1. Research on Safety System Configuration of HPR1000作者
China Nuclear Power Design Co., ltd: Li Sheng Jie

2. Personal profile Li Sheng Jie
Senior engineer, director of Nuclear Island (NI) System Branch in NI Engineering Department of China Nuclear Power Design Co., ltd. Long been engaging in the engineering design of nuclear island main process systems, particularly specializing in the design of engineered safety features. Engaged in research and development and engineering design of CGN HPR1000 (formerly ACPR1000+) project since the kick-off in 2010, participating as the main person responsible for safety system configuration design of HPR1000.
加作者简介

3. Content 0. Introduction of HPR1000 Project
“3-Independent-Train” Engineered Safety Features (ESF)
“Active+Passive” provisions dedicated to Design Extension Conditions(DEC)
Improvement after Fukushima accident
加作者简介

4. 0. Introduction of HPR1000 Project
HPR1000 in FangChengGang Units 3, 4 is a 3-loop reactor, adopting the design concept of advanced pressurized water reactor with two main features on the configuration of safety systems:
“3-Independent-Trains”,
“Active+Passive”.
It meets the safety requirements of “3rd generation”NPP.

5. 1. “3-Independent-Train”Engineered Safety Features
1.1 Codes, regulations requirements
1.2“3-Train”Engineered Safety Features
1.3 Introduction of main Engineered Safety Features

6. 1.1 Codes, regulations requirements
1）Redundancy
The ESFs are required to consider “single failure criterion ”and redundancy in SSR-2/1:
“Requirement 25: The single failure criterion shall be applied to each safety group incorporated in the plant design. ”
Core
TrainA
TrainB
Core
TrainA
TrainC
TrainB
Initiating events
Initiating events
Single failure
Intact
Single failure

7. 1.1 Codes, regulations requirements
2）Independence
Independence of ESFs is required in SSR-2/1:
“Requirement 21: Interference between safety systems or between redundant elements of a system shall be prevented by means such as physical separation, electrical isolation, functional independence and independence of communication (data transfer), as appropriate.”
Core
Train A
Train B
physical separation

8. Cross-connections and branch lines
1.1 Codes, regulations requirements
3）Design simplification
It is specified in URD:
“A very important improvement in safety system design for the Evolutionary Plant is to be accomplished by subjecting them to major simplification. This includes such design action as eliminating unnecessary piping cross-connections and branch lines, simplifying actuation logic, and minimizing the number of configuration changes and component actuations required under emergency conditions. ”
Core
Train A
Train C
Train B
3 independent trains
Cross-connections and branch lines
Train A
Core
Train B

9. 1.1 Codes, regulations requirements
4）Postulated initiating events
In SSR-2/1, the initiating events must be postulated in all states including shutdown states.
“Requirement 16: The postulated initiating events shall include all foreseeable failures of structures, systems and components of the plant, as well as operating errors and possible failures arising from internal and external hazards, whether in full power, low power or shutdown states.”

10. 1.1 Codes, regulations requirements
4）Postulated initiating events
Compared to 2nd generation NPPs, 15 initiating events in shutdown states are added in HPR1000 design, covering the Design Basis Conditions (DBC2~4) and Design Extension Conditions, so that safety systems can cope with a wider range of accident conditions.

11. Initiating events of HPR1000 in shutdown states
1.1 Codes, regulations requirements
Initiating events of HPR1000 in shutdown states
Uncontrolled RCCA bank withdrawal (in shutdown states)
Uncontrolled RCCA withdrawal (in full power, hot shutdown and intermediate shutdown states)
Small Break-LOCA, including injection line break of emergency boration system (in shutdown states, SIS is not connected in RHR mode)
Cooling of Spent Fuel Pool in long term loss of offsite power (>2 hours) (in full power, hot shutdown and intermediate shutdown states)
Loss one train of cooling system and support system of PTR (in reactor complete fuel unloading states)
Loss term loss of offsite power (in intermediate shutdown and normal cold shutdown state)
Boron dilution resulted by the non-isolated break of tube of heat exchanger (in shutdown states)

12. Initiating events of HPR1000 in shutdown states
1.1 Codes, regulations requirements
Initiating events of HPR1000 in shutdown states
Intermediate break (in full power and shutdown sates)
Small break-LOCA, including injection line break of emergency boration system (in shutdown states, SIS is connected in RHR mode)
Break of RHR pipes located outside the containment (≤DN250, in shutdown states)
Inadvertent opening of Dedicate depressurization valves (in full power and shutdown states)
Cooling of Spent Fuel Pool in case of non-isolated small break and isolated SIS break in RHR mode (≤DN250) (in refueling cold shutdown states)
Station black out (SBO) (in full power and shutdown states)
Total loss of cooling chain (TLOCC) (in shutdown states)

13. 1.1 Codes, regulations requirements
4） Support service systems
In SSR-2/1, the requirement of support and service systems is:
“Requirement 27: The reliability, redundancy, diversity and independence of support service systems and the provision of features for their isolation and for testing their functional capability shall be commensurate with the significance to safety of the system being supported. ”
The Engineered Safety Systems and the support systems (cooling source, HVAC, electrical, I&C) and the building configuration are all of 3 trains.
Safety class of the support systems ensuring the function of safety systems keeps consistent with safety systems.
The buildings and rooms accommodating these safety systems and support systems are separated physically, to withstand against the effects of internal and external hazards.

14. Codes, regulations requirements
Conformity analysis of HPR1000 to the above codes and regulations requirements:
Considering initiating events (IE) and single failure criterion (SFC), to meet the requirements of independence, physical separation, design simplification, 3 independent and redundant safety trains are the smallest configuration for 3-loop reactors.
Codes, regulations requirements
HPR1000
Conformity
Redundancy
3 trains (N+1) √
Independence
Separation and independence among 3 trains
Design Simplification
Elimination of Cross-connections and branch lines
Postulated initiating events
Consider low power and shutdown states
Support systems
Redundancy , independence
在考虑始发事件和单一故障准则，并满足独立性、实体隔离、设计简化的要求下，对于三环路堆型，三个独立、冗余的安全系列是满足安全要求的最小配置。

15. 1. “3-Independent-Train”Engineered Safety Features
1.1 Codes, regulations requirements
1.2“3-Train” Engineered Safety Features
1.3 Introduction of main Engineered Safety Features

16. 1.2 “3-Train” Engineered Safety Features
The 3-Train safety systems configuration of HPR1000 covers the full range of:
All the safety systems and the support systems (cooling source, HVAC, electrical, I&C), as well as the building configuration are 3-Train.
All the support systems coping with the function realization of safety systems, keeps consistent with safety systems in terms of safety class with a high reliability. The buildings and rooms accommodating these safety systems and support systems are separated physically, with a structure designed to meet the seismic requirements.

17. Nuclear Auxiliary Building
1.2 “3-Train” Engineered Safety Features
Nuclear island building:
All three safeguard buildings are classified as seismic class I. The safeguard building C, reactor building and fuel building can defend large commercial Air Plane Crash (APC).
Nuclear Auxiliary Building
Safeguard Building B
Safeguard Building A
Safeguard Building C
Fuel Building
Access
Building
Reactor Building
Safeguard Building B
Nuclear Auxiliary Building
Fuel
Building
Safeguard Building C
Safeguard Building A 17

18. Fuel building, safeguard building
1.2 “3-Train” Engineered Safety Features
Engineered Safety Features :
Support systems of safety systems:
Systems
Number of trains
Safety classified
Located building
SIS/RHR (Safety Injection /Residual Heat Removal) 3
yes
3 safeguard buildings
EFWS (Emergency Feedwater)
RBS (Emergency Boration)
Fuel building, safeguard building
FPCTS (Fuel Pool Cooling and Treatment)
Fuel building
ASDS (Atmospheric Steam Dump)
2 safeguard buildings
Support systems
Number of trains
Safety classified
Located building
CCWS (Component Cooling Water) 3
yes
3 safeguard buildings
ESWS (Essential Service Water)
SEC pump room (independent from Conventional Island Cooling Water System ) 18

19. Heating and ventilation systems
1.2 “3-Train” Engineered Safety Features
Electrical systems:
Heating and ventilation systems:
Electrical systems
Number of trains
Safety classified
Located building
EDG (Emergency Diesel Generator) 3
yes
3 diesel buildings
2h Batteries (Uninterruptible)
3 safeguard buildings
Electrical Division
Heating and ventilation systems
Number of trains
Safety classified
Located building
SBCAVS (Safeguard Building Controlled Area) 3
yes
3 safeguard buildings
EDVS (Electrical Division of Safeguard Building)
SCWS (Safety Chilled Water)
MCRACS (Main Control Room)
Safeguard building C 19

20. 1.2 “3-Train” Engineered Safety Features
I&C Systems:
I&C Systems
Number of trains
Safety classified
Located building
Engineered Safety Feature Actuation Cabinet 3
yes
3 safeguard buildings 20

21. 1. “3-Independent-Train”Engineered Safety Features
1.1 Codes, regulations requirements
1.2“3-Train” Engineered Safety Features
1.3 Introduction of main Engineered Safety Features

22. 1.3 Introduction of main Engineered Safety Features
Safety Injection System (SIS/RHR)
3 ×100%
No High Head Safety Injection (HHSI)
Combine with RHR
In-Containment Refueling Water Storage Tank (IRWST)

23. 1.3 Introduction of main Engineered Safety Features
Emergency Feedwater System (EFWS)
3 × 100%
No normal feedwater function during startup and shutdown (compared to M310)
Two redundant valves ensure isolation in SGTR

24. 1.3 Introduction of main Engineered Safety Features
Emergency Boration System (RBS)
3 × 100%
Piston pump
Enriched boron

25. 1.3 Introduction of main Engineered Safety Features
Cooling chain system (Component Cooling Water System CCWS)
3 × 100%
2 pumps and 2 heat exchangers are configurated in A/B trains, realizing preventive maintenance in power operation

26. 1.3 Introduction of main Engineered Safety Features
Cooling chain system (Essential Service Water System ESWS)
3 × 100%
3 train, 5 sub-train in configuration, realizing preventive maintenance in power operation.

27. 2. Design Extension Conditions (DEC) and provisions
2.1 Independence of DiD levels
2.2 Selection of DECs
2.3 Systems dedicated to DECs
2.4 Practical elimination of early or large radioactive releases
国内版“超设计基准事故”

28. 2.1 Independence of DiD levels
In SSR-1/2, independence among different levels of DiD is required:
“2.13:Defence in depth is implemented primarily through the combination of a number of consecutive and independent levels of protection that would have to fail before harmful effects could be caused to people or to the environment. If one level of protection or barrier were to fail, the subsequent level or barrier would be available . ”
“4.13A. The levels of defence in depth shall be independent as far as practicable to avoid the failure of one level reducing the effectiveness of other levels. In particular, safety features for design extension conditions (especially features for mitigating the consequences of accidents involving the melting of fuel) shall as far as is practicable be independent of safety systems.”

29. 2.1 Independence of DiD levels
HPR1000 establishes provisions at each DiD level, systems for mitigating the consequences of a severe accident and the ESFs are independent from each other.
HPR1000
Systems
Levels of defence in depth
Safety Injection System
DiD-3
DiD-4a
Emergency Feedwater System
Emergency Boration System
Atmospheric Steam Dump System
Secondary Passive Heat Removal System
Diverse Actuation System (I&C)
SBO Diesel Generator
DiD-4b
Containment Heat Removal System
Extra Cooling System
Severe Accident I&C System
增加仪控（KDS和KDA）和电气（SBO柴油机、移动电源）

30. 2. Design Extension Conditions (DEC) and provisions
2.1 Independence of DiD levels
2.2 Selection of DECs
2.3 Systems dedicated to DECs
2.4 Practical elimination of early or large radioactive releases
国内版“超设计基准事故”

31. 2.2 Selection of Design Extension Conditions
Requirement for “ Design Extension Conditions” in SSR-1/2: “Requirement 20: A set of design extension conditions shall be derived on the basis of engineering judgement, deterministic assessments and probabilistic assessments for the purpose of further improving the safety of the nuclear power plant by enhancing the plant’s capabilities to withstand, without unacceptable radiological consequences, accidents that are either more severe than design basis accidents or that involve additional failures. These design extension conditions shall be used to identify the additional accident scenarios to be addressed in the design and to plan practicable provisions for the prevention of such accidents or mitigation of their consequences.”

32. 2.2 Selection of Design Extension Conditions
Criteria for selecting Design Extension Conditions of HPR1000:
10-5 /reactor-year (r.y)
10-8 /r.y
Selection of Design basis accident
Preliminary PSA analysis
Selection of accident sequences
Engineering judgement &
deterministic assessments
核实1E-05/堆年的含义
Final PSA analysis
Categorizati-on of accident sequences
Provisions
System Configuration

33. 2.2 Selection of Design Extension Conditions
DECs of HPR1000
Loss of secondary cooling function (power/shutdown states)
Small-break LOCA, with MHSI or LHSI failure (power state)
Initiating small-break LOCA, with MHSI or LHSI failure (shutdown state)
RHR system failure or after LOOP RHR recovery failure (shutdown state)
Station blackout accident (SBO) (power/shutdown states)
Station blackout accident, with loss of fuel pool cooling system
Emergency shutdown failure resulting from reactor trip signal failure (power state)
Emergency shutdown failure resulting from stuck rod (power state)
DECs of HPR1000
Non-RCV homogeneous dilution with failure of dilution source isolation (shutdown state)
Small-break LOCA or SGTR, with MHSI or LHSI failure (power state)
Total loss of cooling chain (TLOCC), with a break on reactor coolant pumps seals (power state)
Total loss of cooling chain (TLOCC) (shutdown state)
SGTR (10 tubes in one SG)
Main steam line break, with SGTR (1 tube in the affected SG)
SGTR (1 tube), with failure to close a main steam relief valve (VDA) (power state)

34. 2.2 Selection of Design Extension Conditions
PSA results（CDF<10-6）：
HPR1000
Core Damage Probability (/r.y)
放到本节最后

35. 2.2 Selection of Design Extension Conditions
PSA results （LRF<10-7）：
HPR1000
Large Release Frequency (/r.y)

36. 2. Design Extension Conditions (DEC) and provisions
2.1 Independence of DiD levels
2.2 Selection of DECs
2.3 Systems dedicated to DECs
2.4 Practical elimination of early or large radioactive releases
国内版“超设计基准事故”

37. 2.3 Systems designed for Design Extension Conditions
Containment Heat Removal System (CHRS)
2 × 100%
Backflushing of Strainers
Containment spray
Passive IVR (In-Vessel Retention)

38. 2.3 Systems designed for Design Extension Conditions
Extra Cooling System (ECS)
2 × 100%
Diverse cooling tower heat sink

39. 2.3 Systems designed for Design Extension Conditions
Secondary Passive Heat Removal System (SPHRS)
3 × 50%
Passive circulation
Water makeup for Emergency Feedwater Tank and Spent Fuel Pool

40. 2. Design Extension Conditions (DEC) and provisions
2.1 Independence of DiD levels
2.2 Selection of DECs
2.3 Systems dedicated to DECs
2.4 Practical elimination of early or large radioactive releases
国内版“超设计基准事故”

41. 2.4 Practical elimination of early or large releases
Requirements for “Practical elimination of early or large releases” in SSR-1/2 :
“2.11 Plant event sequences that could result in high radiation doses or in a large radioactive release have to be ‘practically eliminated’ and plant event sequences with a significant frequency of occurrence have to have no, or only minor, potential radiological consequences. ”
“5.31 The design shall be such that the possibility of conditions arising that could lead to an early radioactive release or a large radioactive release is ‘practically eliminated’.”
“Practical elimination of early or large releases” involves a very wide range of study, in this presentation, we only discuss HPR1000’s engineered safety features’ effects on practical elimination.
Example of accident sequences that have to be “practically eliminated”:

42. 2.4 Practical elimination of early or large releases
Positive reactivity insertion resulting in severe core degradation: 1）CVCS is designed to automatically isolate from CVCS volume control tank and switch to IRWST. This can evidently reduce the possibility of non-RCV homogeneous dilution accident caused by CVCS water makeup or by operator errors; 2）Emergency boration system dedicatedly designed, can automatically start up and compensate the reactivity. High pressure core-meltdown resulting in direct containment heating: 1）Dedicate depressurization valves are designed to discharge when the core outlet temperature exceeds the threshold. Severe accident analysis indicates that, if pressure is lower than 2 Mpa a. when reactor core melts, there is no risk of high pressure core-meltdown, preventing the containment from being directly heated.

