
803.1

Why the Westinghouse Advanced, Passive Pressurized Water Reactor, AP1000®?

Julie Gorgemans, Lawrence Conway, Andrew Pfister, Andreas Fristedt Åblad, Luca Oriani

Westinghouse Electric Company LLC
1000 Westinghouse Drive, Cranberry Township, PA 16066 USA

ABSTRACT

What does the AP1000 do that is an improvement over previous plants as well as the latest advanced commercial power reactor designs? The AP1000® plant is an 1100-MWe Class Pressurized Water Reactor (PWR) with extensive plant simplifications that enable it to favorably compete with the cost of electrical power generation by fossil plants, while improving plant safety far beyond current operating plant designs. This is accomplished by preserving the essentials of the proven, robust, and reliable power generating features of earlier Westinghouse plants while incorporating simpler but highly reliable passive safety features to mitigate design basis events. Westinghouse has used Probabilistic Risk Analysis (PRA) as a design tool for the AP1000 and has achieved a very low Core Damage Frequency (CDF) of 5.1×10⁻⁷/reactor yr, as certified by the US NRC. This compares to currently operating plants with active (pump-driven) safety systems that typically have a CDF of 5×10⁻⁵/reactor yr. To compete with fossil plant electricity generation cost, Westinghouse has a highly developed construction plan to minimize the time and cost of construction of the AP1000. It is designed from the outset for modular and “open top” construction techniques. The whole process of construction and construction planning is further abetted by the lower appetite of AP1000 for construction commodities afforded by the passive design’s more compact dimensions and greatly reduced Seismic Category 1 construction building footprint and volume. With fewer bulk quantities and less equipment required, AP1000 represents a focused effort towards minimizing the traditionally high cost of nuclear plant construction.

Where do things stand today? Under its new licensing approach, the US NRC has reviewed and recently approved the AP1000 amended certification clearing the way for the deployment of eight AP1000 units on order in the United States. Additionally in China, the Chinese regulators granted construction permits for four AP1000 units in 2008 which are now under construction with operation of the first unit scheduled for 2013. Westinghouse has also remained active in pursuing European opportunities for the AP1000 plant. In particular, Westinghouse has cooperated for almost two decades with European utilities to ensure the AP1000 design is adapted to the European market. This cooperation has resulted in progress towards AP1000 plant deployment in European countries, culminating in the European Utility Requirements (EUR) organization certifying the AP1000 in 2007, confirming that the AP1000 design aligns with the European operational practice. Furthermore, the AP1000 design successfully completed Step 4 of the Nuclear Directorate’s Generic Design Approval (GDA) licensing process in the United Kingdom, confirming that the AP1000 design can be licensed in Europe.

©2011 Westinghouse Electric Company LLC All Rights Reserved


Proceedings of the International Conference Nuclear Energy for New Europe, Bovec, Slovenia, Sept. 12-15, 2011

1 INTRODUCTION

The AP1000 design is based on proven PWR technology, but with an emphasis on safety features that rely solely on natural forces to mitigate design basis events. These passive safety features are combined with simple, active, defense-in-depth systems used during normal plant operations which also provide the first level of defense against more probable events. The passive safety systems are designed to function without safety-grade support systems (such as AC power, component cooling water, service water, compressed air or HVAC). The passive safety systems are automatically actuated and eliminate the need for operator actions for 72 hours following significant events.

The design and operation of the AP1000 passive safety features have been demonstrated by an extensive testing program. PRA results show that the AP1000 design achieves both a very low core damage frequency and a low large release frequency, which far exceed the goals established for advanced reactor designs. The CDF, considering random internal events as well as fire and flood events during at-power and shutdown operations, is 4.88×10⁻⁷/yr. The LRF for these same events is about 5.61×10⁻⁸/yr. This very low risk is a result of the AP1000 safety design features (simple passive safety features and active defense-in-depth features) as well as the use of PRA throughout the design process, starting from the initial design phase.

In addition, the AP1000 design has carefully evaluated and addressed severe accident phenomena. A key AP1000 feature in dealing with a severe accident is in-vessel retention of a molten core. This feature provides a robust, reliable, simple means of preventing a molten core from breaching the reactor vessel, eliminating ex-vessel phenomena that could cause containment failure. References 2 and 3 provide additional information on severe accident design features.

