APPLICATION OF SELECTED SAFETY REQUIREMENTS FROM IAEA SSR-2/1 IN THE ENHANCED CANDU6 REACTOR DESIGN

A.G. Lee

Candu Energy Inc., Member of SNC-Lavalin Group

Mississauga, Ontario Canada

Abstract

The Enhanced CANDU 6® (EC6) design is updated from the proven CANDU 6 nuclear power plant with safety and operational improvements to meet the latest safety requirements for new NPP designs. The reference CANDU 6® plant is proven and mature technology with over 150 reactor years of combined safe operation in five countries around the world: Canada, Romania, Argentina, Korea and China. The EC6 design has been subjected to the Canadian Nuclear Safety Commission (CNSC) pre-licensing vendor design review process through a review against the requirements set forth in CNSC regulatory document RD-337, and successfully completed the Phase 3 review in June 2013. In May 2014, RD-337 was superseded by REGDOC-2.5.2, in which the CNSC largely adopted the principles set forth by IAEA SSR-2/1, Safety of Nuclear Power Plants. While REGDOC-2.5.2 introduced the concept of design extension conditions (DEC), RD-337 had already set forth many of the new safety requirements from IAEA SSR-2/1. In particular, RD-337 introduced the concept of a complementary design feature, which is a design feature added as a stand-alone structure, system or component (SSC), or an added capability of an existing SSC, to cope with DEC. This paper presents some examples of the approach that has been taken in the EC6 design to implement these new safety requirements, namely:

  • Application of defence in depth and increased independence of safety provisions, such as:
      • For level 2, an improved capability for detecting and intercepting deviations from normal operation;
      • For level 3, upgrading the Emergency Heat Removal System and improving containment;
      • For level 4, adding complementary design features, e.g., Emergency Support Centre, Severe Accident Recovery Heat Removal System, Emergency Filtered Containment Venting System, design features to facilitate the use of non-permanent equipment for power and heat removal, increased seismic capacity for the containment and improved robustness of the containment design to mitigate the consequences of DEC; and
  • Application of safety classification, design rules and criteria for stand-alone SSCs added as complementary design features.

1. INTRODUCTION

The Enhanced CANDU 6 (EC6®[1]) design is updated from the proven CANDU 6 nuclear power plant with safety and operational improvements to meet the latest safety requirements. The reference CANDU®[2] 6 plant is a proven and mature technology.

The EC6 design has been subjected to the Canadian Nuclear Safety Commission (CNSC) pre-licensing vendor design review process [1] through a review against the requirements set forth in CNSC regulatory document RD-337 [2], and successfully completed the Phase 3 review in June 2013. In May 2014, RD-337 was superseded by REGDOC-2.5.2 [3], in which the CNSC largely adopted the principles set forth by IAEA SSR-2/1 [4]. While REGDOC-2.5.2 introduced the concept of design extension conditions (DEC), RD-337 had already set forth many of the new safety requirements from IAEA SSR-2/1. In particular, RD-337 introduced the concept of a complementary design feature, which is a design feature added as a stand-alone structure, system or component (SSC), or an added capability of an existing SSC, to cope with DEC.

The following sections present a brief description of the EC6 design, along with some examples of the application of the new safety requirements from IAEA SSR-2/1. This paper provides high-level examples of:

  • Implementation of defence in depth in new reactor designs and independence of safety provisions.
  • Identification of equipment considered as ultimately necessary to prevent large releases, for which larger safety margins against internal and external hazards are required.
  • Measures incorporated into the design to facilitate the use of non-permanent equipment for power supply and cooling.

2. EC6 DESIGN

The EC6 design is a medium-sized pressurized heavy water reactor (PHWR), with a power output in the 700 MWe range. The design is based on natural uranium as fuel with heavy water (D2O) as the moderator. The reactor is equipped with horizontal fuel channels inside a cylindrical calandria vessel, which is further enclosed within a concrete, light-water-filled calandria vault. There are two functionally separate heat transport loops, each serving one half of the reactor, with heavy water as the coolant, as shown in Figure 1. The loops can be isolated from each other under certain accident conditions. Each loop contains two pumps, two steam generators, two inlet headers and two outlet headers, and half the fuel channels in a ‘figure of eight’ arrangement, with interconnecting piping. The flow through adjacent fuel channels in the reactor core is bi-directional (in opposite directions). The fission heat produced from the natural uranium fuel is transferred to the light water on the secondary side of the steam generators to produce steam, which drives the turbine generators to produce electricity. While retaining the basic features of the CANDU 6 plants, the EC6 design incorporates evolutionary features to enhance safety, operation and performance and to address the new safety requirements from IAEA SSR-2/1.

A technical summary of the EC6 design is available at Further details about the safety features in the EC6 design can be found in the INPRO Dialogue Forum 7 document [5].

The following sections describe some design improvements that have been made to the EC6 design to address safety requirements from IAEA SSR-2/1.

2.1 Safety Classification

The following safety classification scheme is used for the EC6 design:

Safety Class A: A system is assigned to Safety Class A if it meets any of the following criteria:
  a) Maintains the pressure boundary integrity of the heat transport system, where a failure would lead to a non-isolatable loss of coolant accident.
  b) Performs an immediate fast reactor shutdown function to prevent an initiating event from leading to unacceptable consequences that exceed the design bases of the Heat Transport System or safety systems.
Safety Class B: A system not included in Safety Class A is assigned to Safety Class B if it meets any of the following criteria:
  a) Performs the function of core cooling to prevent an initiating event from leading to unacceptable consequences that exceed the design bases.
  b) Performs the function of containment to prevent an initiating event from leading to unacceptable radioactive releases that exceed the design bases.
Safety Class C: A system not included in Safety Class A or B is assigned to Safety Class C if it meets any of the following criteria:
  a) Supports the operation of Class A or B systems.
  b) Performs safety functions in the longer term as a backup.
  c) Failure of the system during operation (i.e., running failure) initiates a design basis accident.
  d) Provides monitoring of safety functions during a design basis accident.
Safety Class D: A system not included in Safety Class A, B or C is assigned to Safety Class D if it meets any of the following criteria:
  a) Maintains adequate operating conditions for safety systems or systems important to safety during normal plant operation, AOOs or DBAs.
  b) Prevents minor releases of radioactive materials.
  c) Prevents or minimizes radiation exposure of plant staff.
  d) Provides monitoring that the plant remains within normal conditions.
  e) Is provided for mitigation or monitoring of DEC.
Not important to safety: A system not included in Safety Class A, B, C or D is designated as not important to safety.

2.2 Digital Control Systems

Modern digital control systems technology is deployed in the EC6 design to achieve an integrated architecture. The distributed control system (DCS) platform is qualified to handle both Safety Class C and D functions. In addition to DCS technology, several important architectural improvements have been made to the digital control systems of the CANDU 6:

  • The fuel handling control and display systems, although implemented using the same DCS and Plant Display System (PDS) platform technology, have been made into a fully separate system with an independent and diverse digital sub-system to implement protective safety interlocks. This design enhancement addresses clause 4.11(a) under requirement 7 in IAEA SSR-2/1.
  • All important to safety mitigating functions previously in the digital control computers, e.g., setback and stepback, are now implemented in a separate Class 2 mitigating controller, which along with some other Level 2 defence-in-depth functions is referred to as the “essential control sub-system”. This design enhancement addresses clause 4.11(c) under requirement 7 in IAEA SSR-2/1.
  • Additional parameters have been added for setback and stepback, e.g., end shield outlet temperature high and Shield Cooling System pump differential pressure low. This design enhancement addresses clause 4.11(c) under requirement 7 in IAEA SSR-2/1.
  • Fully digital device control sub-systems will interface via digital communications with the digital group controls. This design enhancement addresses clause 4.11(b) under requirement 7 in IAEA SSR-2/1.
  • Read-backs are provided from the digital device control sub-systems (including panel status information) to the PDS, the advanced alarm annunciation system, and the computer based procedures. This design enhancement addresses clause 4.11(b) under requirement 7 in IAEA SSR-2/1.

2.3 Emergency Heat Removal System

The EC6 design addresses requirement 53 in IAEA SSR-2/1 by including an Emergency Heat Removal System (EHRS) to remove heat from the steam generators to the ultimate heat sink when the feedwater supply to the steam generators is lost (Level 3 defence-in-depth), or when cooling to the secondary side of the emergency core cooling system (ECCS) heat exchangers is lost after a loss of coolant accident. EHRS initiates automatically on detection of loss of the primary feedwater supply to the steam generators, as follows:

  1. EHRS pump starts up;
  2. Auto depressurization of the steam generators commences with time delay; and
  3. Reserve water tank (RWT) injection valves open for automatic injection.

EHRS is designed to supply water from two sources:

(a) Gravity feed system taking water from the RWT via EHRS valves to the steam generators, and

(b) Pump from a fresh water source to either the RWT or the secondary side of the ECCS heat exchangers.

Unlike auxiliary feedwater, the EHRS is a low pressure system. Therefore, the steam generator auto depressurization is initiated automatically by opening the main steam safety valves on an abnormally low steam generator level, which indicates an unavailability of normal feedwater. At least eight out of sixteen of the main steam safety valves are credited for depressurization to maintain the steam generator at a sufficiently low pressure to permit continuous makeup from the RWT.

EHRS meets the single failure criterion, as defined in requirement 25 in IAEA SSR-2/1. System components required to perform on demand for a flow permissive function are duplicated in parallel (e.g., pump, injection valves). System components required to perform on demand for a flow isolation function (e.g., containment isolation valves) are duplicated in series. Valves not required to perform on demand, but which might impair system performance if inadvertently left in the wrong position (e.g., recirculation test, large bore drain valves), are provided with position indication.
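The single failure criterion described above can be checked mechanically once the redundancy arrangement is written down. The following is an added example written for this review, not code from the paper or from Candu Energy: a constructed component model of the EHRS with the parallel (flow permissive), series (isolation) and 8-of-16 main steam safety valve arrangements the text describes, and a check that postulates every single component failure in either mode and reports any function that would be lost. Component names are assumed.

```python
from dataclasses import dataclass
from itertools import product

# On-demand failure modes of an active component (constructed model).
STUCK_OPEN, STUCK_CLOSED = "stuck_open", "stuck_closed"

@dataclass(frozen=True)
class Function:
    name: str
    kind: str               # "permissive", "isolation" or "k_of_n"
    components: tuple
    k: int = 1              # minimum working components (k_of_n only)

def function_available(fn, failures):
    """Return True if fn can still be delivered on demand, given a mapping
    component -> failure mode for the components assumed failed."""
    if fn.kind == "permissive":
        # Parallel paths: a stuck-closed element blocks only its own path.
        return any(failures.get(c) != STUCK_CLOSED for c in fn.components)
    if fn.kind == "isolation":
        # Series valves: if one sticks open, the other still isolates.
        return any(failures.get(c) != STUCK_OPEN for c in fn.components)
    if fn.kind == "k_of_n":
        # Relief valves must open; stuck-closed ones do not contribute.
        working = sum(failures.get(c) != STUCK_CLOSED for c in fn.components)
        return working >= fn.k
    raise ValueError(f"unknown function kind: {fn.kind}")

def single_failure_violations(functions):
    """Postulate every single component failure in either mode and list the
    (component, mode, function) triples that lose a function. An empty list
    means the single failure criterion is met for the modelled functions."""
    components = sorted({c for fn in functions for c in fn.components})
    violations = []
    for comp, mode in product(components, (STUCK_OPEN, STUCK_CLOSED)):
        for fn in functions:
            if not function_available(fn, {comp: mode}):
                violations.append((comp, mode, fn.name))
    return violations

# Constructed EHRS model following the text: pumps and injection valves in
# parallel, isolation valves in series, at least 8 of 16 MSSVs credited.
EHRS = [
    Function("pump_flow", "permissive", ("pump_A", "pump_B")),
    Function("rwt_injection", "permissive", ("inj_valve_A", "inj_valve_B")),
    Function("containment_isolation", "isolation", ("cont_iso_1", "cont_iso_2")),
    Function("sg_depressurization", "k_of_n",
             tuple(f"mssv_{i:02d}" for i in range(1, 17)), k=8),
]

# Same model with only one RWT injection valve: the check exposes the gap.
EHRS_SINGLE_INJ_VALVE = [Function("rwt_injection", "permissive", ("inj_valve_A",))]
```

Valves that are not required on demand but could impair the system if mispositioned (the recirculation test and large bore drain valves in the text) fall outside this on-demand model; the paper's mitigation for those is position indication rather than redundancy.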

2.4 Containment

The EC6 reactor building, its penetrations and the isolation valves form the containment envelope. The containment envelope includes containment isolation and hydrogen control that uses 44 igniters (Level 3 defence-in-depth) and 33 passive autocatalytic recombiner units (Level 4 defence-in-depth). Automatic containment isolation will occur when containment high pressure and/or high radiation is detected. Cooling in the reactor building is provided by electrically driven forced air coolers in the reactor vaults and upper boiler room. Heat is removed by the recirculating cooling water system. The containment envelope is designated as safety class B, and follows the design requirements in CSA N287.3 [6].

The EC6 design has made the following improvements to address requirement 54 in IAEA SSR-2/1:

  • A containment design pressure of 400 kPa (g),
  • A design leakage rate of 0.2%/day,
  • Seismically qualified to a design basis earthquake with a return frequency of one in ten thousand years and a peak ground acceleration of 0.3 g,
  • A steel liner plate on the entire inside surface of the containment structure, to ensure that leak-tightness is within acceptable limits and to prevent spalled concrete from being generated as a result of an external impact, and
  • Increased thickness of the containment structure from the CANDU 6 plants, to meet current safety requirements for radiation shielding, missile protection, aircraft crash, and fire protection.

These design improvements address requirement 20 in IAEA SSR-2/1 by providing additional margin for maintaining containment integrity following DEC and additional time for implementation of off-site emergency procedures. CSA N287.3 provides guidance on design rules for assessing the containment safety margins for DEC.

2.5 Emergency Filtered Containment Venting System

As a result of the Fukushima lessons learned, and to address requirement 20 in IAEA SSR-2/1 to control, monitor and filter releases, the EC6 design includes an emergency containment filtered venting system (ECFVS) for relief of pressure and removal of aerosols and iodine, to be used as a last resort in a severe accident event. The ECFVS will be protected from external events. For the EC6 design, the ECFVS is part of the severe accident management function, preventing unfiltered releases of radioactive products in the unlikely event of overpressurization of the containment. The ECFVS is based on the commercially available system that has been installed on existing CANDU 6 reactors. The ECFVS is designated as safety class D, and follows the design requirements under CSA N285.0 for pressure boundary Class 6 systems and components.

2.6 Severe Accident Recovery Heat Removal System

The Severe Accident Recovery Heat Removal System (SARHRS), as shown in Figure 2, has been designed as a complementary design feature for DEC. SARHRS addresses the safety requirements from requirement 20, para 5.27 in IAEA SSR-2/1. SARHRS is designated as safety class D, and is designed in accordance with CSA N285.0 for pressure-boundary Class 6 systems and components. The key function of this system is to remove the decay heat from the core to prevent the further development of core damage during DEC involving sustained loss of heat sinks, i.e., loss of the Moderator System, Feedwater System, Auxiliary Feedwater System, Shutdown Cooling System, Shield Cooling System, and EHRS.

SARHRS consists of a makeup and recovery circuit which includes pumps, a heat exchanger and associated valves and piping. SARHRS recovers water from the reactor building basement, cools it using a heat exchanger, and delivers it as makeup to the calandria vessel and calandria vault, and to the low flow containment cooling spray. SARHRS is capable of providing makeup to refill the RWT from the lake intake structure / forebay for steam generator secondary side makeup to allow core decay heat removal. The fixed pump-driven recovery circuit is backed up by the capability to connect emergency mobile equipment.

A single dedicated diesel generator per two-unit station has been incorporated into the EC6 design to provide electrical power to the SARHRS pumps, motorized valves and associated controls. The Electrical Power System dedicated to SARHRS is independent and separated from other power systems. The SARHRS-dedicated electrical system is designed such that, following a DEC, the unavailability of the Emergency Power Supply does not compromise the availability of the systems important to safety that are required for decay heat removal and reactor building post-accident monitoring. The dedicated diesel generator is backed up by the capability to connect emergency mobile equipment.

2.7 Emergency Support Centre

The EC6 design provides an Emergency Support Centre (Levels 4 and 5 defence-in-depth) that is separate from the plant control rooms, for use by the emergency operation support staff in the event of an emergency. The Emergency Support Centre provides overall management of the Licensee’s emergency response. This addresses requirement 67 in IAEA SSR-2/1.

The Emergency Support Centre includes:

  • A Safety Parameter Display System similar to those in the Main Control Room and in the Secondary Control Room to access and display information about reactor conditions, spent fuel bay conditions, the radiological conditions in the plant and its immediate surroundings, and about meteorological conditions in the vicinity of the plant;
  • Equipment for evaluation of all data pertinent to determine the magnitude and effects of actual or potential radioactive releases, and the need for offsite protective measures;
  • Secure means of communication with the Main Control Room, the Secondary Control Room, and other important points in the plant, and with on-site and off-site emergency response organizations;
  • Provisions to protect occupants and equipment over protracted periods from the hazards resulting from a severe accident;
  • A dedicated seismically qualified backup power supply, including a diesel generator and an uninterruptible power supply, to support safety computers and communication equipment during station blackout events and to allow extended operating periods;
  • The capability to connect emergency mobile equipment to back up the diesel generator.

3. SUMMARY

This paper presents some examples of the design approach that has been taken in the EC6 design to implement safety requirements from IAEA SSR-2/1: