual heat removal heat exchanger isolation valves provide redundancy for accomplishing successful actuation. These valves are air-operated and are normally closed. They require both an air supply (compressed air system) and 125 V dc Class 1 control power to remain closed. Loss of air supply or loss of 125 V dc Class 1 control power results in valves opening.

Analyses discussed in Chapter 15 of Reference 6.1 confirm the effectiveness of the passive residual heat removal capability.

6.4.5.7 pH Adjustment

6.4.5.7.1 Description

The passive core cooling system also provides pH adjustment of the containment water following a LOCA event. Chemical adjustment is necessary to counter the effects of the boric acid contained in the safety injection supplies and acids (nitric acid from the irradiation of water and air and hydrochloric acid from irradiation and pyrolysis of electric cable insulation). The desired pH values significantly reduce formation of elemental iodine in the containment water, which reduces the production of organic iodine and the total airborne radioactive iodine in the containment. This pH adjustment is also provided to prevent stress corrosion cracking of safety significant containment components during long-term cooling.

6.4.5.7.2 Design Requirements

The system also has the following capability to provide support during fault conditions:

• The passive core cooling system must provide pH adjustment of water flooding the containment.

6.4.5.7.3 Substantiation

Control of the pH of the containment sump water post-accident is achieved through the use of four pH adjustment baskets containing granulated trisodium phosphate. The baskets are located below the minimum post-accident flood-up level, and chemical addition is initiated passively when the water reaches the baskets. The baskets are placed at least a foot above the floor to reduce the chance that water spills in containment will dissolve the trisodium phosphate. These baskets are sized to provide the correct quantity of trisodium phosphate to maintain the pH of the containment sump water in the range 7.0 to 9.5.

6.5 Auxiliary Systems

The following systems are addressed in this section of the document:

• Chemical and volume control system.

• Containment hydrogen control system.

• Normal residual heat removal system.

• Communication system.

• Component cooling water system.

• Compressed and instrument air system.

• Containment leak rate test system.

• Demineralised water transfer and storage system.

• Demineralised water treatment system.

• Fire protection system.

• Gaseous radwaste system.

• Liquid radwaste system.

• Mechanical handling system.

• Plant gas system.

• Potable water system.

• Primary sampling system.

• Radiation monitoring system.

• Radioactive waste drain system.

• Sanitary drainage system.

• Secondary sampling system.

• Service water system.

• Solid radwaste system.

• Spent fuel pool cooling system.

• Standby diesel fuel oil system.

• Turbine building closed cooling water system.

• Turbine island vents, drains and relief system.

• Waste water system.

The plant auxiliary systems consist of the water, process and heating, ventilation and air conditioning systems that support the AP1000. They generally provide component cooling, chemistry monitoring and control, waste storage and disposal, and habitability functions.

6.5.1 Chemical and Volume Control System

6.5.1.1 Description

The chemical and volume control system provides chemistry control of, and make-up to, the reactor coolant system. The chemical and volume control system is designed to perform the following major functions:

• Maintain reactor coolant purity and activity level within acceptable limits.

• Maintain the required coolant inventory in the reactor coolant system, and maintain the programmed pressuriser water level during normal plant operations.

• Maintain reactor coolant chemistry during plant start ups, provide normal dilution to compensate for fuel depletion, and provide shutdown boration; also provide the means for controlling the reactor coolant system pH by maintaining the proper level of lithium hydroxide.

• Provide the means for maintaining the proper level of dissolved hydrogen in the reactor coolant during power operation, and for achieving the proper oxygen level before start up after each shutdown.

Under normal operation, the chemical and volume control system is connected to reactor coolant system cold leg No. 1, and returns to the steam generator outlet chamber. The chemical and volume control system is made up of two subsystems: a chemical control subsystem, located inside containment, which consists of regenerative and letdown heat exchangers, mixed bed demineralisers and filters; and a makeup subsystem, located largely outside containment and consisting of makeup pumps, miniflow heat exchangers and chemical dosing tanks. Containment isolation valves are provided on both sides of the containment penetrations.

The safety functions provided by the chemical and volume control system are limited to containment isolation of chemical and volume control system lines penetrating containment, termination of inadvertent reactor coolant system boration, isolation of makeup on a steam generator or pressuriser high level signal, and preservation of the reactor coolant system pressure boundary, including isolation of normal chemical and volume control system letdown from the reactor coolant system.

6.5.1.2 Design Requirements

The following design requirements for the chemical and volume control system support safe operation of the plant during normal operation:

• The primary coolant boundary must remain intact under normal conditions and anticipated operational transients.

• The chemical and volume control system must maintain reactor coolant system fluid purity so as to reduce any contaminants that may reduce the heat transfer between the fuel and the primary coolant.

• The chemical and volume control system must maintain the reactor coolant system fluid activity level within acceptable limits.

• The chemical and volume control system must maintain the required coolant inventory in the reactor coolant system and must maintain the programmed pressuriser water level during normal plant operations.

• The chemical and volume control system must control the concentration of boron in the coolant for plant start-ups, normal dilution to compensate for fuel depletion and shutdown boration.

• The chemical and volume control system must prevent corrosion of the fuel and primary coolant boundary by controlling the reactor coolant system pH.

• The chemical and volume control system must limit corrosion of the fuel and primary coolant boundary by maintaining the proper level of oxygen in the reactor coolant system.

• It must be possible to isolate the chemical and volume control system from the reactor coolant system to prevent boron dilution.

The system also has the following capability to provide additional defence in depth support during fault conditions:

• Following an accident trip, the chemical and volume control system provides borated water to the reactor coolant system to ensure the reactor remains shut down.

• The chemical and volume control system is capable of being isolated from the reactor coolant system to prevent primary fluid loss in the event of a leak.

6.5.1.3 Substantiation

Integrity

The majority of the chemical and volume control system is designed and built to the requirements of the ASME III design code, as discussed in Section 6.3.2.

A portion of the chemical and volume control system is not required to be constructed to the ASME III design code, as it can be double-isolated from the reactor coolant system. This portion of the system is inside containment and is designed using ANSI B31.1 and ASME Code, Section VIII for the construction of the piping, valves and components. This portion begins after the second isolation valve between the reactor coolant system and the chemical and volume control system, and provides purification of the reactor coolant; it contains heat exchangers, demineralisers, filters and connecting piping.

The purification subsystem has been analysed for seismic withstand; the methods and criteria used for the seismic analysis are similar to those used for seismic Category II pipe. The chemical and volume control system components are located inside the containment, which is itself a seismic Category I structure.

The isolation valves between the reactor coolant system and the chemical and volume control system are active valves that are designed, qualified, inspected and tested for the isolation requirements. These isolation valves are designed and qualified for design conditions that include closing against blowdown flow with full system differential pressure, and are qualified for adverse seismic and environmental conditions.

The potential for release of activity from a break or leak in the chemical and volume control system is minimised by the location of the purification subsystem inside containment and by the design and testing of the isolation valves. Chemical and volume control system leakage inside containment is detectable by the reactor control leak detection function as potential reactor coolant pressure boundary leakage.

See Section 9.3.6 of Reference 6.1 for more details on the design and construction of the chemical and volume control system.

Coolant Purification

The normal chemical and volume control system purification loop is inside containment and operates at reactor coolant system pressure, utilising the developed head of the reactor coolant pumps as the motive force for the purification flow. During power operations, fluid is continuously circulated through the chemical and volume control system from the discharge of one of the reactor coolant pumps. It passes through the regenerative heat exchanger, where it is cooled by the returning chemical and volume control system flow, and is further cooled by component cooling water in the letdown heat exchanger to a temperature compatible with the demineraliser resins. The purification fluid flows through a mixed bed demineraliser, optionally through a cation bed demineraliser, and through a filter. It returns to the suction of a reactor coolant pump after being heated in the regenerative heat exchanger.

The mixed bed demineralisers are provided in the purification loop to remove ionic corrosion products and certain ionic fission products; they also remove zinc during periods of zinc addition. The demineralisers also act as filters. One mixed bed is normally in service, with a second demineraliser acting as backup in case the normal unit should become exhausted during operation. Each demineraliser and filter is sized to provide a minimum of one fuel cycle of service without change-out.

The mixed bed demineraliser in service can be supplemented by intermittent use of the cation bed demineraliser for additional purification in the event of fuel defects. In this case, the cation resin removes mostly lithium and caesium isotopes. The cation bed demineraliser has sufficient capacity to maintain the caesium-136 concentration at acceptable levels with the assumed level of Design Basis fuel defects. Each mixed bed and the cation bed demineraliser is sized to accept the maximum purification flow. Filters are provided downstream of the demineralisers to collect particulates and resin fines.

Since the motive force for the purification loop is the reactor coolant pump head in a closed loop with the reactor coolant system, continuous purification is provided without operating the chemical and volume control system makeup pumps.

During plant shutdown periods, when the reactor coolant pumps are stopped, the normal residual heat removal system provides the motive force for chemical and volume control system purification. Purification flow from the normal residual heat removal system heat exchanger is routed directly through the normal chemical and volume control system purification loop. Boron changes and dissolved gas control are still possible by operating the chemical and volume control system in a semi-closed loop arrangement.

Coolant purification is described in more detail in Section 9.3.6.2.1 of Reference 6.1.

Activity Control

The chemical and volume control system removes radioactive corrosion products and ionic fission products by filtration, and fission gases by routing flow to the liquid radioactive waste system degassifier. The chemical and volume control system has sufficient reactor coolant system purification and degasification capability (in conjunction with the liquid radioactive waste system) to allow the reactor vessel head to be removed in a timely manner during a refuelling shutdown. In addition, purification during shutdowns has a positive impact on the occupational radiation exposure to workers during the outage (see Section 9.3.6.1.2.1 of Reference 6.1).

A soluble zinc compound may be added to the coolant as a means of reducing radiation fields within the primary system and to reduce the potential for crud-induced power shift (CIPS). CIPS is caused by the precipitation of a boron-containing species in fuel crud under certain conditions, and results in an abnormal power shift due to the neutron absorbing properties of the crud.

The chemical and volume control system is designed to maintain the reactor coolant system activity level at less than the technical specification limit for normal operations, with Design Basis fuel defects. The applicable technical specification is 3.4.10, presented in Chapter 16 of Reference 6.1. The purification rate is based on minimizing occupational radiation exposure and providing access to the reactor coolant system equipment. The chemical and volume control system provides a reactor coolant system purification rate of at least one reactor coolant system mass per 16 hours (see Section 9.3.6.1.2.1 of Reference 6.1).

Inventory Control

The chemical and volume control system provides a means to add and remove mass from the reactor coolant system, as required, to maintain the programmed inventory during normal plant operations. Operations that are accommodated include start-up, shutdown, step load changes, and ramp load changes.

AP1000 Pre-Construction Safety Report

UKP-GW-GL-732 6-47 Revision 2

The chemical and volume control system is capable of maintaining a constant volume in the reactor coolant system while the plant is being heated up or cooled down. During a heatup it is necessary to remove reactor coolant system mass due to expansion. The maximum rate of net expansion occurs at the end of the heat-up, so the limiting case is based on controlling the pressuriser level during this phase of operation. This expansion is accommodated by the normal letdown path. During cooldown, it is necessary to add mass due to reactor coolant system shrinkage. The chemical and volume control system is capable of maintaining the minimum pressuriser level with makeup during cooldown from hot zero power to cold shutdown while maintaining normal purification flow. Ramp and step load changes, as well as load rejections, are accommodated by the reactor coolant system pressuriser level control system. The chemical and volume control system can function to accommodate normal pressuriser level control system makeup and letdown requirements (see Section 9.3.6.1.2.2 of Reference 6.1).

Boration

The concentration of boron in the reactor coolant system is changed, as required, to maintain the desired control rod position with core depletion. The required boron concentrations at various power levels are provided in Table 4.3-2 of Reference 6.1.

The chemical and volume control system has the capacity to accommodate a cold shutdown followed by a return to power at the end of core life and also (as an independent case) to borate the plant to cold shutdown immediately following return to power from refuelling. The system has boration and dilution capacity to meet these requirements, as well as the capability to transfer effluents to other systems (see Section 9.3.6.1.2.3 of Reference 6.1).

To borate the reactor coolant system, the operator sets the makeup control system to automatically add a preset amount of boric acid by fully diverting the three-way valve in the pump suction line to the boric acid storage tank, with delivered flow measured at the discharge of the makeup pumps. Dilution operates in a similar fashion. In either case, if the pressuriser level exceeds its control point, the letdown path to the liquid radioactive waste system holdup tanks is automatically opened on a high pressuriser level signal.

pH Control

Lithium hydroxide is chosen for its compatibility with the material and water chemistry of borated water, stainless steel, and zirconium systems (see Section 9.3.6.2.3.2 of Reference 6.1). In addition, lithium-7 is produced in the core region because of irradiation of the dissolved boron in the coolant.

The required concentration of Li7OH is varied with the pH control programme and kept low enough to minimise the formation of tritium, since lithium under neutron irradiation is a tritium source (lithium enriched in lithium-7 is used for the same reason). A chemical mixing tank is provided to introduce the solution to the suction of the makeup pumps as required to maintain the proper concentration of Li7OH in the reactor coolant system.

The solution is poured into the chemical mixing tank and is then flushed to the suction manifold of the makeup pumps with demineralised water. A flow orifice is provided on the demineralised water inlet pipe to allow chemicals to be flushed into the reactor coolant system at acceptable concentrations.

The concentration of lithium-7 in the reactor coolant system varies according to a pH control curve as a function of the boric acid concentration of the reactor coolant system. If the concentration exceeds the proper value, as it may during the early stages of core life when lithium-7 is produced in the core at a relatively high rate, the cation bed demineraliser is used in the letdown path in series with the mixed bed demineraliser to lower the lithium-7 concentration. Since the build-up of lithium is slow, the cation bed demineraliser is used only intermittently. When letdown is being diverted to the liquid radioactive waste system, the purification flow is routed through the cation bed demineraliser for removal of as much lithium-7 and caesium as possible.

Oxygen Control

During plant start-up from cold conditions, an oxygen scavenging agent is used. The oxygen scavenger solution is introduced into the reactor coolant system via the makeup flow and chemical mixing tank, in the same manner as described for lithium-7 addition. The oxygen scavenger is used for oxygen control only at start-up from cold shutdown conditions.

Dissolved hydrogen is employed during normal power operation to control and scavenge oxygen produced due to radiolysis of water in the core region. Hydrogen makeup is supplied to the reactor coolant system by direct injection of high-pressure gaseous hydrogen. The hydrogen comes from a bottle outside containment, through a containment penetration, and is mixed in the chemical and volume control system purification loop. Hydrogen removal from the reactor coolant system is not necessary because hydrogen is consumed in the core.

Containment Isolation

The chemical and volume control system valves are stainless steel for compatibility with the borated reactor coolant. All the isolation valves are actuated by the containment isolation system; in addition, they can all be actuated manually from the main control room. The containment isolation valves are described in Section 9.3.6.3.7 of Reference 6.1; a summary description is provided below.

The letdown flow inside containment isolation valve is a normally closed, fail closed, air-operated globe valve that isolates letdown to the liquid radwaste system. This valve automatically opens and closes on a plant control system signal from the pressuriser level control or a containment isolation signal from the protection and safety monitoring system. It automatically opens on high pressuriser level and closes when the pressuriser level returns to normal. It also closes on a high-high liquid radwaste system degassifier level or a containment isolation signal. This valve operator has a flow restricting orifice in the vent line so it closes more slowly than the letdown flow outside containment isolation valve. Manual control is also provided in the main control room and at the remote shutdown workstation.

The letdown flow outside containment isolation valve is a normally closed, fail closed, air-operated globe valve that isolates letdown to the liquid radwaste system. This valve automatically opens and closes on a plant control system signal from the pressuriser level control system or a containment isolation signal from the protection and safety monitoring system. This valve operates in the same fashion as the letdown flow inside containment isolation valve. The letdown flow outside containment isolation valve closes more quickly than the inside containment letdown flow isolation valve to limit seat wear of the inside containment isolation valve. This valve operator has a flow restricting orifice in the air line, so it opens more slowly than the inside containment letdown flow isolation valve. In addition, during brief periods of shutdown, when the reactor coolant system is water solid, this valve throttles to maintain the reactor coolant system pressure. Manual control is also provided in the main control room and at the remote shutdown workstation.

The makeup line containment isolation valves are normally open, motor-operated globe valves that provide containment isolation of the chemical and volume control system makeup line and automatically close on a high-2 pressuriser level, high steam generator level, or high-2 containment radiation signal from the protection and safety monitoring system. The valves close on a source range flux doubling signal to terminate possible unplanned boron dilution events. The valves also close on a safeguards actuation signal coincident with high-1 pressuriser level. Because isolation on a safeguards actuation signal requires the coincident high-1 pressuriser level, the chemical and volume control system can continue to provide reactor coolant system makeup flow if the makeup pumps are operating following a safeguards actuation signal. These valves are also controlled by the reactor makeup control system and close when makeup to other systems is provided. Manual control is provided in the main control room and at the remote shutdown workstation.

The hydrogen addition containment isolation valve is a normally open, fail closed, air-operated globe valve located outside containment in the hydrogen addition line. The valve automatically closes on a containment isolation signal from the protection and safety monitoring system. Manual control is provided in the main control room and at the remote shutdown workstation.

Isolation from the Reactor Coolant System

In the event of a leak in the chemical and volume control system, it is desirable to be able to isolate the chemical and volume control system and thus stop the leak, rather than relying on leak protection systems. The chemical and volume control system can be isolated from the reactor coolant system using the purification stop valves.

The purification stop valves are normally open, motor-operated valves located inside containment. They close automatically on a low pressuriser level signal from the protection and safety monitoring system to preserve the reactor coolant pressure boundary and to prevent uncovering of the heater elements in the pressuriser. They can also be manually operated from the main control room and the remote shutdown workstation (Section 9.3.6.3.7 of Reference 6.1).

The chemical and volume control system is also isolable from the reactor coolant system in the event of a boron dilution accident. In this case the redundant isolation valves are closed, the makeup pumps are tripped, and/or the suction of the makeup pumps is aligned to the boric acid tank (see Section 9.3.6.4.5.1 of Reference 6.1).

For dilution events occurring at power (assuming the operator takes no action), a reactor trip is initiated automatically on either an overpower trip or an over-temperature ΔT trip. Following a reactor trip signal, the line from the demineralised water system is isolated by closing two air-operated valves. The three-way pump suction control valve aligns so the makeup pumps take suction from the boric acid storage tank. If the event occurs while the makeup pumps are operating, the realignment of these valves causes the makeup pumps, if they continue to operate, to borate the plant.

For dilution events during shutdown, the source range flux doubling signal is used to isolate the makeup line to the reactor coolant system by closing the two motor-operated valves, isolating the line from the demineralised water system by closing the two air-operated valves, and tripping the makeup pumps.

For refuelling operations, administrative controls are used to prevent boron dilutions by verifying the valves in the line from the demineralised water system are closed and secured.

For boron dilution events at power, dilution would have to continue for at least 325 minutes to overcome the minimum available shutdown margin (see Section 15.4.6.2.6 of Reference 6.1). The at-power case is bounding for reactivity addition events. This 325-minute period is judged to provide adequate time for the line from the demineralised water system to be closed or for the makeup pump suction lines to be realigned.
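The two quantitative figures quoted in this section, a purification rate of one reactor coolant system mass per 16 hours (Activity Control) and 325 minutes of dilution before the shutdown margin is overcome, both follow from the same first-order mass balance on a well-mixed reactor coolant system. The Python script below is an added worked example and is not part of the PCSR or of Reference 6.1; the coolant mass, makeup rate, boron concentrations, demineraliser efficiency and caesium-136 half-life it uses are constructed illustration values, not AP1000 design or analysis data, and the function names are this example's own.

```python
"""Added worked example (not from the PCSR): the first-order mixing balance
behind (a) the purification turnover of one reactor coolant system mass per
16 hours and (b) the time a boron dilution needs to erode the shutdown margin.
Every numeric input below is a constructed illustration value."""
import math

LN2 = math.log(2.0)


def removal_constant(turnover_hours, decon_efficiency=1.0, half_life_hours=math.inf):
    """Total first-order loss constant k (1/h) for a soluble species in the coolant.

    Purification passes 1/turnover_hours of the coolant mass through the
    demineraliser each hour, which removes the fraction decon_efficiency of what
    it sees; radioactive decay adds ln2/half_life.  With a source S (activity
    added per hour) the balance is dC/dt = S - k*C.
    """
    if turnover_hours <= 0 or not 0.0 <= decon_efficiency <= 1.0:
        raise ValueError("turnover must be positive, efficiency in [0, 1]")
    purification = decon_efficiency / turnover_hours
    decay = 0.0 if math.isinf(half_life_hours) else LN2 / half_life_hours
    return purification + decay


def concentration(t_hours, c0, source_rate, k):
    """Closed-form solution of dC/dt = S - k*C with C(0) = c0."""
    if k <= 0:
        return c0 + source_rate * t_hours      # no removal: linear build-up
    c_ss = source_rate / k                     # steady state the coolant settles to
    return c_ss + (c0 - c_ss) * math.exp(-k * t_hours)


def cleanup_half_time(k):
    """Hours for the coolant concentration to halve once the source stops."""
    return LN2 / k


def dilution_time_minutes(rcs_mass_kg, makeup_kg_per_s, c_initial_ppm, c_critical_ppm):
    """Minutes of unborated makeup needed to take the boron concentration from
    c_initial to c_critical.

    Model: makeup at mass rate Q displaces letdown at the same rate, so the
    inventory M is constant and the coolant is perfectly mixed.  Boron balance:
        M dC/dt = -Q C   ->   C(t) = C0 exp(-Q t / M)   ->   t = (M/Q) ln(C0/Ccrit)
    """
    if makeup_kg_per_s <= 0 or rcs_mass_kg <= 0:
        raise ValueError("mass and makeup rate must be positive")
    if not 0 < c_critical_ppm < c_initial_ppm:
        raise ValueError("critical concentration must lie below the initial one")
    seconds = (rcs_mass_kg / makeup_kg_per_s) * math.log(c_initial_ppm / c_critical_ppm)
    return seconds / 60.0


if __name__ == "__main__":
    # (a) Purification at one RCS mass per 16 h with an assumed fully efficient
    #     demineraliser: a stable species halves every ln2 * 16 h.
    k_stable = removal_constant(16.0)
    print(f"stable species: k = {k_stable:.4f} 1/h, half-time {cleanup_half_time(k_stable):.1f} h")
    # Caesium-136 (half-life taken here as 13.16 d, an assumed value) decays as well.
    k_cs136 = removal_constant(16.0, half_life_hours=13.16 * 24)
    print(f"Cs-136: k = {k_cs136:.4f} 1/h, half-time {cleanup_half_time(k_cs136):.1f} h")
    # Steady-state activity for a constructed source of 1 unit/h from fuel defects.
    print(f"steady state with unit source: {concentration(1000.0, 0.0, 1.0, k_cs136):.2f} units")

    # (b) Boron dilution: constructed 200 t coolant mass, 6 kg/s of unborated
    #     makeup, 1500 ppm initial boron, 1300 ppm where shutdown margin is lost.
    print(f"dilution time: {dilution_time_minutes(2.0e5, 6.0, 1500.0, 1300.0):.1f} min")
```

For a species that does not decay and is fully removed by the demineraliser, a turnover of one mass per 16 hours halves the coolant concentration every ln(2) × 16 ≈ 11.1 hours; decay shortens this for short-lived isotopes. The dilution time is proportional to the coolant mass and to the logarithm of the concentration ratio, and inversely proportional to the makeup rate, which is why the analysis result depends on the assumed makeup pump capacity and on the shutdown margin available at the time.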


6.5.2 Containment Hydrogen Control System

6.5.2.1 Description

Hydrogen is postulated to be released following accident sequences in which the reactor overheats to the extent that the zirconium fuel cladding chemically reacts with the steam that is present; any breach in the reactor coolant system boundary would provide a route for this hydrogen to escape into the containment atmosphere. When mixed with the air in the containment, the hydrogen can burn (sub-sonic flame front) once its concentration reaches the lower flammability limit; at a higher concentration it can detonate (super-sonic flame front), potentially generating a pressure pulse of a magnitude sufficient to damage the containment structure. This must be avoided, because such accident sequences also release radioactivity into the containment atmosphere, and this would escape to the environment should the containment be damaged. The hydrogen needs to be removed gradually, ideally whilst at a low concentration, by chemically reacting it with the oxygen in the air in a controlled manner. In the AP1000 this is done by the containment hydrogen control system.

The containment hydrogen control system consists of three elements:

• Two passive autocatalytic recombiners installed above the operating deck recombine any hydrogen as it arises.

• 64 electrically powered hydrogen igniters distributed throughout the containment ignite any hydrogen at their respective locations before the concentration of hydrogen can build up to explosive levels.

• Three hydrogen sensors in the upper dome monitor the bulk hydrogen concentration and alert the operators to the need for remedial action.

6.5.2.2 Design Requirements

The system has the following capabilities, which provide defence in depth during fault conditions:

• The structures within the containment are arranged by design to promote the mixing of any hydrogen released from the reactor core and to eliminate dead-end compartments, so that the likelihood of hydrogen concentration reaching explosive levels is minimised.

• The autocatalytic recombiners are designed to be effective from hydrogen concentrations of less than 1 percent and at ambient temperature, and they must be impaired neither by being wet nor by the presence of very high steam concentrations.

• The autocatalytic recombiners are sized by design to accommodate the hydrogen production rate anticipated for the limited amounts of damage to the fuel and its cladding such as would arise from a loss of coolant accident.

• The hydrogen igniters are designed to be able to burn hydrogen at concentrations well below the explosive limit.

• The hydrogen igniters are able by design to accommodate the massive hydrogen production postulated to occur during a degraded core accident or a core melt accident in which all of the zirconium fuel cladding reacts with steam to produce hydrogen. The rapid hydrogen production rate would otherwise overwhelm the capacity of the autocatalytic recombiners, and the hydrogen concentration would then rise above the flammability limit.

• The hydrogen igniters are protected against the water and spray expected during Beyond Design Basis sequences.

• An alarm system is in place to alert the operators to the presence of hydrogen in the containment and the consequent need to activate the hydrogen igniters. The hydrogen sensors are able to monitor the range of hydrogen concentration from well below the flammability limit up to and beyond the explosive limit.

6.5.2.3 Substantiation

The structures within the containment are arranged to promote mixing by means of natural circulation. For a postulated break low in the containment, buoyant flows develop through the lower compartments due to density head differences between the rising plume and the surrounding containment atmosphere, tending to drive mixing through the lower compartments and into the region above the operating deck. There is also a degree of mixing within the region above the operating deck, which occurs as the steam-rich leakage plume rises up from the operating deck openings.

Three general characteristics have been incorporated into the design of the AP1000 to promote mixing and eliminate dead-end compartments, thereby reducing the likelihood of hydrogen concentration reaching explosive levels:

• The compartments below deck are large open volumes with relatively large interconnections, which promote mixing throughout the below deck region.

• All compartments below deck are provided with openings through the top of the compartment to eliminate the potential for a dead pocket of high-hydrogen concentration.

• In addition, if forced containment air-circulation is operated during post-accident recovery, the fan coolers contribute to circulation in containment.

The autocatalytic recombiners are effective from very low hydrogen concentrations (less than 1 percent) at ambient temperature, and they are impaired neither by being wet nor by the presence of very high steam concentrations. They begin the recombination of hydrogen and oxygen almost immediately upon exposure to oxygen and hydrogen when the catalyst is not wetted; if the catalyst material is wet, then a short delay is experienced (References 6.10 and 6.11). The autocatalytic recombiners are effective over a wide range of ambient temperatures, concentrations of reactants (rich and lean, oxygen/hydrogen less than 1 percent) and steam inerting (steam concentrations greater than 50 percent) (see Section 6.2.4.2.2 of Reference 6.1).

The autocatalytic recombiners are sized to accommodate the hydrogen production rate anticipated for the limited amounts of damage to the fuel and its cladding such as would arise from a loss of coolant accident. They have been shown to be effective at minimising the build up of hydrogen inside the containment following loss of coolant accidents (Reference 6.12).

The hydrogen igniters can burn hydrogen at concentrations less than 10 percent by volume and prevent the containment hydrogen concentration from exceeding this limit (see Section 6.2.4.4 of Reference 6.1).


The hydrogen ignition subsystem consists of 64 hydrogen igniters strategically distributed throughout the containment, based on evaluation of hydrogen transport in the containment and the hydrogen combustion characteristics (see Table 6.2.4-6 of Reference 6.1). The hydrogen igniters are designed to accommodate severe accident sequences. When an igniter is energised, its surface heats up to ≥ 927°C (1700°F), which is sufficient to ignite hydrogen in its vicinity once its concentration exceeds the lower flammability limit. The primary objective of installing an igniter system is to promote hydrogen burning at a low concentration and, to the extent possible, to burn the hydrogen more or less continuously so that the hydrogen concentration does not build up to explosive levels in the containment. To achieve this goal, the igniters are placed in the major regions of the containment where hydrogen might be released, through which it could flow or where it might accumulate. The igniter coverage, distribution and power supply have been designed to minimise the potential loss of igniter protection globally for the containment and locally for individual compartments (see Section 6.2.4.2.3 of Reference 6.1).

A spray shield is provided to protect each igniter from falling water drops resulting from the condensation of steam on the containment shell and on nearby equipment and structures.

The hydrogen sensors are designed to provide rapid-response detection of changes in the bulk containment hydrogen concentration (see Section 6.2.4.2.1 of Reference 6.1). They are electrically powered and need to be manually turned on. Once in service, the hydrogen sensors monitor the bulk containment hydrogen concentration, which is continuously indicated in the main control room; additionally, high hydrogen concentration alarms are provided. The sensors are powered by the uninterruptible power supply system. The hydrogen sensors have sufficient range to monitor concentrations up to 20% hydrogen (see Section 6.2.4.4 of Reference 6.1).
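The zirconium-steam reaction referred to in Sections 6.5.2.1 and 6.5.2.2 is Zr + 2H2O → ZrO2 + 2H2, so the hydrogen inventory scales directly with the mass of cladding that reacts. The Python script below is an added worked example, not part of the PCSR or of Reference 6.1: it converts a reacted cladding fraction into a dry-basis hydrogen volume fraction in the containment atmosphere and places the result against the bands discussed above (the lower flammability limit of hydrogen in air, about 4 percent by volume; the 10 percent igniter limit; the 20 percent sensor range). The cladding mass, containment free volume and initial atmosphere conditions are constructed placeholders, not AP1000 design values, and the function names are this example's own.

```python
"""Added worked example (not from the PCSR): hydrogen inventory from the
zirconium-steam reaction and where it falls in the containment hydrogen control
system's operating bands.  Plant quantities are constructed placeholders."""

# Zr + 2 H2O -> ZrO2 + 2 H2 : two moles of hydrogen per mole of zirconium.
ZR_MOLAR_MASS_KG_PER_MOL = 0.09122
H2_MOLES_PER_ZR_MOLE = 2.0
R_J_PER_MOL_K = 8.314

# Bands used by the control system as described in the text: hydrogen in air is
# flammable from about 4 vol% (lower flammability limit); the igniters are
# designed to keep the concentration below 10 vol%; the sensors read to 20 vol%.
LFL = 0.04
IGNITER_LIMIT = 0.10
SENSOR_RANGE = 0.20


def hydrogen_moles(zr_mass_kg, fraction_reacted):
    """Moles of H2 produced when fraction_reacted of the cladding is oxidised."""
    if not 0.0 <= fraction_reacted <= 1.0:
        raise ValueError("fraction_reacted must lie in [0, 1]")
    return H2_MOLES_PER_ZR_MOLE * fraction_reacted * zr_mass_kg / ZR_MOLAR_MASS_KG_PER_MOL


def air_moles(free_volume_m3, pressure_pa, temperature_k):
    """Pre-accident containment atmosphere from the ideal gas law."""
    return pressure_pa * free_volume_m3 / (R_J_PER_MOL_K * temperature_k)


def hydrogen_volume_fraction(zr_mass_kg, fraction_reacted, free_volume_m3,
                             pressure_pa, temperature_k):
    """Dry-basis hydrogen volume fraction: H2 moles over (H2 + air) moles.

    Steam is left out of the denominator, which overstates the hydrogen
    fraction; that is conservative for the flammability question asked here.
    """
    n_h2 = hydrogen_moles(zr_mass_kg, fraction_reacted)
    n_air = air_moles(free_volume_m3, pressure_pa, temperature_k)
    return n_h2 / (n_h2 + n_air)


def fraction_reacted_for(target_fraction, zr_mass_kg, free_volume_m3,
                         pressure_pa, temperature_k):
    """Inverse problem: cladding fraction that must react to reach a given
    hydrogen volume fraction x.  From x = n_h2/(n_h2 + n_air):
        n_h2 = x * n_air / (1 - x)."""
    if not 0.0 <= target_fraction < 1.0:
        raise ValueError("target_fraction must lie in [0, 1)")
    n_air = air_moles(free_volume_m3, pressure_pa, temperature_k)
    n_h2 = target_fraction * n_air / (1.0 - target_fraction)
    return n_h2 * ZR_MOLAR_MASS_KG_PER_MOL / (H2_MOLES_PER_ZR_MOLE * zr_mass_kg)


def classify(vol_fraction):
    """Which element of the hydrogen control system the concentration calls on."""
    if vol_fraction < LFL:
        return "below LFL: passive recombiners only"
    if vol_fraction < IGNITER_LIMIT:
        return "flammable: igniters burn it before it accumulates"
    if vol_fraction <= SENSOR_RANGE:
        return "above igniter design limit"
    return "beyond sensor range"


if __name__ == "__main__":
    # Constructed placeholders: 20 t of cladding, 60 000 m3 free volume,
    # atmosphere at 1 atm and 300 K before the accident.
    plant = dict(zr_mass_kg=2.0e4, free_volume_m3=6.0e4, pressure_pa=101325.0, temperature_k=300.0)
    for reacted in (0.1, 0.25, 0.5, 1.0):
        x = hydrogen_volume_fraction(fraction_reacted=reacted, **plant)
        print(f"{reacted:4.0%} of cladding reacted -> {x:6.2%} H2 : {classify(x)}")
    print(f"LFL reached after {fraction_reacted_for(LFL, **plant):.1%} of cladding reacts")
    print(f"igniter limit reached after {fraction_reacted_for(IGNITER_LIMIT, **plant):.1%}")
```

Ignoring steam overstates the hydrogen fraction, which is conservative when judging flammability but not when judging steam inerting; the "steam concentrations greater than 50 percent" case in Section 6.5.2.3 would need the steam moles added to the denominator. The inverse function shows why the recombiners alone are sized only for the limited cladding damage of a loss of coolant accident: with these placeholders, a modest fraction of the cladding is already enough to reach the flammability limit, and the bulk of the inventory from full oxidation arrives at a rate that only the igniters can deal with.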

6.5.3 Normal Residual Heat Removal System

6.5.3.1 Description

The principal function of this system is to cool the reactor coolant system when the reactor is in a shut down state, from the time the plant enters the second phase of cooldown until the reactor is started up again; it also provides defence in depth for removing heat from the reactor coolant system during certain fault sequences. Its other functions include:

• Provide purification flow from the reactor coolant system and the refuelling cavity to the chemical and volume control system during refuelling operations.

• Provide cooling for the in-containment refuelling water storage tank.

• Provide low pressure make-up to the reactor coolant system.

• Provide long-term, post-accident water make-up flow to the containment inventory.

• Provide back-up for cooling the spent fuel pool.

The normal residual heat removal system consists of two mechanical trains of equipment, each comprising one pump, one heat exchanger and the associated pipes, valves and instrumentation.

6.5.3.2 Design Requirements

The following design requirements for the normal residual heat removal system support safe operation of the plant under normal conditions:


• The normal residual heat removal system must be able to remove the fission product heat from the reactor coolant system from the time after shutdown when the reactor coolant system pressure falls below the design operating pressure of the normal residual heat removal system of 62 bar (900 psig).

• The normal residual heat removal system must be protected against spurious and inadvertent over-pressurisation, because, once connected, the reactor coolant system pressure boundary is extended to include the entirety of the normal residual heat removal system. That part of the system outside the containment has a design pressure that is lower than the main part of the reactor coolant system.

The normal residual heat removal system also has the capability to provide the additional defence in depth during and following fault conditions:

• It has the capability of cooling the spent fuel pool.

• It can provide make-up to the reactor coolant system and decay heat removal.

6.5.3.3 Substantiation

Following the shutting down of the reactor, cooling of the reactor coolant system is provided initially by the steam generators. When the reactor coolant system pressure is sufficiently low (typically 4 hours after reactor shutdown, with the reactor coolant system at a temperature of around 177°C (350°F) and a pressure of 31 bar (450 psig)), the normal residual heat removal system may be connected and cooling by means of the steam generators discontinued. The normal residual heat removal system reduces the temperature of the reactor coolant system from 177°C to 51.7°C (125°F) within 96 hours after shutdown, as described in Section 5.4.7.1.2.1 of Reference 6.1. The system maintains the reactor coolant temperature at or below 51.7°C for the remainder of the plant shutdown. The system provides this cooldown rate based on the following:

• Operation of the system with both subsystems of normal residual heat removal system pumps and heat exchangers available.

• Initiation of normal residual heat removal system operation at four hours following reactor shutdown, after the first phase of cool down by the main steam system has reduced the reactor coolant system temperature to less than or equal to 176.7°C and 3.1 MPa gauge.

• The component cooling water system supply temperature to the normal residual heat removal system heat exchangers is based on the maximum normal ambient wet bulb temperature as defined in Table 2-1 of Reference 6.1. The maximum normal ambient temperature is assumed for shutdown cooling.

• Operation of the system is consistent with reactor coolant system cool down rate limits and consistent with maintaining the component cooling water below design limits during cool down.

• Core decay heat generation is based on the decay heat curve for a three-region core having burn-ups consistent with a 24-month or 18-month refuelling schedule and based on the ANSI/ANS-5.1-1994 decay heat curve.

The system also provides the following capabilities:


• A failure of an active component during normal cool down does not preclude the ability to cool down, but lengthens the time required to reach 51.7°C. Furthermore, if such a single failure occurs while the reactor vessel head is removed, the reactor coolant temperature remains below boiling temperature.

• The system operates at a constant normal residual heat removal flow rate throughout refuelling operations. This includes the time when the level in the reactor coolant system is reduced to a mid-loop level to facilitate draining of the steam generators or removal of a reactor coolant pump. Operation of the system at the minimum level that the reactor coolant system can attain using the normal reactor coolant system draining connections and procedures results in no incipient vortex formation which would cause air entrainment into the pump suction.

• The pump suction line is self-venting, with continually upward sloped pipe from the pump suction to the hot leg. This arrangement prevents entrapment of air and minimises system venting efforts for start-up.

• Features are included that permit mid-loop operations to be performed from the main control room.

With the normal residual heat removal system in service when shutdown, the only over-pressure protection claimed by the fault schedule (Section 4.10.5.9 of Reference 6.13) is the normal residual heat removal system safety relief valve (Section 19E.4.10.1 of Reference 6.1). This valve is located inside the containment on the suction header, and is set to open at 34.5 bar (500 psig). The capacity of the relief valve is 3200 litres per minute (850 gpm) (Section 4.10.5.10.6 of Reference 6.13).

The normal residual heat removal system has the capability of being connected to supplement or take over the cooling function of the spent fuel pool cooling system, as part of defence in depth. The normally closed valves in the cross-connecting piping are opened, and one normal residual heat removal pump is started. Spent fuel pool water is drawn through the pump, passed through a heat exchanger and returned to the pool. The normal residual heat removal system can therefore provide redundancy in the event of a spent fuel pool cooling system heat exchanger failure, or can provide additional cooling as required. This mode of cooling is available when the normal residual heat removal system is not needed for normal shutdown cooling. The spent fuel pool water flow path between the spent fuel pool and the normal residual heat removal system is independent of the flow path used for spent fuel pool cooling by the spent fuel pool cooling system.

The normal residual heat removal system is capable of providing make-up to the reactor coolant system during fault conditions, in the form of low pressure make-up from the cask loading pit. The system is manually initiated by the operator following receipt of an automatic depressurisation signal. If the system is available, it provides reactor coolant system make-up, and hence additional margin for core cooling, once the pressure in the reactor coolant system falls below the shutoff head of the normal residual heat removal system pumps. As a further defence in depth measure, the normal residual heat removal system is capable of transferring decay heat to the component cooling water system during certain fault sequence scenarios (see Chapter 19 of Reference 6.1).

Indication is provided to alert the operator to the actuation of the normal residual heat removal system relief valve. Positive position indication is provided for the normal residual heat removal system relief valve. Temperatures in the relief valve discharge lines are measured, and an indication and a high temperature alarm are provided in the control room. An increase in a discharge line temperature is an indication of leakage or relief through the associated valve.

Containment isolation valves are provided on either side of containment penetrations. The normal residual heat removal system has two containment penetrations: the normal residual heat removal system suction line penetration, and the normal residual heat removal system discharge line penetration. Both penetrations are provided with containment isolation valves inside and outside containment, which are actuated by the containment isolation system.

6.5.4 Communication System

The communication system provides effective intra-plant communications and effective plant-to-offsite communications during normal, maintenance, transient, fire, and accident conditions, including loss of offsite power.

No design requirements associated with maintaining safety functions are placed on the communication system.

6.5.5 Component Cooling Water System

6.5.5.1 Description

The component cooling water system is a closed loop cooling system that transfers heat from various plant components to the service water system during normal phases of operation. It removes heat from various components needed for plant operation and removes core decay heat and sensible heat for normal reactor shutdown and cooldown.

The system includes two component cooling water pumps, two component cooling water heat exchangers, one component cooling water surge tank and associated valves, piping, and instrumentation. The system components are arranged into two mechanical trains. Each train includes one component cooling water pump and one component cooling water heat exchanger. Each pump discharges directly to its respective heat exchanger. A bypass line around each heat exchanger containing a throttle valve prevents overcooling of the component cooling water.

6.5.5.2 Design Requirements

The following design requirements for the component cooling water system support safe operation of the plant during normal operations:

• The component cooling water system can transfer heat from plant components as required, to support normal power operation.

• The component cooling water system can remove, in conjunction with the normal residual heat removal system, both residual and sensible heat from the core and the reactor coolant system and reduce the temperature of the reactor coolant system during the second phase of cool down.

The component cooling water system also has the capability to provide the additional defence in depth during and following fault conditions:

• It has the capability of cooling the spent fuel pool.

• It can support decay heat removal by way of the normal residual heat removal system.


6.5.5.3 Substantiation

Component Cooling

The component cooling water system transfers heat from the following plant components, needed to support normal power operation, even with a single active component failure in the component cooling water system:

• The reactor coolant pumps and the reactor coolant pump variable frequency drives in the reactor coolant system.

• The letdown and mini-flow heat exchangers in the chemical and volume control system.

• The reactor coolant drain tank in the liquid radioactive waste system.

• The residual heat removal pumps and heat exchangers in the normal residual heat removal system.

• The spent fuel pool heat exchangers in the spent fuel pool cooling system.

• The chillers in the central chilled water system.

• The sample heat exchanger in the primary sampling system.

• The air compressors in the compressed air system.

• The condensate pump oil coolers in the condensate system.

During normal operation, only one component cooling water pump and heat exchanger are required to remove heat in accordance with the above criteria. The other train is aligned to automatically start in case of failure of the operating component cooling water pump. Further details are provided in Section 9.2.2.4.2 of Reference 6.1.

The component cooling water system is designed for normal operation in accordance with the following criteria (see Section 9.2.2.1.2.1 of Reference 6.1):

• The component cooling water supply temperature to plant components is not more than 38°C (the normal operational ambient temperature assumed in the design analysis).

• The minimum component cooling water supply temperature to plant components is approximately 16°C.

• The component cooling water system provides sufficient surge capacity to accept approximately 11.4 m3/hr leakage into or out of the system for 30 minutes before any operator action is required.

Shutdown Heat Removal

The first phase of plant cool down is accomplished by transferring heat from the reactor coolant system via the steam generators to the main steam systems (see Section 6.6.6). The component cooling water system, in conjunction with the normal residual heat removal system (see Section 6.5.3), removes both residual and sensible heat from the core and the reactor coolant system and reduces the temperature of the reactor coolant system during the second phase of cool down.

As defence in depth, the component cooling water system is capable of providing decay heat removal to the service water system during certain fault sequence scenarios (see Chapter 19 of Reference 6.1).

6.5.6 Compressed and Instrument Air System

6.5.6.1 Description

The compressed and instrument air system consists of three subsystems: instrument air, service air, and high-pressure air.

The instrument air subsystem supplies compressed air for air-operated valves and dampers.

Service air is supplied at outlets throughout the plant to power air-operated tools and is used as a motive force for air-powered pumps. The service air subsystem is also utilised as a supply source for breathing air. Individually packaged air purification equipment is used to produce breathing quality air for protection against airborne contamination.

The high-pressure air subsystem supplies air to the main control room emergency habitability system, the generator breaker package, and fire fighting apparatus recharge station. The high-pressure air subsystem also provides a connection for refilling the main control room habitability system storage tanks from an offsite source. Major components of the compressed and instrument air system are located in the turbine building.

No design requirements associated with maintaining safety functions are placed on the compressed and instrument air system.

6.5.7 Containment Leak Rate Test System

6.5.7.1 Description

The reactor containment, containment penetrations and isolation barriers are designed to permit periodic leak rate testing. Three types of test are carried out:

• Containment integrated leak rate testing (Type A): The containment is pressurised with clean, dry air and the leak rate from the containment structure is established. Type A testing uses temporary equipment connected through penetration C01.

• Local leak rate testing of containment penetrations with a design that incorporates features such as resilient seals, gaskets, and expansion bellows (Type B): The leakage limiting boundary is pressurised with air or nitrogen and the pressure decay or the leak flow rate is measured. Type B testing uses permanently installed connections.

• Local leak rate testing of containment isolation valves (Type C): The piping test volume is pressurised with air or nitrogen and pressure decay or the leak flow rate is measured. Type C testing uses features built into the tested subsystems.

No design requirements associated with maintaining safety functions are placed on the containment leak rate test system.


6.5.8 Demineralised Water Transfer and Storage System

6.5.8.1 Description

The demineralised water transfer and storage system receives water from the demineralised water treatment system, and provides a reservoir of demineralised water to supply the condensate storage tank and for distribution throughout the plant. Demineralised water is processed in the demineralised water transfer and storage system to remove dissolved oxygen. In addition to supplying water for make-up of systems that require pure water, the demineralised water is used to sluice spent radioactive resins to the solid radwaste system from the ion exchange vessels in the chemical and volume control system, the spent fuel pool cooling system and the liquid radioactive waste system.

The demineralised water transfer and storage system consists of the demineralised water storage tank, the demineralised water transfer pump, two catalytic oxygen reduction units and a condensate storage tank. The system has one containment penetration, with isolation valves on either side.

No design requirements associated with maintaining safety functions are placed on the demineralised water transfer and storage system.

6.5.9 Demineralised Water Treatment System

6.5.9.1 Description

The demineralised water treatment system receives water from the raw water system, processes this water to remove ionic impurities and provides demineralised water to the demineralised water transfer and storage system. The system consists of two reverse osmosis feed pumps, two 100-percent reverse osmosis units normally operating in series for primary demineralisation, and one electrode ionisation unit for secondary demineralisation.

No design requirements associated with maintaining safety functions are placed on the demineralised water treatment system.

6.5.10 Fire Protection System

6.5.10.1 Description

The fire protection system detects and suppresses fires, and is an integral part of the AP1000 fire protection program. The primary objectives of the AP1000 fire protection program are to prevent fires and to minimise the consequences should a fire occur. The program provides protection so that the plant can be shut down safely following a fire.

The fire protection system consists of a number of fire detection and suppression subsystems, referred to as systems, including:

• Detection systems for early detection and notification of a fire.

• A water supply system including the fire pumps, yard main, and interior distribution piping.

• Fixed automatic fire suppression systems.


• Manual fire suppression systems and equipment, including hydrants, standpipes, hose stations and portable fire extinguishers.

6.5.10.2 Design Requirements

The principal design requirement of the fire protection system, that of detecting and protecting against fires, is described and substantiated in the Internal Hazards Topic Report (Reference 6.3).

The fire protection system also provides the following additional defence in depth support during and following fault conditions: it can deliver an alternative supply of cooling water to the normal residual heat removal system after a loss of normal component cooling water system function.

6.5.10.3 Substantiation of the Fire Protection System

Connections are provided between the fire protection system and the normal residual heat removal system. A permanent connection is provided to allow the fire protection system to furnish water to cool a normal residual heat removal system pump and heat exchanger following a fire that disables the normal component cooling water system cooling function (see Table 9.5.1-4 of Reference 6.1).

6.5.11 Gaseous Radwaste System

6.5.11.1 Description

The AP1000 gaseous radwaste system is a once-through, ambient temperature, activated carbon delay system that collects and processes radioactive gaseous wastes originating from the reactor coolant system, to prevent an uncontrolled atmospheric release. The system includes a gas cooler, a moisture separator, an activated carbon-filled guard bed and two activated carbon-filled delay beds. Also included in the system are an oxygen analyser and a gas sampler.

The gaseous radwaste system is designed to receive radioactive gases generated during operation. The radioactive gas flowing into the gaseous radwaste system enters as trace contamination in a stream of hydrogen and nitrogen. The incoming gas first passes through a gas cooler. Moisture formed due to gas cooling is removed in the moisture separator. The waste gas then flows through the guard bed, where iodine and chemical (oxidising) contaminants are removed. The guard bed also removes any remaining excessive moisture from the waste gas. The waste gas then flows through the two delay beds, where xenon and krypton are delayed by a dynamic adsorption process.

6.5.11.2 Design Requirements

The following design requirements for the gaseous radwaste system support safe operation of the plant under normal operations:

• The gaseous radwaste system must have the capacity to process the maximum anticipated flow of hydrogen and nitrogen containing trace amounts of radioactive gas arising from the normal primary coolant letdown operations and from the reactor coolant drain tank.

• The moisture separator must be able to accommodate the design basis purge flow rate.

• The gas leaving the moisture separator must be monitored for temperature and oxygen concentration, and alarmed should an abnormal condition requiring attention occur.


• The levels of radiation released from the gaseous radwaste system must be within the specified limits.

• The gas leaving the delay beds must be monitored for temperature, flow rate and radioactivity, and alarmed should an abnormal condition requiring attention occur. The discharge line must close on radioactivity in the gaseous radwaste system in excess of a predetermined set point, or on low ventilation exhaust duct flow.

6.5.11.3 Substantiation of the Gaseous Radwaste System

The gaseous radwaste system is designed to accept the following expected inputs, as described in Section 11.3.1.2.1.1 of Reference 6.1:

• Letdown diversion for dilution, reactor coolant system with maximum hydrogen concentration. This input is 0.85 m3/hr on an intermittent basis carrying a very small volume of radioactive gas, yielding 15.6 m3 total hydrogen.

• Letdown diversion for reactor coolant system degassing, assumed to remove gases from the reactor coolant system to a level of 1 cc/kg beginning with the reactor coolant system at the maximum hydrogen concentration of 40 cc/kg. At its maximum this input is 0.85 m3/hr hydrogen carrying a very small volume of radioactive gas yielding 6.94 m3 total hydrogen.

• Reactor coolant drain tank liquid transfer to maintain proper reactor coolant drain tank level, assuming 0.06 m3/hr liquid input from the reactor coolant system, intermittently yielding 0.85 m3/hr hydrogen and nitrogen carrying a very small volume of radioactive gas, yielding about 2.27 m3 hydrogen and nitrogen total.

• Reactor coolant drain tank gas venting, conservatively estimated at 0.028 m3/d, yielding 1.27 m3 total nitrogen and hydrogen.

The moisture separator is sized for the design basis purge flow rate, and is therefore oversized for the normal flow rate (see Section 11.3.2.3.3 of Reference 6.1).

The gas leaving the moisture separator is monitored for temperature, and a high alarm alerts the operator to an abnormal condition requiring attention. Oxygen concentration is also monitored. On a high oxygen alarm, a nitrogen purge is automatically injected into the effluent line.

The waste gas then flows through the two delay beds where xenon and krypton are delayed by a dynamic adsorption process. A single bed provides adequate performance (see Section 11.3.2.3.3 of Reference 6.1). The anticipated annual average airborne releases of radionuclides from the plant are calculated in the UK AP1000 Environment Report (Reference 6.14), and are shown to be below the designated limits. Limits are provided for radioiodine, noble gases, tritium, carbon-14 and other particulates. The adsorption of radioactive gases in the delay bed occurs without reliance on active components or operator action. Operator error or active component failure would not result in an uncontrolled release of radioactivity to the environment.

Failure to remove moisture prior to the delay beds (due to loss of chilled water or other causes) results in a gradual reduction in gaseous radwaste system performance. Reduced performance is indicated by high temperature and discharge radiation alarms (see Section 11.3.2.2.1 of Reference 6.1). The discharge line is equipped with a valve that automatically closes on either radioactivity in excess of a predetermined set point in the gaseous radwaste system discharge line or low ventilation exhaust duct flow.


6.5.12 Liquid Radwaste System

6.5.12.1 Description

The liquid radioactive waste system is designed to collect, process, store and dispose of liquid radioactive waste generated as the result of normal operation, including anticipated operational occurrences such as reactor coolant system level reduction for refuelling. Nonradioactive secondary system waste is not processed by the liquid radioactive waste system; however, if significant radioactivity is detected in secondary-side systems, blowdown or a portion of the blowdown may be diverted to the liquid radwaste system for processing and disposal.

The liquid radioactive waste system includes tanks, pumps, ion exchangers and filters. It is designed either to process radioactively contaminated liquid waste, or to store it for processing by mobile equipment. The liquid waste falls into four major categories:

• Borated reactor-grade waste water collected from the reactor coolant system effluents received through the chemical and volume control system, the primary sampling system sink drains and equipment leak offs and drains.

• Floor drains and other wastes with potentially high suspended solids content, collected from various building floor drains and sumps.

• Detergent wastes collected from the plant hot sinks and showers and some clean-up and decontamination processes. Such waste generally has low concentrations of radioactivity.

• Chemical waste collected from the laboratory and other relatively small volume sources. This could be a mixture of hazardous and radioactive wastes, or other radioactive wastes with high dissolved solids content.

The liquid radioactive waste system has two effluent hold-up tanks, which contain the liquid waste prior to processing. They receive borated and hydrogen-bearing liquid from two sources: the reactor coolant drain tank and the chemical and volume control system. The reactor coolant drain tank collects leakage and drainage from various primary systems and components inside the containment. Effluent from the chemical and volume control system is produced mainly as a result of reactor coolant system heat-up, boron concentration changes and reactor coolant system level reduction for refuelling. Input collected by the effluent system normally contains hydrogen and dissolved radioactive gases. Therefore, it is routed through the liquid radioactive waste system vacuum degasifier before being stored in the effluent hold-up tanks. The contents of the effluent hold-up tanks may be recirculated and sampled, recycled through the degasifier for further gas stripping, returned to the reactor coolant system by way of the chemical and volume control system make-up pumps, discharged to the mobile treatment facility, processed through the ion exchangers, or directed to the monitor tanks for discharge without treatment.

The AP1000 liquid radioactive waste system first filters the incoming liquid. It then enters four ion exchange resin vessels in series. Any of these vessels can be manually bypassed, and the order of the last two can be interchanged so as to provide complete usage of the ion exchange resin. The top of the first vessel is normally charged with activated carbon, to act as a deep-bed filter and to remove oil from floor drain wastes. Moderate amounts of other wastes can also be routed through this vessel. It can be bypassed for processing relatively clean waste streams. This vessel is somewhat larger than the other three, with an extra sluice connection to allow the top bed of activated carbon to be removed. This feature is associated with the deep bed filter function of the vessel; the top layer of activated carbon collects particulates, and the ability to remove it without disturbing the underlying zeolite bed minimises solid waste production. The second, third and fourth beds are in identical ion exchange vessels, which are selectively loaded with resin, depending on prevailing plant conditions.

After deionisation, the water passes through an after-filter, where radioactive particulates and resin fines are removed. The processed water then enters one of the monitor tanks. When one of the monitor tanks is full, the system automatically realigns to route the processed water to another monitor tank.

6.5.12.2 Design Requirements

The following design requirements for the liquid radioactive waste system support safe operation of the plant under normal conditions:

• The liquid radioactive waste system must collect and process liquid waste collected from the reactor coolant system and connected systems, and then discharge the processed liquid to the environment in a controlled manner.

• The levels of radiation released from the liquid radioactive waste system after treatment must be within the allowed discharge limits.

• The liquid radioactive waste system must be capable of being isolated by the containment isolation system.

6.5.12.3 Substantiation

The liquid radioactive waste system is appropriately sized to handle the predicted waste arisings. The two effluent hold-up tanks have a combined total capacity of 212 m3 (see Table 11.2-2 of Reference 6.1). This is significantly greater than the volume of liquid expected to arise, which is of the order of 10 m3 per day (see Table 11.2-6 of Reference 6.1).

The permanently installed processing capacity is 17 m3/hr through the ion exchange/filtration train. This is adequate capacity to meet the anticipated processing requirements of the plant (see Section 11.2.1.2.1 of Reference 6.1).

The contents of the monitor tank are recirculated and sampled. In the unlikely event of radioactivity in excess of operational targets, the tank contents are returned to a waste hold-up tank for additional processing. Normally, however, the radioactivity is expected to be well below the discharge limits (see Section 11.2.2.1.1 of Reference 6.1), and the dilute boric acid is discharged for dilution to the circulating water blowdown. The discharge flow rate is set to limit the boric acid concentration in the circulating water blowdown stream to an acceptable concentration for local requirements. Detection of high radiation in the discharge stream stops the discharge flow and operator action is required to re-establish discharge. The raw water system, which provides make-up for the circulating water system, is used as a back-up source for dilution water.
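The two discharge-path protections described above (Section 6.5.11.3: the gaseous radwaste discharge valve closes on high radioactivity or on low ventilation exhaust duct flow; Section 6.5.12.3: high radiation in the liquid discharge stream stops the discharge, and operator action is required to re-establish it) can be modelled as a fail-closed latched trip. The following Python is an added illustration, not Westinghouse code: the sample readings are constructed, the setpoints and the `Trip`/`Reading` API are assumptions, and applying the same operator-reset latch to the gaseous path is an assumption (the text states the reset requirement only for the liquid path).

```python
"""Latched, fail-closed discharge trip for a radwaste effluent line.

Added example, not Westinghouse code.  Setpoints, sample data and the
class/function names are assumptions made for the illustration; the trip
causes come from Sections 6.5.11.3 and 6.5.12.3 of the text.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Reading:
    t: int                      # sample index (constructed data, not plant data)
    radiation: float            # discharge-line radiation monitor, arbitrary units
    exhaust_flow: float         # ventilation exhaust duct flow, m3/hr (gaseous path)
    operator_reset: bool = False  # operator has requested re-establishment


@dataclass
class Trip:
    """Once tripped, the discharge stays closed until an operator reset
    arrives while no trip condition is present (fail-closed latch)."""
    rad_setpoint: float
    low_flow_limit: Optional[float]   # None: no exhaust-flow trip (liquid path)
    open: bool = True
    cause: str = ""

    def step(self, r: Reading) -> bool:
        causes = []
        if r.radiation >= self.rad_setpoint:
            causes.append(f"radiation {r.radiation} >= {self.rad_setpoint}")
        if self.low_flow_limit is not None and r.exhaust_flow < self.low_flow_limit:
            causes.append(f"exhaust flow {r.exhaust_flow} < {self.low_flow_limit}")
        if causes:
            # Any active cause closes the valve and (re)records why.
            self.open = False
            self.cause = "; ".join(causes)
        elif not self.open and r.operator_reset:
            # Reset only clears the latch when the condition has gone away.
            self.open = True
            self.cause = ""
        return self.open


def run(trip: Trip, readings: list) -> list:
    """Return (t, valve_open, cause) for each reading, in order."""
    return [(r.t, trip.step(r), trip.cause) for r in readings]


# Constructed sample series (assumed values): radioactivity exceeds the
# setpoint at t=2 and clears at t=3; the operator resets at t=4; the exhaust
# duct flow drops at t=5 and a reset is attempted at t=6 while it is still low.
SAMPLES = [
    Reading(0, 0.2, 1000.0),
    Reading(1, 0.4, 1000.0),
    Reading(2, 5.0, 1000.0),
    Reading(3, 0.3, 1000.0),
    Reading(4, 0.3, 1000.0, operator_reset=True),
    Reading(5, 0.3, 100.0),
    Reading(6, 0.3, 100.0, operator_reset=True),
]


def gaseous_demo() -> list:
    """Gaseous path: radioactivity OR low exhaust-duct flow trips the valve."""
    return run(Trip(rad_setpoint=1.0, low_flow_limit=500.0), SAMPLES)


def liquid_demo() -> list:
    """Liquid path: radiation trip only; exhaust flow is ignored."""
    return run(Trip(rad_setpoint=1.0, low_flow_limit=None), SAMPLES)


if __name__ == "__main__":
    for name, trace in (("gaseous", gaseous_demo()), ("liquid", liquid_demo())):
        for t, is_open, cause in trace:
            print(f"{name} t={t}: {'OPEN' if is_open else 'CLOSED'} {cause}")
```

The point the trace makes is that the valve does not reopen at t=3 merely because the reading has fallen below the setpoint, and that a reset pressed while a trip cause is still present (t=6 on the gaseous path) is ignored; the same sample series leaves the liquid path open at t=5 and t=6 because it has no exhaust-flow trip.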

Containment isolation valves are provided on either side of containment penetrations. The liquid radioactive waste system has two containment penetrations: the reactor coolant drain tank liquid radioactive waste system connection penetration and the containment sump pumps combined discharge penetration. Both penetrations are provided with isolation valves inside and outside containment, which are actuated by the containment isolation system.


6.5.13 Mechanical Handling System

6.5.13.1 Description

The light load handling system consists of the equipment and structures needed for the refuelling operation. This equipment comprises fuel assembly, core component and reactor component hoisting equipment, handling equipment, and a fuel transfer system. The structures associated with the fuel handling equipment are the refuelling cavity, the transfer canal, the fuel transfer tube, the spent fuel pool, the cask loading area, the new fuel storage area and the new fuel receiving and inspection area. The light load handling system consists of the following subsystems:

• Refuelling machine.

• Fuel transfer system.

• Fuel handling machine.

• Fuel handling tools and equipment.

The heavy load handling systems consist of equipment that lifts loads whose weight is greater than the combined weight of a single spent fuel assembly and its handling device (approximately 1406 kg). The following systems are part of the heavy load handling system:

• Containment polar crane.

• Equipment hatch hoist.

• Maintenance hatch hoist.

• Cask handling crane.

• Main steam isolation valve monorail hoists.

6.5.13.2 Design Requirements

The following requirements are made on the mechanical handling system during normal operations:

• The light load handling lifting systems must have redundant paths of load support.

• The design of the light load handling systems must prevent the dropping of fuel assemblies.

• The design of the light load handling systems must prevent jamming of fuel assemblies.

• The design of the light load system must prevent the over-raising of a spent fuel assembly to the point that the minimum required depth of water shielding fails to be maintained.

• The heavy load handling systems must be single failure proof, where a dropped load could affect nuclear safety.


A full suite of design requirements associated with the mechanical handling system during fault conditions and their substantiation will be presented in the AP1000 Spent Fuel Handling Topic Report (Reference 6.4).

6.5.13.3 Substantiation

The components of the refuelling machine, fuel transfer system and fuel handling machine that perform significant lifting operations are provided with redundant load paths:

• The refuelling machine main hoist system is supplied with redundant paths of load support such that failure of any one component will not result in free fall of the fuel assembly. Two wire ropes are anchored to the winch drum and carried to a load equalizing mechanism on the top of the gripper tube. The fuel assembly gripper has four fingers gripping the fuel, any two of which will support the fuel assembly weight (see Section 9.1.4.3.1 of Reference 6.1).

• The fuel transfer system does not perform any significant lifting.

• The fuel handling machine hoists are supplied with redundant paths of load support so that failure of any one component will not result in a free fall of the fuel assembly. When redundant paths are not practical, conservative safety factors will be applied (see Section 9.1.4.3.3 of Reference 6.1).

The design of the light load handling systems prevents the dropping of fuel assemblies, by being designed and fabricated to appropriate codes and standards.

The light load handling systems incorporate interlocks that prohibit the incorrect release of carried loads. The refuelling machine is provided with a number of features which prevent the dropping of fuel assemblies, including (see Section 9.1.4.3.1 of Reference 6.1):

• The refuelling machine can only place a fuel assembly in the core, in the in-containment storage rack, or in the fuel transfer system.

• When a fuel assembly is raised or lowered, interlocks provide confidence that the refuelling machine can only apply loads which are within safe operating limits.

• The fuel gripper is monitored by devices to confirm operation to the fully engaged or fully disengaged position. Alarms are actuated if both engage and disengage switches are actuated at the same time, or if neither is actuated.

• The gripper tube is prevented from lowering completely out of the mast.

• Before the fuel gripper can release a fuel assembly, the fuel gripper must be in its down position in the core, in the in-containment storage rack, or in the fuel transfer system.

• The weight of the fuel assembly must be off the gripper before the fuel gripper can release a fuel assembly.

The fuel transfer system does not perform any significant lifts; the only lifting capability the fuel transfer system has is the lifting arm which pivots the fuel assembly to the horizontal position for passage through the fuel transfer tube, or back to a vertical position so that the assembly can be lifted out of the fuel container (see Section 9.1.4.2.1 of Reference 6.1).


The fuel handling machine is provided with a number of features which prevent the dropping of fuel assemblies, including (see Section 9.1.4.3.3 of Reference 6.1):

• The fuel handling machine, and its associated fuel handling tool, can only place a fuel assembly in the new fuel rack, spent fuel racks, fuel transfer system, new fuel elevator, spent fuel cask, fuel inspection/repair station, or rail car bay traveller.

• When a fuel assembly is raised or lowered, interlocks provide confidence that the fuel handling machine can apply only loads that are within safe operating limits.

The design of the light load handling systems includes features to prevent jamming of fuel assemblies during a lift, or lifting of an already-jammed assembly. The refuelling machine is provided with a number of features which prevent the jamming of fuel assemblies or the snagging of lifting equipment, including (see Section 9.1.4.3.1 of Reference 6.1):

• When the refuelling machine gripper is engaged, the machine cannot traverse unless the fuel assembly bottom nozzle is clear of the lower core plate alignment pins.

• When the refuelling machine gripper is disengaged, the machine cannot traverse unless the gripper is withdrawn into the mast.

• Simultaneous traversing and hoisting operations are prevented.

• Lowering of the gripper is not permitted if slack cable exists in the hoist.
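The refuelling machine interlocks listed above (the release conditions in the first list and the traverse, hoist and slack-cable conditions in the second) form a small permissive logic that is easier to reason about when written out as code. The following Python is an added illustration, not Westinghouse code: the `MachineState` fields, the function names and the overload margin are assumptions made for the example, the load figure is the 1406 kg assembly-plus-handling-device value from Section 6.5.13.1, and the interlock conditions themselves are the ones stated in the text.

```python
"""Executable model of the refuelling machine interlocks in Section 6.5.13.3.

Added example, not Westinghouse code.  State fields, function names and the
overload margin are assumptions; the conditions are those listed in the text.
"""
from dataclasses import dataclass
from enum import Enum


class Location(Enum):
    CORE = "core"
    RACK = "in-containment storage rack"
    TRANSFER = "fuel transfer system"
    OTHER = "elsewhere"


@dataclass
class MachineState:
    location: Location = Location.OTHER
    gripper_down: bool = False          # gripper at its down position in the target
    gripper_in_mast: bool = True        # gripper tube withdrawn into the mast
    engage_switch: bool = False         # 'fully engaged' switch actuated
    disengage_switch: bool = True       # 'fully disengaged' switch actuated
    load_kg: float = 0.0                # hoist load reading (assumed sensor)
    nozzle_clear_of_pins: bool = False  # bottom nozzle clear of lower core plate pins
    hoisting: bool = False              # hoist currently in motion
    slack_cable: bool = False           # slack detected in the hoist cable
    at_up_stop: bool = False            # hoist at up-travel stop (shielding depth)
    at_down_stop: bool = False          # gripper tube at its lower-travel stop


FUEL_ASSEMBLY_KG = 1406.0               # Section 6.5.13.1 figure
MAX_SAFE_LOAD_KG = 1.15 * FUEL_ASSEMBLY_KG  # assumed margin, not a design value


def gripper_alarm(s: MachineState) -> bool:
    """Alarm when both, or neither, position switch is actuated."""
    return s.engage_switch == s.disengage_switch


def gripper_engaged(s: MachineState) -> bool:
    return s.engage_switch and not s.disengage_switch


def release_blocks(s: MachineState) -> list:
    """Interlocks preventing gripper release; an empty list is a permissive."""
    blocks = []
    if gripper_alarm(s):
        blocks.append("gripper position switches inconsistent")
    if s.location is Location.OTHER:
        blocks.append("not in core, storage rack or transfer system")
    if not s.gripper_down:
        blocks.append("gripper not in its down position")
    if s.load_kg > 0.0:
        blocks.append("assembly weight still on gripper")
    return blocks


def traverse_blocks(s: MachineState) -> list:
    """Interlocks preventing the machine from traversing."""
    blocks = []
    if s.hoisting:
        blocks.append("simultaneous traverse and hoist prohibited")
    if gripper_alarm(s):
        blocks.append("gripper position switches inconsistent")
    elif gripper_engaged(s):
        if not s.nozzle_clear_of_pins:
            blocks.append("bottom nozzle not clear of lower core plate pins")
    elif not s.gripper_in_mast:
        blocks.append("gripper not withdrawn into mast")
    return blocks


def hoist_blocks(s: MachineState, direction: str) -> list:
    """Interlocks on hoist motion; direction is 'raise' or 'lower'."""
    blocks = []
    if direction == "raise":
        if s.at_up_stop:
            blocks.append("at up-travel stop: minimum water shielding depth")
        if s.load_kg > MAX_SAFE_LOAD_KG:
            blocks.append("load exceeds safe operating limit (possible snag)")
    elif direction == "lower":
        if s.slack_cable:
            blocks.append("slack cable in hoist")
        if s.at_down_stop:
            blocks.append("gripper tube at lower-travel stop: cannot leave mast")
    else:
        blocks.append("unknown hoist direction")
    return blocks


def demo() -> dict:
    """Four constructed states: a clean lift, a snag, an early and a proper release."""
    lifted = MachineState(location=Location.CORE, engage_switch=True, disengage_switch=False,
                          load_kg=FUEL_ASSEMBLY_KG, nozzle_clear_of_pins=True)
    snagged = MachineState(location=Location.CORE, engage_switch=True, disengage_switch=False,
                           load_kg=2 * FUEL_ASSEMBLY_KG)
    in_air = MachineState(location=Location.TRANSFER, engage_switch=True, disengage_switch=False,
                          load_kg=FUEL_ASSEMBLY_KG)
    seated = MachineState(location=Location.TRANSFER, gripper_down=True, gripper_in_mast=False,
                          engage_switch=True, disengage_switch=False, load_kg=0.0)
    return {"traverse_lifted": traverse_blocks(lifted),
            "raise_snagged": hoist_blocks(snagged, "raise"),
            "release_in_air": release_blocks(in_air),
            "release_seated": release_blocks(seated)}


if __name__ == "__main__":
    for name, blocks in demo().items():
        print(f"{name}: {'PERMITTED' if not blocks else blocks}")
```

Each function returns the list of interlocks that would block the action rather than a bare boolean, so an empty list is the only permissive; a new interlock is added by appending one more condition, and the default `MachineState` (gripper disengaged, withdrawn into the mast, no load) is the safe idle state.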

The fuel transfer system is provided with a number of features which prevent the jamming of fuel, including (see Section 9.1.4.3.3 of Reference 6.1):

• An interlock on the fuel transfer system prevents the up-ender from being moved from the horizontal to the vertical position if the transfer car has not reached the end of its travel.

• An interlock on the transfer tube valve permits transfer car operation only when the transfer tube valve position switch indicates the valve is fully open.

• The fuel transfer system is interlocked with the refuelling machine. Whenever the transfer car is located in the refuelling cavity, the fuel transfer system cannot be operated unless the refuelling machine mast is in the fully retracted position or the refuelling machine is over the core.

• On the spent fuel pool side, the fuel transfer system is interlocked with the fuel handling machine. The fuel transfer system cannot be operated until the loaded fuel handling machine hoist is at the up limit, the empty tool is clear of the up-ender, or the fuel handling machine is moved away from the fuel transfer system area. An interlock is provided from the fuel handling machine to the fuel transfer system to accomplish this.

The fuel handling machine is provided with a number of features that prevent the jamming of fuel assemblies or the snagging of lifting equipment (see Section 9.1.4.3.3 of Reference 6.1), including:

• When the hoist load weighing system detects a load greater than the spent fuel assembly handling tool, the machine cannot traverse unless the hoist is at the up limit. For new fuel handling, the corresponding threshold is a load greater than the new fuel handling tool.

• Simultaneous traversing and hoisting operations are prevented.

• Lowering of the hoist is not permitted if slack cable exists.

• The fuel handling machine hoist is prevented from moving in the transfer machine zone unless the fuel transfer machine up-ender is vertical. An interlock is provided from the fuel transfer system to the fuel handling machine to accomplish this.

The design of the light load handling systems prevents the over-raising of a spent fuel assembly to the point where the minimum required depth of water shielding would no longer be maintained, by incorporating appropriate hoist up travel stops. The spent fuel pool and fuel transfer canal are designed such that a minimum water level is maintained above the fuel, so as to reduce the dose to the operator to less than 0.025 mSv/hr (see Section 12.3.2.2.4 of Reference 6.1). The refuelling machine (see Section 9.1.4.3.1 of Reference 6.1) and the fuel handling machine (see Section 9.1.4.3.3 of Reference 6.1) are provided with hoist up travel stops, which prevent a spent fuel assembly from being raised above the minimum water depth for shielding.
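The interlocks and hoist travel stops listed above can be read as a set of deny-by-default permissives: a motion is allowed only when no interlock blocks it. The Python model below is an added illustration written for this page, not Westinghouse design logic; the class, field and action names and the idle default states are assumptions, while each (condition, reason) pair corresponds to one bullet in the text.

```python
from dataclasses import dataclass


@dataclass
class RefuellingMachine:
    gripper_engaged: bool = False
    nozzle_clear_of_pins: bool = False   # assembly bottom nozzle clear of lower core plate pins
    gripper_in_mast: bool = True
    traversing: bool = False
    hoist_moving: bool = False
    slack_cable: bool = False
    hoist_at_up_limit: bool = False      # hoist up travel stop (minimum shielding depth) reached
    mast_fully_retracted: bool = True
    over_core: bool = False


@dataclass
class FuelTransferSystem:
    car_at_end_of_travel: bool = True
    tube_valve_fully_open: bool = True
    car_in_refuelling_cavity: bool = False
    upender_vertical: bool = True


@dataclass
class FuelHandlingMachine:
    load_exceeds_tool: bool = False      # load weighing system reads more than the handling tool
    hoist_at_up_limit: bool = True
    traversing: bool = False
    hoist_moving: bool = False
    slack_cable: bool = False
    tool_clear_of_upender: bool = True
    away_from_transfer_area: bool = True
    in_transfer_zone: bool = False


@dataclass
class Plant:
    rm: RefuellingMachine
    fts: FuelTransferSystem
    fhm: FuelHandlingMachine


def blocking_reasons(plant: Plant, action: str) -> list:
    """Return the interlocks that block `action`; an empty list means permitted.
    Each (condition, reason) pair is one bullet from the text above (names assumed)."""
    rm, fts, fhm = plant.rm, plant.fts, plant.fhm
    # Spent fuel pool side: the FHM is clear of the transfer system if it has moved away,
    # or a loaded hoist is at the up limit, or an empty tool is clear of the up-ender.
    fhm_clear = fhm.away_from_transfer_area or (
        fhm.hoist_at_up_limit if fhm.load_exceeds_tool else fhm.tool_clear_of_upender)
    # The FHM hoist may not move in the transfer zone unless the up-ender is vertical.
    fhm_hoist_common = [
        (fhm.traversing, "FHM: simultaneous traverse and hoist"),
        (fhm.in_transfer_zone and not fts.upender_vertical, "FHM: up-ender not vertical"),
    ]
    rules = {
        "rm_traverse": [
            (rm.hoist_moving, "RM: simultaneous traverse and hoist"),
            (rm.gripper_engaged and not rm.nozzle_clear_of_pins, "RM: nozzle on alignment pins"),
            (not rm.gripper_engaged and not rm.gripper_in_mast, "RM: gripper not in mast"),
        ],
        "rm_hoist_raise": [
            (rm.traversing, "RM: simultaneous traverse and hoist"),
            (rm.hoist_at_up_limit, "RM: hoist up travel stop"),
        ],
        "rm_hoist_lower": [
            (rm.traversing, "RM: simultaneous traverse and hoist"),
            (rm.slack_cable, "RM: slack cable in hoist"),
        ],
        "fts_upend_to_vertical": [
            (not fts.car_at_end_of_travel, "FTS: transfer car not at end of travel"),
        ],
        "fts_move_car": [
            (not fts.tube_valve_fully_open, "FTS: transfer tube valve not fully open"),
            (fts.car_in_refuelling_cavity and not (rm.mast_fully_retracted or rm.over_core),
             "FTS: refuelling machine mast not retracted and not over core"),
            (not fhm_clear, "FTS: fuel handling machine not clear of transfer area"),
        ],
        "fhm_traverse": [
            (fhm.hoist_moving, "FHM: simultaneous traverse and hoist"),
            (fhm.load_exceeds_tool and not fhm.hoist_at_up_limit, "FHM: loaded hoist not at up limit"),
        ],
        "fhm_hoist_raise": fhm_hoist_common + [(fhm.hoist_at_up_limit, "FHM: hoist up travel stop")],
        "fhm_hoist_lower": fhm_hoist_common + [(fhm.slack_cable, "FHM: slack cable in hoist")],
    }
    if action not in rules:                   # deny by default: unknown motion requests are refused
        return [f"unknown action {action!r}"]
    return [reason for blocked, reason in rules[action] if blocked]


def permitted(plant: Plant, action: str) -> bool:
    return not blocking_reasons(plant, action)


if __name__ == "__main__":
    plant = Plant(RefuellingMachine(), FuelTransferSystem(), FuelHandlingMachine())
    plant.rm.gripper_engaged, plant.rm.nozzle_clear_of_pins = True, False
    print(blocking_reasons(plant, "rm_traverse"))   # ['RM: nozzle on alignment pins']
```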

The heavy load handling systems with nuclear safety significance are designed and fabricated to appropriate design codes for single failure proof cranes. The polar crane and cask handling crane are designed according to the requirements of NUREG-0554 supplemented by ASME NOG-1 for a Type I, single-failure-proof crane. The containment equipment hatch hoist and maintenance hatch hoist incorporate single-failure-proof features based on NUREG-0612 guidelines (see Section 9.1.5.2 of Reference 6.1). The monorail hoists are not required to be single failure proof, since it is not possible for failure of the hoists to jeopardise nuclear safety. The polar crane, cask handling crane and containment equipment and maintenance hatch hoists stop and hold a critical load following the credible failure of a single component. Either redundancy or double design factor is provided for load bearing components such as the hoisting ropes, sheaves, equaliser assembly, hooks, and holding brakes. These systems are designed to support a critical load during and after a safe shutdown earthquake. The seismic Category I equipment and maintenance hatch hoist systems are designed to remain operational following a safe shutdown earthquake. The polar crane is designed to withstand rapid pressurisation of the containment during a design basis loss of coolant accident or main steam line break, without collapsing.

6.5.14 Plant Gas System

6.5.14.1 Description

The plant gas system provides hydrogen, carbon dioxide and nitrogen gas to the plant systems, as required. Other gases such as oxygen, methane, acetylene and argon are supplied in smaller individual containers, and are not supplied by the plant gas system.

No design requirements associated with maintaining safety functions are placed on the plant gas system.

6.5.15 Potable Water System

6.5.15.1 Description

The potable water system is designed to furnish water for domestic use and human consumption.

No design requirements associated with maintaining safety functions are placed on the potable water system.

6.5.16 Primary Sampling System

6.5.16.1 Description

The primary sampling system is a manually operated system. It collects representative samples of fluids from the reactor coolant system and various primary auxiliary system process streams for analysis by the plant operating staff. This sampling process is performed during normal plant operations.

The primary sampling system consists of two separate portions: the liquid sampling portion and the gas sampling portion. The liquid sampling portion collects samples from the reactor coolant system and the auxiliary systems and transports them to a common location in a sample room in the auxiliary building. The gaseous sampling portion collects gaseous samples from the containment atmosphere. Gaseous sampling is conducted in the sample room in the auxiliary building, and it shares the grab sampling unit and the control panel with the liquid sampling portion.

6.5.16.2 Design Requirements

The following requirements for the primary sampling system support safe operation of the plant under normal conditions:

• The primary sampling system must maintain the integrity of the primary coolant boundary.

• The primary sampling system must be able to provide a representative sample of the primary coolant, whilst minimising operator doses to levels that are ALARP.

6.5.16.3 Substantiation

The primary sampling system maintains the integrity of the primary coolant boundary by being designed and fabricated to appropriate codes and standards.

The primary sampling system collects representative samples of primary coolant. During normal operation, the primary sampling system collects representative samples of fluids in the following reactor coolant system and auxiliary primary systems process streams:

• The reactor coolant system hot leg, before the chemical and volume control system demineraliser.

• The pressuriser liquid space.

• Downstream from the chemical and volume control system demineraliser.

• The passive core cooling system accumulators and core make-up tanks.

• The discharge from the containment sump pump.

• The sampling system also collects gaseous samples of the containment air.

The results of the sample analyses are used to perform the following functions:

• Monitor core reactivity.

• Monitor fuel rod integrity.

• Evaluate ion exchanger (demineraliser) and filter performance.

• Specify chemical additions to the various systems.

• Maintain acceptable hydrogen levels in the reactor coolant system.

• Detect radioactive material leakage.

The measurements are used to evaluate water chemistry and to recommend corrective action by the laboratory staff.

The liquid sampling portion of the primary sampling system collects samples from the reactor coolant system and the auxiliary systems and transports them to a common location in a sample room in the auxiliary building. This portion of the system uses 6.3 mm stainless steel tubing. The small tubing flow area limits flow to less than chemical and volume control system makeup capacity in the event of a leak in the sampling lines. Dissolved gases in the reactor coolant system are also collected in this system. Sample flow is routed to a grab sampling unit.

Because the motive force during normal operations is the system pressure, the sampling system is designed to reactor coolant system pressure. If system pressure is not available, an eductor supplies the motive force for sample collection.

A direct line from the grab sampling unit to the laboratory provides the capability for continuous liquid sampling and analysis with online monitors.

Prior to the collection of liquid samples either in the laboratory or in the grab sampling unit, the lines are purged with source liquid to provide representative samples. The purging flow returns to the effluent holdup tank of the liquid radioactive waste system.

The gaseous sampling portion of the primary sampling system collects gaseous samples from the containment atmosphere. Gaseous sampling is conducted in the sample room in the auxiliary building, and it shares with the liquid sampling portion the grab sampling unit and the control panel. However, it uses larger, 9.5 mm, stainless steel tubing. Similar to the liquid sampling system, the gas sample subsystem is also manually operated with extension stems on the valves. Only grab samples are collected for the gas sampling process. The lines are purged prior to sample collection to provide representative samples. The purged gas returns to the containment sump.

Provisions are also made to dilute the gas sample. The dilution process uses nitrogen from a local gas bottle.

The gas sampling system uses an ejector, driven by nitrogen from a local gas bottle, as the motive force for sample collection.

Further information about operation of the primary sampling system is provided in Section 9.3.3 of Reference 6.1.

Doses to the operator associated with the use of the primary sampling system are ALARP. A delay coil of tubing is installed inside containment to provide at least 60 seconds of transit time for the sampling fluid to exit the containment from the hot leg. This 60-second delay is needed for N-16 decay. Control and instrumentation are provided for safe, reliable operation. Sample flow is routed to a grab sampling unit. This unit is in an enclosure, which controls the spread of contamination and provides shielding. The grab sampling unit is further shielded by a concrete wall to minimise radiation exposure. Valves inside the grab sampling unit have long handles extending outside the enclosure and are manually operated. This arrangement allows the operator to obtain a sample quickly with minimum radiation exposure. A schematic diagram is provided on the front of the grab sampling unit to illustrate the tube routing inside. The operator dose associated with the use of the primary sampling system is considered in the normal operations dose assessment presented in Section 12 of this PCSR.

6.5.17 Radiation Monitoring System

6.5.17.1 Description

The radiation monitoring system provides plant effluent monitoring, process fluid monitoring, airborne monitoring, and continuous indication of the radiation environment in plant areas where such information is needed. The radiation monitoring system is installed permanently and operates in conjunction with regular and special radiation survey programs to assist in meeting applicable regulatory requirements.

The radiation monitoring system is divided functionally into two subsystems:

• Process, airborne, and effluent radiological monitoring and sampling.

• Area radiation monitoring.

6.5.17.2 Design Requirements

The following design requirement for the radiation monitoring system supports safe operation of the plant under normal conditions, and provides defence in depth capability during faulted conditions:

• The radiation monitoring system must provide early indication of a system or equipment malfunction that could result in excessive radiation dose to plant personnel or lead to plant damage.

6.5.17.3 Substantiation

The radiation monitoring system provides effective monitoring of process discharges and airborne contamination. The process and effluent radiological monitoring and sampling subsystem provides radiation monitoring for the four functions listed below. Individual monitors may serve more than one of these functions.

• Fluid process monitors determine concentrations of radioactive material in plant fluid systems.

• Airborne monitors provide operators with information on concentrations of radioactivity at various points in the ventilation system, providing information on airborne concentrations in the plant.

• Liquid and gaseous effluent monitors measure radioactive materials discharged to the environs.

• Post-accident monitors monitor potential pathways for release of radioactive materials during accident conditions.

The area radiation monitoring subsystem provides plant personnel information on radiation at fixed locations in AP1000. Post-accident monitoring functions are also performed by certain area monitors.

The radiation monitoring system uses distributed radiation monitors, where each radiation monitor consists of one or more radiation detectors and a dedicated radiation processor. Each radiation processor receives, averages and stores radiation data and transmits alarms and data to the plant control system for control (as required), display and recording. The alarms provided include: low (fail), alert and high. Selected channels have a rate-of-rise alarm.

Each radiation detector (except the in-duct radiation detectors and the containment high range ion chambers) has a check source that is actuated from the associated local radiation processor. The check source is used to verify detector and monitor operation. The check source is shielded to meet ALARP requirements, and returns to its fully retracted/shielded position upon loss of actuator power. The in-duct radiation detector operation may be checked using an internal LED to simulate light pulses emitted in response to radiation. The containment high range monitors have an internal source that provides a minimum reading; loss of signal from the detector indicates detector inoperability.
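The processing described in the two paragraphs above (receive, average, store, raise low (fail), alert, high and rate-of-rise alarms, and verify the detector with a check source) is shown below as an added Python illustration; it is not Westinghouse's processor logic. The setpoint values, the averaging window of four samples, the two-fold check-source response ratio and the sample readings are all constructed for the example.

```python
from collections import deque
from dataclasses import dataclass
from typing import Optional


@dataclass
class Setpoints:
    low_fail: float                          # averaged reading below this: detector assumed failed
    alert: float
    high: float
    rate_of_rise: Optional[float] = None     # rise of the average per sample; None = channel not fitted


class RadiationProcessor:
    """Per-channel processor (names assumed): receives raw readings, keeps a moving
    average, stores the history and returns the alarms raised for each sample."""

    def __init__(self, channel: str, setpoints: Setpoints, window: int = 4):
        self.channel = channel
        self.sp = setpoints
        self.window = deque(maxlen=window)
        self.history = []                    # stored (raw, average, alarms) records
        self.prev_avg = None

    def process(self, raw: float) -> tuple:
        self.window.append(raw)
        avg = sum(self.window) / len(self.window)
        alarms = []
        if avg < self.sp.low_fail:
            alarms.append("LOW(FAIL)")       # a dead channel reads as a low alarm, not as "clean"
        if avg >= self.sp.high:
            alarms.append("HIGH")
        elif avg >= self.sp.alert:
            alarms.append("ALERT")
        if (self.sp.rate_of_rise is not None and self.prev_avg is not None
                and avg - self.prev_avg >= self.sp.rate_of_rise):
            alarms.append("RATE-OF-RISE")    # only channels with a rate-of-rise setpoint
        self.prev_avg = avg
        record = (raw, avg, tuple(alarms))
        self.history.append(record)
        return record[2]

    def check_source_ok(self, baseline_avg: float, source_in_readings, min_ratio: float = 2.0) -> bool:
        """Check-source verification: with the check source actuated, the averaged reading
        must rise by at least `min_ratio` over the baseline, otherwise the detector or its
        processing chain is declared inoperable."""
        if baseline_avg <= 0 or not source_in_readings:
            return False
        response = sum(source_in_readings) / len(source_in_readings)
        return response / baseline_avg >= min_ratio


# Constructed sample data (not plant data): one channel's raw readings in arbitrary count units.
SAMPLE_READINGS = [12, 12, 11, 12, 13, 40, 90, 150, 200, 0, 0, 0, 0]
SAMPLE_SETPOINTS = Setpoints(low_fail=1.0, alert=50.0, high=120.0, rate_of_rise=15.0)


def run_channel(readings, setpoints, window: int = 4):
    """Feed a reading series through one processor and return the alarm tuple per sample."""
    proc = RadiationProcessor("AREA-EXAMPLE", setpoints, window)
    return [proc.process(r) for r in readings]


if __name__ == "__main__":
    proc = RadiationProcessor("AREA-EXAMPLE", SAMPLE_SETPOINTS)
    for raw in SAMPLE_READINGS:
        alarms = proc.process(raw)
        print(f"{raw:>6} avg={proc.history[-1][1]:7.2f} {' '.join(alarms)}")
    print("check source ok:", proc.check_source_ok(12.0, [30, 31, 29, 30]))   # True
```

The trailing zeros show why the low (fail) alarm matters: a disconnected detector would otherwise look like a perfectly clean area, and the averaging window also delays the high alarm by a few samples, which is the trade-off a rate-of-rise alarm compensates for.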

Further details of the radiation monitoring system are provided in Section 11.5.2 of Reference 6.1.

6.5.18 Radioactive Waste Drain System

6.5.18.1 Description

The radioactive waste drain system collects radioactive liquid wastes from equipment and floor drainage of the radioactive portions of the auxiliary building, annex building, and radwaste building and directs these wastes to a centrally located sump in the auxiliary building. The contents of the sump are pumped to the liquid radwaste system tanks.

6.5.18.2 Design Requirements

The following design requirement for the radioactive waste drain system supports safe operation of the plant under normal conditions:

• The radioactive waste drain system must collect the radioactive liquid wastes from equipment and floor drains during normal operation, start-up, shutdown and refuelling, and transfer the liquid wastes to the appropriate processing and disposal systems.

6.5.18.3 Substantiation

The radioactive waste drain system has adequate capacity for the predicted waste arising. The radioactive waste drain system collects radioactive liquid wastes at atmospheric pressure from equipment and floor drainage of the radioactive portions of the auxiliary building, annex building, and radwaste building and directs these wastes to a centrally located sump in the auxiliary building. The drains are adequately sized to meet the flow requirements, and the drain systems are designed to avoid crud traps and minimise drain traps (see Section 9.3.5.1.2 of Reference 6.1). The sumps have a volume of 5.3 m³ (see Table 9.3.5-1 of Reference 6.1); this equates to two days of storage, based on the predicted waste volume provided in Table 11.2-1 of Reference 6.1.

The radioactive waste drain system transfers collected waste to the liquid radioactive waste system. The contents of the sump are pumped to the liquid radioactive waste system tanks. Drainage lines from the negative pressure boundary areas of the auxiliary, radwaste, and annex buildings do not terminate outside the negative pressure boundary without a normally closed valve or plugged drain, so as to maintain the integrity of the negative pressure boundary. Further information on the components and operation of the radioactive waste drain system is provided in Section 9.3.5 of Reference 6.1.

6.5.19 Sanitary Drainage System

The sanitary drainage system is designed to collect the site sanitary waste for treatment, dilution and discharge.

No design requirements associated with maintaining safety functions are placed on the sanitary drainage system.

6.5.20 Secondary Sampling System

The secondary sampling system delivers representative samples of fluids from secondary systems to sample analyser packages.

No design requirements associated with maintaining safety functions are placed on the secondary sampling system.

6.5.21 Service Water System

6.5.21.1 Description

The service water system supplies cooling water to remove heat from the component cooling water system heat exchangers in the turbine building.

6.5.21.2 Design Requirements

The following design requirements for the service water system support safe operation of the plant during normal operations:

• The service water system can transfer heat from the component cooling water system as required, to support normal power operation.

• The service water system can remove, in conjunction with the component cooling water system, both residual and sensible heat from the core and the reactor coolant system and reduce the temperature of the reactor coolant system during the second phase of cool down.

The service water system also has the following capability, which provides additional defence in depth during and following fault conditions:

• It has the capability of transferring heat from the component cooling water system to the atmosphere.

6.5.21.3 Substantiation

Shutdown Heat Removal

The service water system, in conjunction with the component cooling water system (see Section 6.5.35), removes both residual and sensible heat from the core and the reactor coolant system and reduces the temperature of the reactor coolant system in normal operations during the second phase of cool down.

As a defence in depth measure, the service water system is capable of providing decay heat removal to the atmosphere during certain fault sequence scenarios (see Chapter 19 of Reference 6.1).

6.5.22 Solid Radwaste System

6.5.22.1 Description

The solid waste management system is designed to collect and accumulate spent ion exchange resins and deep bed filtration media, spent filter cartridges, dry active wastes, and mixed wastes generated as a result of normal plant operation, including anticipated operational occurrences. The system is located in the auxiliary and radwaste buildings.

6.5.22.2 Design Requirements

The following design requirements for the solid waste management system support safe operation of the plant under normal conditions:

• The solid waste management system must provide sufficient temporary on-site storage for wastes prior to processing, and for the packaged wastes.

• The solid waste management system must provide adequate shielding.

6.5.22.3 Substantiation

The solid waste management system has adequate capacity to store the predicted waste arising. The solid radwaste system is designed to collect and accumulate solid wastes generated as a result of normal plant operation, including anticipated operational occurrences. The system is located in the auxiliary and radwaste buildings. Processing by encapsulation in concrete and packaging of wastes are by mobile systems in the auxiliary building rail car bay and in the mobile systems facility part of the radwaste building. The packaged waste is stored in the auxiliary and radwaste buildings until it is shipped offsite to a licensed disposal facility.

The solid waste management system is designed to meet the following objectives:

• Provide for the transfer and retention of spent radioactive ion exchange resins and deep bed filtration media from the various ion exchangers and filters in the liquid radioactive waste system, chemical and volume control system and the start-up feed system.

• Provide the means to mix, sample and transfer spent resins and filtration media to high integrity containers or liners for dewatering or solidification as required.

• Provide the means to change out, transport, sample and accumulate filter cartridges from liquid systems in a manner that minimises radiation exposure of personnel and spread of contamination.

• Provide the means to accumulate spent filters from the plant HVAC systems.

• Provide the means to segregate solid wastes (trash) by radioactivity level and to temporarily store the wastes.

• Provide the means to accumulate radioactive hazardous (mixed) wastes.

• Provide the means to segregate clean wastes originating in the radiologically controlled area.

• Provide the means to store packaged wastes for at least 6 months in the event of delay or disruption of offsite shipping.

• Provide the space and support services required for mobile processing systems that will reduce the volume of and package radioactive solid wastes for offsite shipment and disposal.

The system has sufficient temporary waste accumulation capacity based on maximum waste generation rates so that maintenance, repair or replacement of the solid radwaste system equipment does not impact power generation.

Adequate shielding is provided for the anticipated stored solid waste arising. During normal operations, the major components in the auxiliary building with potentially high radioactivity are those in the liquid radwaste, gaseous radwaste, and spent resin handling systems. Auxiliary building shielding is provided consistent with the postulated maximum combined activity of the liquid, gaseous and solid waste streams (see Section 12.3.2.2.3 of Reference 6.1). Concrete plugs are utilised to provide the necessary access for equipment maintenance and spent filter cartridge replacement. Where necessary, labyrinth entrances with provisions for adequate ingress and egress for equipment maintenance and inspection are provided and are designed to be consistent with the access and zoning requirements of adjacent areas. Shielding is provided as necessary for the waste storage areas in the radwaste building. Temporary partitions and shield walls will be provided, as required, to supplement the permanent shield walls surrounding the waste accumulation and packaged waste storage rooms inside the radwaste building.

6.5.23 Spent Fuel Pool Cooling System

6.5.23.1 Description

The spent fuel pool cooling system is designed to remove from the water in the spent fuel pool the decay heat generated by the stored fuel assemblies. This is done by pumping the high temperature water from the fuel pool through a heat exchanger and then returning the water to the pool.

The spent fuel pool cooling system consists of two mechanical trains of equipment. Each train includes one spent fuel pool pump, one spent fuel pool heat exchanger, one spent fuel pool demineraliser and one spent fuel pool filter. In addition, the spent fuel pool cooling system includes the piping, valves, and instrumentation necessary for system operation.

6.5.23.2 Design Requirements

The spent fuel pool cooling system has the following capabilities, which provide additional defence in depth during and following fault conditions:

• The spent fuel pool cooling system provides adequate cooling to remove decay heat from the spent fuel pool during normal operations.

• The spent fuel pool cooling system provides adequate cooling to remove decay heat from the spent fuel pool during refuelling operations.

• The spent fuel pool cooling system maintains the level of water in the spent fuel pool such that adequate protection is provided for the operator against radiation from the spent fuel.

• Adequate make-up must be provided to the spent fuel pool in the event of a loss of cooling.

6.5.23.3 Substantiation

The spent fuel pool cooling system provides adequate cooling to remove decay heat from the spent fuel pool during normal operations. A single mechanical train of the spent fuel pool cooling system is capable of removing the required decay heat from the spent fuel pool. After a refuelling operation has taken place, one spent fuel pool cooling system mechanical train of equipment is operating, and provides sufficient cooling to maintain the spent fuel pool temperature below 60°C (see Table 9.1-2 of Reference 6.1). The operating train is aligned to provide spent fuel pool cooling and purification. The other train is available as a standby, or to perform the other functions of the spent fuel pool cooling system such as water transfers or in-containment refuelling water storage tank purification. See Section 9.1.3.4.1 of Reference 6.1. Because only one train of the spent fuel pool cooling system is required during normal operations, the spent fuel pool cooling system is tolerant of a failure in the operating train. If a spent fuel pool cooling system pump fails when only one pump is operating, an alarm is actuated. Due to the heat capacity of the water in the spent fuel pool, sufficient time exists for the operators to manually align the standby spent fuel pool cooling system train of equipment (pump/heat exchanger) to cool the spent fuel pool (see Section 9.1.3.4.3.1 of Reference 6.1). By extension, if any part of the operating mechanical train of equipment fails during normal operation, sufficient time would be available to align the standby train.

A single mechanical train of the spent fuel pool cooling system is capable of removing the required decay heat from the spent fuel pool. The design basis refuelling event is a full core off load. Both spent fuel pool mechanical trains are required for refuelling. One train is aligned for spent fuel pool cooling and purification throughout the refuelling. In addition, one train of the normal residual heat removal system is required to provide cooling. Together the two trains remove sufficient heat to maintain the spent fuel pool temperature below 49°C (see Table 9.1-2 of Reference 6.1). The other train of the spent fuel pool cooling system performs various support functions during the refuelling, by purifying water from the in-containment refuelling water storage tank and transferring it to, and back from, the refuelling cavity in the course of refuelling. When the train is not in use in this way, it can be used in conjunction with the cooling train to provide additional heat removal. See Section 9.1.3.4.2 of Reference 6.1.

The spent fuel pool cooling system maintains the level of water in the spent fuel pool such that adequate protection is provided for the operator against radiation from the spent fuel. The minimum allowable water level is set to keep operator dose below 0.025 mSv/hr. Spent fuel removal and transfer operations are performed under borated water to provide radiation protection and maintain sub-criticality. The minimum allowable water depth above active fuel in the spent fuel pool during fuel handling is 2.67 m. This limits the dose to personnel on the spent fuel pool handling machine to less than 0.025 mSv/hr for an assembly in a vertical position. Minimum water depth above the stored assemblies is about 7.92 m, and for this depth the dose rate at the pool surface is insignificant. The concrete walls of the spent fuel pool supplement the water shielding and limit the maximum radiation dose levels in working areas to less than 0.025 mSv/hr (see Section 12.3.2.2.4 of Reference 6.1).

Mechanisms for water loss are identified and protection against this possibility is provided. Water loss can be the result of leakage or of boil-off of the pool cooling water. The connections for the drain and make-up lines are located to preclude the draining of the spent fuel pool due to a break in a line or failure of a pump to stop (see Section 9.1.2.2 of Reference 6.1). The spent fuel pool itself is a Seismic Category I structure, and is assessed to withstand a design basis earthquake. The spent fuel pool cooling system maintains the temperature of the water at 49°C, which is well below boiling temperature. The radiation shielding normally provided by the water above the fuel is not required when normal spent fuel pool cooling is not available. Personnel are not permitted in the area when the level in the pool is below the minimum level.

Adequate make-up can be provided to the spent fuel pool in the event of a loss of cooling. Alarms are provided to alert the operator to the need to supply make-up water. In the unlikely event of an extended loss of normal spent fuel pool cooling, the water level will drop. Low spent fuel pool level alarms in the control room will indicate to the operator the need to initiate makeup water to the pool. These alarms are provided from safety significant level instrumentation in the spent fuel pool.

In the unlikely event of complete loss of normal spent fuel cooling capability, adequate volumes of water are available to provide make-up sufficient to maintain the minimum spent fuel pool water levels for at least 7 days. The spent fuel pool cooling system includes connections from the passive containment cooling system water storage tank to establish make-up to the spent fuel pool following a design basis event, including a seismic event. Make-up water can also be supplied to the fuel pool from the fuel transfer canal and the cask wash down pit. If make-up water beyond these sources is required, water from the passive containment cooling system ancillary water storage tank is provided to the spent fuel pool. Section 9.1.3.4.3 of Reference 6.1 describes the activities and timescales required to provide adequate make-up under various conditions.

6.5.24 Standby Diesel Fuel Oil System

6.5.24.1 Description

The diesel generator fuel oil transfer system consists of two independent fuel storage, transfer and recirculation flow paths; that is, one path per diesel generator. Each path consists of a fuel oil storage tank, one fuel transfer pump, diesel fuel oil supply and fuel return piping, a day tank, and the associated specialty valves, fittings, and instrumentation. The supply lines from the transfer pumps to the day tanks include fuel oil heaters, filters and moisture separators. The system is protected from the effects of low temperatures by the inline electric oil heater in the transfer line.

The ancillary diesel generator fuel oil supply portion of the system consists of a single tank serving both ancillary diesel generators. The tank is located inside the annex building and is served by the annex building heating and ventilation system. The tank is insulated and provided with heaters to maintain the fuel oil above the oil cloud point. Fuel oil lines from the tank to the diesels are insulated.

6.5.24.2 Design Requirements

The system has the following capability to provide the additional defence in depth support during and following fault conditions:

• The standby diesel fuel oil system is capable of providing a supply of fuel to the standby diesel generators and to the ancillary diesel generators (see Section 6.8.4).

Page 244: Westinghouse Nuclear - TITLE: AP1000 Pre-Construction ... PDFs...1.5 Quality Assurance Process followed during the Production of the Generic Pre-Construction Safety Report 1-12 1.5.1

AP1000 Pre-Construction Safety Report

UKP-GW-GL-732 6-76 Revision 2

6.5.24.3 Substantiation

The fuel storage tanks store sufficient fuel for seven days of operation for each standby diesel generator. The fuel oil storage tanks are sized to provide sufficient capacity for seven days of operation for each standby diesel generator (see Section 9.5.4.4 of Reference 6.1). This provides time for additional fuel to be transported to the site, if required. The design of the tanks allows replenishment of fuel without interrupting the operation of the diesel generator (see Section 9.5.4.2.2.1 of Reference 6.1).

The ancillary fuel storage tank stores sufficient fuel for four days of operation of both ancillary diesel generators. The ancillary diesel generator fuel oil storage tank is sized to provide four days of operation for both the ancillary diesel generators (see Section 9.5.4.2.2.4 of Reference 6.1). The ancillary diesel generators are not required for the first three days following a loss of electrical power. Therefore, the operator has seven days to arrange for the delivery of additional fuel (see Section 9.5.4.4 of Reference 6.1). Fuel can be transferred from the storage tanks to the ancillary diesel generators. The ancillary diesel generator fuel oil storage tank is located in the same room as the ancillary diesel generators in the annex building. The tank elevation is selected to provide the necessary head for the diesels (see Section 9.5.4.2.2.4 of Reference 6.1).

6.5.25 Turbine Building Closed Cooling Water System

6.5.25.1 Description

The turbine building closed cooling water system provides chemically treated demineralised cooling water for the removal of heat from heat exchangers in the turbine building, and rejects the heat to the circulating water system. The turbine building closed cooling water system provides cooling water to the:

• Main turbine lube oil coolers.

• Main feed water pump lube oil coolers.

• Generator hydrogen coolers.

• Generator stator cooling water cooler.

• Isolated phase bus coolers.

• Moisture separator-reheater drain pump.

• Electro-hydraulic control coolers.

• Secondary sampling system coolers.

No design requirements associated with maintaining safety functions are placed on the turbine building closed cooling water system.

6.5.26 Turbine Island Vents, Drains and Relief System

6.5.26.1 Description

Air in-leakage and noncondensable gases removed from the condenser air removal system and the gland seal system are routed to the turbine island vents, drains and relief system, where they are monitored for radioactivity. The design requirements and substantiation of this radioactivity monitoring are considered under the gland sealing system (Section 6.6.7) and the condenser air extraction system (Section 6.6.6).

6.5.27 Waste Water System

6.5.27.1 Description

The waste water system collects non-radioactive waste from floor and equipment drains in auxiliary, annex, turbine, and diesel generator building sumps or tanks.

No design requirements associated with maintaining safety functions are placed on the waste water system.

6.6 Steam and Power Conversion Systems

The following systems are addressed in this section of the document:

• Feed and condensate system.

• Main steam system.

• Turbine bypass system.

• Main turbine-generator.

• Moisture separator reheaters.

• Condenser air removal system.

• Gland seal system.

• Main condenser.

• Steam generator blowdown system.

• Circulating water system.

• Auxiliary steam supply system.

• Turbine island chemical feed system.

• Condensate polishing system.

6.6.1 Feed and Condensate System

6.6.1.1 Description

This system consists of the pipes, valves, pumps, feed heaters and de-aerator supplying feed water from the main condenser to the two steam generators. It is required to do this during start-up and operation at power, to remove the heat intentionally produced by the reactor core; and also in the initial phase of shutdown operation, before the normal residual heat removal system can be connected, to remove the fission product heat from the reactor core. The feed and condensate system performs the following major functions:

• It supplies feed water to the steam generators during start-up and operation at power, and during the initial phase of shutdown operation before the normal residual heat removal system is connectable.

• It pressurises the feed water to the current steam generator pressure, and it controls automatically the flow of the water into each steam generator to the rate required to remove the heat generated by the reactor core under the prevailing conditions, without the steam generator becoming over-filled.

• During operation at power, it heats the feed water to the optimum temperature for maximising the thermodynamic cycle efficiency.

• It removes from the feed water those dissolved gases originating from air leaking into the sub-atmospheric parts of the condensate system and from gases dissolved in the condensate in the condenser hotwell.

• It extracts some of the wetness from the steam as it expands through the turbine cylinders by selectively bleeding relatively wet steam for its feed heaters, thereby improving thermodynamic cycle efficiency and minimising turbine blade erosion.

Condensate is pumped out of the main condenser hotwell, which is at sub-atmospheric pressure, by the condensate pumps. The water passes through the low-pressure feedwater heaters, which heat it using steam bled from the low-pressure turbine cylinders; the largest and last low-pressure heater is incorporated into the de-aerator tank, which also removes dissolved air from the feed water and, by virtue of its substantial volume, acts as a reservoir of feed water equivalent to several minutes supply at full delivery flow.

The feedwater pumps pressurise the water up to the high pressure required by modern steam turbines. Each main feedwater pump is preceded by a booster pump, which pressurises the inlet of the main feed pump and thereby prevents it from cavitating. The booster pumps draw their suction from the de-aerator tank. The high-pressure feed flowing out of the main feed pumps passes through the high-pressure feed heaters, which heat it further using steam bled from the high-pressure turbine cylinder. The start-up feedwater pumps are much smaller and do not require booster pumps. They draw their suction from the condensate storage tank and supply the steam generators directly, with no feed heating at all. A cavitating venturi is installed at the discharge of each start-up feed water pump, because the potential exists for excessive reactor coolant system cool down or steam generator overfill if the flow from the start-up feed water pumps were to rise too high; the venturi flow elements provide a passive means of limiting the maximum achievable flow.

Main feedwater is supplied to each of the two steam generators through its own main feedwater line. Each of the two lines is anchored at the interface between the auxiliary building and the turbine building, and has sufficient flexibility to provide for relative movement of its associated steam generator resulting from thermal expansion. Each main feed line contains a control valve, a non-return valve and an isolation valve. These valves are installed in the line before it enters the containment. The main feed lines are a closed system inside the reactor containment, and so they do not require any further valves in the line inside the containment. This is because any radioactivity within the containment atmosphere has no way of passing into a closed system.

The principal purpose of each main feed control valve is to maintain the level of water in its associated steam generator at a programmed level; its secondary purpose is to provide a back-up isolation capability. These pneumatically actuated valves are normally under automatic control, but can be switched to manual.

An isolation valve is installed downstream of each feedwater control valve. Its main purposes are to stop hot pressurised feed water leaking into the containment in the event of a main feed line break inside the containment, and to isolate the steam generators in the event of a steam generator tube rupture; closure of the isolation valve uses compressed nitrogen as its energy source.

Each main feedwater line also includes a check valve. During normal and abnormal conditions, this check valve prevents reverse flow from the steam generator should the feedwater pumps be tripped. In addition, the valves stop the uncontrolled blowdown from the steam generators in the event of a feed line break outside the containment, and they stop more than one steam generator from blowing down in the event of feed line break inside the containment.

There are two start-up feedwater lines, with the same disposition of valves as the two main feedwater lines. Each of these lines supplies its own steam generator through an injection nozzle at the same elevation as the main feedwater nozzle but rotated circumferentially away from the main feedwater nozzle. During start up, feed is supplied through the start-up feed water control valves until the capacity limit of the start-up pumps is approached, at which point control is automatically transferred from the start-up feed water control valves to the main feedwater control valves, and the start-up feed isolation valves are then closed.

There is a connection from the main feed system to the start-up feed system, at the feed pump outlet headers for each system. The connection has an isolation valve and a non-return valve, allowing the main feed pumps to supply the steam generators should the start-up feed pumps not be available. On reactor trip, this line is automatically aligned so as to ensure supply to the steam generators through the start-up feed lines only.

6.6.1.2 Design Requirements

The following design requirement for the feed and condensate system supports safe operation of the plant under normal conditions:

• The main and the start-up feed lines must be able to withstand the pressure and temperature of the feed water flowing through them, with a low likelihood of failing.

The following design requirements for the feed and condensate system support safe shutdown during faulted conditions:

• The two feed water control valves and the two feed water isolation valves must close automatically on reactor trip, and the main feed pumps must be automatically aligned with the start-up feed lines, to ensure more precise steam generator level control under low feed flow conditions.

• The two start-up feed water control valves and the two start-up feed water isolation valves must close automatically in response to potential over-cooling of the reactor coolant system or potential over-filling of a steam generator.

The system has the following capability to provide the additional defence in depth support during and following fault conditions:

• The start-up feed water pumps start automatically on loss of the main feed water to the steam generators.

• A single start-up feed water pump is capable of delivering sufficient flow to both steam generators in the period following a reactor trip from full power to remove the fission product heat and preclude the need for actuation of the passive core cooling system.

• The maximum flow rate capability of the two start-up feed water pumps is physically limited, so as to avoid any possibility of overcooling the reactor coolant system or of overfilling the steam generators or of inputting excessive steam into the containment following a main steam line break.

• The volume of feedwater available to the start-up feed water pumps from the condensate storage tank is sufficient for 8 hours of operation.

• The start-up feed water pumps deliver feed water to the steam generators using a completely diverse route from that of the main feed system.

• Each start-up feed water pump and its associated motor operated isolation valve must be able to receive power from one of the two onsite standby diesels in the event of loss of the normal ac power supply, with the other pump supplied from the other diesel.

6.6.1.3 Substantiation

Failure of a main feed line or a start-up feed line is an initiating event within the fault schedule. Such failure could also result in consequential damage to nearby SSCs, through pipe whip, explosion, flooding, water spray or missiles. The integrity of the main feed lines and the start-up feed lines is assured by the material selection process and by their design and build integrity. These are discussed in Sections 10.3.6.2 and 10.4.9.1.1 of Reference 6.1.

The two start-up feed water control valves and the two start-up feed water isolation valves close automatically in response to the protection and monitoring system detecting potential over-cooling of the reactor coolant system (a low Tcold signal) or potential over-filling of a steam generator (Section 10.4.9.2.2 of Reference 6.1).

A main feed water isolation signal would occur if the protection and safety monitoring system detects high steam generator level, or low reactor coolant temperature coincident with a reactor trip, to protect against over-filling a steam generator or over-cooling the reactor coolant system respectively (Section 7.2.1.1.6 of Reference 6.1). Exactly the same response is required to an “S” signal (Section 7.3.1.2.6 of Reference 6.1). A main feed water isolation signal results in the following actions:

• Both the main feed water pumps trip immediately.

• The two feed water control valves and the two feed water isolation valves automatically close.

• The isolation valve in the connection line between the main feed system and the start-up feed system closes automatically and immediately, if open.

In the event of loss of the main feed water system, the start-up feed water pumps start automatically, initiated by low steam generator level, and supply feed water to the steam generators (Section 10.4.9.2.3.4 of Reference 6.1).
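The feedwater signal logic described above (main feedwater isolation on high steam generator level, on low reactor coolant temperature coincident with a reactor trip, or on an “S” signal; start-up feedwater isolation on low Tcold or high steam generator level; start-up pump auto-start on low steam generator level after loss of main feed) can be written down as a single decision function and exercised against constructed plant states. The following Python model is an added example and is not Westinghouse or AP1000 code; the input names, the `PlantState` and `FeedwaterActions` types, and the treatment of "low reactor coolant temperature" and "low Tcold" as one input are modelling assumptions.

```python
"""Model of the feedwater isolation / start-up feedwater logic described in the text.

Added example, not plant code. It is a pure function over a snapshot of PMS
bistable outputs, so the coincidence condition (low temperature AND reactor
trip) and the separate, unconditional triggers can be checked case by case.
"""
from dataclasses import dataclass, field
from typing import List


@dataclass(frozen=True)
class PlantState:
    # Assumed boolean inputs, one per condition named in the text.
    reactor_trip: bool = False
    s_signal: bool = False                 # safeguards ("S") actuation signal
    high_sg_level: bool = False            # high level in either steam generator
    low_rcs_temperature: bool = False      # low RCS temperature / low Tcold (assumed one input)
    low_sg_level: bool = False             # low level in either steam generator
    main_feedwater_lost: bool = False      # main feedwater supply to the SGs lost
    connection_line_valve_open: bool = True  # main-feed to start-up-feed connection isolation valve


@dataclass
class FeedwaterActions:
    main_feedwater_isolation: bool = False
    trip_main_feed_pumps: bool = False
    close_main_feed_control_and_isolation_valves: bool = False
    close_connection_line_valve: bool = False
    align_main_feed_pumps_to_startup_lines: bool = False
    start_startup_feed_pumps: bool = False
    close_startup_feed_control_and_isolation_valves: bool = False
    reasons: List[str] = field(default_factory=list)


def main_feedwater_isolation_triggers(s: PlantState) -> List[str]:
    """Return the triggers that demand main feedwater isolation.

    Low RCS temperature alone does not isolate main feed; it must coincide
    with a reactor trip. High SG level and the S signal are unconditional.
    """
    reasons = []
    if s.high_sg_level:
        reasons.append("high steam generator level")
    if s.low_rcs_temperature and s.reactor_trip:
        reasons.append("low RCS temperature coincident with reactor trip")
    if s.s_signal:
        reasons.append("S signal")
    return reasons


def evaluate(s: PlantState) -> FeedwaterActions:
    """Map one plant-state snapshot to the automatic actions the text lists."""
    a = FeedwaterActions()
    a.reasons = main_feedwater_isolation_triggers(s)
    if a.reasons:
        # Main feedwater isolation: trip both main feed pumps, close the two
        # control and two isolation valves, close the connection line valve if open.
        a.main_feedwater_isolation = True
        a.trip_main_feed_pumps = True
        a.close_main_feed_control_and_isolation_valves = True
        a.close_connection_line_valve = s.connection_line_valve_open
    if s.reactor_trip:
        # On reactor trip the main feed control/isolation valves close and the
        # main feed pumps are aligned to the start-up feed lines.
        a.close_main_feed_control_and_isolation_valves = True
        a.align_main_feed_pumps_to_startup_lines = True
    if s.main_feedwater_lost and s.low_sg_level:
        # Start-up feed pumps auto-start on low SG level after loss of main feed.
        a.start_startup_feed_pumps = True
    if s.low_rcs_temperature or s.high_sg_level:
        # Start-up feed control and isolation valves close on potential
        # over-cooling (low Tcold) or potential SG over-filling.
        a.close_startup_feed_control_and_isolation_valves = True
    return a


if __name__ == "__main__":
    # Constructed scenarios; compare the coincident and non-coincident cases.
    for label, state in [
        ("low temperature, no trip", PlantState(low_rcs_temperature=True)),
        ("low temperature + trip", PlantState(low_rcs_temperature=True, reactor_trip=True)),
        ("loss of main feed, low SG level", PlantState(main_feedwater_lost=True, low_sg_level=True)),
    ]:
        print(label, "->", evaluate(state))
```

The point the model makes explicit is the coincidence requirement: a low coolant temperature signal on its own closes the start-up feed valves but does not isolate main feedwater, whereas the same signal together with a reactor trip trips the main feed pumps and closes every main feed valve, including the connection-line valve if it happens to be open.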

A single start-up feed water pump is capable of delivering sufficient flow to both steam generators in the period following a reactor trip from full power to remove the fission product heat and preclude the need for actuation of the passive core cooling system (Section 10.4.9.1.2 of Reference 6.1).

The maximum flow rate capability of the two start-up feed water pumps is physically limited, so as to avoid any possibility of overcooling the reactor coolant system or of overfilling the steam generators or of inputting excessive steam into the containment following a main steam line break (Section 10.4.9.2.1 of Reference 6.1).

A sufficient volume of feedwater is available to the start-up feed water pumps from the condensate storage tank for 8 hours of operation at hot standby conditions (Section 10.4.9.1.2 of Reference 6.1).

The start-up feed water pumps deliver feed water to the steam generators using a route diverse from that of the main feed system. It is possible to isolate this supply from a single steam generator by manually closing an isolation valve in the event of a tube rupture or main steam line break affecting the said steam generator (Section 10.4.9.1.2 of Reference 6.1).

Each start-up feed water pump and its associated motor operated isolation valve is supplied from one of the two onsite standby diesels in the event of loss of the normal ac power supply, with the other pump supplied from the other diesel; the power demand is within the capability of the diesel (Section 10.4.9.1.2 of Reference 6.1).

The two feed water control valves and the two feed water isolation valves close automatically on reactor trip, and the main feed pumps are automatically aligned with the start-up feed lines. This is done to ensure more precise steam generator level control under low feed flow conditions (Section 10.4.9.2.3.3 of Reference 6.1).

6.6.2 Main Steam System

6.6.2.1 Description

This system consists of the pipes and valves that take the steam from each steam generator to the stop valves of the high-pressure turbine. It diverts a proportion of the steam to the moisture-separator reheater (Section 6.6.5) and a small amount of steam to seal the low-pressure turbine glands (Section 6.6.7). There is also a turbine bypass connection, which allows the steam to be dumped directly into the main condenser (Section 6.6.8) without passing through the turbine.

The main steam system is required during start-up and operation at power, to remove the heat intentionally produced by the reactor core; and also in the initial phase of shutdown operation before the normal residual heat removal system can be connected, to remove the fission product heat from the reactor core. The heat sinks are provided either by venting steam to atmosphere or by the turbine bypass system dumping steam to the condenser.

Each main steam line goes from its steam generator and passes through the containment boundary. The first valve encountered in each line is the main steam isolation valve, which is outside the containment boundary; each isolation valve has a bypass valve in parallel with it. Beyond the main steam isolation valve in each of the two steam lines are the six steam safety valves; every one of these safety valves vents to atmosphere through a discharge pipe and vent stack. Downstream of the safety valves is the power-operated atmospheric relief valve, which vents to atmosphere through a vent pipe and silencer. The operation of the power-operated relief valves is automatically controlled by steam line pressure during plant operations: the power-operated relief valves automatically modulate open and exhaust to atmosphere whenever the steam line pressure exceeds a predetermined set point; as steam line pressure decreases, the relief valves modulate closed. Each main steam line is anchored at the point where it passes through the wall between the auxiliary building and the turbine building; the section of it from the steam generator to the anchor has sufficient flexibility to accommodate thermal expansion. Beyond this wall the two main steam lines are cross-connected into a common header, which itself subsequently branches into four lines to the turbine stop valves; the connections to the two moisture-separator reheaters, the gland sealing system and the turbine bypass are also in this common header.

6.6.2.2 Design Requirements

The following design requirements for the main steam system support safe operation of the plant under normal conditions:

• The main steam lines must be able to withstand the pressure and temperature of the steam flowing through them, with a low likelihood of failing.

• The radiation monitor on each main steam line must sound an alarm in the main control room on detection of high radiation level in the steam.

The following design requirements for the main steam system support safe shutdown during faulted conditions:

• The main steam isolation valve and the associated bypass valve on each main steam line must both close automatically on receipt of an “S-signal”.

• The safety valves on the main steam lines must have sufficient capacity to exhaust the steam produced during any Design Basis initiating event without the pressure rising unacceptably.

The system has the following capability to provide the additional defence in depth support during and following fault conditions:

• The power-operated atmospheric relief valves on the main steam lines have sufficient capacity to dump to atmosphere the steam arising during any Design Basis initiating event, for cooling down the steam generators and the reactor coolant system when the main condenser is unavailable.

6.6.2.3 Substantiation

Failure of a main steam line is an initiating event within the fault schedule. Such failure could also result in consequential damage to nearby SSCs, through pipe whip, explosion or missiles. The main steam lines between the steam generator and the containment penetration are designed to leak-before-break. The portion of the main steam lines between the containment penetration and the pipe anchor downstream of the isolation valves, safety valves and relief valves is part of the break exclusion zone (Section 3.6 of Reference 6.1). The integrity of the main steam lines is assured by the material selection process and by their design and build integrity. These are discussed in Section 10.3.6.2 of Reference 6.1.

The main steam isolation valve and the associated bypass valve on each main steam line both close automatically to isolate the secondary side of each of the steam generators and thereby prevent the uncontrolled blowdown of more than one steam generator on receipt of an “S-signal” from one of the following triggers (Section 7.3.1.2.10 of Reference 6.1):

• High containment pressure.

• Low steam line pressure.

• High rate of reduction in steam line pressure.

• Low cold leg temperature.

The safety valves provide overpressure protection of the steam generator secondary side and the main steam piping during normal operation and fault conditions. Their capacity is sufficient to exhaust the steam produced during any Design Basis initiating event before the pressure rise threatens the integrity of the steam generator or the main steam lines (Section 10.3.2.2.2 of Reference 6.1). They also provide defence in depth safety by cooling down the steam generators and the reactor coolant system in conjunction with the power-operated atmospheric relief valves when the condenser is not available.

An alarm sounds in the main control room on detection of a high radiation level by the main steam line radiation monitor (Section 10.3.3 of Reference 6.1), to alert the operators of the need to take the appropriate remedial action, such as isolating the affected steam generator.

The power-operated atmospheric relief valves provide defence in depth by cooling down the steam generators and the reactor coolant system when the condenser is unavailable. The valves are sized such that the maximum flow at design pressure would result in a reactor transient that the analysis shows to be acceptable if one valve should inadvertently open and remain open (Section 10.3.2.2.3 of Reference 6.1).

6.6.3 Turbine Bypass System

6.6.3.1 Description

The turbine bypass pipe work and valves provide the capability to dissipate heat directly to the condenser during plant start-up, and during the cool down of the reactor coolant system up to the point where the normal residual heat removal system can be placed in service (Section 10.4.4 of Reference 6.1). They also reduce the challenges to the main steam power-operated relief valves, the main steam safety valves, the steam generator level control and the pressuriser safety valves following a reactor trip, rapid load reductions during normal operation and turbine trips without a reactor trip.

For small power reductions (less than a 10% change in load), the turbine bypass system is not actuated. Instead, it is accommodated by the reactor power control, the pressuriser level control, the pressuriser pressure control and the steam generator level control systems.

For medium load rejections (greater than 10% but less than 50%, or a turbine trip from 50% power or less), the turbine bypass system operates in conjunction with the same control systems used for the small power reductions.

For large load rejections (greater than 50% power), the turbine bypass system operates in conjunction not only with the previously mentioned control systems but also with the rapid power reduction system (Section 7.7.1.10 of Reference 6.1), which is designed to rapidly reduce the reactor power to a value that can be handled by the turbine bypass system. Upon the detection of a large and rapid turbine power reduction, a preselected number of control rods are dropped into the reactor core, causing the reactor power to reduce to approximately 50%.

6.6.3.2 Design Requirements

The following design requirements for the turbine bypass system support safe operation of the plant under normal conditions:

• The turbine bypass pipe work and valves must be able to withstand the pressure and temperature of the steam flowing through them, with a low likelihood of failing.

The system has the following capability to provide the additional defence in depth support during and following fault conditions:

• The turbine bypass pipe work and valves connected to the main steam lines must have sufficient capacity to dump to the main condenser the steam arising during any Design Basis initiating event, for cooling down the steam generators and the reactor coolant system when the main condenser is available.

6.6.3.3 Substantiation

If the bypass valves should fail open, additional heat load would be placed on the condenser. This load might be enough to cause the turbine to trip on high condenser pressure, in which case the ultimate overpressure protection for the condenser would be provided by rupture discs (Section 10.4.4.3 of Reference 6.1). The pipe whip or other mechanical disruption resulting from the failure of a turbine bypass high-energy line would not disable the turbine speed control system, and even if it did the turbine speed control system is designed in such a manner that its failure would cause a turbine trip (Section 10.4.4.4 of Reference 6.1).

The turbine bypass pipe work and valves provide defence in depth by cooling down the steam generators and the reactor coolant system when the main condenser is available. The maximum capacity is restricted to a dump steam flow rate (nominally 40 percent of the full plant load steam flow) that neither damages the condenser tubes nor over-pressurises the main condenser. In the event of high condenser pressure or trip of the circulating water pumps, the control system prohibits the turbine bypass valves from opening (Section 10.4.4.2.2 of Reference 6.1). The turbine bypass system total flow capacity, in combination with the bypass valve response time, the reactor coolant system design and the reactor control system response, is sufficient to reduce challenges to the main steam power-operated relief valves, the main steam safety valves and the pressuriser safety valves during reactor trips from full power, and during full load rejection or turbine trip from full power without reactor trip (Section 10.4.4.1.2 of Reference 6.1).

6.6.4 Main Turbine-Generator

6.6.4.1 Description

The main turbine receives steam from the steam generators, extracts useful energy from the steam by expanding it, and then exhausts it into the main condenser. It consists of a single double-flow high-pressure turbine cylinder and three double-flow low-pressure turbine cylinders. There is a moisture separator-reheater between the high-pressure cylinder and the low-pressure cylinders (Section 6.6.5). Some steam is bled off at various points during the expansion of the steam as it passes down the turbine; this is principally used for heating the feed water and reheating the steam, but the bleeding also selectively extracts some of the wetness from the steam, and each of these processes enhances the cycle thermodynamic efficiency. There are a number of auxiliary systems associated with the main turbine: the bearing lubrication oil system, a digital electro-hydraulic control system, a turbine gland steam sealing system (Section 6.6.7), over-speed protective devices and barring gear.

The main generator is on the same shaft as the turbine. It is rated at 1375 MVA at 0.90 power factor. Its stator is cooled by de-ionised water; its rotor by hydrogen gas. The magnetisation current for the rotor comes from the rectified output of an excitation transformer, which itself is fed from the main generator; the magnetisation current is controlled through a voltage regulator. There are a number of auxiliary systems associated with the main generator: the same bearing lubrication oil system as the main turbine, the stator cooling water system, the hydrogen and seal oil system, and a carbon dioxide system for the purging of hydrogen and air during lay-up or plant outages.

The flow of main steam entering the high-pressure turbine is controlled by four control valves. The turbine control valves are adjusted automatically by electrohydraulic servo actuators. These actuators control the turbine speed when it is starting up, and for load control after the turbine-generator unit is synchronised. In series with each control valve is a stop valve, whose function is to shut off and isolate the steam flow to the turbine when required.

The intercept valves control steam flow to the low-pressure turbine cylinders. There are six of them, located in the hot reheat lines at the inlet to the low-pressure turbine cylinders. During normal operation of the turbine, automatic action progressively adjusts the intercept valve opening as turbine load changes. There is a reheat stop valve in series with each intercept valve. The reheat stop and intercept valves all close completely on a turbine trip.

6.6.4.2 Design Requirements

The following design requirement for the main turbine supports safe operation of the plant under normal conditions:

• Automatic protection must be available on the main turbine to detect any over speed situation and then rapidly close the main valves and intercept valves.

6.6.4.3 Substantiation

Turbine over speed could result in a major turbine failure that produces missiles; these would pose an internal hazards threat (see AP1000 Internal Hazards Topic Report, Reference 6.3). The turbine stop valves and the reheat stop valves are all closed by actuation of the overspeed trip system, which is completely independent of the turbine control system (Sections 10.2.2.4.3 and 10.2.2.5.1 of Reference 6.1). The probability of a destructive overspeed condition and missile generation, assuming the recommended inspection and test frequencies, is less than 1×10⁻⁵ per year. In addition, the orientation of the turbine-generator is such that a high-energy missile would be directed away from the nuclear island (Section 10.2.2 of Reference 6.1).

6.6.5 Moisture Separator Reheaters

6.6.5.1 Description

After expanding through the high-pressure turbine, the exhaust steam is wet and at saturation temperature. It is routed through two external moisture separator-reheater vessels where it is dried and superheated. The external moisture separators reduce the moisture content of the high-pressure exhaust steam from approximately 10 to 13 percent at the rated load to 0.5 percent or less. They use multiple vane chevron banks for the moisture removal. The moisture removed drains to a moisture-separator drain tank, from where it is pumped to the deaerator, which is at a similar pressure to the steam entering the low-pressure turbine.


The dried steam is then reheated in a two-stage reheater to superheated conditions: the first stage reheat uses the steam bled from part way down the high pressure turbine, while the second stage reheat uses a portion of the much hotter main steam supply from the steam generators. Each stage of the reheater is a shell and tube heat exchanger; the pressure on the tube side being much higher than on the shell side. Condensed steam in the reheater (tube side) is drained to the reheater drain tank, from where it flows into the shell side of the No. 7 feedwater heater, and then cascades to the No. 6 feedwater heater.

The dried and superheated steam from the reheater flows to the inlets of the three low-pressure turbines through six reheat steam lines, each with a separate stop and intercept valve (Section 6.6.4.2).

The moisture separator-reheaters are required to take the wet steam emerging from the high pressure turbine exhaust, dry it and then superheat it. This enables the low pressure turbine cylinders to achieve a much higher thermodynamic efficiency in their expansion of the steam, at the same time experiencing much lower rates of blade erosion from the water droplets that would otherwise be present. The heat remaining in the bled steam after its passage through the reheater is used for feed heating, further enhancing the overall thermodynamic efficiency.

6.6.5.2 Design Requirements

There are no design requirements on this system associated with maintaining safety functions.

6.6.6 Condenser Air Removal System

6.6.6.1 Description

The condenser air removal system removes noncondensable gases (mainly nitrogen, oxygen and ammonia) from the main condenser during plant startup, cooldown and normal operation. Without this, the condenser tubes would become blanketed by these gases, and thereby lose their effectiveness in condensing the steam. The air removal system consists of four liquid ring vacuum pumps: one vacuum pump is provided for each of the three condenser shells, and one pump is provided as a standby. The noncondensable gases, together with some steam, are drawn through the air cooler sections of the condenser shells to the suction of the vacuum pumps, which exhaust them to the atmosphere through the turbine island vents, drains and relief system.

Failure of the condenser air removal system for one of the main condenser shells would result in a gradually increasing back pressure in that particular condenser shell. Eventually, if not resolved by the operators, this would result in a turbine trip (Section 10.4.2.2.1 of Reference 6.1).

The mixture of noncondensable gases and steam is not normally radioactive; however, it is possible for the mixture to become contaminated in the event of primary-to-secondary system leakage.

6.6.6.2 Design Requirements

The following design requirement for the condenser air removal system supports safe operation of the plant under normal conditions:

• The turbine island vent discharge radiation monitor must measure the concentration of radioactive gases in the steam and noncondensable gases discharged by the condenser vacuum pumps and the gland seal steam condenser (Section 11.5.2.3.3 of Reference 6.1), in order to provide early indication of leakage from the primary to the secondary side of the steam generators. The monitor must trigger an alarm in the main control room should concentrations exceed a predetermined set point.

6.6.6.3 Substantiation

The turbine island vent discharge radiation monitor alarm is part of the defence in depth claimed for the steam generator tube rupture fault. It would reliably detect the radiation released into the secondary system as a result of such a fault and then immediately alert the operators in the main control room. Without it, recognition by the operators that such an event has occurred would be in jeopardy, with the required remedial actions delayed as a consequence. The turbine island vent discharge radiation monitor measures the concentration of radioactive gases in the steam and non-condensable gases that are discharged by the condenser vacuum pumps and the gland seal steam condenser. This measurement provides early indication of leakage between the primary and secondary sides of the steam generators. The monitor provides an alarm in the main control room if concentrations exceed a predetermined set point (Section 11.5.2.3.3 of Reference 6.1). Should abnormal levels of radiation be detected, operating procedures require that the appropriate remedial action be taken.

6.6.7 Gland Seal System

6.6.7.1 Description

The annular space between the turbine shaft and the turbine casing is sealed by glands, which minimise the leakage out of those turbine cylinders that are above atmospheric pressure, or minimise the leakage into those turbine cylinders that are below atmospheric pressure: for the former, the sealing steam is the actual leakage steam through the gland; for the latter, the sealing steam is supplied from the main steam system or, during start-up of the turbine, from the auxiliary steam system. At the outside ends of the glands, the leaking steam is collected in piping held just below atmospheric pressure, and then routed to the gland seal condenser. Unavoidably, there is air leakage as well into the collection pipe work, because of the small gap between it and the rotating turbine shaft.

The gland seal condenser is a shell and tube type heat exchanger in which the steam-air mixture from the turbine seals is discharged into the shell side; condensate from the main condenser flows through the tube side as the cooling medium. The gland seal condenser internal pressure is maintained at a slight vacuum by motor-operated blowers. Condensate from the steam-air mixture drains to the main condenser, and the noncondensable gas (mostly air) is exhausted to the atmosphere through the turbine island vents, drains and relief system, via a common discharge line shared with the vapour extractor blowers.

The main condenser is an essential component of the defence in depth capability identified within the fault schedule for cooling down the steam generators and the reactor coolant system during several Design Basis initiating events. Failure of the gland seal system during such fault transients would rapidly result in the main condenser becoming unavailable. A reliable gland seal system is thus desirable but not essential, because defence in depth capability is not claimed by the safety case.

The mixture of noncondensable gases discharged from the gland seal condenser blower is not normally radioactive; however, it is possible for the mixture to become contaminated in the event of primary-to-secondary system leakage.


6.6.7.2 Design Requirements

The following design requirement for the gland seal system supports safe operation of the plant under normal conditions:

• The turbine island vent discharge radiation monitor must measure the concentration of radioactive gases in the steam and noncondensable gases discharged by the condenser vacuum pumps and the gland seal steam condenser (Section 11.5.2.3.3 of Reference 6.1), thereby providing early indication of leakage from the primary to the secondary side of the steam generators. The monitor must trigger an alarm in the main control room should concentrations exceed a predetermined set point.

6.6.7.3 Substantiation

The turbine island vent discharge radiation monitor alarm is part of the defence in depth claimed for the steam generator tube rupture fault. It reliably detects the radiation released into the secondary system as a result of such a fault and then immediately alerts the operators in the main control room. Without it, recognition by the operators that such an event has occurred would be in jeopardy, with the required remedial actions delayed as a consequence. The monitor provides an alarm in the main control room if concentrations exceed a predetermined set point (Section 11.5.2.3.3 of Reference 6.1). Should abnormal levels of radiation be detected, operating procedures require that the appropriate remedial action be taken.

6.6.8 Main Condenser

6.6.8.1 Description

The main condenser provides the heat sink for the steam cycle, receiving and condensing exhaust steam from the main turbine or the turbine bypass system. It consists of three heat exchanger shells, each located beneath its respective low-pressure turbine. The cooling water makes a single pass through the condenser, through each shell in turn; consequently, the condenser shells operate at slightly different pressures and temperatures. The condenser is equipped with titanium or stainless steel tubes, because of the corrosion and erosion resisting properties of these materials. Full details of the operation of the main condenser are provided in Section 10.4.1.2.1 of Reference 6.1.

The main condenser is designed to receive and condense the full-load main steamflow exhausted from the main turbine. It also receives discharges from auxiliary systems such as the feed water heater vents and drains and the gland sealing steam spillover and drains. To protect the condenser shells and turbine exhaust hoods from overpressurisation, steam relief blowout diaphragms are provided in the low-pressure turbine exhaust hoods. Two low-pressure feedwater heaters are located in the neck area of each condenser shell, adjacent to where their steam is bled from the low-pressure turbine.

Condensate from the hotwell of the lowest pressure (coldest) condenser shell drains through internal piping to the hotwell of the intermediate pressure shell, where it mixes with the condensate there, and the combined flow then drains through internal piping to the hotwell of the highest pressure (hottest) shell. Condensate then flows through a single outlet to the suction of the condensate extraction pumps and into the feed and condensate system (Section 6.6.1).

The hotwells have a condensate storage capacity of three minutes of feed flow at the maximum power flow rate. The hotwell level controller provides automatic make-up or extraction of condensate to maintain a normal level in the condenser hotwells. On low level, the make-up control valves open and admit condensate by vacuum draw to the hotwell from the condensate storage tank. On high water level, the condensate reject control valves open to divert water from the condensate extraction pump discharge to the condensate storage tank. This extraction stops automatically when the hotwell level falls within the normal operating range. Extraction from the hotwell to the storage tank can be manually overridden upon indication of high hotwell conductivity, to prevent transfer of contaminants into the condensate storage tank in the event of a condenser tube failure.
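The hotwell make-up, reject and conductivity-override behaviour described above can be modelled as a small controller. The following is an added illustration written for this edition; it is not Westinghouse code or any AP1000 control logic. The level band, the conductivity limit, the per-scan flow figures and the tube-leak scenario are all constructed assumptions (the report gives no values). The simulation shows what the override protects against: without it, contaminated condensate is rejected into the condensate storage tank once the leak has raised the hotwell level.

```python
"""Model of the main condenser hotwell level control (constructed illustration, not
Westinghouse code). All numeric values below are assumptions for the model."""
from dataclasses import dataclass, field
from typing import List

LOW_LEVEL_PCT = 40.0        # make-up valves open below this level (assumed)
HIGH_LEVEL_PCT = 60.0       # reject valves open above this level (assumed)
HIGH_CONDUCTIVITY = 1.0     # uS/cm; operators block reject above this (assumed)
MAKEUP_RATE_PCT = 2.0       # level rise per scan while make-up is open (assumed)
REJECT_RATE_PCT = 2.0       # level fall per scan while reject is open (assumed)


@dataclass
class ValveDemand:
    makeup_open: bool
    reject_open: bool


def level_control(level_pct: float, conductivity: float, manual_reject_block: bool) -> ValveDemand:
    """Valve demands for one controller scan.

    Low level opens make-up (condensate storage tank -> hotwell); high level opens
    reject (extraction pump discharge -> storage tank). Both stop once the level is
    back inside the normal band. The operator's manual block stops reject when the
    hotwell conductivity is high, so contaminants do not reach the storage tank.
    """
    makeup = level_pct < LOW_LEVEL_PCT
    reject = level_pct > HIGH_LEVEL_PCT
    if reject and manual_reject_block and conductivity > HIGH_CONDUCTIVITY:
        reject = False  # override: keep contaminated condensate out of the storage tank
    return ValveDemand(makeup, reject)


@dataclass
class RunResult:
    final_level_pct: float
    contaminated_scans_rejected: int   # scans in which contaminated water went to storage
    trace: List[str] = field(default_factory=list)


def simulate_tube_leak(operator_blocks_reject: bool, scans: int = 30) -> RunResult:
    """Constructed scenario: a condenser tube leak adds sea water every scan, raising
    both the hotwell level (+1 %/scan) and its conductivity (+0.1 uS/cm per scan)."""
    level, conductivity, contaminated, trace = 50.0, 0.2, 0, []
    for i in range(scans):
        level += 1.0
        conductivity = min(conductivity + 0.1, 5.0)
        demand = level_control(level, conductivity, operator_blocks_reject)
        if demand.makeup_open:
            level += MAKEUP_RATE_PCT
        if demand.reject_open:
            level -= REJECT_RATE_PCT
            if conductivity > HIGH_CONDUCTIVITY:
                contaminated += 1
        trace.append(f"scan {i:02d} level={level:.1f}% cond={conductivity:.1f} "
                     f"makeup={demand.makeup_open} reject={demand.reject_open}")
    return RunResult(level, contaminated, trace)


if __name__ == "__main__":
    for blocked in (False, True):
        result = simulate_tube_leak(blocked)
        print(f"operator block={blocked}: final level {result.final_level_pct:.1f}%, "
              f"contaminated rejects {result.contaminated_scans_rejected}")
```

In the constructed scenario the unblocked controller rejects contaminated condensate on every second scan once the level exceeds the high limit, whereas with the block applied the storage tank stays clean and the level keeps rising, which is the condition the operators are then expected to deal with directly.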

Air inleakage and noncondensable gases contained in the turbine exhaust steam naturally accumulate in the condenser and must be removed. This is achieved by the condenser air removal system (Section 6.6.6).

A condenser tube cleaning system performs mechanical cleaning of the circulating water side of the tubes. This cleaning, along with chemical treatment of the circulating water, reduces fouling and helps to maintain the thermal performance of the condenser.

6.6.8.2 Design Requirements

The following design requirement for the main condenser supports defence in depth capability of the plant under faulted conditions:

• The main condenser provides heat transfer duty should one of the relevant Design Basis initiating events occur.

6.6.8.3 Substantiation of the Main Condenser

The main condenser is an essential component of the defence in depth capability identified within the Fault Schedule (Reference 6.13) for cooling down the steam generators and the reactor coolant system during several Design Basis initiating events.

6.6.9 Steam Generator Blowdown System

6.6.9.1 Description

The principal purpose of the steam generator blowdown system is to remove impurities from the feed water within the steam generator, which would otherwise rise in concentration as pure water and other volatiles boil off. This is particularly necessary during the anticipated operational occurrences of in-leakage of sea water into the main condenser and steam generator tube rupture, both of which would add contaminants. The steam generator blowdown system continuously extracts a small proportion of the water from each steam generator, at a rate of approximately one-thousandth that of the feed flow rate. This blowdown flow is cooled and depressurised before being chemically processed to remove the impurities. It finishes the process by being put back into the condensate, from whence it returns to the steam generators.

The steam generator blowdown system also includes a recirculation-drain pump for use during operating modes when the steam generator pressure is low. This pump enables the steam generator blowdown system to fulfil the following additional functions:

• Cooling down the steam generator for inspection and maintenance purposes.

• Establishing and maintaining steam generator wet lay-up conditions during plant outages.

• Draining the secondary side of the steam generators for maintenance.

• Steam generator tube flushing.

Full details of how the system is operated for its various duties are given in Section 10.4.8.2.2 of Reference 6.1.

The system consists of two blowdown trains, one for each steam generator. The blowdown water is extracted just above the tube sheet of a steam generator. Flow control valves adjust the blowdown flow rate from each steam generator and depressurise it. The blowdown flow is cooled by means of a regenerative heat exchanger, which uses the heat to warm the condensate. It then enters an ion-exchange purification unit, which removes impurities. Downstream of the purification unit, both trains combine into a common header, which contains a relief valve for providing overpressure protection for the low-pressure portion of the system.

It is necessary to protect the low-pressure portion of the blowdown system from the high pressure and temperature it could be exposed to should the pressure reduction or the cooling of the blowdown flow not be achieved. Each of the two blowdown lines has two isolation valves in series, which are located in the auxiliary building. The valves fail closed on loss of air or power. The steam generator blowdown lines are a closed system inside the reactor containment, and so they do not require any further valves in the line inside the containment, because any radioactivity within the containment atmosphere has no way of passing into a closed system. The isolation valves close automatically not only on high blowdown system temperature or pressure, but also on low steam generator water levels, on actuation of the passive residual heat removal heat exchanger, on receipt of a containment isolation signal, or on detection of a high blowdown system radiation level. The isolation of the steam generator blowdown system provides for the continued availability of the steam generators as a heat sink during various fault transients by not reducing further the water inventory of the steam generators.

The radiation monitors associated with the steam generator blowdown system provide a means of recognising when the secondary side becomes radioactively contaminated, an indication of a steam generator tube rupture. The blowdown flow and the ion exchange waste stream (brine) flow are both continuously monitored for radioactivity. If such radioactivity is detected, the liquid radwaste system is aligned to process the blowdown and ion-exchange waste effluent. If radioactivity should exceed a preset level, the blowdown flow control valves and the isolation valves would automatically close.

6.6.9.2 Design Requirements

The following design requirements of the steam generator blowdown system support safe operation of the plant under normal conditions:

• The steam generator blowdown lines must be able to withstand the pressure and temperature of the steam flowing through them, with a low likelihood of failing.

• An alarm must sound in the main control room on detection of a high radiation level within the blowdown system.

The following design requirement of the steam generator blowdown system supports safe shutdown of the plant during faulted conditions:

• The four steam generator blowdown system isolation valves must close automatically in response to: high blowdown system temperature or pressure, or low steam generator water levels, or actuation of the passive residual heat removal heat exchanger, or high blowdown system radiation level, or on receipt of a containment isolation signal.


6.6.9.3 Substantiation

Failure of a steam generator blowdown line is an initiating event within the fault schedule. Such failure could also result in consequential damage to nearby SSCs, through pipe whip, explosion, flooding, water spray or missiles. The integrity of the blowdown lines is assured by the material selection process and by their design and build integrity. These are discussed in Section 10.4.8.1.1 of Reference 6.1.

The four steam generator blowdown system isolation valves close automatically (Section 10.4.8.2.1 of Reference 6.1) in response to any of the following:

• High blowdown system temperature or pressure, in order to protect the ion-exchange resins and the low-pressure parts of the blowdown system.

• Low steam generator water levels or on actuation of the passive residual heat removal heat exchanger, in order not to deplete further the steam generator water inventory.

• Detection of high blowdown system radiation level.

• On receipt of a containment isolation signal.

An alarm sounds in the main control room on detection of a high radiation level within the blowdown system, to alert the operators of the need to take the appropriate remedial action, such as aligning the liquid radwaste system to process the blowdown and ion-exchange waste effluent, and isolating the affected steam generator (Section 10.4.8.2.2 of Reference 6.1).
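The isolation logic listed above (any one of the signals closes all four isolation valves, and the valves fail closed on loss of air or power) together with the high-radiation alarm can be expressed as a short piece of code. This is an added illustration for this edition, not Westinghouse code or the plant's protection logic. The setpoint values, the signal record layout and the treatment of an unavailable measurement as a trip are assumptions of the model; the report gives no setpoints and does not describe sensor-failure handling.

```python
"""Model of the steam generator blowdown isolation and alarm logic (constructed
illustration, not Westinghouse code). Setpoints below are assumed values."""
from dataclasses import dataclass
from typing import List, Optional

HIGH_TEMP_C = 60.0            # high blowdown system temperature (assumed)
HIGH_PRESSURE_BAR = 8.0       # high blowdown system pressure (assumed)
LOW_SG_LEVEL_PCT = 20.0       # low steam generator water level (assumed)
HIGH_RADIATION_CPS = 100.0    # high blowdown system radiation (assumed)


@dataclass
class BlowdownSignals:
    """One scan of the inputs to the isolation logic. None means the measurement
    is unavailable (a convention of this model)."""
    temperature_c: Optional[float]
    pressure_bar: Optional[float]
    sg_level_pct: Optional[float]     # lowest of the two steam generator levels
    radiation_cps: Optional[float]
    prhr_actuated: bool = False       # passive residual heat removal heat exchanger actuated
    containment_isolation: bool = False
    air_available: bool = True
    power_available: bool = True


def _high(value: Optional[float], limit: float) -> bool:
    # An unavailable measurement is treated as a trip (conservative model assumption)
    return value is None or value > limit


def _low(value: Optional[float], limit: float) -> bool:
    return value is None or value < limit


def isolation_reasons(s: BlowdownSignals) -> List[str]:
    """Every reason the four isolation valves must be closed; empty means they may stay open."""
    reasons: List[str] = []
    # Fail-closed behaviour: without motive air or power the valves close whatever the signals say
    if not s.air_available:
        reasons.append("loss of air")
    if not s.power_available:
        reasons.append("loss of power")
    # Trip signals listed in the design requirement; any single one is sufficient
    if _high(s.temperature_c, HIGH_TEMP_C):
        reasons.append("high blowdown temperature")
    if _high(s.pressure_bar, HIGH_PRESSURE_BAR):
        reasons.append("high blowdown pressure")
    if _low(s.sg_level_pct, LOW_SG_LEVEL_PCT):
        reasons.append("low steam generator level")
    if s.prhr_actuated:
        reasons.append("PRHR heat exchanger actuated")
    if _high(s.radiation_cps, HIGH_RADIATION_CPS):
        reasons.append("high blowdown radiation")
    if s.containment_isolation:
        reasons.append("containment isolation signal")
    return reasons


def valves_closed(s: BlowdownSignals) -> bool:
    return len(isolation_reasons(s)) > 0


def radiation_alarm(s: BlowdownSignals) -> bool:
    """Main control room alarm on a measured high radiation level; it is raised from the
    measurement itself and does not depend on the valve logic."""
    return s.radiation_cps is not None and s.radiation_cps > HIGH_RADIATION_CPS


if __name__ == "__main__":
    normal = BlowdownSignals(45.0, 5.0, 55.0, 10.0)
    tube_leak = BlowdownSignals(45.0, 5.0, 55.0, 250.0)
    print("normal operation:", isolation_reasons(normal))
    print("tube leak:", isolation_reasons(tube_leak), "alarm:", radiation_alarm(tube_leak))
```

Returning the list of reasons rather than a bare boolean keeps the model auditable: for a given scan it records which of the independent conditions demanded isolation, which is the information an operator or a post-event review would want alongside the alarm.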

6.6.10 Circulating Water System

6.6.10.1 Description

The circulating water system consists of three electric-powered water pumps and the associated piping, valves and instrumentation. The main duty of the circulating water system is to supply cooling water to the main condensers; as such, it is the principal heat sink during normal operation and during those fault conditions for which the main condenser is claimed as defence in depth. Its secondary purpose is to supply cooling water to the turbine building closed cooling water system heat exchangers and to the condenser vacuum pump seal water heat exchangers. The generic UK site for new build is by the sea, in order to facilitate the availability of the large amounts of cooling water that are required. The water in the circulating water system is thus sea water; there is unlikely to be a requirement for cooling towers at a UK coastal site.

The underground portions of the circulating water system piping are constructed of concrete pressure piping. The remainder is carbon steel, with an internal coating of a corrosion-resistant compound. Motor-operated butterfly valves are provided in each of the circulating water lines at their inlet to and exit from the condenser shell, to allow isolation of portions of the condenser.

Control of the chemistry of the circulating water is necessary to maintain the cooling water in a noncorrosive and non-scale-forming condition, and to limit the growth of biological organisms that might reduce the heat transfer rate in the condenser and in the heat exchangers supplied by the circulating water system. The chemicals fall into the following categories: biocide, algaecide, pH adjuster, corrosion inhibitor, scale inhibitor and silt dispersant. Addition of these chemicals is performed by local chemical feed injection metering pumps.


The circulating water system poses an internal hazard flooding threat on account of the enormous potential flow rate should any part of the system fail. Small circulating water system leaks in the turbine building would drain into the waste water system. Large circulating water system leaks due to pipe failures or the rupture of an expansion joint could flood the turbine building. To mitigate this possibility, the base slab of the turbine building is located at grade elevation and so tripping the circulating water pumps would rapidly stop the flood, because the leak would be above sea level. In the short term, before the pumps are tripped, there is a relief panel in the turbine building west wall, which would release the water before its level could rise sufficiently high to cause significant damage. Any such flooding would not result in detrimental effects on safety-significant equipment because there is no safety-significant equipment in the turbine building, but it could threaten the defence in depth capability identified in the fault schedule.

6.6.10.2 Design Requirements

The main condenser is a component of the defence in depth capability identified within the fault schedule for cooling down the steam generators and the reactor coolant system during several Design Basis initiating events. Failure of the circulating water system during such fault transients would result in the main condenser becoming unavailable.

6.6.11 Auxiliary Steam Supply System

6.6.11.1 Description

The auxiliary steam boiler is an electric package boiler. It supplies the steam required during a cold start of the main steam system and the turbine-generator; additionally, it provides the steam for hot water heating. Main steam supplements the auxiliary steam header during start-up, and it supplies the auxiliary steam during normal operation at power. The auxiliary boiler provides the steam during a plant shutdown.

The auxiliary steam system provides the following services:

• Steam to the plant hot water heating system heat exchangers for use by the heating system ventilation coils.

• Steam to the de-aerator prior to returning to operation at power and after a turbine trip, to heat, to pressurise and to de-aerate the feed water.

• Sealing steam to the glands of the main turbine prior to returning to operation at power when main steam is unavailable.

• Steam to the moisture separator reheaters and to the feed water heaters when main steam is unavailable.

6.6.11.2 Design Requirements

There is a minor requirement for the auxiliary steam system after a turbine trip, when the main condenser is a desirable component of the defence in depth capability identified within the fault schedule for cooling down the steam generators and the reactor coolant system. Failure of the auxiliary steam system during such fault transients could result in the main condenser becoming unavailable if no gland sealing steam were available. A reliable auxiliary steam system is thus desirable but not essential, because defence in depth capability is not claimed by the safety case.


6.6.12 Turbine Island Chemical Feed System

6.6.12.1 Description

The turbine island chemical feed system injects the required chemicals into the condensate, the feed water, the auxiliary steam, the service water and the stored demineralised water treatment. It is entirely located in the turbine building.

No design requirements associated with maintaining safety functions are placed on the turbine island chemical feed system.

6.6.13 Condensate Polishing System

6.6.13.1 Description

The condensate polishing system chemically cleans up the condensate by passing it through ion exchange resins to remove corrosion products and ionic impurities. It is required during start-up, until the desired water quality is attained, but during power operation would be used only when abnormal secondary conditions exist, such as a “continuous” condenser tube leak.

No design requirements associated with maintaining safety functions are placed on the condensate polishing system.

6.7 Instrumentation and Control

6.7.1 Description

The instrumentation and control (I&C) system presented in this chapter provides protection against unsafe reactor operation during steady-state and transient power operations. It initiates selected protective functions to mitigate the consequences of design basis initiating events and protect against the loss of the KSFs.

The I&C architecture is arranged in a hierarchical manner. Above the real-time data network are the systems whose purpose is to facilitate the interaction between the plant operators and the I&C systems. These are the operations and control centres system and the data display and processing system (DDS). Below the real-time data network are the systems and functions that perform the protective, control and data monitoring functions. These are the PMS, the PLS, the in-core instrumentation system, the special monitoring system and the DAS.

The special monitoring and in-core instrumentation systems do not provide any functions directly related to the control or protection of the plant (see subsection 2.1 of AP1000 Instrumentation and Control Defence-in-Depth and Diversity Report, Reference 6.5) and so are not discussed further in this subsection.

The operations and control centres system consists of parts of the PMS, PLS, DAS and DDS, along with the control console structures.

Figure 6.7-1, which is adapted from Figure 2.1 of AP1000 Instrumentation and Control Defence-in-Depth and Diversity Report (Reference 6.5), provides a simple graphical representation of the I&C architecture.


Figure 6.7-1 Instrumentation and Control Architecture

6.7.2 Design Requirements

The following design requirements for the I&C system support safe operation of the plant during normal operations:

• The I&C system must provide a reliable means of controlling duty systems to keep the plant within the permitted operating envelope during reactor start-up, critical operations and while shut down.

• The I&C system must prevent undemanded actuation of ESFs.

The following design requirements for the I&C system support safe shutdown during fault conditions:

• The I&C system must provide a reliable means of controlling engineered safety features during fault conditions.

• The I&C system must provide diversity between control and protection functions.

The system also has the following capability to provide additional defence in depth support during accident conditions:

• The I&C system must provide a reliable means of controlling defence-in-depth systems during, or following, a fault condition.

6.7.3 Substantiation

Plant Control System

The PLS provides control and coordination of the plant during startup, ascent to power, power operation, and shutdown conditions. The PLS integrates the automatic and manual control of the reactor, reactor coolant, and various reactor support processes for required normal and off-normal conditions. The PLS provides control over the following reactor system functions:

• Rod control.

• Pressuriser pressure and level control.

• Steam generator water level control.

• Steam dump (turbine bypass) control.

• Rapid power reduction.

In addition, the PLS provides control over a number of supporting duty systems, as listed in Table 7.7-3 of Reference 6.1, including:

• The CCS, which provides cooling for the RNS, CVS and SFS. See subsection 6.4.3 for a description of the operation of the CCS.

• The CVS, which supplies makeup and boration to the RCS. See subsection 6.4.1 for a description of the operation of the CVS.

• The FWS, which provides feedwater via the startup feedwater system for heat removal from the reactor coolant system, in the event of a feedwater system failure. See subsection 6.6.5 for a description of the operation of the FWS. The startup feedwater is also automatically actuated on signals which indicate a loss of water inventory or heat sink in the secondary side of the steam generator (see subsection 7.7.1.8.2 of Reference 6.1).

• The RNS, which removes heat from the RCS during shutdown operation at reduced pressure and temperature, provides low temperature overpressure protection (LoTOP) for the RCS, and provides low-pressure makeup to the RCS. See subsection 6.5.7 for a description of the operation of the RNS.

• The SFS, which removes heat from the spent fuel stored in the spent fuel pool. See subsection 6.5.16 for a description of the operation of the SFS.

• The SGS, which provides decay heat removal capability during shutdown operations by delivery of startup feedwater flow to the steam generator and venting of steam from the steam generators to the atmosphere via the power-operated relief valves. See subsection 6.3.6 for a description of the operation of the CVS.

• The service water system (SWS), which removes heat from the CCS, SFS and RNS.

• The VBS, which provides ventilation and cooling to the main control room envelope, safety significant instrumentation and control rooms, safety significant equipment rooms, and safety significant battery rooms.

• The VWS, which provides chilled water to support the nuclear island non-radioactive ventilation system cooling of the main control room envelope, safety significant instrumentation and control rooms, safety significant dc equipment rooms, and the safety significant battery rooms. It also provides cooling to the unit coolers in the CVS and RNS.

• The VXS, which provides ventilation of the electrical switchgear rooms that contain the diesel bus switchgear and the equipment room that contains the switchgear room air-handling units.

• The VZS, which provides ventilation and cooling of the diesel generator building, and ventilation and heating of the diesel oil transfer module enclosure to support operation of the onsite standby power system.

The PLS provides automatic regulation of reactor and other key system parameters in response to changes in operating limits (load changes). The PLS acts to maximize margins to plant safety limits and maximize the plant transient performance. The PLS also provides the capability for manual control of plant systems and equipment. Redundant control logic is used in some applications to increase single-failure tolerance.

The control system is capable of manoeuvring the plant through certain transients. This manoeuvring is done without the need for manual intervention and without violating plant protection or component limits. The PLS provides high reliability during these anticipated operational occurrences and meets the following objectives (see subsection 7.7.2 of Reference 6.1):

• The capability to accept 10-percent step load decreases from an initial power level between 100-percent and 25-percent of full power, and 10-percent step load increases from an initial power level between 15-percent and 90-percent of full power, without reactor trip or steam dump actuation.

• The capability to accept ramp load changes at 5-percent power per minute while operating in the range of 15-percent to 100-percent of full power without reactor trip or steam dump system actuation, subject to core power distribution limits.

• The capability to accept the design full-load rejection without reactor trip.

• The capability to accept a turbine trip from full-power operation without reactor trip. This capability is provided with the normally available systems (such as steam dump and feedwater control).

• The capability to follow the design basis network load follow pattern for 90-percent of the fuel cycle. The design basis load follow pattern is defined as the daily (24-hour period) cycle consisting of 10 to 18 hours of operation at 100-percent power, followed by a 2-hour linear ramp to 50-percent power, followed by 2 to 10 hours of operation at 50-percent power and then a 2-hour linear ramp back to 100-percent power.

• The capability to satisfy a 20-percent power increase or decrease within 10 minutes.

• The capability of handling grid frequency changes equivalent to 10-percent peak-to-peak power changes at a two percent per minute rate. This capability is provided over a 15- to 100-percent power range throughout the plant operating life. A total of 35 peak-to-peak swings per day are allowed for in the design of the PLS.

The control system permits manoeuvring the plant through the transients without actuation of the following:

• Steam generator safety valves.

• Steam generator power operated relief valves.

• Pressuriser safety valves.

In addition, these valves are not actuated during a normal plant trip.

Protection and Safety Monitoring System

AP1000 provides instrumentation and controls to sense accident situations and initiate ESFs for their mitigation. The occurrence of a limiting fault, such as a loss of coolant accident or a secondary system break, requires a reactor trip plus actuation of one or more of the ESFs. This combination of events prevents or mitigates damage to the core and reactor coolant system components, and provides containment integrity.

The I&C equipment performing reactor trip and ESF actuation functions, their related sensors, and the reactor trip switchgear are four-way redundant (see subsection 7.1.1 of Reference 6.1). This redundancy permits the use of bypass logic so that a division or individual channel out of service can be accommodated by the operating portions of the protection system reverting to a two-out-of-three logic from a two-out-of-four logic. The redundancy and voting logic also mean that a single faulty sensor cannot spuriously actuate an ESF.

The variables monitored for reactor trip and ESF actuation are listed in Table 6.7-1.

Tables 2-1 and 2-2 of WCAP-15776 (Reference 6.7) show limits, ranges, accuracies and typical response times for the reactor trip and ESF variables, respectively.

To the extent feasible, inputs used for reactor trip are derived from signals that are direct measurements of the desired variables described above (see subsection 7.2.2.2.4 of Reference 6.1). Two exceptions exist, overtemperature and overpower, which cannot be directly measured:

• The overtemperature ΔT trip setpoint is calculated from pressuriser pressure, reactor coolant temperature, and nuclear axial power shape. The setpoint is compared against the measured ΔT power signal.

• Overpower ΔT is calculated from reactor coolant temperature and the nuclear axial power shape in the core. This value is compared against the measured ΔT power signal.

The process variables that affect these parameters can be measured, and they are used to calculate the setpoints continuously.

As discussed in WCAP-15776 (Reference 6.7), the setpoints provide a margin to the safety limits assumed in the accident analyses, to allow for uncertainties and instrument errors. The safety limits are based on mechanical or hydraulic limitations of equipment or on heat transfer characteristics of the reactor core. While most setpoints used for reactor trip are fixed, the setpoints for the overtemperature and overpower ΔT trips are continuously calculated.

A single failure in the PMS or the reactor trip actuation divisions does not prevent a reactor trip, even when a reactor trip channel is bypassed for test or maintenance. Conformance of the equipment to this requirement is discussed in WCAP-15776 (Reference 6.7). In addition to the redundancy of equipment, diversity of reactor trip functions is incorporated. Most design basis initiating events requiring a reactor trip are protected by trips from diverse parameters. For example, reactor trip, because of an uncontrolled rod cluster control assembly bank withdrawal at power, may occur on power range high neutron flux, overtemperature, overpower, pressuriser high pressure or pressuriser high water level. Reactor trip on complete loss of reactor coolant flow may occur on low flow or from the diverse parameter of low reactor coolant pump speed.

A single failure in the PMS does not prevent an actuation of the ESFs when the monitored condition reaches the preset value that requires the initiation of an actuation signal (see subsection 7.3.2.2.2 of Reference 6.1). The single failure criterion is met even when one division of the ESF coincidence logic is being tested, as discussed in subsection 7.1.2.9 of Reference 6.1, or when there is a bypass condition in connection with test or maintenance of the PMS.

Adequacy of the software and the hardware is demonstrated for the PMS through a verification and validation program. Details on the verification and validation program are provided in the Software Program Manual for Common Q Systems (Reference 6.6).

Table 6.7-1 PMS Signals Resulting in ESF Actuation and Duty System Isolation

PMS action: on receipt of signal

Generate a safeguards actuation “S” signal: Low-1 pressuriser pressure OR Hi-1 containment pressure OR Low compensated steam line pressure OR Low-3 cold leg temperature OR Manual initiation

Reactor trip due to:

• Nuclear startup faults: Source range high neutron flux OR Intermediate range high neutron flux OR Power range high neutron flux (low setpoint)

• Overpower: Power range high neutron flux (high setpoint) OR Power range high positive flux

• Core cooling faults: Overtemperature ΔT OR Overpower ΔT OR Low pressuriser pressure OR Low reactor coolant cold leg flow OR Low reactor coolant pump speed OR RCP bearing water high temperature

• Overpressurisation: High pressuriser pressure OR High pressuriser water level

• Loss of heat sink: Low steam generator level (narrow range)

• Feedwater isolation: High-2 steam generator level

• ADS actuation: ADS actuation signal

• Safety injection: “S” signal

• Turbine trip: Various signals (e.g. high vibration, high lube oil temperature, low lube oil flow)

Containment isolation: “S” signal OR Manual initiation OR Manual initiation of containment cooling

PRHR HX initiation: [Low steam generator level (narrow range) in any steam generator AND low FWS flow after time delay] OR Low steam generator level (wide range) in any steam generator OR CMT actuation OR ADS actuation OR Manual initiation

CMT initiation: “S” signal OR Low-2 pressuriser level OR [High hot leg temperature AND Low steam generator level (wide range)] OR Manual initiation

ADS:

• First stage: Manual initiation OR [Low-1 CMT level in either CMT AND CMT actuation signal]

• Second stage: [First stage ADS signal AND time delay]

• Third stage: [Second stage ADS signal AND time delay]

• Fourth stage: [Low-2 CMT level in either CMT AND third stage ADS signal AND time delay] OR [Low hot leg level AND time delay]

RCP trip: CMT actuation signal OR ADS first stage actuation OR High pump bearing temperature

Open IRWST injection line valves: Fourth stage ADS signal OR Manual initiation

Passive containment cooling: Hi-2 containment pressure OR Manual initiation

Open containment recirculation valves: Low IRWST level (low-3 setpoint)

Main feedwater isolation (and trip feedwater pump): Low-1 reactor coolant system Tc OR Hi-1 steam generator narrow range level OR “S” signal OR Manual initiation

FWS isolation: Low-2 reactor coolant system Tc OR Hi-2 steam generator narrow range level

Steam line isolation: Low steam line pressure OR Low-2 reactor coolant system Tc OR Hi-1 containment pressure OR Low-2 steam generator narrow range level OR Manual initiation

SG blowdown isolation: PRHR HX actuation signal

Demineralised water isolation (and CVS suction aligned to boron addition tank): Reactor trip OR CMT actuation OR Source range high neutron flux OR Loss of offsite power

CVS flow isolation: Hi-2 steam generator level (narrow range) OR High pressuriser level

Pressuriser heater trip: CMT actuation

Turbine trip: Manual feedwater isolation OR Reactor trip OR High-2 steam generator narrow range level

Diverse Actuation System

The DAS provides a diverse backup to the PMS. This backup is included to support the aggressive AP1000 risk goals by reducing the probability of a severe accident which potentially results from the unlikely coincidence of postulated transients and postulated common mode failure in the protection and control systems.

The PMS is designed to prevent common mode failures between itself and the PLS. However, in the low probability case where a common mode failure does occur, the DAS provides diverse protection. The specific functions performed by the DAS are presented in Table 6.7-2. The DAS functional requirements are based on an assessment of the protection system instrumentation common mode failure probabilities combined with the event probability (see subsection 7.7.1.11 of Reference 6.1).

The DAS operates with two actuation logic modes, automatic and manual. In the automatic actuation logic mode, the automatic signals from the two redundant automatic subsystems are logically combined on a two-out-of-two basis, implemented by connecting the outputs in series. Actuation signals are output to the loads as normally de-energized, energize-to-actuate signals. The normally de-energized output state, together with the dual, two-out-of-two redundancy, reduces the probability of inadvertent actuation (see subsection 7.7.1.11 of Reference 6.1).

The manual actuation mode operates in parallel to independently actuate the final devices, and is made possible by hard-wiring the controls located in the main control room directly to the final loads in a way that completely bypasses the normal path through the PMS cabinets and the DAS automatic logic.
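The coincidence logic described for the PMS earlier in this section (two-out-of-four reverting to two-out-of-three when a channel is bypassed, so that a single faulty sensor cannot spuriously actuate an ESF) and the DAS two-out-of-two series logic with its parallel hard-wired manual path can both be expressed as a small voting model. The Python below is an added illustration written for this edit; it is not code from the PCSR, from Westinghouse or from the Common Q platform. The channel names, the rule that only one channel of a function may be bypassed at a time, and the representation of a de-energized subsystem as `None` are assumptions of the example, not statements from the report.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class Channel:
    """One protection channel (sensor plus comparator) for a single trip or ESF function."""
    name: str
    tripped: bool            # the channel's own comparator has reached its setpoint
    bypassed: bool = False   # removed from service for test or maintenance


def in_service(channels: Sequence[Channel]) -> list[Channel]:
    """Channels that still take part in the vote."""
    return [c for c in channels if not c.bypassed]


def effective_logic(channels: Sequence[Channel], m: int) -> str:
    """Describe the live coincidence, e.g. '2oo4', or '2oo3' with one channel bypassed."""
    return f"{m}oo{len(in_service(channels))}"


def coincidence_vote(channels: Sequence[Channel], m: int) -> bool:
    """m-out-of-n vote over the channels still in service.

    A bypassed channel drops out of both sides of the vote, so the PMS
    2-out-of-4 logic becomes 2-out-of-3 rather than 2-out-of-4 with a dead
    channel. The required coincidence m is never reduced: one tripped (or
    faulty) channel can never actuate on its own, which is the property the
    text relies on for resistance to spurious actuation.
    """
    live = in_service(channels)
    # Assumption of this example (not stated in the PCSR): at most one channel
    # of a function may be bypassed at a time; a second bypass is rejected.
    if len(channels) - len(live) > 1:
        raise ValueError("more than one channel bypassed for the same function")
    return sum(1 for c in live if c.tripped) >= m


def das_automatic(subsystem_a: Optional[bool], subsystem_b: Optional[bool]) -> bool:
    """DAS automatic 2-out-of-2: the two redundant subsystems are wired in series.

    Outputs are normally de-energized and energize-to-actuate, so a subsystem
    that has lost power or failed (modelled here as None) contributes no
    signal. A failed subsystem therefore cannot cause a spurious actuation;
    it can only block the automatic path, which the manual path covers.
    """
    a = bool(subsystem_a)   # None (de-energized) and False both mean "not energized"
    b = bool(subsystem_b)
    return a and b


def das_actuate(subsystem_a: Optional[bool], subsystem_b: Optional[bool], manual: bool) -> bool:
    """Final DAS output to a load: automatic 2oo2 path OR hard-wired manual path.

    The manual path sits in parallel and bypasses the automatic logic
    entirely, as the text describes for the main control room controls.
    """
    return das_automatic(subsystem_a, subsystem_b) or manual


def demo() -> dict[str, object]:
    """Constructed sample channels for one PMS function (four pressure channels)."""
    quiet = [Channel("PT-A", False), Channel("PT-B", False),
             Channel("PT-C", False), Channel("PT-D", False)]
    one_faulty = [Channel("PT-A", True), Channel("PT-B", False),
                  Channel("PT-C", False), Channel("PT-D", False)]
    genuine = [Channel("PT-A", True), Channel("PT-B", True),
               Channel("PT-C", False), Channel("PT-D", False)]
    bypass_genuine = [Channel("PT-A", True), Channel("PT-B", False),
                      Channel("PT-C", True), Channel("PT-D", False, bypassed=True)]
    return {
        "quiet": coincidence_vote(quiet, 2),
        "one_faulty_sensor": coincidence_vote(one_faulty, 2),
        "genuine_2oo4": coincidence_vote(genuine, 2),
        "logic_with_bypass": effective_logic(bypass_genuine, 2),
        "genuine_2oo3": coincidence_vote(bypass_genuine, 2),
        "das_auto_one_subsystem_dead": das_actuate(True, None, False),
        "das_auto_both": das_actuate(True, True, False),
        "das_manual_with_failed_logic": das_actuate(None, None, True),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of modelling a failed subsystem as "not energized" rather than as an error is that it reproduces the failure direction the design chooses: loss of power in the DAS automatic logic withholds actuation rather than causing it, and the manual path remains available.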

To support the diverse manual actuations, sensor outputs are displayed in the main control room in a manner that is diverse from the protection system display functions. The instrument sensor output displayed in the main control room is repeated at the DAS instrumentation cabinet. The indications that are provided from at least two sensors per function are (see subsection 7.7.1.11 of Reference 6.1):

• Steam generator water level – for reactor trip and passive residual heat removal actuations, and for overfill prevention by manual actuation of the automatic depressurisation system valves.

• Hot leg temperature – for passive residual heat removal actuation.

• Core exit temperature – for automatic depressurisation system actuation and subsequent initiation of in-containment refuelling water storage tank injection and also containment hydrogen igniter actuation.

• Pressuriser level – for core makeup tank actuation and reactor coolant pump trip.

• Containment temperature – for containment isolation and passive containment cooling system actuation.

• Rod control motor generator voltage – for reactor and turbine trip.

The automatic actuation signals provided by the DAS are generated in a functionally diverse manner from the PMS signals. Diversity between DAS and PMS is achieved by the use of different architectures, different hardware implementations, and different software, where software is used. See subsection 7.7.1.11 of Reference 6.1 for a full description of the separation between the DAS and the PMS.

The DAS uses sensors that are separate from those used by the PMS and the PLS. This prevents failures from propagating to the other plant systems through shared sensors.

The DAS manual and automatic logic is independent of PMS circuitry. DAS is a standalone system that is not connected or interlocked with PMS. Except for motor-operated valve control, no actuation interfaces are shared between the DAS and the PMS. The DAS actuation devices are isolated from the PMS actuation devices, so as to avoid adverse interactions between the two systems. The actuation devices of each system are capable of independent operation that is not affected by the operation of the other. The DAS is designed to actuate components only in a manner that initiates the safety function. This type of interface also prevents the failure of an actuation device in one system from propagating a failure into the other system.

The DAS and the PMS use independent and separate power sources and internal power supplies.

Table 6.7-2 DAS Signals Resulting in ESF Actuation and Duty System Isolation

DAS action: on receipt of signal

Reactor trip: Low steam generator wide range level OR Low pressuriser level OR Manual initiation

Turbine trip: Low steam generator wide range level OR Manual initiation

PRHR HX actuation: Low steam generator wide range level OR High hot leg temperature OR Manual initiation

CMT actuation: Low pressuriser level OR Manual initiation

Passive containment cooling (inc. fan coolers): High containment temperature OR Manual initiation

Critical containment isolation valves: High containment temperature OR Manual initiation

Reactor coolant pump trip: Low pressuriser level

Initiate IRWST injection (mid loop operation): Low hot leg level

ADS valves: Manual initiation

Containment hydrogen igniters: Manual initiation

Steam generator overfill protection: Manual initiation

6.8 Electrical Power Systems

The following systems are addressed in this section of the document:

• Class 1E dc and uninterruptible power supply system.

• Non-Class 1E dc and uninterruptible power supply system.

• Main ac power system.

• On-site standby power system.

• Cathodic protection system.

• Excitation and voltage regulation system.

• Grounding and lightning protection system.

• Lighting system.

• Plant security system.

• Special process heat tracing system.

6.8.1 Class 1E dc and Uninterruptible Power Supply System

6.8.1.1 Description

The Class 1E dc and uninterruptible power supply (UPS) system (IDS) provides reliable power for the safety significant equipment required for the plant instrumentation, control, monitoring, and other vital functions. In addition, the class 1E dc and UPS system provides power to the emergency lighting in the main control room and at the remote shutdown workstation.

The IDS is capable of providing reliable power for the safe shutdown of the plant without the support of battery chargers during a loss of all ac power sources coincident with a design basis accident. The system is designed so that no single failure will result in a condition that will prevent the safe shutdown of the plant.

6.8.1.2 Design Requirements

The following design requirements for the IDS support safe shutdown during fault conditions:

• The class 1E dc system must provide power to the plant safety equipment when demanded by the PMS or the operator.

• The UPS system must provide a backup source of electrical power for plant safety equipment in the event of failure of the main dc system.

6.8.1.3 Substantiation

IDS dc System

The IDS dc system has sufficient capacity to achieve and maintain safe shutdown of the plant for 72 hours following a complete loss of all ac power sources without requiring load shedding (see section 8.1.4.2.1 of Reference 6.1).

The IDS has four independent 250 V dc divisions, A, B, C, and D. Divisions A and D each comprise one battery bank, one switchboard, and one battery charger. The battery bank is connected to the switchboard through a set of fuses and a disconnect switch. Divisions B and C are each composed of two battery banks, two switchboards, and two battery chargers. Industry standard stationary batteries are provided to supply the dc power source in case the battery chargers fail to supply the dc distribution bus system loads. The first battery bank in the four divisions, designated as the 24-hour battery bank, provides power to the loads required for the first 24 hours following an event of loss of all ac power sources concurrent with a design basis accident. The second battery bank in divisions B and C, designated as the 72-hour battery bank, is used for those loads requiring power for 72 hours following the same event. Each switchboard connected with a 24-hour battery bank supplies power to an inverter, a 250 V dc distribution panel, and a 250 V dc motor control centre. Each switchboard connected with a 72-hour battery bank supplies power to an inverter. No load shedding or load management program is needed to maintain power during the required 24-hour safety actuation period.

Nominal ratings of equipment supplied by the IDS are listed in Table 8.3.2-5 of Reference 6.1.

The class 1E dc system is designed in compliance with requirements for physical separation, electrical isolation, equipment qualification, effects of single active component failure, capacity of battery and battery charger, instrumentation and protective devices, and surveillance test requirements. The class 1E dc components are housed in seismic category I structures.

Important system component failures are annunciated. The battery monitoring system detects a battery open circuit condition and monitors battery voltage. The class 1E 230 V ac distribution panels are equipped with undervoltage protection. The set of fuses located in the 250 V dc switchboards provides selective tripping of circuits on a fault, to limit the effects of the abnormal condition, minimize system disturbance and protect the battery from complete accidental discharge through a short circuit fault. The class 1E dc system is ungrounded, so a single ground fault does not cause immediate loss of the faulted system. Ground detection with alarms is provided for each division of power so that ground faults can be located and removed before a second ground fault could disable the affected circuit. A spare battery bank and charger enable testing, maintenance, and equalization of battery banks offline.

Subsections 8.3.2.1.1.1 and 8.3.2.2 of Reference 6.1 provide more information on the class 1E dc system.

UPS System

The class 1E UPS provides power at 230 V ac to four independent divisions of class 1E instrument and control power buses. Divisions A and D each consist of one class 1E inverter associated with an instrument and control distribution panel and a backup voltage regulating transformer with a distribution panel. The inverter is powered from the respective 24-hour battery bank switchboard. Divisions B and C each consist of two inverters, two instrument and control distribution panels, and a voltage regulating transformer with a distribution panel. One inverter is powered by the 24-hour battery bank switchboard and the other by the 72-hour battery bank switchboard. During normal operation, the class 1E inverters receive power from the associated dc switchboard. If an inverter is inoperable or the class 1E 250 V dc input to the inverter is unavailable, the power is transferred automatically to the backup ac source (regulating transformer) by a static transfer switch featuring a make-before-break contact arrangement. The backup power is received from the diesel generator-backed non-class 1E ac bus through the class 1E voltage regulating transformer. In addition, a manual mechanical bypass switch is provided to allow connection of backup power source when the inverter is removed from service for maintenance.

In order to supply power during the post-72-hour period following a design basis accident, provisions are made to connect a permanently installed ancillary ac generator to the regulating transformers (divisions B and C only). This powers the post-accident monitoring systems, the lighting in the main control room (MCR), and the ventilation in the MCR and the divisions B and C I&C rooms. See section 8.3.1.1.1 of Reference 6.1 for post-72-hour power distribution details, section 9.4.1 for post-72-hour ventilation, and section 9.5.3 for post-72-hour lighting details.

Subsection 8.3.2.2 of Reference 6.1 provides more information on the class 1E UPS system.

6.8.2 Non-Class 1E dc and Uninterruptible Power Supply System

6.8.2.1 Description

The non-Class 1E dc and UPS system (EDS) consists of the electric power supply and distribution equipment that provides dc and uninterruptible ac power to the plant dc and ac loads needed for safe operation of the plant under normal conditions and for investment protection, and to the hydrogen igniters located inside containment.

6.8.2.2 Design Requirements

The following design requirement for the EDS supports safe operation of the plant during normal operations:

• The EDS must provide a reliable source of power to plant loads that are needed for safe operation of the plant under normal conditions, and for investment protection.

6.8.2.3 Substantiation

The non-class 1E dc and UPS system comprises two subsystems representing two separate power supply trains. Each subsystem comprises two sets of identical electrical equipment. In addition, a fifth subsystem is provided for dedicated turbine dc loads. The subsystems are located in separate rooms in the annex building.

Each EDS subsystem consists of two separate dc distribution buses. These two buses can be connected by a normally open circuit breaker to enhance the availability of the power supply source.

Each dc subsystem includes battery chargers, stationary batteries, dc distribution equipment, and associated monitoring and protection devices.

The dc subsystems (exclusive of the turbine subsystem) provide dc power to associated inverter units that supply the ac power to the EDS uninterruptible power supply ac system. An alternate regulated ac power source for the UPS buses is supplied from the associated regulating transformers.

The onsite standby diesel generator backed 400 V ac distribution system provides the normal ac power to the battery chargers. Industry standard stationary batteries are provided to supply the dc power source in case the battery chargers fail to supply the dc distribution bus system loads. The batteries are sized to supply the system loads for a period of at least two hours after loss of all ac power sources.

The EDS dc system shares with the IDS the Class 1 spare battery bank as a temporary replacement for any primary Class 3 battery bank. In this design configuration, the spare Class 1 battery bank would be connected to the EDS dc bus but could not simultaneously supply Class 1 safety loads through the IDS, nor perform safety significant functions. Additionally, the design includes two current interrupting devices placed in series with the main feed from the spare battery that are fault-current activated. This will preserve the spare Class 1 battery integrity should the EDS bus experience an electrical fault. This arrangement will not degrade the electrical independence of the IDS Class 1 safety circuits.

Further information on the EDS is presented in section 8.3.2.1.2 of Reference 6.1.

6.8.3 Main ac Power System

6.8.3.1 Description

The onsite ac power system (ECS) is a non-class 1E system comprising normal, preferred, maintenance and standby power supplies. The normal, preferred, and maintenance power supplies are included in the main ac power system. The standby power supply is included in the onsite standby power system.

6.8.3.2 Design Requirements

The following design requirement for the ECS supports safe operation of the plant under normal conditions:

• The ECS must provide power to the plant duty systems.

6.8.3.3 Substantiation

The major ac equipment electrical loads are listed in Table 8.3.1-2 of Reference 6.1.

During power generation mode, the turbine generator normally supplies electric power to the plant auxiliary loads through the unit auxiliary transformers. The plant is designed to sustain a load rejection from 100 percent power with the turbine generator continuing stable operation while supplying the plant house loads.

During plant startup, shutdown, and maintenance the generator breaker remains open. The main ac power is provided by the preferred power supply from the high-voltage switchyard (switchyard voltage is site-specific) through the plant main step up transformers and two unit auxiliary transformers. Each unit auxiliary transformer supplies power to about 50 percent of the plant loads.

A maintenance source is provided to supply power through two reserve auxiliary transformers. The maintenance source and the primary voltage of the associated reserve auxiliary transformers are site specific. The reserve auxiliary transformers are sized so that they can be used in place of the unit auxiliary transformers.

The onsite standby power system, powered by the two onsite standby diesel generators, supplies power to selected loads in the event of loss of the normal and preferred ac power supplies followed by a fast bus transfer to the reserve auxiliary transformers. Those loads that are priority loads for defence-in-depth functions based on their specific functions (termed permanent non-safety loads) are assigned to buses ES1 and ES2. These plant permanent non-safety loads are divided into two functionally redundant load groups (the degree of redundancy for each load is described in the sections for the respective systems). Each load group is connected to either bus ES1 or ES2. Each bus is backed by a non-class 1E onsite standby diesel generator. In the event of a loss of voltage on these buses, the diesel generators are automatically started and connected to the respective buses. In the event where a fast bus transfer initiates but fails to complete, the diesel generator will start on an undervoltage signal; however, if a successful residual voltage transfer occurs, the diesel generator will not be connected to the bus because the successful residual voltage transfer will provide power to the bus before the diesel connection time of 2 minutes. The source incoming breakers on switchgear ES1 and ES2 are interlocked to prevent inadvertent connection of the onsite standby diesel generator and the preferred/maintenance ac power sources to the high voltage buses at the same time. The diesel generator, however, is capable of being manually paralleled with the preferred or reserve power supply for periodic testing. Design provisions protect the diesel generators from excessive loading beyond the design maximum rating, should the preferred power be lost during periodic testing. The control scheme, while protecting the diesel generators from excessive loading, does not compromise the onsite power supply capabilities to support the defence-in-depth loads. See section 8.3.1.1.2 of Reference 6.1 for starting and load sequencing of standby diesel generators.

Two ancillary ac diesel generators, located in the annex building, provide ac power for class 1E post-accident monitoring, MCR lighting, MCR and I&C room ventilation, and pump power to refill the PCS water storage tank and the spent fuel pool, when all other sources of power are not available.

Each ancillary ac generator output is connected to a distribution panel. The distribution panel is located in the room housing the diesel generators. Each distribution panel has the following outgoing connections:

• Connection for Class 1 voltage regulating transformer to power the post-accident monitoring loads, the lighting in the main control room, and ventilation in the main control room and divisions B and C I&C rooms.

• Connection for PCS recirculation pump to refill the PCS water storage tank and the spent fuel pool.

• Connection for local loads to support operation of the ancillary generator (lighting and fuel tank heating).

• Temporary connection for a test load device (e.g. load resistor).

6.8.4 Onsite Standby Power System

6.8.4.1 Description

Two onsite standby diesel generator units, each furnished with its own support subsystems, provide power to the selected plant ac loads. Power supplies to the components of each diesel generator's subsystems are provided from separate sources to maintain reliability and operability of the onsite standby power system.

Each of the generators is directly coupled to the diesel engine. Each diesel generator unit is an independent self-contained system complete with necessary support subsystems that include:

• Diesel engine starting subsystem.

• Combustion air intake and engine exhaust subsystem.

• Engine cooling subsystem.

• Engine lubricating oil subsystem.

• Engine speed control subsystem.

• Generator, exciter, generator protection, monitoring instruments, and controls subsystems.

The support subsystems are described in detail in section 8.3.1.1.2.1 of Reference 6.1.


6.8.4.2 Design Requirements

The following design requirement for the ZOS provides post-fault defence-in-depth:

• The ZOS provides ac power to the IDS and to selected electrical components of the plant defence-in-depth systems.

6.8.4.3 Substantiation

Each generator's continuous rating is based on supplying the electrical ac loads listed in Tables 8.3.1-1 and 8.3.1-2 of Reference 6.1, which include the IDS dc system, the UPS system and selected defence-in-depth components.

The loads shown in Tables 8.3.1-1 and 8.3.1-2 of Reference 6.1 represent a set of loads which provide shutdown capability using plant duty or defence-in-depth systems. The generators can also provide power for additional investment protection ac loads. The plant operator would normally provide power to these loads by de-energizing one of those system components that are redundantly supplied by both diesel generators. The diesel generator design is compatible with the step loading requirements identified in Tables 8.3.1-1 and 8.3.1-2 of Reference 6.1. The generator exciter and voltage regulator systems are capable of providing full voltage control during operating conditions, including postulated fault conditions.

The diesel generator unit starts automatically on receipt of an undervoltage signal, or can be started manually by the operator, and is able to reach rated speed and voltage and be ready to accept electrical loads within 120 seconds after a start signal. Each generator has an automatic load sequencer to enable controlled loading of the generator. The automatic load sequencer connects selected loads at predetermined intervals. This feature allows recovery of generator voltage and frequency to rated values prior to the connection of the next load.
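The fast-transfer, undervoltage-start and breaker-interlock behaviour described for buses ES1 and ES2 in section 6.8.3, together with the 120-second readiness and automatic load sequencing described here, can be traced as a small event model. This is an added Python illustration, not part of the PCSR or of Westinghouse's design documentation; only the 120 s readiness time comes from the text, while the sequencer interval and load names are assumptions.

```python
"""Constructed event model of one onsite standby bus (ES1 or ES2).

Added illustration of the transfer / interlock / sequencing behaviour
described in the text. Only the 120 s diesel readiness time comes from the
PCSR; the sequencer step and the load names are assumptions.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

DIESEL_READY_S = 120.0   # PCSR: rated speed and voltage within 120 s of a start signal
SEQUENCER_STEP_S = 5.0   # assumption: interval between sequenced load connections
# Assumed load order; the real lists are Tables 8.3.1-1 and 8.3.1-2 of Reference 6.1
SEQUENCED_LOADS = ["IDS battery chargers", "UPS", "selected defence-in-depth loads"]


@dataclass
class StandbyBus:
    name: str
    incoming_closed: bool = True        # preferred or maintenance source breaker
    diesel_closed: bool = False         # onsite standby diesel generator breaker
    diesel_started_at: Optional[float] = None
    test_parallel: bool = False         # manual test alignment allows paralleling
    connected_loads: List[Tuple[float, str]] = field(default_factory=list)
    log: List[Tuple[float, str]] = field(default_factory=list)

    def energized(self) -> bool:
        return self.incoming_closed or self.diesel_closed

    def close_diesel_breaker(self, t: float) -> bool:
        """Interlock: the diesel may not feed the bus together with the
        preferred/maintenance source unless manually aligned for testing."""
        if self.incoming_closed and not self.test_parallel:
            self.log.append((t, "diesel breaker close blocked by interlock"))
            return False
        self.diesel_closed = True
        self.log.append((t, "diesel breaker closed"))
        return True

    def sequence_loads(self, t0: float) -> None:
        """Automatic load sequencer: one load per step so voltage and
        frequency can recover before the next connection."""
        for i, load in enumerate(SEQUENCED_LOADS):
            self.connected_loads.append((t0 + i * SEQUENCER_STEP_S, load))


def simulate_loss_of_preferred(fast_transfer_ok: bool,
                               residual_transfer_at: Optional[float]) -> StandbyBus:
    """Lose the preferred source at t = 0 and return the bus state once the
    diesel readiness timer has run out.

    fast_transfer_ok     -- the fast bus transfer to the reserve transformer completes
    residual_transfer_at -- time (s) at which a slower residual-voltage transfer
                            succeeds, or None if no transfer ever completes
    """
    bus = StandbyBus("ES1")
    bus.incoming_closed = False
    bus.log.append((0.0, "preferred source lost; fast transfer initiated"))
    if fast_transfer_ok:
        bus.incoming_closed = True           # reserve transformer feeds the bus
        bus.log.append((0.0, "fast transfer complete; no undervoltage"))
        return bus
    # Fast transfer failed: the bus undervoltage signal starts the diesel.
    bus.diesel_started_at = 0.0
    bus.log.append((0.0, "bus undervoltage; diesel start signal"))
    t_ready = bus.diesel_started_at + DIESEL_READY_S
    if residual_transfer_at is not None and residual_transfer_at < t_ready:
        # Residual voltage transfer re-energizes the bus before the diesel is ready.
        bus.incoming_closed = True
        bus.log.append((residual_transfer_at, "residual voltage transfer complete"))
    if bus.energized():
        bus.log.append((t_ready, "diesel ready but bus already powered; not connected"))
        return bus
    if bus.close_diesel_breaker(t_ready):
        bus.sequence_loads(t_ready)
    return bus


def source_feeding(bus: StandbyBus) -> str:
    """Which source currently feeds the bus."""
    if bus.diesel_closed and bus.incoming_closed:
        return "parallel"
    if bus.diesel_closed:
        return "diesel"
    if bus.incoming_closed:
        return "transformer"
    return "dead"


if __name__ == "__main__":
    for ok, residual in ((True, None), (False, 30.0), (False, None)):
        b = simulate_loss_of_preferred(ok, residual)
        print(ok, residual, "->", source_feeding(b), b.connected_loads)
```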

The onsite standby diesel generators are provided with necessary controls and indicators for local or remote monitoring of the operation of the units. Essential parameters are monitored and alarmed in the main control room via the plant data display and processing system as described in Chapter 7 of Reference 6.1. Indications and alarms that are available locally and in the main control room are listed in Table 8.3.1-5 of Reference 6.1.

6.8.5 Cathodic Protection System

The cathodic protection system protects the external surfaces of metal tanks in contact with the ground. The need for such a system will be assessed on a site-by-site basis in the relevant site-specific PCSR.

6.8.6 Excitation and Voltage Regulation System

The excitation and voltage regulation system (ZVS) is a static excitation system using a thyristor full-bridge rectifier. Excitation power is fed from the generator through the excitation transformer. The excitation transformer is an outdoor-type unit and will be located next to the turbine building. After the voltage is stepped down at the excitation transformer, ac current from the generator is rectified by the thyristor rectifier.

The ZVS has no design requirements associated with safety.


6.8.7 Grounding and Lightning Protection System

The station grounding grid subsystem consists of buried, interconnected bare copper conductors and ground rods (copperweld) forming a plant ground grid matrix. The subsystem will maintain a uniform ground potential and limit the step-and-touch potentials to safe values under fault conditions.

The lightning protection system, consisting of air terminals and ground conductors, will be provided for the protection of exposed structures and buildings housing safety significant and fire protection equipment. Also, lightning arresters are provided in each phase of the transmission lines and at the high-voltage terminals of the outdoor transformers. The isophase bus connecting the main generator and the main transformer and the medium-voltage switchgear is provided with lightning arresters. In addition, surge suppressors are provided to protect the plant instrumentation and monitoring system from lightning-induced surges in the signal and power cables connected to devices located outside.

The design of the grounding grid system and the lightning protection system depends on the soil resistivity and lightning activity in the area. Therefore, the design of both systems is site-specific, and will be addressed in the site-specific PCSR.

6.8.8 Lighting System

The plant lighting system includes normal, emergency, panel, and security lighting. The normal lighting provides normal illumination during plant operating, maintenance, and test conditions. The emergency lighting provides illumination in areas where emergency operations are performed upon loss of normal lighting. The panel lighting in the control room is designed to provide the minimum illumination required at the safety panels.

The plant lighting system has no design requirements associated with safety.

6.8.9 Plant Security System

The physical security system provides physical features to detect, delay, assist response to, and defend against the design basis threat (DBT) for radiological sabotage. The physical security system consists of physical barriers and an intrusion detection system. The details of the physical security system are protected information. The physical security system provides protection for vital equipment and plant personnel.

The plant security system has no design requirements associated with safety.

6.8.10 Special Process Heat Tracing System

The special process heat trace system provides electrical heating where temperature above ambient is required for system operation and freeze protection.

The special process heat tracing system has no design requirements associated with safety.

6.9 HVAC Systems

The following systems are addressed in this section of the document:

• Annex/auxiliary building nonradioactive ventilation system.


• Central chilled water system.

• Containment air filtration system.

• Containment recirculation cooling system.

• Diesel generator building ventilation system.

• Health physics and hot machine shop HVAC system.

• Hot water heating system.

• Nuclear island nonradioactive ventilation system.

• Radiologically controlled area ventilation system.

• Radwaste building HVAC system.

• Turbine island building ventilation system.

6.9.1 Annex/Auxiliary Building Nonradioactive Ventilation System

The annex/auxiliary buildings nonradioactive HVAC system serves the nonradioactive personnel and equipment areas, electrical equipment rooms, clean corridors, the ancillary diesel generator room and demineralised water deoxygenating room in the annex building, and the main steam isolation valve compartments, reactor trip switchgear rooms, and piping and electrical penetration areas in the auxiliary building.

The annex/auxiliary buildings nonradioactive HVAC system consists of the following independent subsystems:

• General area HVAC subsystem.

• Switchgear room HVAC subsystem.

• Equipment room HVAC subsystem.

• MSIV compartment HVAC subsystem.

• Mechanical equipment areas HVAC subsystem.

• Valve/piping penetration room HVAC subsystem.

The annex/auxiliary building nonradioactive HVAC system has no design requirements associated with safety.

6.9.2 Central Chilled Water System

The HVAC systems require chilled water as a cooling medium to satisfy the ambient air temperature requirements for the plant. The central chilled water system (VWS) supplies chilled water to the HVAC systems and is functional during reactor full-power and shutdown operation.

The VWS has no design requirements associated with safety.


6.9.3 Containment Air Filtration System

6.9.3.1 Description

The containment air filtration system (VFS) serves the containment, the fuel handling area and the other radiologically controlled areas of the auxiliary and annex buildings, except for the hot machine shop and health physics areas which are served by a separate ventilation system.

The containment air filtration system consists of two 100 percent capacity supply air handling units, a ducted supply and exhaust air system with containment isolation valves and piping, registers, exhaust fans, filtration units, automatic controls and accessories. The supply air handling units are located in the south air handling equipment room of the annex building.

6.9.3.2 Design Requirements

The following design requirements for the VFS support safe operation of the plant during normal operation:

• The VFS must provide intermittent flow of outdoor air to purge the containment atmosphere of airborne radioactivity during normal plant operation, and continuous flow during hot or cold plant shutdown conditions to provide an acceptable airborne radioactivity level prior to personnel access.

• The VFS must direct the exhaust air from the containment atmosphere to the plant vent for monitoring, and provide filtration to limit the release of airborne radioactivity at the site boundary to within acceptable levels.

The following design requirements for VFS support safe shutdown of the plant during fault conditions:

• The VFS must be capable of being isolated by the containment isolation system.

6.9.3.3 Substantiation

Containment Ventilation

During normal plant operation, the containment air filtration system is operated periodically to purge the containment atmosphere, to reduce airborne radioactivity or to maintain the containment pressure within its normal operating range. One supply air handling unit provides filtered outdoor air to the containment areas above the operating floor. The airflow rate is controlled to a constant value by modulating the supply fan inlet vanes to compensate for filter loading or changes in containment pressure.

The exhaust air filtration units consist of an electric heater, an upstream high (80%) efficiency filter bank, a 99.97% efficiency HEPA filter bank, a 90% decontamination efficiency charcoal adsorber, a downstream 95% efficiency postfilter bank, and an exhaust fan. The filtration unit configurations, including housing, internal components, ductwork, dampers, fans, and controls, are designed, constructed, and tested to meet the applicable performance requirements.

The airflow rate through the filters is controlled to a constant value by modulating the exhaust fan inlet vanes to compensate for filter loading or changes in system resistance caused by single or parallel fan operation, or changes in containment pressure. The exhaust lines from the containment include a pair of isolation dampers arranged in parallel to restrict the airflow to maintain the exhaust filter plenums at a negative air pressure when the containment is positively pressurised. Based on predetermined setpoints, the operators select the appropriate damper to open. This prevents unfiltered air from exfiltrating past the filters.

Prior to and during plant shutdown, one or both trains of the containment air filtration system can be operated to remove airborne radioactivity prior to personnel access. During cold ambient conditions, the supply air is heated by the hot water heating system. The exhaust filter unit electric heater controls the relative humidity of the exhaust air entering the charcoal adsorber below 70 percent. The filtered exhaust air from the containment is discharged to the atmosphere through the plant vent by the exhaust fan. The gaseous effluents in the plant vent are monitored for radioactivity levels before the air is discharged to the environment. See section 6.5.17 for details of the radiation monitoring system.

When both trains are operated concurrently, the containment air filtration system provides a maximum airflow rate equivalent to approximately 0.21 air changes per hour (see section 9.4.7.2.3 of Reference 6.1).

Containment Isolation

The VFS containment penetrations include containment isolation valves on both sides of containment. These containment isolation valves have air operators. The valves are designed to fail closed in the event of loss of electrical power or air pressure. The valves are actuated by the containment isolation system.

See section 9.4.7.2.2 of Reference 6.1 for further details.

6.9.4 Containment Recirculation Cooling System

The containment recirculation cooling system controls building air temperature and humidity to provide a suitable environment for equipment operability during normal operation and shutdown.

The containment recirculation cooling system is comprised of two 100 percent capacity skid mounted fan coil unit assemblies with a total of four 50 percent capacity fan coil units which connect to a common duct ring header and distribution system.

The cross-connections between the central chilled water system piping for containment cooling and hot water heating system piping for containment heating are located outside the containment. The water piping inside containment is common to both the central chilled water system and hot water heating system.

The containment recirculation cooling system has no design requirements associated with safety.

6.9.5 Diesel Generator Building Ventilation System

The diesel generator building heating and ventilation system serves the standby diesel generator rooms, electrical equipment service modules, and diesel fuel oil day tank vaults in the diesel generator building and the two diesel oil transfer modules located in the yard near the fuel oil storage tanks. Local area heating and ventilation equipment is used to condition the air to the stairwell and security room.

The system consists of the following subsystems:

• Normal heating and ventilation subsystem.


• Standby exhaust ventilation subsystem.

• Fuel oil day tank vault exhaust subsystem.

• Diesel oil transfer module enclosures ventilation and heating subsystem.

The diesel generator building heating and ventilation system has no design requirements associated with safety.

6.9.6 Health Physics and Hot Machine Shop HVAC System

6.9.6.1 Description

The health physics and hot machine shop HVAC system serves the annex building stairwell, the personnel decontamination area, the frisking and monitoring facilities, the containment access corridor, and other health physics facilities in the annex building. It also serves the hot machine shop in the annex building.

The health physics and hot machine shop HVAC system is a once-through ventilation system consisting of two integrated subsystems: a supply air system and an exhaust air system. The systems operate in conjunction with each other to satisfy the functional requirements of maintaining temperatures in the areas served while controlling air flow paths and area negative pressure.

6.9.6.2 Design Requirements

The following design requirements for the health physics and hot machine shop HVAC system support safe operation of the plant during normal operation:

• The health physics and hot machine shop HVAC system must provide control of air pressure in order to minimize the spread of airborne contaminants.

6.9.6.3 Substantiation

The supply air system consists of two 100% capacity air handling units, consisting of a low (25%) efficiency filter bank, a high (80%) efficiency filter bank, heating and cooling coils and a supply fan with automatic inlet valves.

The exhaust air system consists of two 100% capacity exhaust fans sized to allow the system to maintain a negative pressure (see section 9.4.11.2.1 of Reference 6.1).

During normal operation, one supply air handling unit and one exhaust fan operate continuously to control air pressures in the health physics and hot machine shop areas of the annex building.

The supply air flow is automatically modulated to maintain a negative pressure in the areas served with respect to the outdoors and to surrounding areas which do not have their exhausts monitored for radioactivity. Differential pressure controllers, with sensors in the general health physics area and sensors mounted outdoors (shielded from wind effects), modulate the automatic inlet vanes of the supply fan to maintain area negative pressure. In addition, a separate differential pressure controller with a sensor in the hot machine shop modulates a damper in the supply air duct to the hot machine shop to maintain a negative pressure in the shop with respect to outdoors and to surrounding areas which do not have their exhausts monitored for radioactivity.


6.9.7 Hot Water Heating System

The hot water heating system (VYS) supplies heated water to selected air handling units and unit heaters in the plant during cold weather operation, and to the containment recirculating fan coil units during cold weather plant outages.

Major components of the heating system include heat exchangers, pumps, a surge tank, and provisions for chemical feed. The hot water heating system consists of a heat transfer package for the production of hot water and a distribution system to the various HVAC systems and unit heaters.

The VYS has no design requirements associated with safety.

6.9.8 Nuclear Island Nonradioactive Ventilation System

6.9.8.1 Description

The Nuclear Island nonradioactive ventilation system (VBS) serves the MCR, control support area (CSA), dc equipment rooms, I&C rooms, electrical penetration rooms, battery rooms, remote shutdown room, reactor coolant pump trip switchgear rooms, adjacent corridors, and the PCS valve room during normal plant operation.

The nuclear island nonradioactive ventilation system is shown in Figure 9.4.1-1 of Reference 6.1. The system consists of the following independent subsystems:

• Main control room/control support area HVAC subsystem.

• Class 1E electrical room HVAC subsystem.

• Passive containment cooling system valve room heating and ventilation subsystem.

6.9.8.2 Design Requirements

The Nuclear Island nonradioactive ventilation system has the following requirements during normal plant operation or as defence in depth capability for fault scenarios:

Main Control Room/Control Support Area (CSA) Areas

The nuclear island nonradioactive ventilation system provides the following specific functions:

• Controls the main control room and control support area relative humidity between 25 and 60 percent.

• Maintains the main control room and CSA areas at a slightly positive pressure with respect to the adjacent rooms and outside environment during normal operations to prevent infiltration of unmonitored air into the main control room and CSA areas.

• Isolates the main control room and/or CSA area from the normal outdoor air intake and provides filtered outdoor air to pressurize the main control room and CSA areas to a positive pressure when a high gaseous radioactivity concentration is detected in the main control room supply air duct.


• Isolates the main control room and/or CSA area from the normal outdoor air intake and provides 100 percent recirculation air to the main control room and CSA areas when a high concentration of smoke is detected in the outside air intake.

• Provides smoke removal capability for the main control room and control support area.

• Maintains the main control room emergency habitability system passive cooling heat sink below its initial design ambient air temperature limit.

• Maintains the main control room/control support area carbon dioxide levels below 0.5 percent concentration.

The background noise level in the main control room does not exceed 65 dB(A) when the VBS is operating.

The system maintains the room temperatures within limits based on the maximum and minimum outside air safety temperature conditions.

Class 1E Electrical Rooms/Remote Shutdown Room

The nuclear island nonradioactive ventilation system provides the following specific functions:

• Exhausts air from the Class 1E battery rooms to limit the concentration of hydrogen gas to less than 2 percent by volume.

• Maintains the Class 1E electrical room emergency passive cooling heat sink below its initial design ambient air temperature limit.

• Provides smoke removal capability for the Class 1E electrical equipment rooms and battery rooms.

The background noise level in the remote shutdown room does not exceed 65 dB(A) when the VBS is operating.

The system maintains the room temperatures within limits based on the maximum and minimum outside air safety temperature conditions.

Passive Containment Cooling System Valve Room

The subsystem maintains the room temperatures within limits based on the maximum and minimum outside air safety temperature conditions.

Post-72-Hour Design Basis

Main Control Room

The specific function of the nuclear island nonradioactive ventilation system is to maintain the control room below a temperature approximately 4.5°F above the average outdoor air temperature.


Divisions B and C Instrumentation and Control Rooms Design Basis

The specific function of the nuclear island nonradioactive ventilation system is to maintain the I&C rooms below the qualification temperature of the I&C equipment.

The nuclear island nonradioactive ventilation system provides the following safety significant design basis functions:

• Monitors the main control room supply air for radioactive particulate and iodine concentrations.

• Isolates the HVAC penetrations in the main control room boundary on high-high particulate or iodine concentrations in the main control room supply air, or when the pressurizer pressure falls below the low setpoint, or on extended loss of ac power, to support operation of the main control room emergency habitability system.

6.9.8.3 Substantiation

Main Control Room/Control Support Area (CSA) Areas

During normal plant operation, one of the two 100 percent capacity supply air handling units and return/exhaust air fans operates continuously. Outside makeup air supply to the supply air handling units is provided through an outside air intake duct. The outside airflow rate is automatically controlled to maintain the main control room and CSA areas at a slightly positive pressure with respect to the surrounding areas and the outside environment.

The main control room/control support area supply air handling units are sized to provide cooling air for personnel comfort, equipment cooling, and to maintain the main control room emergency habitability passive heat sink below its initial ambient air design temperature. The temperature of the air supplied by each air handling unit is controlled by temperature sensors located in the main control room return air duct and in the computer room B return air duct to maintain the ambient air design temperature within its normal design temperature range by modulating the electric heat or chilled water cooling. Some spaces have convection heaters for temperature control.

The outside air is continuously monitored by smoke monitors located at the outside air intake plenum and the return air is monitored for smoke upstream of the supply air handling units. The supply air to the main control room is continuously monitored for airborne radioactivity while the supplemental air filtration units remain in a standby operating mode.

For abnormal conditions, control actions are taken at two levels of radioactivity as detected in the main control room supply air duct. The first is "high" radioactivity based upon gaseous radioactivity instrumentation. The second is "high-high" radioactivity based upon either particulate or iodine radioactivity instruments.

If "high" gaseous radioactivity is detected in the main control room supply air duct and the main control room/control support area HVAC subsystem is operable, both supplemental air filtration units automatically start to pressurize the main control room and CSA areas with respect to the surrounding areas and the outside environment using filtered makeup air. After the room is pressurized, one of the supplemental air filtration units is manually shut down. The normal outside air makeup duct and the main control room and control support area toilet exhaust duct isolation dampers close. The smoke/purge exhaust isolation dampers close, if open. The main control room/control support area supply air handling unit continues to provide cooling with recirculation air to maintain the main control room passive heat sink below its initial ambient air design temperature and maintains the main control room and CSA areas within their design temperatures. The supplemental air filtration subsystem pressurizes the combined volume of the main control room and control support area concurrently with filtered outside air. A portion of the recirculation air from the main control room and control support area is also filtered for cleanup of airborne radioactivity. The main control room/control support area HVAC equipment and ductwork that form an extension of the main control room/control support area pressure boundary limit the overall infiltration (negative operating pressure) and exfiltration (positive operating pressure) rates. The system is designed to maintain personnel doses within allowable limits during design basis accidents in both the main control room and the control support area.

If ac power is unavailable for more than 10 minutes, pressurizer pressure falls below the low setpoint, or if "high-high" particulate or iodine radioactivity is detected in the main control room supply air duct, the protection and safety monitoring system automatically isolates the main control room from the normal main control room/control support area HVAC subsystem by closing the supply, return, and toilet exhaust isolation valves. Main control room habitability is maintained by the main control room emergency habitability system, which is discussed in Section 6.4.4 of this PCSR.

The main control room and CSA areas ventilation supply and return/exhaust ducts can be remotely or manually isolated from the main control room.

If a high concentration of smoke is detected in the outside air intake, an alarm is initiated in the main control room and the main control room/control support area HVAC subsystem is manually realigned to the recirculation mode by closing the outside air and toilet exhaust duct isolation valves. The main control room and control support area toilet exhaust fans are tripped upon closure of the isolation valves. The main control room/CSA areas are not pressurized when operating in the recirculation mode. The main control room/control support area HVAC supply air subsystem continues to provide cooling, ventilation, and temperature control to maintain the emergency habitability passive heat sink below its initial ambient air design temperature and maintains the main control room and CSA areas within their design temperatures.

In the event of a fire in the main control room or control support area, in response to heat from the fire or upon receipt of a smoke signal from an area smoke detector, the combination fire/smoke dampers close automatically to isolate the fire area. The subsystem continues to provide ventilation/cooling to the unaffected area and maintains the unaffected areas at a slightly positive pressure. The main control room/control support area HVAC subsystem can be manually realigned to the once-through ventilation mode to supply 100 percent outside air to the unaffected area. Realignment to the once-through ventilation mode minimizes the potential for migration of smoke or hot gas from the fire area to the unaffected area. Smoke and hot gases can be removed from the affected area by reopening the closed combination fire/smoke damper(s) from outside of the affected fire area during the once-through ventilation mode. In the once-through ventilation mode, the outside air intake damper to the air handling unit mixing plenum opens and the return air damper to the air handling unit closes to provide 100 percent outside air to the supply air handling unit. In this mode, the subsystem exhaust air isolation damper opens to exhaust the return air directly to the turbine building vent.

Power is supplied to the main control room/control support area HVAC subsystem by the plant ac electrical system. In the event of a loss of the plant ac electrical system, the main control room/control support area ventilation subsystem can be transferred to the onsite standby diesel generators. The convection heaters and duct heaters are not transferred to the onsite standby diesel generator.

Page 286: Westinghouse Nuclear - TITLE: AP1000 Pre-Construction ... PDFs...1.5 Quality Assurance Process followed during the Production of the Generic Pre-Construction Safety Report 1-12 1.5.1

AP1000 Pre-Construction Safety Report

UKP-GW-GL-732 6-118 Revision 2

When complete ac power is lost and the outside air is acceptable radiologically and chemically, MCR habitability is maintained by operating one of the two MCR ancillary fans to supply outside air to the MCR. It is expected that outside air will be acceptable within 72 hours following a radiological release. See subsection 6.4.2.2 of Reference 6.1 for details. The outside air pathway to the ancillary fans is provided through the nonradioactive ventilation system air intake opening located on the roof, the mechanical room, and the nonradioactive ventilation system supply duct. Warm air from the MCR is vented to the annex building through a stairway, into the remote shutdown room and the clean access corridor. The ancillary fan capacity and air flow rate maintain the MCR environment near the daily average outdoor air temperature. The ancillary fans and flow path are located within the auxiliary building, which is a Seismic Category I structure.

Power supply to the ancillary fans is from the respective division B or C regulating transformers which receive power from the ancillary diesel generators.

Class 1E Electrical Rooms/Remote Shutdown Room

During normal plant operation, one of the redundant supply air handling units, return fans, and battery room exhaust fans operate continuously to provide room temperature control, to maintain the Class 1E electrical room emergency passive heat sink below its initial ambient air temperature, and to purge and prevent build-up of hydrogen gas concentration in the Class 1E Battery Rooms. The temperature of the air supplied by each air handling unit is controlled by temperature sensors located in the return air duct to maintain the room air temperature within the normal design range by modulating electric heating or chilled water cooling. Duct heaters are controlled by temperature sensors located in the space served by the heater.

Abnormal conditions:

The operation of the Class 1E electrical room HVAC subsystem is not affected by the detection of airborne radioactivity in the main control room supply air duct of the main control room/control support area HVAC subsystem. During a design basis accident (DBA), if the plant ac electrical system is unavailable, the Class 1E electrical room passive heat sink provides area temperature control.

If a high concentration of smoke is detected in the outside air intake and an alarm is initiated in the main control room, the Class 1E electrical HVAC subsystem(s) can be manually aligned to the recirculation mode by closing the outside air intake damper to the air handling unit mixing plenum. This allows 100 percent room air to return to the supply air subsystem air handling unit. The subsystem continues to provide cooling, ventilation, and temperature control to maintain the areas served by the subsystem(s) within their design temperatures and pressures.

In the event of a fire in a Class 1E electrical room, in response to heat from the fire or upon receipt of a smoke signal from an area smoke detector, the combination fire/smoke dampers close automatically to isolate the fire area. The affected subsystem continues to provide ventilation/cooling to the remaining areas and maintains the remaining areas at a slightly positive pressure. Either or both subsystems can be manually realigned to the once-through ventilation mode to supply 100 percent outside air to the unaffected areas. Realignment to the once-through ventilation mode minimizes the potential for migration of smoke and hot gases from a non-Class 1E electrical room or a Class 1E electrical room of one division into the Class 1E electrical room of another division. Smoke and hot gases can be removed from the affected areas by reopening the closed combination fire/smoke dampers from outside of the affected fire area during the once-through ventilation mode. In the once-through ventilation mode, the outside air intake damper to the air handling unit mixing plenum opens and the return air damper to the air handling unit closes to allow 100 percent outside air to the supply air handling unit. The subsystem exhaust air isolation damper also opens to exhaust room air directly to the turbine building vent. During a fire, the pressure difference across the doors in stairwells S01 and S02 is maintained by dedicated stairwell pressurization fans.

The power supplies to the Class 1E electrical room HVAC subsystem are provided by the plant ac electrical system and the onsite standby diesel generators. In the event of a loss of the plant ac electrical system, the Class 1E electrical room HVAC subsystem is automatically transferred to the onsite standby diesel generators. The convection heaters and duct heaters are not transferred to the onsite standby diesel generator. When complete ac power is lost, division B and C instrumentation and control room temperature is maintained by operating their respective ancillary fans to supply outside air to the I&C rooms. It is expected that outside air will be supplied within 72 hours following a radiological release. The outside air pathway to the ancillary fans is through the nonradioactive ventilation system outside air intake opening located on the roof, the mechanical room, stairway doors at two elevations, the access corridor, and the divisional battery rooms. The warm air is vented to the annex building through the clean access corridor. The outside air supply provides cooling and maintains room temperature below the qualification temperature of the I&C equipment. The ancillary fans and flow path are located within the auxiliary building which is a Seismic Category I structure.

Power supply to the ancillary fans is from the respective division B or C regulating transformers which receive power from the ancillary diesel generators.
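The operating modes and interlocks stated above for the MCR/CSA HVAC subsystem and for the Class 1E electrical room HVAC subsystem, as an added executable model (example code written for this page; it is not Westinghouse control logic and does not appear in the PCSR). It assumes mode names (normal, recirculation, once-through), area names ("MCR", "CSA", "div_B_rooms", "div_C_rooms") and a single operator action per realignment. The differences it encodes between the two subsystems are the ones the text states: whether the served areas stay pressurised in recirculation mode, whether transfer to the standby diesels is automatic or an operator action, and the toilet exhaust fan trip. The violations() method flags a damper/fan/power state that contradicts those rules, which is the check a reviewer of the control logic would want to run against any proposed state.

```python
# Added example: executable mode/interlock model of the MCR/CSA HVAC and Class 1E
# electrical room HVAC subsystems described above.  Mode, damper and area names are
# assumptions chosen to mirror the text; this is not Westinghouse control logic.
from dataclasses import dataclass, field
from enum import Enum


class Mode(Enum):
    NORMAL = "normal"                 # outside air mixed with return air
    RECIRCULATION = "recirculation"   # intake smoke: outside air isolated
    ONCE_THROUGH = "once_through"     # 100 % outside air; return air to turbine building vent


class Power(Enum):
    PLANT_AC = "plant_ac"
    STANDBY_DIESEL = "standby_diesel"
    NONE = "none"


@dataclass
class Subsystem:
    areas: tuple                   # areas served, each behind a combination fire/smoke damper
    has_toilet_exhaust: bool       # MCR/CSA only
    pressurised_in_recirc: bool    # MCR/CSA: not pressurised; Class 1E: design pressures kept
    auto_transfer_to_diesel: bool  # Class 1E: automatic; MCR/CSA: operator action
    mode: Mode = Mode.NORMAL
    power: Power = Power.PLANT_AC
    outside_air_damper_open: bool = True
    return_air_damper_open: bool = True
    exhaust_isolation_damper_open: bool = False
    toilet_exhaust_fan_running: bool = False
    heaters_energised: bool = True
    fire_damper_closed: dict = field(default_factory=dict)

    def __post_init__(self):
        self.fire_damper_closed = {a: False for a in self.areas}
        self.toilet_exhaust_fan_running = self.has_toilet_exhaust

    def operator_select_recirculation(self):
        # response to the intake smoke alarm: close outside air and toilet exhaust
        # isolation; the toilet exhaust fans trip when their isolation valves close
        self.outside_air_damper_open, self.return_air_damper_open = False, True
        self.exhaust_isolation_damper_open = False
        self.toilet_exhaust_fan_running = False
        self.mode = Mode.RECIRCULATION

    def operator_select_once_through(self):
        # 100 % outside air to the unaffected areas; return air to the turbine building vent
        self.outside_air_damper_open, self.return_air_damper_open = True, False
        self.exhaust_isolation_damper_open = True
        self.mode = Mode.ONCE_THROUGH

    def area_fire_detected(self, area):
        self.fire_damper_closed[area] = True   # closes automatically on heat or area smoke

    def reopen_fire_damper(self, area):
        # permitted only in once-through mode, so smoke leaves through the exhaust
        # instead of being recirculated; returns True if the damper was reopened
        if self.mode is not Mode.ONCE_THROUGH:
            return False
        self.fire_damper_closed[area] = False
        return True

    def loss_of_plant_ac(self):
        self.power = Power.STANDBY_DIESEL if self.auto_transfer_to_diesel else Power.NONE
        self.heaters_energised = False         # heaters are never transferred to the diesels

    def transfer_to_diesel(self):
        if self.power is Power.NONE:           # operator action for MCR/CSA
            self.power = Power.STANDBY_DIESEL

    def pressurised_areas(self):
        # areas held at slightly positive pressure in the current state
        if self.power is Power.NONE or (self.mode is Mode.RECIRCULATION
                                        and not self.pressurised_in_recirc):
            return set()
        return {a for a, closed in self.fire_damper_closed.items() if not closed}

    def violations(self):
        # interlock checks; an empty list means the damper/fan/power state is consistent
        v = []
        if self.mode is Mode.RECIRCULATION and self.outside_air_damper_open:
            v.append("recirculation with outside air damper open")
        if (self.mode is Mode.ONCE_THROUGH) != self.exhaust_isolation_damper_open:
            v.append("exhaust isolation damper state does not match mode")
        if self.mode is Mode.ONCE_THROUGH and self.return_air_damper_open:
            v.append("once-through with return air damper open")
        if self.mode is Mode.RECIRCULATION and self.toilet_exhaust_fan_running:
            v.append("toilet exhaust fan running with its isolation valve closed")
        if self.power is not Power.PLANT_AC and self.heaters_energised:
            v.append("heaters energised without plant ac power")
        return v


def mcr_csa():
    return Subsystem(("MCR", "CSA"), True, False, False)


def class_1e():   # two divisions shown; an assumption for the example
    return Subsystem(("div_B_rooms", "div_C_rooms"), False, True, True)
```

Driving it: on `mcr_csa()` a call to `area_fire_detected("CSA")` leaves only "MCR" in `pressurised_areas()`, and `reopen_fire_damper("CSA")` returns False until `operator_select_once_through()` has been called. After `operator_select_recirculation()` the MCR/CSA instance reports no pressurised areas while the Class 1E instance keeps both, matching the two paragraphs above. `loss_of_plant_ac()` leaves the MCR/CSA instance at `Power.NONE` until `transfer_to_diesel()`, whereas the Class 1E instance goes straight to `Power.STANDBY_DIESEL`; in both cases the heaters stay de-energised and `violations()` stays empty.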

Passive Containment Cooling System Valve Room

During normal operation the passive containment cooling system valve room ventilation fan exhausts room air to the outside environment to maintain room temperature within its normal design temperature range.

When heating is required, one of the two redundant electric unit heaters provides heating to maintain the passive containment cooling system valve room temperature above its minimum design temperature. The lead electric unit heater starts or stops when the room air temperature is above or below predetermined setpoints. The standby electric unit heater starts automatically if the room air temperature drops below a predetermined setpoint.

Abnormal conditions:

The power supplies to the passive containment cooling system valve room unit heaters are provided by the plant ac electrical system and the onsite standby diesel generators. In the event of a loss of the plant ac electrical system, the passive containment cooling system valve room unit heaters can be transferred to the onsite standby diesel generators by the operator.

The power supply to the passive containment cooling system valve room ventilation fan is provided by the plant ac electrical system. The room temperature is not expected to exceed 120°F, based on maximum ambient conditions and internal heat sources.

Following a fire in the passive containment cooling system valve room, smoke and hot gases can be removed from the area using portable exhaust fans and flexible ductwork.

6.9.9 Radiologically Controlled Area Ventilation System

6.9.9.1 Description

The radiologically controlled area ventilation system (VAS) serves the fuel handling area of the Auxiliary Building, and the radiologically controlled portions of the Auxiliary and Annex Buildings, except for the health physics and hot machine shop areas which are provided with a separate ventilation system (VHS).

The radiologically controlled area ventilation system consists of the following subsystems:

• Auxiliary/Annex Building ventilation subsystem.

• Fuel handling area ventilation subsystem.

6.9.9.2 Design Requirements

The following design requirements for the VAS support safe operation of the plant under normal conditions:

• The VAS must provide control of air pressure in order to minimize the spread of airborne contaminants.

6.9.9.3 Substantiation

During normal plant operation, both supply air handling units and both exhaust fans on both ventilation subsystems operate continuously to ventilate the areas served on a once-through basis. The supply airflow rate is modulated to maintain the areas served at a slightly negative pressure differential with respect to the outside environment. The exhaust air is unfiltered and directed to the plant vent for discharge and monitoring of offsite gaseous releases.

The Auxiliary/Annex Building ventilation subsystem exhaust air ductwork is routed to minimize the spread of airborne contamination by directing the supply airflow from the low radiation access areas into the radioactive equipment and piping rooms with a greater potential for airborne radioactivity. Additionally, the exhaust air ductwork is connected to the radioactive waste drain system sump to maintain the sump atmosphere at a negative air pressure to prevent the exfiltration of potentially contaminated air into the surrounding area. The exhaust air ductwork is connected to the radwaste effluent holdup tanks to prevent the potential buildup of airborne radioactivity or hydrogen gas within these tanks. The exhaust fans discharge the exhaust air into the plant vent for monitoring of offsite airborne radiological releases.

The fuel handling area ventilation subsystem supply and exhaust ductwork is arranged to exhaust the spent fuel pool plume and to provide directional airflow from the rail car bay/filter storage area into the spent resin equipment rooms. The exhaust fans discharge the normally unfiltered exhaust air into the plant vent for monitoring of offsite airborne gaseous and other radiological releases.

6.9.10 Radwaste Building HVAC System

6.9.10.1 Description

The Radwaste Building HVAC system serves the Radwaste Building which includes the clean electrical/mechanical equipment room and the potentially contaminated HVAC equipment room, the packaged waste storage room, the waste accumulation room, and the mobile systems facility.

The radwaste building HVAC system is a once-through ventilation system that consists of two integrated subsystems: the radwaste building supply air system and the radwaste building exhaust air system. The two operate in conjunction to maintain temperatures in the areas served while controlling air flow paths and building negative pressure.

6.9.10.2 Design Requirements

The following design requirements for the radwaste building HVAC support safe operation of the plant during normal conditions:

• The Radwaste Building HVAC system must collect the vented discharges from potentially contaminated equipment.

• The Radwaste Building HVAC system must maintain the radwaste building at a negative pressure with respect to ambient to prevent unmonitored releases from the radwaste building.

6.9.10.3 Substantiation

During normal operation, both supply air handling units and both exhaust fans operate continuously to maintain suitable temperatures in the radwaste building. The radwaste building supply air flow through the inlet vanes of the supply fans is modulated automatically by the differential pressure controllers to maintain the building at a negative pressure relative to the outdoors. Sensors for the controllers are mounted in the general building area.

6.9.11 Turbine Island Building Ventilation System

The turbine building ventilation system (VTS) operates during startup, shutdown, and normal plant operations. The system maintains acceptable air temperatures in the turbine building for equipment operation and for personnel working in the building.

The turbine building ventilation system consists of the following subsystems:

• General area heating, south bay equipment, and ventilation.

• Electrical equipment and personnel work area HVAC.

• Local area heating and ventilation (lube oil reservoir room ventilation, clean and dirty lube oil storage room ventilation, motor-driven fire pump room heating and ventilation, toilet area ventilation).

The VTS has no design requirements associated with safety.

6.10 Conclusion

This chapter describes the key plant associated with the AP1000 design. It addresses the key systems and components starting with the primary circuit, methodically describing them before going on to explain their design requirements and finally substantiating how these requirements are met. This process continues beyond the primary circuit to address in the same manner the engineered safety features, auxiliary systems, steam and power conversion systems, instrumentation and control, electrical power, and heating, ventilation and air conditioning.

It has thus justified the performance requirements of the key components, which in turn support the safety and environmental arguments for the AP1000 made in the accompanying chapters of this PCSR.

REFERENCES

6.1. WEC, EPS-GW-GL-700, Rev. 1, AP1000 European Design Control Document, December 2009.

6.2. WEC, WCAP-15613, AP1000 PIRT and Scaling Assessment Report, March 2001.

6.3. WEC, UKP-GW-GLR-001, Rev. 0, AP1000 Internal Hazards Topic Report, to be issued.

6.4. WEC, UKP-GW-GLR-TBC, AP1000 Spent Fuel Handling Topic Report, to be issued.

6.5. WEC, WCAP-15775, Rev. 2, AP1000 Instrumentation and Control Defence-in-Depth and Diversity Report, March 2003.

6.6. WEC, WCAP-16096-NP-A, Rev. 01A, Software Program Manual for Common Q Systems, January 2004.

6.7. WEC, WCAP-15776, Safety Criteria for the AP1000 Instrumentation and Control Systems, April 2002.

6.8. WEC, WCAP-12488-A, Fuel Criteria Evaluation Process, October 1994.

6.9. WEC, WCAP-10125-P-A, Extended Burnup Evaluation Report, December 1985.

6.10. EPRI, “NIS Passive Autocatalytic Recombiners Depletion Rate Equation for Evaluation of Hydrogen Recombination during AP600 Design Basis Accident,” EPRI ALWR Program, November 15, 1995.

6.11. EPRI, TR-107517, Volumes 1, 2, and 3, “Generic Model Tests of Passive Autocatalytic Recombiners for Combustible Gas Control in Nuclear Power Plants,” June 1997.

6.12. WEC, AP600 Standard Safety Analysis Report, June 1992.

6.13. WEC, UKP-GW-GLR-003, Rev. 0, AP1000 Fault Schedule for the United Kingdom, September 2009.

6.14. WEC, UKP-GW-GL-790, Rev. 2, UK AP1000 Environment Report, December 2009.

CHAPTER 7: DESCRIPTION OF THE CIVIL WORKS AND STRUCTURES AND THEIR DESIGN REQUIREMENTS FOR SAFETY

7.0 DESCRIPTION OF THE CIVIL WORKS AND STRUCTURES AND THEIR DESIGN REQUIREMENTS FOR SAFETY

This chapter describes the plant civil structures and their safety functions; it builds on the general description of the layout of the main civil structures presented in Chapter 2 of the PCSR.

Design requirements to enable structures to withstand internal and external hazards are presented in the respective External and Internal Hazard Topic Reports (References 7.1 and 7.2).

7.1 Introduction

The AP1000 is comprised of the following principal building structures:

• The nuclear island, which consists of:

o The free-standing steel containment building,

o The concrete shield building enclosing the containment building

o The auxiliary building

• The non-nuclear island, which consists of:

o The turbine building

o The annex building

o The diesel generator building

o The radwaste building

7.2 Nuclear Island Structures

The nuclear island structures include the containment (the steel containment vessel and the containment internal structure) and the shield and auxiliary buildings. The containment, shield and auxiliary buildings are structurally integrated on a common basemat, which is embedded below the finished plant grade level.

The containment vessel is a cylindrical welded steel vessel with elliptical upper and lower heads, supported by embedding a lower segment between the containment internal structures concrete and the basemat concrete. The containment internal structure is reinforced concrete with structural modules used for some walls and floors.

The shield building is a concrete and steel structure and, in conjunction with the internal structures of the containment building, provides shielding for the reactor coolant system (RCS) and the other radioactive systems and components housed in the containment. The shield building roof is a concrete and steel structure containing an integral, steel lined passive containment cooling water storage tank. The auxiliary building is reinforced concrete and houses the safety class 1 mechanical and electrical equipment located outside the containment and shield buildings.

Containment Building

The containment building comprises the containment vessel and the structures contained within the containment vessel. The containment building is designed to house the RCS and other related systems.

The containment building is an integral part of the overall containment system. Its functions are to contain the release of airborne radioactivity following postulated Design Basis Accidents (DBAs) and to provide shielding for the reactor core and the RCS during normal operations.

The containment building is a freestanding cylindrical steel containment vessel with elliptical upper and lower heads providing a high degree of leak tightness. It is surrounded by the concrete and steel shield building. There are two floor elevations (grade access maintenance floor and operating deck) and four lower equipment compartments within the containment building. Removable hatches are provided for access to equipment at other elevations. The In-containment Refuelling Water Storage Tank (IRWST) is located below the operating deck and has a capacity that exceeds the quantity of water required to accomplish safety functions or to fill the refuelling cavity during refuelling operations. Sub-section 6.4.5.4 (In-Containment Refuelling Water Storage Tank) in this PCSR provides more information about the design and associated requirements for the IRWST.

The containment vessel is an integral part of the Passive Containment Cooling System (PCS), which reduces the potential for radiological release to the environment.

The containment vessel and the PCS are designed to remove sufficient energy from the containment to prevent the containment from exceeding its design pressure following postulated DBAs.

Shield Building

The shield building is the structure that surrounds the containment vessel. During normal operations, a primary function of the shield building is to provide shielding for the radioactive systems and components located in the containment building.

The following items represent the significant features of the shield building and the annulus area:

• Shield building cylindrical structure

• Shield building roof structure

• Lower annulus area

• Middle annulus area

• Upper annulus area

• PCS air inlet

• PCS air inlet plenum

• PCS air diffuser

• PCS air baffle

The cylindrical section of the shield building serves as shielding and a missile barrier and is a key component of the PCS. It structurally supports the roof and is a major structural member for the entire nuclear island. Floor slabs and structural walls of the auxiliary building are structurally connected to the cylindrical section of the shield building.

The shield building, in conjunction with the internal structures of the containment building, provides the required shielding for the RCS and the other radioactive systems and components housed in the containment.

During accident conditions, the shield building provides the required shielding for radioactive airborne materials that may be dispersed in the containment as well as radioactive particles in the water distributed throughout the containment. The shield building is an integral part of the PCS.

The shield building shares a common basemat with the containment building and the auxiliary building.

A watertight seal is provided between the upper and middle annulus areas to provide an environmental barrier.

The middle annulus area contains the majority of containment penetrations and radioactive piping. This environmental barrier provides protection as follows:

• In the event of an accident or spurious actuation, the PCS drains the system water storage tank. The water, which runs down the outside of the containment vessel, is prevented from draining into the middle annulus area by the watertight seal. Drains are provided to direct the PCS run-off water out of the shield building. The design requirements for safety associated with the PCS are presented in section 6.4.3 of this PCSR.

• The PCS is designed to perform with the upper annulus permanently open to the environment to permit sufficient air flow through the shield building in the event of an accident. The watertight seal protects the middle annulus area from ambient environmental conditions.

The shield building is designed such that cooling air is circulated in accordance with the design intent.

The shield building roof is a steel and concrete conical shell supporting the PCS water storage tank and air diffuser. Air intakes are located at the top of the cylindrical portion of the shield building. The conical roof is constructed with a stainless steel liner. The air diffuser in the centre of the roof discharges containment cooling air directly upwards.

The PCS air baffle is located in the upper annulus area. It is attached to the cylindrical section of the containment vessel. The function of the PCS air baffle is to provide a pathway for natural circulation of cooling air in the event that a DBA results in a large release of energy into the containment. In this event the outer surface of the containment vessel transfers heat to the air between the baffle and the containment shell. This heated and thus lower density air flows up through the air baffle to the air diffuser, and cooler and higher density air is drawn into the shield building through the air inlets at the top cylindrical portion of the shield building.

Another function of the shield building is to protect the containment building from external hazards. The shield building protects the containment vessel and the RCS from the effects of a number of external hazards including tornadoes, tornado produced missiles and the impact of a large commercial aircraft.

Auxiliary Building

The primary function of the auxiliary building is to provide protection and separation for the safety class 1 mechanical and electrical equipment located outside the containment building.

The most significant equipment, systems, and functions contained within the auxiliary building are the following:

• Main control room

• Class 1 instrumentation and control systems

• Class 1 electrical system

• Fuel handling area

• Mechanical equipment areas

• Containment penetration areas

• Main steam and feed water isolation valve compartment.

The auxiliary building is a reinforced concrete structure. It shares a common basemat with the containment building and the shield building. The auxiliary building wraps around approximately 70% of the perimeter of the shield building. Floor slabs and the structural walls of the auxiliary building are structurally connected to the cylindrical section of the shield building.

The auxiliary building provides protection against the consequences of either a postulated internal or external event. The auxiliary building also provides shielding for the radioactive equipment and piping that is housed within the building.

Foundations

The nuclear island structures, consisting of the containment building, shield building and auxiliary building, are founded on a common reinforced concrete basemat foundation as discussed in Section 3.8.5 of the EDCD (Reference 7.3).

Adjoining buildings, such as the radwaste building, turbine building and annex building are structurally separated from the nuclear island structures. This provides space to prevent interaction between the nuclear island structures and the adjacent structures during a seismic event.

Resistance to sliding of the concrete basemat foundation is provided by passive soil pressure and soil friction. This provides the required factor of safety against lateral movement under the most stringent loading conditions.

For ease of construction, the foundation is built on a mud mat. The mud mat is lean, non-structural concrete and rests upon the load-bearing soil.

The nuclear island structures consist of vertical shear / bearing walls and horizontal floor slabs. The walls carry the vertical loads from the structure to the basemat. Lateral loads are transferred to the walls by the roof and floor slabs and the walls then transmit the loads to the basemat. The walls also provide stiffness to the basemat and distribute the foundation loads between them.

The design of the basemat consists primarily of applying the design loads to the structures, calculating shears and moments in the basemat, and determining the required reinforcement.

7.2.1 Design Requirements for Safety during Normal Operations

During normal operations, the nuclear island structures will be operated within the design parameters (Section 13.5 of the EDCD, Reference 7.3 gives details of normal operations). This ensures the safety of plant personnel and persons outside of the site boundary. The following design requirement is identified:

• The civil structure of the buildings will withstand normal and abnormal loads, including severe and extreme environmental loads, without preventing the safe shutdown of the plant.

Normal loads are those loads to be encountered, as specified, during initial construction stages, during test conditions, and later, during normal plant operation and shutdown. They include the following:

• Dead loads or their related internal moments and forces, including any permanent piping and equipment loads

• Lateral and vertical pressure of liquids or their related internal moments and forces

• Live loads or their related internal moments and forces, including any movable equipment loads and other loads that vary with intensity and occurrence

• Static earth pressure or its related internal moments and forces

• Thermal effects and loads during normal operating or shutdown conditions, based on the most critical transient or steady-state condition

• Piping and equipment reactions during normal operating or shutdown conditions, based on the most critical transient or steady-state condition.

7.2.2 Design Requirements for Safety during Fault Conditions

The following design requirements for safety during fault conditions have been identified:

• The containment vessel will withstand a design basis accident such that the release of radioactivity is limited.

• The nuclear island structures will withstand a seismic event with 0.3g peak ground acceleration.

The steel containment vessel is an integral part of the containment system and serves both to limit releases in the event of an accident and to provide the safety significant ultimate heat sink as discussed in Section 3.8.2 of the EDCD (Reference 7.3). This is achieved through compliance with the relevant design codes.

Stress analyses of the containment include the following loads:

• Dead load

• Internal and external pressure

• Seismic

• Polar crane wheel loads

• Wind loads

• Thermal loads.

Major loads that induce compressive stresses in the containment vessel are internal and external pressure and crane and seismic loads.

The containment system is designed for break sizes, up to and including the double-ended severance of a reactor coolant pipe or secondary side pipe, such that the containment peak pressure is below the design pressure of 0.407 MPa gauge (59 psig). This includes allowance for the worst single failure of the PCS. The containment integrity analyses can be found in section 6.2.1 of the EDCD (Reference 7.3).

7.2.3 Internal Hazards

The Internal Hazards Topic Report (Reference 7.1) identifies safety functional requirements that represent the design requirements on systems, structures and components (SSCs) that enable the key safety functions to be maintained or their loss to be protected against when challenged by internal hazards.

The reviews of each internal hazard, identifying the types of requirements that are placed on specific SSCs in the Topic Report, are summarised in Section 4.4.1 of this PCSR.

7.2.4 External Hazards

The External Hazards Topic Report (Reference 7.2) identifies claims on SSCs that represent design requirements enabling the key safety functions to be maintained or their loss to be protected against when challenged by external hazards. The External Hazards Topic Report contains the arguments and evidence associated with these claims.

The reviews of each external hazard, identifying the types of requirements that are placed on specific SSCs in the Topic Report, are summarised in Section 4.4.2 of this PCSR.

7.3 Non-Nuclear Island Structures

The non-nuclear island structures comprise the annex building, diesel generator building, radwaste building and turbine building. The non-nuclear island structures contain no safety class 1 equipment.

Annex Building

The annex building provides the main personnel entrance to the power generation complex. It includes access-ways for personnel and equipment to the clean areas of the nuclear island in the auxiliary building and to the radiological controlled area. The building includes the health physics facilities for the control of entry to and exit from the radiological controlled area as well as personnel support facilities such as locker rooms. The building also contains the class 1 ac and dc electrical power systems, other electrical equipment, the control support area and various Heating, Ventilation and Air Conditioning (HVAC) systems. Additionally, the annex building contains the ancillary diesel generators and their fuel supply and the diverse actuation system (DAS) processor cabinets, to which Sections 6.5 and 6.7 respectively refer.

That part of the annex building adjacent to the nuclear island is analysed and designed to prevent adverse interaction with the nuclear island structures for a 0.3g level earthquake.

Diesel Generator Building

The diesel generator building houses two identical slide-along diesel generators separated by a three hour fire wall. These generators provide backup power for plant operation in the event of disruption of normal power sources, to which section 6.8.4 refers.

Radwaste Building

The radwaste building includes facilities for segregated storage of various relatively low level categories of waste prior to processing and for storing processed waste in shipping and disposal containers.

The liquid radwaste processing areas are designed to contain any liquid spills, including a raised perimeter and floor drains that lead to the liquid radwaste system waste hold-up tanks. The foundation for the entire building is a reinforced concrete mat.

Turbine Building

The turbine building houses the main turbine, generator and associated fluid and electrical systems. It provides weather protection for the laydown and maintenance of major turbine / generator components. The turbine building also houses the make-up water purification system.

That part of the turbine building adjacent to the nuclear island is analysed and designed to prevent adverse interaction with the nuclear island structures for a 0.3g level earthquake.

7.4 Conclusion

This chapter has provided an overview of the buildings and civil structures of the AP1000. In particular, it describes the key nuclear island facilities that support the passive cooling features and also the design requirements imposed on them. Read in conjunction with Chapter 6 of this PCSR, this chapter provides a good overview of the functionality of the AP1000.

REFERENCES

7.1. WEC, UKP-GW-GLR-001, Rev 0, AP1000 Internal Hazards Topic Report (to be issued).

7.2. WEC, UKP-GW-GL-043, Rev 0, AP1000 External Hazards Topic Report, December 2009.

7.3. WEC, EPS-GW-GL-700, Rev 1, AP1000 European Design Control Document, December 2009.

CHAPTER 8: ALARP ASSESSMENT OF THE DESIGN OF THE AP1000

8.0 ALARP ASSESSMENT OF THE DESIGN OF THE AP1000

8.1 Introduction

8.1.1 Purpose

This chapter of the PCSR provides the arguments underlying the overarching claim that the AP1000 design results in nuclear safety risk that is reduced to as low as reasonably practicable (ALARP). In particular, the evolution of the design of the AP1000 has followed relevant good practice. The basic design was subsequently enhanced by using probabilistic risk assessment (PRA) to identify worthwhile improvements. Thus each of the principal design decisions is ALARP in its own right; and the identified potential further enhancements to its design are not justified on ALARP grounds. This chapter develops the arguments and provides the evidence substantiating this claim.

Westinghouse Electric Company (WEC) has developed the AP1000 design to have a comparable electric power production capability to existing nuclear power stations, but with a level of risk more than an order of magnitude better than the best stations currently operating. The current nuclear power stations are safer than their predecessors. They have achieved an acceptable level of risk by evolving ever-increasing complexity in their engineered safety features, but this complexity is subject to the law of diminishing returns. If taken too far in developing a new design, very low levels of risk might be achievable, but at a price so high that it would be uneconomical to build the nuclear power station. Westinghouse has taken an alternative approach in designing the AP1000: it has reduced complexity by making the engineered safety features passive rather than active to the maximum degree feasible, thereby achieving a very high level of safety and a simplified design. The essence of the ALARP justification presented here is to show that:

• The Westinghouse process has achieved a design for the AP1000 that is in accordance with relevant good nuclear engineering practice.

• The designers have included features that result in very low overall levels of risk throughout the life cycle of the power station.

• No other worthwhile design feature has been overlooked or needs to be incorporated in the design, because the resultant further reduction in risk would be achieved at a cost grossly disproportionate to the benefit realised.

This chapter includes significant references to the design and development of the AP1000 based around the US regulatory processes; this is for historical reasons arising from the evolution of the design. Westinghouse, via the PCSR and other supporting safety documentation, will demonstrate that the design of the AP1000 will meet the UK regulatory requirements.

8.1.2 Scope

The AP1000 is to be marketed throughout the world as a standard design, the balance of plant only varying for site-specific reasons or because of country-specific requirements such as the grid frequency or the measurement units in use. Such standardisation is of benefit in compiling the safety case and resolving technical issues that may arise during operation of the fleet of AP1000s.

The first AP1000 plant is already under construction in China. The design has also undergone design certification by the United States (US) Nuclear Regulatory Commission (NRC), albeit with some work still ongoing. This assessment shows that the design and development process of the AP1000 led to outcomes that are consistent with UK ALARP expectations.

The design variant that is presented in this PCSR is the European AP1000, as defined in the AP1000 European Design Control Document (Reference 8.1). This ALARP chapter addresses such a plant at the UK generic site. The ALARP principle for the AP1000 is currently managed by Westinghouse. In the future this role will progressively be taken over by the operating utilities, so the risks for individual AP1000 plants will continue to be managed to be ALARP during the detailed site-specific design, construction and operational phases.

8.1.3 Content

This ALARP assessment of the design of the AP1000 begins by exploring how the various standards defining current good practice have been applied to the design of the AP1000. These standards are considered over three levels:

• The legislative and regulatory requirements of what a nuclear power station must be able to achieve with respect to nuclear safety.

• The nuclear engineering good practice agreed and required by the US and European nuclear operators.

• The engineering codes and standards in normal use in the UK for the design and modification of nuclear power stations.

The next part of this document describes the evolution of the various features of the AP1000 design. There is a very substantial body of design and operational experience accumulated by Westinghouse plants over many years, culminating in the design development of the AP1000, a process that itself has been underway for the last two decades.

The defence in depth achieved by the AP1000 is presented next, to exemplify that its design fully complies with good international practice as specified in the Engineering Key Principles of the UK regulator.

The final part of the design evolution was driven by actively using the AP1000 risk model to seek design improvements to minimise the individual risks and achieve an optimised and balanced design.

Following on from this, each of the principal novel features of the AP1000 design, as identified in Reference 8.2 of this PCSR chapter, is reviewed in detail to ascertain the balance between its benefits and disadvantages, and a qualitative ALARP argument is developed for each.

The final part of this ALARP assessment of the design investigates whether further reduction in risk would be cost-effective. Several potential enhancements were identified, the Severe Accident Mitigation Design Alternatives (SAMDA), but only one of these was taken forward in the generic AP1000 because the others were not cost-beneficial based on ALARP principles. A quantitative cost-benefit analysis is applied to each of the SAMDA options, to show that its non-inclusion is ALARP for the AP1000 design proposed for the UK.

This chapter is supplemented by the following appendices:

Appendix 8.1: AP1000 Release Categories.

Appendix 8.2: URD Overall Objectives.

Appendix 8.3: Changes to the AP600 and AP1000 Designs Resulting from PRA.

Appendix 8.4: List of Potential UK AP1000 Design Improvements that were not taken Forward.

8.2 Use of Relevant Good Practice

8.2.1 Application of Standards Defining Good Practice

In an engineering context, a standard is a set of technical definitions or guidelines that defines the level of quality or excellence to be attained during the design, manufacture and operation of an engineering structure such as an AP1000 nuclear power station. A design code is a standard that has been formally adopted as an official regulation, and as such could be enforceable in law. The objective of this section is to show that the AP1000 has been designed to standards that lead to a level of nuclear safety in line with relevant good UK practice.

At the highest level, there are codes that define the expectations of the national safety authorities. These evolve over time, as technical developments result in ever-improving engineering capability and improved methods of analysis. At a lower level are the codes and standards developed in various countries specifically for nuclear facilities. It is shown that the US codes used in the AP1000 design are either already recognised and used in the UK, or are equivalent to ones that are (see AP1000 Equivalence/Maturity Study of the US Codes and Standards, Reference 8.11).

8.2.1.1 Regulatory Targets

The AP1000 has been designed to comply with the US regulatory requirements. However, the PCSR and other supporting documentation will demonstrate that the design will meet the UK regulatory requirements (see Section 1.9 of Chapter 1 of Reference 8.1 for more detailed information). At this level, these requirements are encompassed in nine US Code of Federal Regulations (CFR) documents:

The equivalent UK regulatory counterparts are the nine numerical targets and the five Engineering Key Principles within the NII Safety Assessment Principles (SAPs) (Reference 8.6). The SAPs provide numerical targets that cover the risks to people during normal operation, and risks arising from those faults assessed in the Design Basis Assessment and the PRA. Nine targets express the expectations of the regulator, and some of them are legal requirements. The design of the AP1000 is considered against each of the targets and the five Engineering Key Principles in the following passages.

SAPs Numerical Targets on the Risks to People during Normal Operation

Target 1 sets an upper limit on the annual collective dose for occupational radiation exposure from anticipated operational occurrences. Section 12.4.7 of this PCSR demonstrates that the AP1000 design easily satisfies this. Target 1 also sets limits and objectives on the annual dose an individual may receive for two groups of on-site employees: those working with ionising radiation, and other employees. Target 2 does the same for the average annual dose an individual working with ionising radiation may receive. Section 12.4.7 of this PCSR shows that the estimated dose values at an AP1000 are well below the limit but just above the objective. It then demonstrates that reasonably practicable design solutions and improvements have been implemented to minimise worker doses, and that there is no identified additional design measure that would reduce doses; furthermore, it is the responsibility of the site licensee to specifically manage the dose received by individual workers. Hence the anticipated doses with respect to these two targets are ALARP.

Target 3 addresses the annual dose any person off the site might receive from sources of ionising radiation on site. Section 12.4.7 of this PCSR shows that the AP1000 design is below the Basic Safety Objective and below the dose constraint by a factor of 15, demonstrating that the anticipated dose is ALARP.

SAPs Numerical Targets on the Risks Arising from Design Basis Initiating Events and from Radiological Accidents

Target 4 sets the limits on the effective annual dose for any person on site resulting from a Design Basis initiating event. Different targets are set for on-site and off-site individuals. The Basic Safety Level target varies according to the frequency band of the fault sequence. Section 5 of this PCSR assesses every Design Basis initiating event in the fault schedule. It concludes that the AP1000 Design Basis initiating events are below the Basic Safety Objective by such a factor that further ALARP justification would be grossly disproportionate.

Target 5 sets the limit on the risk of death for any person on site from an on-site accident that releases ionising radiation. Section 5 of this PCSR concludes that the risks for an AP1000 are about two orders of magnitude below the Basic Safety Objective, and thus further ALARP justification would be grossly disproportionate.

Target 6 sets limits and objectives on the frequency of occurrence of individual accidents that result in a dose to an individual on site. The limit varies with the predicted effective dose resulting from the accident. Section 5 of this PCSR reviews the AP1000 fault sequences and corresponding release categories, and concludes that the target is met.

Target 7 sets a limit on the risk of death for any person off site from an on-site accident that releases ionising radiation. Section 5 of this PCSR concludes that the risk of death is more than an order of magnitude below the Basic Safety Objective, and thus the target is met and further ALARP justification would be grossly disproportionate.

Target 8 sets the maximum value allowed for the total predicted frequency of accidents in the facility that result in a specific dose to an individual off site. Section 5 of this PCSR reviews the various release bands, and concludes that the frequency is below the Basic Safety Objective for each, usually by a few orders of magnitude. At this level, further ALARP justification would be grossly disproportionate. The target is thus satisfied.

Target 9 sets the limit on the risk of 100 or more deaths from an on-site accident that releases ionising radiation. Section 5 of this PCSR concludes that the AP1000 satisfies its own safety goal that bounds Target 9 by an order of magnitude. At this level, further ALARP justification would be grossly disproportionate.

Engineering Key Principle 1: Inherent Safety

“The underpinning safety aim for any nuclear facility should be an inherently safe design, consistent with the operational purposes of the facility. Inherent safety is one that avoids radiological hazards, through design or by arrangement, rather than by controlling them once they have occurred. Inherent safety is not the same thing as passive safety. Where inherently safe design is not achievable, the design should be fault tolerant.”

In essence, the first Engineering Key Principle is to avoid the hazard by means of good design. The driving design philosophy of the AP1000 was to keep it safe by using proven engineering and the simplest feasible design arrangement; that is to say, risk can be reduced by using well-established technologies and proven engineering techniques; and that the best path to safety is through the elimination of failure modes rather than adding more engineered safety features. Design decisions were made in favour of the safer solution, even if it were more expensive. Risk was made as low as practicable by making the safety systems simple, automatic, driven by natural forces and diverse from the systems that make power.

Wherever possible, the designers of the AP1000 designed out the potentially unsafe condition, rather than designing in a complicated recovery strategy. Likewise, the operator response was designed out for the Design Basis initiating events, thereby eliminating operator reliability from the accident sequence. A detailed description of these design features is provided in Section 8.4, with an ALARP justification for each.

Engineering Key Principle 2: Fault Tolerance

“The sensitivity of the facility to potential faults should be minimised. Any failure, process perturbation or maloperation in a facility should produce either a change in plant state towards a safer condition or no significant response. If the change should be to a less safe condition, then the time constants of the systems involved should be long, so that key parameters deviate only slowly from their desired values.”

The second Engineering Key Principle requires the design to be fault tolerant. This involves identifying those faults that might challenge the design, and then showing that the inherent characteristics of the design are such that most of the fault sequences do not develop to the point where they could challenge a safety function. Section 5.2 of the PCSR describes the fault identification process for the AP1000, and then lists the Design Basis initiating events so identified. The AP1000 list of faults is broadly similar to those of current generation pressurised water reactors (PWRs); what is different is that many of the required safety measures are passive, whereas they would be active systems for current generation plants. This is a significant improvement.

Engineering Key Principle 3: Defence in Depth

“A nuclear facility should be so designed and operated that defence in depth against potentially significant faults is achieved by the provision of several levels of protection.”

“Defence in depth is generally applied at five levels in the design of a facility. The methodology is such that, if one level fails, it will be compensated for, or corrected by, the subsequent level. The aims for each level of protection are described in detail in IAEA Safety Standard NS-R-1 (Reference 8.7).

• Level 1: Prevention of abnormal operation and failures by design.

• Level 2: Prevention and control of abnormal operation and detection of failures.

• Level 3: Control of faults within the Design Basis.

• Level 4: Control of severe plant conditions in which the Design Basis may be exceeded, including the prevention of fault progression and mitigation of the consequences of severe accidents.

• Level 5: Mitigation of radiological consequences of significant releases of radioactive substances.”

Section 8.2.2 of this PCSR provides a list of the safety measures incorporated into the design of the AP1000 at each of the five levels identified above. The list demonstrates that the AP1000 has a substantial number of safety measures at each of the first four levels; the Level 5 safety measures are entirely administrative and, as such, are not influenced by design features within a nuclear power station. This Engineering Key Principle is thus satisfied.

Engineering Key Principle 4: Safety Function

“The safety function to be delivered within the facility should be identified by a structured analysis. The identification of safety functions should be based on an analysis of normal operation and all significant fault sequences arising from possible initiating faults determined by fault analysis.”

This Engineering Key Principle is not particularly relevant to the ALARP assessment of the AP1000 design, but it is included here for completeness. It requires that the safety functions that the design has to accomplish during normal operation and fault conditions be identified, and a structured process for achieving this is required. Section 4.2 of the PCSR describes the categorisation process for identifying the importance to safety of functions being delivered by plant systems, structures and components (SSCs) during normal operation and during fault transients.

Engineering Key Principle 5: Safety Measures

“Safety measures should be identified to deliver the required safety function(s). Safety should be secured by characteristics as near as possible to the top of the list below:

• Passive safety measures that do not rely on control systems, active safety systems or human intervention.

• Automatically initiated active engineered safety measures.

• Active engineered safety measures that need to be manually brought into service in response to the fault.

• Administrative safety measures.

• Mitigation safety measures.”

Section 8.2.2 of the PCSR provides a list of the safety measures incorporated into the design of the AP1000. It can be seen that the Level 3 safety measures for Design Basis initiating events are passive, in that all they require in order to activate is for a valve or circuit breaker to make a one-off change of state; the others require only a highly reliable battery-backed dc electrical supply. The majority of Level 1, Level 2 and Level 4 safety measures also satisfy this definition of passive. The remaining safety measures at Level 1, Level 2 and Level 4 are active systems, in that they involve ac-powered pumps, fans or heating elements. Only a few of the safety measures need to be activated manually (see the fault schedule, Section 5.2 of the PCSR); in practice, the operators could and probably would actually perform many useful actions. The administrative requirements for the safety measures are managed by the Tech-Specs, discussed in Chapter 16 of the EDCD (Reference 8.1), which will be legally enforceable through Site Licence Condition 23.

8.2.1.2 Nuclear Operating Organisation Required Standards

US Utilities Requirements Document

An important part of the ALARP argument is that there was a US industry process to establish a consensus on what constituted relevant good practice in the development of new generation nuclear power plant designs. This process involved the operating utilities and the design and construction organisations, and was given additional credibility by US government sponsorship.

In the late 1980s and early 1990s, US utilities went through a formal process to collect operating experience from their operating fleet of light water reactors, both PWRs and boiling water reactors. This experience is extensive, as there are over 100 light water reactors currently operating in the US. The purpose of this effort was to create a set of requirements that encompassed the lessons learned from operating experience, which when applied to the design of a new plant would result in a significant improvement in safety. This effort, the Advanced Light Water Reactor (ALWR) Programme, was managed for the US electric utility industry by the Electric Power Research Institute (EPRI), and included the participation and sponsorship of several international utility companies and close cooperation with the US Department of Energy (DOE).

The programme to establish the technical foundation for the design of the ALWR has now been completed with the issue of a set of utility design requirements, which are contained in the ALWR Utility Requirements Document (URD) (Reference 8.8). These present a clear statement of the utilities’ requirements for their next generation of nuclear plants. The Utility Requirements Document consists of a set of design requirements for future light water reactors, which correct problems that existed in the currently operating plants and incorporate features that assure a simple, robust, more forgiving design. These requirements are contained in the URD’s three volumes:

• The ALWR policy and summary, which contains the high-level objectives.

• The evolutionary ALWR design’s detailed requirements.

• The passive ALWR design’s detailed requirements.

The detailed requirements for both the evolutionary ALWR and the passive ALWR are extensive, providing many thousands of separate requirements. Part three, for PWRs, was developed concurrently with the early development of the AP600 design; indeed, the AP600 design demonstrated what was achievable by an advanced passive PWR, and this therefore determined the content of the URD’s third volume with respect to passive PWRs. Consequently, the AP600 is totally compliant with the requirements set out in the URD. The AP1000 is a derivative of the AP600 (see Section 8.2.2 of the PCSR), and it has incorporated the URD requirements. A summary of the high-level requirements of the URD is provided in Appendix 8.2.

The most risk significant of the detailed URD requirements that were incorporated into the AP1000 design include the following:

• Reduce the chance of a reactor coolant system leak or loss of coolant accident (LOCA) and the consequential operational radiation exposures resulting from cleanup and repairs:

  • Use of improved materials to reduce the chance of cracking that could lead to a reactor coolant system leakage or LOCA, thereby avoiding challenges to safety.

  • Expanded use of limited leak-before-break to the reactor coolant system piping, by reducing the design stress levels; this reduces the chance of cracking that might lead to a LOCA. The AP1000 applies the leak-before-break approach to most high-energy lines inside the containment that are 15 cm (6 inches) in diameter or larger, which includes the primary piping, the main steam lines, the passive heat removal heat exchanger lines, the automatic depressurisation system, the pressuriser surge line and the accumulator and residual heat removal piping.

  • Increased lengths of straight pipe on either side of welds, to facilitate in-service inspection.

• Use passive safety features to reduce the overall risk, as assessed by the PRA.

• Reduce the dependence on the operators.

• Use canned motor reactor coolant pumps:

  • To reduce the chance of reactor coolant system leaks or LOCA.

  • To eliminate oil fires from reactor coolant pumps.

  • To reduce the operational radiation exposures associated with planned seal replacement and the consequences of seal leaks.

• Use simplified radwaste systems based on an ion exchange process for the liquid radwaste system and a charcoal bed system for the gaseous radwaste system:

  • To provide for low plant releases.

  • To reduce solid waste generation.

  • To reduce operational radiation exposures.

• Use radwaste truck bays to provide for specialised waste processing equipment. These would be brought to the plant for special problems, as well as to accommodate any advanced technologies developed in the future over the 60-year plant life. This equipment is not required for normal plant operation.

• Use digital instrumentation and control with multiplexing, to simplify construction (less cable) and facilitate in-plant testing and maintenance. An extensive verification and validation programme licensed in several countries, including the US, has verified the software. The AP1000 software will be verified and validated as part of the design completion activities. Reduced cabling also reduces fire loading, and it improves the separation around the main control room. Improved in-service testing includes automatic test features and built-in full test capability. These test features improve reliability and reduce the chance of spurious failures associated with the manual test procedures used in currently operating plants.

• Use an advanced control room to simplify construction, maintenance and operations. Improved human factors considerations reduce the chance of operator error during an event or accident sequence compared to the large control rooms used in currently operating plants.

By incorporating the above features into the AP1000 design, the requirements of the URD for a passive advanced PWR have been satisfied.

European Utility Requirements

A few years after the URD, European utilities formed a steering group for new nuclear build in Europe, directed at a European passive plant. To give its member utilities a common specification for such a plant, a European equivalent of the URD was developed, as the vehicle through which the European operating utilities articulate their expectations to the design and construction organisations. The resulting European Utility Requirements (EUR) (Reference 8.9) are broadly similar to the URD, but there are some differences due to European operating experience and licensing practices.

At this time, Westinghouse wished to make the AP600 an international standard product, to the greatest extent possible. The concept of standard designs was already proven in Europe. Utility involvement allowed relevant good practices from around the world to be incorporated into the AP600 design and, subsequently, the AP1000. This reinforced the worldwide standardisation objective of Westinghouse and its potential customers.

Although the AP1000 had been designed to meet the URD requirements, it has now been subjected to a detailed and thorough assessment against EUR Revision C, and shown to meet the EUR for almost all of the approximately 5,000 requirements assessed. The results demonstrate that the AP1000 is a mature design.

8.2.1.3 Codes and Standards for Nuclear Facilities

As highlighted in the introduction, US codes and standards have in the main been used because the AP1000 reference design had to satisfy the US NRC Regulatory Guides, which are the basis of US licensing. Together these provide a consistent set of codes and standards for the design of a nuclear power station. Some International Commission on Radiological Protection (ICRP) guides, International Electrotechnical Commission (IEC) standards and International Atomic Energy Agency (IAEA) guidelines have also been followed. European nation-specific codes and standards have not been included.

A review of the codes and standards that are of greatest significance to nuclear safety and are used in the design of the AP1000 has been carried out (Reference 8.11). This review first identifies those codes and standards that have implications for nuclear safety. In some instances, the identified codes and standards are already recognised and used in the UK. Others are equivalent to a UK code or standard. Wherever there is a disparity between the US and the UK code or standard, this is identified and the implications discussed. Codes and standards relating to instrumentation, control and electrical systems are part of separate studies being undertaken for Generic Design Assessment (GDA) Step 4.


8.2.2 Relevant Good Practice in Design

8.2.2.1 Evolution of the AP1000 Design

Westinghouse Design Experience

Westinghouse has designed and licensed PWRs for more than 35 years. Today, nearly 50 percent of the world’s 440 nuclear plants are based on Westinghouse technology. The AP1000 benefits from this operating experience in many ways as follows:

• Use of proven fuel and major reactor component designs, including reactor vessel, reactor internals, control rod drive mechanisms, reactor coolant pumps, steam generators, and pressuriser. Proven major components reduce the chance of leakage or failures that would affect normal plant operation, possibly resulting in plant transients or forced outages with their associated impacts on safety system challenges and occupational radiation exposures.

• Design of reactor systems including safety injection, decay heat removal, chemical/volume control, cooling water, radwaste, and the like. Improvements in these important systems directly improve plant safety through increased capacity and reliability.

• Layout, design, and analysis of piping systems. Recently, this has included the capability of eliminating snubbers, which improves in-service inspections and reduces the worker dose associated with those inspections.

• Layout, design, and analysis of buildings. Integrated considerations are given to fire separation, radiation zoning, flooding considerations, maintenance space/access, security and construction.

• Development and verification of thermal-hydraulic computer codes to analyse plant events and accidents. This effort includes performing tests, verifying the codes against these tests, and licensing the codes with the US NRC.

• Improvements in operating plant reliability, availability, and maintainability; specifically fuelling outage plans; and improved remote/robotic tooling. Improved tooling improves the quality of inspections and repairs and reduces worker doses.

• Development and application of digital-based instrumentation and control systems, which have been back-fit to operating plants. This experience includes extensive computer software verification and validation.

• Application of leak-before-break to reactor coolant system lines greater than or equal to 10.2 cm (4 inches) to reduce stresses, which reduces the chance of cracking and reactor coolant system leakage/loss-of-coolant accident (see Appendix 3B of Reference 8.1). This also eliminates many pipe whip restraints, which improves the ability to perform in-service inspection and reduces the operation radiation exposures associated with that inspection. Reduced piping stresses reduce the chance of a pipe leak or break.

• Improved reactor coolant system materials to reduce the chance of reactor coolant system cracking, which can lead to reactor coolant system leakage and associated safety challenges and cleanup/repair operation radiation exposures. A specific example of this improvement is the elimination of Inconel 600, to prevent stress corrosion cracking affecting the reactor coolant system pressure boundary.


• Application of as low as reasonably achievable (ALARA) to operational radiation exposures is discussed in Section 12.1 of Reference 8.1. As a result of this process, the AP1000 is expected to have significantly reduced occupational radiation exposures, of the order of 219 man-mSv/yr. This exposure is about 80 percent less than the current best practice for Westinghouse plants of the same power rating. Because the average experience is two or more times the best practice, the AP1000 exposure would be an even greater reduction relative to those plants.

In addition, advanced technologies that were not available when the operating plants were built have been developed. These include the following:

• Adopted the use of simple passive safety measures requiring only a one-time re-alignment of valves. These systems do not require support systems, such as ac power (from offsite or onsite), cooling water systems (such as component cooling or service water) and heating, ventilation and air-conditioning (HVAC) systems.

• Adopted the use of increased defence in depth safety measures (those at IAEA Level 4), which prevent core damage and a large release of activity. These safety measures make use of active systems, passive systems and combinations of the passive and active systems. The resulting set of safety measures results in a well balanced design that is not overly dependent on any one system or component.

• Incorporated features and improvements to reduce activity releases following an accident. The features include:

• Use of a thick steel pressure vessel that is highly unlikely to leak.

• 50-percent reduction in the number of containment penetrations.

• Use of containment isolation valve types that are less likely to leak.

• The AP1000 has incorporated the capability of maintaining the containment integrity following a core melt PRA sequence. Testing and analysis has shown that the in-vessel retention capability of the AP1000 provides a robust means of keeping molten core debris in the reactor vessel (Section 19.34.2.1 of Reference 8.1).

• Modular construction – including structural, piping, and equipment – has been widely adopted in the plant design. Basic modules are factory-built in sizes that can be shipped by railway. The structural modules eliminate the need for rebar in the walls. Basic modules are assembled into large modules at the site, which are then lifted into the buildings by heavy lift crane. The use of factory fabrication improves the quality and reduces the chance of problems that would affect plant safety, including leakage and component failures.

• Three-dimensional (3D) computer modelling includes structures, equipment, pipe (including instrument tubing and vents/drains), HVAC ducts, and cables. The 3D model helps safety issues such as separation and fault evaluations to be addressed during the design process. With this approach, the safety of the plant is considerably improved because fewer field changes are needed to eliminate interferences, and less field re-work is required to implement those changes. It also provides for more fault evaluations, improved maintenance and inspections, and reduced operation radiation exposures.

• The regulatory treatment of duty system features, as developed and licensed with the NRC. This approach provides a graded safety classification system, using both PRA and deterministic criteria, and gives a mechanism for regulatory oversight that is appropriate to the safety mission of each item of equipment.

• Design, development, and testing of an advanced main control room meeting the US ALWR URD and NRC human factors criteria. Actively incorporating human factors engineering in the design and testing of the main control room improves the reliability of operators during accidents (Chapter 18 of Reference 8.1).

Transition from the AP600 to the AP1000

When the AP600 received its design certification, natural gas plants were the economic plants of choice in the US. In order to compete against such natural gas plants and yet retain the major safety benefits of the AP600, the option chosen was a power upgrade to achieve economies of scale. A further constraint was to do this at the lowest cost possible, by reusing the design and licensing effort already expended; that is, the $450,000,000 worth of design and licensing effort already invested in the AP600 design. Writing this effort off and re-starting the design would have been disproportionate. There was also a time constraint on delivery of the AP1000: starting again would have delayed the first plant by many years.

An even higher power up-rating was considered (some of the AP1000’s competitors have a capability of 1600 MWe), gaining even more from economies of scale. The factors that militated against such a possibility were:

• The applicability of the rig testing carried out on the AP600 structures would have been outside the limit of sensible extrapolation.

• Post accident in vessel retention would have been hard to demonstrate.

• More than two primary coolant loops would have been needed, given that the size of the AP1000’s steam generators is at the current limit of engineering expertise.

• Likewise, the reactor coolant pumps were of a size above which further up scaling was judged to be unwise.

Having decided on a sensible power up rating, the detailed design constraints included the following:

• Maintain the AP600’s large margins to the safety limits.

• Maintain the passive nature (see Section 8.4.2 of this chapter for a discussion on what “passive” means in this context) of the engineered safety features.

• Do not compromise the ability of the plant to maintain its required safety functions without any operator action for the 72 hours (although operator action must not be locked out) following any Design Basis initiating event.

• Continue the use of proven components and technology.

• Make no changes to the plant’s layout, since that would risk losing the benefit of the AP600’s rig testing and analysis already completed, increase costs and delay the programme.

• Make no design changes unless they are required for the power up rating.


The resulting AP1000 design met the cost goals while changing only those features necessary to increase the power and yet maintain the safety margins. The nuclear island footprint was unchanged: height was added to the reactor vessel and containment vessel while their diameters were maintained. Large margins to safety limits were kept. No departures from proven components were introduced. The testing data obtained for the AP600 were shown to be applicable to the AP1000. The AP600 design process and decisions were retained. The design improvements admitted into the AP1000 design were those needed to implement the higher power, but with the same dedication to safety and simplicity as for the AP600. URD compliance was retained because design features included to satisfy URD requirements were generally not modified in the transition from the AP600 to the AP1000. In conclusion, the nuclear safety risks resulting from the design decisions needed to move from the AP600 to the AP1000 are ALARP, with the level of risk at least maintained and in some instances improved.

8.2.2.2 Defence in Depth Incorporated into the Design of the AP1000

The AP1000 has multiple levels of protection, as required by relevant good international practice (IAEA Safety of Nuclear Power Plants: Design, 2000, Reference 8.7) and by the Engineering Key Principles of the UK regulator (Section 8.2.1.1 of the PCSR). Both sources identify five levels of protection, providing overall safety and additional defence in depth. Each item in the following lists, one for each level, is included in the AP1000 safety case. The items in Level 3 are claimed as safety measures for sequences following Design Basis initiating events; those in Level 4 for sequences following Beyond Design Basis initiating events. Those at Level 1 and Level 2 are of lower intrinsic reliability, and so are not claimed in the safety case as safety measures; they do, however, influence the way a transient might develop, or could provide an additional safety margin if they were available following the fault.

The Level 1 defence in depth features are the duty systems that control and monitor the plant during normal operation and during expected operational deviations. On the AP1000, the following SSCs are in this category:

• Plant control system.

• Data display and processing system.

• Pressuriser spray.

• Main feed water pumps.

• Power-operated atmospheric relief valves.

• Steam generators.

• Automatic turbine bypass system.

• Automatic rapid nuclear power cutback system.

• Isolation valves in the chemical and volume control system make-up pump suction line from the demineralised water tank.

• Chemical and volume control system make-up pumps.

• Spent fuel pool cooling system.


• Containment recirculation cooling system.

• Standby diesels.

• ac power fast bus transfer.

The Level 2 features are the duty systems that can be deployed during operational transients, equipment faults or human errors before a nuclear safety function is seriously challenged. On the AP1000, the following SSCs are in this category:

• Control room alarms, in particular the steam generator blow down radiation monitor alarm and the main steam line radiation monitor alarm.

• Seismic monitoring system.

• Steam generator safety valves.

• Normal residual heat removal system.

• Feed water control and isolation valves.

• Steam isolation valves.

• Start-up feed water pumps.

• Start-up feed water control and isolation valves.

• Isolation valves in the make-up flow line into the reactor coolant system.

• Normal letdown line.

• Reactor pressure vessel head vent valves.

• Containment spray from the fire protection system.

• Containment air filtration system.

• Condenser air removal discharge radiation monitor alarm.

• Fire detection and suppression systems.

• Remote shutdown workstation.

• HVAC systems.

The Level 3 features are the safety measures that intervene to protect against loss of a key safety function. On the AP1000, the following SSCs are in this category:

• Automatic reactor trip.

• Protection and safety monitoring system.

• Pressuriser safety valves.


• Passive residual heat removal (PRHR) heat exchanger.

• Automatic depressurisation system.

• Core make-up tanks.

• Accumulators.

• In containment refuelling water storage tank (IRWST), its injection lines, screens and isolation valves.

• Containment recirculation lines, screens and isolation valves.

• Containment isolation system.

• Passive containment cooling system.

• Diverse actuation system.

The Level 4 safety measures are the SSCs that mitigate the radiological consequences of severe accidents following the loss of a key safety function. On the AP1000, the following SSCs are in this category:

• Hydrogen igniters.

• Catalytic hydrogen recombiners.

• In-vessel retention capability.

• Post accident radioactive isotope containment by controlling the pH of the water in the containment sump.

• IRWST gutter isolation valves.

• Provision of water to the passive containment cooling water storage tank beyond 72 hours into the accident sequence.

• Ancillary diesel generators.

• Spent fuel pool water sprays.

• Main control room emergency habitability system.

The Level 5 safety measures are the administrative measures (see Section 13 of this PCSR for more details), such as evacuations, food bans, iodine tablet distribution and contingency plans, which would be needed should there be a significant release of radioactivity. These will be addressed in the site-specific safety cases, which will be developed after the GDA.


8.3 Use of the PRA Risk Model to Inform Design

8.3.1 Background to the PRA Work

The designers of the AP1000 chose to use PRA as a tool to investigate various detailed design solutions and operational strategies to optimise safety. PRA provides insights on what is contributing to the risk, and it enables potential design improvements to be explored quantitatively. Addressing PRA issues during the design process leads to a low level of risk and results in an ALARP design.

Because the AP1000 design is based extensively on the AP600 standard nuclear plant, the AP600 PRA was used as the starting point for the AP1000 PRA. It is useful to discuss the evolution of the designs and PRAs for both:

• Work on the AP600 began in 1986. The first PRA quantification was in 1987. The initial PRA work was less detailed than the current PRA, but it was still sufficient to provide insights that were used to reduce risks.

• Over the next several years, the PRA was detailed to the point it included detailed fault trees of the mechanical, electrical, and instrumentation and control systems; and the scope was expanded to include: shutdown, fire, flood events, and large release frequency and off-site dose quantifications. Core damage frequency PRA was supported by extensive plant thermal-hydraulic analysis to justify success criteria. Extensive testing and thermal-hydraulic analysis, to support containment integrity during core melt sequences, underpinned the large release PRA.

• Between 1987 and 1997, at least seven major PRA quantifications were performed. For each of these quantifications, the results were reviewed with the plant design personnel for reducing risk.

• In the AP600 licensing process, an initial set of sensitivity analyses was made to assess the importance of duty systems. The results of the focused PRA (Section 19.1.5 of Reference 8.1) demonstrated that the AP600 passive plant design was able to meet the NRC safety goals taking account of the safety-significant equipment only, with no credit for any of the duty systems. To resolve the regulatory treatment of the duty systems, Westinghouse and the NRC agreed availability controls for selected duty systems, for the purposes of providing defence in depth as well as investment protection.

• Design improvements were incorporated in the AP600 design based on the results of the AP600 PRA, and other design analyses. These improvements have been retained in the AP1000 design.

• The AP1000 design and its PRA were developed from the AP600. Of necessity, there were some changes to the design because of the power increase. These changes were incorporated into the AP1000 PRA.

• Between 2001 and 2004, four major PRA reviews were made using the AP1000 PRA risk model, each of which included consideration of the results by the plant designers, resulting in more changes to the AP1000 design in order to reduce risks.

Appendix 8.3 of this chapter lists the principal changes that have been made to the AP600 and AP1000 designs as a result of the PRA. The resultant design of the AP1000 is thus one that is highly optimised with respect to risk reduction, and well balanced, in the sense that no individual plant area contributes inordinately to risk. This enables various quantitative ALARP claims to be made about the AP1000, which are the subjects of the following sections.

8.3.2 System and Function Reliability

The PRA has been used to analyse the relative importance of various systems in causing core damage (Section 19.59.3.3 of Reference 8.1). The use of PRA during the design process confirms that the risks are low, and demonstrates that the plant is well balanced, as shown by the system and component importance measures. The results of these sensitivity analyses show that the protection and safety monitoring system and the Class 1E dc power system are the most important in maintaining a low core damage frequency. The most risk-important systems are the safety measures (i.e. the engineered safety features protecting against loss of key safety functions; Level 3 in the protection levels discussed in sub-section 8.2.2.2). The duty systems that prevent a sequence developing (defence in depth Level 2) are less important to the plant core damage frequency. The PRA model (Section 19.59.3.4 of Reference 8.1) shows that the Level 3 engineered safety features generally have the highest reliabilities of the features providing protection and defence in depth to the plant.

8.3.3 Human Reliability

Part of the ALARP demonstration is to provide arguments that justify the claim that the design of the AP1000 reduces the need for, and the importance of, operator action following the occurrence of a Design Basis initiating event, and that no additional refinement or enhancement of the required actions would be beneficial. In essence, once the passive safety measures have automatically initiated, no operator actions are required for an extended period of time, a period very much longer than for currently operating PWRs.

In the PRA, credit is taken for various tasks to be performed in the control room by the trained operators (Section 19.59.3.6 of Reference 8.1). The analysis shows that there is no single action for which the at-power core damage frequency contribution from faults would decrease by more than 3 percent if it were assumed that the operators were always successful. This indicates that there would be no significant benefit from additional refinement of the actions modelled, or from special emphasis on operator training in these actions (versus other emergency actions). The risk increase results show that there are only seven operator actions whose guaranteed failure would result in a core damage frequency increase greater than the base case core damage frequency (that is, a risk achievement worth greater than 2). The most important action in this ranking, where the operator fails to diagnose a steam generator tube rupture event, has a risk achievement worth of 6.3, followed by manual actuation of the automatic depressurisation system, with a risk achievement worth of 4.25. These results indicate that the AP1000 design is not particularly sensitive to failure of operator actions.

A sensitivity analysis was performed assuming the operator actions claimed in the PRA always succeed. The resulting core damage frequency indicates that human error is not risk important at the level of plant risk obtained by the base case; there is no significant benefit to be gained by improving operator response beyond the assumptions made in the PRA.

Another sensitivity analysis was performed in which the failure probability of the required operator responses was increased to the point that no credit is taken for them, and the indications that would prompt those responses (originating from the protection and safety monitoring system, the plant control system and the diverse actuation system) were also assumed to fail. The result shows that operator actions are important in maintaining a very low plant core damage frequency for faults at power. However, this core damage frequency with no credit for operator actions is still low, of about the same order as the core damage frequency of current plants with full credit for operator actions. The AP1000 meets the US NRC core damage frequency safety goal without human action, whereas current plants typically do not.
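To make the importance measures quoted above concrete, the following is an added worked example; it is not from the PCSR and is not the AP1000 PRA model. It builds a constructed minimal-cutset model with hypothetical initiating events, operator actions and probabilities, and from it computes, for each operator action, the risk achievement worth (core damage frequency with the action guaranteed to fail, divided by the base case), the fractional reduction in core damage frequency if the action always succeeded, and the two sensitivity cases described above (operators always succeed; no credit for operators). Every event name and value is an assumption chosen for illustration.

```python
"""Importance measures for operator actions in a minimal-cutset PRA model.

Hypothetical illustration: the cutsets, event names and probabilities below are
constructed for this example and are NOT the AP1000 PRA. Initiating-event values
are frequencies per reactor-year; all other values are failure probabilities on
demand. Core damage frequency (CDF) uses the rare-event approximation, i.e. the
sum of the cutset frequencies.
"""
import math

# Constructed sample model: each minimal cutset is an initiating event followed by
# the failures that must all occur for that sequence to end in core damage.
CUTSETS = [
    ("IE_LLOCA", "ACC_B_FAIL"),                      # large LOCA, one accumulator fails
    ("IE_SLOCA", "ADS_AUTO_FAIL", "OP_ADS_MANUAL"),  # small LOCA, auto ADS fails, operator fails to actuate ADS
    ("IE_SGTR", "OP_DIAG_SGTR", "PRHR_FAIL"),        # SGTR, operator fails to diagnose, PRHR fails
    ("IE_TRANS", "RT_FAIL", "DAS_FAIL"),             # transient, reactor trip fails, diverse actuation fails
]

# Assumed values (not AP1000 data); chosen so the base CDF is 2.0e-7 per year.
PROBS = {
    "IE_LLOCA": 1.0e-5, "ACC_B_FAIL": 1.0e-2,
    "IE_SLOCA": 5.0e-4, "ADS_AUTO_FAIL": 1.0e-3, "OP_ADS_MANUAL": 1.0e-2,
    "IE_SGTR": 4.0e-3, "OP_DIAG_SGTR": 5.0e-3, "PRHR_FAIL": 2.5e-4,
    "IE_TRANS": 1.0, "RT_FAIL": 1.0e-5, "DAS_FAIL": 9.0e-3,
}

OPERATOR_EVENTS = ("OP_ADS_MANUAL", "OP_DIAG_SGTR")


def core_damage_frequency(cutsets, probs):
    """Rare-event approximation: CDF is the sum over cutsets of the product of event values."""
    return sum(math.prod(probs[e] for e in cs) for cs in cutsets)


def importance(cutsets, probs, event):
    """Risk achievement worth (event fails for certain) and the fractional CDF
    reduction if the event never fails (Fussell-Vesely style measure)."""
    base = core_damage_frequency(cutsets, probs)
    failed = core_damage_frequency(cutsets, {**probs, event: 1.0})
    perfect = core_damage_frequency(cutsets, {**probs, event: 0.0})
    return {
        "raw": failed / base,
        "fraction_reduction": (base - perfect) / base,
        # the increase on guaranteed failure exceeds the base CDF exactly when RAW > 2
        "increase_exceeds_base": (failed - base) > base,
    }


def rank_operator_actions(cutsets, probs, operator_events):
    """Operator actions ranked by risk achievement worth, highest first."""
    rows = [(ev, importance(cutsets, probs, ev)) for ev in operator_events]
    return sorted(rows, key=lambda r: r[1]["raw"], reverse=True)


def sensitivity(cutsets, probs, events, value):
    """CDF with every listed event forced to `value`: 1.0 gives no credit for the
    events, 0.0 assumes they always succeed."""
    forced = {**probs, **{ev: value for ev in events}}
    return core_damage_frequency(cutsets, forced)


if __name__ == "__main__":
    base = core_damage_frequency(CUTSETS, PROBS)
    print(f"base CDF: {base:.3e} per year")
    for ev, imp in rank_operator_actions(CUTSETS, PROBS, OPERATOR_EVENTS):
        print(f"{ev:14s} RAW={imp['raw']:.3f}  "
              f"reduction if perfect={imp['fraction_reduction']:.1%}  "
              f"increase exceeds base={imp['increase_exceeds_base']}")
    print(f"no operator credit: {sensitivity(CUTSETS, PROBS, OPERATOR_EVENTS, 1.0):.3e} per year")
    print(f"operators perfect:  {sensitivity(CUTSETS, PROBS, OPERATOR_EVENTS, 0.0):.3e} per year")
```

With these assumed values both operator actions reduce the base CDF by only 2.5 percent if made perfect, yet have risk achievement worths of 5.975 and 3.475, the same pattern the PCSR reports (low benefit from refinement, RAW of 4 to 6). The reason is visible in the formula: for an action with failure probability p carrying a fraction f of the base CDF, RAW = 1 + f(1/p - 1), so a small f combined with a small p still yields a RAW well above 2.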


8.3.4 Core Damage Frequency for Internal Initiating Events at Power

A major part of the ALARP demonstration is that the core damage frequencies for the risk-dominant fault groups are considerably lower than the values for current generation PWRs; the lower risk values are attributed to the use of passive safety systems and the additional defence in depth provided by duty systems. Passive safety measures eliminate the dependence on ac electric power and compressed air. This significantly reduces the core damage frequency resulting from a loss of offsite power or station blackout event. The analysis shows that many of the events which in the past were leading contributors to the risk of nuclear power plants are not as significant for the AP1000. The contribution of interfacing systems loss-of-coolant accidents, which are typically the highest risk severe accident sequences, is made insignificant by the design of the AP1000. Typical current PRA dominant initiating events are significantly less important for the AP1000. For example, the reactor coolant pump seal LOCA event has been eliminated as a core damage initiator, since the AP1000 uses canned motor reactor coolant pumps which do not have seals.

The AP1000 mean plant core damage frequency from events occurring whilst at power (see Section 8.3.6 for the equivalent analysis whilst shut down) is calculated by the PRA risk model to be 2.41×10⁻⁷ events per year (Section 19.59.3 of Reference 8.1), which states, “Twenty-six separate initiating event categories were defined to represent the AP1000 design. Of these event categories, 11 are loss-of-coolant accidents, 12 are transients, and 3 are anticipated transients without scram (initiating events that result in the anticipated transients, but the reactor subsequently fails to trip). Initiating event categories unique to the AP1000 design have been defined and evaluated, including safety injection line breaks, core make-up tank line breaks, and passive residual heat removal heat exchanger tube ruptures. The resulting core damage frequency is very small: a value of 2.41×10⁻⁷, which is two orders of magnitude smaller than corresponding values typically calculated for current pressurised water reactors”.

Seven initiating events, comprising six loss-of-coolant accidents and steam generator tube rupture, make up approximately 92 percent of the total at-power plant core damage frequency. The remaining initiating events make up the balance of the core damage frequency from internal events. The conditional probability of core damage given an initiating event is generally in the range of 1×10⁻³ to 1×10⁻⁵. This indicates that the various features of the AP1000 design act to prevent core damage. This is a significant level of protection.

The dominant initiating events, with their respective contributions (from Table 19.59-1 of Reference 8.2) shown in brackets, are:

• Safety injection line break (39.4%)

• Large loss-of-coolant accident (18.7%)

• Spurious automatic depressurisation system actuation (12.3%)

• Small loss-of-coolant accident (7.5%)

• Medium loss-of-coolant accident (6.7%)

• Reactor vessel rupture (4.2%)

• Steam generator tube rupture (2.8%)


The results show that the core damage frequency for the AP1000 is dominated by rare initiating events; that is, initiating events that are not expected to occur during the lifetime of a plant; for instance, the safety injection line break is predicted to occur once in 10 million reactor years. This indicates that the AP1000 design is robust with respect to its ability to withstand challenges from the more frequent events, and the overall very low core damage frequency indicates that adequate protection against the more severe events is provided.

8.3.5 Large Release Frequency for Internal Initiating Events at Power

Large releases occur if the containment fails during a fault sequence. The results of the PRA can be used to justify the assertion that the design of the AP1000’s containment is less susceptible to failure due to over-pressurisation after severe accident than current generation plants because its integrity is maintained by passive means. This feature removes decay heat from the containment by means of the water flowing over the containment shell. Also, the ability to flood the reactor cavity is an important contributor to maintaining a low release frequency for the AP1000. This feature and the design of the reactor insulation that provides for cooling of the reactor vessel keep a damaged core inside the reactor vessel. This reduces the potential for ex-vessel severe accident events. Finally, the AP1000 containment design enhances the deposition of aerosols on its structure before they are released to the environment, thereby reducing the potential environmental effects of a severe accident that fails the containment.

The overall large release frequency for AP1000 for internal initiating events at power (see Section 8.3.6 of this PCSR for the equivalent analysis whilst shut down) is 1.95×10⁻⁸ events per year (Section 19.59.4.1 of Reference 8.1), which is much lower than current generation plants, despite the many conservative assumptions built into the PRA risk models. The AP1000 large release frequency is approximately 8 percent of its core damage frequency; the containment effectiveness is thus 92 percent. Because this result already includes sequences that directly bypass the containment, the containment effectiveness for the remaining sequences is actually much better.

The dominant large release categories (see Appendix 8.1 for further explanation of release category), as stated in Section 19.59.4.1 of Reference 8.1, are:

• Containment bypass, with a 54 percent contribution

• Early containment failure, with a contribution of 38 percent

• Containment isolation failure, with a 7 percent contribution

The contributions to large release frequency from the late containment failure and intermediate containment failure release categories are negligible. The total frequency of the first two categories is 1.8×10⁻⁸ events per year. These two categories make up 92 percent of the AP1000’s large release frequency.

The PRA analysis provides the following insights into the AP1000 design (Section 19.59.4.2 of Reference 8.1):

• The containment effectiveness is lowest for accidents where the primary pressure is high after core damage.

• The large release frequency results are not very sensitive to the treatment of steam generator tube rupture (SGTR) events.

• For faults initiated by vessel failure, containment effectiveness does not depend significantly on whether the assumed failure is above or below the pressure vessel beltline.

• The large release frequency is not very sensitive to the reliability of the hydrogen igniters.

• For accidents in which hydrogen is released into the IRWST, comes out from the IRWST vents and then ignites to cause containment failure, the containment effectiveness drops by about a factor of four from the base situation; such an increase in large release frequency is significant.

• The large release frequency is dominated by containment failures or bypasses due to steam generator tube rupture, and high primary pressure core damage sequences. The remaining containment failures are dominated by an early containment failure due to reactor cavity flooding failure.

• The large release frequency is not very sensitive to the reliability of the passive containment cooling system.

• The large release frequency is sensitive to the operator action to flood the reactor cavity in a short time following core damage. This operator action has been moved to the beginning of the appropriate Emergency Response Guideline, to increase its likelihood of success.

8.3.6 Core Damage Frequency and Large Release Frequency for Plant Initiating Events while Shutdown

The PRA results (Section 19.59.5 of Reference 8.21) show that the overall AP1000 shutdown core damage frequency is very small, at 1.23×10⁻⁷ per year. The estimated large release frequency is 2.05×10⁻⁸ per year.
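As an added worked calculation, not part of the report, the containment effectiveness figures quoted in Sections 8.3.5 and 8.3.6 can be reproduced from the frequencies the PCSR states. The at-power core damage frequency is not restated on this page, so it is inferred here from the stated 8 percent ratio, and the shutdown effectiveness is computed here rather than quoted from the report:

```latex
\text{Containment effectiveness: } \eta = 1 - \frac{\mathrm{LRF}}{\mathrm{CDF}}

\text{At power: } \frac{\mathrm{LRF}}{\mathrm{CDF}} \approx 0.08
\;\Rightarrow\; \eta \approx 0.92,
\qquad \mathrm{CDF} \approx \frac{1.95\times10^{-8}}{0.08} \approx 2.4\times10^{-7}\ \text{per year (implied, not stated here)}

\text{Bypass + early failure: } (0.54 + 0.38)\times 1.95\times10^{-8}
= 1.79\times10^{-8} \approx 1.8\times10^{-8}\ \text{per year}

\text{Shutdown: } \frac{\mathrm{LRF}}{\mathrm{CDF}} = \frac{2.05\times10^{-8}}{1.23\times10^{-7}} \approx 0.17
\;\Rightarrow\; \eta \approx 0.83\ \text{(computed here)}
```

The second line confirms that the two dominant release categories (54 and 38 percent of a 1.95×10⁻⁸ per year total) sum to the 1.8×10⁻⁸ per year quoted for them; the last line shows that the shutdown containment effectiveness is lower than the at-power figure, which is consistent with shutdown sequences occurring with the reactor coolant system drained.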

There are three events that dominate the core damage frequency: loss of component cooling or service water while drained, loss of offsite power while drained and loss of the normal residual heat removal while drained. The 12 dominant accident sequences comprise 77 percent of the shutdown core damage frequency. These dominant sequences consist of:

• Loss of component cooling or service water system initiating event during drained condition, with a contribution of 64 percent.

• Loss of normal residual heat removal system initiating event during drained condition, with a contribution of 6 percent.

• Loss of offsite power initiating event during drained condition, with a contribution of 5 percent.

• Primary system over-draining event during drainage to mid-loop, with a contribution of 2 percent.

The insights drawn from the shutdown PRA core damage frequency analysis are as follows:

• Initiating events occurring when the reactor coolant system is drained make up approximately 90 percent of the total shutdown core damage frequency. Loss of decay heat removal capability during the drained condition due to failure of the component cooling water system or service water system is the initiating event with the greatest contribution.

• Common cause failures of the in-containment refuelling water storage tank components contribute approximately 59 percent of the total shutdown core damage frequency. Common cause failure of the in-containment refuelling water storage tank valves contributes approximately 33 percent of the total shutdown core damage frequency.

• Common cause failures of the automatic depressurization system Stage-4 squib valves contribute approximately 18 percent to the total shutdown core damage frequency. This indicates that maintaining the reliability of the automatic depressurization system is important.

• Common cause failures of the containment sump recirculation squib valves contribute approximately 15 percent to the total shutdown core damage frequency. This function is important during drained conditions. This indicates that maintaining the reliability of the recirculation line squib valves is important.

• Human errors are not overly important to the shutdown core damage frequency. There is no particular dominant contributor. Sensitivity results show that the shutdown core damage frequency would remain very low even with little credit for operator actions. One action, operator failure to recognise the need for reactor coolant system depressurisation during shutdown conditions, is identified as having a significant risk increase value. This indicates the importance of the operating procedures for this action and that the operators understand and are appropriately trained for it.

• Individual component failures are not significant contributors to shutdown core damage frequency, and there is no particular dominant contributor. This confirms the at-power conclusion that single independent component failures do not have a large impact on core damage frequency for the AP1000, and reflects the redundancy and diversity of protection at shutdown as well.

• The in-containment refuelling water storage tank provides a significant benefit during shutdown because it serves as a passive backup to the normal residual heat removal system.

8.3.7 Review of Defence in Depth Systems

Nuclear safety for the AP1000 is less dependent than current plants on the duty systems (IAEA Level 1) and the systems that are deployed to control abnormal operation and detect failures (IAEA Level 2), because of the presence of robust safety measures (IAEA Level 3) that stop the loss of nuclear safety function; these Level 3 safety measures are robust because they do not require support systems such as ac power, component cooling water and service water. The five IAEA levels of protection are discussed in more detail in Section 8.2.1 of this PCSR.

Nevertheless, sensitivity studies have been performed with the AP1000 risk model to evaluate the significance on risk of the IAEA Level 1 and Level 2 safety measures, to identify those SSCs that are important in providing defence-in-depth (Section 19.59.3 of Reference 8.1). The following systems have been identified as providing significant additional defence in depth:

• Diverse actuation system, Non-Class 1E dc and uninterruptible power supply system.

• Offsite power, main ac power, and onsite standby power systems.

• Normal residual heat removal system.

• Component cooling water system.

• Service water system.

Once identified, appropriate functional requirements were incorporated into their design and into the arrangements covering their operation, maintenance and testing, so as to provide reasonable assurance that these SSCs would be operable during the anticipated events. For most of the SSCs involved, a substantial operating history is available, which defines the significant failure modes and their likely causes. The identification and prioritisation of the various possible failure modes for each SSC led to design improvements for failure prevention or mitigation.

The Tech-Specs (Section 11.2) provide control on the availability of some of these SSCs, and on their surveillance and testing frequencies, thereby providing confidence that the reliability values assumed for them in the PRA will be maintained during plant operations.

These SSCs are also included in the Design Reliability Assurance Programme (D-RAP) (see Section 17.4 of Reference 8.2), whose purpose is to make sure that the important reliability assumptions made as part of the PRA remain valid throughout plant life; the PRA input includes specific values for the reliability of the various SSCs in the plant that provide the defence in depth capability.

8.4 ALARP Review of the Principal Design Decisions during AP1000 Design Development

8.4.1 Introduction

This section describes the principal design decisions made for the AP600 and AP1000. Because none of the design decisions described for AP600 were reversed for AP1000, the entire section ultimately applies to AP1000. These decisions occurred over the design life of AP600 and AP1000, a period of some 15 years, and many occurred concurrently. The selection of these example decisions was such that they are mostly independent of each other. The reason for including them in this report is to demonstrate the thorough nature of the AP600/AP1000 design process. The process reinforced a rigorous, disciplined approach to achieving safety through simplicity and developing a design that is ALARP.

Only a sample of the design decisions made for AP600 and AP1000 are discussed. Many more decisions were made.

The following sections address the design decisions made during the evolution of the AP1000, as grouped into the following categories:

• Residual heat removal.

• Containment design.

• Control room systems.

• Primary system design.

• Fuel route.

• Duty systems.

8.4.2 Residual Heat Removal

8.4.2.1 Reactor Coolant Post-LOCA Injection and Cooling

Following a LOCA, the safety systems must provide make-up for the water lost so as to maintain the reactor core immersed in liquid water. Many pressurised water reactors today rely on pumped systems and large sources of water from outside the containment to provide this make-up and cooling. These types of systems require safety grade and Seismic Category I sources of ac power and water. In the case of the AP1000, this is done without reliance on ac power.

Many possibilities exist for meeting the basic functional requirement here. The required motive power could be dc, gravity, stored (static) energy in the form of pressurised gas or a combination of them. The required water could be stored within the containment, on the containment, outside the containment or a combination of them. Different LOCA scenarios require different amounts of water at different times. Sufficient inventory with sufficient delivery capacity throughout the transient must be maintained. In addition, it is very desirable to deliver the right amount of water, at the right time without operator involvement. The true trade-off here is then between the ac powered, outside containment delivery and cooling system, and one that simply relies on total pressure balances and natural circulation.

While normal residual heat removal will be used when available for postulated design basis events, the design solution for selected DBA events was a set of passive core cooling elements wholly contained within the containment. A significant simplification of the design has been achieved by avoiding the need to construct an ultimate heat sink, which would require an engineered cooling chain. The elements include:

• The passive residual heat removal heat exchanger.

• The core make-up tanks.

• The accumulators.

• The in-containment refuelling water storage tank.

• The passive core cooling long term recirculation system.

The only requirement of the above systems for dc power after an accident starts is to trigger the one time realignment of various valves. Heat and fluids then move by natural forces. These one-time valve movements are few, numbering less than 20 such movements, and are required to happen relatively quickly, in a time less than 30 minutes.

Advantages and Disadvantages

The following detailed advantages result from the chosen design option:

• No reliance on ac power.

• No reliance on external sources of water.

• No reliance on pumps.

• No reliance on remote heat exchangers.

• No penetrations through the containment required.

• No reliance on operator action during the first 72 hours after the accident.

• No liquid radioactive effluent.

• No risk for accidental loss of coolant outside the containment.

• A containment structure that disperses the fission product heat directly to the Earth’s atmosphere.

The main uncertainty with this design option was that there was little large-scale experience with total pressure balance and natural circulation LOCA response systems. However, as part of the AP600 development programme, extensive rig testing was performed to validate system functionality and the analysis capability for candidate total pressure balance and natural circulation LOCA response systems. This testing carries through to the AP1000.

One shortcoming of the system is that after 72 hours the Passive Containment Cooling Water Storage Tank (PCCWST) on top of the Containment Shield Building needs to be refilled. This requires active pumping. A seismically qualified tank and diesel driven pumps are to be added to the Auxiliary Building, to provide a supply of water to the PCCWST adequate for 7 days post accident (see Section 8.4.3.9 for more details).

ALARP Discussion

The designers have provided a set of core inventory and cooling features for the AP1000 by adopting a relatively simple set of mostly passive elements, which nevertheless provides enhanced safety over the counterpart active systems used in currently operating PWRs. These features are driven by natural forces, and they have been extensively tested and analysed. The design of the AP1000 provides a very high level of safety at the lowest overall plant cost. The designers have thus provided a design that is compatible with the UK ALARP requirements.

The option of adding an active high-pressure safety injection system has also been considered, but it was found not to be ALARP (see Section A8.4.14 Appendix 8.4); likewise, larger accumulators (see Section 8.5.3).

8.4.2.2 Selection of Squib Valves in Preference to Conventional Valve Types

Squib valves are self-contained valves that are actuated by an explosive charge on receipt of a firing signal. They are widely used on Boiling Water Reactors and in the aerospace industry for one-off emergency operation. Squib valves are used for the following three applications within the safety systems of the AP1000:

• Stage 4 Automatic Depressurisation System (ADS) valves.

• IRWST injection line isolation.

• Containment recirculation line isolation.

The squib valves are the only active components within these otherwise passive safety systems. Their operation thus needs to be very reliable. Experience has shown that squib valves are more reliable than other types of valve, because of the reliability of the actuating propellants, and also because of the simplicity of the mechanical design of a squib valve. For comparison, the following probabilities for the failure to open on demand of each type are assumed by the AP1000 PRA:

• Air Operated Valves (AOVs) 8.76×10⁻³

• Motor-Operated Valves (MOVs) 1.41×10⁻²

• Squib Valves 5.80×10⁻⁴
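As an added check, not taken from the report, the "at least an order of magnitude" comparison made for squib valves later in this subsection follows directly from the three PRA failure-on-demand probabilities listed above:

```latex
\frac{P_{\mathrm{AOV}}}{P_{\mathrm{squib}}} = \frac{8.76\times10^{-3}}{5.80\times10^{-4}} \approx 15.1,
\qquad \log_{10}(15.1) \approx 1.18

\frac{P_{\mathrm{MOV}}}{P_{\mathrm{squib}}} = \frac{1.41\times10^{-2}}{5.80\times10^{-4}} \approx 24.3,
\qquad \log_{10}(24.3) \approx 1.39
```

Both ratios exceed 10, so on the PRA's own input data a single squib valve is between one and one-and-a-half orders of magnitude less likely to fail to open on demand than a single air- or motor-operated valve. These are per-valve independent failure probabilities; the common cause contributions discussed in Sections 8.3.6 and 8.4.2.3 are treated separately.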

The in-service testing for each squib valve includes both a test of the remote position indication and a test firing of the igniter and propellant. The squib valve charge assembly is removed, and then test fired outside of the valve, in a test rig that can monitor explosive charge performance. Any failures would result in the removal of the charges from the same production lot and replacement with new charges from a different lot. The ASME Code requires that 20% of the charges be tested every two years. The AP1000 maintenance schedule performs these tests during refuelling outages, when the squib valves can be accessed for propellant charge removal.

The nature of a squib valve body design makes it virtually leak free; that is, the valve is not subject to internal leakage, as with standard valve designs such as globe, butterfly, gate and non-return valves. This is a very important safety function, because any such leakage would be the equivalent of a small LOCA, given the location of the squib valves in the primary circuit.

Advantages and Disadvantages

The following advantages result from choosing squib valves over other valve types:

• Squib valves are more reliable than other types of valve, by at least an order of magnitude, because of the simplicity of their design and because there is no reliance on any external power source for actuation.

• The squib valve body is virtually leak free.

• They are easily tested and maintained.

The following disadvantages result from choosing squib valves over other valve types:

• The explosive charge and igniter used within a squib valve have a limited shelf life and service life; however, the required maintenance and testing can easily be accommodated within the AP1000’s refuelling outages.

ALARP Discussion

Using squib valves within the design of the three chosen safety systems provides a simple, reliable and leak free solution for the one active element within otherwise passive safety systems.

The alternative would have been to use conventional valves of lower intrinsic reliability, thereby requiring higher levels of redundancy to achieve the necessary reliability, and the inclusion of ac power or compressed air for actuation of the valves. This would have added complexity, and was judged not to be the optimal solution.

8.4.2.3 Diversity in Squib Valve Design

Squib valves are self-contained valves that are actuated by an explosive charge on receipt of a firing signal. The squib valves are significantly more reliable than conventional valves due to the relative simplicity of the design and the very high reliability of the igniters and explosive charges. Squib valves are used for the following three applications within the AP1000’s safety systems:

• Stage-4 ADS valves.

• IRWST injection line isolation.

• Containment recirculation line isolation.

Common mode failure within the three systems is minimised by using a different valve design for each of the three applications: one for the Stage 4 ADS squib valves; a second high-pressure valve design for the IRWST injection line and check valve recirculation line squib valves; and a third low-pressure recirculation line squib valve.

Design diversity is achieved through differences in the design details of the key valve actuation components, which requires differences in their physical configurations (and design tolerances) for the following:

• Valve body (inside surface forms shearing piston walls).

• Valve bonnet and retaining hardware (cylinder head which also houses the propellant cartridge).

• Propellant cartridges (volume/arrangement excluding propellant material/igniters).

• Actuation plug (shearing piston).

• Actuation plug piston tensioning (and shearing) bolt.

• Shear caps (shearing wall thickness which is pressure dependent).

• Valve latching mechanism (hold shearing piston in place after actuation).

• Metal foam (compression damping upon actuation).

• Metal foam retainer plate and retaining hardware.

• Various valve body bolts and compression chamber metal o-rings.

In summary, design variations and design tolerances between the various designs provide adequate design diversity to protect against squib valve common failure modes.

Advantages and Disadvantages

Having a diverse valve design for each of the three squib valve applications on the AP1000 minimises the simultaneous common mode failure of the three applications. The only disadvantages are that more spares have to be held for maintenance on three valve designs, although this is minimal given the difference in valve size and pressure rating between the three applications.

ALARP Discussion

This option improves risk at negligible cost over the option of having the same squib valve design throughout. It is thus the ALARP option.

8.4.2.4 Passive Core Cooling System Pipe Size Increases

The primary function of the passive core cooling system is to provide emergency core cooling following postulated Design Basis initiating events. To accomplish this primary function, the passive core cooling system is designed to perform the following functions:

• Emergency Core Decay Heat Removal: Provide core decay heat removal during transients, accidents or whenever the normal heat removal paths are lost.

• Reactor Coolant System Emergency Make-up and Boration: Provide reactor coolant system make-up and boration during transients or accidents when the normal reactor coolant system make-up supply from the chemical and volume control system is unavailable or is insufficient.

• Safety Injection: Provide safety injection to the reactor coolant system to provide adequate core cooling for the range of loss of coolant accidents.

• Containment pH Control: Provide for chemical addition to the water in the containment during post-accident conditions, to establish flood-up chemistry conditions that support radionuclide retention and to prevent corrosion of containment equipment during long-term flood-up conditions.

The passive core cooling system is designed to operate without the use of active equipment such as pumps and ac power sources. The passive core cooling system depends on natural circulation and processes such as gravity injection and the expansion of compressed gases.

For the AP600 design the analysis was finished for system performance, for pipe size, routing and stresses, and for building structural response. The AP1000 design challenge was to increase the capacity of the passive core cooling system while changing as little of the AP600 physical design as possible. Alternatives included the addition of safety-significant pumps, increasing the thermal head differences from the core to the heat sinks and rerouting pipe to reduce the pressure drop or increasing pipe sizes.

Adding safety-significant pumps would have defeated the passive nature of the AP600/AP1000 concept, and was rejected at the outset. Increasing the thermal head differences would have required a redesign of structures inside the containment; this type of redesign affects finished layouts, pipe routings, building structural calculations, building seismic responses, component seismic responses, system flow calculations, accident response calculations, containment free volume, containment flood-up volumes and more. Rerouting piping for pressure reduction would yield very little, because the piping was already routed for minimum resistance while maintaining structural adequacy. The remaining alternative of increasing the size of the pipes was selected because it had the lowest impact on the finished design.

Rough calculations were performed to determine the required pipe size. Then the next larger standard pipe size was selected, and placed on the same centrelines as for AP600. This approach created pipe routings that had some margin in the pressure drop, due to slightly larger pipe than required, and that could probably pass structural evaluations because the smaller pipe sizes had already passed. These assumptions proved valid, and the passive core cooling system design was resized for the AP1000, with as little extra impact on the fully certified AP600 design as was reasonably practicable.

Advantages and Disadvantages

The following advantages resulted from increasing the pipe sizes within the passive core cooling system to accommodate the increased duty required by the AP1000:

• Slightly increased margin in the pressure drop, resulting in a higher natural circulation flow rate.

• No need for a redesign of any structures inside the containment.

• No need to reroute the passive core cooling system pipework.

• No need to repeat the building structural calculations.

• No need to repeat the building seismic responses and component seismic responses.

• No change in the containment free volume and the containment flood-up volumes.

The only disadvantage resulting from increasing the pipe sizes within the passive core cooling system to accommodate the increased duty required by the AP1000 is the minimal extra cost of the larger pipes.

ALARP Discussion

This option results in slightly enhanced performance of the passive core cooling system, at a lower cost than any of the alternatives. It is thus the ALARP option.

8.4.2.5 Core Make-up Tanks Size Increase

The core make-up tanks are part of the passive core cooling system. They hold cold borated water stored under system pressure for reactor coolant system make-up and boration, and for safety injection to the reactor coolant system in the event of a loss of coolant accident. The amount of water required for the latter duty on an AP1000 is more than that required by the AP600, suggesting the need for larger tanks.

Given that design analysis had been completed for the AP600 with respect to system performance, tank size, stresses, and for building structural response, the AP1000 design challenge was to increase the capacity of the core make-up tanks while changing as little of the AP600 physical design as possible.

The core make-up tanks were resized for the AP1000 by ascertaining the largest tank size that could fit into the rooms assigned to the core make-up tanks and placing them on the same centrelines as for the AP600. The passive core cooling system performance was then reanalysed. This showed that the core make-up tank volumes still had margin for small break LOCAs, while maintaining the in-containment structural, flood up and high head injection capability.

Advantages and Disadvantages

The following advantages result from resizing the core make-up tank, but keeping the other aspects the same:

• There is no diminution in the flood up and high head injection capability of the resized tanks.

• Able to carry across the stress analysis and the building structural response analysis, because there is no change to the in containment structural layout.

The only disadvantage resulting from resizing the core make-up tank but keeping the other aspects the same is the reduced but still adequate margin for small break LOCAs.

ALARP Discussion

Resizing the core make-up tanks for the AP1000 to the largest tank size that can fit into the AP600 civil structure is the lowest cost option. Any further increase in size would be at a wholly disproportionate cost, involving as it would a total redesign of the layout and a consequential reanalysis of system performance, the stresses and the building structural response. Given that the functionality of the passive core cooling system is unaffected (that is, the resized core make-up tanks still have capacity margin for small break LOCAs), the option is ALARP.

8.4.2.6 Increasing the Capacity of the IRWST

It is desirable to increase the post-LOCA containment flood-up level for the AP1000, in order to maintain and increase the long-term core cooling safety margins. One of the changes made to the AP1000 design to accomplish this was to increase the water level in the IRWST during normal operation, but without changing any of the structures within the containment; that is, without adding a bigger tank. The option chosen was to fill the tank more fully.

To do this, it is important to be able to measure IRWST level accurately during normal operating conditions. The instrumentation used previously was a wide-range differential pressure level sensor. This sensor was prone to relatively large errors when the tank was full. Whilst this was adequate for the AP600, the AP1000 needed a better measurement if the tank were to be filled to a higher level.

In order to maintain the operating margin in the tank, a more accurate narrow range ultrasonic sensor was added. It is permissible to use this type of relatively fragile sensor for monitoring the water level during normal operation because it does not have to function in the post accident environment. In the post accident environment, the safety-significant wide range level sensors are sufficient to monitor the drain down of the IRWST.

In summary, the ultrasonic level sensor is a simple device that is wall-mounted inside the IRWST, above the maximum water level. By adding this narrow range instrumentation, much of the error is eliminated, which allows the normal water level in the IRWST to be raised while maintaining the previous operating margin. This allows for increased water volume capacity, and thus, increased flood-up level post LOCA.

Advantages and Disadvantages

The following advantages result from incorporating a more accurate measurement of the IRWST level:

• Increases the post LOCA containment flood up level, thereby maintaining and increasing the long-term core cooling safety margins.

• Avoids the cost of making the IRWST larger.

• No change to the in-containment structural layout.


AP1000 Pre-Construction Safety Report

UKP-GW-GL-732 8-30 Revision 2

• No reanalysis of the stresses and the building structural response.

The only disadvantage resulting from incorporating a more accurate measurement of the IRWST level is the slight risk of the IRWST overflowing during normal operation, should the ultrasonic level sensor fail.

ALARP Discussion

The option of increasing the capacity of the IRWST by the simple expedient of measuring its level more accurately results in the same benefits but at a trivial cost compared to the alternative of installing a larger tank. The proposed option is thus ALARP.

8.4.2.7 Passive Residual Heat Removal Heat Exchanger

The passive residual heat removal heat exchanger is part of the passive core cooling system. It is located in the in-containment refuelling water storage tank, which provides the heat sink for the heat exchanger. The heat exchanger is elevated above the reactor coolant system loops to induce natural circulation flow through the heat exchanger when the reactor coolant pumps are not available. The passive residual heat removal heat exchanger piping arrangement also allows actuation of the heat exchanger with reactor coolant pumps operating. When the reactor coolant pumps are operating, they provide forced flow in the same direction as natural circulation flow through the heat exchanger. If the pumps are operating and subsequently trip, then natural circulation continues to provide the driving head for heat exchanger flow.

For postulated non-LOCA events, where a loss of capability to remove core decay heat via the steam generators occurs, the passive residual heat removal heat exchanger is capable of automatically removing core decay heat, assuming the steam generated in the in-containment refuelling water storage tank is condensed on the containment vessel and returned by gravity via the in-containment refuelling water storage tank condensate return gutter. It is designed to remove decay heat for an indefinite time in a closed-loop mode of operation. The passive residual heat removal heat exchanger is designed to cool the reactor coolant system to 215°C in 36 hours, with or without reactor coolant pumps operating. This allows the reactor coolant system to be depressurised and the stress in the reactor coolant system and connecting pipe to be reduced to low levels. This also allows plant conditions to be established for initiation of normal residual heat removal system operation. During a steam generator tube rupture event, the passive residual heat removal heat exchanger removes core decay heat, and reduces reactor coolant system temperature and pressure, equalising with steam generator pressure and terminating break flow without overfilling the steam generator.

Given that design analysis had been completed for the AP600 with respect to system performance, heat exchanger size, stresses, and for building structural response, the AP1000 design challenge was to increase the capacity of the core make-up tanks while changing as little of the AP600 physical design as possible.

The principal design change was to add extra tubes to the passive residual heat removal heat exchanger, sufficient to satisfy the requirements on cool down time for AP1000 Design Basis initiating events. There was also a requirement to alter the attachment to the in-containment refuelling water storage tank, without changing the in-containment structural layout. The passive residual heat removal heat exchanger was placed on the same centrelines as for the AP600. The in-containment refuelling water storage tank volume was more than adequate for the AP600 and did not need to be resized for the AP1000.


Advantages and Disadvantages

The following advantages result from resizing the passive residual heat removal heat exchanger, but keeping the other aspects the same:

• Adding extra tubes to the passive residual heat removal heat exchanger results in no diminution in its capability for cooling down the reactor for AP1000 Design Basis initiating events.

• The stress analysis and the building structural response analysis were carried across, because there is no change to the in-containment structural layout.

The only disadvantage resulting from resizing the passive residual heat removal heat exchanger but keeping the other aspects the same is that it is necessary to alter the heat exchanger’s attachment to the in-containment refuelling water storage tank.

ALARP Discussion

The passive residual heat removal heat exchanger was resized for AP1000 with as little extra impact on the fully certified AP600 design as was reasonably practicable. There is no obvious design alternative other than the hypothetical one of making it even bigger, but the ramifications of such a change could be that significant extra cost would be incurred. Given that the functionality of the passive core cooling system is unaffected, the proposed option is ALARP.

8.4.2.8 Disproportionate Increase in the Automatic Depressurisation System Stage-4 Pipe Size

Opening of the automatic depressurisation system valves is required for the passive core cooling system to function, as required to provide emergency core cooling following postulated accident conditions. Twenty valves are divided into four depressurisation stages. These stages connect to the reactor coolant system at three different locations. The automatic depressurisation system first, second, and third stage valves are included as part of the pressuriser safety and relief valve module, and are connected to nozzles on top of the pressuriser. The fourth stage valves connect to the hot leg of each reactor coolant loop. The first stage valves may also be used, as required following an accident, to remove non-condensable gases from the steam space of the pressuriser.

The first stage automatic depressurisation system valves are motor-operated 10 cm (4 inch) valves. The second and third stage automatic depressurisation system valves are motor-operated 20 cm (8 inch) valves. The fourth stage automatic depressurisation system valves are 36 cm (14 inch) squib valves arranged in series with normally open, dc-powered motor-operated valves. The control system for the opening of the automatic depressurisation system valves has an appropriate level of diverse and redundant features to minimise the inadvertent opening of the valves. For each discharge path, a pair of valves is placed in series to minimise the potential for an inadvertent discharge of the automatic depressurisation system valves. The fourth stage valves are interlocked so that they cannot be opened until reactor coolant system pressure has been substantially reduced.

An analysis was carried out to ascertain whether and by how much the various automatic depressurisation system pipes and associated valves had to increase in size to accommodate the higher power and reactor coolant volume of the AP1000 over the AP600. PRA analysis conducted for AP1000 showed that no additional size increase was required for the AP600 automatic depressurisation system stage 1, 2, and 3 pipes and valves. Calculations indicated the requirement for a larger size for automatic depressurisation system stage-4 piping and valves; however, the required size fell between standard pipe sizes, so the next larger pipe size, 36 cm (14 inch), was chosen. The pipe centrelines were kept the same, to simplify incorporation of the larger pipe into the layout. This resulted in an automatic depressurisation system stage-4 capability of slightly more than was required to accommodate the increase in power. The automatic depressurisation system stage-4 piping size was increased from 25 cm (10 inch) to 36 cm (14 inch). The only other required change was to increase the core make-up tank capacity to allow for additional make-up until system pressure fell below the required operational levels or actuation set points.

Advantages and Disadvantages

The following advantages result from using a commercially available standard size for the automatic depressurisation system stage-4 piping and valves:

• Additional capability for dealing with Design Basis initiating events.

• No change to the in containment structural layout.

• No reanalysis of the stresses and the building structural response.

The only disadvantage resulting from using a commercially available standard size for the automatic depressurisation system stage-4 piping and valves is the slightly more severe consequences from inadvertent operation of the stage-4 valves.

ALARP Discussion

Choosing a non-standard size for the automatic depressurisation system stage-4 piping and valves would not affect the performance of the system, but would increase the cost substantially. The negative consequence of slightly more severe consequences from inadvertent operation of the stage-4 valves is counteracted by the positive consequence of additional capability for dealing with Design Basis initiating events; in any case, the control system for the opening of the automatic depressurisation system valves has an appropriate level of diverse and redundant features to minimise the inadvertent opening of the valves. The proposed option is thus ALARP.

8.4.2.9 In-Vessel Retention

Certain Beyond Design Basis accident sequences could lead to a core melt; whilst this is extremely unlikely, it is not incredible. This possibility required some form of mitigation. The AP1000’s designers addressed this challenge by developing the capability for in-vessel retention. The alternative would have been to incorporate some form of “core catcher” outside the reactor vessel. A core catcher would have features that precluded re-criticality of the mixtures of core structural materials and building structures (known as corium), and cooled it to slow its reaction with materials around the reactor vessel. This could have been the design solution for AP1000.

The design team recognised that one of the consequences of the passive core cooling approach is the introduction of large amounts of water into the lower portions of the containment. The expected level of water in the containment after an accident is above the nozzles of the reactor vessel and, hence, above the top of the fuel. It was recognised that a possible design solution for the core melt scenario would be to take credit for this water, and use it to cool the corium. The water would flow into the reactor vessel insulation structure, and come into contact with the reactor vessel. It would then cool the reactor vessel by convection and evaporation. The steam would rise into the upper containment, carrying core heat with it. This steam would condense onto the inner surface of the containment vessel, and then return to the lower portion of the containment, where it could repeat the cycle.


To realise this solution, the design team had to demonstrate two things: first, prototype testing had to be performed to establish the feasibility of water outside the reactor vessel to cool it, given the heat fluxes expected during a core melt; second, a mechanical design of the reactor vessel insulation had to be developed that allowed water to get next to the reactor vessel in a severe accident, while not allowing air to flow next to the reactor vessel during normal operation. Both of these were achieved. Testing was performed at the University of California, Santa Barbara, to establish the design parameters for cooling the vessel during a core melt. A unique design of the lower portion of the reactor vessel insulation was developed that used buoyancy to allow water in, when present, but not to allow air. This solution of in-vessel retention was selected, and implemented in the design.

Advantages and Disadvantages

The following advantages result from choosing the in-vessel retention option:

• The reactor pressure vessel remains intact, thereby providing a robust barrier to fission product release, preventing the release of radioactivity into the containment.

• Eliminating the reactor vessel melt-through failure mechanism obviates the need for a mitigating feature such as a core catcher, thereby avoiding the substantial cost of a core catcher.

• There is no release of radioactivity into the environment in the event of a core catcher failing and, as a consequence, the containment failing as well.

The disadvantage of choosing the in-vessel retention option is that there is a slight risk that the natural movement of the in-containment water over the reactor vessel in a real core melt accident sequence could be insufficient to prevent core melt-through.

ALARP Discussion

Implementing in-vessel retention in this way provides a safe, simple, natural cooling mechanism for the reactor vessel that maintains its integrity and obviates the need for an external core catcher. Avoiding the dispersion of radioactive material is the dominant benefit; the option of adding a core catcher as well as in-vessel retention to the AP1000’s design would have no effect on this. The option of supplementing in-vessel retention with a core catcher has been considered, but found not to be ALARP. The in-vessel retention option alone is thus ALARP.

8.4.2.10 Improvements to the Design of the In-Vessel Retention

The additional power capability of the AP1000 over the AP600 has increased the severe accident (core melt) demands on the in-vessel retention design solution. To maintain the passive response to severe accidents, the design of the AP1000 in-vessel retention required some modification. The result of the testing performed for the AP600 to establish the thermal hydraulic parameters associated with core melt did not bound the calculated parameters for the AP1000. The University of California, Santa Barbara performed additional testing to expand their results to envelop AP1000 parameters. These new results required additional structure and a shaped internal boundary to be added to the reactor vessel insulation design. In addition, the insulation design had to be able to pass the increased fluid and energy flows required by the change from AP600 to AP1000.

The reactor vessel insulation design was modified only as necessary to incorporate the additional structure and the internal shaping required. The water inlet devices and steam outlet devices were modified to increase their flow areas, to make their operation by natural forces simpler and more reliable, to create a new flow path, to provide additional shielding during normal operations and to make the design easier to fabricate and erect.

This solution was chosen using a process that promoted satisfying design requirements with the least change to the current design, high reliance on proven technology (natural forces), and lowest risk for public or operator radiation exposure.

Advantages and Disadvantages

The following advantages result from improving the design of the in-vessel retention:

• Minimum changes from the AP600 design, and hence read-through of the AP600 test results.

• Improved reliability of the natural circulation capability.

• Inclusion of a new flow path was allowed.

• Additional shielding provided, thereby reducing operational dose.

• Easier to fabricate and erect, thereby reducing cost.

The only disadvantage resulting from improving the design of the in-vessel retention is that it required additional structure and a shaped internal boundary for the reactor vessel insulation design, which incurred a development cost.

ALARP Discussion

The thermal hydraulic parameters associated with core melt demanded a change in the design of the AP1000’s in-vessel retention features; doing nothing was not an option. The chosen solution involves the minimum change from the previous design, and has resulted in improved safety performance. It is thus the ALARP option.

8.4.2.11 Alternative Source of Cooling for the Residual Heat Removal System Heat Exchangers

The normal residual heat removal system cools the core when it is shut down at low pressure, by reducing the temperature of the reactor coolant system during the second phase of plant cool down; the first (high pressure) phase of the cool down is the transfer of heat from the reactor coolant system to the main steam system through the steam generators. The residual heat removal system draws reactor coolant from the reactor coolant system hot leg and then cools it in two heat exchangers outside the containment, before returning it to the reactor vessel through the direct vessel injection lines. Its heat exchangers are cooled by the component cooling water system.

An alternative heat sink would be desirable in the unlikely event that component cooling water flow to the residual heat removal system heat exchangers should be lost. The fire protection system provides this additional method for cooling. What is required is for the design of the AP1000 to include a fire hose connection point at the input side of the heat exchangers and a drain at the heat exchanger outlet. The cooling water would go through the system once, its supply coming either from the fire water storage tanks or from any external source such as a fire engine.

This simple use of a fire protection connection in a once-through cooling mode provides additional defence in depth capability for cooling the residual heat removal system. This solution was chosen using a process that promoted satisfying design requirements with lowest change to the current design, high reliance on proven technology, and lowest risk for public or operator radiation exposure.

Advantages and Disadvantages

The advantage of using a fire protection connection in a once-through cooling mode is increased reliability of the residual heat removal system.

The only disadvantage is that less fire-fighting water would be available in the event of a fire simultaneously with the loss of the component cooling water.

ALARP Discussion

This option is ALARP because it reduces the risk of losing the fission product heat removal capability when shut down by using an option in compliance with the Engineering Key Principles, which are fully described in Section 8.2.1.1:

• By providing an alternative source of cooling water, it adds additional defence in depth and thereby satisfies Engineering Key Principle 3.

• It is midway up the hierarchy of the safety measures defined in Engineering Key Principle 5, because it is manually initiated; manual operation of a back-up to a back-up is acceptable.

Diverting some of the fire-fighting water to cooling duty could have safety implications; however, overall safety should not be eroded: in a real event the operators control the use of the fire-fighting water, and they would make the decision based on the actual circumstances and in line with the emergency operating instructions. Note that fire-fighting water is not claimed by the safety case; it is itself providing defence in depth.

8.4.2.12 High Pressure Residual Heat Removal System

The core damage frequency from inter-system loss-of-coolant accidents (ISLOCAs) for currently operating PWRs is now known to be substantially greater than the PRA estimates made when they were designed. An ISLOCA is defined by the NRC as a class of events in which a break occurs outside the containment in a system connected to the reactor coolant system. It is regarded as a Beyond Design Basis initiating event. Early PRAs were typically limited to modelling ISLOCA sequences that included only the catastrophic failures of the check valves that isolate the reactor coolant system from the low-pressure systems. Also, the PRAs included little consideration of human errors leading to an ISLOCA and the subsequent effects of the accident-caused harsh environment or flooding on plant equipment and recovery activities. Because of this concern, the designers of the AP1000 have re-evaluated the design pressure of the normal residual heat removal system.

The normal residual heat removal system is a duty system that provides shutdown cooling for the reactor coolant system. During normal shutdown operations, the reactor coolant system is cooled and depressurised to the normal residual heat removal system’s cut-in temperature and pressure. Once reactor coolant system pressure has been reduced, the normal residual heat removal system suction line isolation valves are opened, and the residual heat removal system pumps are started to provide the shutdown cooling. The normal residual heat removal system takes suction from the reactor coolant system hot leg, and discharges to the reactor vessel through the direct vessel injection lines. The residual heat removal system suction line contains three normally closed isolation valves in series, with a design pressure equal to reactor coolant system design pressure. The valves are interlocked so that they cannot be opened unless the reactor coolant system pressure is reduced to a pressure within the design pressure of the low-pressure portion of the residual heat removal system of 30 bar (450 psig). The third normally closed isolation valve is a containment isolation valve, and is designed for full reactor coolant system pressure. Over-pressurisation would only occur if the three motor-operated isolation valves leaked excessively, or if the valves were inadvertently opened with the reactor coolant system pressure above the design pressure of the residual heat removal system.

The second potential over-pressurisation pathway for the normal residual heat removal system is by way of the discharge branch lines, which each connect to a direct vessel injection line. Each line contains two normally closed check valves, which, as reactor coolant pressure boundary valves, are designed for the reactor coolant system design pressure. The branch line connects to a common header, which penetrates the containment. The header contains two containment isolation valves.

Over-pressurisation would occur only if the three check valves and the motor-operated gate isolation valves leaked excessively. The portions of the normal residual heat removal system from the reactor coolant system to the containment isolation valves outside the containment are designed for the operation pressure of the reactor coolant system. Traditionally, the portion of the normal residual heat removal system outside containment was designed to 40 bar (600 psig). In operating plants today, ISLOCAs are discounted, based on the suction valves’ interlock with reactor coolant system pressure and the power lock-out of these valves at the valve motor control centres. Such a design provides multiple redundant system isolation and a system design pressure that is 27 percent of reactor coolant system design pressure and 10 bar (150 psig) higher than the operating pressure of the residual heat removal system.

NRC guidance has suggested that a design pressure of 40 percent of the normal operating pressure of the residual heat removal system and a minimum wall thickness would enhance the survivability of the piping to more than 90 percent when pressurised to full reactor coolant system pressure. As a result of this suggestion, the design pressure of the AP1000 normal residual heat removal system outside containment has been increased to 60 bar (900 psig), to decrease the likelihood of ISLOCAs in the residual heat removal system.

Advantages and Disadvantages

The following advantages result from increasing the design pressure of the low-pressure portion of the residual heat removal system:

• Significant reduction in the likelihood of an ISLOCA.

• Lower risk of public or operator radiation exposure.

• Fairly simple to engineer.

The only disadvantage resulting from increasing the design pressure is that it increases the cost, but not by much.

ALARP Discussion

This option is ALARP because a significant reduction in the risk of radiation exposure is achieved for a moderate cost. A further option, to relocate the entire normal residual heat removal system of the AP1000 inside the containment was also considered, but was not ALARP (see Appendix A8.4.1 of this Chapter).


8.4.3 Containment Design

8.4.3.1 Low Leakage Steel Containment

Containment is the last boundary preventing an uncontrolled release of radioactive fission products or coolant to the environment. It is a design requirement for the containment to retain its contents during any Design Basis initiating event, such as a steam line break or a small break LOCA, and certain Beyond Design Basis initiating events such as a large break LOCA. Thus, the containment design must be able to withstand the maximum expected pressure during any Design Basis accident and following a large break LOCA.

The Containment Buildings of currently operating PWRs are concrete and steel structures that rely on internal sprays to control their interior contents at acceptable temperature and pressure. The sprays are supplied by active pumping systems. Should they fail, then venting of the containment would be required before it becomes over-pressurised or its concrete becomes weakened by the high temperature. Given the assessed reliability of such arrangements, some regulators require double containments, to provide defence in depth.

The AP1000 design achieves a containment that can reliably withstand any Design Basis accident and following a large break LOCA without leaking. It achieves this by adopting a steel containment structure cooled by water draining by gravity over its outer surface, which evaporates into a naturally flowing current of air. The containment structure is a free standing steel pressure vessel, designed and built in accordance with the requirements of the ASME Code. This vessel has a high enough design pressure, a large enough free volume and a large enough heat transfer area to accommodate the worst pressure challenge resulting from any Design Basis accident or a large break LOCA, without any requirement to vent. It is not unduly susceptible to high temperatures, unlike concrete. The pressure vessel design requirements extend to its penetrations and attachments.

Advantages and Disadvantages

The following advantages result from using a steel containment structure:

• The gravity fed arrangement for the distribution of water over the exterior of the steel containment vessel is far more reliable than the traditional pumped containment spray system, thereby providing a passive means of heat removal and reducing containment pressure.

• The steel containment will not leak during any Design Basis accident and following a large break LOCA, and there should be no need to vent the containment post accident.

The only disadvantage resulting from using a steel containment structure is that it lacks the double barrier to fission product release inherent in a double containment structure.

ALARP Discussion

Using a steel containment structure results in a design solution that reduces the risk of public or operator radiation exposure compared to the traditional PWR containments. It does not lend itself to a double barrier structure because of the practicality of engineering two streams of cooling water and two currents of naturally flowing cooling air. In any case, the traditional double PWR containment is susceptible to common mode failure: should an accident result in internal temperature or pressure sufficiently high to fail the inner barrier, then the outer barrier would rapidly be subject to the same conditions and would also be likely to fail. It is suggested that the passively cooled steel containment structure of the AP1000 is less likely to fail than a traditional double containment; hence, it is the ALARP option.

The option of designing the AP1000 to have massive high-pressure containment with design pressure of 20 bar has also been considered (see Section 8.5.4), but found not to be ALARP.

The option of adding filtered venting to the containment structure has been considered, but found not to be ALARP (see Section A8.4.11 Appendix 8.4 of this chapter).

8.4.3.2 Containment Height Increase

The increase in electrical power output in moving from the AP600 to the AP1000 required an increase in size of some of the principal components within the containment: reactor vessel, steam generators, and pressuriser. This necessitated some increase in the size of the containment to accommodate them, albeit retaining the same layout as the AP600.

However, a more important consideration was the internal pressure following a fault sequence. The increased power of the AP1000 inherently increases the steam mass and energy released into the Containment Building as a result of a LOCA or main steam line break. An essential requirement on the containment in a passive plant such as the AP600 or AP1000 is to provide sufficient free volume to accommodate the mass and energy release from such an event without challenging the containment design limits. Not only were the mass and energy releases for AP1000 greater than those for AP600, the limiting event changed from a LOCA to a main steam line break.

The options are to increase the free volume of the containment, or to make it stronger, or some combination of the two. Making the containment larger by increasing its diameter was not an attractive option because this would involve extensive redesign. Additionally, increasing the diameter would require a pro-rata increase in steel thickness for a given post-accident pressure, which would contravene the design constraint of containment vessel plate being sufficiently thin that post-welding heat treatment during installation in the field would not be required; this consideration also precludes the option of increasing the containment strength whilst keeping its original size (the option of massively strengthening the containment is reviewed in Section A4.13 Appendix A8.4 of this chapter).

The design decision was to make the containment vessel taller, but by as little as possible. Once the diameter is fixed, the strength of the containment vessel is determined by the plate material and its thickness. The selection process therefore began by investigating alternative plate materials to maximise vessel strength, since a stronger vessel minimises the volume increase required for the increased mass and energy release, and hence the added height.

Once the plate material and thickness had been selected, the height was increased in whole-number multiples of a commercially available plate width, to keep fabrication as simple as possible. Each additional plate width increases the free volume and so reduces the peak accident pressure. The smallest number of additional plate widths that keeps the peak pressure within the maximum allowable containment vessel pressure was chosen. The design outcome was a slightly increased margin to plate allowable stresses compared with the AP600 design.
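As an added illustration (not part of the PCSR, and not Westinghouse's method or numbers), the two-step selection described above can be written out: pick the strongest candidate plate at the thickest gauge that can be field-welded without post-weld heat treatment, then add whole plate courses until the peak pressure falls within the allowable. Every value, the material names, the thickness cap and the 1/volume pressure model are constructed assumptions; the real containment response comes from the plant's mass-and-energy release analysis, which this example does not reproduce. The thin-wall hoop-stress relation is also used to show why a larger diameter was rejected.

```python
import math
from typing import Callable, Dict, Optional

# All numbers below are constructed for illustration; none are AP1000 design values.
DIAMETER_M = 40.0            # assumed fixed vessel diameter
BASE_VOLUME_M3 = 50_000.0    # assumed free volume before any added plate courses
PLATE_WIDTH_M = 2.5          # assumed commercially available plate width
MAX_THICKNESS_M = 0.045      # assumed thickest plate that can be field-welded without PWHT
REF_PEAK_KPA = 480.0         # assumed peak pressure of the limiting event at BASE_VOLUME_M3

# Hypothetical candidate plate materials and their allowable membrane stresses (MPa).
CANDIDATE_PLATES: Dict[str, float] = {"plate_A": 120.0, "plate_B": 160.0}


def allowable_pressure_kpa(sigma_allow_mpa: float, thickness_m: float, diameter_m: float) -> float:
    """Thin-wall hoop stress sigma = p*D/(2t), solved for the pressure the shell may carry.
    For a fixed pressure this is why a larger diameter demands pro-rata thicker plate."""
    return 2.0 * sigma_allow_mpa * 1000.0 * thickness_m / diameter_m


def required_thickness_m(pressure_kpa: float, sigma_allow_mpa: float, diameter_m: float) -> float:
    """Plate thickness needed to carry pressure_kpa at the given diameter (same relation)."""
    return pressure_kpa * diameter_m / (2.0 * sigma_allow_mpa * 1000.0)


def added_volume_m3(n_courses: int) -> float:
    """Free volume gained by inserting n full-width plate courses into a cylinder of fixed diameter."""
    return n_courses * PLATE_WIDTH_M * math.pi * (DIAMETER_M / 2.0) ** 2


def peak_pressure_simple(free_volume_m3: float) -> float:
    """Assumed toy response model: for a fixed mass-and-energy release the peak pressure
    falls roughly as 1/volume. It stands in for the real containment analysis and only
    preserves the monotonic trend the text describes (more volume, lower peak)."""
    return REF_PEAK_KPA * BASE_VOLUME_M3 / free_volume_m3


def select_plate_courses(peak_pressure: Callable[[float], float], allowable_kpa: float,
                         max_courses: int = 30) -> Optional[Dict[str, float]]:
    """Smallest number of added courses whose resulting free volume keeps the peak
    pressure at or below the allowable; None if max_courses is not enough."""
    for n in range(max_courses + 1):
        volume = BASE_VOLUME_M3 + added_volume_m3(n)
        peak = peak_pressure(volume)
        if peak <= allowable_kpa:
            return {"courses": n, "volume_m3": volume, "peak_kpa": peak,
                    "margin": 1.0 - peak / allowable_kpa}
    return None


def design_vessel_height(candidates: Dict[str, float] = CANDIDATE_PLATES,
                         thickness_m: float = MAX_THICKNESS_M) -> Optional[Dict[str, object]]:
    """Step 1: pick the strongest candidate plate at the field-weldable thickness.
    Step 2: add the fewest plate courses that bring the peak pressure within the allowable."""
    material, sigma = max(candidates.items(), key=lambda kv: kv[1])
    allowable = allowable_pressure_kpa(sigma, thickness_m, DIAMETER_M)
    choice = select_plate_courses(peak_pressure_simple, allowable)
    if choice is None:
        return None
    return {"material": material, "allowable_kpa": allowable, **choice}


if __name__ == "__main__":
    result = design_vessel_height()
    print(result)
    # Why the diameter was not increased instead: carrying the same pressure at a larger
    # diameter needs thicker plate than can be installed without post-weld heat treatment.
    t_needed = required_thickness_m(result["allowable_kpa"], CANDIDATE_PLATES["plate_B"],
                                    DIAMETER_M * 1.1)
    print(f"thickness needed at 1.1x diameter: {t_needed:.4f} m (cap {MAX_THICKNESS_M} m)")
```

With the constructed inputs the stronger plate needs 6 added courses where the weaker one would need 13, which is the effect the text relies on when it says that maximising vessel strength minimises the added height; swapping `peak_pressure_simple` for a real response curve leaves the selection loop unchanged.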

In summary, the containment vessel plate material and the additional vessel height were chosen by a process that promoted satisfying the design requirements with the lowest risk of a containment breach during an accident sequence, high reliance on proven technology (natural forces), and lowest cost.


AP1000 Pre-Construction Safety Report

UKP-GW-GL-732 8-39 Revision 2

Advantages and Disadvantages

The following advantages result from increasing only the height of the containment rather than increasing its diameter or increasing its strength:

• The existing plant layouts, pipe routings, building structural calculations, building and component seismic responses, system flow calculations, accident response calculations and containment flood-up volumes are largely unaffected, thereby avoiding the substantial cost of redoing them.

• The need for post-weld heat treatment of the containment vessel plate during installation was avoided.

• A slightly increased margin to plate allowable stresses compared with the AP600 design.

The following disadvantages result from increasing only the height of the containment rather than increasing its diameter or increasing its strength (both have been accommodated in the design):

• A taller Shield Building is required, at substantial cost.

• A taller Shield Building places the passive containment cooling water tank (PCCWST) higher above the ground, which makes the justification of the seismic withstand of the Auxiliary Building more challenging.

ALARP Discussion

The ALARP assessment for this design option is complicated by the fact that there are several possibilities, any of which could accommodate the mass and energy releases from a LOCA or a main steam line break. The Westinghouse design engineers reviewed the alternatives and concluded that increasing the containment height was the most cost-effective option. The seismic withstand of the Auxiliary Building was justified for the taller Shield Building. It is thus the ALARP option.

8.4.3.3 Shield Building Structure

In response to the September 11, 2001 attack on the US by terrorists using commercial aircraft, the NRC proposed a rule requiring that new nuclear power plants be evaluated against the targeted crash of a large commercial aircraft. This contingency was considered to be Beyond Design Basis. Because of timing, the new assessment requirement did not apply to the AP1000. However, the AP1000 design team voluntarily performed an assessment in accordance with the proposed rule. The AP1000 design objective is now to withstand the crash of a large commercial aircraft, rather than to add mitigating safety measures. For the AP1000, this required changes to the AP600 Shield Building design. A further complication was that the AP1000 seismic acceptability analysis had already been completed, and the seismic input curves were already in use for the analysis of safety-significant equipment.

The options were either to increase the thickness of the reinforced concrete to withstand the aircraft and then repeat the seismic analyses completed to date, or to develop another design solution that did not affect the completed seismic analysis results and equipment inputs. The second path was chosen. The construction technique for the Shield Building was changed from reinforced concrete to a steel plate and concrete sandwich structure similar to that used inside the Auxiliary Building and already approved by the NRC. The details of the impact analysis are classified, but the results are acceptable, and the seismic design of the AP1000 is essentially unchanged.


This solution was chosen by a process that promoted satisfying the design requirements with the least change to the current design, high reliance on proven technology, and the lowest risk of public or operator radiation exposure.

Advantages and Disadvantages

The following advantages result from replacing the reinforced concrete of the original design of the Shield Building with a plate and concrete sandwich structure:

• Minimal change to the seismic analysis results and equipment inputs.

• Provides protection against the impact of a large commercial aircraft.

The only disadvantage is a slight increase in cost.

ALARP Discussion

This design option significantly increases the ability of the AP1000 to withstand Beyond Design Basis aircraft crashes. The design has been optimised to achieve the required functionality at the minimum cost. Thus it is the ALARP option.

8.4.3.4 Shield Building Air Inlets

The passive containment cooling system transfers heat directly from the steel containment vessel to cooling air drawn from the external environment, thereby preventing the containment vessel from exceeding its design pressure and temperature following an accident. The passive containment cooling system has inlets for the cooling air located near the top of the Shield Building.

The air inlets must be structurally robust, because they are part of the Shield Building, which protects the steel containment vessel from various external hazards, one of which is aircraft impact. The AP600 air inlet design consists of 15 large discrete openings in the top of the Shield Building, which penetrate the 0.91 m (3 foot) thick reinforced concrete Shield Building. The air inlets are sized to allow containment cooling sufficient to ensure that the peak containment pressure does not exceed the containment design pressure following any Design Basis initiating event. Air inlets of this type and size are also sufficient to support containment cooling for the AP1000, and were incorporated into its original design.

However, it has since been questioned whether this design is sufficiently robust to withstand the impact of a large commercial aircraft. A further concern is that the large openings provide a pathway for debris or fuel from a crashing aircraft to reach the steel containment vessel. It has been decided that the Shield Building must incorporate design features that provide inherent protection against the effects of such aircraft impacts, which are regarded as Beyond Design Basis (see Section 8.4.3). Alternative designs for the AP1000 were therefore explored that maintained the original cooling air flow rate capability but strengthened the Shield Building at the elevation of the air inlets, so as to withstand a Beyond Design Basis large commercial aircraft impact.

One solution would have been to greatly increase the thickness of the Shield Building concrete at the elevation of the air inlets. However, impact testing has shown that containing high-strength concrete within steel liner plates on both faces significantly increases its impact resistance, so a more modest increase in concrete thickness could provide the required strength. Analysis demonstrated that modifying the portion of the Shield Building containing the air inlets to a 1.37 m (4.5 foot) thickness of high-strength concrete contained within steel liners on both faces was sufficient for that portion of the Shield Building to withstand a Beyond Design Basis aircraft impact.

Reducing the size of the air inlets, to restrict the entry of debris or fuel into the building, further enhanced the air inlet portion of the Shield Building. Containment cooling requires a minimum total inlet area to provide adequate air cooling of the steel containment vessel. However, each individual inlet does not have to be as large as the 15 air inlets of the original design, provided that the same total flow area is maintained; the flow area can instead be divided among many smaller inlets. The optimum design was found to be 384 small inlet ducts in place of the original 15 large openings. The smaller inlets are square steel tubes inclined upwards from the outside face to the inside face. The new air inlets make no significant difference to the Design Basis pressure response, either for cases in which the passive containment cooling system operates or for the Beyond Design Basis air-only cooling cases assumed in the probabilistic risk assessment (PRA). Because of their small size and orientation, the redesigned air inlets also significantly increase the Shield Building's ability to keep debris and fuel out of the building. The design provides an additional safety benefit by further reducing radiation skyshine.

Advantages and Disadvantages

The following advantages result from strengthening that portion of the Shield Building containing the air inlets, and replacing the 15 large air inlets with 384 small inlet ducts:

• The strengthening of the upper portion of the Shield Building provides protection against the impact of a large commercial aircraft.

• The redesign of the air inlets significantly reduces the risk of damage to the steel containment structure from burning fuel and debris from a crashing aircraft.

• The redesign reduces radiation skyshine.

The only disadvantage resulting from strengthening that portion of the Shield Building containing the air inlets, and replacing the 15 large air inlets with 384 small inlet ducts, is an increase in the cost of the Shield Building.

ALARP Discussion

This design option significantly increases the ability of the AP1000 to withstand Beyond Design Basis aircraft crashes. The design has been optimised to achieve the required functionality at minimum cost. Thus it is the ALARP option.

8.4.3.5 Post Accident Isotope Control

Radioactive isotopes accumulate in the reactor coolant during operation. Some of these isotopes are gaseous or volatile; most are dissolved or suspended in the reactor coolant water. During a LOCA, these accumulated isotopes are released into the upper containment, creating a radiation source that can be strong enough to be a hazard to those outside the containment.

Currently operating PWR plants use a containment spray system to cool the containment atmosphere; this spray also washes the soluble and suspended isotopes out of the containment atmosphere and off the containment walls. Such containment spray systems comprise a water source outside the containment, containment penetrations, pumps, valves, nozzles and other equipment, all of which must be redundant, qualified, controlled, tested, maintained and repaired.


The AP1000 does not need a containment spray system to cool the containment atmosphere, because this function is performed by the passive containment cooling system. The principal means of post-accident isotope control in the AP1000 relies on natural forces (natural convection, condensation and conduction) to transfer decay heat from the lower regions of the containment to the containment walls, which are cooled externally by the passive containment cooling system. (A containment spray utilising the fire protection system is also provided as a back-up for this function; see Section 8.4.3.10.) The resulting steam condenses on the containment wall and then returns by gravity to the in-containment refuelling water storage tank (IRWST) or to the containment sump. Analysis and testing have shown that the soluble and suspended isotopes move with the water, and thus finish up in the water in the IRWST or in the lower portions of the containment.

Advantages and Disadvantages

The following advantages result from using the natural convection and condensation of the steam onto the containment walls to remove radioactive isotopes from the containment atmosphere:

• The mechanism for isotope removal is entirely passive, with no risk of active failure.

• No risk of containment bypass due to a failed containment spray penetration.

• Enormous reduction in complexity and cost in not having to install a safety grade containment spray system.

The only disadvantage is that it creates a slightly higher general accident dose rate outside the containment, but still within allowable limits (for details see Chapter 12 of the PCSR).

ALARP Discussion

Following analysis and tests of the mechanisms by which isotopes move within the containment, the designers were able to rely on a simple natural isotope removal process, without making an additional claim on a containment spray system. A passive, gravity-fed containment spray system was also considered, but was found not to be ALARP (see Section A4.10 of Appendix 8.4 of this chapter).

The decision not to fit a safety-grade containment spray system is the ALARP option, because the natural isotope removal processes inherent in the passive containment cooling system render it unnecessary. The benefit of eliminating the risk of a containment spray penetration failure causing containment bypass far outweighs the detriment of a slightly higher general post-accident dose rate outside the containment.

8.4.3.6 Fire Protection Function for the Passive Containment Cooling Water Tank

US regulations for nuclear power plants require that the fire protection water delivery system for fires affecting safety-significant equipment be classified as seismic Category 1. The AP1000 has the additional requirement that safety functions must be performed without ac power.

Other than the Containment Building, the AP1000 has only one building that houses such safety-significant equipment: the Auxiliary Building, which is divided at each level by a concrete wall without any doors. On one side are systems containing potentially radioactive fluids; on the other, the clean side, are the plant control and protection equipment and the control room operators. The lowest level of the Auxiliary Building is below grade, so fire water cannot be drained without ac power. Consequently, there is a limit on how much water can be put into the non-radiological clean side of the Auxiliary Building.

The AP1000 design process was directed at creating a fire protection system that requires no safety claims at all to be made on fire-fighting fluids. This was attempted by careful division of the plant layout into fire areas and zones, such that the equipment in a given fire area could be lost to a fire without loss of the overall plant safety functions. Within the Containment Vessel, additional spatial separation requirements were enforced for redundant equipment, to ensure that safety functions could be maintained in the event of a fire inside the containment. This eliminated the requirement for a pumped fire protection system¹ for internal fire hazards, except for Beyond Design Basis fire events on the clean side of the Auxiliary Building.

Thus, the only required fire water delivery system is to the clean side of the Auxiliary Building, and preferably one in which the water is delivered to the fire hose stations by gravity rather than by pumps. The solution adopted by the AP1000's designers is to dedicate a specific amount of water within the PCCWST to this duty. This tank is seismic Category 1. The fire water delivery system can deliver two hose streams of 17 m³/hr (75 gallons per minute) for 2 hours, which incidentally satisfies US NRC requirements. Standpipes within the PCCWST limit the amount of water available for fire-fighting to less than the amount that can be put into the non-radiological side of the Auxiliary Building before flooding becomes a threat to the safety equipment.

Advantages and Disadvantages

The following advantages result from using the PCCWST as the source of fire-fighting water to the clean side of the Auxiliary Building:

• The water supply to the fire water delivery system is already seismically qualified because of its primary safety duty, thereby avoiding the substantial cost of a new dedicated tank built to seismic Category 1.

• It does not require ac power or diesel-powered fire pumps.

• The amount of fire-fighting water that can be delivered is restricted to below the amount at which flooding could become a problem, by the simple expedient of standpipes within the tank.

The only disadvantage from using the PCCWST as the source of fire-fighting water to the non-radiological side of the Auxiliary Building is that there is less water potentially available in the PCCWST for its primary safety duty.

ALARP Discussion

Diverting some of the water in the PCCWST to fire-fighting duty could have safety implications. However, overall safety would not be eroded: the containment structure can survive without the use of the PCCWST except following a LOCA, so there would only be a problem if a fire occurred at the same time; and in a real event the operators control the use of PCCWST water and would make the decision based on the actual circumstances and in line with the emergency operating instructions.

¹ It should be noted that pumped fire protection delivery systems are in fact included in the design, but these are for investment protection and are not required for the protection of safety equipment.


The alternative to the use of the PCCWST would be to install a conventional fire system, with a diesel-driven fire pump and some mechanism to limit the maximum amount of water that could be delivered to the clean side of the Auxiliary Building. Such a system would need to be very reliable and seismically qualified, and would thus be much more expensive than the simple and intrinsically reliable solution adopted. The PCCWST option is thus ALARP.

8.4.3.7 Catalytic Hydrogen Recombiner

A variety of PWR accident sequences can generate free hydrogen gas in the containment atmosphere. Most generate very small amounts, but some Beyond Design Basis accidents can generate large amounts. Regardless of the source, hydrogen could accumulate to a potentially explosive concentration following such accidents.

To provide continuous hydrogen removal capability that does not rely on ac power, catalytic hydrogen recombiners were chosen for in-containment hydrogen control, in addition to the hydrogen igniters placed throughout the containment. Passive autocatalytic recombiners are simple and passive in nature, with no moving parts and no requirement for electrical power or any other support system; they are self-actuated in the presence of the reactants, hydrogen and oxygen. They are effective over a wide range of ambient temperatures, reactant concentrations (rich and lean, with oxygen or hydrogen below 1 percent) and steam inerting (steam concentrations greater than 50 percent).

The hydrogen ignition system addresses the possibility of a Beyond Design Basis event that produces large amounts of hydrogen so rapidly that the rate of production exceeds the capacity of the recombiners, so that the containment hydrogen concentration could exceed the flammability limit. Such massive hydrogen production is postulated to occur as the result of a degraded core or core melt accident (a severe accident scenario) in which up to 100 percent of the zirconium fuel cladding reacts with steam to produce hydrogen. The primary objective of the ignition system is to promote hydrogen burning at a low concentration and, as far as possible, to burn hydrogen more or less continuously so that the hydrogen concentration does not build up in the containment.

Advantages and Disadvantages

The following advantages result from incorporating catalytic hydrogen recombiners:

• They are passive, and would function if the hydrogen igniters, which rely on ac power (offsite power, then non-essential diesels, then 4 hours of operation on the non-Class 1E batteries), should fail.

• They give the lowest risk of hydrogen detonation, which might result in a release of radioactivity from the containment.

• Proven technology.

Disadvantages resulting from incorporating catalytic hydrogen recombiners:

• Their capacity is limited to moderate hydrogen production rates, and would be inadequate for certain severe accidents that are Beyond Design Basis.

• Extra cost, although far less than that of making the hydrogen ignition system less susceptible to loss of ac power.


ALARP Discussion

The issue is to provide a means of reliably removing hydrogen from the containment atmosphere following Design Basis initiating events. Catalytic hydrogen recombiners were chosen over the more complicated option of making the hydrogen ignition system less susceptible to loss of ac power. They are thus the ALARP option.

8.4.3.8 Tri-Sodium Phosphate Baskets

Following a LOCA, the free water in the containment must be treated to keep its pH within prescribed limits. This is done to enhance radionuclide retention in the containment water (in particular, by preventing the formation of volatile elemental iodine in the containment sump) and to prevent stress corrosion cracking of containment components during long-term containment flood-up. In many operating plants this pH control is provided by the chemistry of the containment recirculation water brought in from tanks outside the containment. However, the response of the AP1000 to a LOCA without ac power does not involve any water entering or leaving the containment.

The possibilities for pH control inside the containment during a LOCA were investigated, extensively tested and analysed. They included tanks of buffer solution and baskets of solid tri-sodium phosphate (TSP) inside the containment. TSP is safe, stable, readily soluble in water and easy to inspect. The chosen option was to install baskets containing TSP low in the containment. In the event of a LOCA, the water accumulating in the lower region of the containment self-buffers by dissolving the TSP. This pH adjustment is capable of maintaining the containment water pH within the range 7.0 to 9.5.

Advantages and Disadvantages

The following advantages result from incorporating TSP baskets low in the containment:

• Thoroughly tested and practicable.

• Lowest initial cost.

• Easy to inspect and does not degrade.

• Relatively harmless to people.

There are no disadvantages identified as resulting from incorporating TSP baskets.

ALARP Discussion

This option is safe and simple, with the lowest overall plant cost. Therefore it is ALARP.

8.4.3.9 Provision of Containment Cooling beyond 72 Hours Post Event

Analysis predicts that additional containment cooling might be required for some accident sequences from 72 hours onwards. One option would be to bring in support from outside, such as additional generators or fire engines with pumps. However, it was suggested, based on experience of hurricanes in the US, that 72 hours could be insufficient time for external resources to arrive on site. It was also suggested that potential onsite sources of water might not be available for pumping up to the PCCWST unless they were seismically qualified; for instance, the site fire-fighting water should be assumed to be unavailable. Following this line of thought, the NRC decided to impose the requirement that an on-site, seismically qualified capability to replenish the PCCWST must be available for the period up to 7 days, assuming a total loss of off-site power.

Installing a much larger tank on top of the Shield Building would have required a total re-evaluation of the AP1000 design, with consequent repetition of most of the rig testing and rework of the analysis. Given the costs involved and the ensuing delays, this was not considered a practical option.

One option for satisfying this requirement would be to seismically qualify the site fire protection system. Another would be to add a new seismically qualified system for supplying water to the PCCWST. After due consideration, the AP1000's designers chose the latter. A seismically qualified water tank, with pumps supplied from two diesel generators, has been added to the Auxiliary Building to provide a supply of water to the PCCWST adequate for 7 days post-accident. Because this system is not required until 3 days after the postulated accident, and its duty lasts only until 7 days post-accident, the use of pumps supplied from two diesel generators was deemed acceptable.

Because the fire protection system already had a connection from the PCCWST to the Auxiliary Building (see Section 8.4.3.6), the designers chose to use it as an additional means of replenishing the water inventory. Water can be supplied either from the fire protection water tanks through the fire protection system pipework, or from any external source by a fire pump truck connected to the existing fire supply hose connection point on the outside of the Auxiliary Building. This simple use of the existing fire protection connection provides additional defence-in-depth capability to replenish the PCCWST.

Advantages and Disadvantages

The following advantages result from adding a new seismically qualified system for providing water to the PCCWST:

• Much lower cost, and avoidance of a huge delay to the AP1000 programme, compared with making the PCCWST substantially bigger.

• Lower cost than making the entire fire protection system seismically qualified.

• High reliance on simple proven technology; that is, pumps supplied by two local diesel generators and a seismically qualified water tank.

• Easy connection of a mobile fire pumping engine to the new seismically qualified water tank, should the fixed diesel generators fail on demand.

The only disadvantage is that the reliability of an active system is intrinsically lower than an equivalent passive system.

ALARP Discussion

This option is the lowest cost alternative for providing the required capability at an acceptable level of reliability, and hence is ALARP.


8.4.3.10 Containment Spray from the Fire System

As described in Section 8.4.3.5, the AP1000 design does not rely on containment spray for post-accident isotope control. However, the US NRC requires that the AP1000 design include a manually initiated containment spray for certain Beyond Design Basis initiating events: not only for isotope control, but also as an alternative means of flooding the reactor vessel (in-vessel retention), for debris quenching should the vessel fail, and to control containment pressure should the passive containment cooling system fail.

One design solution considered was to include a dedicated containment spray system with its own pumps, valves, water source and containment penetrations. An alternative, simpler solution was to feed the containment spray headers and nozzles from an existing system within the containment. The system selected was the portion of the fire protection system inside the containment. This provides the containment spray function without the additional equipment of a dedicated spray system.

Advantages and Disadvantages

The following advantages result from providing the water supply to the containment spray headers and nozzles from the existing fire protection system:

• Substantial reduction in complexity and cost in not having to install a safety grade water supply to the containment spray headers and nozzles.

• The in-containment fire system already achieves the required reliability for a back-up system that is only required for Beyond Design Basis fault initiating events.

• There is no increase in the testing and maintenance burden.

The only disadvantage resulting from incorporating the existing fire protection system in the containment spray system is that there is less water available for fire-fighting should there be a fire simultaneously with the Beyond Design Basis sequence.

ALARP Discussion

This option is ALARP because it provides the operators with a back-up means of post-accident isotope control during certain Beyond Design Basis sequences, in a manner that complies with the Engineering Key Principles (Section 8.2.1.1): containment spray water adds defence in depth, as required by Engineering Key Principle 3, and, because it is manually initiated, it sits midway up the hierarchy of safety measures specified in Engineering Key Principle 5. Manual operation of a back-up to a back-up is acceptable.

Diverting some of the fire-fighting water to containment spray duty could have safety implications; however, overall safety should not be eroded: in a real event the operators control the use of the fire-fighting water, and would make the decision based on the actual circumstances and in line with the emergency operating instructions.

8.4.3.10.1 Minimisation of the Number of Containment Penetrations

The penetrations through the containment are designed to be leak-tight, allowing pipes and cables to pass through the containment vessel boundary without allowing the containment atmosphere, which may be pressurised and radioactive after an accident, to escape to the outside environment. In practice, however, they are often the sites of small leak pathways. The penetrations and their associated piping up to the first isolation valves are safety-significant, and must be periodically inspected and tested. Minimising the number of penetrations reduces both the possibility of containment leakage during a fault sequence and the inspection and maintenance burden.

The AP1000’s designers have reduced the number of penetrations by using a variety of innovative techniques:

• Service systems within the containment, such as component cooling water or compressed air, are configured inside the containment so as to require only one supply or return penetration for each service.

• Some intermittent services with common fluids share common penetrations. For example, both the chilled water and the hot water heating services to HVAC within the containment share common penetrations, since they will not be used at the same time.

• The fire-fighting water and the containment spray supply systems also share a common penetration.

• Instrumentation and control penetrations are reduced by taking advantage of digital data highway technology. Multiplexing cabinets are located such that instrumentation and control signals share a common highway penetration in lieu of multiple individual signal penetrations.

Advantages and Disadvantages

The following advantages result from minimising the number of containment penetrations:

• Reduces the possibility of containment leakage during a fault sequence.

• Reduces the cost of providing penetrations.

• Reduces the inspection and maintenance burden.

There are no disadvantages resulting from minimising the number of containment penetrations.

ALARP Discussion

Overall, this option reduces the risk of containment leakage and consequent public or operator radiation exposure, without any accompanying detriment to risk; therefore it is ALARP.

8.4.4 Control Room Systems

8.4.4.1 Use of Digital Instrumentation and Control Systems

The digital instrumentation and control systems within the AP1000 control, protect and monitor the reactor and plant. They consist of the following systems, linked by a real-time data highway:

• Protection and safety monitoring system.

• Special monitoring system.

• Plant control system.


• Diverse Actuation System.

• In-core instrumentation system.

The above systems have been subjected to safety evaluations, which show that the systems can be designed and built to conform to the applicable criteria, codes, and standards concerned with the safe generation of nuclear power.

The real-time data highway is a high-speed, redundant communications network that links systems of importance to the control room and the data display and processing system. Safety-significant systems are connected to the network through gateways and qualified isolation devices, so that the safety-significant functions are not compromised by failures elsewhere. Plant protection, control, and monitoring systems feed real-time data into the network for use by the control room and the data display and processing system.

Protection and Safety Monitoring System

The protection and safety monitoring system detects off-nominal conditions, and then actuates the appropriate safety-significant functions necessary to achieve and maintain the plant in a safe condition. It also controls the safety-significant components in the plant that are operated from the main control room or the remote shutdown workstation. In addition, the protection and safety monitoring system provides the equipment necessary to monitor the plant safety-significant functions during and following an accident.

The adequacy of the hardware and software within the protection and safety monitoring system has been demonstrated through a verification and validation process; in particular, that the software development process is consistent with appropriate industry standards.

Special Monitoring System

The special monitoring system does not perform any safety-significant or defence-in-depth functions. The special monitoring system consists of specialised subsystems that interface with the instrumentation and control architecture to provide diagnostic and long-term monitoring functions.

Plant Control System

The plant control system provides the functions necessary for normal operation of the plant, from cold shutdown through to full power. This system controls the duty systems in the plant, which are operated from the main control room or remote shutdown workstation. The plant control system contains the control and instrumentation needed to change reactor power, control pressuriser pressure and level, control feed water flow, control the turbine and perform other plant functions associated with power generation.

Diverse Actuation System

The DAS provides an alternate means of initiating reactor trip and actuating selected engineered safety features; it also provides plant information to the operator. An ALARP review of its design is provided in Section 8.4.4.3.


In-Core Instrumentation System

The primary function of the in-core instrumentation system is to provide a three-dimensional flux map of the reactor core. This map is used to calibrate the neutron detectors used by the protection and safety monitoring system, as well as to optimise core performance. A secondary function of the in-core instrumentation system is to provide the protection and safety monitoring system with the thermocouple signals necessary for the post-accident inadequate core cooling monitor. The in-core instrument assemblies house both fixed in-core flux detectors and core exit thermocouples.

Advantages and Disadvantages

The following advantages result from adopting digital instrumentation and control instead of an analogue system:

• Provides the opportunity to incorporate more advanced control system concepts, thereby allowing better and more refined control.

• Enhanced human-machine interface features to reduce operator burden.

• Online component testing at higher power levels and in less time.

• Improved instrumentation and control systems availability, achieved through redundancy and advanced diagnostics.

• Significantly reduced costs of initial installation and through-life maintenance.

• Relatively easy to carry out through-life updates of the hardware, as its functionality depends only on the software, which is also relatively easy to update.

• Reduced likelihood of plant trips caused by instrumentation and control system problems.

• The use of a data highway eliminates large quantities of instrumentation and control system hardware, cabling, cable trays, cable spreading areas, containment penetrations and other equipment.

The only disadvantage resulting from adopting digital instrumentation and control instead of an analogue system is that it is more difficult and expensive to verify the integrity of a programmable electronic system of such complexity.

ALARP Discussion

This option is ALARP because the advantages of adopting digital instrumentation and control systems instead of an analogue system are overwhelming, provided that an adequate Safety Integrity Level can be demonstrated. Whilst this is difficult and expensive, it only has to be done once for the entire AP1000 fleet; given the potential number of such plants, the cost per plant is modest.

8.4.4.2 Use of a Digital Control Room

The control room provides the facilities that the operations personnel need to safely operate the plant, deal with any abnormal conditions and produce electricity. Over the past few decades there have been many substantial advances in the technology of the operator-machine interfaces in modern control rooms. The success of modern control rooms has been proven in other comparable industries. The design of the AP600 and the subsequent enhancements in the AP1000 have taken advantage of this new operator-interface technology, and the resultant main control room represents a move away from the traditional ‘control board’ control room design:

• The number of fixed controls and displays has been minimised, to the extent practical.

• The main operator-machine interface is by means of computer-based colour monitors, mice and keyboards.

• The graphics are supported by a set of graphics workstations, which take their input from the real-time data network.

• An advanced alarm system, implemented in a similar technology, is also provided.

The data display and processing (plant computer) system is implemented in a distributed architecture. The working elements of the distributed computer system are graphics workstations, although their graphics capability is secondary to their computing performance. The distributed computer system obtains its input from the real-time data network and delivers its output over the network to other users.

Advantages and Disadvantages

The following advantages result from new operator-interface technology in the main control room:

• The advanced control room technology has been proven to improve operator performance, increase productivity and reduce the likelihood of human errors.

• The visual display unit (VDU) based operator interface integrates a number of systems into one flexible interface technology. This includes the use of large screen displays that enable plant overview and alarm status information to be visible from any likely operator location in the main control room, thus facilitating crew group plant status awareness and decision-making.

• It enables the number of operations personnel required to be located in the control room to be decreased, thereby reducing electric generation costs.

• It is easy to modify the display formats.

• It is easy to update the control room hardware.

The only disadvantage resulting from new operator-interface technology in the main control room is that the software driving the displays is difficult and expensive to verify.

ALARP Discussion

This option is ALARP because the advantages of adopting a digital main control room instead of the analogue type are overwhelming, provided that an adequate safety integrity level can be demonstrated. Whilst this is difficult and expensive, it only has to be done once for the entire AP1000 fleet; given the potential number of such plants, the cost per plant is modest.


8.4.4.3 Inclusion of a Diverse Actuation System

The DAS provides an alternate means of initiating a reactor trip and actuating specific engineered safety features in the event of a common mode failure within the Protection and Safety Monitoring System; that is, it provides diverse backup to the main protection system. The DAS has three functions: diverse automatic actuation, diverse manual actuation and diverse indication of the plant information needed by the operator for a manual actuation of critical safety measures.

The DAS is included within the instrumentation and control architecture in order to support the risk goals in the AP1000 PRA for analyzed events. The DAS reduces the probability of a severe accident resulting from the unlikely coincidence of a Postulated Initiating Event (PIE) and postulated common-mode failures in the protection and control systems. Common-mode failure between the Protection and Safety Monitoring System and the DAS is unlikely because each runs on a different operating system from the other, and there are no sensors shared between the two systems (see Section 8.4.4.4 of this chapter for a further enhancement to the DAS to reduce common-cause failure even more).

The DAS is not claimed as a safety measure by the fault schedule. However, it does provide defence in depth, and as such it possesses two out of two voting logic to prevent spurious actuation, and it is designed to higher quality standards than normal duty systems.
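The two-out-of-two voting logic mentioned above, and the diversity argument of the preceding paragraph, can be made concrete with a small reliability model. This is an added illustration, not code or data from the report or from Westinghouse; the per-channel failure probabilities and the simplified beta-factor common-cause model are assumptions of the example, not AP1000 figures. It computes, for a generic k-out-of-n voter, the probability of spurious actuation and of failure on demand, which shows why 2oo2 buys far fewer spurious trips at the price of a higher failure-on-demand probability (the spurious-trip point the report itself lists as a disadvantage), and why a small common-cause fraction between the primary protection system and the DAS dominates the combined failure probability once the independent product becomes small.

```python
from math import comb


def vote(channel_demands, k):
    """Generic k-out-of-n voter: actuate only when at least k of the n
    channels raise a demand.  2oo2 (k == n == 2) is the DAS arrangement the
    text describes; 1oo2 is the more permissive alternative."""
    return sum(1 for demand in channel_demands if demand) >= k


def p_spurious(k, n, p_false):
    """Probability that a k-out-of-n voter actuates when there is no real
    demand, given each channel independently raises a false demand with
    probability p_false (independence is an assumption of this model)."""
    return sum(comb(n, j) * p_false ** j * (1 - p_false) ** (n - j)
               for j in range(k, n + 1))


def p_fail_on_demand(k, n, p_dangerous):
    """Probability that a k-out-of-n voter fails to actuate on a real
    demand, given each channel independently stays silent with probability
    p_dangerous.  Actuation is lost once more than n - k channels are silent."""
    return sum(comb(n, j) * p_dangerous ** j * (1 - p_dangerous) ** (n - j)
               for j in range(n - k + 1, n + 1))


def p_layered_failure(p_primary, p_backup, beta):
    """Simplified beta-factor model (an assumption of this example, not a
    figure from the report): a fraction beta of primary-system failures is
    taken to disable the backup as well (common cause); the remaining
    coincident failures are treated as independent."""
    independent = (1 - beta) * p_primary * p_backup
    common_cause = beta * p_primary
    return independent + common_cause


if __name__ == "__main__":
    # Constructed, illustrative per-channel figures; not AP1000 data.
    P_FALSE, P_DANGEROUS = 0.01, 0.01
    for k in (1, 2):
        print(f"{k}oo2: spurious={p_spurious(k, 2, P_FALSE):.4f} "
              f"fail-on-demand={p_fail_on_demand(k, 2, P_DANGEROUS):.4f}")
    # Diversity (different operating systems, no shared sensors) is what
    # keeps beta small between the primary protection system and the DAS.
    for beta in (0.0, 0.1):
        print(f"beta={beta}: P(primary and backup both fail)="
              f"{p_layered_failure(0.01, 0.01, beta):.5f}")
```

With the illustrative 1% figures, 1oo2 gives a 1.99% spurious-actuation probability but only 0.01% failure on demand, while 2oo2 reverses the two numbers; the layered-failure figures show the combined probability rising by an order of magnitude once 10% of primary failures are assumed common cause, which is the quantity the diversity measures are there to suppress.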

Advantages and Disadvantages

The following advantages result from the inclusion of the DAS in the AP1000 design:

• Provides a diverse initiation of specific safety measures in the event of a common mode failure within the protection and safety monitoring system.

• Provides a diverse indication to the operators in the event of a common mode failure within the protection and safety monitoring system.

Disadvantages resulting from the inclusion of the DAS in the AP1000 design:

• It might cause some spurious reactor trips.

• Initial cost and through-life maintenance cost.

ALARP Discussion

Without the DAS or some other means of countering common mode failure within the protection and safety monitoring system, the AP1000 design would not have met the required risk targets. The DAS has been designed to be as simple as possible, and is the lowest cost alternative. This option is therefore ALARP.

8.4.4.4 Relocating Part of the Diverse Actuation System

The four divisions (guard lines) of the protection and safety monitoring system and its uninterruptible power supply, the electrical penetrations through the containment, portions of the plant control system, the main control room and the remote shutdown workstation are concentrated within the northern section of the Auxiliary Building. A large fire or explosion in this area could render these features unusable for a significant amount of time. Such an event would most likely result in an immediate reactor trip, due to the loss of power and control functions; however, most of the plant instrumentation and control would be rendered unavailable, making the subsequent establishment of shutdown cooling very problematic.

The DAS was included in the design of the AP600 to provide protection against the loss of the protection and safety monitoring system. However, it is also located in the northern section of the Auxiliary Building, and hence a single large fire or explosion could disable both systems. The obvious solution is to relocate selected portions of the AP1000 DAS to the southern portion of the Auxiliary Building, thereby decentralising the plant Instrumentation and Control (I&C) capabilities and increasing the likelihood that the essential parts of the DAS capability would remain intact after a large fire or explosion in the northern portion of the Auxiliary Building.

Relocating selected portions of the DAS resulted in several consequential design changes: the control cabinet housing the relocated portions required a separate containment penetration in the southern portion of the Auxiliary Building; an internal battery-backed uninterruptible power supply was included within this cabinet, so that the DAS instrumentation could be accessed from this location without the need for an external power source.

Advantages and Disadvantages

The advantage of relocating part of the DAS away from the protection and safety monitoring system is that it substantially improves the likelihood of establishing adequate shutdown cooling and subsequent monitoring following the occurrence of a large fire or explosion in the northern section of the Auxiliary Building, thus lowering the risk of public or operator radiation exposure.

Disadvantages resulting from relocating part of the DAS away from the protection and safety monitoring system:

• Extra cost.

• Slight increase in the risk of a containment leak, due to the requirement for a new penetration.

ALARP Discussion

Common-cause failure of the DAS and the protection and safety monitoring system due to a fire or explosion could result in an unacceptable increase in risk of public or operator radiation exposure. The design solution effectively decouples the two systems at an acceptable cost, and it is therefore the ALARP option.

8.4.4.5 Human Factors Enhanced Control Room

The AP1000 main control room is an evolution of the AP600 design. It takes full advantage of the latest control room operator-interface technology. A detailed human factors engineering program has supported the development of the AP1000 main control room and its operator-interface design. This program included task analysis, operating experience reviews, engineering tests, the application of human factors design guidelines and verification and validation assessments.

The overall purpose of the main control room is to provide a comfortable environment for the operators and supervisors to safely, efficiently, and reliably monitor and control plant processes during normal, abnormal, and accident conditions. Displays are provided to enable the operators to determine the plant status, and control facilities are provided to allow the operators to execute control actions. Alarms are provided to draw the operators’ attention to key indications that may require operator action. It must remain habitable during abnormal or emergency conditions, including earthquakes.

The main control room provides an area that enables the operations personnel to focus their attention on the safe and efficient operation of the plant. It supports good operator performance by supplying the facilities for the operators to interact with other plant personnel, while preventing distractions from non-operations personnel. It supports the operations personnel in the effective and timely execution of their assigned tasks and responsibilities.

The main control room accommodates an operator console, a supervisor’s console, safety consoles, the wall panel information system large screen displays and the DAS panel. The operator console provides the displays and controls to start up, manoeuvre, and shut down the plant, and it is designed to be staffed by one to six operators. The operator interfaces are the duty system control displays, soft controls, alarm presentation system displays, computerised procedures displays, as well as the VDU monitors, keyboards and mice. The supervisor’s console is a smaller version of the operators’ console, and is designed to be staffed by one or two personnel. The primary dedicated safety panel and VDU-based safety system workstations are located at the centre of the operator console, with a secondary safety panel located in close proximity to the supervisor’s console. The DAS panel is located at a sidewall in the main control room. The main control room also includes communication devices, document lay down areas, printers and storage space. A meeting table is provided and equipped with a VDU-based workstation to allow access to the duty control system by, for example, a technical advisor or shift manager, without disrupting control room operations. In close proximity to the main control room are the shift supervisor’s office, the operations staff area, an operations work area, restrooms, and kitchen facilities.

Advantages and Disadvantages

The following advantages result from incorporating the improvements resulting from the detailed human factors engineering programme into the design of the AP1000 and its operator interfaces:

• Enhances the performance of the operators during normal, abnormal and fault conditions, with increased likelihood of success.

• Reduces the possibility of operator distraction, whilst allowing the necessary interaction with other plant personnel.

• Allows access to the duty control system by, for example, a technical advisor or shift manager, without disrupting control room operations.

• Simplifies initial construction of the main control room, resulting in substantial cost saving.

• Simplifies maintenance of the main control room, resulting in cost savings.

The only disadvantage resulting from incorporating the improvements resulting from the detailed human factors engineering programme into the design of the AP1000 main control room and its operator interfaces is significant development cost, but this is spread over the entire AP1000 fleet.

ALARP Discussion

This design enhancement reduces the overall risk from operator error, at a manageable cost. It is thus the ALARP option.


8.4.4.6 Elimination of the Internal Flooding Threat from the Non-Radiological Side of the Auxiliary Building

The AP1000 Auxiliary Building is designed so that on each floor there is a solid concrete wall separating the spaces that are potentially radioactive and those that are not. The non-radiological side of the Auxiliary Building (the clean Auxiliary Building) accommodates the main control room and the rooms housing the plant control and protection hardware and their battery rooms. Some of these would be under threat from flooding should there be any substantial leak of water within the clean Auxiliary Building. The potential sources of water in the clean Auxiliary Building are the potable water for the manned main control room spaces, the fire protection water for the safety-significant equipment within the clean Auxiliary Building, and the pipes carrying water from the Containment Shield Building through the clean Auxiliary Building to the Turbine Building.

The lowest level within the clean Auxiliary Building is two floors below ground level, thereby requiring some means of preventing any water that might accumulate from becoming a threat to the safety-significant equipment housed there. This might be achieved either by establishing a large sump, or by providing an active means for clearing any accumulating water (without using ac power), or by limiting the amount of potential flooding water to a volume that would not threaten any safety significant equipment. The latter option was selected.

The potable water day tank is above the main control room area. It is filled as and when required but is otherwise isolated from external sources; thus any leakage is limited to the day tank volume. The potable water piping from the tank is sized so that even in the event of a pipe rupture the leak rate would be modest. The pipes are routed within the manned spaces, so that any leakage would be detected quickly. The potable water is thus not a flooding hazard to the safety significant equipment within the clean Auxiliary Building.

The volume of fire protection water available to the Auxiliary Building is limited by the design solution discussed in Section 8.4.3.6. Even in the event that this fire protection water should flood the lowest level of the clean Auxiliary Building, the water level would be below that of the safety-significant batteries, the lowest safety-significant equipment in the clean Auxiliary Building. The maximum potential volume of water from the fire-fighting water supply would thus not be a threat to any of the safety significant equipment housed there.

The piping carrying water from the containment to the Turbine Building is routed through two rooms within the clean Auxiliary Building. Both of these rooms are enclosed in concrete, with the only routes for water to escape from them, including through the doors, being to drains within the Turbine Building. Thus, any leakage of water from the piping carrying water from the containment to the Turbine Building would not accumulate within the clean Auxiliary Building but instead would drain out of it by gravity.

Advantages and Disadvantages

The following advantages result from limiting the maximum potential volume of water that could flood the lowest level of the clean Auxiliary Building:

• Limiting the volume of the potable water tank costs nothing, and might even be slightly cheaper than a larger tank.

• The volume of fire protection water is restricted to below the amount where flooding could be a problem by the simple expedient of using standpipes within the passive containment cooling water storage tank (see Section 8.4.3.6 of this chapter).


Disadvantages resulting from limiting the maximum potential volume of water that could flood the lowest level of the clean Auxiliary Building:

• The filling of the potable water tank needs to be manually initiated, on a regular basis.

• Reinforcing the two rooms containing the transfer piping from the Containment Building to the Turbine Building, and installing drain paths to the Turbine Building, does incur a cost.

ALARP Discussion

This option is ALARP because it eliminates the threat to the safety significant equipment housed in the clean Auxiliary Building from a flood by using the options that comply with the Engineering Key Principles (Section 8.2.1.1 of this chapter):

• Limiting the available volume of potable water and fire-fighting water such that safety significant equipment cannot be affected makes for an intrinsically safe solution, as required by Engineering Key Principle 1.

• Draining away any water from the pipes that pass through the clean Auxiliary Building by gravity, being a passive solution, is at the top of the hierarchy of means of protection, as required by Engineering Key Principle 5.

8.4.5 Primary System Design

8.4.5.1 Selection of the Reactor Coolant Pump Type

The traditional function of a PWR reactor coolant pump is to deliver cooling water to the reactor during both normal operations at power and for fission product heat removal when shut down. The reactor coolant pump type adopted in the US for currently operating plants is the shaft seal pump, which can be made large and can have high hydraulic and electrical efficiencies. The potential design options for the AP600 were numerous: ac powered shaft seal pumps, dc powered safety pumps, canned motor pumps, no pumps (natural circulation) and others.

A basic design premise of the AP600 is to maintain safety and respond to accident situations without reliance on ac power. For post reactor trip core cooling this meant either dc powered safety pumps or reliance on natural circulation through the core. Clearly the no-pump solution is the simplest choice, provided natural circulation could be shown to provide adequate post-shutdown core cooling. This was indeed demonstrated for the AP600 and subsequently for the AP1000, and so natural circulation is the claimed post-trip heat removal method for the AP1000. Forced circulation for normal operation at power is required, as natural circulation would be inadequate at the operational power level; this requires a pump.

A weakness of the shaft seal type pump is the potential for coolant leakage from the seal. Many members of the AP600 design team had experience with canned motor pumps in the US nuclear navy. They knew that these types of pumps are highly reliable and represent a reactor cooling pump solution with no possibility of coolant leakage from the shaft seal. The selection was made for the canned motor pump for the AP600, based on simplicity and reliability. The pump is not claimed to function post accident, and its pressure boundary is continuous, without any leakage during normal or fault conditions. The larger power rating of the AP1000 required an up-scaling of the pumps, which led to changing the pumps from canned motor pumps to seal-less pumps of twice the power.


Advantages and Disadvantages

The following advantages result from choosing seal-less pumps:

• No risk of a LOCA through failure of the shaft seals, thereby significantly enhancing safety.

• Because the motor and the pump bearings are within the coolant boundary, the canned motor pump also allows the designer to eliminate the shaft seal pump support systems, such as seal injection, seal leak off, lubricating oil and fire protection systems. This avoids complexity, and results in lower overall cost.

• Higher intrinsic reliability than shaft seal pumps.

• Reduced fire risk, because there is no lubricating oil system.

• Reduced radioactive effluent, because there is no shaft seal injection flow.

• The decision to use two seal-less pumps for each steam generator loop allowed the attachment of both pumps directly to their steam generator, eliminating the cross-over leg required for shaft seal pumps. This also eliminates the high/low stagnation portion of the cross-over, thus promoting natural circulation for post accident cooling.

• Reduced pump maintenance.

• Lower maintenance dose, because the entire pump and motor are removed for maintenance, avoiding maintenance time in the vicinity of the steam generators.

The following disadvantages result from choosing seal-less motor pumps:

• Seal-less motor pumps are not as efficient as shaft seal pumps.

• Unlike shaft seal pumps, seal-less pumps cannot be repaired in situ, requiring a design to be developed for quick removal and replacement of entire pumps.

• Unlike shaft seal pumps, canned motor pumps of the size required for the AP600 had not been built before. This led to the decision to use two canned motor pumps, of modest extrapolation, for each steam generator loop.

• Natural circulation does not supply sufficient cooling flow at the very beginning of a shut down transient. The passive solution to this challenge was the addition of rotating inertia to the pump, in the form of a heavy flywheel.

ALARP Discussion

The seal-less pump was chosen over the shaft seal pump for reactor coolant duty in a process that promoted satisfying the design requirements of the lowest risk of accidental loss of coolant, the lowest radioactive effluent, substantial reduction in complexity, reduced fire risk, the lowest risk of public or operator radiation exposure and the lowest overall plant cost. The new required design feature of additional rotating inertia was easily tested and proven. The choice exemplifies safety through simplicity. Eliminating the possibility of a LOCA from a failed seal, sacrificing efficiency for higher inherent reliability, and the deletion of pump support systems and attendant reactor coolant leakage is the ALARP decision.

Design work is currently ongoing to upscale the canned motor reactor coolant pumps of the AP600 to the more powerful seal-less pumps required by the AP1000.

8.4.5.2 Use of Grey Rods for Load-Following

Most nuclear power plants today are operated as base load plants, but with some ability to load-follow. For PWRs, this load following capability is achieved by means of systems that manage the boron concentration of the reactor coolant water by recycling the boron in and out, on a short time scale. This requires elaborate and complicated boron and water handling systems outside the containment, and results in restrictions on the rate of load follow available.

Based upon military experience, the AP1000 designers recognised that there is an alternative means of short-term reactivity control to varying the boron concentration of the reactor coolant: grey control rods. These are control rods with a low density neutron absorber, which can be moved to provide modest reactivity adjustments. The materials for grey rods are well known, and their effectiveness for partial reactivity control is easily analysed. It should be noted that grey rods are used in addition to the black safety rods, and are not needed for shutting the reactor down. The maximum number of grey rods that can be fitted is determined by the physical constraints of fitting the rods and their actuators; this limits the degree of load following that can be achieved, but it is nevertheless greater than with the alternative.

Advantages and Disadvantages

The following advantages result from choosing grey control rods as the means for providing a load following capability:

• Greater ability to load-follow than would be achievable with continual boron recycling in and out of the primary coolant.

• Reduced possibility for a reactivity excursion caused by inadvertent dilution of the reactor coolant.

• Reduction of the liquid radioactive effluent discharged to the environment as a result of boron recycling, because relatively little boric acid is used during power operation as load follow is accomplished with grey rods and without changes in the reactor coolant system boron concentration.

• Reduced operator dose because less maintenance is required on the boron and water handling systems.

• Improved operational flexibility, especially towards the end of a fuel-cycle, the most difficult situation for a boron control system.

The following disadvantages are apparent:

• More penetrations through the reactor vessel.

• Potential reactivity faults caused by inadvertent grey rod withdrawal.

• Operator dose resulting from maintenance of the extra control rod actuators.

• More control rod actuators are needed.

ALARP Discussion

The designers of the AP1000 judged that the advantages of a greater degree of load-following capability, reduced operator dose and less environmental impact resulting from the use of grey control rods outweigh the disadvantages. Consideration will be given to providing further justification of two claims: that the risk detriment associated with the increased possibility of a reactivity excursion from inadvertent grey rod withdrawal is less than the benefit gained from the lessened threat of inadvertent boron dilution; and that the operator dose incurred in maintaining the extra control rod actuators is less than the dose saved by reduced maintenance on the boron and water handling systems.

8.4.5.3 Locating the Chemical and Volume Control System within the Containment

The traditional functional requirements for the chemical and volume control system of a PWR are to:

• Fill, make up, let down and drain the primary system during normal operation.

• Provide coolant charging or letdown during certain fault sequences.

• Control the concentration of boron in the coolant during normal operation:

  • For plant start-ups.

  • For load following.

  • To compensate for fuel depletion.

  • While shutdown.

• Maintain the system pH by controlling the level of lithium hydroxide in the reactor coolant water during normal operation.

In operating PWR plants today, these functions are performed by a variety of safety-significant subsystems within the chemical and volume control system, which are outside the containment. In the AP1000, the safety-significant coolant charging or letdown from the chemical and volume control system during certain fault sequences is now performed by other means: the core make-up tanks, the accumulators, the in-containment refuelling water storage tank and, ultimately, the containment sump. The requirement for continual boron recycling in and out of the reactor coolant system has also been eliminated (see Section 8.4.5.2).

The remaining functions of the AP1000 chemical and volume control system consist of reactor coolant filling, make-up, let down and chemical control of the reactor coolant. The chemical and volume control system consists of regenerative and letdown heat exchangers, demineralisers and filters, make-up pumps, tanks, and associated valves, piping, and instrumentation.

The proper chemistry control of the reactor coolant water includes the removal of impurities, both radioactive and non-radioactive. In currently operating PWRs, this function is performed by taking a portion of the reactor coolant out of the containment, reducing its pressure and temperature, purifying it and then re-pressurising it and sending it back into the containment and the reactor coolant system. This process introduces potential reactor coolant leak sites outside the containment.

The simplifications that have been made to the AP1000 chemical and volume control system make it possible to perform continuous coolant purification at full reactor coolant system pressure, by diverting a portion of the reactor coolant flow and using the reactor coolant pump head as the motive force. The purification equipment and the reactor coolant can therefore be kept within the containment structure.

Advantages and Disadvantages

The following advantages result from locating the chemical and volume control system within the containment:

• Reduced potential for loss of coolant accident.

• A simplified chemical and volume control system, and hence a lower cost.

There are no disadvantages resulting from locating the chemical and volume control system within the containment.

ALARP Discussion

This option of high pressure coolant purification inside the containment, instead of pumped, low pressure purification outside the containment, reduces risk with no accompanying detriment. It is therefore ALARP.

8.4.5.4 Zinc Addition to the Primary Coolant

Chemical build-up in the reactor coolant system has the potential to cause water stress corrosion cracking and crud induced power shift. Operation with chemical zinc in the coolant has been demonstrated to change the oxide film on the primary piping and components in such a way as to significantly reduce the potential for stress corrosion cracking and crud-induced power shift. Zinc addition also results in a significant reduction in occupational radiation exposure, by as much as 50% when incorporated as early as the hot functional testing. Zinc addition to the reactor coolant system has been implemented at numerous PWRs to date, with zinc concentrations ranging from 5 to 40 parts per billion.

The design of the chemical and volume control system incorporates a zinc addition subsystem. The reactor coolant water chemistry specifications for the AP1000 specify a maximum zinc concentration of 40 parts per billion (i.e. 40 parts in 1E12), in order to maximise the benefits associated with zinc addition.

Advantages and Disadvantages

The following advantages result from adding zinc to the primary coolant:

• Reduced likelihood of stress corrosion cracking.

• Reduced likelihood of crud induced power shift.

• Reduced occupational radiation exposure, thus, lowering the risk to the operators.

• Reliance on proven technology.

Disadvantages resulting from adding zinc to the primary coolant:

• Slight increase in the cost of the Chemical and Volume Control System.

• Slightly increased operational cost.

ALARP Discussion

This design option results in a substantial reduction in the risk of plant damage from stress corrosion cracking or crud-induced power shift, and in the risk of operator radiation exposure. This is achieved at a very modest cost. It is thus ALARP.

8.4.6 Fuel Route

8.4.6.1 Use of Ion-Exchange Resins for Liquid Waste Processing

Radioactive isotopes accumulate in the reactor coolant and the spent fuel pool cooling water during operation. Some of these isotopes are gaseous or volatile; most are soluble or suspended in the reactor coolant or spent fuel pool coolant water. The AP1000’s dominant source of radioactive water is from let-down during reactor heat-up. Unlike current PWR plants, the AP1000 has no planned leakage of reactor coolant from pump shaft seal leak off; in addition, AP1000 does not recycle dissolved boron in the reactor coolant for load following changes. Lesser sources of radioactive wastewater arise from coolant boron concentration adjustments by feed and bleed, and some small volumes accumulate as a result of sampling operations or as leakage. These sources will accumulate to the point where either they must be discharged from the plant, or re-used when the reactor begins its cool down prior to being shut down.

There are three alternative design possibilities here:

• Store and then re-use the radioactive waste water.

• Concentrate the radioactivity using evaporators, to a level that minimises its discharge volume.

• Process the radioactive water using ion-exchangers, to concentrate the radio-nuclides as solid radioactive waste in resin form.

The storage option would require equipment to store, monitor and recycle relatively small amounts of water. The concentration option would require evaporators, which are complicated, involve a number of fluid systems and use electrical energy. Ion exchangers use disposable resin to capture radio-nuclides in a highly concentrated solid form. After review of the options, the AP1000’s designers decided on the ion-exchange option, on the grounds of the simplicity of the equipment, its minimal operational requirements, the potential failure modes and its minimal energy consumption.

Advantages and Disadvantages

The following advantages result from choosing ion-exchange resins instead of storing and reusing the waste radioactive water:

• Simple and well-proven equipment for processing the radioactive wastewater.

• Obviates the need for complicated equipment to store, monitor and recycle the radioactive water.

• No risk of accidental loss of radionuclides due to leakage from radioactive water storage.

• Lower equipment cost.

• Lower operations cost.

The following advantages result from choosing ion-exchange resins instead of evaporating the waste radioactive water:

• Simple and well-proven equipment for processing the radioactive wastewater.

• Obviates the need for complicated equipment to evaporate the radioactive water.

• No liquid radioactive discharge.

• Avoids the possibility of accidental discharge of highly active radioactive water.

• Lower equipment cost.

• Lower operations cost.

• Lower energy consumption.

The disadvantages of the ion-exchange option are:

• Produces small amounts of solid intermediate level waste.

• Operator dose resulting from maintenance of the ion-exchange equipment.

ALARP Discussion

The problems arising from small amounts of solid intermediate level waste are far less than those of handling large volumes of low level liquid waste. The capture of radioactive isotopes in ion exchange resins is the simplest process, and uses proven technology with the lowest initial and operational costs. It is the ALARP option.

8.4.6.2 Spent Fuel Pool Water Sprays and Water Tight Compartments

The spent fuel pool cooling system for AP1000 is designed to provide long-term pool cooling by passive means in the event that the normal cooling system cooling is lost. However, this relies on the pool being full of water. Beyond Design Basis initiating events have been postulated that could potentially drain the entire contents of the spent fuel pool. An event of this nature would lead to the overheating of freshly discharged spent fuel, to the extent that the zirconium cladding could ignite. The resulting fire from such an event would release significant amounts of radioactive material.

One solution that was considered for this particular Beyond Design Basis initiating event was to equip the area surrounding the spent fuel pool with hose stations capable of spraying the fuel stored in the pool, to provide continued cooling as it becomes uncovered. However, the effectiveness of the hoses was difficult to quantify, and could subject the personnel operating the hoses to the risk of a high radiation exposure.

An alternative design solution was developed, based on preventing the pool from draining its entire contents. Located below the spent fuel pool are two separate waste holdup tank rooms. If the water leaking from the pool could be contained by flooding these rooms, then it would have nowhere else to go, and the fuel would not become uncovered. Analysis has shown that if the pool drained into only one of the waste holdup tank rooms, the water level in the spent fuel pool would not drop below the top of the spent fuel racks. This solution was achieved by strengthening the doors to the waste holdup tank rooms and making these doors water tight, thereby making the rooms leak tight.

In addition, the design was enhanced to include a redundant spray system embedded in the East and West walls of the spent fuel pool, each of which is capable of providing emergency cooling to the pool should it drain. The cooling water to the spray nozzles comes either from the passive containment cooling water tank, using gravity driven flow, or from the fire protection system, using either the motor driven or diesel driven fire pumps.

Advantages and Disadvantages

The following advantages result from installing spent fuel pool water sprays and making the compartments under it water tight:

• The likelihood of the initiating event (pool draining) is substantially reduced; the doors to both waste holdup tank rooms would have to fail before the spent fuel becomes uncovered.

• A diverse defence in depth feature is provided by the spent fuel pool water sprays. These are highly reliable because of in-built redundancy and diverse water supplies.

• Avoids the inherent uncertainty in the effectiveness of the manually deployed hose option.

• Avoids the possibility of operator radiation exposure that would be incurred with manual hose deployment.

The only disadvantage resulting from installing spent fuel pool water sprays and making the compartments beneath the pool water tight is the higher cost of installation than the alternative option of installing hose stations.

ALARP Discussion

Whilst the hose station option is substantially cheaper to install, it would be of dubious effectiveness and would almost certainly result in substantial operator radiation exposure in a real event. The chosen option reduces the event frequency significantly, and provides a very robust defence in depth. It is the ALARP option.

8.4.6.3 Single Failure Proof Cask Loading Crane

The cask loading crane handles fuel assemblies into and out of the fuel storage pond and into and out of the transportation cask. It is located in the fuel handling portion of the Auxiliary Building. Various analyses were performed for the AP1000, to establish the degree of risk to public safety in the event of this crane dropping a fuel assembly. As a result of this work, there was no requirement in the US for this crane to be single failure proof for the AP1000.

However, it was subsequently realised that some other countries where the AP1000 was being promoted may require this type of crane to be single failure proof, by rule. It was decided to specify that this crane be single failure proof for the AP1000, regardless of country of deployment.

Advantages and Disadvantages

The following advantages result from specifying a single failure proof cask loading crane for the AP1000 design:

• Substantial reduction in the risk of dropping a fuel assembly, thus lowering the risk of public or operator radiation exposure.

• Results in standardisation of the AP1000 design.

Disadvantages resulting from specifying a single failure proof cask loading crane for the AP1000 design:

• Modest increase in the cost of the crane.

ALARP Discussion

This design option results in a substantial reduction in the risk of public or operator radiation exposure, achieved at a very modest cost. It is thus ALARP.

8.4.6.4 High Density Fuel Racks

The AP600 spent fuel pool had the capacity to store 619 spent fuel assemblies. The increased power rating of the AP1000 over the AP600 means that more irradiated fuel will need to be stored, making it desirable to increase the storage capacity of the AP1000 spent fuel pool, while maintaining the same safety basis for pool make-up. The AP600 and AP1000 spent fuel pool cooling systems are designed to cool the spent fuel pool for 72 hours passively, and then to cool it actively for the balance of 7 days, using on site sources if the normal forced flow cooling were to be lost.

Increasing the size of the spent fuel pool would create additional room to add storage spaces. However, this was rejected because one of the design objectives for the move from AP600 to AP1000 was not to change the nuclear island footprint and building design. Changing the building design would necessitate a change to the seismic design, which was substantially finished.

Alternatively, the design of the spent fuel pool storage racks could be changed to create additional storage cells without the need to alter the dimensions of the spent fuel pool. The AP600 spent fuel storage racks consisted of only Region 1 racks, with a centre-to-centre spacing of 277mm (10.9 inches). Using a combination of Region 1 and Region 2 racks would allow for increased storage capability within the same footprint, because the centre-to-centre spacing of the Region 2 racks is only 229mm (9.028 inches). It was found that the total spent fuel pool capacity could be increased to 889 spent fuel assemblies using a combination of Region 1 and Region 2 storage racks. The increased storage capacity of the spent fuel pool increased the maximum decay heat in the pool. The existing make-up water sources were found to be adequate to provide safety-significant cooling to the pool with the new higher heat loads, should forced flow cooling be lost.

Advantages and Disadvantages

The following advantages result from incorporating high-density storage racks into the design:

• The capacity of the spent fuel pool increases from 619 storage spaces to 889 storage spaces.

• The same pool footprint is maintained, obviating the need to re-evaluate the seismic design.

• Cheaper than the option of increasing the size of the spent fuel pool.

The only disadvantage resulting from incorporating high-density storage racks into the design is that the maximum decay heat in the pool is increased.

ALARP Discussion

The option to incorporate high-density storage racks is substantially cheaper than the option of increasing the size of the spent fuel pool, and the safety function of removing the decay heat can still be achieved without any upgrading of the cooling system. It is thus the ALARP option.

8.4.7 Duty Systems

8.4.7.1 Start-up Feed Water Cavitating Venturi

The start-up feed water pumps and their associated pipes and valves form the duty system for decay heat removal from the reactor coolant system. If it operates correctly, it obviates the need for its counterpart IAEA Level 3 safety measure, the passive residual heat removal heat exchanger. During a transient, at least one of the two start-up feed water pumps takes suction from the condensate storage tank and delivers feed water to the steam generators.

The potential exists for excessive cool down or steam generator overfill if the water flow from the start-up feed water pumps increases too much. The design of the AP1000 employs a cavitating venturi at the discharge of the start-up feed water pumps to limit the flow. The venturi flow elements provide a passive means of choking the flow. The cavitating venturi also provides the secondary function of a flow measurement signal at normal flow rates.

Advantages and Disadvantages

The following advantages result from incorporating a cavitating venturi at the outlet of the start-up feed water pumps:

• Reduced likelihood of overfilling the steam generators, which could cause water carryover to the turbine.

• Reduced likelihood of excessive cool down of the primary circuit, which would cause a reactivity injection.

• Proven technology.

The only disadvantage resulting from incorporating a cavitating venturi is cost; however, because it also enables flow to be measured, a function that would have to be provided anyway, its net cost is negligible.

ALARP Discussion

The alternative would be to provide control equipment to prevent over-feeding from the start-up feed water pumps. This would be more expensive than the venturi option, which is thus ALARP.

8.4.7.2 Use of Air Diaphragm Pumps for Waste Water Duty

Wastewater needs to be transferred within the plant, from tank to tank or for processing, and ultimately it must be discharged out of the plant. This wastewater can be contaminated and non-radioactive, radioactive, or contaminated and radioactive; the contamination might be oily. In currently operating nuclear power plants, such transfers are brought about by a wide variety of pump types: centrifugal, positive displacement, air operated and others. Those pump types that require seals, especially rotating seals, are prone to leakage, with the potential for consequent radioactive or oily effluent, and accidental loss of radioactive fluid outside the containment.

It was decided to pick a pump type with no seals for wastewater pumping duty. In this type of pump, the working fluid remains fully contained inside the pump’s pressure boundary, thereby eliminating any chance of seal leakage. After consideration of the available pump types, the air diaphragm pump was chosen.

Advantages and Disadvantages

The following advantages result from using air diaphragm pumps for wastewater pumping duty:

• The air diaphragm pump is less expensive than other pump types of the same capacity.

• The air diaphragm pump, being a fully contained pump, eliminates the possibility of accidental loss of radioactive fluid due to seal leakage, thereby minimising the risk of public or operator radiation exposure from wastewater transfer.

There are no disadvantages resulting from using air diaphragm pumps for wastewater pumping duty.

ALARP Discussion

This option is ALARP because it achieves a reduction in the risk of public or operator radiation exposure at less cost than the alternatives.

8.4.7.3 AC Power Fast Bus Transfer

The onsite ac power system is comprised of a normal power supply, a preferred power supply, a maintenance power supply and a standby power supply. The normal, preferred, and maintenance power supplies are included in the main ac power system. The standby power supply is included in the onsite standby power system. These power supplies provide ac at 11 kV.

During normal power generation mode, the main turbine generator supplies electric power to the plant auxiliary loads through the unit auxiliary transformers. This is the normal power supply.

When the plant is shut down or starting up, the generator breaker is open and ac power is provided from the preferred power supply. This comes from the high-voltage sub-station by way of the main step-up transformers (main generator transformers, in UK parlance) and the unit auxiliary transformers.

During maintenance on the main step-up transformers, power comes from the high-voltage sub-station by way of the two reserve auxiliary transformers (station transformers, in UK parlance). Each reserve auxiliary transformer can be used in place of a unit auxiliary transformer; that is, its output rating is the same. Bus transfer to the maintenance power supply is manual or automatic, through a fast bus transfer scheme.

Two onsite standby diesel generators power the onsite standby power system. This supplies power to selected loads in the event of the loss of the normal or the preferred ac power supplies. These loads provide defence-in-depth functionality. The diesel generators are automatically started and connected to their respective buses. In the event of a fast bus transfer, the diesel connection to the bus is delayed so that the fast bus and residual transfer is allowed to initiate.

The original AP1000 design had only one reserve auxiliary transformer, and was vulnerable to losing ac power due to the failure of any of the following:

• Any one of five large oil-filled transformers.

• The 26kV iso-phase bus duct.

• The associated malfunction of the protective relay for the above electrical equipment.

The ac power cut would last for up to approximately two minutes, until such time as the onsite standby diesel generators started, warmed up and loaded; or the plant operators transferred selected loads to the single reserve auxiliary transformer. This condition would result in a reactor trip, because of the loss of the four reactor coolant pumps, which are powered from the unit auxiliary transformer buses.

To prevent such a reactor trip from the electrical faults mentioned above, a fast bus transfer capability was incorporated into the AP1000 design. Automating the bus transfer from the unit auxiliary transformers to the single reserve auxiliary transformer would have required shedding enough non-essential loads to stay within the rating of the reserve auxiliary transformer; this would have required a complex automatic system. Instead, it was decided to adopt a simple automatic capability and a second reserve auxiliary transformer, to allow the transfer of loads from the unit auxiliary transformers to the reserve auxiliary transformers.

In summary, the addition of another reserve auxiliary transformer was chosen to allow for the bus transfer from the unit auxiliary transformers to the reserve auxiliary transformers.

Advantages and Disadvantages

The following advantages result from incorporating a fast bus transfer capability and a second reserve auxiliary transformer:

• Prevents a reactor trip in case of any of various electrical faults, thereby avoiding challenges to the shutdown cooling system, preventing plant wear-out and avoiding the cost of lost electrical production.

• Results in a much simpler and more reliable automatic system than the option with a single reserve auxiliary transformer.

• Two reserve auxiliary transformers allow functionally redundant pumps or groups of loads to be supplied from separate buses.

• Two reserve auxiliary transformers allow increased operational flexibility.

The only disadvantages resulting from incorporating a fast bus transfer capability and a second reserve auxiliary transformer are an increased initial cost and an ongoing maintenance cost, compared with not installing the system at all.

ALARP Discussion

This design option results in a substantial safety and economic benefit, with a new system that is simple and reliable, and which preserves the functional separation of the various redundant pumps. The alternative would involve either doing nothing, and accepting the increased risks; or installing a more complex and potentially unreliable automatic system and saving the cost of the second transformer, but losing the functional separation. It is thus the ALARP option.

8.5 Consideration of Further Options to Enhance Design Safety

8.5.1 Introduction

An ALARP case needs to demonstrate that the designers have properly considered further enhancements to their design. This requires that a process be in place for identifying potential options, which are then either chosen or rejected by means of a cost-benefit analysis. In a cost-benefit analysis, the costs and benefits are expressed on the same basis, usually money, so that a comparison can be made between the different options. It enables broad comparisons to be made between the risk reduction measures on a consistent basis, thereby facilitating the decision making process. In undertaking a cost-benefit analysis, the relevant costs that accrue from implementing a measure to reduce risk must be identified and costed. Likewise, the relevant health and safety and non-health and safety benefits arising from the risk reduction measure must be identified and expressed in monetary terms. The benefits include the avoidance of actions that would otherwise be taken after an incident, such as evacuation, food bans and land use restrictions.

First, the process that was used to identify potential design improvements is described. This is followed by an explanation of the UK cost-benefit analysis process in terms of how the benefits are to be estimated, the rules for discounting both costs and benefits, and an explanation of the UK regulator’s expectations on “gross disproportion”. Next, the Westinghouse design engineers’ cost estimates for including each potential improvement in the AP1000 design are presented, with some explanation of the basis for their derivation. The hypothetical total benefit of eliminating the total risk (this would be impossible to realise, in practice) is then calculated. Any individual design improvement whose cost is more than this figure can thus be eliminated, because it could never be cost-beneficial. Finally, the remaining potential improvements are subjected to an individual cost-benefit analysis, following which they are either chosen or rejected.

8.5.2 The Process for Identifying Potential Design Improvement Options

At the end of the AP1000 design process, as described in Section 8.2.2 of this chapter, the NRC required that it be demonstrated whether additional reduction in risk would be cost effective. This process is known as the severe accident mitigation design alternatives (SAMDA) process. The process used for identifying and selecting additional candidate design alternatives included the following sources of ideas:

• Additional design features identified by the NRC.

• Additional design features identified by Westinghouse.


• Design alternatives evaluated for other plant designs.

• Suggestions from AP600 and AP1000 design personnel.

• Assessment of the AP600 and AP1000 PRA results.

• Review of SAMDAs evaluated for other plant designs.

The AP1000 SAMDA process evaluated the following additional design features:

• Diverse containment recirculation valves.

• Normal residual heat removal system located inside the containment.

• Self-actuating containment isolation valves.

• Improved reliability of the diverse actuation system.

• Diverse IRWST injection valves.

• Steam generator safety valve flow directed to the IRWST.

• Steam generator shell-side passive heat removal system.

• Chemical and volume control system upgraded to mitigate small LOCAs.

• Ex-vessel core catcher.

• Secondary containment filtered ventilation.

• Passive containment spray.

• Filtered containment vent.

• Increase of steam generator secondary side pressure capacity.

• High-pressure containment design.

• Active high-pressure safety injection system.

Two design changes additional to those identified in the SAMDA process were also considered for inclusion in the AP1000 design:

• Larger accumulators.

• Larger fourth-stage ADS valves.

More details of each of the above options are given in Appendix 8.4 of this chapter, which describes the potential AP1000 design improvements that were not taken forward.

Each of the SAMDA options and the two additional design changes was subjected to a cost-benefit analysis carried out to NRC rules. A bounding methodology was used in the evaluation, such that the potential benefit of each alternative was conservatively maximised. It was assumed that each SAMDA performed beyond expectations, to the extent that it eliminated the severe accident that it was supposed to address. The capital cost estimates for each alternative were intentionally biased on the low side, so that the comparison favours adopting the alternative. Such an approach maximises the potential net benefit associated with each alternative. This is explained in more detail in Appendix 1B of Reference 8.2.

The results for the AP1000 show that only one of the SAMDAs evaluated provides risk reductions that are cost-beneficial, despite the significant conservatism used in the evaluation. This is due primarily to the already low risk profile of the AP1000 design. Therefore, the option to include diversity within the containment recirculation valves has been incorporated into the design of the AP1000. Details of the diverse containment recirculation valves SAMDA are as follows:

• The diverse containment recirculation valves SAMDA consists of changing the containment recirculation valve designs, so that two out of the four lines use diverse valves. In the AP600 design, each of the four lines contained a squib valve, two of the lines contained non-return valves, and the other two lines contained motor-operated valves. In order to provide diversity, the squib valves in two of the lines would be made diverse, thereby reducing the frequency of core melt by eliminating the common cause failure of the containment recirculation.

• The four AP600 recirculation squib valves were of the “low-pressure” type and were a part of a single common cause group. In the AP1000, two of these valves that are in series with non-return valves are designated to be of “high-pressure” type, which are in a common cause group with the same design of valves on the IRWST injection lines. Thus, the common cause failure mode that fails the four recirculation lines in the AP600 is eliminated, and it is replaced with the product of two common cause failure modes, one applicable to the group of six high-pressure squib valves and the other to the two low-pressure squib valves. This design change reduces the likelihood of recirculation failure.

• To estimate the benefit from this SAMDA, the core damage sequences resulting from a failure of containment recirculation are assumed to be averted. Core damage sequences resulting from failure of containment recirculation correspond to probabilistic risk assessment core damage frequency at long term following failure of water recirculation to the reactor pressure vessel (RPV) after successful gravity injection.

None of the other SAMDAs were cost-beneficial on the NRC approach. The cost-benefit analysis must now be repeated using UK parameters and NII rules, to explore whether any of the other proposed enhancements would be required for an AP1000 reactor built in the UK. This analysis is set out in the following sections.

8.5.3 Cost-Benefit Analysis Methodology Using UK Parameters and Regulatory Rules

8.5.3.1 Estimation of the Potential Benefits

For this particular ALARP assessment, it has been decided to attribute no benefit to the value of lost availability of the plant; that is, to the value of lost electricity production. This is conservative, as far as the cost-benefit analysis is concerned, because such benefit would actually be very real. Otherwise, the benefit of any proposed additional design feature required to control a risk arises from three sources:

• Reducing the expected cost of clean-up of the plant, by lowering the probability of a nuclear accident in which there is core damage.


• Reducing the expected cost of environmental clean-up, by lowering the probability of a large release of radioactivity.

• Averting cancer and radiation induced deaths, by lessening the expected radiation dose to staff and the public.

These three benefits come from averting the successive stages of an accident sequence: the first stage occurs once there is substantial damage to the fuel, due to high neutron flux or overheating; the second stage occurs when the multiple barriers to fission product release fail; the third and final stage is when staff or members of the public are exposed to radiation. The three stages correspond to the analysis levels of the PSA. The first stage is the prediction of the frequency of core damage; the second stage is the prediction of the frequency of the large release of radioactivity; and the third stage is the frequency of various doses being received by the two populations.

The benefit of preventing an event that results in core damage and the subsequent plant clean up and repair is assumed to be £2 billion. This figure is comparable to the total initial cost of the plant.

The benefit of preventing an event that results in a large release of radioactivity comes from averting the costs of large-scale evacuation, food bans, land use restrictions and environmental clean-up of a large area. A figure of £20 billion is assumed.

The value for preventing a death from cancer caused by radiation exposure is taken to be £2 million (see Reducing Risks, Protecting People, Reference 8.12). The ICRP recommends a value of 5% per man-Sievert (Sv) for the overall risk coefficient (see ICRP 103, the 2007 Recommendations of the International Commission on Radiological Protection, Reference 8.13). The resulting benefit is thus £100,000 per man-Sv reduction in dose. To evaluate this benefit for each proposed additional design feature, an estimate is needed of the likely reduction in radiation dose resulting from its incorporation into the design.

8.5.3.2 Discounting

Discounting is a technique used to compare costs and benefits that occur in different time periods. It is a separate concept from inflation, and is based on the principle that, generally, people prefer to receive goods and services now rather than later. Society, as a whole, also prefers to receive goods and services sooner rather than later, and to defer costs to future generations. Thus both people and society value a benefit in the present more highly than the same benefit received some time in the future. Similarly, a health and safety measure paid for in the present is considered to be more costly than if it is paid for at some future date.

The discount rate recommended by HM Treasury for both costs and benefits is 3.5% (see The Green Book: Appraisal and Evaluation in Central Government, Reference 8.14). This assumes that the monetary costs and benefits are expressed in real terms; that is, at constant prices. The discount rate is made up of the sum of two components:

• The first reflects individuals’ preference for consumption now rather than later, at a numerical value of 1.5%.

• The second is the rate of real GDP per capita growth; that is, by about 2% per year currently.

Lower effective discount rates apply to health and safety benefits accruing more than 30 years into the future. Advice is provided by HM Treasury, as follows: “Where the appraisal of a proposal depends materially upon the discounting of effects in the very long term, the received view is that a lower discount rate for the longer term (beyond 30 years) should be used. The main rationale for declining long-term discount rates results from uncertainty about the future. This uncertainty can be shown to cause declining discount rates over time. In light of this evidence, it is recommended that for costs and benefits accruing more than 30 years into the future, appraisers use the schedule of discount rates provided in Table 6.1 below”. The said table (Table 6.1 of the Green Book) reduces the discount rate by half a percentage point, from the base figure of 3.5% to 3.0%, for years 31 to 75.

The AP1000 has a design life of 60 years. Thus the 3.5% discount rate applied for the first 30 years needs to change to 3.0% for the second 30 years of life.

8.5.3.3 Gross Disproportion

The concept of gross disproportion requires duty-holders to weigh the costs of a proposed enhancement against its risk reduction benefits, and to implement the enhancement unless its cost is grossly disproportionate to the benefits achieved. The disproportion factor, the ratio of cost to benefit above which an enhancement may be rejected, must therefore be significantly larger than unity. The Nuclear Safety Directorate (NSD) takes as its starting point the HSE submission to the 1987 Sizewell B Inquiry: a factor of up to 3 applies for risks to workers; for low risks to members of the public a factor of 2 applies, and for high risks a factor of 10.

8.5.3.4 Sensitivity Analysis

A sensitivity analysis consists of varying one or more of the parameters or assumptions of the cost benefit analysis to see how these variations affect the cost benefit analysis outcomes. Duty-holders ought to conduct a sensitivity analysis, particularly if the cost benefit analysis is being used to “show” that further measures are not reasonably practicable.

8.5.4 Estimated Costs of the Potential Improvement Options

The cost of any proposed measure that would be required to control a risk needs to be assessed. Appendix 1B of Reference 8.2 provides the Westinghouse design engineers’ estimates of the cost for most of the potential additional design features in US dollars. These are shown in order of increasing cost in the table below. Also shown are the costs in UK pounds, assuming an exchange rate of $1.5 to £1.

The costs are assumed to occur during plant build, with no ongoing operational and maintenance spend. This is conservative, as far as the cost-benefit analysis is concerned, because such costs will actually be incurred. As a consequence of this assumption, no discounting of the cost (see Section 8.5.3.2 of this chapter) is applicable.


Table 8-1 Estimated Costs of Improvement Options

Estimated cost of each design alternative, in US $ and (at $1.5 to £1) in £:

1. Locate the normal residual heat removal system inside the containment: virtually no risk reduction benefit, so its cost was not investigated further.

2. Self-actuating containment isolation valves: $33,000 (£22,000).

3. Improved reliability of the diverse actuation system: $470,000 (£310,000).

4. Diverse In-containment Refuelling Water Storage Tank (IRWST) injection valves: $570,000 (£380,000).

5. Steam generator safety valve flow directed to the IRWST: $620,000 (£413,000).

6. Steam generator shell-side passive heat removal system: $1,300,000 (£870,000).

7. Chemical and volume control system upgraded to mitigate small LOCAs: $1,500,000 (£1,000,000).

8. Ex-vessel core catcher: $1,660,000 (£1,100,000).

9. Secondary containment filtered ventilation: $2,200,000 (£1,500,000).

10. Passive containment spray: $3,900,000 (£2,600,000).

11. Filtered containment vent: $5,000,000 (£3,300,000).

12. Increase of steam generator secondary side pressure capacity: $8,200,000 (£5,500,000).

13. High-pressure containment design: $50,000,000 (£33,000,000).

14. Active high-pressure safety injection system: extremely expensive, because it contravenes a fundamental design objective; no figure given.

15. Larger accumulators: significant increase in cost; no figure given.

16. Larger fourth-stage ADS valves: significant increase in cost; no figure given.

8.5.5 Benefit Threshold for the Potential Improvement Options

8.5.5.1 Overview of the Process for Deriving the Benefit Threshold

The AP1000 is designed to be a very safe nuclear power plant, but it still has a finite probability of core damage occurring, a different but lower probability of releasing a large amount of radioactivity and a finite risk of radiation exposure to the plant personnel and the public; although these are small relative to currently operating PWR power plants. The maximum attainable benefit would be realised if these probabilities and risk could be reduced to zero. The value of this benefit can be evaluated by using the parameters specified for performing a UK cost-benefit analysis. This results in an annual benefit, which can be converted to a whole life value by applying the discounting formula. The reason for calculating this hypothetical total benefit is to set the maximum allowable spend on any single design improvement; any proposed further improvement costing more than this figure cannot possibly be cost-beneficial, as its benefits are bound to be less. The expectation is that applying this filter should significantly reduce the number of potential design improvements needing individual cost-benefit assessment.

8.5.5.2 Evaluating the Core Damage Frequency and the Large Release Frequency

The following table, which is an extract from the PRA (Table 19.59-15 of Reference 8.1), summarises the core damage and large release frequencies for both the “at power” and the “shutdown” situations, and it indicates the relative magnitude of the various contributors. The table shows that there is little difference between the “at power” and “shutdown” situations, but that the large release frequency is an order of magnitude less than the core damage frequency.

Table 8-2 AP1000 PRA Results for Core Damage Frequency and Large Release Frequency

Events          | Core Damage Frequency, per year | Large Release Frequency, per year
                | At Power    | Shutdown          | At Power    | Shutdown
Internal Events | 2.41×10^-7  | 1.23×10^-7        | 1.95×10^-8  | 2.05×10^-8
Internal Flood  | 8.82×10^-10 | 3.22×10^-9        | 7.14×10^-11 | 5.37×10^-10
Internal Fire   | 5.61×10^-8  | 8.5×10^-8         | 4.54×10^-9  | 1.43×10^-8
Sub-Totals      | 2.97×10^-7  | 2.11×10^-7        | 2.41×10^-8  | 3.53×10^-8
Grand Totals    | 5.09×10^-7                      | 5.94×10^-8

Applying the factor of £2 billion for averting core damage results in a value of £1016 per year benefit; likewise, for the avoidance of a large release, a value of £1188 per year benefit is obtained. These are very small values.

8.5.5.3 Evaluating the Dose Risk

To assess the potential benefits associated with a design alternative, estimates are made of the offsite population doses resulting from each of the release categories (see Appendix 8.1 for an explanation of release category). The code MACCS2 version 1.12 (NUREG/CR-6613, Vol. 2, SAND97-0594, Reference 8.15) is used for the analysis. The NRC sponsored the development of this code. The code performs probabilistic estimates of offsite consequences from potential accidental releases in conformance with Chapter 9 of the probabilistic risk assessment guidelines described in NUREG/CR-2300 (see Reference 8.16). The relative contributions (Section 19.59.4.1 of Reference 8.21) to the large release frequency from each of the release categories are as follows:

• Containment bypass 54%

• Early containment failure 38%

• Containment isolation failure 7%

The total frequency of the first two categories, which together make up 92 percent of the plant large release frequency, is 1.8×10^-8 events per year. The contributions of the late containment failure and intermediate containment failure release categories to the large release frequency are negligible. With intact containment, there is no large release at all.

Doses are determined for the early exposure effects resulting from the initial 24 hours following the core damage initiation. The dose evaluation provides the conditional probability distributions for the consequence measures, which include the whole-body dose for this analysis. These consequence probability distributions are based on the assumption that the accident that produced the source term has occurred. Therefore, the consequence probability distributions presented result from the variation in dose levels due to the various meteorological conditions. Hence, the actual probability of the identified dose levels would be the probability of occurrence of the release category that produced the source term, multiplied by the probability of the dose level.

Multiplying the calculated frequency of each fission product release category by the mean dose for each category, then summing the results gives the total dose risk of the AP1000. The frequencies and the mean doses for each of the six release categories are quantified in the AP1000 PRA as discussed in Chapter 19 of Reference 8.1. The table below presents the results of the dose risk calculations at the site boundary at 24 hours. The table presents the release category identifier (see below), the release frequency, the mean dose, the resulting risk and the relative contribution of each release category to the total risk.

Table 8-3 Population Whole Body Effective Dose Equivalent Risk at 24 hours after Core Damage Occurs

Release Category | Release Frequency, per reactor year | Mean Collective Dose, man-Sv | Risk, man-Sv per reactor year | Contribution to Total Risk, %
CFI              | 1.89×10^-10                         | 7.03×10^3                    | 1.33×10^-6                    | 0.3
CFE              | 7.47×10^-9                          | 8.51×10^3                    | 6.36×10^-5                    | 14.7
IC               | 2.21×10^-7                          | 7.19×10^0                    | 1.59×10^-6                    | 0.4
BP               | 1.05×10^-8                          | 3.23×10^4                    | 3.39×10^-4                    | 78.4
CI               | 1.33×10^-9                          | 2.01×10^4                    | 2.67×10^-5                    | 6.2
CFL              | 3.45×10^-13                         | 7.37×10^1                    | 2.54×10^-11                   | 0.0
Total            | 2.41×10^-7                          |                              | 4.32×10^-4                    | 100

The total collective dose risk is 4.32×10^-4 man-Sv per year. Applying the factor of £100,000 for averting one man-Sv of collective dose results in a value of only £43 per year benefit.

8.5.5.4 Derivation of the Total Hypothetical Benefit of Eliminating Risk

Summing the three components of annual benefits derived above for the avoidance of core damage, environmental clean up and dose to human beings gives a total annual benefit of £2250. This can be converted to a whole 60-year life value for the NPP by applying the discounting formula; in effect, this is equivalent to multiplying by the factor 25.6, for the discount rates that have to be used for UK safety cases. The resultant hypothetical total benefit of eliminating risk is £57,500.

The reason for calculating this hypothetical total benefit is merely to set the mark for the maximum allowable spend on any single design improvement; that is to say, any proposed further improvement costing more than this figure cannot possibly be cost-beneficial, as its benefits are bound to be less. The expectation is that applying this filter should significantly reduce the number of potential design improvements needing individual cost-benefit assessment.


8.5.5.5 Applying the Concept of Gross Disproportion

It is necessary to demonstrate “gross disproportion” in the cost-benefit analysis; that is, it needs to be demonstrated that any cost is a factor of several greater than the corresponding benefit.

Given the very low risks for the AP1000, a disproportion factor of 2 is appropriate. The UK benefit threshold for the hypothetical perfect design improvement that eliminates risk is thus £115,000. Any real potential design improvement costing more than this is demonstrably not cost effective.

From review of the costs of each of the potential design improvements, it is apparent that there is only one candidate whose estimated cost is below the benefit threshold derived above, and thus requires an individual cost-benefit analysis: self-actuating containment isolation valves would cost £22,000. However, the next three cheapest options have also been subjected to an individual cost-benefit analysis, in order to provide confidence that the ALARP case is robust and not susceptible to challenge that the cost estimates on which it is based are inaccurate or that the gross disproportion factor is still too small.

8.5.6 Cost Benefit Analysis of Individual Potential Design Options

8.5.6.1 Self-Actuating Containment Isolation Valves

This potential design alternative consists of improved containment isolation provisions on the normally open containment penetrations. The category of “normally open” is limited to normally open pathways to the environment during power and shutdown conditions, excluding closed systems inside and outside the containment such as the normal residual heat removal system and component cooling. The design alternative would be to add a self-actuating valve or to enhance the existing inside containment isolation valve to provide for self-actuation in the event that containment conditions are indicative of a severe accident. Conceptually, the design would either be an independent valve or an appendage to an existing fail-closed valve that would respond to post-accident containment conditions within the containment; for example, a fusible link would melt in response to elevated ambient temperatures resulting in venting the air operator of a fail-closed valve. This would provide the self-actuating function.

The benefits of this potential design alternative are evaluated by assuming, generously, that it eliminates the containment isolation failure (CI) release category; this does not include induced containment failures that occur at the time of the accident, such as in cases of vessel rupture or anticipated transients without scram. Thus the component of the large release frequency and the component of collective dose due to CI events can each be set to zero. This potential design alternative ameliorates the consequences of a core damage event but has no effect on reducing its frequency.

From Table 8-3, the large release frequency for CI events is 1.33×10^-9 per year. Applying the factor of £20 billion for averting a large release, the value of averting the part of the large release frequency due to CI events is thus only £27 per year. Likewise, the mean collective dose from CI events is 2.01×10^4 man-Sv, giving a collective effective dose equivalent risk from CI events of 2.67×10^-5 man-Sv per year. This is such a low risk that the value of averting it is a mere £3 per year.

Discounting the benefit of total elimination of the CI release category over 60 years gives an assessed benefit of £750. The proposed enhancement would thus not be cost-effective, as it would require a disproportion factor of 29 to make it worthwhile. Thus there is an ALARP case for not including this potential design alternative.


8.5.6.2 Improved Reliability of the Diverse Actuation System

The second cheapest option is the improved reliability of the diverse actuation system. The estimated cost of this is £310,000, which is well above the UK threshold for the hypothetical total benefit of eliminating risk. The benefit accruing from this modification has not yet been evaluated. This will be done at the next release of this PCSR, and the disproportion factor evaluated.

8.5.6.3 Diverse IRWST Injection Valves

Sequences that are initiated by a LOCA with successful reactor coolant system depressurization but failure of the gravity injection prior to core damage are grouped into accident class 3BE. Failure of the gravity injection is due to common cause failures of the IRWST injection line squib valves and non-return valves. The potential design improvement consists of changing the IRWST injection valve designs so that two of the four lines use diverse valves. This change would reduce the frequency of core melt by eliminating the common cause failure of the IRWST injection.

To estimate the benefit from this potential design alternative, the core damage sequences resulting from a failure of IRWST injection are assumed to be averted. Core damage sequences resulting from a failure of IRWST injection correspond to probabilistic risk assessment Level 1 accident class 3BE; thus, the 3BE end state would be eliminated.

The importance and sensitivity analysis applied to the PRA calculates that the 3BE end state contributes 0.806×10^-7 per year to the “at power” core damage frequency. The estimated core damage frequency while shut down is 1.23×10^-7 per year (Section 19.59.5 of Reference 8.1), and the relative contribution of the 3BE end state to it is 0.33, that is, 0.41×10^-7 per year. Summing the two values gives the component of the core damage frequency due to 3BE events as 1.21×10^-7 per year. The monetary benefit of averting this is £242 per year.

Similarly, the 3BE end state contributes 14% of the “at power” large release frequency of 0.195×10^-7 per year, and 77.4% of the “shutdown” large release frequency of 0.205×10^-7 per year. Summing the two values gives the component of the large release frequency due to 3BE events as 1.86×10^-8 per year. The monetary benefit of averting this is £372 per year.

No figure is quoted for the dose risk reduction from eliminating the 3BE end state, so, to maximise the benefit credited to the option, the whole of the dose risk is assumed to be attributable to it, with a monetary benefit of £43 per year (see Section 8.5.5.3).

Discounting the benefit of total elimination of the 3BE end state over 60 years gives an assessed benefit of £17,000. The proposed enhancement would thus not be cost-effective, as it would require a disproportion factor of more than 22 to make it worthwhile. Thus there is an ALARP case for not including this potential design alternative.

8.5.6.4 Steam Generator Safety Valve Flow Directed to the IRWST

This potential design improvement would redirect the flow from the steam generator safety and relief valves to the IRWST. This would prevent or reduce fission product release from bypassing the containment in the event of a steam generator tube rupture event.

Release Category BP events are accident sequences in which fission products are released directly from the reactor coolant system to the environment via the secondary system or another interfacing system, bypassing the containment. The fission-product release to the environment begins approximately at the onset of fuel damage, and there is no attenuation of the magnitude of the source term from natural deposition processes beyond that which occurs in the reactor coolant system, in the secondary system, or in the interfacing system. In order to evaluate the benefit from this potential design alternative, the design change is conservatively assumed to eliminate the entire BP release category.

This potential design alternative ameliorates the consequences of a core damage event but has no effect on reducing its frequency.

The 3BP end state contributes 14% of the “at power” large release frequency of 0.241×10^-7 per year, and 77.4% of the “shutdown” large release frequency of 0.353×10^-7 per year. Summing the two values gives the component of the large release frequency due to 3BP events as 1.82×10^-8 per year. The monetary benefit of averting this is £363 per year.

The dose risk attributable to BP events in Table 8-3 is 3.39×10^-4 man-Sv per year (78.4% of the total), so the monetary benefit of averting it is £34 per year.

Discounting the benefit of total elimination of the 3BP end state over 60 years gives an assessed benefit of £10,200. The proposed enhancement would thus not be cost-effective, as it would require a disproportion factor of more than 40 to make it worthwhile. Thus there is an ALARP case for not including this potential design alternative.
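The following Python script is an added worked example, not part of the PCSR, that carries the cost-benefit arithmetic of Sections 8.5.3.2 (step-down discounting), 8.5.5 (benefit threshold) and 8.5.6 (individual options) through in code, so that the screening and the disproportion factors can be recomputed and the sensitivity check of Section 8.5.3.4 run on them. The valuation parameters, frequencies, dose risks and costs are the chapter's own figures; the end-of-year discounting convention and the way the 3.0% rate is compounded after year 30 are assumptions of the example, which is why it returns a 60-year factor of about 25.4 against the chapter's 25.6. Every verdict is the same either way.

```python
"""Worked UK ALARP cost-benefit screen for the AP1000 design options.

Added example reproducing the arithmetic of Sections 8.5.3 to 8.5.6 from the
figures quoted in the chapter.  Frequencies are per reactor-year; money is in
GBP at constant prices.  Assumption (not stated in the chapter): benefits are
discounted at the end of each year, and the 3.0% rate for years 31-60 is
compounded onto the year-30 discount factor rather than applied from year zero.
"""

# Valuation parameters, Section 8.5.3.1.
VALUE_CORE_DAMAGE = 2.0e9      # GBP per averted core-damage event
VALUE_LARGE_RELEASE = 20.0e9   # GBP per averted large release
VALUE_PER_MAN_SV = 1.0e5       # GBP per man-Sv averted: 2M GBP x 0.05 per Sv

# Plant-wide PRA inputs, Tables 8-2 and 8-3.
CDF_TOTAL = 5.09e-7            # core damage frequency
LRF_TOTAL = 5.94e-8            # large release frequency
DOSE_RISK_TOTAL = 4.32e-4      # man-Sv per reactor-year

# Table 8-1 costs in GBP; None where the chapter gives no figure.
OPTIONS = [
    ("Normal RHR system inside containment", None),
    ("Self-actuating containment isolation valves", 22_000),
    ("Improved reliability of the diverse actuation system", 310_000),
    ("Diverse IRWST injection valves", 380_000),
    ("SG safety valve flow directed to the IRWST", 413_000),
    ("SG shell-side passive heat removal", 870_000),
    ("CVS upgraded to mitigate small LOCAs", 1_000_000),
    ("Ex-vessel core catcher", 1_100_000),
    ("Secondary containment filtered ventilation", 1_500_000),
    ("Passive containment spray", 2_600_000),
    ("Filtered containment vent", 3_300_000),
    ("Increased SG secondary side pressure capacity", 5_500_000),
    ("High-pressure containment design", 33_000_000),
    ("Active high-pressure safety injection", None),
    ("Larger accumulators", None),
    ("Larger fourth-stage ADS valves", None),
]


def annual_benefit(cdf, lrf, dose_risk):
    """Expected yearly benefit of averting the given risk components."""
    return (cdf * VALUE_CORE_DAMAGE
            + lrf * VALUE_LARGE_RELEASE
            + dose_risk * VALUE_PER_MAN_SV)


def discount_factor(years=60, rate_first=0.035, rate_later=0.030, switch_after=30):
    """Sum of yearly discount factors over the plant life (Section 8.5.3.2).

    3.5% for years 1-30, then the Green Book long-term rate of 3.0% for the
    remaining years, compounded onto the year-30 factor (assumed convention).
    """
    total, factor = 0.0, 1.0
    for year in range(1, years + 1):
        rate = rate_first if year <= switch_after else rate_later
        factor /= 1.0 + rate
        total += factor
    return total


def whole_life_benefit(cdf, lrf, dose_risk, years=60):
    """Discounted benefit over the design life of averting the components."""
    return annual_benefit(cdf, lrf, dose_risk) * discount_factor(years)


def benefit_threshold(disproportion_factor=2.0):
    """Maximum spend that could ever be justified for a single option: the
    whole-life benefit of eliminating all risk times the disproportion
    factor (Section 8.5.5.5)."""
    return disproportion_factor * whole_life_benefit(
        CDF_TOTAL, LRF_TOTAL, DOSE_RISK_TOTAL)


def screen_options(options, threshold):
    """Names of the costed options cheap enough to warrant an individual CBA."""
    return [name for name, cost in options if cost is not None and cost <= threshold]


def required_disproportion_factor(cost, cdf, lrf, dose_risk, benefit_multiplier=1.0):
    """Cost divided by discounted benefit: the option is justified only if
    this is no greater than the applicable disproportion factor.
    benefit_multiplier is the sensitivity knob of Section 8.5.3.4: scale
    every benefit up (for example x10) and see whether the verdict changes."""
    return cost / (benefit_multiplier * whole_life_benefit(cdf, lrf, dose_risk))


# Risk components each option is credited with averting (Section 8.5.6).
CI_VALVES = dict(cost=22_000, cdf=0.0, lrf=1.33e-9, dose_risk=2.67e-5)
IRWST_DIVERSE = dict(cost=380_000, cdf=1.21e-7, lrf=1.86e-8, dose_risk=4.32e-4)
SG_SV_TO_IRWST = dict(cost=413_000, cdf=0.0, lrf=1.82e-8, dose_risk=3.39e-4)


if __name__ == "__main__":
    threshold = benefit_threshold()
    print(f"discount factor over 60 years: {discount_factor():.2f}")
    print(f"benefit threshold at DF 2:     GBP {threshold:,.0f}")
    print("options needing individual CBA:", screen_options(OPTIONS, threshold))
    for name, opt in (("CI valves", CI_VALVES),
                      ("diverse IRWST valves", IRWST_DIVERSE),
                      ("SG SV flow to IRWST", SG_SV_TO_IRWST)):
        df = required_disproportion_factor(**opt)
        df10 = required_disproportion_factor(**opt, benefit_multiplier=10)
        print(f"{name}: DF required {df:.1f} (with benefits x10: {df10:.1f})")
```

The sensitivity column is the point of the exercise: even with every benefit inflated tenfold, the cheapest option still needs a disproportion factor near 3, above the factor of 2 that applies to low public risks, so the ALARP argument does not hinge on the precision of the cost estimates or on the exact discount convention.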

8.6 Conclusions

1. The AP1000 design complies with the numerical targets and the Engineering Key Principles of the UK nuclear regulator.

2. The AP1000 design satisfies the requirements specified by the US and the European nuclear operators for the next generation of nuclear power stations.

3. The design decisions taken by Westinghouse in the evolution of the design of the AP1000 have followed relevant good practice.

4. The AP1000 design has safety measures and defence in depth at each of the internationally accepted levels.

5. The use of PRA during the AP1000 design process has led to a further reduction in the level of risk and an ALARP design.

6. A qualitative review of the principal design decisions made for the AP1000 shows that each decision taken was the ALARP option.

7. The designers of the AP1000 considered further enhancements to the design of the AP1000. A quantitative review of these identified potential design improvements demonstrates that none of them is cost-beneficial, with a high disproportion factor in every instance.

It is therefore concluded that the risk associated with the AP1000 design is ALARP, and the relevant claim is achieved.


REFERENCES

8.1. WEC, EPS-GW-GL-700, Rev. 1, AP1000 European Design Control Document, December 2009.

8.2. WEC, APP-GW-GER-005, Rev. 1, Safe and Simple: the Genesis and Process of the AP1000 Design, J Winters, August 2008.

8.3. US NRC, 10 CFR Part 20, Appendix B, April 28, 1995, Annual Limits on Intake and Derived Air Concentrations of Radionuclides for Occupational Exposure; Effluent Concentrations; Concentrations for Release to Sewerage.

8.4. US NRC, 10 CFR Part 50, Domestic Licensing of Production and Utilization Facilities, and the following appendices:

- Appendix A, General Design Criteria for Nuclear Power Plants.

- Appendix B, Quality Assurance Criteria for Nuclear Power Plants and Fuel Reprocessing Plants.

- Appendix E, Emergency Plans and Emergency Preparedness.

- Appendix G, Fracture Toughness Requirements.

- Appendix H, Reactor Vessel Material Surveillance Program Requirements.

- Appendix I, Numerical Guides for Design Objectives and Limiting Conditions for Operation to Meet the Criterion “As Low as Reasonably Achievable” for Radioactive Material in Light-Water-Cooled Nuclear Power Reactor Effluents.

- Appendix J, Primary Reactor Containment Leakage Testing for Water Cooled Power Reactors.

8.5. US NRC, 10 CFR Part 73, Physical Protection of Plant and Materials.

8.6. UK NII, Safety Assessment Principles for Nuclear Facilities, Revision 1, December 2006.

8.7. IAEA, Safety Standards Series Number NS-R-1, Safety of Nuclear Power Plants: Design, 2000.

8.8. EPRI, Advanced Light Water Reactor Utility Requirements Document, Revision 8, 1999.

8.9. European Utility Requirements, Revision C, April 2001, European Utility Requirements Document for Light Water Reactor Nuclear Power Plants.

8.10. WEC, APP-GW-GLR-126, AP1000 Nuclear Island Response to Aircraft Impact.

8.11. WEC, UKP-GW-GL-045, Rev. 0, Revision Draft, AP1000 Equivalence/Maturity Study of the US Codes and Standards, December 2009.

8.12. UK HSE, 2001, Reducing Risks, Protecting People.

8.13. ICRP 103, The 2007 Recommendations of the International Commission on Radiological Protection.


8.14. HM Treasury, The Green Book: Appraisal and Evaluation in Central Government, November 2007.

8.15. US NRC, SAND97-094, Volume 2, NUREG/CR-6613 – Code Manual for MACCS2.

8.16. US NRC, NUREG-2300, Volume 2, Chapter 9, PRA Procedures Guide.


APPENDIX 8.1 AP1000 RELEASE CATEGORIES

A8.1.1 Introduction

The release categories for the AP1000 are defined as follows:

IC – Intact Containment: Containment integrity is maintained throughout the accident, and the release of radiation to the environment is due to nominal leakage.

CFE – Containment Failure Early: Fission products are released through a containment failure caused by severe accident phenomena occurring after the onset of core damage but prior to core relocation.

CFI – Containment Failure Intermediate: Fission products are released through a containment failure caused by severe accident phenomena occurring after core relocation but before 24 hours.

CFL – Containment Failure Late: Fission products are released through a containment failure caused by severe accident phenomena occurring after 24 hours.

CI – Containment Isolation Failure: Fission products are released through a failure of the system or valves that close the penetrations between the containment and the environment. Containment failure occurs prior to the onset of core damage.

BP – Containment Bypass: Fission products are released directly from the reactor coolant system to the environment via the secondary system or other interfacing system bypass. Containment failure occurs prior to the onset of core damage.

Elaboration on the AP1000 release categories is provided in the following sections.

A8.1.2 Release Category IC – Intact Containment

If the containment integrity is maintained throughout the accident, then the release of radiation from the containment is due to nominal leakage and is expected to be within the design basis of the containment. This is the “no failure” containment failure mode and is termed intact containment. The main location for fission-product leakage from the containment is penetration leakage into the auxiliary building, where significant deposition of aerosol fission products may occur.


A8.1.3 Release Category CFE – Early Containment Failure

Early containment failure is defined as failure that occurs in the time frame between the onset of core damage and the end of core relocation. During the core melt and relocation process, several dynamic phenomena can be postulated to result in rapid pressurization of the containment to the point of failure. The combustion of hydrogen generated in-vessel, steam explosions, and reactor vessel failure from high pressure are major phenomena postulated to have the potential to fail the containment. If the containment fails during or soon after the time when the fuel is overheating and starting to melt, the potential for attenuation of the fission-product release diminishes because of short fission-product residence time in the containment. The fission products released to the containment prior to the containment failure are discharged at high pressure to the environment as the containment blows down. Subsequent release of fission products can then pass directly to the environment. Containment failures postulated within the time of core relocation are grouped into release category CFE.

A8.1.4 Release Category CFI – Intermediate Containment Failure

Intermediate containment failure is defined as failure that occurs in the time frame between the end of core relocation and 24 hours after core damage. After the end of the in-vessel fission-product release, the airborne aerosol fission products in the containment have several hours for deposition to attenuate the source term. The global combustion of hydrogen generated in-vessel from a random ignition prior to 24 hours can be postulated to fail the containment. The fission products in the containment atmosphere are discharged at high pressure to the environment as the containment blows down. Containment failures postulated within 24 hours of the onset of core damage are binned into release category CFI.

A8.1.5 Release Category CFL – Late Containment Failure

Late containment failure is defined as containment failure postulated to occur later than 24 hours after the onset of core damage. Since the probabilistic risk assessment assumes the dynamic phenomena, such as hydrogen combustion, to occur before 24 hours, this failure mode occurs only from the loss of containment heat removal via failure of the passive containment cooling system. The fission products that are airborne at the time of containment failure will be discharged at high pressure to the environment, as the containment blows down. Subsequent release of fission products can then pass directly to the environment. Accident sequences with failure of containment heat removal are grouped in release category CFL.

A8.1.6 Release Category CI – Containment Isolation Failure

A containment isolation failure occurs because of the postulated failure of the system or valves that close the penetrations between the containment and the environment. Containment isolation failure occurs before the onset of core damage. For such a failure, fission-product releases from the reactor coolant system can leak directly from the containment to the environment with diminished potential for attenuation. Most isolation failures occur at a penetration that connects the containment with the auxiliary building. The auxiliary building may provide additional attenuation of aerosol fission-product releases. However, this decontamination is not credited in the containment isolation failure cases. Accident sequences in which the containment does not isolate prior to core damage are grouped into release category CI.


A8.1.7 Release Category BP – Containment Bypass

Accident sequences in which fission products are released directly from the reactor coolant system to the environment via the secondary system or other interfacing system bypass the containment. The containment failure occurs before the onset of core damage and is a result of the initiating event or adverse conditions occurring when the core becomes uncovered. The fission-product release to the environment begins approximately at the onset of fuel damage, and there is no attenuation of the magnitude of the source term from natural deposition processes beyond that which occurs in the reactor coolant system, in the secondary system, or in the interfacing system. Accident sequences that bypass the containment are grouped into release category BP.


APPENDIX 8.2 URD OVERALL OBJECTIVES

A8.2.1 Introduction

The following is a condensed version of the high-level requirements of the Utility Requirements Document (URD).

A8.2.2 Simplification

Simplification is fundamental to Advanced Light Water Reactor (ALWR) success. Simplification opportunities are to be pursued with very high priority and assigned greater importance in design decisions than has been done in recent operating plants; simplification is to be assessed primarily from the standpoint of the plant operator.

A8.2.3 Design Margin

Like simplicity, design margin is considered to be of fundamental importance and is to be pursued with very high priority. It will be assigned greater importance in design decisions than has been done in recent operating plants. Design margins that go beyond regulatory requirements are not to be traded off or eroded for regulatory purposes.

A8.2.4 Human Factors

Human factors considerations will be incorporated into every step of the ALWR design process. Significant improvements will be made in the main control room design.

A8.2.5 Safety

The ALWR design will achieve excellence in safety for protection of the public, on-site personnel safety, and investment protection. It places primary emphasis on accident prevention as well as significant additional emphasis on mitigation. Containment performance during severe accidents will be evaluated to assure that adequate containment margin exists.

A8.2.6 Design Basis versus Safety Margin

The ALWR design will include both safety design and safety margin requirements. Safety design requirements (referred to as the Licensing Design Basis [LDB]) are necessary to meet the NRC’s regulations with conservative, licensing-based methods. Safety margin requirements (referred to as the Safety Margin Basis [SMB]) are Plant Owner-initiated features which address investment protection and severe accident prevention and mitigation on a best estimate basis.

A8.2.7 Regulatory Stabilisation

ALWR licensability is to be assured by resolving open licensing issues, appropriately updating regulatory requirements, establishing acceptable severe accident provisions, and achieving a design consistent with regulatory

A8.2.8 Standardisation

The ALWR utility requirements will form the technical foundation which leads the way to standardized, certified ALWR plant designs.


A8.2.9 Proven Technology

Proven technology will be employed throughout the ALWR design in order to minimize investment risk to the plant owner, control costs, take advantage of existing Light Water Reactor (LWR) operating experience, and assure that a plant prototype is not required; proven technology is that which has been successfully and clearly demonstrated in LWRs or other applicable industries such as fossil power and process industries.

A8.2.10 Maintainability

The ALWR will be designed for ease of maintenance to reduce operations and maintenance costs, reduce occupational exposure, and to facilitate repair and replacement of equipment.

A8.2.11 Constructability

The ALWR construction schedule will be substantially improved over existing plants and must provide a basis for investor confidence through use of a design-for-construction approach, and completed engineering prior to initiation of construction.

A8.2.12 Quality Assurance

The responsibility for high quality design and construction work rests with the line management and personnel of the Plant Designer and Plant Constructor organizations.

A8.2.13 Economics

The ALWR plant will be designed to have projected busbar costs that provide a sufficient cost advantage over the competing base load electricity generation technologies to offset higher capital investment risk associated with nuclear plant utilization.

A8.2.14 Sabotage Protection

The design will provide inherent resistance to sabotage and additional sabotage protection through plant security and through integration of plant arrangements and system configuration with plant security design.

A8.2.15 Good Neighbour

The ALWR plant will be designed to be a good neighbour to its surrounding environment and population by minimizing radioactive and chemical releases.


APPENDIX 8.3 CHANGES TO THE AP600 AND AP1000 DESIGNS RESULTING FROM PRA

A8.3.1 Introduction

Design improvements were incorporated in the AP600 design based on the results of the AP600 probabilistic risk assessment (PRA) and other design analyses. These are listed in the next section. These improvements have been retained in the AP1000 design. Additional design changes have been incorporated in the AP1000 as a result of the AP1000 PRA and are shown in “Changes to AP1000 Based on PRA”, which is at the end of this appendix.

A8.3.2 Changes to AP600 Based on PRA

The most significant design changes prompted by the AP600 PRA are as follows:

• In the first three stages of the automatic depressurisation system (ADS), both series motor-operated valves are closed during normal operation instead of one closed/one open. This reduces the frequency of spurious actuation of the ADS.

• The number and size of the fourth-stage ADS valves has been increased. In the event of a small loss-of-coolant accident this modification provides a redundant and diverse path for depressurisation in case of common cause failure of the motor-operated valves in the first three stages of the ADS.

• The diverse actuation system is provided to automatically actuate selected systems such as the passive residual heat removal, the core make-up tank, the passive containment cooling system, reactor trip, and containment isolation. In addition, the system provides alarms and information to the main control room for manual actuation of these systems.

• Diversity is provided in the diverse actuation system by using components that are diverse from the microprocessor-based components used in the protection and safety monitoring system and the plant control system. This reduces the importance of potential common cause failures (both hardware and software) of microprocessor-based components of the protection and safety monitoring system and the plant control system that process information and provide for actuation of safety significant and non-safety significant accident mitigation systems.

• The diversified functions are selected on the basis of PRA insights to reduce the core damage frequency and to reduce the conditional probability of large-release frequency, given core damage.

• Manual actuation of the normal residual heat removal system (RNS) can be accomplished from the main control room. The normal residual heat removal system provides a diverse means of coolant injection in case of failure of the check valves of the in-containment refuelling water storage tank. An emergency operating procedure requires aligning the normal residual heat removal system when the ADS is actuated.

• Two parallel paths, each containing a squib valve and a check valve in series, are used for gravity injection from the in-containment refuelling water storage tank. This improves the in-containment refuelling water storage tank reliability for the case of single valve failure during a safety injection line break event, or for the case of common cause failure of the two check valves in other events requiring full reactor depressurisation.


• The check valves in the core make-up tank injection lines are designed so that they remain in the open position during plant normal operation. This design eliminates opening failures and common cause failures with the accumulator check valves.

• The ADS is automatically actuated during a transient event with loss of both secondary side heat removal and passive residual heat removal capability. This is accomplished by the provision to automatically actuate the core make-up tanks on low steam generator level and high hot leg temperature signals. Core make-up tank injection subsequently causes actuation of the automatic depressurisation system. This improvement reduces the importance of the operator actions.

• Automatic opening of the motor-operated valve of the in-containment refuelling water storage tank injection line occurs on a low hot leg water level signal. These valves are closed during shutdown conditions, such as mid-loop and vessel-flange operation, when the reactor coolant system is at atmospheric pressure. This also reduces the importance of operator action on these events.

• Alarms are provided in the main control room, to inform the operator of mispositioned isolation valves of the passive core cooling systems that have remote manual control capability. This reduces the probability of valve mispositioning.

• Protection system logic is adopted to preclude steam generator overfilling during a steam generator tube rupture event. This reduces the need for full reactor depressurisation and, therefore, reduces the frequency of core damage for steam generator tube rupture events with the containment bypassed.

• The capability to manually actuate the draining of in-containment refuelling water storage tank water into the reactor cavity is provided. This is incorporated to address a core damage event in which the injection of in-containment refuelling water storage tank water to the reactor vessel fails. This drained water cools the core debris inside the reactor vessel, removing the heat through the reactor vessel wall, avoiding failure of the reactor vessel.

A8.3.3 Changes to AP1000 Based on PRA

The most significant design changes prompted by the AP1000 PRA are as follows:

• Two recirculation lines, each containing a motor-operated valve and a squib valve or a check valve and a squib valve in series, are used to provide recirculation flow from the containment sump to the core through the direct vessel injection line. Diversity is provided in the actuation by using diverse squib valves. The motor-operated valve is designed so that it remains open in case of failure.

• Three parallel supply lines allow water flow from the passive containment cooling water storage tank to the containment shell. Diversity is provided in the actuation by using motor-operated valves for one path.

• The in-containment refuelling water storage tank vents are designed so that the vents open more easily than those close to the containment. As a result, hydrogen that could be vented from the tank in a core melt sequence cannot form a standing flame, which could challenge the containment integrity.


• The reactor vessel insulation shape has been improved to increase the heat transfer capabilities, to maintain the margins provided by the AP600 design. The shape was determined in AP1000 specific tests.


APPENDIX 8.4 LIST OF POTENTIAL UK AP1000 DESIGN IMPROVEMENTS THAT WERE NOT TAKEN FORWARD

A8.4.1 Introduction

This appendix lists those options that were evaluated for potential inclusion in the AP1000, together with the sensitivity analysis method used for each. The conclusions reached are discussed in Chapter 8 of this PCSR.

A8.4.2 Locate the Normal Residual Heat Removal System inside the Containment

This potential design improvement consists of placing the entire normal residual heat removal system and piping inside the containment pressure boundary. Doing this would prevent containment bypass due to interfacing system loss of coolant accidents (ISLOCAs) of the residual heat removal system. In previous probabilistic risk assessments of current generation nuclear power plants, the ISLOCA is the leading contributor of plant risk, because of large offsite consequences. A failure of the valves that isolate the low-pressure residual heat removal system from the high pressure reactor coolant system causes the residual heat removal system to over-pressurise and fail, releasing reactor coolant outside the containment, where it cannot be recovered for recirculation cooling of the core. The result is core damage and the direct release of fission products outside the containment.

In the AP1000, the design of the normal residual heat removal system is already substantially enhanced over that of currently operating PWR plants: the AP1000 is designed with a higher design pressure, and an additional isolation valve is provided. In the AP1000’s probabilistic risk assessment, no ISLOCAs contribute significantly to the core damage frequency of the AP1000 (Reference A8.4.1). Therefore, relocating the normal residual heat removal system of the AP1000 inside the containment would provide virtually no risk reduction benefit, and so was not investigated further in terms of its cost.

A8.4.3 Self-Actuating Containment Isolation Valves

This potential design improvement consists of improved containment isolation provisions on all normally open containment penetrations. The category of “normally open” is limited to normally open pathways to the environment during power and shutdown conditions, excluding closed systems inside and outside the containment, such as the normal residual heat removal system and component cooling. The design alternative would be either to add a self-actuating valve or to enhance the existing inside containment isolation valve to provide for self-actuation in the event that containment conditions are indicative of a severe accident. Conceptually, the design would be either an independent valve or an appendage to an existing fail-closed valve that would respond to post-accident ambient conditions within the containment; for example, a fusible link would melt in response to elevated ambient temperatures, venting the air operator of a fail-closed valve. This would provide the self-actuating function.

A8.4.4 Improved Reliability of the Diverse Actuation System

This potential design improvement consists of improving the reliability of the diverse actuation system, which actuates engineered safety features and allows the operator to monitor the plant status. The design change would add a third instrumentation and control cabinet and a third set of diverse actuation system instruments, to allow the use of two-out-of-three logic instead of two-out-of-two logic. Other changes, such as adding another set of batteries, have not been included in the cost estimates.


A perfectly reliable diverse actuation system would reduce the frequency of the release categories by the cumulative frequencies of all sequences in which diverse actuation system failure leads to core damage. In order to evaluate the benefit from the diverse actuation system upgrade, a core damage frequency sensitivity analysis assuming perfect reliability of diverse actuation system was performed.

A8.4.5 Diverse IRWST Injection Valves

This potential design improvement consists of changing the in-containment refuelling water storage tank (IRWST) injection valve designs so that two of the four lines use diverse valves. Each of the four lines is currently isolated by a squib valve in series with a non-return valve. In order to provide diversity, the valves in two of the lines would be provided by a different vendor. For the non-return valves, alternate vendors are available. However, it is questionable if non-return valves of different vendors would be sufficiently different to be considered diverse unless the type of non-return valve was changed from the current swing disk check to another type. The swing disk type is the preferred type for this application, and other types are considered to be less reliable. Squib valves are specialized valve designs for which there are few vendors. A vendor might not be willing to design, qualify, and build a reasonable squib valve design for this AP1000 application, given that they would only supply two valves per plant. As a result, this potential design improvement is not really practicable because of the uncertainty in availability of a second squib valve supplier and because of the uncertainty in the reliability of another non-return valve type.

However, the cost estimate for this potential design improvement assumes that a second squib valve vendor does exist and that this vendor provides only the two diverse IRWST squib valves. The cost impact does not include the additional first time engineering and qualification testing that would be incurred by the second vendor. Such costs would be expected to be more than a million dollars.

This change would reduce the frequency of core melt by eliminating the common cause failure of the IRWST injection.

A8.4.6 Steam Generator Safety Valve Flow Directed to the IRWST

This potential design improvement consists of providing all the piping and valves required for redirecting the flow from the steam generator safety and relief valves to the IRWST. An alternate, lower cost option of this potential design improvement consists of redirecting only the first-stage safety valve to the IRWST. This system would prevent or reduce fission product release from bypassing the containment in the event of a steam generator tube rupture event.

A8.4.7 Steam Generator Shell-Side Passive Heat Removal System

This potential design improvement consists of providing a passive safety significant heat removal system to the secondary side of the steam generators. The system would provide closed loop cooling of the secondary using natural circulation and stored water cooling. This would prevent a loss of primary heat sink in the event of a loss of start-up feed water and the passive residual heat removal heat exchanger. A perfect secondary heat removal system would eliminate transients from each of the release categories. In order to evaluate the benefit of this potential design improvement, the frequencies of all the transient sequences are subtracted from the overall frequency of each of the release categories and the risk is recalculated.


A8.4.8 Chemical and Volume Control System Upgraded to Mitigate Small LOCAs

The current design of the chemical and volume control system (CVS) for the AP1000 is capable of supplying pressurised water at a rate sufficient to keep the reactor core covered in the event of a reactor coolant system leak of a magnitude within the very small LOCA category; the CVS can provide sufficient make-up of the reactor coolant in the event of a failure of a small line of 0.97 cm (3/8 in.) or less. Only one CVS pump would be needed for this duty. The CVS is regarded as an active duty system, which supports normal operations and acts as a first line of defence to reduce the unnecessary actuation and operation of the safety systems. The AP1000 includes several active systems that provide defence-in-depth capabilities for reactor coolant system make-up and decay heat removal. These active systems are the first line of defence to reduce challenges to the passive systems in the event of transients or plant upsets. Most active systems in the AP1000 are designated as non-safety significant.

This potential design improvement is intended to enhance the capability of the CVS so that it could intervene following a small or intermediate loss of coolant accident (LOCA), such as would result from a reactor coolant system leak or a tube leak within the passive residual heat removal heat exchanger, to keep the core covered during such LOCAs. This increase in capability would be achieved by means of the following severe accident mitigation design alternative (SAMDA) enhancements:

• Connections provided from the IRWST containment recirculation to the CVS.

• A second line added from the CVS make-up pumps to the reactor coolant system.

A perfect, upgraded chemical and volume control system is assumed to prevent core damage in the reactor coolant system leak, passive residual heat removal heat exchanger tube rupture, small LOCA, and intermediate LOCA release categories. The chemical and volume control system is assumed to have perfect support systems (power supply and component cooling) and to work in all situations regardless of the common cause failures of other systems.

A8.4.9 Ex-vessel Core Catcher

This potential design improvement consists of designing a structure in the containment cavity or using a special concrete or coating that will inhibit core-concrete interaction, even if the debris bed dries out. A perfect core catcher would prevent core-concrete interaction for all cases. However, the AP1000 incorporates a wet cavity design in which ex-vessel cooling is used to maintain the core debris in the vessel to prevent ex-vessel phenomena, such as core-concrete interaction. Consequently, containment failure due to core-concrete interaction is not considered in detail for the AP1000 large release probabilistic risk assessment. For cases in which reactor vessel flooding fails, it is assumed that containment failure would occur due to ex-vessel steam explosion or core-concrete interaction. This containment failure is assumed to be an early containment failure (CFE) (due to ex-vessel steam explosion) even though core-concrete interaction and base mat melt-through would be a late containment failure. To conservatively estimate the risk reduction of an ex-vessel core catcher, this design change is assumed to eliminate the CFE release category.

A8.4.10 Secondary Containment Filtered Ventilation

This potential design improvement consists of providing the middle and lower annulus of the secondary concrete containment with a passive annulus filter system, for filtration of elevated releases. The passive filter system would be operated by drawing a partial vacuum on the middle annulus through charcoal and high efficiency particulate in air filters. The partial vacuum is drawn by a diffusion pump with motive flow from compressed gas tanks. The secondary containment would then reduce particulate fission product release from any failed containment penetrations (containment isolation failure, CI). In order to evaluate the benefit from such a system, this design change is assumed to eliminate the CI release category.

A8.4.11 Passive Containment Spray

This potential design improvement involves adding a passive safety significant spray system and all associated piping and support systems into the AP1000 containment. A passive containment spray system would result in risk benefits in the following ways:

• Scrubbing of fission products could be done, primarily for CI failures.

• Assuming appropriate timing, containment spray could be used as an alternate means for flooding the reactor vessel (in-vessel retention) and for debris quenching should vessel failure occur.

• Containment spray could also be used to control containment pressure for cases in which the passive containment cooling system has failed.

In order to envelop these potential risk benefits, the risk reduction evaluation will assume that containment sprays are perfectly effective for each of these benefits, with the exception of fission product scrubbing for containment bypass (BP). Thus, the risk reduction can be conservatively estimated by assuming all release categories except BP are eliminated.

A8.4.12 Filtered Containment Vent

This potential design improvement consists of placing a filtered containment vent and all associated piping and penetrations into the AP1000 containment design. The filtered vent could be used to vent the containment to prevent catastrophic overpressure failure, and it would also provide filtering capability for source term release. With respect to the AP1000 PRA, the possible scenario in which the filtered vent could result in risk reduction would be late containment overpressure failures (release category CFL). Other containment overpressure failures occur due to dynamic severe accident phenomena, such as hydrogen burn and steam explosion. The late containment failures for AP1000 are failures of the passive containment cooling system. Analyses have indicated that for scenarios with passive containment cooling system failure, air cooling might limit the containment pressure to less than the ultimate pressure. However, for the large release probabilistic risk assessment, failure of the passive containment cooling system is assumed to result in containment failure, based on an adiabatic heat up. To conservatively consider the risk reduction of a filtered vent, the use of a filtered vent to preclude a late containment failure will be evaluated. A decontamination factor (DF) of 1000 will conservatively be assumed for each probabilistic risk assessment Level-1 accident classification, even though it is realized that the dose due to noble gases will not be impacted by the filtered vent, because 100 percent of the noble gas fission products will still be released. Therefore, the risk reduction is equal to the decontamination factor assumed, because the probabilistic risk assessment core damage frequency accident classification frequencies do not change.

A8.4.13 Increase of Steam Generator Secondary Side Pressure Capacity

This potential design improvement consists of increasing the design pressure of the steam generator secondary side and safety valve set point to the degree that a steam generator tube rupture will not cause the secondary system safety valve to open. The design pressure would have to be increased sufficiently such that the combined heat capacity of the secondary system inventory and the passive residual heat removal system could reduce the reactor coolant system temperature below Tsat for the secondary design pressure. Although specific analysis would have to be performed, it is estimated that the design pressure would have to be increased by tens of bar (several hundred psi). This design would also prevent the release of fission products that bypass the containment via the steam generator tube rupture.

A8.4.14 High-pressure Containment Design

This potential design improvement consists of using the massive high-pressure containment design in which the design pressure of the containment is approximately 20 bar (300 psi) for the AP1000 containment.

The massive containment design has a passive containment cooling feature much like the AP1000 containment. The high design pressure is considered only for prevention of containment failures due to severe accident phenomena, such as steam explosions and hydrogen detonation. A perfect high-pressure containment design would reduce the probability of containment failures, but would have no reduction of the frequency or magnitude of the release from an un-isolated containment (containment isolation failure or containment bypass). To estimate the risk reduction of a high-pressure containment design, this design is assumed to eliminate the CFE, containment failure intermediate (CFI), and CFL release categories.

A8.4.15 Active High-Pressure Safety Injection System

This potential design improvement consists of adding a safety significant active high-pressure safety injection pump and all associated piping and support systems to the AP1000 design. A perfect high-pressure safety injection system would prevent core melt for all events except excessive LOCA and anticipated transients without scram. Therefore, to estimate the risk reduction, only the contributions to each release category of core damage frequency accident classes 3C (vessel rupture) and 3A (anticipated transients without scram) need to be considered.

Including an active high-pressure safety injection system would contravene the fundamental design objective of the AP1000: that all safety systems should be passive. It would require a high-pressure safety injection pump or pumps, and all associated piping, ac power supplies and support systems. All equipment would have a high safety classification. This would be very expensive.

A8.4.16 Larger Accumulators

Increasing the size of the accumulators would result in a significant increase in cost that would be greater than the cost threshold established by the perfect SAMDA evaluation. In order to have any benefit in the probabilistic risk assessment, the accumulators would have to be increased in size sufficiently to change the large LOCA success criteria from two of two accumulators to one of two accumulators. WEC estimates that the accumulator tanks would have to be increased in size from 56 m³ (2000 ft³) to 112 m³ (4000 ft³), and the hardware costs associated with this change would be significant. Such a size increase would also likely result in a change to the design of the direct vessel injection (DVI) piping subsystem. The design of this piping system was established in the AP600 Design Certification, and the design does not change significantly for AP1000. Recently, WEC completed the leak-before-break analysis of the DVI piping, and any change in the DVI piping would result in significant reanalysis of the DVI piping. WEC estimates the redesign costs associated with the changes in hardware and piping re-design to be significantly greater than the cost threshold established for the perfect SAMDA discussed above (Appendix 1B of Reference A8.4.1). Therefore, this design change was not incorporated.

A8.4.17 Larger Fourth-Stage ADS Valves

Increasing the fourth-stage automatic depressurisation system (ADS) valves in size would result in a significant increase in cost associated with redesigning the AP1000 loop piping and fourth-stage piping configuration. The AP1000 ADS valves were already increased in size compared to the AP600 valves by more than the ratio of the power uprate of the AP1000. In order to have any benefit in the probabilistic risk assessment, the fourth-stage ADS valves would have to be increased in size sufficiently to change the LOCA success criteria from three of four valves to two of four valves. To accommodate such a change, WEC estimates that the fourth-stage ADS valves, and the associated piping, would have to increase in size from 356 mm (14 inch) to 457 mm (18 inch). In addition, the common fourth-stage inlet piping that connects to the hot leg would have to increase in size from 457 mm (18 inch) to at least 508 mm (20 inch). This would require a significant redesign of the squib valve, and would also result in redesign of the ADS Stage 4 piping, which in turn would impact the design of the reactor coolant loop piping. Such a redesign would require WEC to perform additional confirmatory testing of the passive core cooling system to verify that the behaviour of the passive safety systems was not adversely impacted. WEC estimates the cost of this change to be significantly larger than the cost threshold of the perfect SAMDA discussed above (Appendix 1B of Reference A8.4.1). Therefore, this design change was not incorporated.

REFERENCES

A8.4.1 WEC, EPS-GW-GL-700 Rev. 0, AP1000 European Design Control Document.

CHAPTER 9: SAFETY MANAGEMENT THROUGHOUT THE PLANT LIFECYCLE

9.0 SAFETY MANAGEMENT THROUGHOUT THE PLANT LIFECYCLE

9.1 Introduction

The purpose of this chapter is to explain the existing and proposed safety management arrangements which will ensure that the required levels of safety and environmental protection will be delivered throughout the lifetime of an AP1000 plant. Responsibility for safety and the environment will rest with the site licence holder (the licensee) once a site has been licensed. However, there are arrangements and good practices which the vendor can bring to bear which will support the licensee, and these also will be discussed in this chapter.

The UK regulatory regime requires licensees to comply with the 36 licence conditions through appropriate arrangements. This compliance is an essential component of the safety management of the plant. The fundamental UK legal requirement is the Health and Safety at Work Act of 1974 (Reference 9.4). Specific legal requirements in relation to radiation protection are contained in the Ionising Radiation Regulations of 1999 (Reference 9.5). Other relevant legislation is contained in the Management of Health and Safety at Work Regulations (Reference 9.6), the Control of Major Accident Hazards Regulations of 1999 (COMAH) (Reference 9.7) and the Nuclear Installations Act of 1969 (Reference 9.8). The requirements of the Construction (Design and Management) Regulations of 2007 (CDM) (Reference 9.9) must also be recognised.

Good practice in the management of safety at nuclear facilities is addressed in a number of International Atomic Energy Agency (IAEA) publications. Examples include GS-R-3, the Management Systems of Facilities and Activities (Reference 9.1), draft Safety Guide 349, the Application of the Management System for Nuclear Installations (Reference 9.2), and the HSE Safety Assessment Principles (SAPs) (MS1 to MS4 of Reference 9.3).

9.2 Safety Management Framework

The AP1000 Life Cycle Safety Report (LCSR) (Reference 9.10) sets out the safety and quality philosophies for the deployment of an AP1000 in the UK. This report demonstrates that the design is safe, and that construction, operation and decommissioning activities will result in a plant of appropriate quality. It also demonstrates that the constructed plant will be optimised for operation within safe limits.

The management of safety starts at the senior level of an organisation, which must define a safety policy committing the organisation to objectives, actions and behaviours that will deliver effective safety through all phases of plant life. The safety policy must provide organisational commitment to continuous safety improvement, and it must result in an effective safety culture which permeates the entire organisation. This chapter will discuss the safety management responsibilities and arrangements of both Westinghouse and the future licensee.

The Westinghouse safety policy statement reads as follows:

“It is the AP1000 Westinghouse Policy to design, produce, market and distribute our products and services and to conduct our operations in an environmentally sound, socially responsible manner. We consider the impact our actions may have on the environment and the health and safety of our employees, subcontractors, customers and public.”

The policy is amplified by a number of paragraphs that expand on the statement. Westinghouse is committed to the integration of safety into the design process, and to safety during construction, commissioning, operation and decommissioning. Implementation of the policy is through the Westinghouse Environment, Health and Safety Manual (Reference 9.11).

Westinghouse has an established organisational structure and arrangements to deliver effective safety management through to the end of the GDA process. Thereafter, the licensee will assume responsibility for the safety management of the construction, the operation and the eventual decommissioning of the plant.

The first and most important principle which must be adhered to in any combination of vendor and licensee management arrangements is that the licensee is demonstrably responsible for safety on any licensed site. Within the licensee’s arrangements, an effective organisation, adequate leadership and personnel competence should be in place. Westinghouse will work with the licensee to ensure that knowledge of aspects of the design which affect each of these topics is transmitted in an appropriate way, and that assurance is visible that this has been achieved. Such assurance may, for example, be derived from personnel training records or individual examination.

There will be areas where the licensee will wish to allocate responsibility to the vendor for activities which could affect safety or the environment. This could be during pre-construction design consolidation, construction, operation or decommissioning. In such circumstances, the respective management arrangements will be updated to reflect this allocation of responsibilities.

The ability of the licensee to satisfy safety and environmental requirements of the site licence shall be demonstrated via its Safety Management Prospectus. This may optionally be one document which embraces safety, the environment and security, or it may be split according to the licensee’s preference. Westinghouse will assist throughout GDA, site licensing, construction and operation as required to ensure that such a Safety Management Prospectus is created and maintained. In addition, Westinghouse will advise and assist in the creation of a licensee’s nuclear baseline, by which it can demonstrate the adequacy of its organisational structure, staffing and competences to maintain safety. This will be based on Westinghouse’s clear understanding of the role of the operator to support safety and the environment.

Knowledge transfer will be systematically carried out starting with the arrangements in place during the GDA process. One such method during GDA is the involvement of the potential licensees as part of the safety and environmental document specification and review process. Another method is the participation of potential licensees in design optioneering processes.

Once a site has been selected, Westinghouse will provide the utility with technical, safety and environmental input for preparation of a site-specific Pre-Construction Safety Report (PCSR) and Environment Report.

During the GDA, pre-construction, construction and operational stages, Westinghouse will engage with the licensee regarding the Learning from Experience processes which Westinghouse has in place. This will enable the licensee to benefit from experience gained from plants in China and the USA. The requirements to alert licensees and to involve them in the discussion and resolution of learning events which have relevance to safety or the environment will be built into the Westinghouse management arrangements.

The licensee must be capable of exerting proper controls on the activities of contractors. The compliance arrangements produced by a licensee in relation to licence condition 36 will include the nuclear baseline identified previously. This will also ensure that the licensee operates as an intelligent customer.

The licensee arrangements are discussed in the LCSR (Reference 9.10), and are key components of the intelligent customer organisation. The GDA process requires that the vendor (Westinghouse) has arrangements for putting in place a design authority and for ensuring that sufficient information is transferred from the design organisation to the licensee, such that it can function as an effective design authority. These arrangements will be developed prior to the granting of a site licence.

Westinghouse will ensure that design and operational knowledge is transferred to the licensee/operating organisation in order to permit it to perform as an intelligent customer. This knowledge transfer includes the provision of design information and comprehensive training and education programmes such that the licensee can establish a credible design authority.

The operator will generally be the “design authority”; however, it may require support and input from other bodies, including the vendor. In the intelligent customer role, the licensee will show that it can maintain continuity of the necessary engineering skills and knowledge, access to appropriate research, and control of intellectual property issues. This will allow the licensee to demonstrate full control of the plant irrespective of changes in the external contracting environment.

The future licensee of an AP1000 will have the opportunity to join and to contribute to the Pressurised Water Reactor Owners Group, formerly the Westinghouse Owners Group. This group provides a focus for information, services and development programmes from which owners and licensees of AP1000 plants can benefit. The group is coordinated centrally by Westinghouse. The services provided by the group include the optimisation of technical specifications, performance improvements and access to a common knowledge base of plant and licensing issues.

9.3 Management of Safety throughout the Lifecycle

The management of safety considers the requirements during the whole lifecycle of the plant. It starts with the design, continues through construction and commissioning to operation and its eventual decommissioning.

The following sections identify the provisions (existing and proposed) to implement the management of safety and the environment during each phase. The safety and environmental cases will be developed during each phase to meet the requirements of the appropriate part of the lifecycle. This is discussed in more detail in the LCSR (Reference 9.10).

9.3.1 Design

The principal duty of a design organisation is to provide a design that meets the specified performance while controlling the risks during the construction and operational phases of the plant to be as low as reasonably practicable (ALARP). The design of the plant must include features that will minimise the risks during construction, commissioning, operation and decommissioning.

Westinghouse has a well-established design procedure, which includes a thorough and searching design review process (Reference 9.12). This process is described in detail in the LCSR (Section 6.0 of Reference 9.10). Robust design change procedures are in place to assess and control the effect of design changes on safety. Westinghouse provides for regular review of these procedures.

The designers of the AP1000 plant are suitably qualified and experienced personnel (SQEP). Designers receive appropriate training and their professional competences are subject to regular review. Westinghouse recognises the importance of training and development during the design phase for licensee personnel who will become responsible for safety in later phases of the lifecycle. The process for transfer of the design authority role to the operating organisation is of high importance to Westinghouse.

The designers will undertake design activities in accordance with suitably quality-assured Westinghouse processes. These processes require that the design activities are subject to checking and review, and that appropriate quality-assured codes and data are employed in the design.

The GDA Safety Case is being assessed against a frozen design agreed between the vendor and the regulators. This is known as the Design Reference Point. Any changes that Westinghouse may wish to make during the GDA process will be controlled using the Westinghouse change control process, and will use the Design Reference Point as the starting point. Changes to the safety case may also be required. After a site licence has been granted, the licensee may wish to make alterations to this design prior to (and possibly even during) construction. This will also require alterations to the safety case. The management arrangements (of both Westinghouse and the licensee) will clearly state that the licensee is responsible for the safety of any such changes. The relationship between Westinghouse and the licensee will require Westinghouse to provide the licensee with any information and support which is necessary in order to make informed decisions as an intelligent customer, and to be able to knowledgeably present the case for change to the regulators. This will also be embedded in the respective management arrangements. The licensee will choose how much work is done by Westinghouse, and how much work is done by the licensee. This choice will be informed by a clear licensee policy which takes due account of the safety implications of that choice and the respective competences of Westinghouse and the licensee.

The licensee will be responsible for ensuring that Westinghouse is fully informed of all aspects of site safety or environmental significance for any design change work which Westinghouse might be asked to do in this context. This should be fully incorporated into the licensee’s management arrangements.

9.3.2 Construction

Having established that the design is sound and controls are in place for design changes, the focus is directed towards construction, and the need to ensure that the plant construction meets the design intent.

During the construction phase responsibility for safety and the environment will rest with the licensee. Its arrangements will ensure that it is fully compliant with the Construction (Design & Management) (CDM) Regulations (Reference 9.9). In that respect, the licensee will determine the extent of work responsibility it wishes to impart to Westinghouse and other contractors. Otherwise, all responsibilities for safety and the environment will be similar to those described in 9.3.1 and will be documented in the management arrangements of the licensee and Westinghouse in accordance with the requirements of the CDM regulations.

The Westinghouse AP1000 design employs construction methods and a plant layout that are conducive to safe operations during construction. Much of the design is modular, which allows the build and test of sub-assemblies to be undertaken in a factory environment. The size of the plant and the number of components are also significantly smaller than in previous generations of PWRs. These approaches reduce site construction work and the risks from those activities. Modular construction in a factory environment also has a positive effect on product quality, which improves safety and facilitates reduced maintenance requirements during the operation of the plant.

The site construction of AP1000 plants will be by a constructor. Safety will be a major discriminator in the choice and appointment of the constructor. The constructor will be required to develop a health, safety and environment programme to protect the project and site employees and the public during construction. The expectations of the constructor are comprehensive, and are summarised in the LCSR (Reference 9.10).

Westinghouse will support the licensee arrangements to manage construction related design changes. It will be demonstrated that concessions or variations during the course of construction will not affect the design intent.

Westinghouse will provide support for the licensee to define a series of construction notification and hold points at which construction safety will be subject to formal review. The NII will be invited to select which of these points will require a licence instrument before work can re-commence, or to identify any additional such hold points.

The constructor will be required to provide a site safety manual which will address, for example, fire protection, accident reporting and analysis, work planning and training of construction personnel. The manual will also include what constitutes an environmental impact statement for the plant construction. Safety audits and inspections will be undertaken during construction. The emphasis will be on a leading indicator approach to the management of safety. The selected constructor will comply with the CDM regulations (Reference 9.9).

Chapter 21 of Reference 9.13 provides a detailed account of the Westinghouse construction verification process. This includes a description of the inspections, tests, analyses and acceptance criteria employed to demonstrate that the condition of the as-built plant is aligned with the design of the plant. The construction verification process is the means to demonstrate that the reviewed and approved as-designed AP1000 PWR will be reflected in the constructed AP1000 nuclear power plant in the UK, and is discussed in Section 7.0 of the LCSR (Reference 9.10) and Chapter 10 of the PCSR. The output from the construction verification process provides crucial evidence that the design intent has been achieved during construction, and this will be provided by Westinghouse to the operating organisation/licensee.

9.3.3 Commissioning

Responsibility for safety and the environment during the commissioning process rests with the licensee. Section 8.0 of the LCSR (Reference 9.13) provides a description of the initial test program for the AP1000 design. These documents identify the commissioning process for the AP1000. The documents describe separately the construction and installation test programmes, the pre-operational test programmes and the start-up test programmes. There is also some discussion of organisation, staffing and responsibility, together with environmental considerations and safety culture issues. The material demonstrates compliance with and commitment to the requirements of licence condition 21.

Westinghouse will develop further the initial test programme, to satisfy the licensee’s requirements for a Pre-Commissioning Safety Report (PCmSR). Guidance is provided in the relevant NII Technical Assessment Guide (Reference 9.14). Specifically, the safety of commissioning activities will be justified, interim additional controls will be identified, and safety significant hold points will be introduced into the commissioning process. The safety of inactive and active commissioning activities will be addressed. The licensee will define the required organisational roles and responsibilities.

The requirements of the CDM regulations (Reference 9.9) during commissioning will be met, including the appropriate handover of the plant from the constructor to the operator.

Further information on specific commissioning activities is provided in Chapter 10 of this PCSR.

AP1000 Pre-Construction Safety Report

UKP-GW-GL-732 9-6 Revision 2

9.3.4 Operations

The licensee will identify the criteria which will justify moving from strict commissioning controls to operation under the Station Operating Instructions. This transition will be agreed between the licensee and the Nuclear Installations Inspectorate (NII).

Safety management during the operational phase of the plant will be the responsibility of the licensee. The primary safety management responsibility of the licensee is the protection of the public and the operators from harm arising from ionising radiation and other causes. The licensee will operate and maintain the plant in accordance with the licence granted by the HSE, and will comply with the relevant UK legislation. Certain licence conditions impose specific duties on the licensee, while others require the licensee to establish arrangements for compliance. The licensee will comply with the requirements of the Environment Agency in relation to radioactive or other discharges from the plant. The safety aspects of plant operations will be subject to the ALARP principle. The plant will be operated in accordance with the Pre-Operational Safety Report or any developments thereof which have gone through due process.

Westinghouse will supply the operating organisation/licensee with a plant that has received design acceptance under the GDA. Controls and procedures during construction and commissioning will deliver to the operating organisation a plant that has been build-verified and commissioned and which is capable of being operated in accordance with the design and within the requirements of the site licence.

Westinghouse will supply the operating organisation with operational information through the technical specifications (tech specs), which are described in Chapter 11 of this report and more fully in Chapter 16 of the European Design Control Document (Reference 9.13). The tech specs define the allowed operating envelope of the plant by setting conditions and limits consistent with the safety case. Implicitly defined within them is the manner in which the operating organisation will run the plant. The tech specs list potential non-compliances and, for each, the required action that must be taken by the operators in the control room along with the time allowed for completion. Requirements for in-service plant inspection and testing are also covered by the tech specs.

Further Westinghouse guidance will be provided to the licensee in respect of the preparation of processes to deal with site incidents or emergencies.

The draft tech specs produced by Westinghouse include a section on administrative controls, which define organisational and staffing arrangements and required operator competences for the operation of the AP1000.

Westinghouse will identify to the licensee those aspects of the design which need special consideration from a security point of view. While these will not explicitly be identified in the management arrangements, a requirement to transfer such information will be included in the Westinghouse management arrangements as will an undertaking to support the licensee in any discussions with the Office for Civil Nuclear Security (OCNS).

9.3.5 Decommissioning

Safety management during the decommissioning of the plant will be the responsibility of the licensee. The licensee will be responsible for preparing a decommissioning safety case, preparing an environmental impact assessment, and demonstrating compliance with Article 37 of the Euratom Treaty in relation to its plans for the disposal of radioactive waste.

The licensee safety management arrangements will include the development and maintenance of a decommissioning strategy. Reference 9.15 and Chapter 20 of Reference 9.13 currently provide a sufficient framework for the licensee to undertake management preparations for decommissioning when required. A high-level summary of the AP1000 decommissioning strategy, drawing on these references, is presented in Chapter 16 of this report.

9.3.6 Quality Assurance

Westinghouse has a comprehensive and well proven quality management system which supports safety and the environment. This has been submitted to the joint UK regulators in support of the UK GDA process. Beyond GDA, specific quality management systems will be developed by the licensee to support the intentions described in this chapter.

The Westinghouse arrangements are described within Chapter 17 of Reference 9.13. There is no mechanism for formal approval of this management system by UK regulators. However, the quality management system for the AP1000 programme has been accepted by other regulators under Appendix B of Reference 9.16, and the AP1000-specific quality plan satisfies the ANSI/ASME requirements (Reference 9.17). This provides further confidence in the Westinghouse arrangements. Quality assurance requirements for structures, systems and components will be graded, based on the safety classification system discussed further in Chapter 5 of this PCSR.

9.4 Safety Culture

Safety culture is an important requirement necessary to support the successful application of safety related management arrangements. During the design process, safety culture will be led by Westinghouse in order to continuously challenge and improve the design and to support the corresponding operation. During construction, operation and decommissioning, the licensee will have responsibility for on-site safety culture, and will be supported by Westinghouse where required.

Westinghouse recognises the importance of safety culture issues during the design stages. Westinghouse will provide visibility of the management structures and safety accountabilities as the AP1000 project develops. This is further described in the LCSR (Reference 9.10).

Westinghouse will provide support to the licensee in its commitment to qualifications and training, task evaluation, effective communications, continuous employee encouragement, safety audit and review, including near miss and error reporting with appropriate follow up and tracking of issues. Westinghouse has also provided clear commitments to environmental issues.

Throughout plant operation, Westinghouse will continue to provide the licensee with required support in respect of safety culture, using as a basis the extensive experience obtained through many years of utility support worldwide. The licensee will also be invited to share safety culture experience with other operators through the Pressurised Water Reactor Owners Group.

Safety culture is discussed in a number of IAEA documents, principally INSAG 4, INSAG 15 and Safety Report Series 11 (References 9.18, 9.19 and 9.20), and is intrinsic to the site Licensing Conditions. Safety culture issues are relevant to all stages of the plant life cycle.

9.5 Conclusion

This chapter has discussed the arrangements that are appropriate to safety and environmental management throughout the lifecycle of the AP1000. It has explained how safety management responsibility passes from vendor to licensee, and how the licensee would then manage its safety and environmental responsibilities throughout all stages of the plant life from construction through to decommissioning.

REFERENCES

9.1 IAEA, Safety Standards, The Management System for Facilities and Activities, Safety Requirements No. GS-R-3, 2006.

9.2 IAEA, The Application of the Management System for Nuclear Facilities, Safety Standard Guide, Series DS 349 (To be issued).

9.3 HSE’s Safety Assessment Principles for Nuclear Facilities, 2006 Edition, Rev. 1.

9.4 UK Health and Safety at Work etc Act, 1974.

9.5 UK Ionising Radiations Regulations, 1999.

9.6 UK Management of Health and Safety at Work Regulations, 1999.

9.7 UK Control of Major Accident Hazards Regulations 1999.

9.8 UK Nuclear Installations Act 1969.

9.9 UK Construction (Design and Management) Regulations 2007.

9.10 WEC, UKP-GW-GL-737 Rev. 1, AP1000 Plant Life Cycle Safety Report (to be issued).

9.11 WEC, Environment Health and Safety Manual, February 2003.

9.12 WEC, “Design Reviews,” Westinghouse Procedure WEC 4.12, Rev. 12, February 29, 2008.

9.13 WEC, EPS-GW-GL-700 Rev. 0, AP1000 European Design Control Document, December 2009.

9.14 UK NII, T/AST/051, Issue 1, May 2002, Technical Assessment Guide – Guidance on the Purpose, Scope and Content of Nuclear Safety Cases.

9.15 UK NII, T/AST/026, Issue 2, March 2001, Technical Assessment Guide - Decommissioning on Nuclear Licensed Sites.

9.16 US NRC, 10 CFR Part 50, “Domestic Licensing of Production and Utilization Facilities”, and the following appendices:

• Appendix A, General Design Criteria for Nuclear Power Plants.

• Appendix B, Quality Assurance Criteria for Nuclear Power Plants and Fuel Reprocessing Plants.

• Appendix E, Emergency Plans and Emergency Preparedness

• Appendix G, Fracture Toughness Requirements.

• Appendix H, Reactor Vessel Material Surveillance Program Requirements.

• Appendix I, Numerical Guides for Design Objectives and Limiting Conditions for Operation to Meet the Criterion “As Low as Reasonably Achievable” for Radioactive Material in Light-Water-Cooled Nuclear Power Reactor Effluents.

9.17 ANSI/ASME, NQA-16-1991, Quality Assurance Program Requirements for Nuclear Facilities.

9.18 IAEA, INSAG 4, Safety Culture, 1991.

9.19 IAEA, INSAG 15, Key Practical Issues in Strengthening Safety Culture, 2002.

9.20 IAEA Safety Report Series 11, Developing Safety Culture in Nuclear Activities – Practical Suggestions to Assist Progress, 1998.

CHAPTER 10: COMMISSIONING

10.0 COMMISSIONING

10.1 Introduction

This chapter reviews the aspects of the generic AP1000 design that facilitate verification of the nuclear safety requirements. The commissioning programme consists of a series of tests categorised as construction and installation tests, pre-operational tests (inactive commissioning) and start-up tests (active commissioning). The commissioning schedule and test programme are discussed in the AP1000 Plant Life Cycle Safety Report (LCSR), WEC UKP-GW-GL-737 (Reference 10.1).

10.2 Overview of Construction Verification Process

The adequacy of construction, installation and preliminary operation of components and systems is verified during construction and installation commissioning. Development of the construction and installation tests is based on the engineering information for the equipment and systems installed.

The construction verification process is the means to demonstrate that the constructed AP1000 is built as designed. This process will provide assurance that a design which receives Design Acceptance is manufactured, installed and operated in conformance with the accepted design.

Prior to commissioning, arrangements will be put in place to ensure that procedures are available, roles and responsibilities are identified, and appointments are made to comply with UK Construction (Design and Management) Regulations (CDM) (Reference 10.2).

Further details are presented in Chapters 14 and 21 of WEC, EPS-GW-GL-700 AP1000 European Design Control Document (EDCD) (Reference 10.3). Note: The Design Control Document refers to commissioning as the ‘Initial Test Program’.

10.3 Summary of Commissioning and Objectives

The LCSR (Reference 10.1) describes the process for defining the verification test programme. Each UK licensee will need to confirm that the inspections, tests and analyses are identified in what is commonly referred to as a Safety Commissioning Schedule. Documentation listed in the acceptance criteria will be developed and maintained by the licensee as evidence that the design commitment has been successfully accomplished. The basis of the commissioning process will be the inspections, tests, analyses and acceptance criteria defined in Chapter 21 of the EDCD (Reference 10.3). These were derived to provide assurance that the structures, systems and components comply with their design criteria.

The overall objective of the commissioning is to demonstrate that the plant has been constructed as designed, that the systems performance is consistent with the plant design, and that activities which culminate in operation at full licensed power are performed in a controlled and safe manner. These activities include initial fuel load, initial criticality and power ascension.

Pre-operational and / or start-up commissioning is performed on those systems that are:

• Relied upon for safe shutdown and cool-down of the reactor under normal plant conditions and for maintaining the reactor in a safe condition for an extended shutdown period.

• Relied upon for safe shutdown and cool-down of the reactor under transient and postulated fault conditions and for maintaining the reactor in a safe condition for an extended shutdown period following such conditions.

• Relied upon for establishing conformance with safety limits or limiting conditions for operation that will be included in the facility tech-specs (Chapter 16 of the EDCD, Reference 10.3).

• Classified as Engineered Safety Features Actuation Systems or are relied upon to support operation of an actuation system for Engineered Safety Features within design limits.

• Required as an integral part of the safety assessment of the AP1000.

• Used to process, store, control or limit the release of radioactive materials.

10.3.1 Pre-Operational Commissioning Objectives

Following construction and installation testing, pre-operational commissioning is performed to demonstrate that equipment and systems perform in accordance with design criteria so that initial fuel loading, initial criticality and subsequent power operation can be safely undertaken. Pre-operational tests at elevated pressure and temperature are referred to as hot functional tests.

The general objectives of the pre-operational test programme are the following:

• Demonstrate that essential plant components and systems, including alarms and indications, meet appropriate criteria based on the design.

• Provide documentation of the performance and condition of equipment and systems.

• Provide baseline test and operating data on equipment and systems for future use and reference.

• Demonstrate that plant systems operate on an integrated basis.

• Demonstrate to the regulators’ satisfaction that all safety systems, features and procedures are sufficiently advanced to enable fuel loading.

Plant operating, emergency and surveillance procedures are incorporated into the commissioning procedures. These procedures are verified through use, to the extent practicable, during the pre-operational test programme and revised if necessary, prior to fuel loading.

Plant equipment used in the performance of pre-operational tests is operated in accordance with the appropriate operating procedures. This gives the plant operating staff an opportunity to gain experience in using these procedures and allows the operating organisation to demonstrate that it has Suitably Qualified and Experienced Persons (SQEPs) to operate the facility prior to initial criticality.

10.3.2 Start-Up Commissioning Objectives

The start-up commissioning begins with initial fuel loading after the pre-operational testing has been successfully completed.

Start-up tests can be grouped into four broad categories:

• Tests related to initial fuel loading;

• Tests performed after initial fuel loading but prior to initial criticality;

• Tests related to initial criticality and those performed at low power (less than 5% of rated power);

• Tests performed at power levels > 5%.

During performance of the start-up commissioning, the plant operating staff has the opportunity to obtain practical experience in the use of normal and abnormal operating procedures while the plant progresses through heat-up, criticality and power operations. This will build on their simulator training already completed.

The general objectives of the start-up commissioning are:

• Install the nuclear fuel in the reactor pressure vessel in a controlled and safe manner.

• Verify that the reactor core and components, equipment and systems required for control and shutdown have been assembled according to design and meet specified performance requirements.

• Achieve initial criticality and operation at power in a controlled and safe manner.

• Verify that the operating characteristics of the reactor core and associated control and protection equipment are consistent with design requirements and accident analysis assumptions.

• Obtain the required data and calibrate equipment used to control and protect the plant.

• Verify that the plant is operating within the limits imposed by the Tech-Specs (Chapter 16 of the EDCD, Reference 10.3).

10.4 Organisation, Staffing and Responsibilities

The workforce structure, staff responsibilities, authorisations and personnel qualifications for performing the AP1000 commissioning are the responsibility of the licensee. The licensee's test organisation is responsible for planning, executing and documenting the plant initial testing and related activities that occur between the completion of plant, system and component construction and the commencement of commercial operation. Transfer and retention of the experience and knowledge gained during commissioning, for the subsequent commercial operation of the plant, is an objective of the test programme.

10.5 Commissioning Specifications and Procedures

Pre-operational and start-up commissioning are performed using commissioning specifications and procedures. The specifications will cover (but are not limited to):

• Objectives for performing the test;

• Test prerequisites;

• Initial test conditions;

• Data requirements;

• Criteria for test results evaluation and reconciliation methods and analysis as required.

For each test, the procedure specifies the following:

• Objectives for performing the test;

• Prerequisites that must be completed before the test can be performed;

• Initial conditions under which the test is started;

• Special precautions required for the safety of personnel or equipment;

• Instructions delineating how the test is to be performed;

• Identification of the required data to be obtained and the methods for documentation;

• Data reduction analysis methods as appropriate.

Commissioning specifications and procedures are developed and reviewed by personnel who are suitably qualified and experienced. This includes the participation of the principal design organisations in establishing test performance requirements and acceptance criteria. Specifically, the principal design organisations will provide scoping documents (i.e. pre-operational and start-up test specifications) containing commissioning objectives and acceptance criteria applicable to their scope of design responsibility, as discussed in Section 14.4.5 of the EDCD (Reference 10.3).

Continuous learning from other operating units will be factored into the commissioning specifications and procedures as appropriate.

Pre-operational and start-up tests are performed under site licensee quality assurance requirements equivalent to those specified in Section 17.5 of the EDCD (Reference 10.3).

10.6 Conduct of Commissioning Programme

Administrative procedures and requirements that govern the conduct of the commissioning include the following:

• Format and content of procedures.

• Process for both initial issue and subsequent revisions of procedures (configuration control).

• Review process for commissioning results.

• Process for resolution of failures to meet performance criteria and of other operational problems or design deficiencies.

• Requirements for progressing from one phase of commissioning to the next, as well as requirements for moving beyond selected hold points or milestones within a given phase.

• Controls to monitor the as-tested status of each system and modifications including retest requirements deemed necessary for systems undergoing or already having completed testing.

• Qualifications and responsibilities of the positions within the start-up group.

The start-up administrative procedures supplement normal plant administrative procedures by addressing those issues that are unique to the start-up programme. A prerequisite to the start-up tests is that the accident management and emergency preparedness arrangements are in place.

10.7 Review of Commissioning Results

The licensee is responsible for review and evaluation of individual test results as well as final review of overall commissioning results and for review of selected milestones or hold points within the test phases. Exceptions or results which do not meet acceptance criteria are identified to the affected and responsible design organisations, and corrective actions and retests, as required, are performed. This is reported in the Safety Commissioning Report.

10.8 Commissioning Records

Retention periods for test records are based on considerations of their usefulness in documenting initial plant performance characteristics.

10.9 Utilisation of Reactor Operating and Testing Experience in the Development of Commissioning

The design, testing, start-up and operating experience from previous pressurised water reactor (PWR) plants is utilised in the development of the initial pre-operational and start-up test programme for the AP1000 plant. This will include any lessons learnt from the commissioning of other AP1000 plants throughout the world.

Special tests that further establish a unique phenomenological performance parameter of the AP1000 design features, beyond the testing performed for design development, and whose results will not change from plant to plant, are intended to be performed on the first AP1000 plant only. Because of the standardisation of the AP1000 design, these special tests (designated first-plant-only tests) are not required on follow-on plants.

The following is a listing of the first plant only tests:

• In-containment Refuelling Water Storage Tank (IRWST) heat-up test;

• Pressuriser surge line stratification evaluation;

• Reactor pressure vessel internals vibration testing;

• Natural circulation tests;

• Rod Cluster Control Assembly (RCCA) out of bank measurements;

• Load follow demonstration.

Other special tests that further establish a unique phenomenological performance parameter of the AP1000 design features, beyond the testing performed for design development, and whose results will not change from plant to plant, are intended to be performed on the first three AP1000 plants. Because of the standardisation of the AP1000 design, once these special tests have affirmed consistent passive system function they are not required on follow-on plants. These tests (designated first-three-plant tests) are identified below:

• Core Make-up Tank (CMT) heated recirculation tests;

• Automatic Depressurisation System (ADS) blow down test.

For subsequent plants, the site licensee shall either perform the subject test or shall provide justification that the results of the first-plant-only tests or first-three-plant tests are applicable to the subsequent plant.

The justifications for the first-plant-only tests and the first-three-plant tests are provided in Section 14.2.5 of the EDCD (Reference 10.3).

10.10 Use of Plant Operating and Emergency Procedures

As appropriate and to the extent practicable, plant normal, abnormal and emergency operating procedures are used when performing pre-operational and start-up tests. Operators will have qualified in the use of these procedures on AP1000 simulators prior to their use on the plant.

The use of these procedures is intended to:

• Demonstrate the adequacy of the specific procedure or to identify changes that may be required.

• Increase the level of knowledge of plant personnel on the systems being tested.

10.11 Commissioning Schedule

The schedule for the initial fuel load and for each major phase of the commissioning includes the timetable for generation, review and approval of procedures as well as the actual testing and analysis of results.

Pre-operational testing is performed as system and equipment availability allows. The interdependence of systems is also considered. Sequencing of the start-up tests depends on specified power and flow conditions and intersystem prerequisites. The start-up test schedule establishes that, prior to core load, the test requirements are met for those plant structures, systems and components that are relied upon to prevent, limit or mitigate the consequences of postulated accidents. Commissioning is sequenced so that the safety of the plant is not dependent on untested systems, components or features.

10.12 Initial Fuel Loading and Initial Criticality

10.12.1 Prerequisites

Initial fuel loading and the subsequent initial criticality and power ascension to full licensed power are performed during start-up commissioning. Prior to the initiation of these operations, the systems and conditions necessary to bring the plant into compliance with the Tech-Specs (Chapter 16 of the EDCD, Reference 10.3) must be operable and satisfied. These operations are performed in a controlled and safe manner by using test procedures that specify:

• Required prerequisite testing;

• Operational status of required systems;

• Step-by-step instructions;

• Precautions which must be observed;

• Actions to be taken in the event of unanticipated or abnormal response.

10.12.2 Initial Fuel Loading

The minimum conditions for initial core loading include:

• The composition, duties and emergency procedure responsibilities of the fuel handling crew are established.

• Radiation monitors, nuclear instrumentation, manual initiation controls and other devices to actuate alarms and ventilation controls are tested and verified to be operable.

• The status of systems required for fuel loading is established and verified.

• The status of protection systems, interlocks, alarms and radiation protection equipment is established and verified for fuel loading.

• Inspections of fuel and control rods have been made.

• Containment integrity has been established to the extent required by the Tech-Specs (Chapter 16 of the EDCD, Reference 10.3).

• The reactor pressure vessel status has been established for fuel loading. Components are verified to be in place or out of the vessel as required for fuel loading.

• Required fuel handling tools are available, operational and calibrated to include indexing of the manipulator crane with a dummy fuel element. The fuel handling tools have been successfully tested.

• Reactor coolant water quality requirements are established and the reactor coolant water quality is verified.

• The reactor pressure vessel is filled with water to a level approximately equal to the centre of the vessel outlet nozzles. The reactor coolant water is circulating at a rate which provides uniform mixing.

• The boron concentration in the reactor coolant is verified to be equal to or greater than the level required by the plant Tech-Specs for refuelling, and is being maintained under a surveillance programme.

• Sources of un-borated water to the Reactor Coolant System (RCS) have been isolated and are under a surveillance programme.

• At least two neutron detectors are calibrated, operable and located in such a way that changes in core reactivity can be detected and recorded. One detector is connected to an audible count rate indicator and a containment alarm.

• A response check of nuclear instruments to a neutron source is required within 8 hours prior to loading (or resumption of loading if delayed for 8 hours or more).

Fuel assemblies, together with inserted components (control rods, burnable poison assemblies, primary and secondary neutron sources), are placed in the reactor pressure vessel according to an established and approved sequence. During and following the insertion of each fuel assembly, until the last fuel assembly has been loaded, the response of the neutron detectors is observed and compared with previous fuel loading data or calculations to verify that the observed changes in core reactivity are as expected. Specific instructions are provided if unexpected changes in reactivity are observed.

Because of the unique conditions that exist during initial fuel loading, temporary neutron detectors may be used in the reactor pressure vessel to provide additional reactivity monitoring. Credit for the use of temporary detectors may be taken in meeting Tech-Specs requirements on the number of operable source range channels.

10.12.3 Initial Criticality

Following initial fuel loading, the reactor upper internals and the pressure vessel head are installed. Additional mechanical and electrical tests are performed in preparation for critical and power operations. The following conditions exist prior to initial criticality:

• The RCS is filled and vented.

• Tests are completed on the control rod drive system that demonstrate that the control rods have been latched, that the control and position indication systems are functioning properly and that the rod drop time under hot full flow conditions is less than the Tech-Specs limit.

• Tests are completed that demonstrate that plant control and protection systems are operable and that the reactor trip breakers respond as designed to appropriate trip signals.

• The RCS is at hot no-load temperature and pressure. The reactor coolant boron concentration is such that the shutdown margin requirements of the Tech-Specs are satisfied for the safe shutdown condition.

Initial criticality is achieved in an orderly, controlled fashion by the combination of shutdown and control bank withdrawal and RCS boron concentration reduction. During the approach to initial criticality, the response of the source range nuclear instruments is used as an indication of the rate of reactivity addition and the proximity to a critical condition so that criticality is achieved in a controlled, predictable fashion.

Rates for rod withdrawal and boron reduction are specified in such a way that the start-up rate is less than one decade per minute.

Following criticality and prior to operation at power levels greater than 5% of rated power, physics tests are performed to verify that the operating characteristics of the reactor core are consistent with design predictions. During these tests, values are obtained for the reactivity worth of control and shutdown rod banks, isothermal temperature coefficient and critical boron concentration for selected rod bank configurations.

Other tests at low power include verification of the response of the nuclear instrumentation system and radiation surveys.

10.12.4 Power Ascension

After the operating characteristics of the reactor have been verified by low-power testing, a power ascension programme brings the unit to its full rated power level in successive stages. At each successive stage, hold points are provided to evaluate and approve test results prior to proceeding to the next stage. The minimum test requirements for each successive stage of power ascension are specified in the applicable start-up test procedures.

During the power ascension programme, tests are performed at various power levels as follows:

• State-point data, including secondary system heat balance measurements, are obtained at various power levels up to full licensed power. This information is used to project plant performance during power escalation, provide calibration data for the various plant control and protection systems and provide the bases for plant trip set-points.

• At prescribed power levels, the dynamic response characteristics of the primary and secondary systems are evaluated. System response characteristics are measured for design step load changes, rapid load reductions and plant trips.

• Adequacy of the radiation shielding is verified by gamma and neutron radiation surveys. Periodic sampling is performed to verify the chemical and radiochemical analysis of the reactor coolant.

• Using the in-core instrumentation as appropriate, the power distribution of the reactor core is measured to verify consistency with design predictions and Tech-Specs limits on peaking factors.

10.13 Pre-Operational Commissioning

Test abstracts for the pre-operational testing are described in detail in Section 14.2.9 of the EDCD (Reference 10.3). These are test summaries, some of which apply only to the first AP1000 tests, which describe the purpose of the test, the prerequisites, methodology and acceptance criteria.

10.13.1 Pre-Operational Commissioning of Systems with Safety Significant Functions

Section 14.2.9.1, Chapter 14 of the EDCD (Reference 10.3) includes detailed descriptions of the pre-operational commissioning required for the safety significant systems identified below:

• RCS testing;

• Steam Generator System (SGS) testing;

• Passive Core Cooling System (PXS) testing;

• Passive Containment Cooling System (PCS) testing;

• Chemical and Volume Control System (CVS) isolation testing;

• Main Control Room Emergency Habitability System (VES) testing;

• Expansion, vibration and dynamic effects testing of high-energy piping and components;

• Control rod drive system testing;

• Reactor pressure vessel internals flow induced vibration testing;

• Containment isolation and leak rate testing;


• Containment Hydrogen Control System (VLS) testing;

• Protection and Safety Monitoring System (PMS) testing;

• In-core Instrumentation System (IIS) testing;

• Class 1E dc Power and Uninterruptible Power Supply (UPS) System (IDS) testing;

• Fuel handling and reactor component servicing equipment test;

• Extended operation of safety significant system testing.

10.13.2 Pre-Operational Commissioning of Defence-in-Depth Systems

Section 14.2.9.2 of the EDCD (Reference 10.3) includes detailed descriptions of the pre-operational commissioning required for the defence-in-depth systems identified below:

• Main Steam System (MSS) testing;

• Main and Start-up Feed-water (FWS) System testing;

• Chemical Volume and Control System (CVS) testing;

• Normal Residual Heat Removal System (RNS) testing;

• Component Cooling Water System (CCS) testing;

• Service Water System (SWS) testing;

• Spent Fuel Pool Cooling System (SFS) testing;

• Fire Protection System (FPS) testing;

• Central Chilled Water System (VWS) testing;

• Nuclear Island Non-Radioactive Ventilation System (VBS) testing;

• Radiologically Controlled Area Ventilation System (VAS) testing;

• Plant Control System (PLS) testing;

• Data Display and Processing System (DDS) testing;

• Diverse Actuation System (DAS) testing;

• Main ac power system testing;

• Non class 1E dc and UPS system (EDS) testing;

• Standby diesel generator testing;

• Radiation Monitoring System (RMS) testing;


• Plant lighting system testing;

• Primary Sampling System (PSS) testing;

• Annex / Auxiliary Building (VXS) non-radioactive Heating, Ventilation and Air Conditioning (HVAC) system testing.

10.13.3 Pre-Operational Commissioning of Radioactive Systems

Section 14.2.9.3 of the EDCD (Reference 10.3) includes detailed descriptions of the pre-operational commissioning required for the radioactive systems identified below:

• Liquid Radwaste System (WLS) testing.

• Gaseous Radwaste System (WGS) testing.

• Solid Radwaste System (WSS) testing.

• Radioactive Waste Drain System (WRS) testing.

• Steam Generator Blowdown System (BDS) testing.

• Waste Water System (WWS) testing.

10.13.4 Pre-Operational Commissioning of Additional Systems

Section 14.2.9.4, Chapter 14 of the EDCD (Reference 10.3) includes detailed descriptions of the pre-operational commissioning required for the additional systems identified below:

• Condensate System (CDS) testing.

• Condensate Air Removal System (CMS) testing.

• Main Turbine System (MTS) and auxiliaries testing.

• Main generator system and auxiliaries testing.

• Turbine Building Closed Cooling Water System (TCS) testing.

• Circulating Water System (CWS) testing.

• Turbine Island Chemical Feed System (CFS) testing.

• Condensate Polishing System (CPS) testing.

• Demineralised Water Transfer and Storage System (DWS) testing.

• Compressed and Instrument Air System (CAS) testing.

• Containment Recirculation Cooling System (VCS) testing.

• Containment Air Filtration System (VFS) testing.


• Plant Communication Systems (EFS) testing.

• Mechanical Handling System (MHS) crane testing.

• Seismic Monitoring System (SJS) testing.

• Special Monitoring System (SMS) testing.

• Secondary Sampling System (SSS) testing.

• Turbine Building Ventilation System (VTS) testing.

• Health Physics and Hot Machine Shop HVAC System (VHS) testing.

• Radwaste Building HVAC System (VRS) testing.

• Main unit auxiliary and reserve auxiliary transformer test.

10.13.5 Start-Up Commissioning Procedures

Those tests comprising the start-up commissioning phase are identified in this section and discussed in detail in Section 14.2.10 of the EDCD (Reference 10.3). For each test, the document presents a general description of the test objective, test prerequisites, test description and test performance criteria, where applicable. In describing a test, the operating and safety significant characteristics of the plant to be tested and evaluated are identified.

The specifics of the start-up tests relating to test methodology, plant prerequisites, initial conditions, performance criteria and analysis techniques are discussed in Section 14.4 of the EDCD (Reference 10.3) in the form of plant, system and component performance and testing procedures.

10.13.5.1 Initial Fuel Loading and Pre-Critical Tests

This section identifies those commissioning tests that are performed following completion of the pre-operational commissioning but prior to initial criticality testing. These tests include those performed prior to core load to verify that the plant is ready for core loading, the loading of the core and the tests performed under hot conditions after the core has been loaded but prior to initial criticality.

These tests are described in detail in Section 14.2.10.1 of the EDCD (Reference 10.3). Tests to be performed prior to and during initial core loading are described in Sections 14.2.10.1.1 through 14.2.10.1.5. These tests verify that the systems necessary to monitor the fuel loading process are operational and that the core loading is conducted properly. These tests are identified below:

• Fuel loading prerequisites and periodic checks;

• Reactor systems sampling for fuel loading;

• Fuel loading instrumentation and neutron source requirements;

• Inverse count rate ratio monitoring for fuel loading;

• Initial fuel loading confirmation.


Following core load, tests are performed at hot conditions to bring the plant to a final state of readiness prior to initial criticality. These tests are identified below:

• Post-fuel loading pre-critical test sequence;

• In-core instrumentation system pre-critical verification;

• Resistance temperature detectors-in-core thermocouple cross calibration;

• Nuclear instrumentation system pre-critical verification;

• Set-point pre-critical verification;

• Rod control system;

• Rod position indication system;

• Control rod drive mechanisms;

• Rod drop time measurement;

• Rapid power reduction system;

• Process instrumentation alignment;

• Reactor coolant system flow measurement;

• Reactor coolant system flow coast-down;

• Pressuriser spray capability and continuous spray flow verification;

• Feed-water valve stroke test.

10.13.6 Initial Criticality Tests

Following completion of the core loading and pre-criticality testing, the plant is brought to initial criticality, according to the test procedures in Section 14.2.10.2.1 of the EDCD (Reference 10.3). These are identified below:

• Initial criticality test sequence;

• Initial criticality;

• Nuclear instrumentation system verification;

• Post-critical reactivity computer checkout.


10.13.7 Low Power Tests

Following successful completion of the initial criticality tests, low power tests are conducted, typically at power levels less than 5%, to measure physics characteristics of the reactor system and to verify the operability of the plant systems at low power levels. These tests are described in detail in Section 14.2.10.3 of the EDCD (Reference 10.3) and identified below:

• Low-power test sequence;

• Determination of physics testing range;

• Boron endpoint determination;

• Isothermal temperature coefficient measurement;

• Bank worth measurement;

• Natural circulation (first plant only);

• Residual heat removal heat exchanger (first plant only).

10.13.8 Power Ascension Tests

After low power testing is completed, testing is performed at specified elevated power levels to demonstrate that the facility operates in accordance with design during normal steady-state operations and, to the extent practical, during and following anticipated transients. During power ascension, tests are performed to obtain operational data and to demonstrate the operational capabilities of the plant. These tests are described in detail in Section 14.2.10.4 of the EDCD (Reference 10.3) and identified below:

• Test sequence;

• In-core instrumentation system;

• Nuclear instrumentation system;

• Set-point verification;

• Start-up adjustments of reactor control systems;

• RCCA out of bank measurements (first plant only);

• Axial flux difference instrumentation calibration;

• Primary and secondary chemistry;

• Process measurement accuracy verification;

• Process instrumentation alignment at power conditions;

• Reactor coolant system flow measurement at power conditions;

• Steam dump control system;


• Steam generator level control system;

• Radiation and effluent monitoring system;

• Ventilation capability;

• Biological shield survey;

• Thermal power measurement and state-point data collection;

• Dynamic response;

• Reactor power control system;

• Load swing test;

• 100 % load rejection;

• Load follow demonstration (first plant only);

• Hot full power boron endpoint;

• Plant trip from 100 % power;

• Thermal expansion;

• Loss of offsite power;

• Feed-water heater loss and out of service test;

• Remote shutdown workstation.

10.14 Conclusion

This chapter has provided a broad overview of the testing and commissioning of the AP1000 to demonstrate that the as-built plant will function safely as designed. It has described the requirements, staffing, procedures, records and controls which ensure that the process is comprehensive. As no AP1000s have yet been constructed, it highlights specific tests which are carried out on the first unit, or first few units, which verify fundamental and novel features of the AP1000.


REFERENCES

10.1 WEC, UKP-GW-GL-737, AP1000 Plant Life Cycle Safety Report, Rev. 1, (to be issued).

10.2 UK Construction (Design and Management) Regulations 2007, April 2007.

10.3 WEC, EPS-GW-GL-700, AP1000 European Design Control Document, Rev. 1, December 2009.


CHAPTER 11: OPERATIONAL MANAGEMENT


11.0 OPERATIONAL MANAGEMENT

11.1 Introduction

This chapter presents the arguments that the AP1000 can be operated and maintained in accordance with the safety case.

11.2 Operating Instructions

The Operating Instructions are the detailed instructions provided to the operators in the main control room and those involved in refuelling. These instructions explain how to manoeuvre the plant in all circumstances and how to perform operations.

All operator actions that affect nuclear safety during plant operation must be carried out in accordance with approved operating instructions, including those actions in response to an accident situation. Checking of the operating instructions for consistency with the technical specifications is essential, and cross references to any relevant limiting conditions of operation (LCOs) are required. Once finalised, any modifications to the operating instructions will be subject to the licensee’s change control procedure.

Westinghouse has produced a full set of operating instructions for the AP1000, which are essentially an evolution from those of current generation PWRs. Those operating instructions associated with the passive and other novel features of the AP1000 will need to be validated before the AP1000 goes into service for the first time. A training simulator will be available before commissioning, which will be used as part of the validation of the operating instructions.

11.3 Operational Limits and Conditions

The safe operating envelope of the AP1000 is defined by the operational parameters within which it can be safely operated, and by the protective safety measures that must be available in case a duty system fails. The limiting operational parameters are the boundary conditions assumed by the transient analysis for each fault in the design basis fault schedule (see Section 5.2 of this PCSR). The conditions placed on the availability of protective safety measures are based on the required reliability of providing the nuclear safety function, given the postulated frequency and consequences of each fault.

It is a legal requirement that the operational limits and conditions for each nuclear power plant be formally specified in its operating rules (site license condition 23). The technical specifications for the AP1000, which are presented in Chapter 16 of the European Design Control Document (EDCD) (Reference 11.1), set out the operational limits and conditions needed by the design basis safety case.

11.4 Examination, Maintenance Inspection, and Testing

One of the design features of the AP1000 is to provide a greatly simplified plant with respect to maintenance requirements and maintenance dose burden. This includes the arrangement of buildings, access to plant, space for maintenance and laydown of equipment, and the availability of hoists, etc., to aid maintenance activities.

Examination, maintenance inspection, and testing (EMIT) activities on nuclear or radiation implicated SSCs are to be identified in the plant maintenance program (section 17.5 of the European DCD, Reference 11.1), also known as an EMIT (or mandatory maintenance) schedule.


This is necessary to ensure that such equipment is maintained to appropriate standards, thereby providing confidence that it would fulfil its safety functional requirements if called upon.

At a system level, the items that need to be included in the EMIT schedule are those on which the technical specifications impose availability requirements, because such requirements come from the underlying nuclear safety case. An EMIT schedule will be produced, containing all EMIT activities, using a structured maintenance task analysis process. Each task in the schedule will be classified according to its nuclear safety significance.

EMIT schedules will be written by the Site Licensee, with guidance from the design engineers (Westinghouse and other suppliers).

11.5 Site Licensee Operational Management

The Site Licensee must provide arrangements under the site license for the following topics:

• Delegation of nuclear site licensee responsibilities.

• Defined manning levels for suitably qualified and experienced personnel (SQEP).

• Training.

• Management procedures for human resources, quality assurance, etc.

• Control of engineering change, i.e., modifications to nuclear safety significant SSCs and documentation.

• Radiological protection.

• Event reporting.

• Environmental protection.

• Emergency contingency plans.

• Site security.

These arrangements will be put in place progressively during the site licensing of the AP1000.

11.6 Conclusion

This chapter shows how the operational aspects of the AP1000 relate to the design and are a crucial part of the safety case. The AP1000 already has operational arrangements in place ready to be developed by the UK licensee prior to completion of construction. These are based initially on mature arrangements used on existing PWRs and are well tested. There are some developments which have yet to be proven on AP1000 specific features, and this chapter outlines how that will be achieved.

The hierarchy of operating arrangements is described (limiting conditions of operation, tech specs, operating instructions) including their inter-relationship. Also described is the concept and importance of the maintenance schedule.


REFERENCES

11.1 EPS-GW-GL-700, Rev 1, AP1000 European Design Control Document, December 2009.


CHAPTER 12: RADIOLOGICAL PROTECTION


12.0 RADIOLOGICAL PROTECTION

12.1 Introduction

This chapter of the PCSR summarises the radiological hazards associated with operation of the AP1000 reactor plant and the protection measures that have been implemented in the design. It describes:

• Radiation sources including a tabular description of the sources of radiation from the reactor plant (operating and shutdown), the exposure pathways, and how they are managed.

• Radiological protection principles and how they are applied. This includes reference to the radiation dose criteria and the safety analysis to show compliance with the principles.

• Design features for radiation protection; this covers how radiation protection has been applied to the design of the reactor plant.

• Radiation monitoring; this identifies the plant monitoring provisions throughout the lifetime. Details of site specific radiation protection programme are not included, as these will be subject to site licensee administrative arrangements and are not covered by the generic site PCSR.

The majority of the supporting analysis and evidence that radiation protection has been considered in the AP1000 design is contained in Chapters 11 and 12 of the AP1000 European Design Control Document (EDCD) (Reference 12.1). This includes the design features that have been incorporated to minimise the necessity for and the amount of time spent in a radiation area.

This chapter covers the normal operational radiological aspects of the design and operation of the AP1000 reactor plant, provides demonstration against criteria and the provisions for radiation monitoring. Chapters 5, 13, 14, 15, and 16 cover the related topics of accident risks, emergency preparedness, environmental protection, radioactive waste management, and decommissioning, respectively.

12.2 Radiation Sources

Table 12-1 describes the radiation sources that arise from the reactor plant whilst operating, maintaining, and refuelling. These are fully described in Section 12.2 of the EDCD (Reference 12.1), together with the design basis source terms for each individual reactor system, and Section 12.3 of the EDCD (Reference 12.1) discusses the appropriate control measures.

The radioactive inputs to the liquid, gaseous, and solid radwaste systems are covered in Chapter 11 of the EDCD (Reference 12.1).


Table 12-1 SOURCES OF RADIATION

Columns: Source; Source Term/Radionuclide; Radiological Significance and Exposed Group

Radiation Sources (Power Operation and Shutdown)

Source: Direct Core Radiation
Source term/radionuclide: Gamma and neutron flux
Radiological significance and exposed group: The reactor internals, reactor vessel, containment primary and secondary interior shield systems and the shield building attenuate the radiation. These reduce the predicted dose exposure to the operator in normal power operation to low levels. Exposure to others is negligible. Administrative controls on potential access inside the containment are required to minimise dose uptake. The gamma and neutron flux is significantly reduced when the reactor is shut down and shielded by the reactor internals, reactor vessel, containment primary and secondary interior shield systems. Containment is accessible, but access is controlled. The dose rates in containment result from the residual fission products and activated wear and corrosion products (see below) in the reactor coolant system.

Source: Fission Product
Source term/radionuclide: Fission Products
Radiological significance and exposed group: These products are normally retained within the fuel. Pinhole defects in the fuel rod cladding may lead to fission product release to the reactor primary coolant. The design basis for fission product leakage is operation with cladding defects in fuel rods producing 0.25 percent of the core thermal power. The secondary shield surrounding the reactor coolant system equipment (including piping, pumps and steam generators) protects personnel from the direct gamma radiation emanating from the fission products carried away from the core by the primary coolant in power operation. Fission products will be released in the event of a severe accident that damages the fuel clad. In the unlikely event of this occurring, fission products present a risk to the workers and others. Containment mitigates the effect of such releases. The design basis loss of coolant accident dictates the shielding requirement for the control room. Present in reactor coolant and deposited on primary circuit surfaces, this source presents a direct and potential internal radiation hazard to maintenance workers.

Source: Coolant Activation Processes
Source term/radionuclide: Nitrogen-16
Radiological significance and exposed group: The activation of oxygen in the primary coolant results in the formation of N-16, which is a strong gamma emitter. Due to its short half-life of 7.1 seconds, N-16 is not a concern outside the containment. N-16 is the predominant contributor to the activity in the reactor coolant pumps, steam generators and reactor piping during operation. The activity in each component depends on the transit time to the component and the residence time. The secondary shield surrounding the reactor coolant system equipment (including piping, pumps, and steam generators) protects personnel in power operation. The source is terminated when the reactor is shut down.

Source: Coolant Activation Processes
Source term/radionuclide: Argon-41
Radiological significance and exposed group: The activation of residual argon in the primary coolant results in the formation of Ar-41. This is a short-lived isotope (half-life 1.8 hrs); the dose from this source is attenuated by secondary shielding. The source is terminated when the reactor is shut down.

Source: Coolant Activation Processes
Source term/radionuclide: Tritium
Radiological significance and exposed group: A number of tritium production processes add tritium to the reactor coolant. Fission product formation in the fuel (ternary fission) forms tritium that can diffuse through the fuel clad or leak through fuel clad defects. Also, neutron reactions with soluble boron, soluble lithium, and deuterium in the reactor coolant result in tritium. Tritium emits beta radiation and presents no hazard during power operation. Tritium exists in the reactor coolant primarily combined with hydrogen (that is, a tritium atom replaces a hydrogen atom in a water molecule) and thus cannot be readily separated from the coolant by normal processing methods. Tritium is present in all coolant liquor released during maintenance activities; it presents a potential internal radioactive hazard to maintenance workers, requiring precautions to be taken to prevent ingestion and/or inhalation.

Source: Coolant Activation Processes
Source term/radionuclide: Carbon-14
Radiological significance and exposed group: The activation of oxygen-17 in the primary coolant results in the formation of C-14. It is also present in activated corrosion products (see below). It emits beta radiation and presents no hazard during power operation. It is present in all coolant liquor released during maintenance activities and is an important isotope in radioactive waste management.

Source: Activation of Corrosion Products (CRUD)
Source term/radionuclide: Cobalt-58, Cobalt-60, Iron-55, Iron-59, Manganese-56, Manganese-54, Chromium-51
Radiological significance and exposed group: The activation of primary circuit component corrosion and wear products results in dissolved activation products within the primary coolant and the deposition of a contamination film of these products on all primary circuit components (termed crud deposits). The secondary shield surrounding the reactor coolant system equipment protects personnel in power operation. The dominant gamma emitting isotope in crud is Co-60 (half-life 5.24 years). Present in reactor coolant and deposited on primary circuit surfaces, crud presents a direct and potential internal radiation hazard to maintenance workers.

Source: Containment Atmosphere
Source term/radionuclide: Argon-41
Radiological significance and exposed group: The main source of airborne activity in containment is activation of naturally occurring argon in the atmosphere. Periodic purging prevents excessive activity build-up.

Radiation Sources (Refuelling)

Source: Spent Reactor Fuel
Source term/radionuclide: Gamma and neutron (fission products and actinides)
Radiological significance and exposed group: Spent fuel is the primary source of radiation during refuelling. Extensive shielding is provided for areas surrounding the refuelling cavity and fuel transfer canal to limit radiation levels to refuelling personnel. Water provides shielding over the spent fuel assemblies during fuel handling.

Source: Irradiated Control and Gray Rods
Source term/radionuclide: Gamma
Radiological significance and exposed group: The gamma ray source strengths of the irradiated control rods and gray rods are used in establishing radiation shielding requirements during refuelling operations and during shipping of irradiated rods.

Source: Secondary Source Rods
Source term/radionuclide: Gamma and neutron
Radiological significance and exposed group: The photoneutron source material used in the secondary source rods is an equal volume mixture of antimony and beryllium (Sb-Be). Extensive shielding is provided for refuelling activities.

Source: In-core Thimbles
Source term/radionuclide: Gamma
Radiological significance and exposed group: Extensive shielding is provided for refuelling activities.


12.3 Radiation Protection Principles and Criteria

The management of radiation protection in the UK is governed by the Ionising Radiation Regulations 1999 (Reference 12.2) and by the principles and criteria presented in the NII Safety Assessment Principles (SAPs) for Nuclear Facilities (Reference 12.3).

The primary aim of the Ionising Radiation Regulations and the associated Approved Code of Practice and Guidance (Reference 12.4) is to establish a framework for ensuring that exposure to ionising radiation arising from work activities, whether from man-made or natural radiation and whether from external or internal radiation, is kept as low as reasonably practicable (ALARP) and does not exceed the legal dose limits specified for individuals.

The NII SAPs (Reference 12.3) assign levels and objectives for radiation doses to individuals and groups; these are the basic safety levels (BSLs) and the basic safety objectives (BSOs), respectively. These encompass the legal limits defined in the Ionising Radiation Regulations. Between the BSL and the BSO, designers and operators need to justify that the dose is ALARP. The ALARP principle will be applied below the BSO.

The specific UK individual dose criteria are presented in Table 12-2.

An important element of optimisation of protection is that the collective dose to individuals on and off site, as a result of operation of the nuclear facility, should be kept ALARP.

This principle takes precedence over compliance with the limits associated with IRR99 (Reference 12.2), insofar as the operator must demonstrate that dose cannot reasonably be reduced further even when the IRR99 requirements have been met.

Assessments against the NII individual dose criteria (Table 12-2) and the specific radiation protection assessment principles defined in the NII SAPs (Reference 12.3) are considered in Section 12.4 below.


Table 12-2 RADIATION SAFETY CRITERIA

Annual dose (mSv) is given for each description as BSL and BSO.

Normal Operation – collective dose all site operations
All employees working with ionising radiations (from all sources of radiation originating on the site): BSL 1000 man-mSv; BSO -

Normal Operation – any person on the site (Target 1)
Employees working with ionising radiations (from all sources of radiation originating on the site): BSL 20 (LL); BSO 1
Other employees on the site: BSL 2; BSO 0.1

Normal Operation – any group on the site (Target 2)
Average to a group of employees working with ionising radiations: BSL 10; BSO 0.5

Normal Operation – any person off the site (Target 3)
Any persons off the site from sources of ionising radiation on the site: BSL 1 (LL); BSO 0.02

Note 1 LL – legal limit defined in Reference 12.2.

Note 2 There are other legal limits on doses for specific groups of people, tissues, and parts of the body defined in Reference 12.2.

12.4 Key Radiological Protection Issues

The sections below provide a discussion of each of the NII Safety Assessment Principles and numerical targets within the scope of the AP1000 design. Compliance with the radiation protection principles and the numerical operational dose targets is discussed. Much of the relevant radiological information needed to support the design has been evaluated and recorded in the EDCD (Reference 12.1), and this reference is called upon extensively to provide evidence for the statements made in the following sections.

12.4.1 Radiation Protection during Normal Operation

Radiation protection during normal operation is a fundamental design consideration for the AP1000, and it is discussed in detail in the EDCD, Chapter 12 (Reference 12.1). Methods incorporated to minimise occupational radiation exposure include: core and fuel design, which minimise fundamental radiation sources; operational chemistry, which supports excellent fuel performance; purification systems; shielding; automation; and overall simplification of the plant.

The numerical assessment of occupational radiation exposure in the EDCD, Section 12.4 (Reference 12.1), gives an estimated annual dose of 671 man-mSv. This has recently been updated to more accurately account for the improvements in materials and operational chemistry made in the AP1000 design. The total annual average projected occupational radiation exposure is 219 man-mSv. This includes normal operations, refuelling operations, and routine maintenance.

12.4.2 Radiological Protection during Post-Accident Conditions

Radiation protection during post-accident conditions is a fundamental design consideration for the AP1000, and is discussed in the EDCD, Chapter 12 (Reference 12.1). Methods incorporated to minimise radiation exposure to workers include shielding, automation, and the overall design approach of the plant.

The AP1000 safety systems are located inside the containment and shield building, and post-accident fluid is not re-circulated outside containment. Compared to traditional pressurised water reactor (PWR) designs, this greatly limits the extent to which post-accident contamination is spread. The need for operator actions post-accident has been greatly reduced. The few actions that are still required have been studied with respect to radiation exposure, as shown in the EDCD, Section 12.3 (Reference 12.1).

12.4.3 Radiological Access Areas

The specific radiological access areas are designated in the EDCD, Chapter 12 (Reference 12.1), particularly in Sections 12.3 and 12.5.

A plant radiological access control programme will be developed during the commissioning phase in support of plant operations; it will be the responsibility of the Site Licensee and will be fully supported by the vendor.

12.4.4 Protection for Work in Contaminated Areas

Controls for minimising contamination, monitoring radiation, and entering contaminated areas will be established before the plant goes operational. Information on the radiation monitoring systems is provided in the EDCD, Section 11.5 (Reference 12.1). Section 9.4 provides information on ventilation systems; ventilation of the radioactive portions of the plant is specifically addressed in Sections 9.4.1, 9.4.2, and 9.4.3.

Operational considerations of radiation protection are covered in the EDCD, Section 12.5 (Reference 12.1), but significant responsibility for developing and implementing such features rests with the Site Licensee.

12.4.5 Handling Contaminated Items

Handling of contaminated replacement parts (primary filter cartridges) is done using remote tools and shielded transfer casks. Such cartridges are packaged, and the packaging is decontaminated, in the truck bay of the auxiliary building or in the radwaste building. Decontamination equipment and space for equipment are provided as part of the hot machine shop, located in the annex building. This area is suitable for components and tools of mass up to 4500 kg. Larger components may be decontaminated in the cask washdown pit in the auxiliary building. More information is provided in the EDCD, Section 11.4 (Reference 12.1).

12.4.6 Dose Control by Shielding

Key shielding for normal operations is provided by permanent installation of steel and concrete barriers. The life of the plant is considered in terms of potential contamination and accumulation of radioactive material. For areas requiring routine manipulation of components, such as valves in radioactive process systems, permanent shielding in the form of valve boxes is provided, as well as extended handles and remote operation, to eliminate or minimise exposure to workers. Temporary shielding is not required for routine operations. Temporary shielding may be considered for abnormal operations if deemed ALARP.

More information is provided in the EDCD, Chapter 12 (Reference 12.1).

12.4.7 Radiation Protection Criteria

The AP1000 standard design meets the numerical collective and individual radiation safety targets and legal limits (Table 12-2). Further confirmation will evolve on a site-specific basis as site characteristics are identified and analysed.

Collective Dose Target (see Table 12-2)

The numerical collective dose target for occupational radiation exposure is 1000 man-mSv/year from all anticipated operational occurrences. Section 12.4 of the EDCD (Reference 12.1) estimates the collective operational dose, including reactor operations and surveillance, routine inspection and maintenance, in-service inspection, special maintenance, waste processing, and refuelling, at 219 man-mSv. This dose represents less than 25% of the collective dose target and is a significant improvement on the current UK nuclear power plant average (discussed in Reference [number not resolved in the source document]).

Normal Operation – any person on site (Target 1 see Table 12-2)

The AP1000 design supports the licensee in its ability to meet this numerical target. Since the 219 man-mSv annual dose represents the total dose anticipated, reasonable staffing assumptions can be used to compare against the individual dose objectives provided in this numerical target.

The staff complement of a single-reactor PWR station in the UK is of the order of 400 people, only some of whom work with ionising radiation. Assuming that all operations and maintenance personnel, who make up at least half the proposed staff on an AP1000, are the ones who work with ionising radiation, the average annual dose will be 1.1 mSv. Comparable operating data from US PWRs gave an annual operational dose of 1.1 mSv in 2007 (1.9 mSv for all facilities) (Reference 12.5). The estimated dose, which is conservative, is just above the BSO.

The basic philosophy guiding the AP1000 design effort to reduce radiation exposures is:

• Design structures, systems, and components for reliability and maintainability, thereby effectively reducing the maintenance requirements on radioactive components.

• Design structures, systems, and components to reduce the radiation fields, thereby allowing operation, maintenance, and inspection activities to be performed in the minimum design radiation field.

• Design structures, systems, and components to reduce access, repair, and removal times, thereby effectively reducing the time spent in radiation fields during operation, maintenance, and inspection.

• Design structures, systems, and components to accommodate remote and semi-remote operation, maintenance, and inspection, thereby effectively reducing time spent in radiation fields.


It has been demonstrated in the EDCD (Reference 12.1) that all reasonably practicable design solutions and improvements have been implemented to minimise worker doses. There are no further design measures identified that would help reduce doses further.

Whilst the design may be optimised to reduce dose, it is ultimately the responsibility of the licensee to manage the dose received by individual workers. The vendor will work closely with the prospective licensee to ensure that the licensee understands how to capitalise on the benefits of the design to keep doses to a minimum.

Normal Operation – any group on the site (Target 2 see Table 12-2)

As discussed under Target 1, the AP1000 design supports the licensee in operating within the limit and is judged to be within the tolerable zone. The AP1000 dose prediction calculation is experience-based and task-based. The database used for the calculation is drawn from mature operating plants, so the impact of build-up of contamination is properly considered. A breakdown of the anticipated dose by major task is provided. Similar ALARP arguments apply as for Target 1.

The management of doses received by individuals and groups of workers is the responsibility of the Site Licensee.

Normal Operation – any person off the site (Target 3 see Table 12-2)

Section 5.2 of the Environment Report (Reference 12.6) provides an estimate of the prospective individual dose at a generic site from the AP1000 generic design. The normal off-site dose, taking into account liquid, atmospheric, and short-atmospheric releases, is estimated as 15 µSv per year. This estimate is based on discharges significantly greater than those currently measured for the Sizewell B PWR, as contained in the EA’s Study of Historic Nuclear Reactor Discharge Data (Reference 12.9).

The dose from direct radiation also needs to be added. Section 12.4.2 of the EDCD (Reference 12.1) states that the direct radiation dose at the site boundary is negligible. To provide an estimate, the doses experienced at the closest comparable design currently in operation in the UK, the Sizewell B PWR, which is based on an older Westinghouse design, have been used. The direct shine dose at the Sizewell B perimeter fence was 4 µSv in 2007, taken from Appendix 4 of the Radioactivity in Food and the Environment Report, 2007 (Reference 12.7).

This gives a total dose to the AP1000 design critical group of 19 µSv per year. This is below the objective of 20 µSv, lies below the UK dose constraint of 300 µSv per year by a factor of 15, and is below the proposed new constraint of 150 µSv per year given in the HPA advice on the Application of ICRP’s 2007 Recommendations to the UK (Reference 12.10).

The AP1000 plant design has many improvements compared to operating plants, including primary system materials, operating chemistry, and overall simplification. It is anticipated that normal offsite doses from operation of an AP1000 will be reduced compared to typical recent operating experience. Therefore, a brief review of well-performing (but not unique) US plants (Table 12-3) gives confidence that operation of the AP1000 will meet Target 3.

Once a site is specified, both direct and inhaled/digested dose will be addressed as part of the site-selection phase.


Table 12-3 NORMAL OPERATION OFFSITE DOSES

Unit: TEDE Dose Reported (mSv) / Limit (mSv) / Objective (mSv)
Beaver Valley 1 & 2 (2005): 0.005 / 1 / 0.02
South Texas 1 & 2 (2003): 0.00003 / 1 / 0.02

12.4.8 ALARP Principle

The overall application of the ALARP principle to the AP1000 design is considered in Chapter 8 of this report. The application of the ALARA/ALARP principle to operational radiation exposures is specifically considered in Section 12.1 of the EDCD (Reference 12.1). As a result of this process, the AP1000 is expected to have significantly reduced occupational radiation exposures, in the range of 219 man-mSv/year. This exposure is less than the current best practice for Westinghouse plants of the same power rating.

12.5 Design Features for Radiation Protection

Particular features of the AP1000 design that contribute to the minimisation of radiation exposure are described in Section 12.3 of the EDCD (Reference 12.1) and in the following subsections.

12.5.1 Equipment and Component Designs

The reactor vessel includes an integrated head package. Mounted directly on the reactor vessel head, the system minimises the time, manpower, and radiation exposure associated with head removal and replacement during refuelling. Integral in the design is permanent shielding for reducing work area dose rates from the control rod drive motors and combined thermocouple/in-core detector system. The reactor vessel nozzle welds are designed to accommodate remote inspection with ultrasonic sensors.

Reactor coolant pumps are designed to require infrequent maintenance and inspection. When maintenance or replacement is required, the pump can be removed to a low radiation area using a specially provided pump removal cart.

The steam generators incorporate many design features to facilitate maintenance and inspection in reduced radiation fields. The specification of low-cobalt tubing material for the AP1000 plant is an important design feature, with the aim of reducing the total plant radiation source term.

Contamination (crud) traps are minimised in pipe work, and filters remove particulate material from the primary coolant.

To minimise personnel exposure from valve operations, motor operated, air operated or other remotely actuated valves are used where justified by activity levels and frequency of use. Where manual valves are used, either valve extenders or shielding is provided such that personnel need not enter a radiation area for valve operation.


Material selection is optimised to reduce the cobalt and nickel content where practical, to minimise the wear and corrosion product source term within the primary circuit. Primary circuit chemistry is designed to minimise the production of corrosion products.

12.5.2 Facility Layout Design

Plant areas are categorised into radiation zones according to the design basis radiation levels and anticipated personnel occupancy. The radiation zone categories employed and the zoning for each plant area under normal and accident conditions are shown in the EDCD (Reference 12.1), Figures 12.3.1 and 12.3.2, respectively. Plant zones and control of personnel access are based upon surveys conducted by the Site Licensee. Access control provisions for each plant area under normal expected conditions are shown in Figure 12.3.3 of the EDCD (Reference 12.1). Based on actual operating plant data, the Site Licensee will assess the radiation areas in accordance with the Ionising Radiation Regulations.

Access control and personnel movements are considered in plant layout to reduce the potential for spread of contamination.

Shielded entrances are provided, where appropriate, for personnel protection. Floor drains are provided to control any radioactive leakage. To facilitate decontamination, concrete surfaces are covered with a smooth coating.

Pipes carrying radioactive materials are routed through controlled access areas properly zoned for the level of activity. Where it is necessary for radioactive piping to be routed through corridors or other low radiation areas, shielded pipe ducts or distance separation are provided. Where practicable, radioactive and non-radioactive piping are separated.

Wall-penetration streaming is minimised with penetration offsets between the radioactive source and the normally accessible areas. Penetrations are located as far as practicable above the floor elevation to reduce exposure to personnel.

In those systems where process equipment is a major source of radiation, pumps, valves, and instruments are separated from the process equipment. Control panels are located in low-radiation areas.

12.5.3 Bulk Shielding

During reactor operation, the shield building protects personnel occupying adjacent plant structures and yard areas from radiation originating in the reactor vessel and primary loop components. Internal to the containment, the reactor vessel is shielded by the concrete primary shield and by the concrete secondary shield, which also surrounds the primary components.

Components of the purification portion of the chemical and volume control system in the containment are located in a shielded compartment, and system equipment is specifically shielded.

Extensive shielding is provided for areas surrounding the refuelling cavity and the fuel transfer canal to limit radiation levels in adjacent areas. The spent fuel cask loading and decontamination areas, fuel transfer and storage areas are suitably shielded.

Shielding is provided in the auxiliary building for potentially high radioactivity in the liquid radwaste, gaseous radwaste, and spent resin handling systems.


12.5.4 Airborne Activity

All practical steps are taken to minimise the potential for airborne activity. Examples include welded pipe systems, which minimise the potential for leakage, and drip trays at points of potential leakage.

The airflow is directed from areas with low potential for contamination to areas with greater potential for contamination.

The ventilation system design for radiologically controlled areas is discussed in Section 9.4 of the EDCD (Reference 12.1).

12.6 Radiation Monitoring

During operation, the Site Licensee will employ a comprehensive radiation protection programme (see Section 12.7). The AP1000 design has an installed system of area radiation and airborne activity monitoring instrumentation. A description of the radiation monitoring system (RMS) is presented in Section 11.5 of the EDCD (Reference 12.1).

The RMS provides plant effluent monitoring, process and fluid monitoring, airborne monitoring, and continuous indication of the radiation environment in plant areas where such information is required. Radiation monitors that have a function important to safety are qualified environmentally, seismically, or both and conform to separation and fire protection criteria.

Fluid process, airborne, liquid and gaseous radiation monitors include:

• Steam generator blowdown radiation monitors. The presence of radioactive material in the steam generator blowdown indicates a leak between the primary and secondary side of the steam generator. The monitor initiates an alarm in the main control room, initiates closure of the steam generator blowdown containment isolation and flow control valves and diverts flow to the liquid radwaste system.

• Component cooling water system radiation monitor. Radioactive material in the component cooling water system indicates leakage. The monitor initiates an alarm in the main control room.

• Main steam line radiation monitors. Radioactive material in the main steam line provides early indication of leakage in the form of a steam generator tube leak. The monitor initiates an alarm in the main control room.

• Service water blowdown radiation monitor. The monitor measures the concentration of radioactive materials in the blowdown flow from the service water system. The monitor initiates an alarm in the main control room.

• Primary sampling system liquid sample radiation monitor. The monitor’s primary function is to indicate elevated reactor coolant sample radiation levels following a design basis event or severe accident. It may also be used to provide early indication of a possible fuel cladding breach. The monitor isolates the sample flow and initiates an alarm in the main control room and locally.

• Primary sampling system gaseous sample radiation monitor. The monitor provides indication of significant radioactivity in a gaseous sample taken from the containment atmosphere. The monitor initiates an alarm locally and in the main control room.


• Main control room supply air duct radiation monitors. These monitors measure the concentration of radioactive materials in the air that is supplied to the main control room. The monitors initiate the supplemental air filtration system on high gaseous concentration and, on high particulate or iodine concentrations, isolate the air intake and exhaust ducts and activate the main control room emergency habitability system. Alarms are provided in the main control room.

• Containment air filtration exhaust radiation monitor. The monitor provides an alarm in the main control room when the concentration of radioactive gases exceeds a predetermined setpoint.

• Gaseous radwaste discharge radiation monitor. The monitor provides an alarm in the main control room and terminates the release of radioactive gas to the plant vent by closing the discharge isolation valve when a predetermined setpoint is exceeded.

• Containment atmosphere radiation monitor. The containment atmosphere radiation monitor is part of the reactor coolant pressure boundary leak detection system described in Section 5.2.5 of the EDCD (Reference 12.1).

• Fuel handling area exhaust radiation monitor. The monitor initiates an alarm in the main control room, closure of the fuel handling area supply and exhaust isolation dampers, opening of the area exhaust air isolation damper to the containment air filtration exhaust units, and start of a containment air filtration exhaust unit.

• Auxiliary building exhaust radiation monitor. This monitor provides the same function as the fuel handling area exhaust radiation monitor.

• Annex building exhaust radiation monitor. This monitor provides the same function as the fuel handling area exhaust radiation monitor.

• Health physics and hot machine shop exhaust radiation monitor. The monitor provides an alarm in the main control room when the concentration of radioactive gases in the exhaust exceeds a predetermined setpoint.

• Radwaste building exhaust radiation monitor. The monitor provides an alarm in the main control room when the concentration of radioactive gases in the exhaust exceeds a predetermined setpoint.

• Plant vent radiation monitor. The plant vent is the only design pathway for the release of radioactive material to the atmosphere. Alarms are provided in the main control room.

• Turbine island vent discharge radiation monitor. This monitor measures the concentration of radioactive gases in the steam and non-condensable gases that are discharged by the condenser vacuum pumps and the gland steam condenser. This measurement provides early indication of leakage between the primary and secondary sides of the steam generators. The monitor provides an alarm in the main control room.

• Liquid radwaste discharge radiation monitor. The liquid discharge monitor provides signals to isolate the discharge of liquid radwaste, stop the discharge pumps, and provide an alarm in the main control room if the concentration exceeds a predetermined setpoint.


• Waste water discharge radiation monitor. The monitor stops the turbine building sump pumps and the basin transfer pumps and initiates an alarm in the main control room.

Area radiation monitors are provided to supplement the personnel and area radiation surveys of the radiation protection programme, as described in Section 11.5 of the EDCD (Reference 12.1). During refuelling operations in the containment and fuel handling area, criticality monitoring functions are performed by the area radiation monitors. A local readout and audible and visual alarms are provided inside each monitored area. Visual alarms are provided outside each monitored area. Indication and alarm are also provided in the main control room.

Post accident area monitors include:

• Containment high range radiation monitor. These monitors measure the radiation from the radioactive gases in the containment atmosphere. The data are displayed in the main control room. Alarms are provided in the main control room, and signals are sent to the protection and safety monitoring system for containment air filtration isolation and normal heat removal system valve closure.

• Primary sampling room area monitor. The primary sampling station is the location where samples are collected and/or analysed after a postulated accident. The monitor provides local readout, audible and visual alarms inside and outside the sampling room. Indication and alarm are also provided in the main control room.

• Control support area (CSA) monitor. The CSA is the location from which engineering support will be provided to the operators following a postulated accident. A local readout, audible and visual alarms are provided internal and external to the room. Indication and alarm are also provided in the main control room.

• Fuel handling area criticality monitors. Two radiation monitors perform criticality monitoring of the fuel handling and storage areas. The area radiation monitoring is augmented during fuel handling operations by a portable radiation monitor on the fuel handling machine. A criticality excursion will produce an audible local alarm and an alarm in the main control room.

12.7 Radiation Protection Programme

For the Site Licence PCSR, this section will describe the proposed administrative organisation, the equipment, instrumentation and facilities, and the procedures for enabling a radiation protection programme. The prospective Site Licensee will complete this section. The radiation protection programme will cover:

• Arrangements to conform with the Ionising Radiation Regulations;

• The administrative controls for the use of the AP1000 design features provided to control access to radiologically restricted areas;

• Classification of work areas and routine radiation surveys;

• Local rules and the supervision of work;

• Work planning and work permits;

• Protective clothing and protective equipment;


• Health surveillance;

• Administration of a personnel dosimetry programme for both routine and accident dosimetry;

• Application of the ALARP principle;

• Source reduction;

• Training;

• Arrangements for response to emergencies.

The access and egress of radiologically controlled areas and health physics facilities is considered in Section 12.5 of the EDCD (Reference 12.1).

12.8 Conclusion

This chapter has considered operational aspects of the AP1000 in respect of how the design facilitates the achievement of world standard dose control. In doing so, the assessment is supported by access to a wealth of operating dose information to enable informed judgements to be made.

The underlying principles for radiation protection are explained and the processes for ensuring compliance during normal and fault conditions are described.

Finally, the engineering features of the AP1000 which protect against dose, including the monitoring arrangements, are described.


REFERENCES

12.1 WEC Report EPS-GW-GL-700, Rev. 1, AP1000 European Design Control Document, December 2009.

12.2 UK Ionising Radiation Regulations, 1999.

12.3 HSE’s Safety Assessment Principles for Nuclear Facilities, 2006, First Edition, Rev. 1.

12.4 UK HSE, 2000, Ionising Radiations Regulations 1999 - Approved Code of Practice and Guidance.

12.5 NUREG-0713, Volume 29, Occupational Radiation Exposure at Commercial Nuclear Power Reactors and Other Facilities 2007.

12.6 WEC Report UKP-GW-GL-790, Rev. 2, “UK AP1000 Environment Report,” December 2009.

12.7 Radioactivity in Food and the Environment Report, 2007 – RIFE-13, Environment Agency, December 2008.

12.8 HPA-RPD-001, Ionising Radiation Exposure of the UK Population: 2005 Review, Watson SJ et al, HPA, May 2005.

12.9 EA, SC070015/SR1, Study of Historic Nuclear Reactor Discharge Data, September 2009.

12.10 Health Protection Agency, Advice on the Application of ICRP’s 2007 Recommendations to the UK, August 2008.


CHAPTER 13: EMERGENCY PREPAREDNESS


13.0 EMERGENCY PREPAREDNESS

13.1 Introduction

All nuclear power stations are required to include arrangements, facilities, and equipment to facilitate the management of emergencies. The purpose of this chapter is to highlight the requirements for the AP1000 plant and to identify the facilities that are currently included in the design.

13.2 General

All UK licensed civil nuclear facilities are required to have in place emergency arrangements which are rehearsed regularly. The requirement for emergency arrangements is specified by Licence Condition 11 under the Nuclear Installations Act 1965, and is subject to approval by the NII.

Accident Management and Emergency Preparedness are also addressed in Principle AM.1 of the HSE Safety Assessment Principles for Nuclear Facilities (Reference 13.1), which states:

“A nuclear facility should be so designed and operated to ensure that it meets the needs of accident management and emergency services.”

The Radiation (Emergency Preparedness and Public Information) Regulations (REPPIR), 2001 (Reference 13.2) are also relevant. REPPIR establishes a framework for the protection of workers and the public through emergency preparedness for a radiation emergency. These Regulations place a requirement on the Licensee (duty holder) and the off-site Emergency Services to develop and test emergency plans.

The Nuclear Emergency Planning Liaison Group (NEPLG), under the auspices of the Department of Energy and Climate Change (DECC), has produced consolidated guidance documentation for emergency preparedness that will be taken into account by the prospective site licensee. NEPLG will also provide guidance on aligning with the practices evolving from the Civil Contingencies Act (CCA) 2004. The NEPLG consolidated guidance also identifies the requirements for on-site and off-site emergency response centres.

The licensee of each AP1000 site in the UK will establish Emergency Arrangements through an emergency plan for managing emergencies arising from activities on the site; these will be submitted and approved by the NII in accordance with Licence Condition (LC) 11. The LC 11 submission will be specific to each site but may draw on a generic plan prepared by the operating organisation and will contain a description of the emergency plan, which will include the emergency organisational structure and the manner in which it will respond to specific types of emergency.

Typically, the site emergency response organisation is headed by an emergency controller supported by a number of individuals with key technical skills; for example health physics, reactor physics, operations, engineering and technical experts based either on the site or accessible remotely in the Licensee’s central organisation. Additionally there will be administrative support and security staff to control access to the site. Trained emergency response teams will be available to the emergency controller to cover fire control, search and rescue and radiological surveys. The following are the areas of responsibility of the site emergency response organisation:

• Initiation of the site emergency arrangements.


• Issuing appropriate warnings at the correct time and ensuring the safe withdrawal of all persons on site to pre-arranged assembly points.

• Notifying promptly all persons and external organisations concerned with implementing remedial actions.

• Notifying the regulators.

• Assembling and deploying emergency teams to assess and minimise the consequences of the accident.

• Assessing the risk and extent of any potentially hazardous situation and ensuring timely advice is given on appropriate measures to safeguard the public and station personnel.

• Protecting the environment.

• Minimising the release of radioactivity and making the affected plant safe.

• Providing authoritative specialist advice to the police, local authorities, and other organisations responsible for the protection of the public.

• Provision of accurate information for the local authority to inform the public.

The Licensee’s emergency arrangements require the declaration of either a “Site Incident” or a “Nuclear Emergency,” depending on the nature of the event. A Site Incident or Nuclear Emergency can only be declared by the duty emergency controller (a senior manager on the power station) or by the shift charge engineer (the engineer in charge of the operation of the power station) in the control room.

The definitions of these two declaration states are given below:

• Site Incident – A hazardous condition that is confined in its effect to within the boundary of the site security fence.

• Nuclear Emergency – A hazardous condition that results, or is likely to result, in the need to consider urgent countermeasures to protect the public outside the site security fence from a radiological hazard.

A Site Incident may not call for the full implementation of the operator’s emergency plan, nor necessarily, the alerting of the off-site emergency services. The possibility of a Site Incident developing into a Nuclear Emergency is continuously assessed by power station emergency response staff. On the declaration of a Nuclear Emergency, the Licensee will initiate the off-site emergency plan.

Table 13-1, which illustrates how the UK classification system works in practice, is taken from the British Energy Generation Ltd Emergency Planning Group, Generic Emergency Plan (Reference 13.3).

The Radiation (Emergency Preparedness and Public Information) Regulations 2001 (REPPIR – Reference 13.2) require local authorities to:

• Prepare, review, revise, test, and implement an off-site plan for any premises with an operator’s plan (in the case of a power station, an emergency plan). The off-site plan should bring together the emergency arrangements of all the off-site agencies with a role to play in the intervention of a radiation emergency occurring at the premises (the power station site).

• Prepare arrangements to supply information to members of the public in the event of a radiation emergency actually occurring, however it may occur. These arrangements are intended to cover events such as fallen nuclear-powered satellites, transport accidents, or incidents occurring overseas that may also affect Great Britain, as well as from premises subject to REPPIR, including nuclear power stations and nuclear chemical plants.

Specific off-site plans will be required for each AP1000 site but for existing sites only a modification of the plan will be necessary. The off-site plan for the two current Sizewell stations is a good example of an off-site plan prepared by the local civil authorities potentially affected by an emergency at that site. The Sizewell plan can be viewed at the following web site and shows clearly the roles and responsibilities associated with an off-site plan: http://www.suffolkresilience.com/docs/pdf/sizewell off site plan.pdf.

13.3 Emergency Response Facilities

All nuclear power stations are required to include facilities and equipment to facilitate the management of emergencies. The AP1000 Main Control Room provides the main control function for the plant and is designed to remain habitable following a design basis accident. The Main Control Room is shielded and provided with filtered air at a modest overpressure.

In addition to the Main Control Room, the AP1000 Design, described in the European DCD (Reference 13.4), specifies an on-site Technical Support Centre (TSC) and an Operational Support Centre. The function of these facilities is as follows:

• The Operational Support Centre is an emergency response facility to provide a habitable area for operations support personnel and the resources to coordinate the assignment of duties and tasks to personnel outside of the main control room and the technical support centre in support of plant emergency operation. The major task of the Operational Support Centre is to provide a centralised area and the necessary supporting resources for the assembly of support staff during an emergency. The Operational Support Centre provides the resources for communicating with the Main Control Room and the Technical Support Centre. This permits personnel reporting to the operational support centre to be assigned to duties in support of emergency operations.

• The Technical Support Centre provides an area and resources for use by personnel providing plant management and technical support to operating staff during an emergency. The facility relieves the reactor operators of peripheral duties and communications not directly related to reactor system manipulations and prevents congestion in the control room. The TSC is shielded and operated at a slight positive pressure with atmospheric filtration. Communications link the plant (including the main control room and operational support centre), the emergency operations facility and external agencies.

The on-site provision of a Main Control Room and an Operational Support Centre is consistent with current UK practice in which the Central Control Room is the location of the first control centre to be set up in an emergency. Each UK nuclear power station has a purpose built on-site Emergency Control Centre from which an emergency is managed.

The Emergency Control Centre combines many of the functions provided for in the AP1000 by Technical and Operational Support Centres. Hence, in the UK context, the provision/use of a Technical Support Centre will be considered on a site specific basis.


For UK plants, there is an off-site Local Emergency Centre under Police “Gold” Command at which actions and decisions to protect the public are implemented. The use of this facility will only be necessary during a Nuclear Emergency.

The Operating Organisation will also have a remote Emergency Support Centre from which technical support is provided to the power station site. Typically, this will be located at the Operating Organisation headquarters.

13.4 Conclusion

This chapter addresses the UK requirements for emergency response to a nuclear incident. There are no features of the AP1000 which make the requirements different from any other nuclear power station. It is shown that the AP1000 design poses no obstacles to the licensee developing suitable arrangements.


Table 13-1 EMERGENCY CLASSIFICATION GUIDANCE

CONDITION / STATE

Conditions (a) to (m) – State: Site Incident

(a) Any fission product barrier is believed to be or is breached or challenged in either an extreme or severe manner as defined in SOI No 8.1 Critical Safety Function Monitoring

(b) A rapid increase in Reactor Coolant System activity coupled with a CVCS let down radiation high alarm

(c) An increase in containment radiological and/or environmental conditions is observed

(d) An accident occurs during irradiated fuel handling operations resulting in high radiation and/or airborne activity alarms in the Containment or Fuel Building

(e) The inability of the charging system to maintain primary circuit water inventory

(f) An uncontrolled increase in any steam generator level coupled with an increase in steam generator outlet N-16 measurements observed

(g) Alarms initiating on condenser off gas activity High and steam generator blowdown radiation high

(h) A major fire affecting Safety-Related plant or other hazardous occurrence on the site which requires the attention of emergency personnel and the mustering of personnel

(i) A significant increase in site radiation levels is observed

(j) Evacuation of the Main Control Room

(k) Loss of shutdown cooling coupled with a high radiation and/or airborne activity in containment

(l) An external hazard which could affect the safety of the site

(m) The person empowered to declare a Site Incident considers that the circumstances demand such action

Conditions (n) to (p) – State: Nuclear Emergency

(n) Two or more fission product barriers are believed to be or are breached or challenged in either an extreme or severe manner as defined in SOI No 8.1 Critical Safety Function Monitoring, except in the case of steam generator tube leak(s) when a Site Incident under Condition (f) may be more appropriate

(o) Perimeter Monitoring Equipment Alarms are confirmed on two or more adjacent operating detectors indicating that a quantity of airborne radioactivity is being released from site

(p) The person empowered to declare a Nuclear Emergency considers that the circumstances demand such action


REFERENCES

13.1 HSE’s Safety Assessment Principles for Nuclear Facilities, 2006 Edition, Rev. 1.

13.2 UK HSE, Radiation (Emergency Preparedness and Public Information) Regulations 2001, September 2001.

13.3 BEG/SPEC/OPSV/EMPCG/011, British Energy Group Ltd, Emergency Planning Group, Generic Emergency Plan, Rev. 013, February 2004.

13.4 WEC, EPS-GW-GL-700, Rev. 1, AP1000 European Design Control Document, December 2009.


CHAPTER 14: ENVIRONMENTAL ASPECTS


14.0 ENVIRONMENTAL ASPECTS

14.1 Introduction

This chapter describes the arrangements that are in place to optimise the environmental impact of AP1000 operation. It includes the arrangements to ensure that the environmental impact of “normal operation,” which includes irregular but anticipated operational events, remains within statutory discharge limits, and that the environmental impact of more significant events, which are deemed to be due to faults or accidents, is controlled in an acceptable and optimised manner. It also describes arrangements designed to monitor the plant and inform the operators of any developing situations. Offsite monitoring arrangements designed for normal and accident condition releases are also discussed.

The chapter will also describe how the Best Available Technique (BAT) process has been used in the evolution of the design in order to minimise environmental impact.

14.2 Environmental Protection

14.2.1 General

This section provides a discussion of the design and the controls in place to demonstrate that the AP1000 has been optimised from an environmental point of view, and that the issue of environmental protection has thereby been addressed.

A detailed description of the AP1000 design and performance, insofar as environmental aspects are concerned, can be found in the Westinghouse AP1000 Environment Report (Reference 14.4). The structure and content of this Environment Report are consistent with the Environment Agency’s Process and Information Document for Generic Assessment of Candidate Nuclear Power Plant Designs (Reference 14.1), which describes the information on waste management and environmental issues that the Environment Agency needs to perform a generic assessment of new nuclear power plants. This consistency ensures complete coverage of the Agency’s requirements in order for a full and meaningful assessment to be carried out.

The Environment Report provides a summary of all the environmental and waste management assessment undertaken to support AP1000 build in the UK. The Environment Report refers to a generic site, details of which are provided in UKP-GW-GL-025, Characteristics of a Generic Site for a Nuclear Power Station (Reference 14.5) and which is discussed further in Chapter 3 of this PCSR. A similar approach will be taken to develop this report to reflect the features of a future real site.

The safety of the public and the power plant workers, and the impact to the environment have been addressed by adhering to the following requirements:

• Operational releases are minimised by design features.

• Aggressive goals for worker radiation exposure are set and satisfied.

• Total waste volumes are minimized.

• Other hazardous materials (non-radioactive) are minimized on site.


14.2.2 Environment Agency - Regulatory Role

The Environment Agency (EA) has a role in regulation of licensed nuclear sites alongside the Nuclear Installations Inspectorate (NII). Essentially, the EA role is to ensure protection of the environment. Section 1.2.2 of the Environment Report (Reference 14.4) summarises the full range of possible regulatory duties for the Environment Agency.

14.2.3 Radiological Controls

This section outlines the measures that are proposed to control and monitor discharges to the environment of solid, liquid, and gaseous radioactive effluents. This includes:

• The definition of any authorised limits and operational targets for solid, liquid, and gaseous discharges and the measures to comply with such limits.

• The off-site monitoring regime for radioactive pollution.

• The production, storage, and retention of the records of authorised routine radioactive releases from the site.

• The dedicated environmental monitoring programmes and alarm systems that will respond to unplanned radioactive releases, and the automatic devices to interrupt such releases.

• The measures that will be taken to make appropriate data available to the authorities and the public.

The Environment Report (Reference 14.4) and Integrated Waste Strategy Report (Reference 14.7) set out radioactive waste management strategies and demonstrate that the processes chosen are the Best Available Technique (BAT). A brief summary of this BAT assessment is provided in this Pre-Construction Safety Report (PCSR) (Chapter 15).

The radioactive waste management systems are engineered to provide primary containment for mobile waste (i.e., tanks and pipework) and secondary containment (i.e. sloping floors, floor drains and sumps, etc.).

The Environment Report (Reference 14.4) defines the authorised limits and operational targets for solid, liquid, and gaseous discharges, and the measures to comply with such limits. It also describes the sources of activity and the management arrangements for the solid, liquid, and gaseous discharge systems, and provides the envisioned discharge rates, details on the measurement and assessment of discharges, and individual and collective dose assessments for the generic site.

Storage facilities will be appropriately designed and sized to contain the waste contents and releases will be monitored. Monitoring of the release of radioactive substances into the environment will be performed as described in the Environment Report.

Chapter 12 of this PCSR details the dedicated environmental monitoring programmes and alarm systems that will respond to unplanned radioactive releases, and the automatic devices to interrupt such releases.

The prospective site licensee will be responsible for the off-site monitoring regime for radioactive pollution, the maintenance of records, and the dissemination of information to the regulators (HSE and EA). This issue is discussed further in Chapter 12 of this PCSR.


14.2.4 Non-Radiological Controls

This section summarises aspects of site activities that have the potential to affect the non-radiological environmental impacts throughout the lifetime of the plant, including construction, operation, and decommissioning. This includes the non-radiological impacts from any dangerous solid, liquid, and gaseous non-radioactive effluents arising from operation of the AP1000, for example dosing chemicals, any authorised limits and operational targets, off-site monitoring regime for pollution, and measures that will be taken to make appropriate data available to the public.

The conventional waste management strategy meets the relevant objectives of the Waste Framework Directive (Reference 14.8), which is in the process of transposition into UK legislation. To the extent practicable, techniques will be used to prevent or minimise the production of wastes in any of the categories listed in the Directive (Annex I), and will be used for the recovery of waste by recycling, re-use, or reclamation. Plans for management of non-radioactive waste will make sure that it is recovered or disposed of without endangering human health and without using processes or methods that could harm the environment.

The Environment Report (Reference 14.4) defines the operational non-radiological impacts. This includes the impact of cooling and analysis of chemical waste streams.

The AP1000 design has been reviewed against the current requirement of Environmental Permitting (EP) (Reference 14.9), which defines the material thresholds above which EP is required. This is discussed further under section 14.3.2.1 of this chapter. This assessment demonstrates that (currently) the AP1000 design does not fall within EP; the standby (diesel) generation capacity is below the threshold for EP. An EP permit is not required with regard to disposal of non-radioactive solid wastes; the permits of waste carriers and the receiving waste management facilities cover the requirement of EP. The situation may change in 2010 when the EA will be able to incorporate their major regulatory functions for a nuclear licensed site under a single EP permit.

The AP1000 design has also been reviewed against the requirements of the Control of Major Accident Hazards (COMAH) Regulations (Reference 14.10). The Environment Report shows that the AP1000 nuclear power plant site will be a lower tier COMAH site because of the proposed hydrazine inventory. The hydrazine tank has a maximum capacity of 1.1 tonnes of hydrazine; this is above the lower tier COMAH threshold of 0.5 tonnes, but below the upper tier COMAH threshold of 2.0 tonnes.

14.3 Prevention of an Environmental Accident

14.3.1 General

This section sets out to demonstrate that, during the lifecycle of the generic AP1000 site, pollution prevention measures will reduce the possibility of a major accident to the environment in accordance with ALARP. The demonstration of the pollution prevention measures is presented in general accordance with the guidance relating to EP (Reference 14.11). Regard has also been given to the EA “Radioactive Substances Regulation – Environmental Principles” (Reference 14.12), in particular Principles CLDP1 (on “Prevention of Contamination”) and CLDP2 (on “Strategy for Radioactively Contaminated Land and Groundwater”). Irrespective of the guidance provided, all design is done in accordance with the principles of Best Available Technique (BAT) and As Low as Reasonably Practicable (ALARP).


The major focus for environmental protection on any nuclear licensed site is to minimise controlled discharges and to minimise the possibility of uncontrolled losses of material to the environment. Engineering containment and management controls are in place (with regard to worker safety and environmental protection) to ensure that the probability of such minor leakages is very low and that, in the unlikely event of such occurring, they will be rapidly detected.

Non-radioactive substances utilised and/or stored on the site also represent potential hazards to the environment. This section will demonstrate that environmental protection measures are in place with regard to both radioactive and non-radioactive substances.

Environmental pollution incidents can range in size from minor localised spillages, resulting in negligible or short-term only impact, to major releases affecting a wider area and resulting in long-term deterioration of the environment. What might constitute a major environmental accident with regard to the generic AP1000 site design is discussed in this section. The requirement for and scope of remedial measures would be site-specific (and pollutant specific), and informed by risk assessment and cost/benefit analysis.

During normal operation of the generic AP1000 site, there will be routine discharges to air and water. These discharges are subject to constraints that will set discharge limits that protect the environment. Generic discharge limits for radioactive discharges are proposed in UKP-GW-GL-028 (Reference 14.13). These discharges will be monitored to ensure compliance and operational procedures adopted to prevent discharges occurring above the permitted limits discussed in UKP-GW-GL-029 (Reference 14.14).

Typically, a major environmental accident would be as a result of an acute/one-off event involving a significant (in terms of volume and/or hazard) release of pollutants into the environment. Environmental damage (sufficient to be considered a major accident) could also result from chronic/long-term loss to the environment from undetected leakage, etc. This section will demonstrate that measures are in place to prevent and limit the consequences of both acute and chronic accident scenarios.

The information on pollution prevention measures in this PCSR (and the Environment Report) can only be generic in nature at this stage; greater detail will be required at the site-specific design stage. This is particularly the case with regard to the assessment of possible environmental consequences of a major accident, and the requirement for site boundary/off-site environmental monitoring. Likewise, information concerning pollution prevention measures to be adopted during decommissioning cannot be provided in any detail.

14.3.2 Environmental Accidents

Accidents that could apply to the generic AP1000 site are discussed below, with reference to the regulatory regimes that apply (or could apply) to the generic site. Notwithstanding the legislation, all design and operational considerations in relation to accidents are done in accordance with the principles of Best Available Technique (BAT) and As Low as Reasonably Practicable (ALARP).

The key regulations with which the AP1000 will demonstrate compliance are described below, together with a description of the main characteristics of the generic site.

14.3.2.1 Environmental Permitting Regulations (EP)

EP seeks to protect the environment (and human health) from pollution as a result of certain listed activities. These activities are ones that utilise substances that are considered hazardous to the environment as a result of their properties (including environmental fate and behaviour) and/or the volumes involved. EP does not currently (as of 2009) cover radioactive substances, nor does it cover all activities that could result in pollution or environmental damage.

EP requires operators to:

• Assess the risk of pollution occurring and the potential consequences of such; and,

• Implement the appropriate management measures to limit the risk of pollution.

In conjunction with this assessment of environmental risk, operators are required to develop an accident management plan (and implement it in the event of an accident). The associated EP guidance does not differentiate specifically between what might be considered a major environmental accident and other lesser pollution incidents.

14.3.2.2 COMAH Regulations

COMAH applies to establishments on which certain identified substances (or categories of dangerous substances) are present in quantities equal to or greater than specified thresholds. COMAH requires operators of such establishments to take measures to prevent major accidents and to limit their consequences to human health and the environment. This requires the preparation of emergency plans and, depending on the substances and volumes involved, possibly safety reports and off-site emergency plans (in conjunction with the local authority and emergency services). COMAH does not apply to radioactive substances on a nuclear licensed site; COMAH does apply with regard to any relevant non-radioactive substances present on a nuclear licensed site.

Major accidents include a fire, an explosion, or a major uncontrolled leakage/spillage/emission that leads to serious danger to human health or the environment.

The COMAH definition of a major accident to the environment can be summarised as follows:

• An accident that presents a significant hazard to human health, e.g., through contamination of food or drinking water or exposure to other environmental contamination; or,

• An accident that causes significant or permanent damage to ecosystems of protected species and/or habitats.

14.3.2.3 Environmental Damage Regulations

The Environmental Damage (Prevention and Remediation) (England) Regulations 2009 (Reference 14.15) set out a framework that identifies:

• Liabilities for environmental damage;

• Responsibilities for remediation of environmental damage; and,

• Responsibilities for addressing the imminent threat of environmental damage.


The Environmental Damage Regulations are not a prescriptive permitting regime (unlike EP and COMAH); rather, they aim to promote operator responsibility with regulatory powers available only in the event of non-compliance. The definition of environmental damage set out in the regulations is summarised briefly as follows:

• Damage to species and habitats - damage to the conservation status of species and habitats protected under EU legislation;

• Damage to water – damage which affects the status or quality (both ecological and chemical) of surface waters and groundwater; or,

• Risk to human health from contamination of land – as defined in general accordance with the contaminated land regulatory regime (under Part 2A EPA’90).

14.3.2.4 Generic Site Characteristics and Environmental Impact

A generic site has been defined as part of the GDA process in order to permit the assessment of the AP1000 design prior to a site being identified. The characteristics of the generic site are developed on the basis of the potential sites (identified at the GDA stage) for new build in the United Kingdom. All the potential sites are in coastal or estuarine locations. The characteristics of the generic site are set out in the Environment Report (Reference 14.4, Section 5.1) and presented in full in UKP-GW-GL-025 (Reference 14.5).

The generic site includes the following:

• Human Population – population centres are present and defined within 2km, 10km, and 20km of the site; individual properties/farms are also present within 2km of site.

• Sensitive Ecology (habitats and species) – sensitive habitats and species are present and defined within 20km of the site, with many present within 10km or less; these include European designated sites (including Special Areas of Conservation (SAC), Special Protection Areas (SPA), wetlands of international importance (‘Ramsar sites’)) and UK designated Sites of Special Scientific Interest (SSSI).

• Water Environment – the nearby foreshore and marine environment supports a fishery, wildfowl, and seabirds. The site and surrounding on-land area is underlain by geological strata containing a minor aquifer. The minor aquifer is important as a major potable water resource; it could be subject to local abstraction and provide a pathway for movement of pollution into the marine environment.

A major environmental accident associated with the generic site could impact all three of these receptor groups. The magnitude of impact of any accident would depend on the type and volume of pollution and the site-specific surrounding environment.

The assessment of the impact of the prospective generic environmental discharges of radioactivity on human populations is presented in Section 5.2 of the Environment Report, and in more detail in UKP-GW-GL-030 (Reference 14.16) and UKP-GW-GL-031 (Reference 14.17). This assessment includes routine discharges and possible short-term enhanced discharges. In addition to direct exposure, these assessments cover indirect exposure via effluent and the impact on the marine environment. The conclusion is that the prospective dose is below the UK dose constraint of 300 μSv y⁻¹.


No assessment has been made of the potential impact of non-radioactive pollutants on human health, either as a result of permitted discharge or accidental release. This issue will be addressed further as part of the development of a Conceptual Site Model at detailed site-specific design planning stage.

The assessment of the impact of prospective generic environmental discharges of radioactivity on ecological receptors is presented in Section 5.3 of the Environmental Report (Reference 14.4), and in more detail in UKP-GW-GL-033 (Reference 14.18). This assessment looks at possible impact on selected reference organisms. The assessment indicates that there is negligible impact beyond the immediate vicinity of emission/discharge points; further details of the conclusions are set out in the Environment Report (Reference 14.4). This will be confirmed by further site-specific assessment.

The impact of elevated temperature of discharged cooling water has been assessed in UKP-GW-GL-034 (Reference 14.19). No other detailed assessment has been made of the potential impact of non-radioactive pollutants on ecological receptors, either as a result of permitted discharge or accidental release. This issue of impact on ecological receptors will be addressed further as part of the development of a Conceptual Site Model at detailed site-specific design/planning stage.

The prospective discharge limits for liquid radioactive waste are such that there will be no significant effect on marine water quality. Secondary impacts on receptors exposed to marine discharge are addressed as part of the dose assessment for human and ecological receptors.

There are no assessments of discharge (either direct or indirect) of radioactive wastes to groundwater, as this would be difficult without specific site details. Hence, no assessment of impact on the underlying minor aquifer has been made at this generic stage. In the event of an accident (or other failure of containment), this water body could be affected. However, as noted above, this water body is considered primarily as a migration pathway rather than as a receptor. Further assessment of this issue is required at site-specific design stage, in particular with regard to possible impact on any local abstractions from the minor aquifer.

A brief assessment has been made of the potential impact of non-radioactive pollutants on the water environment; this covers authorised discharges to sea water (Section 4.2.5 of the Environment Report). Further assessment is required as part of the development of a Conceptual Site Model at detailed site-specific design/planning stage. This will include the issue of agreeing discharge limits for non-radioactive pollutants and assessing possible risk to the minor aquifer.

For the purposes of demonstrating mitigation of a major environmental accident, radioactive and non-radioactive pollutants are discussed separately. It is recognised, however, that a pollution incident could involve both radioactive and non-radioactive pollutants. Furthermore, it is also recognised that, in addition to a radioactive hazard, radionuclides can also present a chemical/toxicological hazard.

14.3.3 Potential Environmental Pollutants

For a major accident to the environment to occur, polluting substances must be able to migrate away from source and into the environment surrounding the AP1000 site. Mobility in the environment is greatest for substances lost as either gas/vapours (including entrained particulates) or in liquid/aqueous form. Pollutants present in the solid phase are less mobile and are unlikely to migrate into the environment (to any significant extent) unless exposed to environmental factors such as rain (or other precipitation) and wind.


Details of the substances present on site that are potential environmental pollutants are provided in Section 2.9 of the Environment Report (Reference 14.4). Potential pollutants can be summarised as follows:

• Radioactive substances, e.g., spent fuel rods;

• Media contaminated with radioactive substances, e.g., reactor coolant and radioactive waste materials; and,

• Non-radioactive hazardous substances.

For the purposes of assessing major environmental accidents, radioactive substances and media contaminated with radioactive substances are considered together.

14.3.3.1 Radioactive Pollutants

The primary sources of radioactivity on the AP1000 generic site are the enriched uranium dioxide in the fuel rods and the fission products that build up through operation. This radioactive material is contained within the fuel cladding. Fuel rods are initially handled within the Nuclear Island (i.e., containment/shield building and auxiliary building). Spent fuel will be stored initially in pools within the auxiliary building. There is insufficient storage capacity for the full operational lifetime of the facility, and exterior dry spent fuel stores will be required as discussed in Section 15.4 of the PCSR and in the Environment Report (Reference 14.4). As a result of the rigorous safety handling procedures, there will be negligible exposure of these solid phase radioactive materials to the environment at any stage of use; hence, they do not represent a source of direct environmental pollution under normal credible circumstances.

The fuel rods represent a source of indirect release to the environment through the following routes:

• Contamination of reactor coolant;

• Generation of gaseous radioactive waste;

• Generation of liquid radioactive waste; and,

• Generation of solid radioactive waste.

The reactor coolant system consists of two circuits to transfer heat from the reactor core to the steam generator, as described in Chapter 6 of the PCSR. The water within the reactor coolant system represents a possible source of environmental pollution.

The Plant Vent is the only designed pathway for release of gaseous phase radioactive material into external atmosphere/environment. Discharge from the Plant Vent is monitored prior to release to ensure compliance with permitted discharge limits. If monitoring indicates that limits would be exceeded, discharges are directed to the gaseous radwaste system. Other gaseous radioactive wastes, generated on an intermittent basis, are collected and passed through the system to remove radionuclides to within permitted limits prior to discharge to atmosphere. This treatment involves passing the gaseous radwaste streams through activated carbon. The treatment system is contained within the Nuclear Island. The gaseous waste represents a possible source of environmental pollution. Further details on the gaseous radwaste system are provided in Section 3.3 of the Environment Report.


Liquid radioactive waste is generated from a number of sources, including effluents from the reactor coolant system and spent fuel pools, and steam generator blowdown, together with various drains and sumps. The liquid waste is collected and passed through a liquid radwaste treatment system prior to permitted discharge to the aqueous environment (sea water for the generic site). Treatment involves degassing, filtration, and passing through ion exchange media. The treatment system is contained mainly within the Nuclear Island; treated effluent is stored in tanks in the radwaste building prior to discharge. The liquid radwaste system represents a possible source of environmental pollution. Further details on the sources of radioactive liquid wastes and the liquid radwaste treatment system are provided in Section 3.4 of the Environment Report (Reference 14.4).

During the operational lifecycle of the AP1000, solid radioactive wastes will be generated. Further details on the sources of solid radioactive wastes and the solid radwaste treatment system are provided in Section 3.5 of the Environment Report (Reference 14.4) and Integrated Waste Strategy (IWS) report (Reference 14.7). The solid waste streams comprise:

• High Level Waste (HLW), which will be generated in the form of spent fuel (see above). A BAT assessment for management of HLW is presented in a Radioactive Waste Management Case Evidence Report (Reference 14.20).

• Intermediate Level Waste (ILW), which will comprise mainly adsorption and filter media from gaseous and liquid radwaste treatment. Following appropriate pre-treatment, the ILW will be encapsulated in cement (to immobilise radionuclides) and stored on site (prior to future consignment to an off-site repository facility). A BAT assessment for management of ILW is presented in a Radioactive Waste Management Case Evidence Report (Reference 14.21). All ILW solid waste streams will be handled in internal areas and not exposed to the external environment.

• Low Level Waste (LLW), which will comprise mixed wastes resulting from plant operations. Following appropriate pre-treatment, LLW will be packed into drums, with full drums placed into half height ISO containers (HHISO). The HHISO will be stored on-site prior to consignment to the LLW repository (LLWR) near Drigg in Cumbria (or a successor national repository). The LLW will be collected/accumulated and treated within the Radwaste building. All LLW solid waste streams will be handled in internal areas and not exposed to the external environment.

The radioactive waste flow paths are summarized in Figure 14.1.


Figure 14.1 Radioactive Waste Flowchart

The rigorous handling and storage procedures will ensure that there will be negligible exposure of solid radioactive waste to the environment. Hence, solid wastes do not represent a source of environmental pollution under normal credible circumstances.

14.3.3.2 Non-Radioactive Pollutants

All of the radioactively contaminated media and wastes discussed above could also contain non-radioactive environmental pollutants, e.g., boron and other water treatment chemicals in reactor coolant effluents. The mitigation measures taken to prevent release of radioactive pollutants into the environment will also mitigate the release of some non-radioactive pollutants. With regard to the identification of non-radioactive pollutants that could result in a major environmental accident, this section only considers the storage/use of substances that do not involve exposure to (and possible contamination with) radionuclides.

Details of the non-radioactive substances stored and used on the AP1000 generic site are provided in the Environment Report (Reference 14.4) (Section 2.9 and Tables 2.9.1, 2.9.2 and 2.9.3) and in UKP-GW-GL-037 (Reference 14.22).


The potential for these non-radioactive substances to result in a major environmental accident is related to the quantities stored and the hazardous nature of these substances. Taking this into account, the most significant non-radioactive substances present on site are:

• Diesel fuel oil will be stored on site for use by the standby generators. The majority of this volume will be stored in bunded tanks located to the south of the turbine building. The maximum on-site quantity will be in the region of 450 tonnes (Reference 14.23). Diesel fuel is subject to regulation as a List I substance in the Groundwater Directive (Reference 14.24) and should be prevented from entering the aqueous environment.

• Hydrazine will be stored on the turbine building. The quantity of hydrazine will be such that the lower tier COMAH regulation will apply to this substance (Reference 14.22).

• Ammonium hydroxide solution is stored on the turbine building to a total quantity of up to 15 tonnes. Ammonium hydroxide is not subject to COMAH regulation, but is a potential pollutant of the aqueous environment (Environment Report, Tables 2.9.4 and 2.9.5, Reference 14.4).

• Sodium hypochlorite solution is stored on the turbine building adjacent to the cooling water system, to a total quantity of up to 12 tonnes. Sodium hypochlorite is not subject to COMAH regulation, but is a potential pollutant of the aqueous environment (Environment Report, Tables 2.9.4 and 2.9.5, Reference 14.4).

• Boric acid solution is stored externally to the annex building to a total quantity of 132 tonnes (Environment Report, Tables 2.9.3 and 2.9.6, Reference 14.4). Boric acid is not subject to regulation under COMAH. Boric acid (i.e., a compound of boron) is subject to regulation as a List II substance in the Groundwater Directive (Reference 14.24) and should be prevented from escaping and thereby causing pollution.

Other potential non-radioactive pollutants are stored in much smaller quantities or as dilute concentrations in solution. The majority of these substances are stored on the turbine building and are water treatment chemicals (e.g., for treatment of reactor coolant system water, abstracted sea water, and/or non-radioactive waste waters). Other such substances could include the following:

• Ammonium chloride, lithium hydroxide, sodium molybdate, sodium bromide, polyphosphates/orthophosphates/phosphoric acid, zinc acetate, and ethylene/propylene glycol.

Taking into account the relatively small volumes of these substances, and that they will be stored and handled predominantly in internal areas, they are not considered to present a significant risk of a major environmental accident. This will be confirmed at site-specific design stage, when the list of chemicals to be used/stored on site will be finalised.

Nitrogen, carbon dioxide, and hydrogen are stored on site. These substances would be rapidly dispersed into the atmosphere if lost and are not considered to represent a source of a major environmental accident. Hydrogen gas storage does represent a hazard in terms of fire/explosion, and therefore is situated a safe distance away from the nuclear island and turbine building. It is not deemed to be a direct source of pollution.

In addition to their direct storage and use, many of the above listed substances could also be present in non-radioactive liquid waste. A non-radioactive waste water system collects and processes liquid waste from drains and sumps (in the turbine, auxiliary, diesel generator, and annex buildings). Waste water is monitored for radioactivity, and if radioactivity is detected, it is routed into the liquid radwaste system. Otherwise, it is directed to retention basins where its quality is monitored further, prior to discharge. Under normal circumstances, the presence of these substances will be at concentrations that are authorised for discharge to controlled waters (to sea water for the generic site). Further details of the management of this waste stream are provided in UKP-GW-GL-035 (Reference 14.25).

14.3.4 Discussion of Generic Accident Scenarios

A major environmental accident could occur as a result of loss of pollutants (both radioactive and non-radioactive) during either:

• An acute/one-off incident, typically occurring as a result of a fault/failure or other impacts (hazards); or,

• A chronic unidentified/uncontrolled small scale loss during normal operations.

These potential scenarios are discussed below with regard to the AP1000 generic design. Based on past experience of plant and operations (in particular the potential for plant failure), a large number of possible acute and chronic events can be foreseen. These credible events are taken into account, and mitigation measures are incorporated into design. These mitigation measures comprise both engineering and management controls.

The consequences of some events are harder to predict, for example extreme weather conditions beyond those ever experienced in the vicinity of the facility, or a deliberate attack/sabotage. It would not be reasonable to expect specific environmental mitigation measures against all such low frequency events; hence, they are not considered further in this section.

14.3.4.1 Acute Accident Scenarios

Acute accidents will only occur if some part or parts of the plant fail, thereby creating a pathway for pollution to escape to the environment. Chapter 5 of the PCSR sets out the process for assessment of radioactive safety for the generic AP1000 site. The objective of this safety assessment is to demonstrate that the design, construction, commissioning, and operation of a constructed facility will reduce the probability of any accidental release of radioactive material to below that required by the various regulatory authorities. The AP1000 has been designed such that under normal operating conditions and circumstances, it provides containment (other than of controlled/permitted discharges) of radioactive materials and potential non-radioactive pollutants.

The safety assessment is undertaken by the identification of potential hazards to the containment and analysis of the potential accident scenarios presented by these hazards (i.e., scenarios that could potentially give rise to release of radioactivity). The hazard types that have been considered in Chapter 5 of this PCSR are:

• Failure modes/faults - initiating events in terms of radioactive safety are modelled as credible (foreseeable) faults during normal operating processes for both “at power” and “shutdown” phases;

• Internal hazards – for example fire, explosion, internal flooding, etc.; and,

• External hazards – for example seismic, extreme weather, and external flooding.

Plant faults are discussed further in the Fault Schedule (Reference 14.32).


Internal Hazards considered are typically fire, flood, dropped loads etc. A full description of the AP1000’s response to these is given in the Internal Hazard Topic Report (Reference 14.31).

The external hazards considered are: seismic events, external floods, extreme weather, lightning, external electromagnetic interference, and aircraft crash; analysis demonstrates that the design features of the AP1000 provide appropriate protection against these hazards (External Hazard Report, Reference 14.30). Therefore, it is demonstrated that external hazards do not present a significant probability of a major accident to the environment. Hence, the risk of acute environmental pollution as a result of external hazards is not considered further in this section. Plant faults and internal hazards are discussed further below.

On this basis, acute risk is considered with regard to mitigation of reasonably foreseeable (credible) containment failure events that could occur during the operational lifecycle of the facility. The possible acute accident scenarios for radioactive pollutants involve some form of failure of containment of vessels or pipework within the nuclear island or radwaste buildings. This approach is in general accordance with the assessment process required with regard to pollution by non-radioactive substances under EP. These accident scenarios are identified and analysed in Chapter 5 of the PCSR and are not discussed further in this section.

The analyses described above relate to potential release of radioactivity. Acute accident scenarios involving non-radioactive polluting substances are not specifically addressed in the PCSR. However, the philosophy/practice of environmental protection is the same for both radioactive and non-radioactive pollutants.

14.3.4.2 Chronic Accident Scenarios

Containment of potential pollutants should ensure that no accidental releases to the environment occur under normal operational circumstances. However, if a minor leakage/spillage were to occur and go undetected for more than a short time, a sufficient volume of pollutants could be lost to result in environmental deterioration equivalent to a major environmental accident. Typically, undetected chronic leakage occurs in association with the storage of raw materials and wastes rather than during use, e.g., from pipework leading to and from storage.

The potential point sources of any minor (chronic) loss of pollutants are those points of weakness, some of which are identified and analysed with regard to acute events. Measures adopted to prevent or mitigate against acute accident events will also help prevent chronic accident events. In addition, a programme of inspection and maintenance will also help prevent such chronic accidents.

For a chronic event to occur, the mitigation measures associated with an acute event must have failed to detect leakage. Scenarios where this could occur are as follows:

• Leakage is from a length of pipework that is inaccessible for physical/visual inspection; or,

• Where volumes and/or concentrations are below detection limit of monitoring instrumentation.
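The two monitoring behaviours described in this chapter, the radioactivity gate on the non-radioactive waste water system in Section 14.3.3.2 (activity detected, route to the liquid radwaste system; otherwise route to the retention basins) and the second chronic scenario above (per-sample losses that sit below the detection limit of the instrumentation), can be illustrated with a small Python example. This is an added illustration written for this page; it is not AP1000 design or plant monitoring code. The activity threshold, the gauge resolution, the cumulative-loss tolerance, and the 30-day inventory series are all constructed values, chosen only to show why a per-sample alarm stays silent while a mass-balance check over the period raises an alarm.

```python
from dataclasses import dataclass
from typing import Dict, List

# Illustrative thresholds only; the PCSR gives no numeric values for these.
ACTIVITY_DETECTION_LIMIT_BQ_PER_L = 100.0  # hypothetical per-sample alarm level
SINGLE_READING_RESOLUTION_T = 0.1          # hypothetical tank-gauge resolution (tonnes)
CHRONIC_LOSS_TOLERANCE_T = 1.0             # hypothetical cumulative loss that triggers investigation


@dataclass
class WasteWaterBatch:
    batch_id: str
    activity_bq_per_l: float  # measured gross activity concentration of the batch


def route_batch(batch: WasteWaterBatch) -> str:
    """Per-sample gate for the non-radioactive waste water system.

    Activity at or above the detection limit sends the batch to the liquid
    radwaste system; anything else goes to the retention basins for further
    quality monitoring before discharge."""
    if batch.activity_bq_per_l >= ACTIVITY_DETECTION_LIMIT_BQ_PER_L:
        return "liquid_radwaste"
    return "retention_basin"


def chronic_loss_check(daily_inventory: List[float],
                       daily_expected_use: List[float]) -> Dict[str, object]:
    """Mass-balance reconciliation of a bulk store (e.g. a bunded diesel tank).

    Each day's unexplained drop may be smaller than one gauge reading can
    resolve, so a per-reading alarm never fires; summing the discrepancy over
    the whole period exposes a slow, continuous loss.  Both views are returned
    so the caller can see why one check is silent while the other alarms."""
    if len(daily_expected_use) != len(daily_inventory) - 1:
        raise ValueError("need one expected-use figure per inventory interval")
    cumulative = 0.0
    any_day_detectable = False
    for i, expected in enumerate(daily_expected_use):
        actual_drop = daily_inventory[i] - daily_inventory[i + 1]
        unexplained = actual_drop - expected
        if unexplained > SINGLE_READING_RESOLUTION_T:
            any_day_detectable = True
        cumulative += unexplained
    return {
        "any_day_detectable": any_day_detectable,
        "cumulative_unexplained_t": round(cumulative, 6),
        "chronic_alarm": cumulative > CHRONIC_LOSS_TOLERANCE_T,
    }


def constructed_scenario() -> Dict[str, object]:
    """Constructed 30-day series: a 450 t store drawn down by a planned
    0.5 t/day, with a further 0.05 t/day lost through an undetected leak."""
    days = 30
    inventory = [450.0 - 0.55 * d for d in range(days + 1)]
    expected_use = [0.5] * days
    return chronic_loss_check(inventory, expected_use)


if __name__ == "__main__":
    print(route_batch(WasteWaterBatch("constructed-1", 250.0)))  # liquid_radwaste
    print(route_batch(WasteWaterBatch("constructed-2", 3.0)))    # retention_basin
    print(constructed_scenario())
```

In the constructed series the daily unexplained loss (0.05 t) never exceeds the gauge resolution (0.1 t), so no single reading would raise an alarm, yet the cumulative discrepancy after 30 days (1.5 t) exceeds the tolerance. That is the reconciliation step a programme of inspection and maintenance would add on top of per-sample instrument alarms.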

14.3.5 Accident Mitigation Measures (Commissioning/Operation) – Radioactive Pollutants

As demonstrated throughout this PCSR, the AP1000 has been designed and will be operated with a defence-in-depth approach to nuclear safety in order to minimise the possibility of release of radioactivity, in accordance with the ALARP principle. This is provided by a combination of:


• Engineered containment; and,

• Management controls - including monitoring (e.g., of internal environmental conditions, effluent quality, infrastructure integrity) and management/quality systems.

As discussed above, the main potential sources of radioactive pollution that could result in a major environmental accident are:

• Reactor coolant;

• Gaseous radioactive waste;

• Liquid radioactive waste; and

• Solid radioactive waste.

Details of the engineered containment and management controls to ensure radioactive safety are presented and demonstrated in Chapters 7 and 9 of the PCSR and the European Design Control Document (EDCD) (Reference 14.2). These are summarised very briefly below with regard to mitigation of environmental pollution.

Unless specifically stated otherwise, the mitigation measures outlined below provide mitigation against both acute and chronic environmental accident scenarios.

14.3.5.1 Reactor Coolant

Engineering

Primary containment for reactor coolant is provided by the pipework and vessels that make up the coolant system, as described in Chapter 6 of this PCSR. Secondary containment is provided by the steel containment vessel. For further details, see Chapter 7 of this PCSR.

As demonstrated in Chapter 5 of this PCSR and the EDCD (Reference 14.2), numerous safety systems (active and passive) are in place to mitigate against plant failure that could result in a loss of coolant accident (LOCA) or other core damage resulting in the release of radioactivity.

Management Controls

The passive plant design is such that the environmental consequences of a LOCA will be contained using passive safety systems, and there will be no requirement for operator intervention for 72 hours. Detailed management systems and processes will, however, be developed during the site licence application phase (see PCSR Chapter 9). These will include systems and processes relating to the safety of the reactor coolant system and mitigation of a LOCA.

As part of the operational management controls, the AP1000 generic design includes a system of area radiation and airborne activity monitoring (Chapter 12.5 of the PCSR). This monitoring system provides warning of any escape of radioactivity from the primary circuit, i.e., while it is still retained within the buildings and structures that provide the containment. The following monitoring systems enable detection of possible escapes from the reactor coolant system:

• Steam generator blowdown radiation monitor;

• Component cooling water system radiation monitor;


• Main steamline radiation monitors;

• Primary sampling system liquid sample radiation monitor;

• Primary sampling system gaseous sample radiation monitor; and,

• Containment atmosphere radiation monitor.

In the event that a LOCA were to occur, the released liquids/gases should be retained within the containment and building structure of the nuclear island, and would subsequently be ‘collected’ and consigned into the relevant radioactive waste management stream.

Summary of Potential for a Major Environmental Accident (Reactor Coolant)

The probabilistic risk assessment (PRA) process has identified that the frequency of core damage as a result of postulated accident (internal events) scenarios would be 2.41 × 10⁻⁷/yr and 1.23 × 10⁻⁷/yr for at-power and shutdown operation, respectively (see Chapter 5 of this PCSR). Additionally, the frequency of a possible release of radioactivity for these scenarios would be 1.95 × 10⁻⁸/yr and 2.05 × 10⁻⁸/yr for at-power and shutdown operation, respectively.

Overall, it is demonstrated that the safety systems present in the generic AP1000 design mitigate the possibility of a major accident to the environment as a result of release of radioactivity associated with the reactor coolant system.

In practice, further reassurance that this is the case will be provided by an on-going environmental monitoring system, as described below.

14.3.5.2 Gaseous Radioactive Waste

Engineering

The gaseous radwaste treatment system will be located within the auxiliary building. For the majority of the time during normal operations, the gaseous radwaste system is inactive; it is expected to operate only intermittently. The system will be operated when needed as radioactive waste gases are generated (i.e., during reactor coolant degassing or when monitoring of routine venting/discharge indicates concentrations above limits). It is estimated that the system will run for a total of approximately 70 hours per year.

Primary containment is provided by the vessels and pipework of the treatment system. The system is designed to operate at pressures only slightly above atmospheric; this minimises the rate of loss in the event of a leak. Secondary containment is provided by the building structure of the Nuclear Island. The gaseous radwaste system will be located internally, with no points where there could be leakage directly to the external environment. Further details of the system are provided in the Environment Report (Section 3.3) and in Section 11.3 of the EDCD (Reference 14.2).

Management Controls

Management systems and processes will be developed during the site licence application phase (as described in Chapter 9 of the PCSR). This will include systems and processes relating to the operation of the gaseous radwaste system, including monitoring its integrity.

The input to and outlet from the gaseous radwaste system will be monitored, as outlined in UKP-GW-GL029 (Reference 14.14). Any leakage from the gaseous radwaste system would be detected by the internal monitoring system (see Chapter 12 of this PCSR). This leakage would be contained within the auxiliary building, the leakage would be stopped by isolating the system, and the building atmosphere would be processed through the ventilation system for the radioactive area.

Summary of Potential for a Major Environmental Accident (Gaseous Radioactive Waste)

Overall, it is demonstrated that the AP1000 generic design mitigates the possibility of a major accident to the environment as a result of release of radioactivity associated with gaseous radioactive waste.

In practice, further reassurance that this is the case will be provided by an on-going environmental monitoring system, as described further below.

14.3.5.3 Liquid Radioactive Waste

Engineering

The liquid radwaste system is designed to control, collect, process, handle, store, and dispose of liquid radioactive waste generated as the result of normal operations, including anticipated operational occurrences. The system is located primarily within the auxiliary building.

While the liquid radwaste system is designed to handle most foreseeable liquid effluents (including those arising from anticipated events), it is not necessarily designed to handle events occurring at very low frequencies and which might produce non-compatible effluents. In such circumstances, temporary equipment will be brought into either the auxiliary building or radwaste building (see EDCD Section 11.2, Reference 14.2).

Primary containment is provided by the vessels/tanks and pipework that make up the liquid radwaste system. Secondary containment is provided by the concrete floors of the auxiliary and radwaste buildings, and by the integrated drainage system, including floor drains and collection sumps. The liquid radwaste system will be located internally, with no points where there could be leakage directly to the external environment. Further details of the system are provided in the Environment Report (Section 3.4.3 and Tables 3.4.2 and 3.4.3) and Reference 14.2 (Section 11.2).

Management Controls

Management systems and processes will be developed during the site licence application phase (as described in Chapter 9 of the PCSR). This will include systems and processes relating to the operation of the liquid radwaste system, including monitoring its integrity.

The inputs to and outlet from the liquid radwaste system will be monitored, as outlined in UKP-GW-GL029 (Reference 14.14). Any leakage from the liquid radwaste system would be detected by the internal radiation monitoring system (see Chapter 12 of this PCSR). This leakage would be contained within the drainage system (and passed back through the system once leakage had been addressed).

Summary of Potential for a Major Environmental Accident (Liquid Radioactive Waste)

Overall, it is demonstrated that the AP1000 generic design mitigates the possibility of a major accident to the environment as a result of release of radioactivity associated with liquid radioactive waste.


In practice, further reassurance that this is the case will be provided by an ongoing environmental monitoring system, as described further below.

14.3.5.4 Solid Radioactive Waste

Engineering

The solid radwaste system is designed to control, collect, process, handle, store, and dispose of solid radioactive waste generated as a result of normal operations, including anticipated operational occurrences. The management of solid radwaste will take place primarily in the Radwaste building, with external waste storage buildings provided for short to long-term storage prior to off-site disposal.

Primary containment is provided by the drums and other containers that will be utilised. Secondary containment will be provided by the floor, walls, and roof of the Radwaste Building and the external stores. Further details on the solid radwaste system, including drums and other waste containers, are provided in the Environment Report (Section 3.5) and the IWS report (Reference 14.7).

Management Controls

Management systems and processes will be developed during the site licence application phase (Chapter 9 of this PCSR). This will include systems and processes relating to the operation of the solid radwaste system, including monitoring its integrity.

All solid radwaste will be monitored as it enters and leaves the system. Further details of the various monitoring arrangements proposed are provided in Section 3.5 of the Environment Report (Reference 14.4), which covers both monitoring of waste packages and of working/storage areas.

Summary of Potential for a Major Environmental Accident (Solid Radioactive Waste)

Overall, it is demonstrated that the AP1000 generic design mitigates the possibility of a major accident to the environment as a result of release of radioactivity associated with solid radioactive waste.

In practice, further reassurance that this is the case will be provided by an on-going environmental monitoring system, as described further below.

14.3.6 Accident Mitigation Measures (Construction/Commissioning/Operation) – Non-Radioactive Pollutants

14.3.6.1 Diesel Fuel Oil

Engineering

Diesel fuel oil is stored for use by standby diesel generators. This system consists of two fuel oil storage tanks, a diesel generator fuel oil transfer system and an ancillary diesel generator fuel oil system. Details of the system are provided in Section 9.5.4 of the EDCD (Reference 14.2). The design will comply with the requirements of The Control of Pollution (Oil Storage) (England) Regulations 2001 (Reference 14.26) and associated guidance (Reference 14.27).

Primary containment is provided by the storage tanks (above ground) and pipework of the system. The exterior and interior surfaces of the storage tanks will be treated to protect against corrosion, as will the exterior surfaces of the pipework. Further details of primary containment are provided in Table 2.9.6 of the Environment Report (Reference 14.4).

Secondary containment of the bulk storage tanks is provided by concrete bunds and bases, which drain to sumps that discharge into an oil separator. Secondary containment of the auxiliary day tanks is provided by the concrete base of the generator buildings in which these are located; these floors also drain to sumps, which discharge into the oil separator. Further details of secondary containment are provided in Table 2.9.6 of the Environment Report (Reference 14.4).

Where oil transfer pipework is below ground, it is enclosed in guard pipes to prevent leakage into the environment; the guard pipe is corrosion resistant plastic and designed/fabricated to withstand overground pressures. Where oil transfer pipework is above ground, secondary containment is provided by concrete bases, which drain to the oil separator via sumps.

Management Controls

Management controls for testing and inspection of the diesel fuel oil system are outlined in Section 9.5.4 of the EDCD (Reference 14.2). Processes and systems will be incorporated into these controls to cover (for diesel oil storage):

• Inspection of the integrity of storage tanks, associated pipework, and pollution prevention infrastructure; and,

• Filling and monitoring of tank contents.

Summary of Potential for a Major Environmental Accident (Diesel Fuel Oil)

Overall, it is demonstrated that the AP1000 generic design mitigates the possibility of a major accident to the environment as a result of release of diesel fuel oil.

In practice, further reassurance that this is the case will be provided by an on-going environmental monitoring system, as described further below in Section 14.4.

14.3.6.2 Boric Acid Solution

Engineering

Boric acid solution is stored in a cylindrical stainless steel tank to the exterior of the Nuclear Island. This tank provides primary containment. Secondary containment is provided, as a minimum, by the underlying concrete base and drainage to the external areas waste water system. During site-specific detailed design, the requirement for a bund to contain this tank will be finalised. Further details of primary and secondary containment are provided in Table 2.9.6 of the Environment Report.

Management Controls

Management systems and processes will be developed during the site licence application phase, as described in Chapter 9 of the PCSR. This will include systems and processes relating to boric acid solution storage and covering:

• The inspection of the integrity of storage tanks, associated pipework, and pollution prevention infrastructure; and,


• Filling and monitoring of tank contents.

Summary of Potential for a Major Environmental Accident (Boric Acid Solution)

Overall, it is demonstrated that the AP1000 generic design mitigates the possibility of a major accident to the environment as a result of release of boric acid solution.

In practice, further reassurance that this is the case will be provided by an on-going environmental monitoring system, as described further below.

14.3.6.3 Water Treatment Chemicals (Ammonium Hydroxide, Hydrazine and Sodium Hypochlorite)

Engineering

These substances are used on site for water treatment; further details regarding use of these substances are provided in UKP-GW-GL-035 (Reference 14.23). These substances are stored in liquid/solution form in tanks located within the turbine building (Table 6.4.1 of the EDCD, Reference 14.2). Tank locations within the building will be subject to detailed design/layout. These substances are used primarily in association with the cooling water system and are stored in the circulating water system (CWS) area, in an area reserved for chemical storage.

Ammonium hydroxide and sodium hypochlorite will be stored in stainless steel tanks, treated to minimise corrosion. Typically, hydrazine is stored in non-metallic tanks (polyethylene/polypropylene/polyvinylchloride (PVC)/glass reinforced plastic (GRP)). The chemical storage tanks provide primary containment.

Secondary containment is provided by bunding and the underlying concrete floor. Floor drains in this area will be plugged, and specific drainage arrangements provided for the bunded areas. The detailed design of the bunding will ensure that incompatible chemicals will not mix. As a minimum, bunded areas will have a volume of 110% of the enclosed tank.

Further details of primary and secondary containment for these substances are provided in the Environment Report, Table 2.9.6 (Reference 14.4).

The storage/use of hydrazine is subject to regulation under COMAH (lower tier); this requires the development of a Major Accident Prevention Policy (MAPP) document at detailed design/pre-construction stage. At this generic stage, controlled reaction of hydrazine with sodium hypochlorite (to produce water, sodium chloride, and nitrogen) is proposed for treating any spillage/leakage into the bunded area. The MAPP for hydrazine will also consider the possibility of accidents during delivery of hydrazine into the site, and will set out proposed mitigation measures. This could include measures to contain drainage of external areas/roadways prior to discharge into the water environment.

Management Controls

Management systems and processes will be developed during the site licence application phase (as described in Chapter 9 of the PCSR). This will include systems and processes (for water treatment chemicals) relating to:

• Inspection of the integrity of storage tanks, associated pipework, and pollution prevention infrastructure; and,


• Filling and monitoring of tank contents.

The above systems and processes would need to be referenced to the MAPP required under COMAH for hydrazine. Effectively, although not all water treatment chemicals would be subject to regulation under COMAH, they will be treated as such in designing and implementing pollution prevention measures. This approach will also be in full accordance with that outlined in the Environmental Permitting (EP) guidance (Reference 14.6).

Summary of Potential for a Major Environmental Accident (Water Treatment Chemicals)

Overall, it is demonstrated that the AP1000 generic design mitigates the possibility of a major accident to the environment as a result of release of water treatment chemicals.

In practice, further reassurance that this is the case will be provided by an on-going environmental monitoring system as described further below.

14.3.7 Accident Mitigation Measures (Decommissioning) – Radioactive and Non-Radioactive Pollutants

Decommissioning of the generic AP1000 design is addressed briefly in Chapter 16 of this PCSR, and an outline plan and technical specification for a decommissioning strategy is presented in Section 20 of the EDCD (Reference 14.2) and in Reference 14.28.

Throughout the development of the plan/strategy, the potential environmental impacts of the process will be considered fully and appropriate engineering and control measures incorporated. These mitigation measures will minimise the potential for any environmental impact, and will seek to prevent the occurrence of a major environmental accident.

The environmental monitoring undertaken during the lifetime of the facility will be continued and supplemented by any decommissioning-specific monitoring/investigation identified as appropriate. This will include investigation/assessment of any localised ground or groundwater contamination that has occurred during the operational lifetime of the facility.

The environmental protection aspects of the decommissioning plan/strategy will be developed further as part of site-specific design, and will be subject to revision throughout the lifetime of the facility to reflect operational changes and events.

14.4 Environmental Monitoring Programme

Section 6 of the Environment Report (Reference 14.4) provides summary details of environmental monitoring. The outlined monitoring programme is concerned primarily with setting limits on radioactive discharges to air and water, and monitoring the impacts of these discharges on the environment. Requirements for hydrological, ecological, thermal, and chemical monitoring are also highlighted.

This outline programme for environmental monitoring will need to be designed further on a site-specific basis. The objectives of this developing monitoring programme are:

• To ensure compliance with discharge limits and prevent unauthorised discharges;

• To demonstrate that the authorised discharges are having a negligible impact on the receiving environment;


• To demonstrate that the facility as a whole is having a negligible environmental impact; and,

• To give early warning of any undetected releases of pollutants to the environment.

This monitoring programme will thus provide an additional safeguard that, in the unlikely event of a failure of the mitigation measures incorporated into the AP1000 design, this will be detected and action can be taken before a major environmental accident occurs.

The monitoring programme is to be designed to cover, primarily, those substances highlighted above as the most significant sources of a possible major environmental accident. However, it will also consider those substances which present a lesser risk.

14.4.1 Development of Conceptual Site Model

The development of a site-specific environmental monitoring plan will be informed by the Conceptual Site Model (CSM), which will be developed as part of the Environmental Statement that is required to support an application for a Nuclear Site Licence and relevant planning consents. With regard to environmental pollution, the CSM defines the following.

• The sources of pollution (i.e., the AP1000 facility);

• The receptors of pollution (i.e., the aspects of the surrounding environment that could be impacted by pollutants); and,

• The pathways whereby pollutants can reach and impact the identified receptors.

These source-pathway-receptor (SPR) linkages are commonly referred to as pollutant linkages. Guidance on the development of a CSM is contained in a variety of documents; for example, Model Procedures for the Management of Land Contamination (Reference 14.29).

Subsequent to the development of a preliminary CSM based on available documentary information, baseline studies will be required to establish the environmental conditions prior to construction and the pathways for migration of contamination. For example, this would include:

• A hydrogeological investigation to characterise groundwater quality and flow;

• An investigation of any existing ground contamination; and,

• A survey of the existing ecology.

The regulatory authorities (principally the Environment Agency) will be consulted regularly throughout the development of the CSM to demonstrate that all environmental considerations have been addressed.

14.4.2 Routine Environmental Monitoring

Following completion of pre-construction baseline studies, the CSM is refined and requirements for on-going routine environmental monitoring are agreed with the regulatory authorities. At a minimum, this is likely to include:

• Monitoring of air quality for radioactive pollutants;

• Monitoring of groundwater for radioactive and non-radioactive pollutants;


• Monitoring of radioactivity in soils, sediments, etc., that receive routine discharges; and,

• Monitoring of sensitive indicators of ecological quality.

The frequency of monitoring would be finalised as part of site-specific design.

Monitoring for ground contamination by non-radioactive pollutants would not normally be undertaken on a regular basis. Once pre-construction baseline conditions have been established, additional investigation might not be required until the decommissioning stage. The exception to this could be in response to a pollution incident resulting in loss to ground.

14.4.3 Review and Assessment of Monitoring Data

The data provided by the monitoring programmes will be reviewed on a regular on-going basis to identify any trends that are indicative of environmental pollution.

In order to aid the review process, control and trigger levels will be derived and agreed with regulatory authorities. These are defined as follows:

• Control (or Assessment) Levels – these are assessment criteria used to indicate whether pollution prevention measures are performing as designed. They are intended to provide early warning to site management and regulatory authorities of adverse trends, and enable appropriate investigation and/or corrective action to be implemented. Control levels are set below the threshold at which significant environmental pollution has occurred, i.e., they are not indicative of a major environmental accident, but rather an emerging trend.

• Action (or Trigger) Levels – these are assessment criteria that indicate a significant adverse environmental effect has occurred, i.e., they are indicative that a major environmental accident has occurred or is likely to be imminent.

Control Levels, which should be subject to periodic review, are likely to be set on the basis of a combination of the CSM (including baseline data) and modelling based on predicted and authorised discharges. Typically they would be set as a percentage rise above baseline (allowing for normal temporal fluctuation).

Action levels, which are more likely to be set for the lifetime of the facility, are typically based on environmental quality standards (EQS), possibly with some variation to reflect the site-specific baseline conditions.

With regard to monitoring of the presence of radiological and non-radiological (chemical) pollutants in the environment, control and action levels are likely to be set on the basis of analytical concentrations. For ecological monitoring, they are more likely to be set with regard to changes in population of sensitive indicator species or loss of habitat.
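The two-tier screening described in this section (a control level set as a percentage rise above baseline that allows for normal fluctuation, and an EQS-based action level) can be written down as a small data-handling routine. The following is an added illustration, not part of the PCSR or of any Westinghouse document: it derives the levels from a constructed baseline series, tiers each analytical concentration, flags an emerging trend when a run of readings sits above the control level, and maps the worst tier onto the kinds of contingency action listed in Section 14.4.5. The percentage rise, the sigma multiplier, the EQS value and all sample readings are placeholder assumptions, not figures from this report.

```python
"""Control/action level screening for environmental monitoring data.

Constructed illustration (not part of the PCSR or of any Westinghouse
document). The policy parameters (percent_rise, k_sigma), the EQS value and
the sample series are placeholders chosen for demonstration only.
"""
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Levels:
    baseline_mean: float
    control_level: float   # early-warning criterion; reviewed periodically
    action_level: float    # EQS-derived criterion; fixed for the facility lifetime


def derive_levels(baseline, eqs, percent_rise=25.0, k_sigma=2.0):
    """Control level = baseline mean plus the larger of a fixed percentage
    rise and k standard deviations of the baseline scatter, so that normal
    temporal fluctuation does not trigger it. The action level is taken
    directly from the environmental quality standard (EQS)."""
    if len(baseline) < 2:
        raise ValueError("need at least two baseline observations")
    mu = mean(baseline)
    sigma = pstdev(baseline)
    control = mu + max(mu * percent_rise / 100.0, k_sigma * sigma)
    if control >= eqs:
        # A control level at or above the action level gives no early warning.
        raise ValueError("control level must sit below the action level")
    return Levels(mu, control, eqs)


def classify(reading, levels):
    """Tier a single analytical concentration: normal, control or action."""
    if reading >= levels.action_level:
        return "action"
    if reading >= levels.control_level:
        return "control"
    return "normal"


# Contingency responses per tier, paraphrased from the CAP list in 14.4.5.
CAP_RESPONSE = {
    "normal": ("continue routine monitoring",),
    "control": (
        "report to site management",
        "report to regulatory authorities",
        "increase scope/frequency of monitoring",
        "review CSM and facility integrity/containment",
    ),
    "action": (
        "report to site management",
        "report to regulatory authorities",
        "increase scope/frequency of monitoring",
        "additional intrusive investigation",
        "review CSM and facility integrity/containment",
        "assess need for emergency remedial action",
        "notify emergency contacts",
    ),
}

TIER_RANK = {"normal": 0, "control": 1, "action": 2}


def assess_series(readings, levels, window=3):
    """Screen a chronological series. Returns the tier of each reading, the
    highest tier reached, whether the last `window` readings form a
    non-decreasing run above the control level (an emerging trend rather
    than a one-off exceedance), and the CAP actions for the worst tier."""
    tiers = [classify(r, levels) for r in readings]
    worst = max(tiers, key=TIER_RANK.__getitem__)
    tail = readings[-window:]
    trend = (
        len(tail) == window
        and all(t >= levels.control_level for t in tail)
        and all(a <= b for a, b in zip(tail, tail[1:]))
    )
    return {
        "tiers": tiers,
        "worst": worst,
        "emerging_trend": trend,
        "actions": CAP_RESPONSE[worst],
    }


if __name__ == "__main__":
    # Constructed pre-construction baseline and later routine results
    # (arbitrary units, e.g. a groundwater analyte concentration).
    baseline = [1.0, 1.2, 0.9, 1.1, 1.0, 1.1, 0.9, 1.0]
    levels = derive_levels(baseline, eqs=5.0)
    print(levels)
    print(assess_series([1.0, 1.1, 1.3, 1.4, 5.2, 0.9], levels))
    print(assess_series([1.0, 1.3, 1.35, 1.4], levels))
```

The control level is deliberately the larger of the two allowances: a percentage rise alone under-protects a noisy baseline, and a sigma multiple alone can sit below a meaningful change on a very stable one. Rejecting a control level that reaches the action level enforces the ordering the section requires, namely that the control level gives warning before a major environmental accident, not at it.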

14.4.4 Quality Assurance and Reporting

Management systems and processes will be developed during the site licence application phase (as described in Chapter 9 of this PCSR). Procedures and processes covering environmental monitoring will include:

• Sample collection – e.g., sampling frequency, sampling procedures, equipment, volumes, duplicate samples/blanks, sample preservation/filtering/pre-treatment, etc.;


• Field monitoring – e.g., frequency, monitoring parameters, detection limits, methodology/instrumentation, calibration requirements, etc.;

• Laboratory monitoring – e.g., analytical schedule, detection limits, methodology/instrumentation, laboratory/method accreditation (i.e., MCERTS), etc.; and,

• Data handling and assessment – e.g., data storage, use of trigger/control values, averaging periods (i.e., 12 months), implementation of Contingency Action Plan (CAP), reporting requirements.

Data from the environmental monitoring programme will be stored in a format that is accessible and capable of interrogation. The data will be stored on-site throughout the lifetime of the facility. Duplicate off-site data storage will also be undertaken, and continued following decommissioning for as long as required by the regulatory authorities.

Data and findings of regular assessment will be forwarded to the regulatory authorities on a routine basis at an agreed-upon frequency. All data records will also be available to the regulatory authorities on request at any time.

All personnel involved will receive full appropriate training to ensure that they are competent and capable. Training requirements will be identified and reviewed on a regular basis. Full records will be kept of training requirements and delivery.

14.4.5 Contingency Action Plan (CAP) and Emergency Response

A CAP will be developed and agreed upon with the regulatory authorities. The CAP will need to be site-specific and developed as part of the detailed design of an AP1000 facility. This CAP will need to satisfy the requirement for a MAPP under COMAH for hydrazine. In effect, with regard to pollution prevention and emergency planning, all of the non-radioactive substances stored/used on site in bulk will be managed in a manner similar to that required under COMAH.

The CAP will set out actions to be implemented in response to:

• A control level being exceeded;

• An action level being exceeded; or

• A breach of containment or other pollution incident.

The CAP will be detailed but flexible. It will not be prescriptive, but will set out procedures that can be adapted to address specific events. At a minimum, contingency action is likely to involve an increased frequency/scope of monitoring to allow the cause to be identified and a decision taken on the requirement for remedial action. For a more serious pollution incident, immediate emergency remedial action might be necessary. Procedures in the CAP will include, at a minimum, requirements for:

• Reporting to site management;

• Reporting to regulatory authorities;

• Increased scope/frequency of environmental monitoring;

• Additional intrusive investigations;


• Review of Conceptual Site Model (CSM) and associated risk assessment;

• Review of site management/operation and facility integrity/containment;

• Review of requirement for deployment of emergency environmental remedial actions (containment, clean-up, etc.); and,

• Emergency contact details (site management, regulatory authorities, local authorities, emergency services).

The CAP will be reviewed and updated on a regular basis throughout the lifetime of the facility, in particular prior to entering the decommissioning phase.

The Nuclear Site Licence and Radiation (Emergency Preparedness and Public Information) Regulations 2001 (REPPIR) require Emergency Arrangements to be in place (and rehearsed regularly), setting out the responses to be taken in the event of a release of radioactivity that presents “a hazardous condition”. These emergency arrangements require the declaration of either a Site Incident or a Nuclear Emergency, depending on the nature of the event. The requirements for Emergency Arrangements are discussed further in Chapter 13 of this PCSR.

The Emergency Arrangements will include plans for increased environmental monitoring; for example, following a major accident, surveys of soils and agricultural products will be required. These plans will be fully integrated with the CAP for the environmental monitoring system. Likewise, the CAP for environmental monitoring will include criteria against which to judge when “a hazardous condition” has arisen or is likely to arise, and instructions on informing the Emergency Controller (i.e., the person responsible for coordinating the emergency response).

It is possible that an incident giving rise to “a hazardous condition” could also involve the release of non-radioactive pollution. In such circumstances, the Emergency Arrangements will need to be integrated with the CAP. In the event of an incident involving solely non-radioactive pollution, the Emergency Arrangements would be unlikely to be triggered and the CAP should come into action.

In order to allow for this integration of the CAP with the Emergency Arrangements, it might be appropriate to develop separate (but linked) parts of the CAP for radioactive and non-radioactive pollutants.

14.5 Conclusions

This chapter has described the arrangements whereby the environmental impact of the AP1000 during construction, operation, and decommissioning is minimised. It has discussed both normal and abnormal events. It is concluded that the overall design and proposals for operation and decommissioning have been carried out in compliance with Best Available Technology (BAT) and As Low As Reasonably Practicable (ALARP) principles.


REFERENCES

14.1 Environment Agency, Process and Information Document for Generic Assessment of Candidate Nuclear Power Plant Designs, Version 1, January 11 2007.

14.2 WEC, EPS-GW-GL-700 Rev. 1, AP1000 European Design Control Document, December 2009.

14.3 UK Environment Agency letter WEC70020R, “Generic Design Assessment – Regulatory Issue RI-AP 1000-0001, Revision 0”, C Grundy, February 1, 2008.

14.4 WEC, UKP-GW-GL-790, Rev. 2, UK AP1000 Environment Report, December 2009.

14.5 WEC, UKP-GW-GL-025, Rev. 0, 2009, Characteristics of a Generic Site for a Nuclear Power Station.

14.6 UK Office of Public Sector Information, Environmental Permitting (England and Wales) Regulations 2007.

14.7 WEC, UKP-GW-GL-054 Rev. 0, 2009, UK AP1000 Integrated Waste Strategy.

14.8 Off. J. Eur. Union, 5 April 2006, Directive 2006/12/EC of the European Parliament and of the Council of 5 April 2006 on Waste, L114, 27.4.2006 – Waste Framework Directive.

14.9 WEC, UKP-GW-GL-036, Rev. 0, 2009, Applicability of the Environmental Permitting (England and Wales) Regulations 2007 to AP1000.

14.10 UK Control of Major Accident Hazards Regulations 1999.

14.11 www.environment-agency.gov.uk/business/topics/permitting

14.12 Environment Agency, September 2009, Radioactive Substances Regulation – Environmental Principles.

14.13 WEC, UKP-GW-GL-028, Rev. 0, 2009, Proposed Annual Limits for Radioactive Discharge.

14.14 WEC, UKP-GW-GL-029, Rev. 0, 2009, AP1000 Generic Design Measurement and Assessment of Discharges.

14.15 Environmental Damage (Prevention and Remediation) (England) Regulations 2009, SI 2009/153 [and corresponding SI 2009/995 for Wales].

14.16 WEC, UKP-GW-GL-030, Rev. 0, 2009, AP1000 Generic Design Prospective Individual Dose Assessment.

14.17 WEC, UKP-GW-GL-031, Rev. 0, 2009, AP1000 Generic Design Collective Dose Assessment.

14.18 WEC, UKP-GW-GL-033, Rev. 0, 2009, Assessment of Radioactive Discharges on Non-Human Species.

14.19 WEC, UKP-GW-GL-034, Rev. 0, 2009, Generic Assessment of the Impacts of Cooling Options for the Candidate Nuclear Power Plant AP1000.


AP1000 Pre-Construction Safety Report

UKP-GW-GL-732 14-26 Revision 2

14.20 WEC, UKP-GW-GL-056, Rev. 0, 2008, UK AP1000 Radioactive Waste Management Case Evidence Report for High Level Waste.

14.21 WEC, UKP-GW-GL-055, Rev. 0, 2008, UK AP1000 Radioactive Waste Management Case Evidence Report for Intermediate Level Waste.

14.22 WEC, UKP-GW-GL-037, Rev. 0, 2009, Applicability of COMAH Regulations to AP1000.

14.23 WEC, UKP-GW-GL-035, Rev. 0, 2009, Non-Radioactive Liquid Wastes Management System.

14.24 Official Journal of the European Communities L20 43-47, Directive on Protection of Groundwater Against Pollution Caused by Certain Dangerous Substances (80/68/EEC).

14.25 WEC, UKP-GW-GL-035, Rev. 0, 2009, Non-Radioactive Liquid Wastes Management System.

14.26 The Control of Pollution (Oil Storage)(England) Regulations 2001, SI 2001/2954.

14.27 www.environment-agency.gov.uk/business/topics/oil.

14.28 Aker Solutions, 63000333-000-000-0005, Rev. 2, Technical Specification for Decommissioning Strategy for the AP 1000 Generic Design Assessment, August 2008.

14.29 Defra and Environment Agency, 2004, CLR11, The Model Procedures for the Management of Land Contamination.

14.30 WEC, UKP-GW-GL-043, Rev. 0, AP1000 External Hazards Topic Report, December 2009.

14.31 UKP-GW-GLR-001, Rev. 0, AP1000 Internal Hazards Topic Report, (to be issued).

14.32 UKP-GW-GLR-003, Rev. 0, AP1000 Fault Schedule for the United Kingdom, September 2009.


CHAPTER 15: RADIOACTIVE WASTE MANAGEMENT


15.0 RADIOACTIVE WASTE MANAGEMENT

15.1 Introduction

This chapter of the PCSR justifies the measures proposed for the safe management of all types of radioactive waste (including spent fuel) that is generated throughout the lifetime of the plant.

The management of radioactive waste is a function potentially spanning all stages in the life cycle of a facility. Guidance on the management of radioactive wastes is provided jointly by the Health and Safety Executive (HSE) and Environment Agency (EA) (References 15.1 and 15.2).

HSE/EA guidance acknowledges that although safety cases are a well-established concept within the nuclear industry, their application is less familiar with regard to radioactive waste management. Conventional safety cases typically focus on the nuclear plant itself. However, a safety case for radioactive waste management should consider not only generation and immediate management/treatment, but also longer-term storage and ultimate disposal.

The HSE/EA guidance also introduces the concept of a radioactive waste management case (RWMC). Guidance on the production, content, maintenance, and review of a RWMC has been issued by the HSE/EA (Reference 15.3). The RWMC needs to address longer-term safety (e.g., safety during on-site storage pending final off-site disposal) and environmental issues associated with a particular waste stream.

Radioactive waste can be gaseous, liquid, or solid. The main sources of radioactive waste (and estimates of their generation rate) for the generic AP1000 design, together with the provisions for the management of solid, liquid, and gaseous wastes, are provided in Reference 15.4.

An Integrated Waste Strategy (IWS) has been produced for the generic AP1000 site. This IWS is presented in the UK AP1000 Integrated Waste Strategy (Reference 15.5) and the UK AP1000 Environment Report (Reference 15.6). The IWS includes both the higher-activity wastes (i.e., high and intermediate level) and low-level wastes.

The Environment Report and IWS summarise the radioactive waste management strategies to be used during construction, operation, and decommissioning and demonstrate that the chosen waste management processes are the best available technology (BAT).

The Environment Report and IWS consider the following:

• BAT Assessment of AP1000 Nuclear Island;

• BAT Assessment of Radwaste Treatment.

The anticipated timescales for the management of radioactive waste (including spent fuel) are over the 60 year life of the AP1000 plant plus the amount of time that on-site storage is necessary (potentially 100 years in total). Implementation of the strategy will draw on the operating organisation's relevant policy, principles, and objectives with regard to radioactive waste and spent fuel management.

The treatment systems for gaseous and liquid radioactive waste result in authorised discharges to atmosphere and controlled waters. Progressive reductions in discharges consistent with the UK National Strategy are expected as the AP1000 is operated over time by applying plant operational experience and lessons learned from the individual AP1000 plants, from AP1000 plants as an operating group, and from other plants, which will result in improved operating processes to reduce emissions.

The Radioactive Waste Management Case (RWMC) Evidence Reports have been prepared to cover high-level waste (Reference 15.8) and intermediate-level waste (Reference 15.9). The RWMC evidence reports will develop as the design moves into the site specific phase and will continue to be enhanced throughout the operational lifetime of the new build plant and beyond (to cover waste storage prior to ultimate off-site disposal).

15.2 Integrated Waste Strategy

The AP1000 IWS has been developed in the format set out by the relevant Nuclear Decommissioning Authority (NDA) guidance, Specification for the Content and Format of a Site Integrated Waste Strategy Document (Reference 15.7) and Companion Document to Integrated Waste Strategy Specification (Reference 15.8). It also takes account of the above referenced HSE/Environment Agency guidance.

In developing the generic IWS, due regard has also been taken of the national strategies (England and Wales) (Reference 15.9) that set out a waste management hierarchy that promotes waste avoidance, waste minimisation and recycling above disposal to landfill.

In accordance with the guidance, the IWS:

• provides a co-ordinated approach to waste management and stakeholder engagement;

• makes the most effective use of existing waste management facilities; and,

• provides value for money.

In particular, the IWS demonstrates that the framework, for consideration of potential waste management options, transparently takes account of the full range of relevant health, safety, environmental, and security (including safeguards) principles and regulatory requirements.

The IWS relates to all wastes and all materials that could become waste, radioactive and non-radioactive, arising from all stages of the site lifecycle including operational and decommissioning activities.

Currently, the IWS is generic in nature; it is planned to develop the IWS further with the operating organisation at the site specific stage of a nuclear licence application. Further development will include incorporation of the IWS into the Integrated Management System (IMS) for the facility. The IMS will incorporate environmental and safety management features, and will be accredited to national/international standards (e.g., BS EN ISO 9001 and BS EN ISO 14001). Further details of the requirement for integration of the IWS into an IMS are provided in Section 3.3 of the UK AP1000 Integrated Waste Strategy (Reference 15.5).

Construction of the facility will be subject to the Site Waste Management Plan (SWMP) Regulations 2008 (Reference 15.10). The objectives of the SWMP regulations are: to promote efficient use of resources by minimising waste generation during construction and encouraging reuse/recycling; and, to provide traceability of waste disposal (i.e., reduce fly-tipping). The SWMP regulations for a nuclear licensed site state that, provided the IWS includes construction waste, a separate SWMP is not required. The IWS does not currently cover construction wastes; however, this aspect of lifecycle waste management will be included as the IWS is developed further at the site specific stage.


15.3 BAT Assessment of AP1000 Nuclear Island

The BAT assessment provides AP1000 design decisions that relate to waste minimisation, waste generation, and waste disposal.

As a result of basic design principles, the AP1000 design minimises the creation of radioactive waste. For example, the AP1000 was designed using fewer components, such as valves and piping, and therefore generates less waste during maintenance activities, including repair and replacement. There will also be less waste generated during decommissioning, leading to a lower waste burden on the environment.

The amount of cobalt in reactor internal structures is limited to less than 0.05 weight percent, and in primary and auxiliary materials to less than 0.2 weight percent. This limits the activation of the metal components.

Surfaces will be sealed, including steel wall and floor surfaces, to prevent penetration and to facilitate decontamination. During operation and maintenance, waste will be minimised by using BAT (e.g., limiting the amount of material brought into containment).

The Environment Report (Reference 15.6) also demonstrates that liquid, gaseous, and solid radioactive waste discharges have been minimised in accordance with the ALARP principle.

15.4 BAT Assessment Radwaste Treatment

The AP1000 radioactive waste (radwaste) management systems control the handling and treatment of liquid, gaseous, and solid radwaste produced within the Nuclear Island:

• Gaseous Radioactive Wastes – Section 3.2 of the Environment Report (Reference 15.6) summarises the sources of gaseous radioactive waste, the gaseous radwaste system (WGS), and a BAT assessment for the chosen design options.

• Liquid Radioactive Wastes – Section 3.3 of the Environment Report (Reference 15.6) summarises the sources of liquid radioactive waste, the liquid radwaste system (WLS), and a BAT assessment for the chosen design options.

• Solid Radioactive Wastes – Section 3.4 of the Environment Report (Reference 15.6) summarises the sources of solid radioactive waste, the solid radwaste system (WSS), and a BAT assessment for the chosen design options.

The Environment Report (Reference 15.6) demonstrates that these radwaste systems utilise BAT. The methods of abatement and level of discharges are predicted to reflect best practice.

15.4.1 Gaseous Radwaste System (WGS)

The gaseous radwaste system, which is described in detail in Reference 15.4, Section 11.3 and summarised in the Environment Report, is designed to work on an intermittent basis as gaseous waste arises from plant operations.

The treatment system is a once-through, ambient temperature, activated carbon delay system. The system comprises a gas cooler, a moisture separator, an activated carbon guard bed, and two activated carbon delay beds. The resultant treated gas streams are monitored for radioactivity prior to discharge. The Environment Report (Section 3.2.1.3) provides a summary of the BAT assessment for the delay bed sizing.


In addition to the intermittent gaseous waste streams passed through the treatment system, there are discharges to atmosphere resulting from ventilation of the containment building. These emissions are passed through two air filtration systems to remove any airborne radioactivity. Each filtration system comprises an electric heater, a high efficiency particulate air (HEPA) filter bank, a charcoal adsorber with a downstream postfilter bank, and an exhaust fan (see Environment Report, Figure 3.2-1). The downstream treated air is monitored prior to venting to atmosphere. A similar HEPA system is also present in the radwaste building. The Environment Report (Section 3.2.2.2) provides a BAT assessment for the HEPA filtration system which demonstrates the use of best practice.

Ventilation from other areas of the plant is monitored and, if radioactivity is detected, the air flow is passed through one of the above-mentioned treatment systems.

15.4.2 Liquid Radwaste System (WLS)

The liquid radwaste system is described in detail in Section 11.2 of Reference 15.14 and summarised in the Environment Report (Reference 15.6). The liquid radwaste system is based on well-established ion exchange technology.

The treatment system comprises effluent/waste hold-up tanks, a pre-filtration system (including a deep bed filter), ion exchange beds, and a downstream filter. Treated effluent/waste is collected in tanks and monitored prior to discharge (see Environment Report, Figure 3.3-1). The Environment Report (Section 3.3.4) provides a BAT assessment for the liquid radwaste treatment system.

15.4.3 Solid Radwaste System (WSS)

The WSS is designed: to minimise, to the extent practicable, contamination of the facility and the environment; to facilitate decommissioning; and, to minimise, to the extent practicable, the generation of radioactive waste. This is achieved through appropriate selection of design technology for the overall AP1000 design as well as the system, plus incorporating the ability to update the system to use BAT throughout the life of the plant. Radioactive waste management during decommissioning is discussed briefly in PCSR Chapter 16, with more detail provided in the UK AP1000 Integrated Waste Strategy (Reference 15.5).

Each step in the management of solid radioactive waste and spent fuel will be compatible with all other steps, including pre-treatment, treatment, storage, disposal, handling, and on-site and off-site transport. Treatment of solid radioactive waste, including treatment in a radwaste treatment facility that is to be designed, is discussed in the Environment Report (Reference 15.6) and the UK AP1000 Integrated Waste Strategy (Reference 15.5).

The solid radwaste system is described in detail in Section 11.4 of Reference 15.14 and summarised in the Environment Report. The system categorises solid radioactive waste as high-level waste (HLW), intermediate-level waste (ILW), or low-level waste (LLW) (see Environment Report, Figures 3.4-1 & 3.4-2). The solid radwaste system comprises a radwaste building for handling and sorting LLW and an LLW buffer store area.

The HLW comprises spent fuel that will be managed as set out in the Environment Report (see Figure 3.4-15). There is no proposal to reprocess spent fuel; it will be stored for future off-site disposal, awaiting the development of a permanent UK disposal repository. A summary of the BAT assessment for HLW is provided in the Environment Report (Section 3.4.6) and in the Radioactive Waste Management Case Evidence Report for High Level Waste (Reference 15.11).


After spent fuel is removed from the reactor it will be stored initially in the Fuel Storage Pool (Pond). There is insufficient capacity in the Pond for the lifetime of the facility. Hence, a facility for dry spent fuel storage for the lifetime of the plant is proposed. Further details regarding the proposed dry storage facility are provided in the Environment Report (Sections 3.4.8.3 and 3.4.9.3).

Solid ILW radwaste will consist primarily of organic resins from the gaseous and liquid radwaste systems. ILW will be managed as set out in the Environment Report (see Figure 3.4-14). These resins will be dewatered and encapsulated in concrete to immobilise radionuclides. This treatment system is based on a simple, well understood technology that complies with current transportation and waste repository requirements. A mobile encapsulation plant will be used for ILW, and an ILW store will be provided for on-site storage of ILW boxes and drums. A summary of the BAT assessment for LLW is provided in the Environment Report (Section 3.4.5) and in the Radioactive Waste Management Case Evidence Report for Intermediate Level Waste (Reference 15.12).

An on-site ILW storage facility has been designed for interim storage of ILW until such time as a future geologic repository is available. This is designed to store the ILW until long after the station ceases to generate. Details of the storage containers and storage facility are provided in the Environment Report (Sections 3.4.8.2 and 3.4.8.3), Reference 15.6.

LLW will be managed as set out in the Environment Report (see Figure 3.4-10). The solid LLW radwaste treatment process is based on sorting, sizing (e.g., cutting, shredding, and crushing) and compaction. The LLW will be compacted initially into drums and the drums placed in half-height ISO containers (HHISO). The Environment Report (Section 3.4.5) provides a BAT assessment for the treatment of LLW.

The LLW HHISO containers will be stored on-site prior to shipment for off-site disposal at the LLW repository (LLWR) near Drigg (or successor national repository). A facility will be available to store LLW during periods when waste cannot be received by the LLWR. LLW will be shipped for disposal routinely according to schedules agreed to by the plant operator and the UK NDA. Transport to LLWR will be by road. Details of storage and disposal of LLW are provided in the Environment Report (Sections 3.4.8.1 & 3.4.9.1).

Management of radioactive solid waste (both operational and generated during decommissioning) is being planned with the understanding that off-site disposal of HLW, ILW, and LLW will be to NDA waste management facilities when available. The NDA have confirmed in the Summary of Disposability Assessment for Wastes and Spent Fuel Arising from Operation of the Westinghouse AP1000 (Reference 15.13) that, in principle, spent fuel and ILW from the generic AP1000 site would be acceptable for disposal at the planned UK national repositories (when constructed and operational). This confirmation is subject to assessment and endorsement of more specific, detailed proposals by the NDA.

15.5 Radiological Protection

The information above demonstrates that management of radioactive waste generated as a result of the operation of the generic AP1000 design will be undertaken in a manner that will comply with all relevant regulatory requirements.

The primary objectives of the radioactive waste management regulatory regime include:

• to protect workers from the effects of ionising radiation;

• to protect the general public from the effects of ionising radiation; and,

• to protect the wider environment from the effects of ionising radiation.

The protection of site workers from ionising radiation is discussed in Chapter 12 of this PCSR. That chapter, which considers normal plant operations and all on-site sources of radiation, concludes that operational radiation exposures are ALARP.

The potential impact of releases/discharges of radioactive waste on the general public and the wider environment is discussed in the Environment Report (Reference 15.5) and summarised in Chapter 14 of this PCSR.

The assessments mentioned above will continue to be developed/reviewed at the site specific design stage for any proposed new build. Likewise, the developing RWMCs for a proposed new build reactor will demonstrate specifically that radioactive waste management strategies/practices will provide adequate protection against ionising radiation for plant workers, the general public, and the wider environment.

15.6 Conclusion

This chapter has considered the means by which the generation of gaseous, liquid and solid radioactive waste has been assessed as part of the AP1000 design process and minimised in line with best practice. It then described the processes by which each of the radioactive waste streams is managed and then either discharged or disposed of under controlled conditions, or stored on site in preparation for final geological disposal.


REFERENCES

15.1 HSE / EA, “Fundamentals of the Management of Radioactive Waste: An Introduction to the Management of Higher-Level Radioactive Waste on Nuclear Licensed Sites,” December 2007.

15.2 HSE / EA, “The Management of Higher Activity Radioactive Waste on Nuclear Licensed Sites, Part 1: The Regulatory Process,” December 2007.

15.3 HSE / EA, “The Management of Higher Activity Radioactive Waste on Nuclear Licensed Sites: Radioactive Waste Management Cases,” November 2008.

15.4 WEC, EPS-GW-GL-700, Rev. 1, AP1000 European Design Control Document, December 2009.

15.5 WEC, UKP-GW-GL-054, Rev. 0, UK AP1000 Integrated Waste Strategy, 2009.

15.6 WEC, UKP-GW-GL-790, Rev. 2, UK AP1000 Environment Report, December 2009.

15.7 Nuclear Decommissioning Authority (NDA), ENG01, Rev. 2, Specification for the Content and Format of a Site Integrated Waste Strategy Document, August 2006.

15.8 Nuclear Decommissioning Authority (NDA), ENG02, Rev. 2, Companion Document to Integrated Waste Strategy Specification, August 2006.

15.9 Defra, Waste Strategy for England 2007, May 2007.

15.10 The Site Waste Management Plans (SWMP) Regulations 2008, SI 2008/314.

15.11 WEC, UKP-GW-GL-056, Rev. 0, “UK AP1000 Radioactive Waste Management Case Evidence Report for High Level Waste,” 2008.

15.12 WEC, UKP-GW-GL-055, Rev. 0, “UK AP1000 Radioactive Waste Management Case Evidence Report for Intermediate Level Waste,” 2008.

15.13 Nuclear Decommissioning Authority (NDA), NDA Tech Note 11339711, “Generic Design Assessment: Summary of Disposability Assessment for Wastes and Spent Fuel Arising from Operation of the Westinghouse AP1000,” October 2009.


CHAPTER 16: DECOMMISSIONING AND END OF LIFE ASPECTS


16.0 DECOMMISSIONING AND END OF LIFE ASPECTS

16.1 Introduction

Adequate arrangements are required to be in place for the eventual decommissioning of a nuclear licensed site. Although decommissioning is the last stage in the overall lifecycle of a facility, it must be taken into account at the planning and design stages. The objective of this chapter is to review the aspects of the generic design of the AP1000 that will facilitate safe decommissioning at the end of operational life.

16.2 General

The main objectives in decommissioning any industrial site, including a nuclear power plant, are:

• To ensure that the decommissioned site does not present unacceptable risks to human health or the wider environment; and,

• To allow the release of the site for future use (e.g., for redevelopment or use as open space).

Typically, as a minimum, this would include:

• The removal of all hazardous materials (including wastes);

• The dismantling of plant/machinery; and,

• The demolition of above ground structures.

With regard to the generic AP1000 site, in order to achieve these objectives, the overriding requirement would be the safe removal of radioactive materials (to include spent fuel, radioactive wastes, and activated plant components).

The decommissioning process is regulated by the Nuclear Site Licence and must be accomplished to the satisfaction of the regulatory authorities prior to surrender of the licence. Guidance on the decommissioning process is provided in the Technical Assessment Guide – Decommissioning on Nuclear Licensed Sites (Reference 16.1). The Site Licence Condition covering decommissioning includes requirements that:

• “The licensee shall make and implement adequate arrangements for the decommissioning of any plant or process which may affect safety.” and,

• “The licensee shall make arrangements for the production and implementation of decommissioning programmes for each plant.”

As part of this process, it is necessary to demonstrate that the doses to workers and the general public will be as low as is reasonably practicable (ALARP), and that Best Available Technology (BAT) will be adopted with regard to the methods of decommissioning.

As part of the licensing process for any new nuclear site, the applicant must show that the process of decommissioning has been taken into account during the design phase, including as part of a Pre-Construction Safety Report (PCSR).

NII Technical Assessment Guide T/AST/051 (Reference 16.2) provides guidance on the purpose, scope, and content of nuclear safety cases covering all stages of the facility lifecycle from conception through to decommissioning. It states that one of the qualities of a safety case is that it is ‘forward looking’ – it should demonstrate that the facility will remain safe throughout a defined lifetime. It also states that it is important that the lifecycle of the facility is reflected in all stages, specifically highlighting that decommissioning feasibility should be taken into account during design. It does, however, recognise that at the start of the lifecycle, limited information will be available on decommissioning.

Technical Assessment Guide T/AST/051 (Reference 16.2) calls for the production of a Decommissioning Strategy document by the licensee to set out in broad terms the approach that is to be followed, and then to divide up the decommissioning into smaller parcels of works. During the later stages of the lifecycle, decommissioning should increasingly be taken into account. As the lifecycle moves from design into operation, the responsibility for decommissioning will transfer to the licensee/operator along with the ownership, management, and maintenance of the safety case.

The European Design Control Document (EDCD) (Reference 16.3, Section 20 and Appendix 20A) demonstrates, to a level of detail commensurate with the design maturity and stage of the AP1000 lifecycle, that decommissioning is indeed feasible. Further evidence regarding the outline strategy is provided in the Technical Specification for the Decommissioning Strategy for the AP1000 Generic Design Assessment (Reference 16.4).

16.3 Differing Approaches to Decommissioning

The International Atomic Energy Agency (IAEA) have recognised three primary decommissioning strategies in developing IAEA safety standards. These primary strategies are:

• Immediate Dismantling – Dismantling commences soon after shutdown of the plant (typically within 5 years), with radioactive material above a specified level being removed. This strategy does not allow for any significant decay of radionuclides.

• Deferred Dismantling or Safe Enclosure (Safestore) – Those parts of the facility containing radioactivity are processed or brought into a condition such that they can be stored and maintained in a safe manner (e.g., liquids are drained from the system and irradiated fuel and operational waste materials removed). The facility is placed in long-term storage (e.g., 50 years) prior to later dismantling. This option allows for decay of radionuclides.

• Entombment – As with the deferred dismantling option, liquids and waste are removed. The remaining radioactive material is encased on-site (normally in concrete). Essentially, the site becomes a near surface waste repository.

The nature of the AP1000 design is amenable to all options, but lends itself to the immediate dismantling option. Adoption of an immediate dismantling option assumes that a disposal facility is available for High Level Waste (HLW) (i.e., spent fuel) and Intermediate Level Waste (ILW), either a UK national repository or an interim waste management/storage facility (whilst a national repository is awaited). In the event that this were not the case, a safe enclosure option might be more applicable. It is unlikely that an entombment option would be acceptable within the UK. However, whatever option is adopted, HLW (spent fuel), which would be discharged from the core and kept in an interim dry store on site at the end of station operation and for a period after decommissioning started, would not be kept on site indefinitely. Final disposal arrangements would need to be made as described below.

Current UK policy is for the development of national repositories for HLW and ILW. The Nuclear Decommissioning Authority (NDA) have confirmed in the Summary of Disposability Assessment for Wastes and Spent Fuels (Reference 16.5) that, in principle, HLW and ILW from the generic AP1000 site would be acceptable for disposal at the planned UK national repositories (when constructed and operational).

16.4 Decommissioning Concept

Reference 16.3 (Appendix 20A) provides an “AP1000 Outline Decommissioning Plan” that demonstrates the technical and practical feasibility of one method by which the AP1000 can be safely decommissioned. The outline plan provides assurance that decommissioning can be safely accomplished within the currently acceptable limits of personnel exposure to radiation, and will not result in any pollution impact on the decommissioned site or wider environment.

The outline plan is based on an immediate dismantling option and adopts a staged approach, which can be summarised as follows:

• Stage 1 – Operational containment facilities and monitoring/surveillance procedures are maintained whilst fuel removal, internal decontamination, and waste removal works are undertaken.

• Stage 2 – The establishment of interim waste storage facilities to allow dismantling and removal of larger active components (e.g., steam generators).

• Stage 3 – The removal of the reactor vessel, and progressive demolition of the containment and auxiliary buildings.

This outline strategy assumes that, prior to Stage 1 works commencing, temporary buildings will be provided for the processing/storage of ILW and Low Level Waste (LLW) generated by the dismantling of large-scale components.

Management of radioactive waste (both operational and generated during decommissioning) is being planned on the assumption that off-site disposal of HLW, ILW, and LLW will be to NDA waste management facilities. Further details of radioactive waste management during decommissioning are provided in the UK AP1000 Integrated Waste Strategy (Reference 16.6) and the UK AP1000 Radioactive Waste Management Case Evidence Report for Intermediate Level Waste (Reference 16.7). An estimate of the main radwaste arisings that will be generated as a result of decommissioning works is presented in the Environment Report (Reference 16.10, Table 3.4-8 and Appendix A3).

The outline plan forms the basis for a detailed decommissioning strategy to be produced by the plant licensee/operator and developed throughout the lifecycle of the facility. As the end of the operational lifetime of the facility is approached, a detailed decommissioning plan will be produced. This detailed plan will expand and improve upon the outline plan, and will reflect the best available technology. As required by the nuclear site licence, the development of the detailed plan will be undertaken with full consultation with the regulatory authorities.

The removal and disposal of the conventional buildings and equipment that are not active waste are not addressed as part of the outline decommissioning plan. These issues will be incorporated into the detailed decommissioning plan as it is generated through the lifecycle of the facility. Likewise, the detailed plan will incorporate the remedial measures necessary to address any environmental pollution (radioactive and/or non-radioactive) that has occurred during the operational lifetime of the facility.

Currently (2009), the Nuclear Reactors (Environmental Impact Assessment for Decommissioning) Regulations (EIADR) (References 16.8 and 16.9) require that an environmental statement is prepared to accompany the detailed decommissioning plan. It is anticipated that a similar requirement will apply at the time an AP1000 facility is due for decommissioning. This will be the responsibility of the licensee.

16.4.1 Outline Plan – Main Activities

A summary of the major activities to be undertaken at the three stages of the outline decommissioning strategy is provided below.

16.4.1.1 Stage 1

The principal activities to be accomplished during Stage 1 are as follows.

• The removal of fuel from the reactor and disposal as per the established practices;

• The cleaning, decontamination, and surveying of all areas to facilitate dismantling and removal from site of all readily removable radioactive items;

• The preparation for, and implementation of, the chemical decontamination of active circuits;

• The establishment of new radiation control areas based on the above actions as work progresses; and,

• A demonstration that radioactive waste systems are in working order for use during decommissioning.

Although decommissioning could commence on cessation of power generation, some benefit may be gained by delaying some activities to allow short-lived fission products to decay. Current estimates are that Stage 1 activities would take approximately 2 years to complete.

16.4.1.2 Stage 2

The principal activities to be accomplished during Stage 2 are as follows.

• The conversion of the fuel handling building into an interim waste storage, decontamination, waste reduction, packaging, and processing area for ILW;

• Component removal to the interim storage areas of all active equipment with the exception of the reactor pressure vessel and internals (the concrete and steel shield will remain in place); and,

• Radiation and security controls.

Stage 2 works could begin once removal of fuel (from reactor and spent fuel pool) has been completed, and the spent fuel area has been decontaminated and cleared for use. Current plans are that Stage 2 activities would take approximately 6 years to complete.

16.4.1.3 Stage 3

The principal activities to be accomplished during Stage 3 are as follows.

• The removal and dismantling of the reactor pressure vessel and internals;

• Cutting, processing, and removal of active and clean concrete in the containment vessel and fuel handling building;

• Dismantling of the containment vessel and shield building;

• Dismantling of the auxiliary building; and,

• Dismantling of the temporary waste facilities (constructed prior to decommissioning commencing).

The activity level of some components (in particular the reactor vessel and internals) is anticipated to be above the level at which it would be ALARP to transport the dismembered pieces off-site (within the regulations applicable at that time). Under such circumstances, one strategy would be for the elevated activity waste to be packaged and stored on-site prior to transportation, with decommissioning activities continuing. An alternative strategy could be a period of Safestore between Stages 2 and 3 to allow additional decay. Decisions on the strategy, timing, and programme for Stage 3 would need to take into account progress on the development and operation of a national repository for ILW. The strategy proposed here is the former option, whereby decommissioning would proceed without loss of schedule.

Once Stage 3 activities are underway, current estimates are that they will take approximately 6 years to complete.

16.5 Provisions for Safety during Decommissioning

16.5.1 Inherently Simple Design

Compared with similar nuclear power plants, the AP1000 has roughly 50 percent fewer valves, 35 percent fewer pumps, 80 percent less piping, and 80 percent fewer heating, ventilation, and air-conditioning systems. Considering these characteristics, the decommissioning phase of the AP1000 will be shorter, and the decommissioning activities will produce less activated/contaminated material that must be treated and conditioned for interim storage and final disposal as radioactive waste. This will result in simpler strategies, less to do, and increased safety.

16.5.2 Design Features for Radiation Protection

The AP1000 design provides features for protection against radiation including:

• Plant and buildings layout which incorporates substantial shielding;

• Elimination or minimisation of materials used in the construction that may give rise to activation (i.e., activated components/commodities); and,

• Primary circuit chemistry requirements which minimise corrosion products.

16.5.3 Design Features for Protection against and Limitation of Contamination

The AP1000 design provides features for protection against the occurrence, spread, and thus potential personnel exposure to radioactive contamination, including:

• Sealed surfaces, including steel wall and floor surfaces that prevent penetration, which facilitate decontamination; and,

• Provision of heating, ventilation, and air conditioning (HVAC) within the secondary containment areas, which limits contamination spread.

16.5.4 Design Features Supporting Decommissioning

The AP1000 design incorporates features that facilitate safe decommissioning:

• Easier access routes for equipment have been considered in the design; optional routes are available through the equipment hatches. Temporary access through the steel containment is easily provided and controlled. This reduces potential exposure times.

• Specific equipment at the lower elevations has been provided with removable shielded hatch covers, e.g., chemical and volume control system (CVS) demineralisers.

• The polar crane structure in the containment building (see Reference 16.3, Section 1) has sufficient capacity, with the addition of a larger capacity hoist module, to handle heavy equipment during decommissioning. In addition, the polar crane can accommodate the upper assembly of the steam generators between the girders.

• Laydown areas have been provided for protecting and wrapping potentially contaminated equipment prior to transportation to the site decontamination and sorting facility.

• Removable gratings have been used for floors to facilitate the transport and handling of equipment.

• Floor slabs, where practicable, have been designed to support the weight of equipment during the decommissioning process.

All of the above enable easier and faster decommissioning, which results in lower operator exposure times.

16.6 Decommissioned Site End Point

Section 4.5 of the UK AP1000 Integrated Waste Strategy (Reference 16.6) provides a generic site end point to be reached following decommissioning and site clearance works. This generic end point is as follows:

• Structures present will be deplanted and demolished.

• Buildings will be removed down to a depth of 1m below ground level.

• Roads, car parks, underground services, and the like, will be removed.

• The active drains and outfall will be removed. Foul and surface water drains will be removed if less than 1m below ground level.

• Basements (if present) will be demolished to 1m below ground level and any remaining sub-surface structures punctured to assist drainage.

• Contaminated ground will be identified and remediated appropriately.

• Ground will be appropriately landscaped and land drains installed (if necessary).

At this end point, the site is suitable to be de-licensed.

Defining site end point will be the responsibility of the site licensee and will need to reflect both national policy and local land-use requirements at the time of final site clearance.

16.7 Conclusions

The AP1000 design facilitates safe decommissioning following its design life.

REFERENCES

16.1 NII, T/AST/026, Issue 2, Technical Assessment Guide – Decommissioning on Nuclear Licensed Sites, March 2001.

16.2 NII, T/AST/051, Issue 1, Technical Assessment Guide – The Purpose, Scope and Content of Nuclear Safety Cases, May 2002.

16.3 WEC, EPS-GW-GL-700 Rev. 1, AP1000 European Design Control Document, December 2009.

16.4 Aker Solutions, 63000333-000-000-0005 Rev 3, Technical Specification for Decommissioning Strategy for the AP 1000 Generic Design Assessment, October 2008. [included in WEC, UKP-GW-GL-027, Rev 0, Radioactive Waste Arisings, Management and Disposal].

16.5 Nuclear Decommissioning Authority (NDA), NDA Tech Note 11339711, Generic Design Assessment: Summary of Disposability Assessment for Wastes and Spent Fuels arising from Operation of the Westinghouse AP1000, October 2009.

16.6 WEC, UKP-GW-GL-054 Rev. 0, UK AP1000 Integrated Waste Strategy, 2009.

16.7 WEC, UKP-GW-GL-055 Rev. 0, UK AP1000 Radioactive Waste Management Case Evidence Report for Intermediate Level Waste, 2009.

16.8 SI 1999/2892, The Nuclear Reactors (Environmental Impact Assessment for Decommissioning) Regulations 1999, November 1999.

16.9 SI 2006/657, The Nuclear Reactors (Environmental Impact Assessment for Decommissioning) (Amendment) Regulations 2006, April 2006.

16.10 WEC, UKP-GW-GL-790, Rev. 2, UK AP1000 Environment Report, December 2009.

CHAPTER 17: CONCLUSION

17.0 CONCLUSION

This chapter presents the key conclusion of this generic Pre-Construction Safety Report (PCSR). The prime objectives of the document are to support the generic design assessment (GDA) process being undertaken by the United Kingdom (UK) regulators, and to inform the public of the safety arguments which underpin the AP1000 design. In respect of the former objective, Westinghouse Electric Company (WEC) seeks Design Acceptance Confirmation (DAC) from the Nuclear Installations Inspectorate (NII) and the Environment Agency (EA) for its AP1000 Standard design. This generic PCSR is issued in support of the commencement of GDA Step 4.

The PCSR is a live document. During the GDA process, it will be revised to reflect developments arising from the responses to regulator questions and other developments in the safety case, including the production of further topical reports. It will then be developed through stages towards site licensing and operation.

Normally, a PCSR is associated with a specific site. In this case, it is generic and as such is a demonstration of the fitness for purpose of the design itself.

Chapter 1 of this PCSR identified the overarching safety claims that were made against the AP1000. These are repeated below:

• The AP1000 is designed to operate in a safe manner throughout its lifecycle.

The lifecycle of the plant includes construction, commissioning, operation, maintenance, refuelling, and decommissioning. It includes all modes of operation, including power operation and shutdown. It includes discharges and waste disposal. This claim has been addressed by:

- The identification and substantiation of design requirements on plant systems, structures, and components, which show how nuclear safety functions are maintained throughout the lifecycle.

- The use of safety categorisation and classification processes to assign appropriate codes and standards to plant design, qualification, and through life management, in accordance with their importance to nuclear safety.

• The AP1000 systems, structures, and components are designed to maintain the plant within prescribed safety limits for postulated fault conditions.

This claim has been addressed by defining the postulated fault conditions in a fault schedule, and by demonstrating that the engineered safety features maintain the potential for core damage and release of radioactive material within the defined prescribed safety limits.

• The AP1000 risks have been reduced to as low as reasonably practicable (ALARP).

This claim has been addressed by:

- Dose and risk associated with the operation of the AP1000 being assessed to demonstrate that the design has reduced them to as low as reasonably practicable (ALARP).

- The design evolution of the AP1000 being shown to make extensive use of relevant good practice.

- Potential additional design improvements to the AP1000 being shown to require disproportionate cost relative to the benefit they would provide to plant safety.

The three claims are all underpinned by appropriate safety management throughout life, to make sure that design requirements are maintained, emergency arrangements are in place, and environmental impact is appropriately monitored and managed.

The three claims cover the safety case for the AP1000, since they cover the possible plant conditions over the plant lifetime and the impact of the plant on the operators, the public, and the environment.

In support of the PCSR, specific topic reports have been developed to address particular demonstration/description requirements:

• The AP1000 Lifecycle Safety Report (LCSR) has described the management arrangements and philosophies of safety and quality that will be applied throughout the lifecycle of the UK application of the AP1000.

• The AP1000 UK Fault Schedule has identified the credible initiating events within the AP1000 design basis, and has shown that safety measures are in place to provide adequate protection. The PCSR has used the initiating events identified, and the analyses of fault sequence development, and has shown that the fault sequences and safety measures identified are compliant with a range of Design Basis targets, and has identified the claims on systems, structures, and components required for the plant to be adequately protected.

• The AP1000 External Hazards Topic Report has identified the claims, arguments, and evidence associated with the plant response to credible external hazards (i.e., those hazards originating beyond the site boundary), and established that they are adequately protected.

• The AP1000 UK Safety Categorisation and Classification of Systems, Structures, and Components has used a consistent process to identify the importance to nuclear safety of the AP1000 systems, structures, and components, and has assigned Safety Classes to each SSC accordingly. Codes and standards associated with the substantiation, construction, and through life management of SSCs have been identified for each Safety Class.

• The AP1000 Safe Operating Envelope report has described the principles behind development of the safe operating envelope, and how this information has been used to support the design basis assessment and plant technical specifications.

• Safe and Simple: the Genesis of the AP1000 Design has described the evolution of the AP1000 design, identifying input from utilities and relevant good practice in its development. This report has been a key reference in the demonstration that risk associated with operation of the AP1000 is as low as reasonably practicable (ALARP).

• The AP1000 Equivalence/Maturity Study for Codes and Standards has reviewed those codes and standards underpinning safety significant aspects of plant design and substantiation, and has confirmed that they represent, or are equivalent to, relevant good practice in the UK.

Additional reports are also in production, which will provide further support to the PCSR as follows:

• The AP1000 Internal Hazards Topic Report will identify the claims, arguments and evidence associated with the plant response to credible internal hazards (i.e., those hazards originating within the site boundary but external to the plant) and establish that they are adequately protected.

• The AP1000 Human Factors Topic Report will identify the claims made on operators with regard to actions of significance to plant safety.

• The AP1000 Electrical System Topic Report will identify the key standards needed for the current 60 Hz design, based on US standards, to be transferred and applied in the UK.

• AP1000 spent fuel handling is being evaluated in a series of separate studies that will present a detailed safety assessment of the processes and equipment associated with spent fuel handling for the AP1000, identifying claims, arguments, and evidence that demonstrate them to be adequately safe.

Evidence underpinning the PCSR and topic reports has been drawn primarily from the following sources:

• The European AP1000 Design Control Document (DCD) has provided the design description of the AP1000, the analysis associated with its response to fault conditions, the risk evaluation, and the design control processes for application throughout plant life. The DCD is also supported by a range of licensing documents providing additional information relating to design definition and analysis. The information in the DCD and supporting licensing documents has been used extensively in the PCSR and its supporting documents to underpin the nuclear safety claims made on systems, structures, and components.

• The AP1000 Environment Report has described those elements of the AP1000 design that could directly impact a generic UK site. The Environment Report itself is supported by several technical reports, including the AP1000 Disposability Assessment and the AP1000 Integrated Waste Strategy. Information from the Environment Report has been used to underpin the elements of the claims in the PCSR that refer to the management of environmental impact and radioactive waste disposal.

There are some other key issues and practices underpinning the safety of the AP1000 design that have been described in this PCSR, which add support to the claims above.

• The extensive use of proven components gives the operators confidence that plant performance will be reliable and predictable, thereby contributing to the overall safety of the plant.

• The plant is simple in comparison to other PWRs operating worldwide. This makes it easier for operators to understand, and there is less plant to maintain.

• The plant has evolved from specifications contributed by experienced operators, and as such, has the benefit of many hundred reactor years of operation behind the design specification. This is a significant contributor to the ALARP claim.

In conclusion, the PCSR has provided confirmation that the detailed design of the plant is fit for purpose and can be adopted for construction (subject to any site-specific issues). The AP1000 is acceptably safe in accordance with UK legal requirements and relevant good practice. UK numerical targets and legal limits encompass specific targets for radiological dose and risk, and it has been demonstrated that the risk arising from conceivable faults is as low as reasonably practicable. It has also been demonstrated that all safety case outputs, with regard to the activities required to substantiate plant performance and to manage systems, structures, components, and processes through life, have been captured, and that a suitable management framework has been put in place. It has also been demonstrated that the discharges and disposals to the environment through life are minimised and safely conducted.