2 AP1000 DESIGN OBJECTIVES

Both the Utility Requirements Document (URD) and the European Utility Requirements (EUR) have the general approach of preserving the virtues of the operating plants when it comes to the power producing systems. But there is also a requirement for a simpler plant that is safer and costs less to construct. Both the EUR and URD anticipate and address specifically the advantages of a passive plant for both reducing construction cost and reliance on operator actions in the event of an accident. In fact, the expectation for a passive plant is to achieve and maintain safe shutdown in case of an accident for 72 hours without operator action. This is substantially different than the 30 minute period for operator action specified for an “evolutionary” plant that uses active safety systems. The URD also expects that new plant designs offered to utilities will be complete plants, encompassing the entire plant up to its connection to the grid.

In line with the URD and EUR requirements, the AP1000 passive design represents a significant improvement over conventional PWRs, and is developed around the fundamental design principles of safety, simplification and standardization. The EUR organization certified the AP1000 in 2007 providing confirmation that the AP1000 design aligns with the European operational practice.

2.1 Retaining the virtues of current operating plants

The AP1000 plant is designed around a conventional 2 loop, 2 steam generator primary system configuration with two hot legs, four reactor coolant pumps directly mounted in the steam generator lower head and four cold legs.

The power producing primary system is a familiar one based on proven and reliable Westinghouse PWR features, but with evolutionary improvements to be expected with the benefit of decades of operating experience, development of improved materials and better manufacturing techniques. Replacing Alloy 600 steam generator tubing with Alloy 690 tubing and the use of low cobalt-content alloys to reduce activation are some examples. This, of course, is a direct outgrowth of the steam generator replacements on the operating plants. To minimize welds and reduce in-service inspection, the AP1000 reactor vessel is ring-forged, eliminating longitudinal welds and there are no circumferential welds in the high flux core region where the effects of irradiation embrittlement can be more severe. These features combined with improved materials allow for a 60 year vessel life.

One of the improvements found in the AP1000 primary system design is the use of sealless reactor coolant pumps (RCPs). Eliminating the shaft seals and their complex support systems removes a source of potential primary system leakage, which is especially important following a station blackout event. The sealless RCP requires no oil lubrication system, and is designed to be maintenance-free. In fact, sealless motor pumps were used in the first generation of Westinghouse PWRs but, as the plants became larger with the second generation designs, they outgrew the capacity of that type of pump available at the time. Since then sealless pump sizes have increased, enabling their application to power reactors once again.

2.2 Safety

The over-arching design principle of the AP1000 with respect to nuclear safety is the use of simple, passive safety systems. These safety systems are dedicated to the mitigation of safety issues and are not required for normal operation. This approach is applicable to core cooling, containment cooling, spent fuel cooling, control room habitability, and the electrical power supply for I&C.

The AP1000 passive safety systems use natural driving forces such as gravity and natural convection to address abnormal and/or accident conditions. These passive safety systems require no external or on-site AC power sources to function, and once actuated require no support systems to maintain their functionality for at least 72 hours. The passive systems require no pumps or other “active” component responses to perform functions after their initiation. They automatically establish and maintain reactor safe shutdown conditions (subcriticality, average coolant temperature below 216 °C). Limited operator actions are required to maintain safe conditions in the spent fuel pool via passive means. This provides the benefit of greatly reducing the dependency on operator actions to respond to an event. The AP1000 utilizes the inherent reliability of natural phenomena to simplify safety systems while enhancing safety. These passive safety features result in very low core damage frequency and very low large release frequency as calculated by the PRA.

Structures, systems and components critical to placing the reactor in a safe shutdown condition are protected within the steel containment vessel which is further surrounded by a substantial “steel and concrete” composite shield building.

When AC power is available, the AP1000 passive systems can be supplemented with simple, active defense-in-depth systems and equipment. The active defense-in-depth systems use reliable and redundant active equipment, supported by defense-in-depth standby diesels so that they can perform their functions whether or not offsite AC power is available. These simple, active structures, systems and components are optimized for their normal operating functions. The active systems provide investment protection and reduce the overall risk to the plant owner and the public by minimizing the demand on the passive safety features. While important to the safe normal operation of the plant, the active systems are not necessary for the safe shutdown of the reactor following a design basis accident.