43. 2.4 Practical elimination of early or large releases
Steam explosion possible to threaten containment integrity: 1）IVR is designed in HPR1000 and guaranteed successful by means of calculation analysis and experimental verification. It can prevent the molten core get contacted with large amount of water. Hydrogen deflagration: 1）Containment combustible gas control system is designed in HPR1000, measures eliminating hydrogen including passive hydrogen recombiner and hydrogen igniter can practically prevent the hydrogen concentration from reaching deflagration level.

44. 2.4 Practical elimination of early or large releases
Containment bypass: 1）RHR is evaluated with RCS normal operation pressure, avoiding breaks outside containment when connecting to primary loop. 2）EFWS can be automatically isolated when SGTR occur, MHSI pump head is lower than the steam safety valve setpoint, preventing the affected SG from being overfilled and radioactive materials from being released to the environment.

45. 2.4 Practical elimination of early or large releases
Other provisions: Besides the provisions dedicated designed for “Practical elimination”, HPR1000 is also equipped with redundant and diverse provisions for DECs, which can significantly reduce the probability of core melting caused by multi-failure sequences. And can provide non-permanent mitigation provisions when severe accidents caused by extreme external hazard (e.g. Fukushima) happen.
Provisions
Functions
SBO power supply
Provide power supply reliability
Secondary passive heat removal system
Passively remove residual heat
Extra cooling system
Provide diverse heat sink
Containment heat removal system
Remove heat in containment
Feed and Bleed
Remove heat by primary loop
Secondary loop fast cooling
Fast reduce primary and secondary temperature and pressure
Diverse I&C systems
Provide diverse shutdown control measures
Safety chilled water system
Provide diverse safety equipment cooling
Containment filtration and exhaust system
containment heat and radioactivity exhaust
Non-permanent equipment
Provide mobile power supply and makeup water for primary/secondary loop and spent fuel pool

46. 2.4 Practical elimination of early or large releases
PSA of complex accident sequences Quantitative analysis results show that the probability of complex sequences which are more probable to cause core damage accident is decreased to below 10-8 after considering effect of these systems. In this research, events below this probability can be estimated as “practically eliminated”. Quantitative analysis results of typical complex sequences based on internal events are given as follows:

47. 2.4 Practical elimination of early or large releases
Complex accident sequences
Provision
Quantitative results (/r.y)
Without provision
With provision
SBO in power state
SBO Diesel
2.81E-06
2.26E-08
Without provision
With provision
此处可考虑使用柱状图美化
最后加一行，打省略号

48. 2.4 Practical elimination of early or large releases
Complex accident sequences
Provision
Quantitative results (/r.y)
Without provision
With provision
Loss of offsite power with secondary feedwater failure in power state
SPHRS
5.23E-06
3.54E-10
Without provision
With provision
此处可考虑使用柱状图美化
最后加一行，打省略号

49. 2.4 Practical elimination of early or large releases
Complex accident sequences
Provision
Quantitative results (/r.y)
Without provision
With provision
Loss of RHRs in shutdown state
ECS
3.38E-06
5.16E-09
CHRS
Without provision
With provision
此处可考虑使用柱状图美化
最后加一行，打省略号

50. 2.4 Practical elimination of early or large releases
Complex accident sequences
Provision
Quantitative results (/r.y)
Without provision
With provision
SGTR with secondary feedwater failure in power state
Open pressurizer safety valve to feed and bleed primary loop
2.06E-06
3.01E-09
Without provision
With provision
此处可考虑使用柱状图美化
最后加一行，打省略号

51. 2.4 Practical elimination of early or large releases
Complex accident sequences
Provision
Quantitative results (/r.y)
Without provision
With provision
Small LOCA or SGTR, with MHSI failure in power state
Secondary loop fast cooling
5.23E-06
3.54E-10
Without provision
With provision
此处可考虑使用柱状图美化
最后加一行，打省略号