2.3 Simplification

The principle of simplification is applied throughout the lifecycle of the AP1000 plant:

• Simpler design: The elimination or simplification of active systems as a result of the reliable passive safety systems allows an overall simplification of the plant. This in turn results in the reduction of large quantities of unnecessary equipment and structures compared to other PWRs, which maximizes the certainty of delivery and schedule.

• Simpler construction: AP1000 has a highly developed construction plan to minimize the time and cost of construction. It is designed from the outset for modular and “open top” construction techniques. Modular construction allows activities to be run in parallel and it allows more activities to be performed in a controlled factory environment instead of in the field (see Figure 1). The whole process of construction and construction planning is further abetted by the lower appetite of AP1000 for construction commodities afforded by the passive design’s more compact dimensions and greatly reduced areas requiring Seismic Category 1 construction, as illustrated in Figure 2.

• Fewer safety related components: the passive safety systems result in fewer components which contribute to considerable savings in maintenance, testing & operation costs.

Figure 1: Modular Construction Allows Activities in Parallel

Figure 2: 3D Sketch of the AP1000 Power Block Showing Seismic Ratings

2.4 Standardization

The AP1000 standard plant design uses conservative, bounding site parameters (temperatures, wind velocities and seismic levels), achieves a very high level of safety and incorporates utility operational desires. As a result, it is a plant design that can be applied without major changes to different geographical regions around the world with varying regulatory standards and utility expectations. This simplifies and standardizes construction, procurement, installation, testing, operator training, licensing, and operation.

3 EXAMPLES OF PASSIVE SAFETY SYSTEMS

3.1 Emergency Core Cooling System

The Passive Core Cooling System (PXS), shown in Figure 3, protects the plant against all postulated events from transients to Reactor Coolant System (RCS) leaks and ruptures of various sizes and locations. The PXS provides core residual heat removal, core reactivity control, safety injection, and depressurization. Safety analyses (using NRC-approved codes) demonstrate the effectiveness of the PXS in protecting the core following all postulated design basis events. Even for breaks in the RCS as severe as one of the 20.0-cm (8-in) vessel injection lines, there is no core uncovery. Following a double-ended rupture of a main reactor coolant pipe, the PXS cools the reactor with ample margin to the peak clad temperature limit thus minimizing core damage and clad/steam reaction.

Figure 3: Passive Core Cooling System

3.1.1 Boration, Safety Injection, and Depressurization

The PXS uses three sources of water to ensure boration and maintain core cooling through safety injection. These injection sources include the core makeup tanks (CMTs), the accumulators, and the in-containment refueling water storage tank (IRWST). These injection sources, together with the containment recirculation flow paths, are directly connected to two nozzles on the reactor vessel so that no injection flow is spilled in case of larger breaks in the loop piping. They contain borated water which ensures RCS boration when they are injected.

There are two CMTs located inside the containment at an elevation above the reactor coolant loops. During normal operation, the CMTs are completely full of cold borated water. The boron concentration of this water is somewhat higher than that of the water in the accumulators and the IRWST. The boration capability of these tanks provides adequate core shutdown margin following a steam line break and for all safe shutdown events. Each CMT is connected to the RCS by a normally closed discharge line which injects directly into the reactor vessel downcomer, and by a normally open pressure balance inlet line connected to an RCS cold leg. The CMT pressure balance lines enable the CMTs to inject borated water into the RCS at any RCS pressure. The CMTs are actuated by opening either one of two redundant, fail-open valves that are located in parallel in the tank discharge lines.

The two accumulators contain borated water and a compressed nitrogen cover gas to provide rapid injection following postulated large breaks in the RCS. Each accumulator discharge line contains two check valves in series, which isolate the accumulators from the RCS during normal plant operation, so that they will inject borated water whenever the RCS pressure decreases to less than the accumulator cover gas pressure.

Long-term injection water is provided by gravity from the IRWST, which is located in the containment above the RCS loop elevation. Normally, the IRWST is isolated from the RCS by squib valves and check valves. Since this tank is designed for atmospheric pressure, the RCS must be depressurized before IRWST injection can occur. Therefore, the RCS pressure is automatically reduced so that the head of water in the IRWST is higher than the RCS pressure. The depressurization is provided using four stages of automatic depressurization to permit a relatively slow, controlled RCS pressure reduction.

The AP1000 containment is configured such that the water from the postulated break (including the PXS injection water) floods the lower portion of the containment to an elevation above the RCS loop piping. This water is returned to the reactor through two redundant and diverse containment recirculation paths. Each of the two recirculation paths contains one path with a squib valve backed up by a check valve and another path containing a different squib valve design backed up by a normally open motor-operated valve.

Both the IRWST injection paths and the containment recirculation paths are protected by screens that prevent debris that could interfere with core cooling from being injected to the reactor.

3.1.2 Passive Residual Heat Removal

The PXS includes one passive residual heat removal heat exchanger (PRHR HX). The PRHR HX is able to remove core decay heat, even at full RCS pressure, and to cool the RCS to safe shutdown conditions following any event where the normal heat removal via the steam generators is unavailable; for example, a loss of feedwater event with failure to provide start-up feedwater. It satisfies the safety criteria for loss of feedwater, feedwater line breaks, and steam line breaks. The PRHR HX is submerged within the IRWST whose water inventory serves as the heat sink. The PRHR HX inlet line is connected to RCS loop 1 hot leg and the outlet line returns cooled reactor coolant to the steam generator cold side channel head which connects to the RCS cold legs. The HX is actuated by opening either one of two redundant, fail-open valves that are located in parallel in the HX outlet (return) line. Following PRHR HX actuation the IRWST water can absorb the core decay heat and RCS sensible heat for almost two hours before the IRWST water will begin to boil. Once boiling starts, steam is vented to the containment and will be condensed on the steel containment vessel (see Section 3.2) and, after collection, drains by gravity back into the IRWST. The PRHR HX, the IRWST water inventory, and the passive containment cooling system (described below) provide decay heat removal capability for an extended time with no operator action or AC power required.

3.2 Passive Containment Cooling System

The passive containment cooling system (PCS) illustrated in Figure 4 provides the safety-related ultimate heat sink for the plant. The PCS cools the containment following any event which results in energy release into the containment so that containment design pressure is not exceeded and pressure inside containment is rapidly reduced. The steel containment vessel provides the heat transfer surface that removes heat from inside the containment and transfers it to the atmosphere. Heat is removed from the containment vessel by the continuous, natural circulation of air. If required, the normally operating air cooling is supplemented by applying water onto the outside of the containment steel shell, where the water is heated and evaporates into the cooling air flowpath. The water is provided from a tank located on top of the containment shield building and drains by gravity by opening either one of two normally closed, fail-open valves in parallel lines, or by opening a diverse, battery-powered, motor-operated valve in a third flow path.

The PCS water storage tank located above the containment contains sufficient water for gravity draining for three days. After three days the AP1000 includes additional on-site water storage and equipment to continue water application for an additional four days. After this time period air-cooling alone is sufficient to prevent containment overpressurization.

Figure 4: AP1000 Passive Residual Heat Removal and Passive Containment Cooling

4 ROBUSTNESS AGAINST EXTREME EXTERNAL EVENTS

The passive safety systems enable the AP1000 to minimize the potential risks to plant safety that could result from both design basis and extreme external events, and thus meet all International Atomic Energy Agency (IAEA) and the U.S. Nuclear Regulatory Commission guidance. These external hazards include seismic events, flooding, tsunamis, high winds and tornadoes, transportation accidents, and malicious aircraft impacts. The following plant design features reduce the risk caused by these types of events:

• AP1000 “fails safe.” The AP1000 passively aligns crucial safety related functions which maintain RCS inventory, ensure boration for shutdown, and provide reactor core and spent fuel decay heat removal. These functions achieve and maintain safe shutdown with no operator action for three days even with a loss of all electrical power, I&C controls, and instrument air. These functions are extended for four additional days with on-site supplies and limited operator action.