52. 2.4 Practical elimination of early or large releases
Complex accident sequences
Provision
Quantitative results (/r.y)
Without provision
With provision
Loss of main feedwater resulting in ATWS
EBS
2.78E-05
8.94E-10
Diverse I&C
Without provision
With provision
此处可考虑使用柱状图美化
最后加一行，打省略号

53. 2.4 Practical elimination of early or large releases
Complex accident sequences
Provision
Quantitative results (/r.y)
Without provision
With provision
Loss of cooling chain with RCP seal break and MHSI failure in power state
Safety chilled water system
2.98E-08
2.87E-10
Without provision
With provision
此处可考虑使用柱状图美化
最后加一行，打省略号

54. 3. Non-permanent measures after Fukushima accident
3.1 Primary water makeup and containment heat removal
3.2 Secondary water makeup
3.3 Spent fuel pool water makeup
3.4 Mobile power supply

55. 3.1 Primary water makeup and containment heat removal
Related requirements in SSR-1/2 :
“6.28B: The design shall also include features to enable the safe use of non-permanent equipment for restoring the capability to remove heat from the containment.“
HPR1000 is able to remove heat from the containment with mobile equipment when severe accidents happen and permanent equipment are unavailable (usually because of active equipment failure or loss of all power supply).
国内版加上《通技要求》
Mobile equipment
Function
Mobile emergency pump
Water makeup for primary loop
Mobile emergency power supply
Power supply for pumps, valves and cooling towers
Hand-carried mobile pump
Water makeup for heat sink feedwater pool

56. 3.1 Primary water makeup and containment heat removal
ECS
CHRS
Makeup water
tank
Hand-carried
mobile pump
Cooling
Tower
Heat
exchanger
Heat
exchanger
End filter
Reactor
vessel
考虑进一步美化
Intercycle circulation pump
Containment heat removal pump
End circulation pump
Mobile emergency pump
Mobile emergency
power supply

57. 3. Non-permanent measures after Fukushima accident
3.1 Primary water makeup and containment heat removal
3.2 Secondary water makeup
3.3 Spent fuel pool water makeup
3.4 Mobile power supply

58. 3.2 Secondary water makeup
If long-term LOOP (>72h) happens in power state, EFWS water tank and permanent back-up water supply will be used up. Mobile equipment can be used to provide makeup water for EFWS water tank (train A/B), so that secondary heat removal function is maintained.
EFWS
water
tank
Hand-carried
mobile pump
Power
limiting
valve
Water level
Regulating valve
Emergency
feedwater
pump SG

59. 3. Non-permanent measures after Fukushima accident
3.1 Primary water makeup and containment heat removal
3.2 Secondary water makeup
3.3 Spent fuel pool water makeup
3.4 Mobile power supply

60. 3.3 Spent fuel pool water makeup
Related requirements in SSR-1/2: “6.68: The design shall also include features to enable the safe use of non-permanent equipment to ensure sufficient water inventory for the long term cooling of spent fuel and for providing shielding against radiation. “
Hand-carried mobile pump
HPR1000 design meets the requirement above and refers to NEI12-06 to address emergency water makeup and spray function to spent fuel pool, which can provide a better cooling effect when spent fuel elements are uncovered.

61. 3. Non-permanent measures after Fukushima accident
3.1 Primary water makeup and containment heat removal
3.2 Secondary water makeup
3.3 Spent fuel pool water makeup
3.4 Mobile power supply

62. 3.4 Mobile power supply Related requirements in SSR-1/2 :
“6.45A: The design shall also include features to enable the safe use of non-permanent equipment to restore the necessary electrical power supply..”
Containment heat removal pump and valve
Extra cooling system circulation
Extra cooling system cooling tower fan
Spent fuel pool cooling pump and valve
Containment filtration and exhaust system chemical addition pump and mixing pump
Mobile power supply is designed in HPR1000, enhancing provisions for SBO, so that safety functions like containment heat removal and spent fuel pool cooling are guaranteed after severe accidents.

63. Thank you for your attention！