• AP1000 is self-reliant. The AP1000 passive safety systems reduce the importance of AC electrical power or heat sinks such as the service water cooling interface with nearby bodies of water. AP1000 plants ultimately use ambient air as the safety related heat sink for core heat removal.

• AP1000 is self-contained. All structures, systems, or components required to achieve and maintain AP1000 in a safe shutdown are protected from external events since they are located within the steel containment vessel and surrounded by the robust steel-concrete-steel shield building.

• AP1000 has many layers of defense. The combination of redundant passive safety systems designed with functional diversity, fail-safe functions for safe shutdown, redundant battery powered 1E power supplies, ancillary equipment and supplies to extend passive functions, redundant active defense-in-depth systems, redundant standby AC power supplies, and non-safety diverse battery power and actuation capability provides multiple levels of defense against postulated as well as unexpected events.

Thanks to these features, the AP1000 provides a unique and extremely robust defense against severe external events (earthquakes, tsunamis, aircraft crash, …) and their potential consequences (i.e. a complete station blackout), preventing fuel damage in the reactor and in the spent fuel pool and thus protecting public health and safety as well as the plant investment.

5 CONCLUSIONS

The AP1000 is an 1100-MWe Class PWR with passive safety features and extensive plant simplifications that enhance construction, operation, maintenance and safety. The design of the AP1000 has incorporated a standardization approach, which results in a single plant design that can be constructed in multiple geographical regions with varying regulatory standards and expectations.

One of the key design approaches in the AP1000 is to use passive features to mitigate design basis accidents. In addition to redundancy, these features incorporate functional diversity based on PRA insights. Active defense-in-depth features reduce the demands on the passive features and support the PRA.

Following an event, the AP1000 safety-related passive systems establish and maintain core cooling, containment cooling, spent fuel cooling and main control room habitability without the support of any off-site or on-site AC power for 72 hours. The AP1000 design thus achieves a high safety record, with a CDF of 5.1×10⁻⁷/yr, as certified by the US NRC.

NOMENCLATURE

AC Alternating Current


CDF Core Damage Frequency

CMT Core Makeup Tank

EUR European Utility Requirements

HVAC Heating, Ventilation and Air Conditioning

HX Heat Exchanger

IAEA International Atomic Energy Agency

IRWST In-Containment Refueling Water Storage Tank

LRF Large Release Frequency

NRC Nuclear Regulatory Commission

PCS Passive Containment Cooling System

PRA Probabilistic Risk Assessment

PRHR Passive Residual Heat Removal System

PWR Pressurized Water Reactor

PXS Passive Core Cooling System

RCS Reactor Coolant System

URD Utility Requirements Document

US United States

REFERENCES

[1] Westinghouse Electric Company, “AP1000 Design Control Document,” APP-GW-GL-700, Revision 19.

[2] J.H. Scobel and T.L. Schulz, Westinghouse, “Westinghouse AP1000 PRA Maturity,” Proc. of International Congress on Advances in Nuclear Power Plants ’05, Seoul, Korea, May 15-19, American Nuclear Society, 2005, Paper 5672.

[3] J.H. Scobel, et al., “Using Severe Accident Management to Address Phenomenological Uncertainties Related to Lower Plenum Debris Bed Chemistry and Mixing during AP1000 In-Vessel Retention (IVR) of Molten Core Debris,” Proceedings of ICAPP 2011, Nice, France, May 2-5, 2011.

[4] W.E. Cummins, R.P. Vijuk and T.L. Schulz, Westinghouse, “Westinghouse AP1000 Advanced Passive Plant,” Proc. of International Congress on Advances in Nuclear Power Plants ’05, Seoul, Korea, May 15-19, American Nuclear Society, 2005, Paper 5670.

[5] L. Oriani, T.L. Schulz and L.E. Conway, Westinghouse, “AP1000(TM) Design Adaptation to European Markets and EUR Compliance,” Proc. of International Congress on Advances in Nuclear Power Plants ’11, Nice, France, May 2-5, American Nuclear Society, 2011, Paper 11364.

AP1000 is a registered trademark of Westinghouse Electric Company LLC in the United States and may be registered in other countries throughout the world. All rights reserved.

Unauthorized use is strictly prohibited.